undo the XOR operation by again XORing the correct ciphertext block. This can be expressed for general blocks $y_i$ as $e_k^{-1}(y_i) \oplus y_{i-1} = x_i$. The right-hand side of Fig. 5.4 shows this process. Again, if the first ciphertext block $y_1$ is decrypted, the result must be XORed with the initialization vector IV to determine the plaintext block $x_1$, i.e., $x_1 = IV \oplus e_k^{-1}(y_1)$. The entire process of encryption and decryption can be described as:
Definition 5.1.2 Cipher block chaining mode (CBC)
Let $e()$ be a block cipher of block size $b$; let $x_i$ and $y_i$ be bit strings of length $b$; and let IV be a nonce of length $b$.
Encryption (first block): $y_1 = e_k(x_1 \oplus IV)$
Encryption (general block): $y_i = e_k(x_i \oplus y_{i-1})$, $i \ge 2$
Decryption (first block): $x_1 = e_k^{-1}(y_1) \oplus IV$
Decryption (general block): $x_i = e_k^{-1}(y_i) \oplus y_{i-1}$, $i \ge 2$
We now verify the mode, i.e., we show that the decryption actually reverses the encryption. For the decryption of the first block $y_1$, we obtain:
$d(y_1) = e_k^{-1}(y_1) \oplus IV = e_k^{-1}(e_k(x_1 \oplus IV)) \oplus IV = (x_1 \oplus IV) \oplus IV = x_1$
For the decryption of all subsequent blocks $y_i$, $i \ge 2$, we obtain:
$d(y_i) = e_k^{-1}(y_i) \oplus y_{i-1} = e_k^{-1}(e_k(x_i \oplus y_{i-1})) \oplus y_{i-1} = (x_i \oplus y_{i-1}) \oplus y_{i-1} = x_i$
If we choose a new IV every time we encrypt, the CBC mode becomes a probabilistic encryption scheme. If we encrypt a string of blocks $x_1, \ldots, x_t$ once with a first IV and a second time with a different IV, the two resulting ciphertext sequences look completely unrelated to each other for an attacker. Note that we do not have to keep the IV secret. However, in most cases, we want the IV to be a nonce, i.e., a number used only once. There are many different ways of generating and agreeing on initialization values. In the simplest case, a randomly chosen number is transmitted in the clear between the two communicating parties prior to the encrypted session. Alternatively, it can be a counter value that is known to Alice and Bob and is incremented every time a new session starts (which requires that the counter value be stored between sessions). It could also be derived from values such as Alice's and Bob's ID numbers, e.g., their IP addresses, together with the current time. Note that a counter, an address or a timestamp is predictable to an outsider; to strengthen any of these methods, we can take a value as described above and ECB-encrypt it once using the block cipher with the key known to Alice and Bob, and use the resulting ciphertext as the IV. There are some advanced attacks which require that the IV is not only unique but also unpredictable.
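The following is an added example, not code from the book. It implements Definition 5.1.2 exactly as written (the two encryption rules and the two decryption rules), checks the decryption identity derived above, derives the IV by ECB-encrypting a shared counter as the text suggests, and then encrypts the same message twice under a fixed IV and under fresh IVs to show why IV reuse lets an eavesdropper spot repeated plaintexts. Because the page names no particular cipher, the block cipher $e_k$ is assumed here to be a toy 64-bit Feistel network with a SHA-256 round function; it is a placeholder for a real cipher such as AES and is not secure, but it is a keyed permutation with an exact inverse, which is all CBC needs. The sample "wire transfer" bytes are constructed for the demonstration.

```python
"""CBC mode (Definition 5.1.2) built around a toy block cipher.

Added example, not code from the book.  The block cipher is an ASSUMED
stand-in: a toy 64-bit Feistel network with a SHA-256 round function.
It is NOT secure; it only supplies e_k and e_k^{-1} without third-party
libraries so that the chaining, the decryption identity and the effect
of IV reuse can be shown.
"""
import hashlib
import os

BLOCK = 8          # block size b, in bytes (64 bits)
HALF = BLOCK // 2
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(k: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: truncated SHA-256(key || round index || half block).
    return hashlib.sha256(k + bytes([i]) + half).digest()[:HALF]


def e_k(k: bytes, x: bytes) -> bytes:
    """Toy block cipher encryption e_k(x) of one b-byte block."""
    assert len(x) == BLOCK
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(k, i, r))
    return l + r


def e_k_inv(k: bytes, y: bytes) -> bytes:
    """Inverse e_k^{-1}(y): undo the Feistel rounds in reverse order."""
    assert len(y) == BLOCK
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(k, i, l)), l
    return l + r


def split_blocks(msg: bytes) -> list[bytes]:
    assert len(msg) % BLOCK == 0, "message must be a multiple of the block size"
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def cbc_encrypt(k: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """y_1 = e_k(x_1 xor IV);  y_i = e_k(x_i xor y_{i-1}) for i >= 2."""
    out, prev = [], iv
    for x in blocks:
        y = e_k(k, xor(x, prev))
        out.append(y)
        prev = y
    return out


def cbc_decrypt(k: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """x_1 = e_k^{-1}(y_1) xor IV;  x_i = e_k^{-1}(y_i) xor y_{i-1} for i >= 2."""
    out, prev = [], iv
    for y in blocks:
        out.append(xor(e_k_inv(k, y), prev))
        prev = y
    return out


def iv_from_counter(k: bytes, counter: int) -> bytes:
    """IV derivation from the text: ECB-encrypt a shared session counter.

    The counter itself is predictable; its encryption under k is not.
    Both parties must store the counter between sessions.
    """
    return e_k(k, counter.to_bytes(BLOCK, "big"))


def roundtrip_ok(k: bytes, iv: bytes, msg: bytes) -> bool:
    """Checks the identity d(y_i) = x_i verified in the text."""
    blocks = split_blocks(msg)
    return cbc_decrypt(k, iv, cbc_encrypt(k, iv, blocks)) == blocks


def transfers_match(k: bytes, iv_a: bytes, iv_b: bytes, transfer: bytes) -> bool:
    """Encrypt the same transfer twice; True means an eavesdropper who only
    sees ciphertext can tell the two transfers are identical."""
    blocks = split_blocks(transfer)
    return cbc_encrypt(k, iv_a, blocks) == cbc_encrypt(k, iv_b, blocks)


if __name__ == "__main__":
    k = os.urandom(16)
    # Constructed sample: five 8-byte fields of a fictitious wire transfer.
    transfer = b"BANK_A  ACCT0001BANK_B  ACCT0002AMT=1000"
    assert roundtrip_ok(k, iv_from_counter(k, 1), transfer)
    same = transfers_match(k, iv_from_counter(k, 1), iv_from_counter(k, 1), transfer)
    fresh = transfers_match(k, iv_from_counter(k, 1), iv_from_counter(k, 2), transfer)
    print("fixed IV, same transfer twice:", "identical ciphertext" if same else "differs")
    print("fresh IV per transfer:       ", "identical ciphertext" if fresh else "differs")
```

Because $e_k$ is a permutation, two IVs that differ in even one bit give different inputs to the first encryption, hence a different $y_1$, and the difference then propagates through every later block by the chaining; this is why the two ciphertext sequences in the text look unrelated. With a fixed IV the scheme is deterministic again and a repeated transfer produces a repeated ciphertext, which is exactly the pattern the ECB substitution attack relies on.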
It is instructive to discuss whether the substitution attack against the bank transfer that worked for the ECB mode is applicable to the CBC mode. If the IV is properly chosen for every wire transfer, the attack will not work at all since Oscar will not recognize any patterns in the ciphertext. If the IV is kept the same for several transfers, he would recognize the transfers from his account at bank A to