Cryptography Reference
In-Depth Information
Exercise 4.7 Suppose that, after encryption with a mode of operation, an IV and a
ciphertext were transmitted and, in the process, one bit was flipped. Determine how
much plaintext one can expect to recover correctly in all the possible cases obtained
by assuming that the flipped bit was either (1) the first bit of the IV or (2) the first bit
of the first ciphertext block, and the mode used was one of the following: (a) CBC,
(b) OFB, (c) CTR.
4.3.1.6 Final Remarks on Confidentiality Modes
Observe that the modes that use an IV, namely, all modes except ECB, require
knowledge of the IV value for decryption. We have regarded the IV (or the initial
counter in the case of CTR mode) as an input of the decryption algorithm different
from the ciphertext but, of course, in practice the IV may be considered as part of
the ciphertext—for example, as the first block—and then the ciphertext input will
consist only of the ciphertext and the key as in the general definition of encryption
scheme.
We have mentioned that CBC, CFB, OFB and CTR modes (with a randomly
chosen IV) give rise to CPA secure encryption schemes when the underlying block
cipher is assumed to be a pseudo-random permutation. In the next section we prove
this for CTR mode and a similar argument can be used for the other modes. ECB
mode, in contrast, does not even give an IND-EAV secure scheme if no restrictions
are imposed on the message space.
Exercise 4.8 Prove that if the message space consists of one-block messages and the
underlying block cipher is a pseudo-random permutation, then ECB mode defines
an IND-EAV secure scheme. (Hint: Given an adversary
attacking the IND-EAV
security of the scheme, use it—as in the proof of Theorem 4.1 below—to construct
a distinguisher for the distinguishing experiment in Definition 4.2.)
A
4.3.2 A CPA Secure Encryption Scheme
We next prove that CTR mode, when used with a randomly chosen initial counter
and a key generation algorithm that chooses keys uniformly at random, defines a
CPA secure scheme assuming that the underlying block cipher F is a pseudo-random
function. This is an important result and its proof illustrateswell the kind of reductions
that are made to obtain CPA security from a pseudo-randomness hypothesis:
Theorem 4.1 If the underlying block cipher F is a pseudo-random function then
CTR mode with a random initial counter is CPA secure.
Proof For simplicity, we will also denote by CTR the encryption scheme obtained
from the block cipher F by using CTR mode with a random initial counter. The idea
of the proof is to consider the ideal encryption scheme iCTR obtained by using a
 
Search WWH ::




Custom Search