which, as is easily seen, is the same as m with the i-th bit flipped. This allows the adversary to distinguish which of the two messages submitted was encrypted and to succeed in the PrivK^{ind-cca} experiment with probability 1 (since the adversary may submit two messages that differ in at least one bit distinct from the i-th bit). In fact, this attack is even stronger because it allows the adversary to recover any encrypted message m with just one query, by flipping the i-th bit of the message m.
Exercise 4.10 Show that CBC and OFB modes do not define CCA secure encryption schemes even assuming that the underlying block cipher is a pseudo-random function.
4.4 AES in Maple

In Sect. 4.2.2 we have given Maple implementations of the S-box and the Key Expansion algorithm. We are now going to give a full implementation of AES in Maple as a preliminary step to implementing the modes of operation. A more detailed Maple version, which also includes the possibility of performing statistical tests on the diffusion properties of AES, as well as all the modes of operation, can be found in [93].
4.4.1 AES Operations in Maple
4.4.1.1 SubBytes and its Inverse

We start with the SubBytes operation and its inverse. We could map the above-defined SB function to the entries of the state array but, to increase speed, we will instead replace the state entries by looking directly at the SBox and InvSBox tables. The input of these functions is the state array, given as a two-dimensional Maple Array of type 0..3, 0..3, and the output is the modified version of the state.
> SubBytes := proc(state)
  local i, j;
  # replace every entry of the 4x4 state by its value in the SBox table
  for i from 0 to 3 do
    for j from 0 to 3 do
      state[i, j] := SBox[state[i, j]]
    end do
  end do;
  state
end proc:
> InvSubBytes := proc(state)
  local i, j;
  # undo SubBytes by looking up each entry in the InvSBox table
  for i from 0 to 3 do
    for j from 0 to 3 do
      state[i, j] := InvSBox[state[i, j]]
    end do
  end do;
  state
end proc:
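The same table-driven SubBytes/InvSubBytes pair, as an added Python example that is not part of the book's Maple code: instead of taking SBox and InvSBox from Sect. 4.2.2, the tables are rebuilt here from their GF(2^8) definition (multiplicative inverse followed by the affine map with constant 0x63), and the 4x4 sample state is a constructed input; the helper names gf_mul, gf_inv, affine, sub_bytes and inv_sub_bytes are ours.

```python
# Added example (not the book's code): derive the AES S-box and its inverse,
# then apply SubBytes / InvSubBytes to a 4x4 state, rows 0..3, columns 0..3.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce by the low byte of 0x11B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); by convention 0 maps to 0."""
    if a == 0:
        return 0
    # the multiplicative group has order 255, so a^254 = a^(-1)
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def affine(x: int) -> int:
    """AES affine map: b_i = x_i ^ x_{i+4} ^ x_{i+5} ^ x_{i+6} ^ x_{i+7} ^ c_i, c = 0x63."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF   # rotate left by k bits
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]   # SBox table of Sect. 4.2.2
INV_SBOX = [0] * 256                              # InvSBox: the inverse permutation
for x, y in enumerate(SBOX):
    INV_SBOX[y] = x

def sub_bytes(state):
    """Table lookup on every entry, as the Maple SubBytes does (returns a new state)."""
    return [[SBOX[state[i][j]] for j in range(4)] for i in range(4)]

def inv_sub_bytes(state):
    """Undo sub_bytes via the InvSBox table."""
    return [[INV_SBOX[state[i][j]] for j in range(4)] for i in range(4)]

# constructed sample state (bytes chosen arbitrarily for the demonstration)
SAMPLE_STATE = [[0x00, 0x01, 0x02, 0x53],
                [0x10, 0x20, 0x30, 0x40],
                [0xAA, 0xBB, 0xCC, 0xDD],
                [0xFF, 0xFE, 0x80, 0x7F]]
```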