🔓
Cryptography
  • What's this
  • Chapter 1 - Introduction
    • Exercise 1.1
  • Chapter 3 - Private-Key Encryption
    • Exercise 3.1
  • Chapter 4 - Message Authentication Codes
    • Exercise 4.7
    • Exercise 4.8
    • Exercise 4.14
    • Exercise 4.15
    • Extra: Authenticated Encryption CBC-XOR
  • Chapter 5 - Hash Functions and Applications
    • Exercise 5.3
  • Chapter 8 - Number Theory and Cryptographic Hardness Assumptions
    • (Unresolved) Exercise 8.15
Powered by GitBook
On this page
  • Problem
  • Solution

Was this helpful?

  1. Chapter 4 - Message Authentication Codes

Extra: Authenticated Encryption CBC-XOR

Last updated 5 years ago

Was this helpful?

Problem

Show two types of forgery attacks for authenticated encryption scheme CBC-XOR.

Given a pseudorandom permutation F
Gen: k <- {0, 1}^n
Enc: On input a message m = B_0 || B_1 || ... || B_l and a key k, 
     uniformly generate an IV <- {0, 1}^m
    1. Compute B_{l+1} = B_0 ^ B_1 ^ ... ^ B_l
    2. Do CBC encryption on m || B_{l+1} using k and IV
        - Output ciphertext c := IV || c_0 || c_1 || ... || c_l || c_{l+1}
Dec: On input a ciphertext c = IV || c_0 || c_1 || ... || c_l || c_{l+1} and a key k
    1. Do CBC decryption on c_0 || c_1 || ... || c_l || c_{l+1} using k and IV
    2. Check if B_{l+1} = B_0 ^ B_1 ^ ... ^ B_l
        - If true, output plaintext B_0 ^ B_1 ^ ... ^ B_l
        - If false, output error

Solution

Method 1 - Truncation

Query m=B0∣∣B1∣∣(B0⊕B1) m = B_0 || B_1 || (B_0 \oplus B_1) m=B0​∣∣B1​∣∣(B0​⊕B1​) and obtain the ciphertext c=IV∣∣c0∣∣c1∣∣c2∣∣c3 c = IV || c_0 || c_1 || c_2 || c_3 c=IV∣∣c0​∣∣c1​∣∣c2​∣∣c3​.

Thus c∗=IV∣∣c0∣∣c1∣∣c2 c^* = IV || c_0 || c_1 || c_2 c∗=IV∣∣c0​∣∣c1​∣∣c2​ should be a valid ciphertext for m∗=B0∣∣B1m^* = B_0 || B_1m∗=B0​∣∣B1​

Method 2 - Swap

Thus

Query m=B0∣∣B1∣∣B2m = B_0 || B_1 || B_2 m=B0​∣∣B1​∣∣B2​ and obtain the ciphertext c=IV∣∣c0∣∣c1∣∣c2∣∣c3c = IV || c_0 || c_1 || c_2 || c_3 c=IV∣∣c0​∣∣c1​∣∣c2​∣∣c3​

Fk(IV⊕B0)=c0F_k(IV \oplus B_0) = c_0Fk​(IV⊕B0​)=c0​

Fk(c0⊕B1)=c1F_k(c_0 \oplus B_1) = c_1Fk​(c0​⊕B1​)=c1​

Fk(c1⊕B2)=c2 F_k(c_1 \oplus B_2) = c_2 Fk​(c1​⊕B2​)=c2​

Fk(c2⊕B0⊕B1⊕B2)=c3 F_k(c_2 \oplus B_0 \oplus B_1 \oplus B_2) = c_3 Fk​(c2​⊕B0​⊕B1​⊕B2​)=c3​

Hence c∗=IV∣∣c1∣∣c0∣∣c2∣∣c3c^* = IV || c_1 || c_0 || c_2 || c_3c∗=IV∣∣c1​∣∣c0​∣∣c2​∣∣c3​ should be a valid tag for m∗=B1∗∣∣B0∗∣∣B2∗m^* = B^*_1 || B^*_0 || B^*_2m∗=B1∗​∣∣B0∗​∣∣B2∗​, where

B0∗=c0⊕B1⊕IV B^*_0 = c_0 \oplus B_1 \oplus IVB0∗​=c0​⊕B1​⊕IV

B1∗=IV⊕B0⊕c1 B^*_1 = IV \oplus B_0 \oplus c_1B1∗​=IV⊕B0​⊕c1​

B2∗=c1⊕B2⊕c0 B^*_2 = c_1 \oplus B_2 \oplus c_0B2∗​=c1​⊕B2​⊕c0​

B0∗⊕B1∗⊕B2∗=c0⊕B1⊕IV⊕IV⊕B0⊕c1⊕c1⊕B2⊕c0=B0⊕B1⊕B2 B^*_0 \oplus B^*_1 \oplus B^*_2 = c_0 \oplus B_1 \oplus IV \oplus IV \oplus B_0 \oplus c_1 \oplus c_1 \oplus B_2 \oplus c_0 = B_0 \oplus B_1 \oplus B_2B0∗​⊕B1∗​⊕B2∗​=c0​⊕B1​⊕IV⊕IV⊕B0​⊕c1​⊕c1​⊕B2​⊕c0​=B0​⊕B1​⊕B2​