Example chosen-ciphertext attacks

Chosen-ciphertext attacks are powerful enough to break all the standard modes of operation, even those like CTR and CBC that (as we will see later) are secure against chosen-plaintext attack. The one-time pad scheme is also vulnerable to a chosen-ciphertext attack: perfect security only takes into account chosen-plaintext attacks. Let us now illustrate a few chosen-ciphertext attacks.

6.11.1 Attack on CTR

Let F:{0,1}^k × {0,1}^l → {0,1}^L be a family of functions and let SE = (K,E,D) be the associated R-CTR symmetric encryption scheme as described in Scheme 6.5. The weakness of the scheme that makes it susceptible to a chosen-ciphertext attack is the following. SayC[0]C[1] is a ciphertext of someL-bit message M, and we flip bit i of C[1], resulting in a new ciphertextC[0]C⁰[1]. LetM⁰ be the message obtained by decrypting the new ciphertext. Then M⁰ equals M with thei-th bit flipped. (You should check that you understand why by looking at Scheme 6.5.) Thus, by making a decryption oracle query ofC[0]C⁰[1] one can learn M⁰ and thus M. In the following, we show how this idea can be applied to break the scheme in our model by figuring out in which world an adversary has been placed.

Proposition 6.26 LetF:{0,1}^k× {0,1}^l→ {0,1}^Lbe a family of functions and letSE= (K,E,D) be the corresponding R-CTR symmetric encryption scheme as described in Scheme 6.5. Then

Adv^ind-cca

SE (t,1, L,1, l+L) = 1

Cryptography: Lecture Notes 113

fort=O(l+L) plus the time for one application ofF.

The advantage of this adversary is 1 even though it uses hardly any resources: just one query to each oracle.

That is clearly an indication that the scheme is insecure.

Proof of Proposition 6.26: We will present an adversary algorithmA, having time-complexityt, making 1 query to its lr-encryption oracle, this query being of length L, making 1 query to its decryption oracle, this query being of lengthl+L, and having

Adv^ind-cca

SE,A = 1. The Proposition follows.

Remember the the lr-encryption oracleEK(LR(·,·, b)) takes input a pair of messages, and returns an encryp-tion of either the left or the right message in the pair, depending on the value of b. The goal of A is to determine the value ofb. Our adversary works like this:

AdversaryA^{EK(LR(·,·,b)),DK(·)} M0←0^L ; M1←1^L

C[0]C[1]← EK(LR(M₀, M₁, b)) C⁰[1]←C[1]⊕1^L ; C⁰←C[0]C⁰[1]

M ← DK(C⁰)

IfM =M₀ then return 1 else return 0

The adversary’s single lr-encryption oracle query is the pair of distinct messages M₀, M₁, each one block long. It is returned a ciphertextC[0]C[1]. It flips the bits ofC[1] to getC⁰[1] and then feeds the ciphertext C[0]C⁰[1] to the decryption oracle. It bets on World 1 if it gets back M₀, and otherwise on World 0. It is important thatC[0]C⁰[1]6=C[0]C[1], so the decryption oracle query is legitimate. Now, we claim that

Ph

Exp^ind-cca-1 SE,A = 1i

= 1

Ph

Exp^ind-cca-0 SE,A = 1i

= 0. Hence Adv^ind-cca

SE,A = 1−0 = 1. And A achieved this advantage by making just one lr-encryption oracle query, whose length, which as per our conventions is just the length ofM0, isLbits, and just one decryption oracle query, whose length isl+L bits. SoAdv^ind-cca

SE (t,1, L,1, l+L) = 1.

Why are the two equations claimed above true? You have to return to the definitions of the quantities in question, as well as the description of the scheme itself, and walk it through. In World 1, meaning when b= 1, letC[0]C[1] denote the ciphertext returned by the lr-encryption oracle, and letR=StN(C[0]). Then

C[1] = F_K(NtS_l(R+ 1))⊕M₁ = F_K(NtS_l(R+ 1))⊕1^L. Now notice that

M = DK(C[0]C⁰[1])

= FK(NtSl(R+ 1))⊕C⁰[1]

= FK(NtSl(R+ 1))⊕C[1]⊕1^L

= FK(NtSl(R+ 1))⊕(FK(NtSl(R+ 1))⊕1^L)⊕1^L

= 0^L

= M0.

Thus, the decryption oracle will returnM0, and thus Awill return 1. In World 0, meaning whenb= 0, let C[0]C[1] denote the ciphertext returned by the lr-encryption oracle, and letR=StN(C[0]). Then

C[1] = FK(NtSl(R+ 1))⊕M0 = FK(NtSl(R+ 1))⊕0^L. Now notice that

M = DK(C[0]C⁰[1])

= FK(NtSl(R+ 1))⊕C⁰[1]

= FK(NtSl(R+ 1))⊕C[1]⊕1^L

= FK(NtSl(R+ 1))⊕(FK(NtSl(R+ 1))⊕0^L)⊕1^L

= 1^L

= M₁.

Thus, the decryption oracle will returnM1, and thusAwill return 0, meaning will return 1 with probability zero.

An attack on C-CTR (cf. Scheme 6.6) is similar, and is left to the reader.

6.11.2 Attack on CBC

LetE:{0,1}^k× {0,1}^l→ {0,1}^lbe a block cipher and letSE= (K,E,D) be the associated CBC symmetric encryption scheme as described in Scheme 6.4. The weakness of the scheme that makes it susceptible to a chosen-ciphertext attack is the following. SayC[0]C[1] is a ciphertext of some l-bit messageM, and we flip bitiof the IVC[0], resulting in a new ciphertextC⁰[0]C[1]. Let M⁰ be the message obtained by decrypting the new ciphertext. Then M⁰ equals M with the i-th bit flipped. (You should check that you understand why by looking at Scheme 6.4.) Thus, by making a decryption oracle query ofC⁰[0]C[1] one can learn M⁰ and thus M. In the following, we show how this idea can be applied to break the scheme in our model by figuring out in which world an adversary has been placed.

Proposition 6.27 Let E:{0,1}^k × {0,1}^l → {0,1}^l be a block cipher and let SE = (K,E,D) be the corresponding CBC symmetric encryption scheme as described in Scheme 6.4. Then

Adv^ind-cca

SE (t,1, l,1,2l) = 1 fort=O(l) plus the time for one application ofF.

The advantage of this adversary is 1 even though it uses hardly any resources: just one query to each oracle.

That is clearly an indication that the scheme is insecure.

Proof of Proposition 6.27: We will present an adversary algorithmA, having time-complexityt, making 1 query to its lr-encryption oracle, this query being of lengthl, making 1 query to its decryption oracle, this query being of length 2l, and having

Adv^ind-cca

SE,A = 1. The Proposition follows.

Remember the the lr-encryption oracleEK(LR(·,·, b)) takes input a pair of messages, and returns an encryp-tion of either the left or the right message in the pair, depending on the value of b. The goal of A is to determine the value ofb. Our adversary works like this:

Cryptography: Lecture Notes 115

AdversaryA^{EK(LR(·,·,b)),DK(·)} M0←0^l ; M1←1^l

C[0]C[1]← EK(LR(M0, M1, b)) C⁰[0]←C[0]⊕1^L ; C⁰←C⁰[0]C[1]

M ← DK(C⁰)

IfM =M₀ then return 1 else return 0

The adversary’s single lr-encryption oracle query is the pair of distinct messages M0, M1, each one block long. It is returned a ciphertext C[0]C[1]. It flips the bits of the IV C[0] to get a new IV C⁰[0] and then feeds the ciphertextC⁰[0]C[1] to the decryption oracle. It bets on World 1 if it gets back M0, and otherwise on World 0. It is important that C⁰[0]C[1]6=C[0]C[1], so the decryption oracle query is legitimate. Now, we claim that

Ph

Exp^ind-cca-1 SE,A = 1i

= 1

Ph

Exp^ind-cca-0 SE,A = 1i

= 0. Hence Adv^ind-cca

SE,A = 1−0 = 1. And A achieved this advantage by making just one lr-encryption oracle query, whose length, which as per our conventions is just the length ofM₀, islbits, and just one decryption oracle query, whose length is 2l bits. SoAdv^ind-cca

SE (t,1, l,1,2l) = 1.

Why are the two equations claimed above true? You have to return to the definitions of the quantities in question, as well as the description of the scheme itself, and walk it through. In World 1, meaning when b= 1, the lr-encryption oracle returnsC[0]C[1] with

C[1] = E_K(C[0]⊕M₁) = E_K(C[0]⊕1^l). Now notice that

M = DK(C⁰[0]C[1])

= E_K⁻¹(C[1])⊕C⁰[0]

= E_K⁻¹(EK(C[0]⊕1^l))⊕C⁰[0]

= (C[0]⊕1^l)⊕C⁰[0]

= (C[0]⊕1^l)⊕(C[0]⊕1^l)

= 0^l

= M₀.

Thus, the decryption oracle will returnM0, and thusAwill return 1. In World 0, meaning whenb= 0, the lr-encryption oracle returnsC[0]C[1] with

C[1] = E_K(C[0]⊕M₀) = E_K(C[0]⊕0^l). Now notice that

M = DK(C⁰[0]C[1])

= E_K⁻¹(C[1])⊕C⁰[0]

= E_K⁻¹(EK(C[0]⊕0^l))⊕C⁰[0]

= (C[0]⊕0^l)⊕C⁰[0]

= (C[0]⊕0^l)⊕(C[0]⊕1^l)

= 1^l

= M₁.

Thus, the decryption oracle will returnM1, and thusAwill return 0, meaning will return 1 with probability zero.