Re: Countering chosen-plaintext attacks
From: Mok-Kong Shen (mok-kong.shen_at_t-online.de)
Date: 03/06/04
- Next message: John Savard: "Re: Countering chosen-plaintext attacks"
- Previous message: AE: "Re: Countering chosen-plaintext attacks"
- In reply to: AE: "Re: Countering chosen-plaintext attacks"
- Next in thread: AE: "Re: Countering chosen-plaintext attacks"
- Reply: AE: "Re: Countering chosen-plaintext attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 06 Mar 2004 13:39:50 +0100
AE wrote:
> Mok-Kong Shen wrote:
>
>> AE wrote:
>>
>>> Mok-Kong Shen wrote:
>>>
>>>> AE wrote:
>>>>
>>>>> ...
>>>>> To do a chosen-plaintext attack the attacker will have to be able
>>>>> to choose one block when already knowing the previous block :-/
>>>>
>>>> You start with one block, then you have freedom in choosing
>>>> any following blocks of plaintext.
>>>> ...
>>>
>>> No: You are free to change the next plaintext block, but the
>>> ciphertext-block which is used to change the block that follows
>>> depends on the key.
>>>
>>> For example, controlling the IV and the plaintext, then letting
>>> somebody encrypt it and intercepting the encrypted message, doesn't
>>> allow one to mount a chosen-plaintext attack on a cipher in CBC mode.
>>
>> I assume that the IV is random and not under the control of
>> the opponent, and further that it is either transmitted encrypted
>> or encrypted to obtain a block for chaining the first
>> plaintext block.
>
> Well - if the opponent isn't able to change the IV or any
> ciphertext block, he can't mount a chosen-plaintext attack unless he
> is able to change the first plaintext block when already knowing
> the IV and - as mentioned - every other plaintext block when he already
> knows the previous ciphertext block.
But that was exactly my point: Because he knows the ciphertexts,
he can in CBC mode modify his chosen plaintext to suit his
purpose. Suppose, say, he wants the 'input' to the cipher
to be the block P1, and that the ciphertext of the previous
block is C0. He could choose P1'=C0^P1 instead. Now according
to CBC, the 'input' to the cipher (i.e. what the original
algorithm actually obtains) will be P1'^C0=P1, as desired.
Thus CBC isn't good enough to protect against chosen-plaintext
attacks. In (1) of my first post in this thread, I therefore
suggested considering the eventually viable application of
certain non-linear block chaining that depends on 'all'
previous plaintext and ciphertext blocks for that purpose.
M. K. Shen
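The adaptive choice P1' = C0 ^ P1 described in the post, as an added Python example (not code from the thread): after observing C0, submitting C0 ^ P1 as the next plaintext block makes the block cipher's real input equal to P1, whereas submitting P1 directly does not. The block cipher E_k is replaced by a constructed keyed-hash stand-in, and the key, IV and plaintext blocks are assumed test values.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for a 128-bit block cipher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_k (constructed for this example).

    A truncated SHA-256 of key||block is not a real cipher and is not
    invertible, but CBC *encryption* only ever calls E_k in the forward
    direction, which is all this demonstration needs."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}), with C_{-1} = IV."""
    prev, out = iv, []
    for p in blocks:
        prev = block_encrypt(key, xor(p, prev))  # the 'input' to E_k is p ^ prev
        out.append(prev)
    return out


def adaptive_choice(c0: bytes, wanted: bytes) -> bytes:
    """The post's P1' = C0 XOR P1: once C0 is known, this is the plaintext
    block to submit so that E_k actually receives the block P1."""
    return xor(c0, wanted)


def run_adaptive_cpa(key: bytes, iv: bytes, p0: bytes, wanted: bytes):
    """Return (naive_hit, adaptive_hit).

    naive_hit:    is C1 == E_k(wanted) when the attacker submits `wanted` as is?
    adaptive_hit: is C1 == E_k(wanted) when he submits C0 ^ wanted instead?
    The attacker never sees `key` or `iv`; he only observes C0 from the first
    encryption and uses it to shape the second plaintext block."""
    c0 = cbc_encrypt(key, iv, [p0])[0]
    target = block_encrypt(key, wanted)  # E_k(P1), computed here only for checking
    naive = cbc_encrypt(key, iv, [p0, wanted])[1]
    adaptive = cbc_encrypt(key, iv, [p0, adaptive_choice(c0, wanted)])[1]
    return naive == target, adaptive == target


if __name__ == "__main__":
    # Constructed test values: key, IV and two plaintext blocks.
    print(run_adaptive_cpa(b"k" * 16, b"\x00" * 16, b"A" * 16, b"B" * 16))
```

The result (False, True) shows that a random, even secret, IV protects only the first block's cipher input; from the second block on, an attacker who sees the previous ciphertext block can dictate what E_k receives.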