
JUST PART TWO! You may need the first part for part 2. (1). Show that CBC encryp


Question

JUST PART TWO! You may need the first part for part 2.

(1). Show that CBC encryption where the IV is random but known in advance is not indistinguishable,
under chosen plaintext attack. Directions: assume attacker sees the ciphertext blocks c1, c2 resulting
from CBC encryption of plaintext messages m1, m2. Furthermore, attacker is now given a random
value I, to be used in CBC encryption of a message X that the attacker can choose. The attacker
is given the result of that encryption; e.g., if X is exactly one block long, then attacker is given the
output of E(X XOR I). Show that this allows attacker to find if m2 is a block of all zeros or block of all
1 bits. Conclude that such CBC encryption is not CPA-IND.
(2). Extend the attack, to allow the attacker to learn the last byte of m2, assuming that all other bytes
are known.

Explanation / Answer

--> In CBC encryption mode the IV used is random. Softest it is not apparent in polynomial time. If an attacker sees the ciphertext produced by a plaintext message. Furthermore, the attacker is given a random value I that will be used in the encryption of message X. But the attacker has no idea which ciphertext block is generated from that random value.
Suppose there are two oracles which take two inputs, a plaintext P and an initialization vector IV. The first oracle Enc(P, IV) performs CBC encryption and outputs a ciphertext with the same length as the plaintext P. The second oracle Rand(P, IV) returns a random string of bits with the same length as the plaintext P.
By the security concern of CBC it is not apparent in polynomial time, with respect to the length n of the encryption key k, whether a given output is produced from Enc(P, IV) or Rand(P, IV). So this encryption is CPA-IND encryption.
Now, suppose an opponent A has access to an oracle content either by Enc or Rand. But A is unaware of which output is generated by Enc and which by Rand. Thus, it is observed that the scheme is most probably secure in polynomial time.
--> Now if an attacker has the ciphertexts C1 and C2, encrypted from the messages M1 and M2. Furthermore, the attacker is given a random value I which is to be used in the encryption of the plaintext X. The attacker can choose X appropriately. If the result of the encryption of X by random value I is matched with the ciphertext seen by the attacker. If the ciphertext of the original message and the ciphertext of message X are the same, then the attacker can read the original message.
So this type of CBC encryption is not CPA-IND encryption.
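
The setting in the question, worked through as an added example (not part of the original answer): since c2 = E(m2 XOR c1), choosing X = guess XOR c1 XOR I makes the oracle return E(guess XOR c1), which equals c2 exactly when guess = m2. Assumptions: the class and function names are hypothetical, and a keyed SHA-256 truncation stands in for the block cipher E, which is enough because the test only needs E to be deterministic.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class PredictableIvCbc:
    """CBC encryption oracle whose next IV is random but revealed in advance."""
    def __init__(self):
        self._key = os.urandom(16)
        self._iv = os.urandom(BLOCK)

    def _E(self, block):
        # Stand-in for the block cipher E (assumption): keyed and deterministic.
        return hashlib.sha256(self._key + block).digest()[:BLOCK]

    def next_iv(self):
        return self._iv  # the value I handed to the attacker

    def encrypt(self, msg):
        if len(msg) % BLOCK:
            raise ValueError("message must be whole blocks")
        prev, out = self._iv, []
        for i in range(0, len(msg), BLOCK):
            prev = self._E(xor(msg[i:i + BLOCK], prev))
            out.append(prev)
        self._iv = os.urandom(BLOCK)  # fresh IV for the next call
        return out

def block_equals(oracle, c1, c2, guess):
    """Part 1: one chosen-plaintext query decides whether m2 == guess."""
    I = oracle.next_iv()
    X = xor(xor(guess, c1), I)          # so that X XOR I == guess XOR c1
    return oracle.encrypt(X)[0] == c2   # E(guess XOR c1) == E(m2 XOR c1)?

def recover_last_byte(oracle, c1, c2, known_prefix):
    """Part 2: with 15 bytes known, at most 256 queries find the last byte."""
    for b in range(256):
        if block_equals(oracle, c1, c2, known_prefix + bytes([b])):
            return b
    return None

if __name__ == "__main__":
    oracle = PredictableIvCbc()
    m1, m2 = b"A" * BLOCK, b"PIN ends with: 7"   # constructed sample blocks
    c1, c2 = oracle.encrypt(m1 + m2)
    print(block_equals(oracle, c1, c2, bytes(BLOCK)))        # all-zero guess
    print(chr(recover_last_byte(oracle, c1, c2, m2[:15])))   # last byte of m2
```

The equality test stops working once the IV is unpredictable until after X is fixed, because the attacker can no longer cancel it out of the cipher input.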