Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

6.857 Homework Problem Set 3 # 3-2. IND-CCA April 15, 2014

advertisement 
6.857 Homework
Anonymous
Anonymous
Anonymous
Anonymous
Problem Set 3
# 3-2. IND-CCA
April 15, 2014
Theorem: Bob’s method E is not IND-CCA secure.
Proof: The adversary picks m0 = 0x , m1 = 1x for large x ≥ 3·128 in phase I. Then y = EK1 ,K2 (md ).
Let z = y with the first bit flipped. Since z = y, the adversary is allowed to ask for DK1 ,K2 (z) in
phase II. This correctly gives the first 128-bit block of md , revealing d (zeroes if d = 0 or ones if
d = 1). Therefore, the adversary wins the game.
Why does this work? Consider the steps of E, where md is divided into n 128-bit blocks (n ≥ 3):
1.
2.
3.
4.
Start with md = m1 , . . . , mn .
(1)
(1)
EncCBCK1 (m1 , . . . , mn ) = IV (1) , C1 , . . . , Cn .
(1)
(1)
(1)
(1)
Rev(IV (1) , C1 , . . . , Cn ) = Cn , . . . , C1 , IV (1) .
(1)
(1)
(2)
(2)
(2)
EncCBCK2 (Cn , . . . , C1 , IV (1) ) = IV (2) , C1 , . . . , Cn , Cn+1 .
(2)
(2)
(2)
5. End with IV (2) , C1 , . . . , Cn , Cn+1 = y.
Now, consider the steps of D, which reverses E.
(2)
(2)
(2)
1. Start with y = IV (2) , C1 , . . . , Cn , Cn+1 .
(2)
(2)
(2)
(1)
(1)
2. DecCBCK2 (IV (2) , C1 , . . . , Cn , Cn+1 ) = Cn , . . . , C1 , IV (1) .
(1)
(1)
(1)
(1)
3. Rev(Cn , . . . , C1 , IV (1) ) = IV (1) , C1 , . . . , Cn .
(1)
(1)
4. DecCBCK1 (IV (1) , C1 , . . . , Cn ) = m1 , . . . , mn .
5. End with m1 , . . . , mn = md .
Finally, consider the steps of D when the input is z instead of y (the first bit is flipped). Denote
any changed blocks in red. As we observed in Lecture 9, the bit flip only affects the decryption
of the current block and the next block, since each decrypted block only depends on Ci and Ci− 1
(and only the first block depends on IV ).
(2)
(2)
(2)
1. Start with z = IV (2) , C1 , . . . , Cn , Cn+1 .
(2)
(2)
(2)
(1)
(1)
2. DecCBCK2 (IV (2) , C1 , . . . , Cn , Cn+1 ) = Cn , . . . , C1 , IV (1) .
(1)
(1)
(1)
(1)
3. Rev(Cn , . . . , C1 , IV (1) ) = IV (1) , C1 , . . . , Cn .
(1)
(1)
4. DecCBCK1 (IV (1) , C1 , . . . , Cn ) = m1 , . . . , mn .
5. End with m1 , . . . , mn .
Therefore, the first block m1 of md is correct, revealing d.
1
MIT OpenCourseWare
http://ocw.mit.edu
6.857 Network and Computer Security
Spring 2014
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
Related documents
Document13377827 13377827
Document13377827 13377827
Document13346328 13346328
Document13346328 13346328
Document13377825 13377825
Document13377825 13377825
6.262 Discrete Stochastic Processes Wednesday, Feb. 23, 2011 MIT, Spring 2011
6.262 Discrete Stochastic Processes Wednesday, Feb. 23, 2011 MIT, Spring 2011
Errata for the Fourth Printing Nancy Lynch
Errata for the Fourth Printing Nancy Lynch
Handout 9: Problem Set #4
Handout 9: Problem Set #4
Document13449567 13449567
Document13449567 13449567
21. Maxima and minima: II
21. Maxima and minima: II
Document13488521 13488521
Document13488521 13488521
Document13475898 13475898
Document13475898 13475898
Solutions
Solutions
Document13512669 13512669
Document13512669 13512669
— Exam #1 20.320 Question 1
— Exam #1 20.320 Question 1
Massachusetts Institute of Technology
Massachusetts Institute of Technology
Download
advertisement