2

Perhaps I don't understand the answers to Malleability attacks against encryption without authentication, so trying to be more concrete... please be patient.

If I want to change the first block and I can change the IV, I see that it's easy to change the IV to IV xor old_block_0 xor new_block_0 and the first block would change.

However, if I want to change the second block block_1, I don't understand how I can do it. If I change the block before it to block_0 xor x, I would garble the D(block_0), wouldn't I?

ihadanny
    The malleability attack on CBC mode does garble the previous block. –  Feb 01 '14 at 21:09
  • @RickyDemer - rephrased, hope it's clearer now – ihadanny Feb 01 '14 at 21:20
  • 1
    If you change the block before it to block_0 xor x then you would indeed "destroy" the D(block_0), if "destroy" means garble. –  Feb 01 '14 at 21:26
  • ok :) I sense that I'm missing something basic and making you guys angry. Will think about it some more before bothering the community. Thanks! – ihadanny Feb 01 '14 at 21:35
  • Maybe some people had a "meh" moment, but if this question was not asked yet, I don't think there is too much wrong with the question. – Maarten Bodewes Feb 02 '14 at 12:09
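The two manipulations the question describes, worked through in code as an added example (this is not code from the original post or its answers). CBC's malleability comes from how the mode chains blocks, not from the block cipher underneath, so the block cipher here is a hypothetical toy 16-byte Feistel construction keyed through SHA-256 standing in for AES; it is not secure and exists only so the example runs offline. Keys, IV and plaintext blocks are constructed sample values. The last two functions show the standard mitigation the linked question's answers point to: authenticate the IV and ciphertext (encrypt-then-MAC) and refuse to decrypt anything whose tag does not verify.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, same as AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 4-round Feistel block cipher (hypothetical stand-in for AES; NOT secure).
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "example uses whole blocks; no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


# --- the two manipulations from the question ---------------------------------
def retarget_iv(iv, ct, old_block0, new_block0):
    """IV' = IV xor old_block_0 xor new_block_0. Only P_0 depends on the IV,
    so P_0 becomes new_block0 and every other block is untouched."""
    return xor(iv, xor(old_block0, new_block0)), ct


def retarget_block1(iv, ct, old_block1, new_block1):
    """Flip bits in C_0 so that P_1 = D(C_1) xor C_0' becomes new_block1.
    D(C_0') bears no relation to D(C_0), so P_0 comes out garbled."""
    c0_mod = xor(ct[:BLOCK], xor(old_block1, new_block1))
    return iv, c0_mod + ct[BLOCK:]


# --- mitigation: encrypt-then-MAC, verify before decrypting -------------------
def seal(enc_key, mac_key, iv, pt):
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # covers IV too
    return iv + ct + tag


def unseal(enc_key, mac_key, msg):
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering detected; nothing is decrypted
    return cbc_decrypt(enc_key, iv, ct)


# Constructed sample values (not from the page).
KEY = b"k" * 16
MAC_KEY = b"m" * 32
IV = bytes(range(16))
P0, P1 = b"block zero here.", b"block one here!!"
NEW0, NEW1 = b"BLOCK ZERO HERE.", b"BLOCK ONE HERE!!"


def demo():
    """Returns (plaintext after IV retargeting, plaintext after C_0 retargeting)."""
    ct = cbc_encrypt(KEY, IV, P0 + P1)
    iv_a, ct_a = retarget_iv(IV, ct, P0, NEW0)
    iv_b, ct_b = retarget_block1(IV, ct, P1, NEW1)
    return cbc_decrypt(KEY, iv_a, ct_a), cbc_decrypt(KEY, iv_b, ct_b)


def demo_etm():
    """Returns (unseal of intact message, unseal of IV-tampered message)."""
    msg = seal(KEY, MAC_KEY, IV, P0 + P1)
    tampered = xor(msg[:BLOCK], xor(P0, NEW0)) + msg[BLOCK:]
    return unseal(KEY, MAC_KEY, msg), unseal(KEY, MAC_KEY, tampered)


if __name__ == "__main__":
    via_iv, via_c0 = demo()
    print("IV retargeted   :", via_iv)
    print("C_0 retargeted  :", via_c0[:BLOCK], "(garbled)", via_c0[BLOCK:])
    print("encrypt-then-MAC:", demo_etm())
```

Running `demo()` shows exactly what the question and its comments describe: the IV change yields `NEW0 + P1` with nothing else disturbed, while the change to `C_0` yields `NEW1` in the second block and sixteen unrelated bytes in the first. `demo_etm()` shows that once the IV and ciphertext are covered by an HMAC, the same IV change is rejected before any decryption takes place.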

1 Answer

3

Depending on how malleability is defined, the question actually has some merit.

According to the Wikipedia definition of malleability, a cipher is malleable if there exists at least one function $g$ over the set of possible ciphertexts, and one function $f$ over the set of possible plaintexts, such that given any ciphertext $c_0$, the ciphertext $c_1 = g(c_0)$ will decrypt to $D_k(c_1) = f(D_k(c_0))$ regardless of which key $k$ is used for the decryption.

Given that a function by definition assigns a unique value to each argument, there only exists such a function $f$ for CBC mode that might be known in advance to the attacker and might be determined from $g$ alone, if the corresponding function $g$ only modifies the IV. If the function $g$ modifies any other block, then $f$ will either be a relation (i.e. assign a set of possible values to each argument, rather than a unique value), or it will be a function that depends also on the key $k$.

Still, non-malleability might be defined in such a way that the function $f$ only has to exist, without necessarily being known to the attacker in advance. If non-malleability is defined in such a way, it is not necessarily a problem that this might imply that $f$ depends also on the unknown key and not just on $g$ and the plaintext.

Henrick Hellström