3

Let's assume that for encryption with AES in CBC mode we have $IV\in \{0\}^{113}||\{0,1\}^{15}$.

I know that if we can predict next IV with 100% probability there is attack that completely breaks encryption. Then if we randomly choose IV as prediction, we have $\frac{1}{2^{15}}$ probability of correctly guessing next vector.

Is there a better CCA or CPA for this weak IV? How many queries on average and at most would it take?

Naan
  • 249
  • 2
  • 6
  • When we can predict IV that will be used in future https://crypto.stackexchange.com/questions/3883/why-is-cbc-with-predictable-iv-considered-insecure-against-chosen-plaintext-atta – Naan Jul 06 '17 at 17:27
  • Removed comment as it doesn't apply to the question after the edit anymore. – puzzlepalace Jul 06 '17 at 18:53

1 Answers1

2

If the goal is to distinguish the encryptor from random, the obvious thing to do is to ask for $\sqrt{2^{15}}$ encryptions of the same plaintext. Assuming that each encryption uses one of the $2^{15}$ allowed IVs randomly, then with good probability, two separate encryptions will use the same IV (and thus result in the exact same ciphertext). This is rather better than the $\frac{1}{2^{15}}$ result you get from trying to predict the IV.

Now, if you want something better than a distinguishing attack, well, consider this attack model: the attacker has a ciphertext block $C$ where he has partial information about the corresponding plaintext $P$, namely, he knows the initial 113 bits, and has no information about the remaining 15. The attacker wishes to recover the remaining 15 bits, and is able to inject chosen plaintext, and is able to see in the ciphertext the IV that the encryptor selected.

What the attacker can do is inject a series of chosen plaintexts with the first 113 bits being the plaintext $P$ he knows, and the last 15 bits being 0 (arbitrary works, 0 makes it a bit easier to explain). The encryptor will select a random IV; if the random IV he selects happens to have the exact same last 15 bits as the unknown plaintext, then the resulting initial ciphertext block will be the challenge ciphertext block $C$ (and so, by examining the IV that the encryptor used, the attacker now knows the value $P$).

For each submitted plaintext, there's a probability $2^{-15}$ of the random IV being 'right', and so this takes an expected $2^{15}$ plaintext queries to succeed.

In contrast, in this attack model, if we assume that the attacker can predict the entire IV, he could recover the plaintext with an expected $2^{15}/2$ queries, and so the attacker not knowing the last 13 bits only reduces the efficiency by a factor of 2.

poncho
  • 147,019
  • 11
  • 229
  • 360
  • It's worth mentioning that $\sqrt{2^{15}}$ comes from birthsday paradox and is number of encryptions, from which we have more than 50% chance of two IV's being the same.

    I'm not sure if it shouldn't be $1.2\cdot\sqrt{2^{15}}$

     – Naan Jul 09 '17 at 15:25