Does AES-ECB with random padding added to each block satisfy IND-CPA?

Question

I present a modified version of AES-ECB. Suppose I want to encrypt the string hello, world. this is a test. For each block, I use the first eight bytes as my actual message, while the second eight bytes are random. For the last block, I'll pad my first eight bytes deterministically. So my four blocks are (I'll use * to denote random bytes, and $ to denote deterministic padding):

hello, w********
orld. th********
is is a ********
test$$$$********

Then I encrypt each block with AES to obtain my cipher text.

I know that this encryption scheme is still malleable. Is it still distinguishable under chosen plaintext?

Answer 1

First, I would not call this AES-ECB, since adding randomness means that it is not ECB. Second, when limiting the message space to what fits into one block, asymptotically -- meaning for a pseudorandom permutation with block size $n$ -- this construction is actually even CCA-secure (and so non-malleable, since indistinguishability and non-malleability are equivalent under CCA attacks). This is actually Exercise 4.2.5 in Introduction to Modern Cryptography, 2nd edition. (When using multiple blocks as in the question, it would be CPA-secure and certainly malleable.)

I just want to note (with respect to @poncho's answer) that this is asymptotically secure. This means that when considering a pseudorandom permutation with block size $n$, no adversary running in time polynomial in $n$ can succeed with probability that is more than negligible in $n$. In practice, with a 128-bit block cipher, this construction will give very poor bounds. However, $2^{32}$ is really here $2^{n/4}$ which is super-polynomial. Thus, there is no contradiction.

In conclusion, this isn't a great idea in practice (unless you have a very large block cipher). However, it works in theory.

Answer 2

Is it still distinguishable under chosen plaintext?

Yes; consider the encryption of $2^{32}$ occurrences of the same 8 byte block; it is likely that two of the blocks will have the same random padding (and hence the same 16 byte ciphertext block).