2

I was going through this question Why is it said that if we have a duplicate ciphertext block it can leak our information? and I was just wondering

  • if there is a $P_i \oplus P_j= C_{i−1}\oplus C_{j−1}$ relationship, is CBC still secure?
  • How does this equality lead to information leak?
kelalaka
  • 48,443
  • 11
  • 116
  • 196
Aish2410
  • 21
  • 1

1 Answers1

1
  • if there is a $P_i \oplus P_j= C_{i−1}\oplus C_{j−1}$ relationship, is CBC still secure?

As commented by SqueamishOssifrage standard collision of $2^{64}$ blocks for a 128-bit block cipher is not a hard limit. We want a negligible success for the adversaries. With $q$ queries ( encryptions) the advantage of the adversary must be negligible like $2^{-32}$ or $2^{-64}$.

To achieve this we need

  • $q^2/2^{128} = 1/2^{64}$ that is $q=2^{32}$, or
  • $q^2/2^{128} = 1/2^{32}$ that is $q=2^{48}$

Therefore you should not encrypt more than $2^{32}$ or $2^{48}$ block depending on the advantage settings of the adversary.

The CBC mode has more problems than this;

  • The IV must be unpredictable.
  • The padding oracle attacks on servers.
  • The BEAST and Lucky13 attacks on TLS only.

And, therefore CBC mode is removed from TLS 1.3. CBC mode is archaic. Today, you should use Authenticated Encryption as AES-GCM or ChaCha20-Poly1305.

  • How does this equality lead to information leak?

You have a relation $P_{i}\oplus P_j=C_{i-1}\oplus C_{j-1}$ in which you know $C_{i-1} \text{ and } C_{j-1}$ then you know the $\oplus$ difference of the two plaintext. In AES, you will have at most 128-bit to apply crib-dragging attack like in OPT. If you know one of the plaintext you know the other.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • $2^{64}$ is not a hard limit; it's not also a safe data volume. Really you should set a limit much lower than that so that $q^2!/2^{128}$ is always very small for any number of blocks $q$ your application will conceivably use. – Squeamish Ossifrage Oct 01 '19 at 13:31
  • @SqueamishOssifrage If I understand correctly, you are talking about the collision probability of $q$ queries with setting $q$ such that $q^2/2^{128} \approx 50%$ – kelalaka Oct 01 '19 at 13:45
  • I am talking about a bound on the adversary's advantage, which is some statistical distance between your ciphertexts and uniform random noise—a difference in probabilities, which in this case is derived from collision probabilities. You, as the legitimate user, want to make the adversary's advantage negligible. If $q^2 = 2^{128}$, then the advantage is near maximum possible advantage $q^2!/2^{128} = 1$. We might hope that for the application's entire lifetime, the advantage is more like $2^{-32}$ or $2^{-64}$ or so. – Squeamish Ossifrage Oct 01 '19 at 13:49
  • @SqueamishOssifrage I've updated with your comments. – kelalaka Oct 01 '19 at 14:03
  • 1
    Thank you Squeamish Ossifrage and kelalaka – Aish2410 Oct 09 '19 at 20:26
  • @Aish2410 The usual appreciation is upvoting and accepting the answers. – kelalaka Oct 10 '19 at 13:00