Protecting Cipher Block Chaining Against Adaptive Chosen Plaintext Attack
Abstract
In the literature, several encryption modes of operation based on cipher block chaining (CBC) have been proven to be secure under non-adaptive chosen plaintext attack (CPA-1) in the left-or-right (LOR) or find-then-guess (FTG) security models. However, it was shown by Joux et al. at Crypto 2002 that if we allow the adversary to perform an adaptive chosen plaintext attack (CPA-2), then CBC, ABC and GEM are susceptible to FTG attacks. In this paper, we propose a new CBC-type encryption mode called input-output masked CBC (IO-CBC) which protects against FTG and LOR attacks based on forcing an input collision, protects against Joux's FTG attack under proper implementation, and increases the difficulty of linear and differential cryptanalysis. The efficiency of IO-CBC is comparable to CBC because it performs only one additional encryption compared with CBC. We also reason that the security proof of an IO-CBC variant follows from that of OCB.

1 Insecurity of CBC-type Modes under CPA-2 Attack

The CBC mode is one of the most commonly used encryption modes in practice. Let Ek(·) denote a secure block encryption function with secret key k. CBC can be described as:

Algorithm 1 CBC Mode:
  Input: randomly generated initial vector (IV), plaintext blocks M[1], M[2], ..., M[l].
  Initialize: O[0] = IV.
  For i = 1, ..., l:
    Input:      I[i] = M[i] ⊕ O[i−1]
    Output:     O[i] = Ek(I[i])
    Ciphertext: C[i] = O[i]
  Output: IV, ciphertext blocks C[1], C[2], ..., C[l].

The CBC mode was proven to be secure against the left-or-right distinguishing attack (LOR-secure) (Bellare, 1997, Proposition 15, Lemma 16, Theorem 17) under non-adaptive chosen plaintext attack (CPA-1). However, in (Joux, 2002), Joux et al. proved that under blockwise adaptive chosen plaintext attack (CPA-2), CBC can be distinguished by a find-then-guess (FTG) attack.
The FTG attack uses the fact that in CBC under CPA-2, the adversary can force a collision in the input of the block cipher at any two iterations i and j (j > i) by setting M[j] = C[j−1] ⊕ C[i−1] ⊕ M[i]. In that case, the ciphertexts of iterations i and j will be the same. This fact can also be used to mount an LOR attack on CBC under CPA-2 assumptions. Similar LOR and FTG attacks, based on a collision of the block cipher input at two blocks, can also be performed against CBC-type encryption modes like Accumulated Block Chaining (ABC) (Knudsen, 2000) and the Propagating CBC mode (PCBC) (Matyas, 1982). In ABC, the adversary forces a collision as in CBC, but instead of comparing C[i] = C[j], he compares C[i] ⊕ M[i−1] = C[j] ⊕ M[j−1]. In PCBC, to force a collision, the adversary needs to choose a plaintext M[j] such that M[j] ⊕ C[j−1] ⊕ M[j−1] = M[i] ⊕ C[i−1] ⊕ M[i−1].

In the LOR and FTG attacks, the adversary is able to force a collision because the "masking" at each block is known, so he can adaptively choose the appropriate plaintext. Moreover, a collision can be verified by observing the ciphertext. This gives an advantage to black-box cryptanalysis as a stepping stone to determine which mode of operation the encryptor uses. One way to protect encryption modes against these attacks is to mask the input and output with some unknown data. One possible candidate is IACBC, proposed by Jutla. To encrypt m blocks of data, log(m) additional encryptions of the values r+1, ..., r+log(m), where r is secret, are performed. These log(m) encrypted values are then expanded using Gray code to form m pairwise independent secret blocks S1, S2, ..., Sm. The encryption of IACBC is identical to CBC except that the block cipher output O[i] is XORed with Si to form the ciphertext C[i]. Similarly, OCB (Rogaway, 2001) uses (a different) masking to enhance ECB mode. In this paper, we propose a new CBC-type encryption mode called input-output masked CBC mode (IO-CBC).
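As an added illustration (not code from the paper), the following Python models the blockwise encryption oracle for CBC and PCBC and applies the collision rules stated above, then repeats the CBC rule against a mode whose cipher output is hidden behind a secret mask to show why the observable collision disappears. The toy Feistel permutation standing in for Ek, the key, IV and mask seed are all constructed for the example; the masked mode is a simplified illustration in the spirit of the masking idea, not Jutla's IACBC Gray-code construction. ABC is left out because its full definition is not given on this page.

```python
import hashlib

BLOCK = 16  # block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for Ek: a 4-round Feistel network keyed through SHA-256.
    It is a permutation on 16-byte blocks (all the argument needs), but it is
    NOT a real cipher; use AES for anything beyond illustration."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class BlockwiseCBC:
    """CBC as in Algorithm 1, exposed one block at a time (blockwise oracle)."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.prev = key, iv                  # O[0] = IV

    def encrypt_block(self, m: bytes) -> bytes:
        c = toy_block_encrypt(self.key, xor(m, self.prev))   # C[i] = Ek(M[i] xor O[i-1])
        self.prev = c
        return c


class BlockwisePCBC:
    """Propagating CBC: I[i] = M[i] xor M[i-1] xor C[i-1], with M[0] = 0, C[0] = IV."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.prev_m, self.prev_c = key, bytes(BLOCK), iv

    def encrypt_block(self, m: bytes) -> bytes:
        c = toy_block_encrypt(self.key, xor(xor(m, self.prev_m), self.prev_c))
        self.prev_m, self.prev_c = m, c
        return c


class BlockwiseMaskedCBC:
    """Illustrative output-masked CBC (an assumption of this example, not IACBC):
    chaining still uses the raw cipher output O[i], but the adversary only sees
    C[i] = O[i] xor S_i, where S_i = Ek(r xor i) and r is a secret block."""
    def __init__(self, key: bytes, iv: bytes, r: bytes):
        self.key, self.r, self.prev_o, self.i = key, r, iv, 0

    def encrypt_block(self, m: bytes) -> bytes:
        self.i += 1
        o = toy_block_encrypt(self.key, xor(m, self.prev_o))
        self.prev_o = o
        s = toy_block_encrypt(self.key, xor(self.r, self.i.to_bytes(BLOCK, "big")))
        return xor(o, s)


def cbc_rule(m, c, i, j):
    # M[j] = C[j-1] xor C[i-1] xor M[i]
    return xor(xor(c[j - 1], c[i - 1]), m[i])


def pcbc_rule(m, c, i, j):
    # M[j] xor C[j-1] xor M[j-1] = M[i] xor C[i-1] xor M[i-1], solved for M[j]
    return xor(xor(xor(xor(m[i], c[i - 1]), m[i - 1]), c[j - 1]), m[j - 1])


def collision_test(oracle, iv: bytes, rule, i: int = 1, j: int = 3) -> bool:
    """Submit j-1 fixed blocks, pick M[j] with `rule`, and report whether the
    adversary can observe the collision C[i] == C[j] in the ciphertext."""
    m, c = {0: bytes(BLOCK)}, {0: iv}
    for idx in range(1, j):
        m[idx] = bytes([idx]) * BLOCK        # constructed, arbitrary plaintext blocks
        c[idx] = oracle.encrypt_block(m[idx])
    m[j] = rule(m, c, i, j)
    c[j] = oracle.encrypt_block(m[j])
    return c[i] == c[j]


KEY = b"constructed-key!"   # 16 bytes, constructed for the example
IV = b"constructed-iv!!"
R = b"secret-mask-seed"    # secret mask seed of the illustrative masked mode


def run_all() -> dict:
    return {
        "cbc": collision_test(BlockwiseCBC(KEY, IV), IV, cbc_rule),
        "pcbc": collision_test(BlockwisePCBC(KEY, IV), IV, pcbc_rule),
        "masked_cbc": collision_test(BlockwiseMaskedCBC(KEY, IV, R), IV, cbc_rule),
    }


if __name__ == "__main__":
    for mode, collided in run_all().items():
        print(f"{mode:11s} observable collision: {collided}")
```

For CBC and PCBC the chosen M[j] makes I[j] equal to I[i] exactly, so the collision is visible to anyone who can read the ciphertext. In the masked variant the same choice yields I[j] = I[i] ⊕ S_{j−1}, because the adversary XORs the masked C[j−1] where the chain actually uses O[j−1]; the block inputs differ, and since the masks are distinct and secret the ciphertext blocks match only with negligible probability.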
Unlike OCB and IACBC, which generate their maskings from a structured algorithm (Gray code) independent of the plaintext and ciphertext, IO-CBC generates its masking from a pseudorandom source, the block encryptor.

2 The Input-Output Masked CBC Mode

In this section, we describe the Input-Output Masked CBC mode (IO-CBC). The design goals of IO-CBC are as follows:
Similar references
An Adaptive-Ciphertext Attack against "I ⊕ C" Block Cipher Modes With an Oracle
Certain block cipher confidentiality modes are susceptible to an adaptive chosen-ciphertext attack against the underlying format of the plaintext. When the application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values resulting in an oracle. In this paper we describe how to recognize and exploit such an oracle to...
Two New Efficient CCA-Secure Online Ciphers: MHCBC and MCBC
Online ciphers are those ciphers whose ciphertexts can be computed in real time by using a length-preserving encryption algorithm. HCBC1 and HCBC2 are two known examples of Hash Cipher Block Chaining online ciphers. The first construction is secure against chosen plaintext adversary (or called CPA-secure) whereas the latter is secure against chosen ciphertext adversary (or called CCA-secure). In...
Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation
We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to e...
Expanding Pseudorandom Functions; or: From Known-Plaintext Security to Chosen-Plaintext Security
We present a new encryption mode for block ciphers. The mode is efficient and is secure against chosen-plaintext attack (CPA) already if the underlying symmetric cipher is secure against known-plaintext attack (KPA). We prove that known (and widely used) encryption modes as CBC mode and counter mode do not have this property. In particular, we prove that CBC mode using a KPA secure cipher is KP...
A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL
This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 2–1000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the u...