Crypto Week4

1) The document discusses CPA (chosen plaintext attack) security and different block cipher modes like ECB, CBC, and CTR. 2) ECB mode is insecure because it is deterministic and leaks information about identical plaintext blocks. CBC mode addresses these issues but cannot be parallelized. 3) CTR mode generates ciphertext blocks independently using a counter and IV, allowing parallelization without padding issues. The document proves that a block cipher in CTR mode is CPA-secure if the encryption function is a PRP.

Uploaded by Lanka Prasanna

Week 4 CS6160: Cryptology

CPA Security and Block Cipher Modes

1 CPA Security: Semantic Security against Chosen Plaintext Attack

In a Chosen Plaintext Attack (abbreviated as CPA), we assume that the
adversary can make queries to the Encryption function Enc(_, k) and thus
obtain the ciphertexts corresponding to plaintexts of their choice. Notice that
this is more powerful than a Known Plaintext Attack, where some (plaintext,
ciphertext) pairs are given to the adversary but the adversary cannot choose
the plaintexts or the ciphertexts.
When someone (in this case the adversary) does not know a function f (in
this case Enc(_, k)) but can query the values of the function on various
inputs, they are said to have oracle access to f .
We now formally define CPA security by means of the following.
CPA Indistinguishability Experiment PrivK^{CPA}_{A,Π}(n):
1. Alice generates a key k ∈ {0,1}^n uniformly at random.
2. The adversary A is given the value n (in unary) and oracle access to
Enc(_, k) throughout the experiment.
3. The adversary A chooses two messages m0 , m1 and sends them to Alice.
4. Alice picks b ∈ {0, 1} uniformly at random and sends c = Enc(mb , k)
to A.
5. The adversary A outputs a value b′ ∈ {0, 1}.
6. The output or value of the experiment is 1 if b′ = b and 0 otherwise.
Clarification: The adversary may also query Enc(_, k) on the messages
m_0, m_1 themselves. In particular, this implies that for a deterministic cryptosystem
(i.e. one which always outputs the same ciphertext for a given plaintext), an
adversary can win the above experiment with probability 1.
We can now define CPA security for an encryption system.
Definition 1. We say that a private-key encryption scheme Π = (Gen, Enc, Dec)
is CPA-secure if for all PPT adversaries A, there is a negligible function
negl() such that:

Pr[PrivK^{CPA}_{A,Π}(n) = 1] ≤ 1/2 + negl(n).

2 Block Cipher Modes

Recall that in a block cipher, we divide a message into blocks of fixed size
and also that an encryption algorithm such as DES or AES can encrypt one
block.
We now discuss the important issue of how to encrypt a message with several
blocks using an encryption algorithm.

2.1 ECB Mode:

The most obvious way is to encrypt each block separately and then concatenate
all the corresponding ciphertexts; this is called the Electronic Code Book
(ECB) mode. However, the ECB mode is insecure in at least two ways.
- Firstly, ECB encryption is deterministic and hence cannot be CPA-secure.
- Secondly, partial information is always leaked when two message blocks
are identical. For example, if the ciphertext looks like C1 C2 C1 C3, then
an eavesdropper can see that the first and third blocks are the same,
and even this is information that should not be leaked. This also opens
up the possibility of tampering for an active adversary, as they may be
able to modify just some blocks and send a valid and different ciphertext
to the receiver.
The main conclusion is that ECB mode should never be used for block cipher
encryption.

2.2 CBC Mode:

We now describe the first solution that addresses the drawbacks of ECB
mode. The Cipher Block Chaining (CBC) mode works as follows. Suppose
that the message is M = M_1 M_2 . . . M_L, where each M_i is an n-bit block.
1. A random initialization vector (IV) is generated from {0,1}^n.
2. The first cipher block is computed as C_1 = Enc(M_1 ⊕ IV, k).
3. Each successive block is computed as C_i = Enc(M_i ⊕ C_{i−1}, k).
4. The final ciphertext is IV || C_1 || . . . || C_L.
It turns out that CBC mode, when used with a PRP as the encryption function,
is CPA-secure. We do not formally prove this though, and instead give
a proof for the CTR mode (next section).
We mention a couple of drawbacks of CBC mode:
- It cannot be parallelized.
- When the last message block is shorter than the block size, it needs to
be padded, and this can lead to padding attacks (discussed later).

2.3 CTR Mode:

The Counter Mode (also sometimes called Randomized Counter Mode) works
as follows. As before, let M = M1 . . . ML be the message.
- As in CBC mode, a random IV is chosen from {0,1}^n.
- The i-th cipher block is generated as C_i = M_i ⊕ Enc(IV + i − 1, k).
The IV used in CTR mode is usually called a counter (as it is incremented
for each block), hence the name of the mode.
The advantages of this mode over CBC mode are that it can be parallelized
(as each cipher block can be generated independently of any other given the
IV) and it does not use padding.
In the next section, we show that a block cipher used in CTR mode is CPA-secure
if the encryption algorithm is a PRP.
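An added Python illustration (not part of the notes) of the experiment in Section 1 and of the ECB and CTR modes: Enc(_, k) is stood in for by a small Feistel-network permutation keyed with HMAC (an assumption made here for self-containment; any PRP would do). The adversary from the clarification after the experiment re-encrypts m_0 and compares, which wins with probability 1 against deterministic ECB but is reduced to a coin flip against CTR with a fresh IV; the same code shows the C1 C2 C1 C3 leak and that CTR needs no padding.

```python
import hashlib, hmac, secrets

BLOCK = 16  # block size in bytes, i.e. n = 128 bits

def prp(k: bytes, x: bytes) -> bytes:
    """Stand-in for the notes' Enc(_, k): a 4-round Feistel network with an HMAC-SHA256
    round function. Every Feistel network is a permutation on 16-byte blocks. Illustration only."""
    l, r = x[:8], x[8:]
    for rnd in range(4):
        f = hmac.new(k, bytes([rnd]) + r, hashlib.sha256).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates: a short last block needs no padding

def blocks(m: bytes) -> list:
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(prp(k, mb) for mb in blocks(m))  # no IV, so deterministic (full blocks only)

def ctr_enc(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    iv = secrets.token_bytes(BLOCK) if iv is None else iv  # fresh random IV per encryption
    c0 = int.from_bytes(iv, "big")
    pads = (prp(k, ((c0 + i) % 2**128).to_bytes(BLOCK, "big")) for i in range(len(blocks(m))))
    return iv + b"".join(xor(mb, p) for mb, p in zip(blocks(m), pads))  # C_i = M_i xor Enc(IV+i-1, k)

def ctr_dec(k: bytes, c: bytes) -> bytes:
    return ctr_enc(k, c[BLOCK:], c[:BLOCK])[BLOCK:]  # decryption regenerates the same XOR stream

def repeated_blocks(c: bytes) -> int:
    """Number of ciphertext blocks equal to an earlier one (the C1 C2 C1 C3 leak of ECB)."""
    bs = blocks(c)
    return len(bs) - len(set(bs))

def privk_cpa(enc, adversary) -> int:
    """One run of PrivK^CPA_{A,Pi}(n): returns 1 if the adversary's guess b' equals b."""
    k = secrets.token_bytes(BLOCK)
    oracle = lambda m: enc(k, m)  # oracle access to Enc(_, k) for the whole experiment
    m0, m1 = adversary.choose(oracle)
    b = secrets.randbelow(2)
    c = oracle(m1 if b else m0)
    return int(adversary.guess(oracle, c) == b)

class RepeatQueryAdversary:
    """The adversary from the clarification after the experiment: re-encrypt m0 and compare."""
    def choose(self, oracle):
        self.m0, self.m1 = b"A" * BLOCK, b"B" * BLOCK
        return self.m0, self.m1
    def guess(self, oracle, c):
        return 0 if oracle(self.m0) == c else 1  # always right for ECB, a coin flip for CTR
```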

3 Block Ciphers in CTR Mode are CPA-secure

Theorem 1. Let Enc : M × {0,1}^n → C be a PRP (where C = M).
Consider a block cipher encryption system Π that uses Enc() in CTR mode.
If A is a PPT adversary, then Pr[PrivK^{CPA}_{A,Π}(n) = 1] ≤ 1/2 + negl(n), where
negl(n) is some negligible function.

Proof. Consider the following modified experiment PrivK^{CPA}_{A,Π'}(n), where the
function Enc is replaced by a random permutation π : M → C.
We show two things:
- For every PPT adversary A, it must be the case that

|PrivK^{CPA}_{A,Π}(n) − PrivK^{CPA}_{A,Π'}(n)| ≤ negl(n)    (1)

for some negligible function negl().
- Let A be an adversary that can make at most q(n) queries, with
each query message having at most q(n) blocks, where q() is some
polynomial. Then

PrivK^{CPA}_{A,Π'}(n) ≤ 1/2 + 2q(n)^2 / 2^n    (2)

To prove (1), suppose for contradiction that there is a PPT adversary A
such that PrivK^{CPA}_{A,Π}(n) = p_1(n), PrivK^{CPA}_{A,Π'}(n) = p_2(n), p_1(n) > p_2(n) and
r(n) = p_1(n) − p_2(n) is non-negligible.


Then we can build a PPT algorithm D which can distinguish Enc from a
random permutation as follows:
- D receives oracle access to a function f that is either f_0 = Enc or f_1, a
random permutation, and D's goal is to make queries to f to determine
whether f = f_0 or f = f_1.
- D picks a random key k ∈ K.
- D simulates A in PrivK^{CPA}_{A,Π}(n) and obtains the two messages m_0, m_1 chosen by A.
- D picks b ∈ {0,1} at random and runs A on f(m_b, k) to obtain
A's guess b′.
- If b′ = b, D guesses that f = f_0; otherwise D guesses that f = f_1.


The probability that D is correct equals:

(1/2) p_1(n) + (1/2) (1 − p_2(n)) = 1/2 + r(n)/2

which is non-negligible if r(n) is non-negligible. This contradicts the fact
that Enc is a PRP, therefore it must be the case that (1) is true.
We now prove (2). Let q = q(n). Let M_1 = M_{1,1} || . . . || M_{1,q} and M_2 =
M_{2,1} || . . . || M_{2,q} be the two messages chosen by the adversary, where each
M_{i,j} is a block. Let C = IV || C_{i,1} || . . . || C_{i,q} be the ciphertext corresponding to
M_i, where i ∈ {1, 2}. C is the ciphertext received by the adversary.
Let M_i = M_{i,1} || . . . || M_{i,q} for i = 3, . . . , q + 2 be the messages queried by the
adversary and let C_i = IV_i || C_{i,1} || . . . || C_{i,q} be the corresponding ciphertexts.
We have for i ≥ 3:
C_{i,j} = M_{i,j} ⊕ π(IV_i + j − 1, k).    (3)

Since π is a random permutation, each individual ciphertext block is a random
element of M; thus the only way that the adversary can distinguish M_1
from M_2 is if an event such as the following happens:
For some i ≥ 3 and some j_1, j_2 such that M_{1,j_1} = M_{i,j_2} ≠ M_{2,j_1}, it is the case that

IV + j_1 − 1 = IV_i + j_2 − 1    (4)

If the above happens, then the adversary checks whether the cipher block C_{i,j_2}
is equal to the j_1-th block of the challenge ciphertext C. If yes, the adversary concludes that the message was M_1,
otherwise that the message was M_2.
The probability that some relation of the form (4) happens is at most 2q(n)^2 / 2^n.
If a relation of the form (4) does not exist among the IVs of the query ciphertexts,
then the adversary can only guess with probability 1/2. Combining
the above two observations, we obtain the bound in (2).
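The counting behind event (4) and the bound (2), as an added Python illustration that is not part of the notes: for a fixed challenge IV, exactly 2q − 1 query IVs give a counter range that overlaps the challenge's range, so a single query collides with probability (2q − 1)/2^n, and a union bound over q queries gives q(2q − 1)/2^n ≤ 2q^2/2^n. The brute-force count and the Monte Carlo estimate (for a small n, with all IVs uniform) check this against the bound.

```python
import random

def ranges_overlap(iv_a: int, iv_b: int, q: int, n: int) -> bool:
    """Event (4): do the counter ranges {iv_a, ..., iv_a + q - 1} and
    {iv_b, ..., iv_b + q - 1}, taken mod 2^n because the counter wraps, share a value?"""
    a = {(iv_a + j) % 2**n for j in range(q)}
    return any((iv_b + j) % 2**n in a for j in range(q))

def count_colliding_ivs(q: int, n: int, iv: int = 0) -> int:
    """Brute force over all 2^n query IVs: how many overlap the challenge range? Expect 2q - 1."""
    return sum(ranges_overlap(iv, iv_i, q, n) for iv_i in range(2**n))

def union_bound(q: int, n: int) -> float:
    """q queries, each colliding with probability (2q - 1)/2^n: q(2q - 1)/2^n <= 2q^2/2^n."""
    return 2 * q * q / 2**n

def estimate_collision_rate(q: int, n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo: fraction of experiments in which the challenge IV's counter range
    overlaps the range of at least one of the adversary's q query IVs (all IVs uniform)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        iv = rng.randrange(2**n)
        queries = [rng.randrange(2**n) for _ in range(q)]
        hits += any(ranges_overlap(iv, iv_i, q, n) for iv_i in queries)
    return hits / trials
```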
