Modes of Operation

Question 1

Why are block ciphers not secure witout modes of operation?

Answer 1

Because when you encrypt each block individually, structure of the plaintext will persist.
For instance, two blocks of all zeros will result in two blocks of the same cipher text. Hence the structure remains.

Question 2

What is one of the biggest risks in modes of operations?

Answer 2

When a single bit error occurs (f.i. in transmission) all following blocks will no longer be interpetable.

Question 3

What is ECB?

Answer 3

Electronic Code Book Mode

Question 4

Explain how ECB works.

Answer 4

Each block is encrypted/decrypted individually.

Question 5

What is the effect of bit error in ECB?

Answer 5

A one bit error will only effect that specific block.

Question 6

What is the effect of block loss in ECB?

Answer 6

The loss of blocks cannot be detected, same goes for block insertion.

Question 7

Explain how Adversary wins the OW CCA security game for any mode.

Answer 7

The cipher text is not allowed to be the same as the challengers.
So you append a block to the original cipher text containing the first block. This will allow you to succesfully decrypt the first block using the decryption oracle.

Question 8

Argue the security level of ECB. (explain for each level how it is broken).

Answer 8

ECB is not IND-PASS: It can provide two messages to lr-oracle one being M1 and other M1||M1 and then it can easily determine if y was chosen randomly or using block cipher.

ECB is not OW CCA secure using the same logic: So you append a block to the original cipher text containing the first block. This will allow you to succesfully decrypt the first block using the decryption oracle.

ECB is OW CPA secure, because it is computationally inthesible to inverse operation.

Question 9

xplain

What is CBC?

Answer 9

Cipher Block Chaining

Question 10

How does CBC encryption work?

Answer 10

You XOR block 1 with IV and encrypt the result using your cipher method. Then the first cipher block is used to XOR the second plain text, etc.

Question 11

How does CBC decryption work?

Answer 11

You decrypt cipher block 1 and then XOR the result with IV. Then the first cipher block is used to XOR the second plain text block (retrieved after deciphering second cipher block), continued…

Question 12

What effect has bit error on CBC?

Answer 12

That block is not decrypted properly (whole block is lost) and it will cause a single bit error in the next plain text block.
m1 || r || bit error || m4

Question 13

What effect has block loss on CBC?

Answer 13

It will cause one block to be decrypted incorrectly.
m1 || r || m4

Question 14

Explain how adversary can win CBC mode for IND CPA.

Answer 14

For fixed, or nonce based IV it is possible to win:
CBC encrypts m1 XOR IV to get c1. Hence, if m1 and IV are the same, we essentially encrypt( 0 ) to get c1.
Nonce can only be provided once to the adversary, so if we get c’ for m1 = Iv = 0, then we can user LR-Oracle with m1 = 0, m2 = 1= IV. Then c* is able to be compared.

Question 15

What does OFB mode stand for?

Answer 15

Output Feeback Mode

Question 16

How does OFB encryption work?

Answer 16

Lets say intermediate value Y is the result of encrypting the previous value of Y, with Y0= enc(IV). Then ci = Yi XOR mi, for i>0

Question 17

How does OFB decryption work?

Answer 17

Lets say intermediate value Y is the result of encrypting the previous value of Y, with Y0= enc(IV). Then mi = Yi XOR ci, for i>0

No encrypting is not a mistake here…

Question 18

What effect does bit error have on OFB?

Answer 18

That bit error is reflected in the plain text, but no block loss.
m1 || bit error || m3

Question 19

What effect does block loss have on OFB?

Answer 19

When the reciever is aware that block is lost: it can iterate the ‘key’ value (Y), in this case only one block is lost.
m1 || x || m3

In case of the reciever is not aware, then **avalanche effect **takes place and all the following blocks cannot be decrypted.
m1 || r || r

Question 20

What effect does block insertion have on OFB?

Answer 20

An attacker can not insert/replay blocks in the ciphertext (see block loss), but it can append blocks.

Question 21

What is the security of OFB mode?

Answer 21

• Fixed IV: not IND-CPA secure, also not OW-CPA secure
• Nonce based IV: not OW-CPA secure
• Random IV: IND-CPA secure

Question 22

What does CFB stand for?

Answer 22

Ciphertext Feedback Mode

Question 23

How does CFB encryption work?

Answer 23

You encrypt the previous cipher text block and XOR that with the plaintext block. Y0 = encr(IV)

Question 24

How does CFB decryption work?

Answer 24

You encrypt the previous cipher text block and XOR that with the ciphertext block. Y0 = encr(IV)

Question 25

What is the effect of bit error in CFB mode?

Answer 25

It will cause a bit error in that plain text block, and it won’t be able to correctly decrypt the next block.
m1 || bit error || r || m4

Question 26

What is the effect of block loss in CFB?

Answer 26

thenext cipher text block is not decrypted correctly:
m1 || r || m4

Question 27

What is the security of CFB?

Answer 27

• Nonce based IV: not IND-CPA secure but OW-CPA secure
• Random IV: IND CPA

Question 28

What is the big advantage of using CFB or OFB?

Answer 28

Speed: it is very fast to compute.

Question 29

What does CTR stand for?

Answer 29

Counter mode.

Question 30

How does CTR encryption work?

Answer 30

Each block encrypts value IV +i , and XORs it with mi. Where i is the block-id.
mi XOR e(IV+i) = ci

Question 31

How does CTR decryption work?

Answer 31

Each block encrypts value IV +i , and XORs it with c1. Where i is the block-id.
c1 XOR e(IV+i) = mi

Question 32

How is the IV managed in CTR? What is the advantage?

Answer 32

IV is publicly known, but incremented each time a block is encrpyted. This means that the same plain text results in different cipher texts.

Question 33

What is the effect of bit error in CTR?

Answer 33

Only that block is XORed with a bit error:
m1 || bit error || m3 ||

Question 34

What is the effect of block loss/insertion in CTR

Answer 34

It will be detected because the IV is no longer incremented correctly.

Block appending is possible, however.

Question 35

what is the security of CTR?

Answer 35

IND CPA, unless fixed IV is used, then IND PASS

Question 36

What is a big advantage of CTR?

Answer 36

Parallel computation is possible, due to lack of dependencies.

Question 37

How can we make any mode of operation IND CCA secure?

Answer 37

Encrypt-then-MAC

Question 38

Explain how Encrypt-then-Mac works and argue if it is secure.

Answer 38

Keygen: You use k1 for encryption and k2 for MAC. You compute the MAC of the ciphertext using k2.
During decryption you verify the MAC, based on k2, to verify if the ciphertext has been tempered.

It is IND CCA secure.

Question 39

Explain how Encrypt-and-Mac works and if it is secure.

Answer 39

Keygen: You use k1 for encryption and k2 for MAC. You compute the MAC of the plaintext using k2.
During decryption you first decrypt the cipher text, using k1, and then verify the MAC of the plain text.

It is not IND CPA secure.

Question 40

Explain how MAC then Encrypt works and argue if it is secure.

Answer 40

You first compute the MAC, then you compute the cipher text based on the plain text and the MAC. You verify it by decrpyting cipher text and verifiy MAC of plaintext.

It is not IND CPA secure. (for deterministic MAC)