
Proposed Cipher suite:

aes-ctr(key, ++iv, sha-1(plainText + aes-ctr(key,iv,0^128))+(plainText + aes-ctr(key,iv,0^128)));

Security targets achieved:

  1. Encryption of the plain text.
  2. Integrity of the plain text.
  3. Authenticity of the plain text.

Used components and reason behind using them:

  1. sha-1: For checking integrity of the plaintext.
  2. aes-ctr: Used for encryption of the plaintext.
  3. aes-ctr(sha-1): sha-1's output is encrypted with aes-ctr to provide authenticity of the plaintext.

Reasons I think it is secure:

  1. As aes-ctr is a secure encryption algorithm, we can't predict the key stream.
  2. To generate a new ciphertext the attacker needs to have knowledge about the message encrypted. Here the message is sha-1(plainText + aes-ctr(key,iv,0^128))+(plainText + aes-ctr(key,iv,0^128)), which would be unique for every message because of using the key stream aes-ctr(key,iv,0^128). Hence it is not attackable by a chosen-plaintext attack.
  3. We also can't predict the sha-1 value, because every time a new sha-1 value would be generated: the text used to generate it is plainText + aes-ctr(key,iv,0^128), which contains the unpredictable key stream aes-ctr(key,iv,0^128).
  4. Hence the encrypted message can be authenticated and checked for integrity.

This method is an improved version derived from the method proposed in this question.

1 Answer

I run a chosen plaintext attack against the authenticity of the scheme as follows:

I request a ciphertext for message $0^{96}\mathbin\|0^{128}\mathbin\|0^{128}\mathbin\|0^{128}\mathbin\|0^{128} = 0^{608}$. A fresh $IV$ will be chosen and a key stream $k_0\mathbin\|k_1\mathbin\|k_2\mathbin\|k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6\mathbin\|k_7$ will be derived from key $k$ and $IV$.

I will receive the $IV$ and a ciphertext \begin{align}c=&(H(0^{608}\mathbin\|k_0)\mathbin\|0^{96})\oplus (k_1\mathbin\|k_2)\mathbin\|0^{128}\oplus k_3\mathbin\|0^{128}\oplus k_4\mathbin\|0^{128}\oplus k_5\mathbin\|0^{128}\oplus k_6\mathbin\|k_0\oplus k_7\\ =&(H(0^{608}\mathbin\|k_0)\mathbin\|0^{96})\oplus (k_1\mathbin\|k_2)\mathbin\|k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6\mathbin\|k_0\oplus k_7\end{align}

I now choose an arbitrary message $m \in \{0,1\}^{96}$ and compute the ciphertext \begin{align} c' = (H(m\mathbin\|k_3)\mathbin\|m)\oplus(k_4\mathbin\|k_5)\mathbin\|k_3\oplus k_6 \end{align} and output $c'$ together with $IV'=IV+3$.

$(IV',c')$ is now a valid ciphertext for $m$. This works because CTR mode with $IV+3$ will result in a keystream $k'_0\mathbin\|k'_1\mathbin\|k'_2\mathbin\|k'_3 = k_3\mathbin\|k_4\mathbin\|k_5\mathbin\|k_6$.

kelalaka
Maeher
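The forgery from the answer above, carried out end to end as an added example (this code is not part of the question or of Maeher's answer). It implements the proposed scheme exactly as written (k0 = ctr(key, iv, 0^128); inner = sha-1(P || k0) || P || k0; ciphertext = ctr(key, iv+1, inner)), then forges a valid ciphertext for a 96-bit message the attacker never submitted, using a single query on 0^608. Assumption: a SHA-256-based PRF stands in for AES as the CTR block function so the example runs on the Python standard library alone; the attack never opens the block cipher, it only uses the fact that CTR mode with IV' = IV+3 re-emits the keystream blocks k_3..k_6. The key, the IV and the message are constructed values.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, as in AES-CTR
TAG = 20    # SHA-1 digest length in bytes


def keystream_block(key: bytes, counter: int) -> bytes:
    """One 128-bit CTR keystream block for counter value `counter`.

    ASSUMPTION: a SHA-256-based PRF stands in for AES_k(counter) so this
    runs offline on the standard library. The forgery below only relies on
    CTR mode re-using the block at counter iv+i when restarted at iv+3.
    """
    return hashlib.sha256(key + counter.to_bytes(BLOCK, "big")).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr(key: bytes, iv: int, data: bytes) -> bytes:
    """CTR mode: block i of `data` is XORed with keystream_block(key, iv + i)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += xor(data[i:i + BLOCK], keystream_block(key, iv + i // BLOCK))
    return bytes(out)


def encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    """The proposed scheme:
       k0    = aes-ctr(key, iv, 0^128)   (the keystream block at counter iv)
       inner = sha-1(P || k0) || P || k0
       c     = aes-ctr(key, iv + 1, inner)
    """
    k0 = ctr(key, iv, bytes(BLOCK))
    body = plaintext + k0
    inner = hashlib.sha1(body).digest() + body
    return ctr(key, iv + 1, inner)


def decrypt(key: bytes, iv: int, ciphertext: bytes):
    """Inverse of encrypt. Returns the plaintext, or None when the sha-1 tag
    or the trailing keystream block k0 does not verify."""
    inner = ctr(key, iv + 1, ciphertext)
    tag, body = inner[:TAG], inner[TAG:]
    if len(body) < BLOCK:
        return None
    k0 = ctr(key, iv, bytes(BLOCK))
    if body[-BLOCK:] != k0 or hashlib.sha1(body).digest() != tag:
        return None
    return body[:-BLOCK]


def forge(oracle, m: bytes):
    """Chosen-plaintext forgery for a 96-bit message m, as in the answer.

    `oracle(plaintext)` encrypts under the secret key and returns
    (iv, ciphertext). One query on 0^608 (76 zero bytes) suffices.
    """
    assert len(m) == 12, "the attack as written forges a 96-bit message"
    iv, c = oracle(bytes(76))
    # c = (H(0^608||k0) || 0^96) ^ (k1 || k2) || k3 || k4 || k5 || k6 || k0 ^ k7
    # so ciphertext blocks 2..5 are the bare keystream blocks k3..k6.
    k3, k4, k5, k6 = c[32:48], c[48:64], c[64:80], c[80:96]
    # Under IV' = iv + 3 the scheme computes k0' = k3 and encrypts
    # sha-1(m || k3) || m || k3 with keystream k4 || k5 || k6.
    head = hashlib.sha1(m + k3).digest() + m       # 160 + 96 = 256 bits
    forged = xor(head, k4 + k5) + xor(k3, k6)
    return iv + 3, forged


def demo() -> bool:
    """Returns True when the forged ciphertext decrypts to a message that
    was never submitted to the encryption oracle."""
    key = bytes(range(16))        # constructed secret key, unknown to forge()
    queries = []

    def oracle(plaintext: bytes):
        iv = 0x1000               # constructed IV; a real oracle draws a fresh one
        queries.append(plaintext)
        return iv, encrypt(key, iv, plaintext)

    m = b"attack at 12"           # 12 bytes = 96 bits, never encrypted honestly
    iv_f, c_f = forge(oracle, m)
    return decrypt(key, iv_f, c_f) == m and m not in queries


if __name__ == "__main__":
    print("forgery accepted:", demo())
```

Note that `forge` learns k3..k6 directly from the ciphertext because the queried plaintext blocks are zero; with any other known plaintext the attacker would XOR it off first. The trailing `k0 ⊕ k7` block and the encrypted sha-1 value add nothing, since the attacker can compute both the "unpredictable" k0' = k3 and sha-1(m || k3) from what the oracle leaked.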