
I was going through this question, "Why is it said that if we have a duplicate ciphertext block it can leak our information?", and I was just wondering:

  • if there is a $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$ relationship, is CBC still secure?
  • How does this equality lead to an information leak?
kelalaka
Aish2410

1 Answer

  • if there is a $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$ relationship, is CBC still secure?

As commented by SqueamishOssifrage, the standard collision bound of $2^{64}$ blocks for a 128-bit block cipher is not a hard limit. We want a negligible success probability for the adversary. With $q$ queries (encryptions), the advantage of the adversary must be negligible, like $2^{-32}$ or $2^{-64}$.

To achieve this we need

  • $q^2/2^{128} = 1/2^{64}$ that is $q=2^{32}$, or
  • $q^2/2^{128} = 1/2^{32}$ that is $q=2^{48}$

Therefore you should not encrypt more than $2^{32}$ or $2^{48}$ blocks, depending on the advantage setting for the adversary.

The CBC mode has more problems than this:

  • The IV must be unpredictable.
  • The padding oracle attacks on servers.
  • The BEAST and Lucky13 attacks on TLS only.

And therefore CBC mode was removed from TLS 1.3. CBC mode is archaic. Today, you should use Authenticated Encryption such as AES-GCM or ChaCha20-Poly1305.

  • How does this equality lead to information leak?

You have a relation $P_{i} \oplus P_j = C_{i-1} \oplus C_{j-1}$ in which you know $C_{i-1}$ and $C_{j-1}$; then you know the $\oplus$ difference of the two plaintexts. In AES, you will have at most 128 bits to apply a crib-dragging attack, like in OTP. If you know one of the plaintexts, you know the other.

kelalaka
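The following is an added example, not code from the question or the answer above, that exercises both points of the answer: the birthday arithmetic for how many blocks may be encrypted under a given adversary advantage, and the actual leak $P_i \oplus P_j = C_{i-1} \oplus C_{j-1}$ when two CBC ciphertext blocks collide. It assumes a toy 16-bit block cipher (a seeded random permutation, standing in for AES so that collisions appear after a few hundred blocks rather than $2^{64}$) and constructed random plaintext; everything else is plain CBC as defined in the answer, with $C_0 = IV$.

```python
import random

BLOCK_BITS = 16                      # toy block size; AES would be 128
BLOCK_MASK = (1 << BLOCK_BITS) - 1


def make_toy_cipher(seed):
    """Return encrypt(x): a keyed random permutation on 16-bit blocks.
    Assumed stand-in for a block cipher, NOT AES; the tiny block makes
    the birthday bound reachable in a few hundred blocks."""
    rng = random.Random(seed)
    table = list(range(1 << BLOCK_BITS))
    rng.shuffle(table)
    return lambda x: table[x & BLOCK_MASK]


def cbc_encrypt(encrypt, iv, plaintext_blocks):
    """Standard CBC: C_i = E(P_i xor C_{i-1}), with C_0 = IV."""
    prev = iv
    cts = []
    for p in plaintext_blocks:
        c = encrypt(p ^ prev)
        cts.append(c)
        prev = c
    return cts


def find_collisions(cts):
    """All (i, j), i < j, 1-based, with C_i == C_j: what the attacker looks for."""
    seen = {}
    pairs = []
    for idx, c in enumerate(cts, start=1):
        if c in seen:
            pairs.append((seen[c], idx))
        else:
            seen[c] = idx
    return pairs


def prev_block(iv, cts, k):
    """C_{k-1} for 1-based k, with C_0 = IV."""
    return iv if k == 1 else cts[k - 2]


def leaked_xor(iv, cts, i, j):
    """C_{i-1} xor C_{j-1}: both public, and when C_i == C_j this equals
    P_i xor P_j because E is a permutation (equal outputs => equal inputs)."""
    return prev_block(iv, cts, i) ^ prev_block(iv, cts, j)


def crib_drag(iv, cts, i, j, known_p_i):
    """If the attacker knows P_i, the leaked difference gives P_j outright."""
    return known_p_i ^ leaked_xor(iv, cts, i, j)


def max_blocks_log2(block_bits, adv_log2):
    """log2 of q with q^2 / 2^block_bits = 2^-adv_log2: the number of blocks
    you may encrypt while keeping the collision advantage at 2^-adv_log2."""
    return (block_bits - adv_log2) / 2


def demo(seed=1, n_blocks=2000):
    """Encrypt constructed random plaintext with the toy cipher and recover the
    plaintext difference from every ciphertext collision."""
    rng = random.Random(seed)                 # constructed sample data
    encrypt = make_toy_cipher(seed + 1)
    iv = rng.getrandbits(BLOCK_BITS)
    pts = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    cts = cbc_encrypt(encrypt, iv, pts)
    leaks = []
    for i, j in find_collisions(cts):
        delta = leaked_xor(iv, cts, i, j)
        assert delta == pts[i - 1] ^ pts[j - 1]   # the relation from the answer
        leaks.append((i, j, delta))
    return {"iv": iv, "pts": pts, "cts": cts, "leaks": leaks}


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['leaks'])} ciphertext collisions among {len(r['cts'])} blocks")
    i, j, delta = r["leaks"][0]
    p_j = crib_drag(r["iv"], r["cts"], i, j, r["pts"][i - 1])
    print(f"P_{i} xor P_{j} = {delta:#06x}; with P_{i} known, P_{j} = {p_j:#06x}")
    print("AES-CBC block limits (log2): adv 2^-64 ->", max_blocks_log2(128, 64),
          "; adv 2^-32 ->", max_blocks_log2(128, 32))
```

With 2000 blocks of a 16-bit cipher the expected number of colliding pairs is about $2000^2 / 2^{17} \approx 30$, so the script finds several; scaling the same formula to 128-bit AES gives the $2^{32}$ and $2^{48}$ limits in the answer. Note that the leak needs no key material at all: the attacker only compares ciphertext blocks and XORs their predecessors.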