Question

Show that ECB is not CPA secure if the length of the message is more than two blocks. (Hint: Use the CPA security game and show a successful attack strategy).

Answer 1

Electronic control block (ECB) is mode of operation for a block cipher , with the characteristic that each possible block of plaintext has a defined corresponding cipher text value and vice versa. It is used when a volume of plaintext is seperated into several block of data , each of which is then encrypted independently of other blocks. While Electronic code block is not beneficial to use with small block size and identical encryption mode. This is because some words and phrases may be reused often enough

So that the same repetitive part blocks of cipher text can emerge , laying the groundwork for a codebook attack where the plain text patterns are fairly obvious.

Choosen plaintext attack(CPA) is an attack model for cryptanalysis which presumes the attacker can obtain the ciphertext for arbitrary plaintexts.The goal of attack is to gain information that reduces the security of the encryption scheme.

Example..

Let P1 be plaintext we would like to decrypt and P2 be plaintext we get by adding some "A"'s to P1 . Now what we actually want to craft is P2 plaintext by looking individual blocks.

Notice that block 2 contains 15 A's and the first byte of unknown plaintext P1. Being able to know the offset and inject the plaintext as above ,it is then possible to brute force the 16th byte in block2 . First make sure to send P2 to the encryption Oracle to have a reference value (the one we will be looking for when brute forcing).

Note that the reference block is the second block encrypting P2. This is because it is particular block that now contains 15 A's and one secret byte. The idea is now to brute force that secret byte by iterate through all 256 combinations with 15 A's and last byte changing to 256 possible characters. Encrypt all 256 combinations using Oracle and when one of these encryption produces a cipher text with second block matching reference block we know that secret byte is . Yes, the ASCII for 0,1 and 255 is not a,b and Z, but above is just for illustration .

Create all plaintext and encrypt them and extract the second block and compare to "B8C42B6F757C16293F11B714647846F" which was the reference block in example . When a match is found ,check with ASCII value was used -that is plaintext value for the secret byte . Now the rest just follows craft with a plaintext P3 with 14 A's, the byte you just found and then the

Second secret byte in the end . Repeat the procedure . Hence the cipher got its information and attack got successful.