Not at all what I was expecting, but yes this would work. (Notice that what you are doing is essentially applying CTR-mode encryption to the MAC F_k(r).)

The solution I was looking for was to just use an encryption scheme that gives you confidentiality *and* integrity, e.g., the encrypt-then-authenticate approach.

Yes, of course!!

The encryption and decryption should be defined as follows:

Enc_k(r) = (iv, F_k(iv) xor F_k(r)), where iv is chosen at random.

Dec_k(Enc_k(r)) = F_k^-1(Enc_k(r) xor F_k(iv))

*The root of the insecurity above was the fact that Eve could re-use IVs.*

I don’t know if I would put it that way. Re-using the IV was a particular way to attack the scheme, but the problem is more fundamental…

*Let the encryption be defined as Enc_k(r) = (iv, iv xor F_k(r)), where iv is chosen at random.*

Actually, this scheme is not CPA-secure. Note that the iv essentially doesn’t add anything, since an attacker can recover F_k(r) by xor’ing the first half of the ciphertext with the second. And then two encryptions of the same value r could be identified…

Lessons learned so far:

———————————

The root of the insecurity above was the fact that Eve could choose IVs in a way that enables the attack (re-using is not necessary; Eve's IV is not randomly selected, but chosen deterministically to enable the attack).

Lessons learned so far:

———————————

The root of the insecurity above was the fact that Eve could re-use IVs. This was also the idea in my attack above.

Now, I have changed Question-1 and Question-2 as follows:

———————–

Question-1++:

———————–

Show an encryption scheme that is secure against CPA-attacks and that would lead to a secure protocol if plugged into the above.

———————–

Question-2++:

———————–

Show an encryption scheme that is not secure against CPA-attacks and that would lead to an insecure protocol if plugged into the above.

For now, I will try to answer the first question. Any takers for the second question are welcome. Otherwise, I will also try to solve it.

Answer-1++:

—————-

Let the encryption be defined as

Enc_k(r) = (iv, iv xor F_k(r)), where iv is chosen at random.

(The corresponding decryption is defined as

Dec_k(Enc_k(r)) = F_k^-1(Enc_k(r) xor iv))

Claim: This encryption would lead to a secure protocol if plugged into the given authentication protocol.

Proof sketch:

I have a strong intuition that the encryption is CPA-secure. But I do not know how to formally prove it. I think that the given encryption could be used, let's say, to simulate CBC encryption.

Given a random value r’ and given the encryption above, Eve has to compute F_k(r’) to be able to impersonate Alice to Bob. However, she cannot do this without having the secret key k.
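The two candidate schemes from this thread side by side, as an added example (this is not code from any of the posts above). It covers the reply noting that in Enc_k(r) = (iv, iv xor F_k(r)) the iv "doesn't add anything" (Eve xors the two halves and gets F_k(r), so two encryptions of the same r are linkable), the Answer-1++ claim above, and the remark that Enc_k(r) = (iv, F_k(iv) xor F_k(r)) is CTR-mode encryption of the MAC F_k(r). The thread only says F_k is a keyed PRP; modelling it as a 4-round Feistel network over HMAC-SHA256 is my assumption, and all function names (`enc_broken`, `enc_fixed`, `eve_links`, `run_demo`, ...) are mine. The challenge r and the key are generated at random inside the example.

```python
import hashlib
import hmac
import os

BLOCK = 16      # 128-bit blocks: r, iv and F_k(r) are all BLOCK bytes
HALF = BLOCK // 2
ROUNDS = 4      # Luby-Rackoff: 4 Feistel rounds over a PRF give a (strong) PRP


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Round function f_i: HMAC-SHA256 keyed by k, domain-separated by the round index.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def F(k: bytes, x: bytes) -> bytes:
    """The keyed PRP F_k of the thread, modelled (assumption) as a 4-round Feistel
    network whose round functions are HMAC-SHA256."""
    L, R = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def F_inv(k: bytes, y: bytes) -> bytes:
    """F_k^-1: run the Feistel rounds backwards."""
    L, R = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


# --- the two schemes discussed in the thread --------------------------------
def enc_broken(k, r, iv=None):
    """Enc_k(r) = (iv, iv xor F_k(r)); iv is random unless the caller supplies one."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv, xor(iv, F(k, r))


def dec_broken(k, ct):
    """Dec_k(iv, c) = F_k^-1(c xor iv)."""
    iv, c = ct
    return F_inv(k, xor(c, iv))


def enc_fixed(k, r, iv=None):
    """Enc_k(r) = (iv, F_k(iv) xor F_k(r)): CTR-mode encryption of the MAC F_k(r)."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv, xor(F(k, iv), F(k, r))


def dec_fixed(k, ct):
    """Dec_k(iv, c) = F_k^-1(c xor F_k(iv))."""
    iv, c = ct
    return F_inv(k, xor(c, F(k, iv)))


# --- what Eve can do without knowing k --------------------------------------
def eve_xor_halves(ct):
    """Eve xors the two halves of a ciphertext. For the broken scheme this is
    iv xor (iv xor F_k(r)) = F_k(r); for the fixed scheme it is F_k(iv) xor F_k(r),
    which changes with every fresh iv."""
    iv, c = ct
    return xor(iv, c)


def eve_links(ct1, ct2):
    """CPA distinguisher: guess 'same plaintext' iff the key-free values agree."""
    return eve_xor_halves(ct1) == eve_xor_halves(ct2)


def eve_forges_broken(ct_seen):
    """From one observed transcript (iv, iv xor F_k(r)) Eve learns F_k(r) and can
    answer a repeat of challenge r under an iv of her own choosing, without k."""
    mac = eve_xor_halves(ct_seen)
    iv_eve = os.urandom(BLOCK)
    return iv_eve, xor(iv_eve, mac)


def bob_accepts(k, r, ct, dec):
    return dec(k, ct) == r


def run_demo(k: bytes):
    r = os.urandom(BLOCK)                        # Bob's challenge (constructed at random)
    b1, b2 = enc_broken(k, r), enc_broken(k, r)  # Alice answers r twice, broken scheme
    f1, f2 = enc_fixed(k, r), enc_fixed(k, r)    # ... and twice with the fixed scheme
    forged = eve_forges_broken(b1)
    return {
        "broken_roundtrip": bob_accepts(k, r, b1, dec_broken),
        "fixed_roundtrip": bob_accepts(k, r, f1, dec_fixed),
        "broken_leaks_mac": eve_xor_halves(b1) == F(k, r),   # Eve recovers F_k(r)
        "broken_linkable": eve_links(b1, b2),                # always True
        "fixed_linkable": eve_links(f1, f2),                 # False (fresh ivs)
        "forgery_accepted": forged[0] != b1[0] and bob_accepts(k, r, forged, dec_broken),
    }


if __name__ == "__main__":
    for name, ok in run_demo(os.urandom(32)).items():
        print(f"{name:18s} {ok}")
```

Running it shows both schemes decrypt correctly, but only for the broken one does Eve get the same key-free value from every encryption of r (and a fresh-looking forged response for a repeated r), which is exactly why that scheme is not CPA-secure; the fixed scheme makes the second half look fresh for every iv, and Eve is back to needing F_k(r') for a new challenge r'.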

Exactly right!

I have a feeling that I am seeing things differently than before after your answers. Thank you!!

OK. If the length of r is large enough and it is chosen at random, the probability of a repetition is negligible => we do not require that r != r_i for all i.

This is also true for repeating IVs, if the length of IV is large enough and it is *honestly* chosen at random.

Eve is unlikely to see any repeating IV, since Alice is honest. But Eve does not need to be honest and can re-use any IV which was chosen by Alice before. Since there is no requirement that IV != IV_i for all i, this would let Eve generate a valid encryption for Bob.

Actually, we say Eve impersonates Alice to Bob if she can generate a valid encryption of a random value r chosen by Bob. *There is no requirement that r != r_i for all r_i !!* (Think in terms of the real world: would you say it's ok for the adversary to impersonate Alice just because r=r_i for some i??)

It is for exactly this reason that we must choose the length of the random challenge long enough to make sure that r-values don’t repeat (except with very small probability.)

This should answer your question about repeating IVs as well.

In the protocol, let's say that Eve has eavesdropped on the authentication protocol for random values r_1, …, r_n chosen by Bob. (I think) We say that Eve impersonates Alice to Bob if she can generate a valid encryption of a random value r chosen by Bob, where r != r_i for all i=1 to n.

In case of an encryption mode, Eve also sees the IVs sent with the encryptions.

So, my question is whether it is allowed for Eve to use an IV which has already been used in previous encryptions. Or does the answer depend on the attack model which we define?