CBC CCA

CBC CCA works when we are given a decryption oracle. Suppose we have a ciphertext that contains 2 blocks (32 bytes). Let $m_1, m_2, c_1, c_2$ denote plaintext block 1, plaintext block 2, ciphertext block 1, and ciphertext block 2, respectively. Feed this ciphertext into the decryption oracle, we get:

m_1 = Dec(c_1) \oplus IV \\ m_2 = Dec(c_2) \oplus c_1

Here is the trick: if we choose a ciphertext containing only null bytes, in other word, c_1 = c_2 = b"\x00" * 16, we will have:

m_1 \oplus m_2 = Dec(0) \oplus Dec(0) \oplus 0 \oplus IV = IV

And now the IV is recovered and we are done.

PreviousByte at a Time NextCBC Bit Flipping

Last updated 2 years ago

m_1 = Dec(c_1) \oplus IV \\ m_2 = Dec(c_2) \oplus c_1

Here is the trick: if we choose a ciphertext containing only null bytes, in other word, c_1 = c_2 = b"\x00" * 16, we will have:

m_1 \oplus m_2 = Dec(0) \oplus Dec(0) \oplus 0 \oplus IV = IV

And now the IV is recovered and we are done.