International Journal of Network Security, Vol.4, No.3, PP.282-287, May 2007

Related-Mode Attacks on CTR Encryption Mode

Dayin Wang, Dongdai Lin, and Wenling Wu (Corresponding author: Dayin Wang)
Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China. (Email: {wdy, ddlin, wwl}@is.iscas.ac.cn)
(Received Dec. 9, 2005; revised and accepted Jan. 3, 2006)

Abstract

In this paper, we discuss using CTR mode, another standard encryption mode, to attack other standard encryption modes, and using other standard encryption modes to attack CTR mode, under the related-mode attack model. In particular, we point out that when the adversary has access to an oracle under one proper mode, then almost all other related-cipher modes, whether they are encryption modes, authentication modes or authenticated encryption modes, can be attacked with ease under the related-mode attack model.

Keywords: Block cipher, modes of operation, related-cipher attack, related-mode attack

1 Introduction

Block ciphers are often proposed with several variants, in terms of a different secret key size and corresponding number of rounds. Wu [9] presented the related-cipher attack model, applicable to related ciphers in the sense that they are exactly identical to each other, differing only in the key size and most often also in the total number of rounds. In [7], the authors generalize the concept of the related-cipher attack model to apply to a larger class of related models, in particular cipher encryptions with different block cipher modes of operation but with the underlying block cipher being identical. They called it the related-mode attack and further show that when the adversary has access to an oracle for any one of the modes of operation ECB, CBC, OFB and CFB, then almost all other related-cipher modes can be easily attacked. They did not, however, study another standard encryption mode, CTR. In this paper, we discuss how to use CTR mode to attack other modes and how to use other modes to attack CTR mode under the related-mode attack model.
In Section 2, we briefly describe the standard block cipher modes of operation. In Sections 3 and 4, we discuss how to use other modes to attack CTR mode and how to use CTR mode to attack other modes under the related-mode attack model. We conclude in Section 5.

Figure 1: ECB mode encryption

2 Standard Block Cipher Encryption Modes

When encrypting a plaintext P which is longer than the block size n of the underlying block cipher, the plaintext is divided into m n-bit blocks, and each one is encrypted in turn using a block cipher mode of operation. The standard modes include the Electronic Code Book (ECB), the Cipher Block Chaining (CBC), the Cipher FeedBack (CFB), the Output FeedBack (OFB) [4, 5] and Counter Mode (CTR) [1]. The ECB mode is the simplest: each plaintext block $P_i$ is independently encrypted to a corresponding ciphertext block $C_i$ via the underlying block cipher $E$ keyed by the secret key $K$:

$C_i = E_K(P_i)$.

Figure 1 illustrates the ECB mode encryption on two consecutive plaintext blocks $P_{i-1}$ and $P_i$. Meanwhile, the CBC mode uses the previous ciphertext block as the feedback component that is exclusive-ORed (XORed) to the current plaintext block, before the resulting XOR is encrypted to obtain the current ciphertext block. In particular:

$C_i = E_K(P_i \oplus C_{i-1})$, where $C_0 = IV$ is the initialization vector.

Figure 2 illustrates the CBC mode encryption on two consecutive plaintext blocks $P_{i-1}$ and $P_i$.
Figure 2: CBC mode encryption
Figure 3: CFB mode encryption
Figure 4: OFB mode encryption
Figure 5: CTR mode encryption

The CFB mode also uses the previous ciphertext block as feedback, which is first encrypted and then XORed to the current plaintext block to obtain the current ciphertext block $C_i$:

$C_i = E_K(C_{i-1}) \oplus P_i$, where $C_0 = IV$ is the initialisation vector.

The CFB mode can also be viewed as a stream cipher mode by treating $X_i = E_K(C_{i-1})$ as a keystream that is XORed to the plaintext to obtain the ciphertext. Figure 3 shows the CFB mode. The OFB mode is similar to the CFB in that a keystream is also generated to be XORed to the current plaintext block to obtain the current ciphertext block. The difference is that the keystream is not a function of the previous ciphertext block, but of the previously encrypted feedback component $X_{i-1}$:

$X_i = E_K(X_{i-1})$, $C_i = P_i \oplus X_i$, where $X_0 = IV$.

Note that the keystream is independent of previous plaintext and ciphertext blocks. Figure 4 illustrates the OFB mode. The CTR mode is similar to the CFB and OFB modes in that a keystream is also generated and XORed to the current plaintext block to obtain the current ciphertext block. The difference is that the keystream is a function of a counter, ctr, which can also be regarded as an initialisation vector:

$C_i = P_i \oplus E_K(ctr + i)$.

Figure 5 illustrates the CTR mode. There are two variants of the mode, one random and the other stateful. Whichever variant is used, the initialisation vector ctr is included in the ciphertext as the first block $C_0$ in order to enable decryption. The counter is not allowed to wrap around. Thus the decryption algorithm first chops off the first n bits $C_0$ and uses them as ctr, then divides the rest of the string into n-bit blocks and decrypts the ciphertext by the same method as encryption, since only $E_K$ (never $E_K^{-1}$) is applied.

3 Using other Standard Modes to Attack CTR

Throughout this paper, we consider the case where the adversary has access to an oracle that is able to perform either encryption or decryption for some fixed mode.
This is similar to having access to known or chosen plaintext/ciphertext queries under that mode. We show that this oracle allows the adversary to attack other related-cipher modes, where the underlying block cipher is the same. $P_i$ and $C_i$ respectively denote the current plaintext and ciphertext block used in the interaction with the oracle being exploited, while $P'_i$ and $C'_i$ respectively denote the current plaintext and ciphertext blocks of the related-cipher mode being attacked. For the mode being attacked, only the corresponding ciphertext blocks $C'_i$ ($i = 0, 1, \ldots, m$) are known, where $C'_0 = IV$ is the initialization vector. It is the adversary's objective to directly recover the unknown plaintext blocks $P'_i$ ($i = 1, \ldots, m$), i.e. we assume a ciphertext-only scenario for the mode being attacked. For the mode being exploited, access to its oracle
allows the adversary to obtain known or chosen plaintext/ciphertext queries and, as necessary, known or chosen IV queries, though we assume for more concrete and interesting results that he can only access either a mode encryption oracle or a mode decryption oracle, and not both at the same time. Having said this, note that a standard mode of operation is expected to be secure against attacks where both encryption and decryption oracles are available [2].

Figure 6: Exploiting ECB to attack CTR
Figure 7: Exploiting CBC to attack CTR

3.1 Exploiting an ECB Oracle

Consider that the adversary has access to either an encryption or a decryption oracle under ECB mode. We show how this oracle can be exploited to obtain the unknown plaintext blocks encrypted under the CTR mode. In our current case, the adversary has access to the ECB encryption oracle, and exploits it to attack another related cipher in the CTR mode (an ECB decryption oracle only provides $E_K^{-1}$, which does not help, since CTR uses $E_K$ in both directions). In particular, given that he wants to know the unknown plaintext block $P'_i$ corresponding to an intercepted ciphertext block $C'_i$ of the CTR mode, he chooses $P_i = C'_0 + i$ to feed to the ECB encryption oracle and obtains the corresponding ciphertext $C_i$. Since $C_i = E_K(C'_0 + i)$, he gets

$P'_i = C'_i \oplus C_i$.

This is illustrated in Figure 6, where the exploited oracle and the mode being attacked are on the left and right, respectively, and where the rectangular boxes delimit the parts inaccessible to the adversary. In summary, we require just one chosen plaintext (CP) query encrypted under ECB to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.2 Exploiting a CBC Oracle

When the adversary has access to a CBC oracle, he can similarly use it to attack CTR mode. This attack requires a CBC encryption oracle. First the adversary queries the encryption oracle with an arbitrary plaintext block $P_{i-1}$ and gets its ciphertext $C_{i-1}$; then he chooses $P_i = (C'_0 + i) \oplus C_{i-1}$ and queries the oracle to obtain the corresponding ciphertext $C_i$.
Since $C_i = E_K(P_i \oplus C_{i-1}) = E_K(C'_0 + i)$, $C_i$ is directly related to an intermediate state in CTR, namely $C_i = E_K(C'_0 + i) = P'_i \oplus C'_i$. Therefore we can compute

$P'_i = C'_i \oplus C_i$.

This is illustrated in Figure 7. In summary, we require two chosen plaintext (CP) queries encrypted under CBC to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.3 Exploiting a CFB Oracle

The adversary accesses a CFB decryption oracle and chooses $C_i = C'_0 + i$, so that the next keystream block $X_{i+1} = E_K(C_i) = E_K(C'_0 + i)$, which he reads off the oracle's output as $X_{i+1} = P_{i+1} \oplus C_{i+1}$, can be directly related to a similar intermediate state within CTR, namely $X_{i+1} = P'_i \oplus C'_i$. He then computes

$P'_i = C'_i \oplus X_{i+1}$.

See Figure 8. Repeating this attack allows him to obtain the other plaintext blocks of the CTR. In summary, we require just one chosen ciphertext (CC) query decrypted under CFB to obtain the plaintext block corresponding to any ciphertext block encrypted under CTR.

3.4 Exploiting an OFB Oracle

In this section, we discuss how to exploit an OFB oracle to attack the CTR mode.
Figure 8: Exploiting CFB to attack CTR
Figure 9: Exploiting OFB to attack CTR

This is so far the hardest attack to mount, and requires a chosen-IV (CIV) scenario [8]. In particular, the adversary chooses $IV = C'_0 + i$, and hence $E_K(IV) = E_K(C'_0 + i) = X_1$. This intermediate state relates the two modes, OFB and CTR, namely $X_1 = P_1 \oplus C_1 = P'_i \oplus C'_i$, and so he can compute

$P'_i = C'_i \oplus X_1 = C'_i \oplus P_1 \oplus C_1$.

This is shown in Figure 9. Note that in this case the plaintext and ciphertext blocks of the exploited oracle do not need to be chosen but are merely known.

4 Exploiting a CTR Oracle

In this case, the adversary has access to a CTR oracle, and uses it to attack other related-cipher modes. The CTR, CFB and OFB modes are sometimes called stream-cipher modes since, despite starting with an underlying block cipher $E_K$, using it in these modes essentially results in a stream cipher. A stream-cipher mode uses the underlying $E_K$ in both its mode encryption and its mode decryption, in contrast to non-stream-cipher modes such as ECB and CBC, which use $E_K$ for mode encryption and correspondingly $E_K^{-1}$ for mode decryption. Because of this, stream-cipher mode oracles can only be used to construct encryption oracles for the non-stream-cipher modes. This means that it is not possible to exploit a stream-cipher mode oracle (such as CTR, CFB or OFB) to attack non-stream-cipher modes (such as ECB and CBC) in the ciphertext-only sense considered here. Instead, we consider only how stream-cipher modes can be exploited to attack other stream-cipher modes.

Attacking CFB: The adversary accesses a CTR decryption oracle and chooses $C_0 = C'_{i-1} - 1$. Since $C_1 = E_K(C_0 + 1) \oplus P_1 = E_K(C'_{i-1}) \oplus P_1$, the value $E_K(C'_{i-1}) = C_1 \oplus P_1 = X_i$ can be directly related to a similar intermediate state within CFB, namely $X_i = P'_i \oplus C'_i$. He then computes

$P'_i = C'_i \oplus X_i$.

See Figure 10. Repeating this attack allows him to obtain the other plaintext blocks of the CFB.
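The mode definitions of Section 2 and the six related-mode attacks of Sections 3 and 4 (including the CTR-against-OFB attack described in the next paragraph), as an added worked example in Python; this is not code from the paper. It goes slightly beyond the text in that every attack recovers all m blocks of the target ciphertext rather than a single block. $E_K$ is a toy four-round Feistel cipher built on SHA-256 that stands in for a real block cipher: the attacks depend only on the mode structure, so nothing changes if AES is substituted. The key, IV and message in demo() are constructed, and the oracle interfaces (a CBC encryption oracle with a fixed IV, an OFB encryption oracle that accepts a chosen IV, a CTR decryption oracle that takes $C_0 \| C_1 \ldots$) are assumptions about how the exploited mode is exposed, not something the paper specifies.

```python
# Added example, not from the paper: the related-mode attacks of Sections 3 and 4
# run against toy oracles.  E_K is a 4-round Feistel cipher over SHA-256 standing
# in for AES; the attacks use only the mode structure, never the cipher internals.
import hashlib

N = 16                                  # block size n, in bytes (128 bits)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(s):
    return [s[i:i + N] for i in range(0, len(s), N)]

def _add(block, k):                     # ctr + k (mod 2^n here; the paper forbids wrap-around)
    return ((int.from_bytes(block, "big") + k) % (1 << 8 * N)).to_bytes(N, "big")

def E(key, block):                      # toy block cipher E_K: Feistel, SHA-256 round function
    l, r = block[:N // 2], block[N // 2:]
    for i in range(4):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:N // 2])
    return l + r

# The five standard modes of Section 2, written as the oracles the attacks need.
def ecb_enc(key, p):                    # C_i = E_K(P_i)
    return b"".join(E(key, b) for b in _blocks(p))

def cbc_enc(key, iv, p):                # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    out, prev = [], iv
    for b in _blocks(p):
        prev = E(key, _xor(b, prev)); out.append(prev)
    return b"".join(out)

def cfb_enc(key, iv, p):                # C_i = E_K(C_{i-1}) xor P_i, C_0 = IV
    out, prev = [], iv
    for b in _blocks(p):
        prev = _xor(E(key, prev), b); out.append(prev)
    return b"".join(out)

def cfb_dec(key, iv, c):                # P_i = E_K(C_{i-1}) xor C_i (uses E_K, not its inverse)
    return b"".join(_xor(E(key, prev), b) for prev, b in zip([iv] + _blocks(c), _blocks(c)))

def ofb_enc(key, iv, p):                # X_i = E_K(X_{i-1}), X_0 = IV, C_i = P_i xor X_i
    out, x = [], iv
    for b in _blocks(p):
        x = E(key, x); out.append(_xor(b, x))
    return b"".join(out)

def ctr_enc(key, ctr, p):               # C_0 = ctr, C_i = P_i xor E_K(ctr + i)
    return ctr + b"".join(_xor(b, E(key, _add(ctr, i))) for i, b in enumerate(_blocks(p), 1))

def ctr_dec(key, c):                    # chop off C_0 = ctr, then decrypt as in encryption
    return b"".join(_xor(b, E(key, _add(c[:N], i))) for i, b in enumerate(_blocks(c[N:]), 1))

# Section 3: exploit another mode's oracle against a CTR ciphertext ct = C'_0 || C'_1 ... C'_m.
def attack_ctr_with_ecb(ecb_oracle, ct):      # 1 CP query per block: P_i = C'_0 + i
    return b"".join(_xor(b, ecb_oracle(_add(ct[:N], i))) for i, b in enumerate(_blocks(ct[N:]), 1))

def attack_ctr_with_cbc(cbc_oracle, ct):      # 2 CP queries per block; oracle IV is fixed
    out = []
    for i, b in enumerate(_blocks(ct[N:]), 1):
        c1 = cbc_oracle(bytes(N))                                  # any P_1 yields C_1
        c2 = cbc_oracle(bytes(N) + _xor(_add(ct[:N], i), c1))[N:]  # P_2 = (C'_0 + i) xor C_1
        out.append(_xor(b, c2))                                    # so C_2 = E_K(C'_0 + i)
    return b"".join(out)

def attack_ctr_with_cfb(cfb_oracle, ct):      # 1 CC query per block: C_1 = C'_0 + i, C_2 = 0
    return b"".join(_xor(b, cfb_oracle(_add(ct[:N], i) + bytes(N))[N:])  # P_2 = E_K(C_1)
                    for i, b in enumerate(_blocks(ct[N:]), 1))

def attack_ctr_with_ofb(ofb_civ_oracle, ct):  # 1 known P_1 + 1 chosen IV = C'_0 + i per block
    p1 = bytes(N)
    return b"".join(_xor(b, _xor(p1, ofb_civ_oracle(_add(ct[:N], i), p1)))  # X_1 = P_1 xor C_1
                    for i, b in enumerate(_blocks(ct[N:]), 1))

# Section 4: exploit a CTR decryption oracle against CFB and OFB ciphertexts (IV known).
def attack_cfb_with_ctr(ctr_oracle, iv, ct):  # 1 CC query per block: C_0 = C'_{i-1} - 1
    prevs = [iv] + _blocks(ct)[:-1]
    return b"".join(_xor(b, ctr_oracle(_add(prev, -1) + bytes(N)))  # P_1 = E_K(C'_{i-1}) xor 0
                    for prev, b in zip(prevs, _blocks(ct)))

def attack_ofb_with_ctr(ctr_oracle, iv, ct):  # 1 CC query per block, X_i recovered iteratively
    out, x = [], iv
    for b in _blocks(ct):
        x = ctr_oracle(_add(x, -1) + bytes(N))                     # X_i = E_K(X_{i-1})
        out.append(_xor(b, x))
    return b"".join(out)

def demo():
    """Run all six attacks under one key shared across modes; returns how many succeed (6)."""
    key, iv = b"one key reused across modes", bytes(range(N))     # constructed, not secret here
    msg = b"reusing a block cipher key across modes of operation is a mistake"
    msg += bytes(-len(msg) % N)                                    # zero-pad to whole blocks
    ctr_ct, ctr_oracle = ctr_enc(key, iv, msg), (lambda c: ctr_dec(key, c))
    recovered = [
        attack_ctr_with_ecb(lambda p: ecb_enc(key, p), ctr_ct),
        attack_ctr_with_cbc(lambda p: cbc_enc(key, iv, p), ctr_ct),
        attack_ctr_with_cfb(lambda c: cfb_dec(key, iv, c), ctr_ct),
        attack_ctr_with_ofb(lambda civ, p: ofb_enc(key, civ, p), ctr_ct),
        attack_cfb_with_ctr(ctr_oracle, iv, cfb_enc(key, iv, msg)),
        attack_ofb_with_ctr(ctr_oracle, iv, ofb_enc(key, iv, msg)),
    ]
    return sum(r == msg for r in recovered)
```

Each oracle is a closure over the shared key, which the attack functions never touch; per block, the number of queries each attack issues matches the text complexity column of Table 1. The CBC attack needs the oracle to reuse its IV across the two queries (otherwise $C_{i-1}$ of the first query is not the chaining value of the second), which is why it costs two chosen plaintexts where the others cost one.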
Attacking OFB: The adversary accesses a CTR decryption oracle and chooses $C_0 = IV - 1$. Since $C_1 = E_K(C_0 + 1) \oplus P_1 = E_K(IV) \oplus P_1$, the value $E_K(IV) = C_1 \oplus P_1 = X_1$ can be directly related to a similar intermediate state within OFB, namely $X_1 = P'_1 \oplus C'_1$. He then computes

$P'_1 = C'_1 \oplus X_1$.

This is illustrated in Figure 11. Repeating this attack with $C_0 = X_1 - 1$ yields $X_2 = E_K(X_1)$, and so on, allowing him to iteratively obtain the next plaintext blocks of the OFB.

5 Conclusions

In this paper we have discussed how access to chosen plaintexts/ciphertexts in other standard encryption modes allows a related-cipher CTR mode to be attacked, and how access to chosen ciphertexts in the CTR mode allows almost all other related-cipher standard encryption modes to be attacked. In Table 1, we list our attacks and the corresponding text complexities; the computational complexity is negligible. The five modes discussed above are all standard encryption modes. There are many standard authentication modes and authenticated encryption modes using
block ciphers, such as the authentication mode CMAC [6] and the authenticated encryption mode GCM [3]. We have further studied the security of those modes of operation under the related-mode attack model and find that they are all insecure if the adversary can access an oracle under one proper mode. So when the same cipher is used as the underlying component in different block cipher modes of operation, the same key must not be used across those modes in practical applications.

Figure 10: Exploiting CTR to attack CFB
Figure 11: Exploiting CTR to attack OFB

Table 1: Related-mode attacks on standard encryption modes (CP = chosen plaintext, CC = chosen ciphertext, CIV = chosen IV; complexities are per recovered block)

Oracle Exploited   Cipher Mode Attacked   Text Complexity
ECB                CTR                    1 CP
CBC                CTR                    2 CP
CFB                CTR                    1 CC
OFB                CTR                    1 CP, 1 CIV
CTR                CFB                    1 CC
CTR                OFB                    1 CC

Acknowledgements

This research is supported by the National Natural Science Foundation of China under Grant No. 60373047 and No. 90204016, and by the National Basic Research 973 Program of China under Grant No. 2004CB318004.

References

[1] http://csrc.nist.gov/encryption/modes/proposedmodes/ctr/
[2] A. Joux, "Cryptanalysis of the EMD mode of operation," Advances in Cryptology - Eurocrypt '03, LNCS 2656, pp. 1-16, Springer-Verlag, 2003.
[3] D. McGrew and J. Viega, "The Galois/Counter Mode of Operation (GCM)," Submission to NIST Modes of Operation Process, 2004. Available at http://csrc.nist.gov/cryptotoolkit/modes/proposedmodes/
[4] National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication 81 (FIPS PUB 81): DES Modes of Operation, Dec. 1980.
[5] National Institute of Standards and Technology (NIST), NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, Dec. 2001.
[6] National Institute of Standards and Technology (NIST), NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005.
[7] R. C. W. Phan and M. U. Siddiqi, "Related-mode attacks on block cipher modes of operation," ICCSA 2005, LNCS 3482, pp. 661-671, Springer-Verlag, 2005.
[8] D. Wagner, "Cryptanalysis of some recently-proposed multiple modes of operation," FSE '98, LNCS 1372, pp. 254-269, Springer-Verlag, 1998.
[9] H. Wu, "Related-cipher attacks," ICICS '02, LNCS 2513, pp. 447-455, Springer-Verlag, 2002.
Dayin Wang is now a Ph.D. candidate at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. His research interests include message authentication codes and modes of operation. E-mail address: wdy@is.iscas.ac.cn.

Dongdai Lin is now a full-time research professor and deputy director of the State Key Laboratory of Information Security, Institute of Software of the Chinese Academy of Sciences. He received his B.S. degree in mathematics from Shandong University in 1984, and the M.S. degree and Ph.D. degree in coding theory and cryptology at the Institute of Systems Science of the Chinese Academy of Sciences in 1987 and 1990 respectively. His current research interests include cryptology, information security, grid computing, mathematics mechanization and symbolic computation.

Wenling Wu is now a professor at the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. She received her B.S. degree and M.S. degree in mathematics from Northwest University in 1987 and 1990, respectively. She received her Ph.D. degree in cryptography from Xidian University in 1997. From 1998 to 1999 she was a postdoctoral fellow in the Institute of Software, Chinese Academy of Sciences. Her current research interests include the theory of cryptography, modes of operation, block ciphers, stream ciphers and hash functions.