I'm just confused about this topic problem. I know that the CBC mode will be vulnerable to CPA attacks if the IV is predictable, but what about the CTR mode?
1 Answer
No, it is not. In the CBC mode, the predictable IV works since the first plaintext $P_0$ is XORed with the nonce/IV and then encrypted ($C_0 = E_k(P_0 \oplus IV)$). The nonce/IV prediction comes into play here, so that the CPA attacker can choose $P_0'$ to their advantage.
On the other hand, CTR mode uses a PRP (= block cipher) or a PRF (for which CTR was originally designed) to encrypt IV|counter and then XORs the result with the plaintext ($c_i = E_k(counter_i) \oplus m_i$). So, one cannot play with the input of the block cipher as in CBC mode.
kelalaka
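The difference described in the answer above can be checked with a one-block CPA game. This is an added example, not part of the original answer; it assumes HMAC-SHA256 truncated to 16 bytes as a stand-in for $E_k$ (a PRF, enough for encryption only), and the `Oracle` class, its public counter IV and the messages are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16

def E(key, block):
    # Assumption: stand-in for the block cipher E_k (HMAC-SHA256 truncated, a PRF).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Oracle:
    """Single-block encryption oracle whose IV/nonce is a public counter."""
    def __init__(self, mode):
        self.key, self.mode, self.n = os.urandom(16), mode, 0

    def next_iv(self):
        # Predictable: anyone can compute the IV the next call will use.
        return (self.n + 1).to_bytes(BLOCK, "big")

    def encrypt(self, m):
        self.n += 1
        iv = self.n.to_bytes(BLOCK, "big")
        if self.mode == "CBC":
            return iv, E(self.key, xor(m, iv))   # C_0 = E_k(P_0 xor IV)
        # CTR: the nonce fills the whole counter block for this single block.
        return iv, xor(E(self.key, iv), m)       # c_i = E_k(counter_i) xor m_i

def attacker_sees_match(mode, b):
    """One CPA round: True if the probe ciphertext equals the challenge."""
    oracle = Oracle(mode)
    m0, m1 = b"attack at dawn!!", b"retreat at noon!"  # constructed messages
    iv_c, c = oracle.encrypt((m0, m1)[b])        # challenge: encryption of m_b
    iv_n = oracle.next_iv()                      # predicted IV of the next query
    probe = xor(xor(m0, iv_c), iv_n)             # P_0' = m_0 xor IV_c xor IV_n
    _, c_probe = oracle.encrypt(probe)
    # CBC: the block cipher input becomes m_0 xor IV_c again, so a match
    # reveals b == 0. CTR: the cipher input is only the counter, so the
    # chosen plaintext never reaches it and no match occurs.
    return c_probe == c

if __name__ == "__main__":
    for mode in ("CBC", "CTR"):
        print(mode, [attacker_sees_match(mode, b) for b in (0, 1)])
```

In CBC the match tells the attacker which message was encrypted; in CTR the predictable nonce gives no such signal, although it must still never repeat under the same key.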