I'm just confused about this problem. I know that CBC mode is vulnerable to CPA attacks if the IV is predictable, but what about CTR mode?
1 Answer
No, it is not. In CBC mode, the predictable IV works since the first plaintext $P_0$ is XORed with the nonce/IV and then encrypted ($C_0 = E_k(P_0 \oplus IV)$). The nonce/IV prediction helps here so that the CPA attacker can choose $P_0'$ to their advantage.
On the other hand, CTR mode uses the PRP (= block cipher) or PRF (which is what CTR was originally designed for) to encrypt $IV \| \text{counter}$, then XORs the result with the plaintext ($c_i = E_k(\text{counter}_i) \oplus m_i$). So, one cannot play with the input of the block cipher as in CBC mode.
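As an added illustration of the answer's point (not part of the original answer), here is a small CTR construction using HMAC-SHA256 as a stand-in for the PRF $F_k$ (the answer's $E_k$): the inputs to $F_k$ are $IV \| \text{counter}_i$ and never depend on the chosen plaintext, and the same code shows why repeating the IV under one key leaks $m_1 \oplus m_2$. Key, IVs and messages are constructed demo values.

```python
import hashlib
import hmac

BLOCK = 32  # one keystream block per counter value (HMAC-SHA256 output size)

def prf(key: bytes, block_input: bytes) -> bytes:
    """Stand-in PRF F_k: HMAC-SHA256 instead of AES so this runs on the stdlib only."""
    return hmac.new(key, block_input, hashlib.sha256).digest()

def block_inputs(iv: bytes, nblocks: int) -> list:
    """Inputs fed to F_k are IV || counter_i; the plaintext never appears here."""
    return [iv + i.to_bytes(4, "big") for i in range(nblocks)]

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    nblocks = -(-length // BLOCK)  # ceiling division
    return b"".join(prf(key, x) for x in block_inputs(iv, nblocks))[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """c_i = F_k(IV || counter_i) xor m_i; decryption is the same operation."""
    return xor(msg, keystream(key, iv, len(msg)))

ctr_decrypt = ctr_encrypt

def nonce_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Same key and IV used twice: the keystream cancels and c1 xor c2 == m1 xor m2."""
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n])

# Constructed demo values; the key is not a real secret.
KEY = b"constructed-demo-key-not-a-real-secret"
IV = bytes.fromhex("000102030405060708090a0b")   # predictable 96-bit nonce
IV2 = bytes.fromhex("0c0d0e0f1011121314151617")  # a fresh nonce for comparison
M1 = b"attack at dawn, chosen plaintext one"
M2 = b"retreat at dusk, chosen plaintext two"

def demo() -> tuple:
    """(round trip ok, keystream independent of plaintext, reuse leaks m1^m2, fresh IV does not)."""
    c1 = ctr_encrypt(KEY, IV, M1)
    c2 = ctr_encrypt(KEY, IV, M2)
    roundtrip_ok = ctr_decrypt(KEY, IV, c1) == M1
    # A different chosen plaintext changes the ciphertext, not the F_k inputs or keystream.
    independent = (xor(c1, M1) == keystream(KEY, IV, len(M1))
                   and xor(c2, M2) == keystream(KEY, IV, len(M2)))
    leaks = nonce_reuse_leak(c1, c2) == xor(M1, M2)
    fresh_iv_safe = nonce_reuse_leak(c1, ctr_encrypt(KEY, IV2, M2)) != xor(M1, M2)
    return roundtrip_ok, independent, leaks, fresh_iv_safe

if __name__ == "__main__":
    print(demo())  # → (True, True, True, True)
```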
Yeah, thanks a lot. I have just referred to "Introduction to Modern Cryptography", and I have found that CTR may be insecure in the circumstance that the IV is repeated somehow, maybe by misuse; thus we can apply an attack similar to the many-time pad :) Commented May 12 at 10:14
Yes, that is the weakness of CTR mode, and GCM inherited this since it internally uses CTR mode. Nothing is perfect. – kelalaka Commented May 12 at 10:28
Well, I just have another extended question. I think a predictable IV does not affect the security of OFB mode either, right? Is the security of OFB similar to CTR? Commented May 12 at 12:08