Understanding Cryptography by Christof Paar and Jan Pelzl - Chapter 5 Solutions - Ex5.10


Exercise 5.10

Sometimes error propagation is an issue when choosing a mode of operation in practice. In order to analyze the propagation of errors, let us assume a bit error (i.e., a substitution of a “0” bit by a “1” bit or vice versa) in a ciphertext block \(y_i\).

  1. Assume an error occurs during the transmission in one block of ciphertext, let’s say \(y_i\). Which cleartext blocks are affected on Bob’s side when using the ECB mode?
  2. Again, assume block \(y_i\) contains an error introduced during transmission. Which cleartext blocks are affected on Bob’s side when using the CBC mode?
  3. Suppose there is an error in the cleartext \(x_i\) on Alice’s side. Which cleartext blocks are affected on Bob’s side when using the CBC mode?
  4. Assume a single bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode. How far does the error propagate? Describe exactly how each block is affected.
  5. Prepare an overview of the effect of bit errors in a ciphertext block for the modes ECB, CBC, CFB, OFB and CTR. Differentiate between random bit errors and specific bit errors when decrypting \(y_i\).

Solution

I haven’t yet verified this solution independently. If you spot any mistakes, please leave a comment in the Disqus box at the bottom of the page.

1. In ECB mode, the only block affected will be the one containing the error. ECB mode essentially functions as a substitution cipher operating on an n-bit alphabet (where n is the block width of the cryptographic primitive). Blocks have no interaction with, or dependence on, each other.

2. In CBC mode, this error will also propagate to the next block (block \(y_{i+1}\)), since the flipped bit is still present in \(y_i\) when Bob XORs it in while decrypting the next block. Block \(y_{i+2}\) will not have any decryption errors, since block \(y_{i+1}\)’s ciphertext is uncorrupted.

3. In CBC mode, a bit-flip error introduced prior to encryption will only affect the block containing the error. In this case the encryption and transmission have actually functioned without error; it’s just that the wrong data was encrypted. Bob therefore recovers exactly the plaintext that Alice encrypted, which faithfully reproduces her input but is semantically incorrect. It’s worth noting, however, that the error block and all the subsequent blocks will have different ciphertexts due to the propagation of the change, but this isn’t an error. These blocks will decrypt correctly.

4. In CFB mode, transmission errors will affect the block they occurred in and the following block by corrupting the keystream upon decryption (this happens due to the ciphertext being used as input to the cryptographic primitive). Note that CFB functions somewhat like a stream cipher, so in the “block” (of keystream bits produced by the primitive) that the error occurs, only that bit is altered. However, the following “block” of keybits will be totally corrupted due to the feedback of corrupted ciphertext into the cryptographic primitive upon decryption. As with CBC mode, \(y_{i+2}\) will not have any decryption errors, since block \(y_{i+1}\)’s ciphertext is uncorrupted.

5. To summarise the propagation of errors in the various modes:
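An added example, not part of the original solution or the book: it checks answers 1, 2 and 4 empirically by flipping one bit in ciphertext block \(y_i\) and counting how many plaintext bits change in each block under ECB, CBC and full-block CFB (the variant the answer to part 4 describes). The block cipher is a toy SHA-256 Feistel construction used as a stand-in for a real primitive; the key, all-zero IV, plaintext and every function name are constructed for this demonstration.

```python
import hashlib

BS = 8  # toy block size in bytes (assumption; the propagation pattern is the same for any size)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def f(key, rnd, half):  # Feistel round function from SHA-256 (stand-in, not a real cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def enc_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def run(mode, key, iv, data, decrypt):
    prev, out = iv, []
    for blk in blocks(data):
        if mode == "ECB":
            res = dec_block(key, blk) if decrypt else enc_block(key, blk)
        elif mode == "CBC":
            res = xor(dec_block(key, blk), prev) if decrypt else enc_block(key, xor(blk, prev))
        else:  # full-block CFB: keystream is E(previous ciphertext block)
            res = xor(blk, enc_block(key, prev))
        prev = blk if decrypt else res  # the chaining value is always a ciphertext block
        out.append(res)
    return b"".join(out)

def damage(mode, i=1):
    """Flip one bit of ciphertext block i; return the count of wrong plaintext bits per block."""
    key, iv = b"constructed key", bytes(BS)  # fixed IV only to make the demo repeatable
    pt = bytes(range(5 * BS))                # constructed 5-block plaintext
    ct = bytearray(run(mode, key, iv, pt, decrypt=False))
    ct[i * BS] ^= 0x01                       # single bit error in y_i
    got = run(mode, key, iv, bytes(ct), decrypt=True)
    return [sum(bin(a ^ b).count("1") for a, b in zip(p, g))
            for p, g in zip(blocks(pt), blocks(got))]

if __name__ == "__main__": print({m: damage(m) for m in ("ECB", "CBC", "CFB")})
```

With `i=1` (0-indexed), the result has the shape `[0, n, 0, 0, 0]` for ECB, `[0, n, 1, 0, 0]` for CBC and `[0, 1, n, 0, 0]` for CFB, where `n` is the number of bits changed in the garbled block.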


Thomas Busby
