+\begin{table}
+ \begin{tabularx}{\textwidth}{Mr X}
+ G & A cyclic group known by all participants \\
+ q = |G| & The prime order of $G$ \\
+ g & A generator of $G$ \\
+ E_K(\cdot) & Encryption under key $K$, here used to denote
+ application of the $\id{encrypt}(K, \cdot)$
+ operation \\
+ \alpha \inr \Nupto{q} & Alice's private key \\
+ a = g^{\alpha} & Alice's public key \\
+ \rho_A \inr \Nupto{q} & Alice's secret Diffie-Hellman value \\
+ r_A = g^{\rho_A} & Alice's public \emph{challenge} \\
+ c_A = H(\cookie{cookie}, r_A)
+ & Alice's \emph{cookie} \\
+ v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})
+ & Alice's challenge \emph{check value} \\
+ r_B^\alpha = a^{\rho_B}
+ & Alice's reply \\
+ K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}
+ & Alice and Bob's shared secret key \\
+ w_A = H(\cookie{switch-request}, c_A, c_B)
+ & Alice's \emph{switch request} value \\
+ u_A = H(\cookie{switch-confirm}, c_A, c_B)
+ & Alice's \emph{switch confirm} value \\
+ \end{tabularx}
+
+ \caption{Names used during key-exchange}
+ \label{tab:kx-names}
+\end{table}
+
+\begin{table}
+ \begin{tabular}[C]{Ml}
+ \cookie{kx-pre-challenge}, r_A \\
+ \cookie{kx-cookie}, r_A, c_B \\
+ \cookie{kx-challenge}, r_A, c_B, v_A \\
+ \cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha)) \\
+ \cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A)) \\
+ \cookie{kx-switch-ok}, E_K(u_A))
+ \end{tabular}
+
+ \caption{Message contents, as sent by Alice}
+ \label{tab:kx-messages}
+\end{table}
+
+\begin{messages}
+\item[kx-pre-challenge] Contains a plain statement of Alice's challenge.
+ This is Alice's first message of a session.
+\item[kx-cookie] A bare acknowledgement of a received challenge: it restates
+ Alice's challenge, and contains a hash of Bob's challenge. This is an
+ engineering measure (rather than a cryptographic one) which prevents
+ trivial denial-of-service attacks from working.
+\item[kx-challenge] A full challenge, with a `check value' which proves the
+ challenge's honesty. Bob's correct reply to this challenge informs Alice
+ that she's received his challenge correctly.
+\item[kx-reply] A reply. This contains a `check value', like the
+ \cookie{kx-challenge} message above, and an encrypted reply which confirms
+ to Bob Alice's successful receipt of his challenge and lets Bob know he
+ received Alice's challenge correctly.
+\item[kx-switch] Acknowledges Alice's receipt of Bob's \cookie{kx-reply}
+ message, including Alice's own reply to Bob's challenge. Tells Bob that
+ she can start using the key they've agreed.
+\item[kx-switch-ok] Acknowlegement to Bob's \cookie{kx-switch} message.
+\end{messages}
+
+\begin{figure}
+ \small
+ \let\ns\normalsize
+ \let\c\cookie
+ \[ \begin{graph}
+ []!{0; <4.5cm, 0cm>: <0cm, 1.5cm>::}
+ *++[F:<4pt>]\txt{\ns Start \\ Choose $\rho_A$} ="start"
+ :[dd]
+ *++[F:<4pt>]\txt{
+ \ns State \c{challenge} \\
+ Send $(\c{pre-challenge}, r_A)$}
+ ="chal"
+ [] "chal" !{!L(0.5)} ="chal-cookie"
+ :@(d, d)[l]
+ *+\txt{Send $(\c{cookie}, r_A, c_B)$}
+ ="cookie"
+ |*+\txt{Receive \\ $(\c{pre-challenge}, r_B)$ \\ (no spare slot)}
+ :@(u, u)"chal-cookie"
+ "chal" :@/_0.8cm/ [ddddl]
+ *+\txt{Send \\ $(\c{challenge}, $\\$ r_A, c_B, v_A)$}
+ ="send-chal"
+ |<>(0.67) *+\txt\small{
+ Receive \\ $(\c{pre-challenge}, r_B)$ \\ (spare slot)}
+ "chal" :@/^0.8cm/ "send-chal" |<>(0.33)
+ *+\txt{Receive \\ $(\c{cookie}, r_B, c_A)$}
+ :[rr]
+ *+\txt{Send \\ $(\c{reply}, c_A, c_B, $\\$ v_A, E_K(r_B^\alpha))$}
+ ="send-reply"
+ |*+\txt{Receive \\ $(\c{challenge}, $\\$ r_B, c_A, v_B)$}
+ "chal" :"send-reply"
+ |*+\txt{Receive \\ $(\c{challenge}, $\\$ r_B, c_A, v_B)$}
+ "send-chal" :[ddd]
+ *++[F:<4pt>]\txt{
+ \ns State \c{commit} \\
+ Send \\ $(\c{switch}, c_A, c_B, $\\$ E_K(r_B^\alpha, w_A))$}
+ ="commit"
+ |*+\txt{Receive \\ $(\c{reply}, c_B, c_A, $\\$ v_B, E_K(b^{\rho_A}))$}
+ :[rr]
+ *+\txt{Send \\ $(\c{switch-ok}, E_K(u_A))$}
+ ="send-switch-ok"
+ |*+\txt{Receive \\ $(\c{switch}, c_B, c_A, $\\$ E_K(b^{\rho_A}, w_B))$}
+ "send-reply" :"commit"
+ |*+\txt{Receive \\ $(\c{reply}, c_B, c_A, $\\$ v_B, E_K(b^{\rho_A}))$}
+ "send-reply" :"send-switch-ok"
+ |*+\txt{Receive \\ $(\c{switch}, c_B, c_A, $\\$ E_K(b^{\rho_A}, w_B))$}
+ :[dddl]
+ *++[F:<4pt>]\txt{\ns Done}
+ ="done"
+ "commit" :"done"
+ |*+\txt{Receive \\ $(\c{switch-ok}, E_K(u_B))$}
+ "send-chal" [r] !{+<0cm, 0.75cm>}
+ *\txt\itshape{For each outstanding challenge}
+ ="for-each"
+ !{"send-chal"+DL-<8pt, 8pt> ="p0",
+ "for-each"+U+<8pt> ="p1",
+ "send-reply"+UR+<8pt, 8pt> ="p2",
+ "send-reply"+DR+<8pt, 8pt> ="p3",
+ "p0" !{"p1"-"p0"} !{"p2"-"p1"} !{"p3"-"p2"}
+ *\frm<8pt>{--}}
+ \end{graph} \]
+
+ \caption{State-transition diagram for key-exchange protocol}
+ \label{fig:kx-states}
+\end{figure}
+
+We now describe the protocol message by message, and Alice's actions when she
+receives each. Since the protocol is completely symmetrical, Bob should do
+the same, only swapping round $A$ and $B$ subscripts, the public keys $a$ and
+$b$, and using his private key $\beta$ instead of $\alpha$.
+
+\subsubsection{Starting the protocol}
+
+As described above, at the beginning of the protocol Alice chooses a random
+$\rho_A \inr \Nupto q$, and computes her \emph{challenge} $r_A = g^{\rho_A}$
+and her \emph{cookie} $c_A = H(\cookie{cookie}, r_A)$. She sends her
+announcement of her challenge as
+\begin{equation}
+ \label{eq:kx-pre-challenge}
+ \cookie{kx-pre-challenge}, r_A
+\end{equation}
+and enters the \cookie{challenge} state.
+
+\subsubsection{The \cookie{kx-pre-challenge} message}
+
+If Alice receieves a \cookie{kx-pre-challenge}, she ensures that she's in the
+\cookie{challenge} state: if not, she rejects the message.
+
+She must first calculate Bob's cookie $c_B = H(\cookie{cookie}, r_B)$. Then
+she has a choice: either she can send a full challenge, or she can send the
+cookie back.
+
+Suppose she decides to send a full challenge. She must compute a \emph{check
+value}
+\begin{equation}
+ \label{eq:v_A}
+ v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})
+\end{equation}
+and sends
+\begin{equation}
+ \label{eq:kx-challenge}
+ \cookie{kx-challenge}, r_A, c_B, v_A
+\end{equation}
+to Bob. Then she remembers Bob's challenge for later use, and awaits his
+reply.
+
+If she decides to send only a cookie, she just transmits
+\begin{equation}
+ \label{eq:kx-cookie}
+ \cookie{kx-cookie}, r_A, c_B
+\end{equation}
+to Bob and forgets all about it.
+
+Why's this useful? Well, if Alice sends off a full \cookie{kx-challenge}
+message, she must remember Bob's $r_B$ so she can check his reply and that
+involves using up a table slot. That means that someone can send Alice
+messages purporting to come from Bob which will chew up Alice's memory, and
+they don't even need to be able to read Alice's messages to Bob to do that.
+If this protocol were used over the open Internet, script kiddies from all
+over the world might be flooding Alice with bogus \cookie{kx-pre-challenge}
+messages and she'd never get around to talking to Bob.
+
+By sending a cookie intead, she avoids committing a table slot until Bob (or
+someone) sends either a cookie or a full challenge, thus proving, at least,
+that he can read her messages. This is the best we can do at this stage in
+the protocol. Against an adversary as powerful as the one we present in
+section~\fixme\ref{sec:formal} this measure provides no benefit (but we have
+to analyse it anyway); but it raises the bar too sufficiently high to
+eliminate a large class of `nuisance' attacks in the real world.
+
+Our definition of the Wrestlers Protocol doesn't stipulate when Alice should
+send a full challenge or just a cookie: we leave this up to individual
+implementations, because it makes no difference to the security of the
+protocol against powerful adversaries. But we recommend that Alice proceed
+`optimistically' at first, sending full challenges until her challenge table
+looks like it's running out, and then generating cookies only if it actually
+looks like she's under attack. This is what our pseudocode in
+figure~\ref{fig:kx-messages} does.
+
+\subsubsection{The \cookie{kx-cookie} message}
+
+When Alice receives a \cookie{kx-cookie} message, she must ensure that she's
+in the \cookie{challenge} state: if not, she rejects the message. She checks
+the cookie in the message against the value of $c_A$ she computed earlier.
+If all is well, Alice sends a \cookie{kx-challenge} message, as in
+equation~\ref{eq:kx-challenge} above.
+
+This time, she doesn't have a choice about using up a table slot to remember
+Bob's $r_B$. If her table size is fixed, she must choose a slot to recycle.
+We suggest simply recycling slots at random: this means there's no clever
+pattern of \cookie{kx-cookie} messages an attacker might be able to send to
+clog up all of Alice's slots.
+
+\subsubsection{The \cookie{kx-challenge} message}
+
+
+
+\begin{figure}
+ \begin{program}
+ Procedure $\id{kx-initialize}$: \+ \\
+ $\rho_A \getsr [q]$; \\
+ $r_a \gets g^{\rho_A}$; \\
+ $\id{state} \gets \cookie{challenge}$; \\
+ $\Xid{n}{chal} \gets 0$; \\
+ $k \gets \bot$; \\
+ $\id{chal-commit} \gets \bot$; \\
+ $\id{send}(\cookie{kx-pre-challenge}, r_A)$; \- \\[\medskipamount]
+ Procedure $\id{kx-receive}(\id{type}, \id{data})$: \\ \ind
+ \IF $\id{type} = \cookie{kx-pre-challenge}$ \THEN \\ \ind
+ \id{msg-pre-challenge}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-cookie}$ \THEN \\ \ind
+ \id{msg-cookie}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-challenge}$ \THEN \\ \ind
+ \id{msg-challenge}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-reply}$ \THEN \\ \ind
+ \id{msg-reply}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-switch}$ \THEN \\ \ind
+ \id{msg-switch}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-switch-ok}$ \THEN \\ \ind
+ \id{msg-switch-ok}(\id{data}); \-\- \\[\medskipamount]
+ Procedure $\id{msg-pre-challenge}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $r \gets \id{data}$; \\
+ \IF $\Xid{n}{chal} \ge \Xid{n}{chal-thresh}$ \THEN \\ \ind
+ $\id{send}(\cookie{kx-cookie}, r_A, \id{cookie}(r_A)))$; \- \\
+ \ELSE \+ \\
+ $\id{new-chal}(r)$; \\
+ $\id{send}(\cookie{kx-challenge}, r_A,
+ \id{cookie}(r), \id{checkval}(r))$; \-\-\\[\medskipamount]
+ Procedure $\id{msg-cookie}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $(r, c_A) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $\id{new-chal}(r)$; \\
+ $\id{send}(\cookie{kx-challenge}, r_A,
+ \id{cookie}(r), \id{checkval}(r))$; \- \\[\medskipamount]
+ Procedure $\id{msg-challenge}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $(r, c_A, v) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{check-reply}(\bot, r, v)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $y \gets \id{encrypt}(k, \cookie{kx-reply}, r^\alpha)$; \\
+ $\id{send}(\cookie{kx-reply}, c_A, \id{cookie}(r),
+ \id{checkval}(r), y)$
+ \next
+ Procedure $\id{msg-reply}(\id{data})$: \+ \\
+ $(c, c_A, v, y) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ \IF $\id{check-reply}(i, \id{chal-tab}[i].r, v) = \bot$ \THEN \\ \ind
+ \RETURN; \- \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $x \gets \id{decrypt}(k, \cookie{kx-reply}, y)$; \\
+ \IF $x = \bot$ \THEN \RETURN; \\
+ \IF $x \ne b^{\rho_A}$ \THEN \RETURN; \\
+ $\id{state} \gets \cookie{commit}$; \\
+ $\id{chal-commit} \gets \id{chal-tab}[i]$; \\
+ $w \gets H(\cookie{switch-request}, c_A, c)$; \\
+ $x \gets \id{chal-tab}[i].r^\alpha$; \\
+ $y \gets \id{encrypt}(k, (x, \cookie{kx-switch}, w))$; \\
+ $\id{send}(\cookie{kx-switch}, c_A, c, y)$; \-\\[\medskipamount]
+ Procedure $\id{msg-switch}(\id{data})$: \+ \\
+ $(c, c_A, y) \gets \id{data}$; \\
+ \IF $c_A \ne \cookie(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $x \gets \id{decrypt}(k, \cookie{kx-switch}, y)$; \\
+ \IF $x = \bot$ \THEN \RETURN; \\
+ $(x, w) \gets x$; \\
+ \IF $\id{state} = \cookie{challenge}$ \THEN \\ \ind
+ \IF $x \ne b^{\rho_A}$ \THEN \RETURN; \\
+ $\id{chal-commit} \gets \id{chal-tab}[i]$; \- \\
+ \ELSE \IF $c \ne \id{chal-commit}.c$ \THEN \RETURN; \\
+ \IF $w \ne H(\cookie{switch-request}, c, c_A)$ \THEN \RETURN; \\
+ $w \gets H(\cookie{switch-confirm}, c_A, c)$; \\
+ $y \gets \id{encrypt}(y, \cookie{kx-switch-ok}, w)$; \\
+ $\id{send}(\cookie{switch-ok}, y)$; \\
+ $\id{done}(k)$; \- \\[\medskipamount]
+ Procedure $\id{msg-switch-ok}(\id{data})$ \+ \\
+ \IF $\id{state} \ne \cookie{commit}$ \THEN \RETURN; \\
+ $y \gets \id{data}$; \\
+ $k \gets \id{chal-commit}.k$; \\
+ $w \gets \id{decrypt}(k, \cookie{kx-switch-ok}, y)$; \\
+ \IF $w = \bot$ \THEN \RETURN; \\
+ $c \gets \id{chal-commit}.c$; \\
+ $c_A \gets \id{cookie}(r_A)$; \\
+ \IF $w \ne H(\cookie{switch-confirm}, c, c_A)$ \THEN \RETURN; \\
+ $\id{done}(k)$;
+ \end{program}
+
+ \caption{The key-exchange protocol: message handling}
+ \label{fig:kx-messages}
+\end{figure}
+
+\begin{figure}
+ \begin{program}
+ Structure $\id{chal-slot}$: \+ \\
+ $r$; $c$; $\id{replied}$; $k$; \- \\[\medskipamount]
+ Function $\id{find-chal}(c)$: \+ \\
+ \FOR $i = 0$ \TO $\Xid{n}{chal}$ \DO \\ \ind
+ \IF $\id{chal-tab}[i].c = c$ \THEN \RETURN $i$; \- \\
+ \RETURN $\bot$; \- \\[\medskipamount]
+ Function $\id{cookie}(r)$: \+ \\
+ \RETURN $H(\cookie{cookie}, r)$; \- \\[\medskipamount]
+ Function $\id{check-reply}(i, r, v)$: \+ \\
+ \IF $i \ne \bot \land \id{chal-tab}[i].\id{replied} = 1$ \THEN \\ \ind
+ \RETURN $i$; \- \\
+ $\rho \gets v \xor H(\cookie{expected-reply}, r, r_A, r^\alpha)$; \\
+ \IF $g^\rho \ne r$ \THEN \RETURN $\bot$; \\
+ \IF $i = \bot$ \THEN $i \gets \id{new-chal}(r)$; \\
+ $\id{chal-tab}[i].k \gets \id{gen-keys}(r_A, r, r^{\rho_A})$; \\
+ $\id{chal-tab}[i].\id{replied} \gets 1$; \\
+ \RETURN $i$;
+ \next
+ Function $\id{checkval}(r)$: \\ \ind
+ \RETURN $\rho_A \xor H(\cookie{expected-reply},
+ r_A,r, b^{\rho_A})$; \- \\[\medskipamount]
+ Function $\id{new-chal}(r)$: \+ \\
+ $c \gets \id{cookie}(r)$; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i \ne \bot$ \THEN \RETURN $i$; \\
+ \IF $\Xid{n}{chal} < \Xid{n}{chal-max}$ \THEN \\ \ind
+ $i \gets \Xid{n}{chal}$; \\
+ $\id{chal-tab}[i] \gets \NEW \id{chal-slot}$; \\
+ $\Xid{n}{chal} \gets \Xid{n}{chal} + 1$; \- \\
+ \ELSE \\ \ind
+ $i \getsr [\Xid{n}{chal-max}]$; \- \\
+ $\id{chal-tab}[i].r \gets r$; \\
+ $\id{chal-tab}[i].c \gets c$; \\
+ $\id{chal-tab}[i].\id{replied} \gets 0$; \\
+ $\id{chal-tab}[i].k \gets \bot$; \\
+ \RETURN $i$;
+ \end{program}
+
+ \caption{The key-exchange protocol: support functions}
+ \label{fig:kx-support}
+\end{figure}
+
+%%%--------------------------------------------------------------------------
+
+\section{CBC mode encryption}
+\label{sec:cbc}
+
+Our implementation of the Wrestlers Protocol uses Blowfish
+\cite{Schneier:1994:BEA} in CBC mode. However, rather than pad plaintext
+messages to a block boundary, with the ciphertext expansion that entails, we
+use a technique called \emph{ciphertext stealing}
+\cite[section 9.3]{Schneier:1996:ACP}.
+
+\subsection{Standard CBC mode}
+
+Suppose $E$ is an $\ell$-bit pseudorandom permutation. Normal CBC mode works
+as follows. Given a message $X$, we divide it into blocks $x_0, x_1, \ldots,
+x_{n-1}$. Choose a random \emph{initialization vector} $I \inr \Bin^\ell$.
+Before passing each $x_i$ through $E$, we XOR it with the previous
+ciphertext, with $I$ standing in for the first block:
+\begin{equation}
+ y_0 = E_K(x_0 \xor I) \qquad
+ y_i = E_K(x_i \xor y_{i-1} \ \text{(for $1 \le i < n$)}.
+\end{equation}
+The ciphertext is then the concatenation of $I$ and the $y_i$. Decryption is
+simple:
+\begin{equation}
+ x_0 = E^{-1}_K(y_0) \xor I \qquad
+ x_i = E^{-1}_K(y_i) \xor y_{i-1} \ \text{(for $1 \le i < n$)}
+\end{equation}
+See figure~\ref{fig:cbc} for a diagram of CBC encryption.
+
+\begin{figure}
+ \[ \begin{graph}
+ []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+ *+=(1, 0)+[F]{\mathstrut x_0}="x"
+ :[dd] *{\xor}="xor"
+ [ll] *+=(1, 0)+[F]{I} :"xor"
+ :[dd] *+[F]{E}="e" :[ddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddd]
+ *+=(1, 0)+[F]{\mathstrut y_1}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+ :@{-->}[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddd]
+ *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+ "e" [l] {K} :@{-->}"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddd]
+ *+=(1, 0)+[F]{\mathstrut y_{n-1}}="i"
+ "e" [l] {K} :"e"
+ \end{graph} \]
+
+ \caption{Encryption using CBC mode}
+ \label{fig:cbc}
+\end{figure}
+
+\begin{definition}[CBC mode]
+ \label{def:cbc}
+ Let $P\colon \keys P \times \Bin^\ell to \Bin^\ell$ be a pseudorandom
+ permutation. We define the symmetric encryption scheme
+ $\Xid{\mathcal{E}}{CBC}^P = (\Xid{E}{CBC}^P, \Xid{D}{CBC}^P)$ for messages
+ in $\Bin^{\ell\Z}$ by setting $\keys \Xid{\mathcal{E}}{CBC} = \keys P$ and
+ defining the encryption and decryption algorithms as follows:
+ \begin{program}
+ Algorithm $\Xid{E}{CBC}^P_K(x)$: \+ \\
+ $I \getsr \Bin^\ell$; \\
+ $y \gets I$; \\
+ \FOR $i = 0$ \TO $|x|/\ell$ \DO \\ \ind
+ $x_i \gets x[\ell i \bitsto \ell (i + 1)]$; \\
+ $y_i \gets P_K(x_i \xor I)$; \\
+ $I \gets y_i$; \\
+ $y \gets y \cat y_i$; \- \\
+ \RETURN $y$;
+ \next
+ Algorithm $\Xid{D}{CBC}^P_K(y)$: \+ \\
+ $I \gets y[0 \bitsto \ell]$; \\
+ $x \gets \emptystring$; \\
+ \FOR $1 = 0$ \TO $|y|/\ell$ \DO \\ \ind
+ $y_i \gets y[\ell i \bitsto \ell (i + 1)]$; \\
+ $x_i \gets P^{-1}_K(y_i) \xor I$; \\
+ $I \gets y_i$; \\
+ $x \gets x \cat x_i$; \- \\
+ \RETURN $x$;
+ \end{program}
+\end{definition}
+
+\begin{theorem}[Security of standard CBC mode]
+ \label{thm:cbc}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. Then,
+ \begin{equation}
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC}; t, q_E + \mu_E) \le
+ 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+ \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+ \end{equation}
+ where $q = \mu_E/\ell$ and $t_P$ is some small constant.
+\end{theorem}
+
+\begin{note}
+ Our security bound is slightly better than that of \cite[theorem
+ 17]{Bellare:2000:CST}. Their theorem statement contains a term $3 \cdot q
+ (q - 1) 2^{-\ell-1}$. Our result lowers the factor from 3 to just over 2.
+ Our proof is also much shorter and considerably more comprehensible.
+\end{note}
+
+The proof of this theorem is given in section~\ref{sec:cbc-proof}
+
+\subsection{Ciphertext stealing}
+
+Ciphertext stealing allows us to encrypt any message in $\Bin^*$ and make the
+ciphertext exactly $\ell$ bits longer than the plaintext. See
+figure~\ref{fig:cbc-steal} for a diagram.
+
+\begin{figure}
+ \[ \begin{graph}
+ []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+ *+=(1, 0)+[F]{\mathstrut x_0}="x"
+ :[dd] *{\xor}="xor"
+ [ll] *+=(1, 0)+[F]{I} :"xor"
+ :[dd] *+[F]{E}="e" :[ddddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddddd]
+ *+=(1, 0)+[F]{\mathstrut y_1}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+ :@{-->}[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddddd]
+ *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+ "e" [l] {K} :@{-->}"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-2}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1} \cat 0^{\ell-t}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ "e" [dddddrrr] *+=(1, 0)+[F]{\mathstrut y_{n-1}[0 \bitsto t]}="i"
+ "e" [dd] ="x"
+ "i" [uu] ="y"
+ []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+ "x"; "y" **{}, "x"+/4pt/ ="q",
+ "y"; "x" **{}, "y"+/4pt/ ="r",
+ "y"; "i" **{}, "y"+/4pt/ ="s",
+ "e";
+ "p" **\dir{-};
+ "q" **\crv{"x"};
+ "r" **\dir{-};
+ "s" **\crv{"y"};
+ "i" **\dir{-}?>*\dir{>}}
+ "xor" :[dd] *+[F]{E}="e"
+ "e" [l] {K} :"e"
+ "e" [dddddlll] *+=(1, 0)+[F]{\mathstrut y_{n-2}}="i"
+ "e" [dd] ="x"
+ "i" [uu] ="y"
+ []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+ "x"; "y" **{}, "x"+/4pt/ ="q",
+ "y"; "x" **{}, "y"+/4pt/ ="r",
+ "y"; "i" **{}, "y"+/4pt/ ="s",
+ "x"; "y" **{} ?="c" ?(0.5)/-4pt/ ="cx" ?(0.5)/4pt/ ="cy",
+ "e";
+ "p" **\dir{-};
+ "q" **\crv{"x"};
+ "cx" **\dir{-};
+ "c" *[@]\cir<4pt>{d^u};
+ "cy";
+ "r" **\dir{-};
+ "s" **\crv{"y"};
+ "i" **\dir{-}?>*\dir{>}}
+ \end{graph} \]
+
+ \caption{Encryption using CBC mode with ciphertext stealing}
+ \label{fig:cbc-steal}
+\end{figure}
+
+\begin{definition}[CBC stealing]
+ \label{def:cbc-steal}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. We define the symmetric encryption scheme
+ $\Xid{\mathcal{E}}{CBC-steal}^P = (\Xid{G}{CBC}^P, \Xid{E}{CBC-steal}^P,
+ \Xid{D}{CBC-steal}^P)$ for messages in $\Bin^{\ell\Z}$ by setting $\keys
+ \Xid{\mathcal{E}}{CBC-steal} = \keys P$ and defining the encryption and
+ decryption algorithms as follows:
+ \begin{program}
+ Algorithm $\Xid{E}{CBC-steal}^P_K(x)$: \+ \\
+ $I \getsr \Bin^\ell$; \\
+ $y \gets I$; \\
+ $t = |x| \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN $x \gets x \cat 0^{\ell-t}$; \\
+ \FOR $i = 0$ \TO $|x|/\ell$ \DO \\ \ind
+ $x_i \gets x[\ell i \bitsto \ell (i + 1)]$; \\
+ $y_i \gets P_K(x_i \xor I)$; \\
+ $I \gets y_i$; \\
+ $y \gets y \cat y_i$; \- \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - 2\ell$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat {}$ \\
+ \>$y[b \bitsto b + t]$; \- \\
+ \RETURN $y$;
+ \next
+ Algorithm $\Xid{D}{CBC-steal}^P_K(y)$: \+ \\
+ $I \gets y[0 \bitsto \ell]$; \\
+ $t = |y| \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - t - \ell$; \\
+ $z \gets P^{-1}_K(y[b \bitsto b + \ell])$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat {}$ \\
+ \>$z[t \bitsto \ell]$; \- \\
+ $x \gets \emptystring$; \\
+ \FOR $1 = 0$ \TO $|y|/\ell$ \DO \\ \ind
+ $y_i \gets y[\ell i \bitsto \ell (i + 1)]$; \\
+ $x_i \gets P^{-1}_K(y_i) \xor I$; \\
+ $I \gets y_i$; \\
+ $x \gets x \cat x_i$; \- \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $x \gets x \cat z[0 \bitsto t] \xor y[b \bitsto b + t]$; \- \\
+ \RETURN $x$;
+ \end{program}
+\end{definition}
+
+\begin{theorem}[Security of CBC with ciphertext stealing]
+ \label{thm:cbc-steal}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. Then
+ \begin{equation}
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC-steal}; t, q_E, \mu_E) \le
+ 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+ \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+ \end{equation}
+ where $q = \mu_E/\ell$ and $t_P$ is some small constant.
+\end{theorem}
+
+\begin{proof}
+ This is an easy reducibility argument. Let $A$ be an adversary attacking
+ $\Xid{\mathcal{E}}{CBC-steal}^P$. We construct an adversary which attacks
+ $\Xid{\mathcal{E}}{CBC}^P$:
+ \begin{program}
+ Adversary $A'^{E(\cdot)}$: \+ \\
+ $b \gets A^{\Xid{E}{steal}(\cdot)}$; \\
+ \RETURN $b$;
+ \- \\[\medskipamount]
+ Oracle $\Xid{E}{steal}(x_0, x_1)$: \+ \\
+ \IF $|x_0| \ne |x_1|$ \THEN \ABORT; \\
+ \RETURN $\id{steal}(|x_0|, E(\id{pad}(x_0), \id{pad}(x_1)))$;
+ \next
+ Function $\id{pad}(x)$: \+ \\
+ $t \gets |x| \bmod \ell$; \\
+ \RETURN $x \cat 0^{\ell-t}$;
+ \- \\[\medskipamount]
+ Function $\id{steal}(l, y)$: \+ \\
+ $t \gets l \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - 2\ell$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat y[b \bitsto b + t]$; \- \\
+ \RETURN $y$;
+ \end{program}
+ Comparing this to definition~\ref{def:cbc-steal} shows that $A'$ simlates
+ the LOR-CPA game for $\Xid{\mathcal{E}}{CBC-steal}$ perfectly. The theorem
+ follows.
+\end{proof}
+
+\subsection{Proof of theorem~\ref{thm:cbc}}
+\label{sec:cbc-proof}
+
+Consider an adversary $A$ attacking CBC encryption using an ideal random
+permutation $P(\cdot)$. Pick some point in the attack game when we're just
+about to encrypt the $n$th plaintext block. For each $i \in \Nupto{n}$,
+let $x_i$ be the $i$th block of plaintext we've processed; let $y_i$ be the
+corresponding ciphertext; and let $z_i = P^{-1}(y_i)$, i.e., $z_i = x_i \xor
+I$ for the first block of a message, and $z_i = x_i \xor y_{i-1}$ for the
+subsequent blocks.
+
+Say that `something went wrong' if any $z_i = z_j$ for $i \ne j$. This is
+indeed a disaster, because it means that $y_i = y_j$ , so he can detect it,
+and $x_i \xor y_{i-1} = x_j \xor y_{j-1}$, so he can compute an XOR
+difference between two plaintext blocks from the ciphertext and thus
+(possibly) reveal whether he's getting his left or right plaintexts
+encrypted. The alternative, `everything is fine', is much better. If all
+the $z_i$ are distinct, then because $y_i = P(z_i)$, the $y_i$ are all
+generated by $P(\cdot)$ on inputs it's never seen before, so they're all
+random subject to the requirement that they be distinct. If everything is
+fine, then, the adversary has no better way of deciding whether he has a left
+oracle or a right oracle than tossing a coin, and his advantage is therefore
+zero. Thus, we must bound the probability that something went wrong.
+
+Assume that, at our point in the game so far, everything is fine. But we're
+just about to encrypt $x^* = x_n$. There are two cases:
+\begin{itemize}
+\item If $x_n$ is the first block in a new message, we've just invented a new
+ random IV $I \in \Bin^\ell$ which is unknown to $A$, and $z_n = x_n \xor
+ I$. Let $y^* = I$.
+\item If $x_n$ is \emph{not} the first block, then $z_n = x_n \xor y_{n-1}$,
+ but the adversary doesn't yet know $y_{n-1}$, except that because $P$ is a
+ permutation and all the $z_i$ are distinct, $y_{n-1} \ne y_i$ for any $0
+ \le i < n - 1$. Let $y^* = y_{n-1}$.
+\end{itemize}
+Either way, the adversary's choice of $x^*$ is independent of $y^*$. Let
+$z^* = x^* \xor y^*$. We want to know the probability that something goes
+wrong at this point, i.e., that $z^* = z_i$ for some $0 \le i < n$. Let's
+call this event $C_n$. Note first that, in the first case, there are
+$2^\ell$ possible values for $y^*$ and in the second there are $2^\ell - n +
+1$ possibilities for $y^*$. Then
+\begin{eqnarray}[rl]
+ \Pr[C_n]
+ & = \sum_{x \in \Bin^\ell} \Pr[C_n \mid x^* = x] \Pr[x^* = x] \\
+ & = \sum_{x \in \Bin^\ell}
+ \Pr[x^* = x] \sum_{0\le i<n} \Pr[y^* = z_i \xor x] \\
+ & \le \sum_{0\le i<n} \frac{1}{2^\ell - n}
+ \sum_{x \in \Bin^\ell} \Pr[x^* = x] \\
+ & = \frac{n}{2^\ell - n}
+\end{eqnarray}