09 Known Plain Text Attacks

• If I know the plaintext I can change CTR encrypted messages
• e.g. If I know $En{c}_{CTR}(M_1)$ and I know $M_1$, I can make a ciphertext that decrypts to any message I want, e.g. $M_2$
• New ciphertext is

$$En{c}_{CTR}(M1)\oplus (M_1\oplus M_2)$$

• Decrypt it

$$\begin{array}{rl}\text{DecCTR}(\text{EncCTR}(M_1)\oplus (M_1\oplus M_2))& =\text{DecCTR}(\text{Enc}(N_{jjCtr})\oplus M_1)\oplus (M_1\oplus M_2)\\ & =\text{Enc}(N_{jjCtr})\oplus (\text{Enc}(N_{jjCtr})\oplus M_1)\oplus (M_1\oplus M_2)\\ & =M_2\end{array}$$