I will assume that the IV for each packet is unknown to the attacker.
Perhaps the IV is the simple block encryption of the serial number of the packet.
I assume that the encryptor demands the entire packet before it reveals any of the ciphertext.
Let X be the set of values that can be fed to the block cipher.
In the cases of interest X is either [0, 2^{64}−1] or [0, 2^{128}−1].
Consider an abelian group whose elements are X, such as add or XOR.
The group is chosen independently of the key and known to the attacker.
Let f be the operator of the group.
A **good packet** is one whose sum (using f) over each plaintext block is 0 (the group identity).
The task for the attacker is to choose a good packet which when encrypted with the key=k and IV=i yields the encrypted packet.
The attacker may then see that packet and then choose an alternative encrypted packet which when decrypted with k and i produces a good packet different from the original.

The attacker does not know k or i but has a large collection of plaintext-ciphertext pairs for k.

I summarize:

- The attacker knows neither the key nor the initial vector for the packet.
- Attacker chooses all of the plaintext bits of a packet. He must choose a good packet lest it be rejected by the encryptor.
**Packet by packet encryption**: The attacker sees the ciphertext but only after the good packet has been submitted to the encryptor. See note below.- The attacker has a Partial Code Book (
**PCB**) which is a collection of N random pairs of plaintext and ciphertext blocks for the current key. He has not been able to influence which pairs those are. - The attacker gets to see any decryption of a ciphertext that he chooses and submits to the decrypter, but only if it decrypts to a good packet.
- Of course the attacker cannot reset the counter which controls the IV without a new cipher key being selected.

To set notation, the blocks of the plaintext are P_{j} for 0 ≤ j ≤ n.
That the plaintext packet is good is the requirement that cs_{n} = O where cs_{−1} = O and for 0 ≤ j ≤ n; cs_{j} = cs_{j−1} • P_{j} where “•” is the group operator and “O” is the group identity.
E(x) is the encryption of text x and D(E(x)) = x.
Block j of the encrypted packet is C_{j}.
C_{0} = E(E(sn) xor P_{0}) and for 0 < j ≤ n; C_{j} = E(C_{j−1} xor P_{j}).
“sn” is the packet serial number and E(sn) serves as the initial vector.

The attacker may attempt to find a substitute encrypted packet for delivery as follows. He chooses some encrypted block in some packet and searches for substitute encrypted blocks for that and the following blocks of the encrypted packet. The modified encrypted packet need not be the same length but it must decrypt to a good packet. The attacker can consult his PCB and consider alternate encrypted blocks for which he knows the block decryption.

Suppose that the attacker chooses ciphertext block C_{j}.
He considers substituting C'_{j} for C_{j} because he knows D(C'_{j}) from his PCB.
He already knows C_{j−1}.
He can thus predict the decryption of the corrupted plaintext block P'_{j} = C_{j−1} xor D(C'_{j}).
Next he checks to see of the abelian checksum is zero and in the likely case that it not he must either try another value for C'_{j} or try propagating the ruse further into the packet.
Each step of this process has a probability of success of 2^{−J} in case of a block cipher of J bits.
If he does not succeed he must eventually pass the uncorrupted encrypted packet thru lest the
time-out of the communications protocols call attention to his efforts.
He can restart his efforts with the arrival of the next encrypted packet.
All of the combinatorial work or the attacker must be done while these timeouts are running.
These work can be done in parallel.

I define a “good packet” rather than committing where the checksum is. I found that I was spending too much time wondering whether there were advantages of putting it first or last.