Symetric key encryption is not Authentication?
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
add a comment |
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
add a comment |
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
authenticated-encryption chosen-ciphertext-attack
edited Dec 17 '18 at 7:29
kelalaka
6,10022142
6,10022142
asked Dec 17 '18 at 6:20
UhntissUhntiss
162
162
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
add a comment |
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
add a comment |
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
answered Dec 17 '18 at 8:55
mephistomephisto
2,2571226
2,2571226
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
add a comment |
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
Dec 17 '18 at 11:08
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
– mephisto
Dec 18 '18 at 8:43
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown