Symetric key encryption is not Authentication?
up vote
2
down vote
favorite
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
New contributor
add a comment |
up vote
2
down vote
favorite
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
New contributor
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
New contributor
Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?
I know you can create a setup that isn't authentication, but how will you go about it?
authenticated-encryption chosen-ciphertext-attack
authenticated-encryption chosen-ciphertext-attack
New contributor
New contributor
edited 4 hours ago
kelalaka
4,84121837
4,84121837
New contributor
asked 6 hours ago
Uhntiss
112
112
New contributor
New contributor
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
add a comment |
up vote
2
down vote
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
add a comment |
up vote
2
down vote
up vote
2
down vote
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.
Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.
answered 3 hours ago
mephisto
2,2471226
2,2471226
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
add a comment |
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
– Maeher
1 hour ago
add a comment |
Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown