Symetric key encryption is not Authentication?











up vote
2
down vote

favorite












Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



I know you can create a setup that isn't authentication, but how will you go about it?










share|improve this question









New contributor




Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    2
    down vote

    favorite












    Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



    I know you can create a setup that isn't authentication, but how will you go about it?










    share|improve this question









    New contributor




    Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?










      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?







      authenticated-encryption chosen-ciphertext-attack






      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 4 hours ago









      kelalaka

      4,84121837




      4,84121837






      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 6 hours ago









      Uhntiss

      112




      112




      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago















          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago













          up vote
          2
          down vote










          up vote
          2
          down vote









          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer












          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          mephisto

          2,2471226




          2,2471226












          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago


















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago
















          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          1 hour ago




          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          1 hour ago










          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.













          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.












          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Ellipse (mathématiques)

          Quarter-circle Tiles

          Mont Emei