Symetric key encryption is not Authentication?











up vote
2
down vote

favorite












Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



I know you can create a setup that isn't authentication, but how will you go about it?






authenticated-encryption chosen-ciphertext-attack







share|improve this question









New contributor




Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    2
    down vote

    favorite












    Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



    I know you can create a setup that isn't authentication, but how will you go about it?






    authenticated-encryption chosen-ciphertext-attack







    share|improve this question









    New contributor




    Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?






      authenticated-encryption chosen-ciphertext-attack







      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?






      authenticated-encryption chosen-ciphertext-attack




      authenticated-encryption chosen-ciphertext-attack






      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 4 hours ago









      kelalaka

      4,84121837




      4,84121837






      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 6 hours ago









      Uhntiss

      112




      112




      New contributor




      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Uhntiss is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "281"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago















          up vote
          2
          down vote













          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer





















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago













          up vote
          2
          down vote










          up vote
          2
          down vote









          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer












          Consider a CCA2 secure secret key encryption scheme $mathcal{E}$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcal{E'}$ where we extend the randomness space of $mathcal{E}$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcal{E'}$ becomes the identity for every element.



          Now, I claim $mathcal{E'}$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcal{E'}$ is not a secure MAC as everybody knows a valid tag for any message.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 3 hours ago









          mephisto

          2,2471226




          2,2471226












          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago


















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            1 hour ago
















          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          1 hour ago




          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          1 hour ago










          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.













          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.












          Uhntiss is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Quarter-circle Tiles

          Image
          up vote 0 down vote favorite I have $99$ identical square tiles, each with a quarter-circle drawn on it like this: [asy] size(1.5cm); draw(Arc((2,0),1,90,180),red+1); draw((0,0)--(2,0)--(2,2)--(0,2)--(0,0)); [/asy] When I arrange the tiles in a $9times 11$ rectangular grid, each with a random orientation, what is the expected value of the number of full circles I form? I think this problem has to do with finding the chance any given 2x2 square has a circle, but I can't find it. expected-value share | cite | improve this question asked Nov 20 at 15:03 6minecraftninja 1 2
          Read more

          build a pushdown automaton that recognizes the reverse language of a given pushdown automaton?

          Image
          0 I think it's similiar to NFAs. I replace the finite states of the given automaton for start-states for my new automaton. I do it with $epsilon$ -transition from the start state to the actual finite states of the given automaton. The start state of the given automaton will be my accepting(finite) state of my new one. All transitions will be reversed of course to recognize the reversed word. But how do I have to change the stack of the pushdown automaton? That's tricky. formal-languages automata context-free-grammar share | cite | improve this question edited Nov 29 '18 at 14:20 joee
          Read more

          Mont Emei

          Image
          Mont Emei.mw-parser-output .entete.map{background-image:url("//upload.wikimedia.org/wikipedia/commons/7/7a/Picto_infobox_map.png")} Vue du sommet Wanfo du mont Emei Géographie Altitude 3 099  m , Wanfo Coordonnées 29° 31′ 11″ nord, 103° 19′ 57″ est Administration Pays   Chine Province Sichuan Ville-préfecture Leshan Géolocalisation sur la carte : Sichuan Mont Emei Géolocalisation sur la carte : Chine Mont Emei modifier   Paysage panoramique du mont Emei, incluant le paysage panoramique du grand Bouddha de Leshan *   Patrimoine mondial de l'UNESCO Passerelle en bois sur le versant ouest Pays   Chine Subdivision Sichuan Type Mixte Critères (iv) (vi) (x) Superficie 15 400 ha Numéro d’identification 779 Zone géographique Asie et Pacifique  ** Année d’inscription 1996 (20 e session) * Descriptif officiel UNESCO ** Classification géog
          Read more