Re: How to construct such oneway key chain without hash function
 From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
 Date: Mon, 24 Apr 2006 15:00:09 +0000 (UTC)
laicko wrote:
In someway, I'd like the scheme could follow this condition:
E_{K_i+j}(M)= A_e( E_{K_i}{M}, j) for i,j >=0
E is the encryption algorithm, A is function, e is public known
parameter
Note that such a scheme cannot be INDCPA secure (since it is possible for
anyone who knows the public key to detect when a message M is sent more than
once, thanks to the above equation).
If the encryption E is probabilistic, CPA secure could be hold.
No, it couldn't. I already explained why not. Consider an adversary
who requests the encryption of two plaintexts. First the adversary
requests the encryption of message M (this gets encrypted at time 1, so
it is encrypted with key K_1); then the adversary requests encryption of
the same message M (this gets encrypted with key K_2). Let C_1 and C_2
be the resulting two ciphertexts. The adversary can recognize whether
C_1 and C_2 decrypt to the same thing by checking the equation C_2 =?=
A_e(C_1, 1).
.
 FollowUps:
 References:
 How to construct such oneway key chain without hash function
 From: laicko
 Re: How to construct such oneway key chain without hash function
 From: laicko
 Re: How to construct such oneway key chain without hash function
 From: David Wagner
 Re: How to construct such oneway key chain without hash function
 From: laicko
 How to construct such oneway key chain without hash function
 Prev by Date: getting nth prime
 Next by Date: tools for lecture
 Previous by thread: Re: How to construct such oneway key chain without hash function
 Next by thread: Re: How to construct such oneway key chain without hash function
 Index(es):
Relevant Pages
