# Re: How to construct such one-way key chain without hash function

*From*: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
*Date*: Mon, 24 Apr 2006 15:00:09 +0000 (UTC)

laicko wrote:

>>> In some way, I'd like the scheme to follow this condition:
>>>
>>> E_{K_i+j}(M)= A_e( E_{K_i}{M}, j) for i,j >=0
>>>
>>> E is the encryption algorithm, A is a function, e is a publicly known parameter
>>
>> Note that such a scheme cannot be IND-CPA secure (since it is possible for anyone who knows the public key to detect when a message M is sent more than once, thanks to the above equation).
>
> If the encryption E is probabilistic, CPA security could hold.

No, it couldn't. I already explained why not. Consider an adversary who requests the encryption of two plaintexts. First the adversary requests the encryption of message M (this gets encrypted at time 1, so it is encrypted with key K_1); then the adversary requests encryption of the same message M (this gets encrypted with key K_2). Let C_1 and C_2 be the resulting two ciphertexts. The adversary can recognize whether C_1 and C_2 decrypt to the same thing by checking the equation C_2 =?= A_e(C_1, 1).
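The check described in the reply above can be run as an IND-CPA game. This is an added example, not part of the original post: the exponentiation cipher, the key update K_{i+1} = K_i * e mod (p-1), the prime and the value of e are all constructed assumptions, chosen only because they satisfy the stated condition exactly.

```python
import secrets
from math import gcd

# Constructed toy parameters (assumptions, not taken from the thread).
P = 2**127 - 1     # Mersenne prime; messages live in Z_P^*
E_PUB = 65537      # public chain parameter e, coprime to P - 1

def keygen():
    """Pick K_0 coprime to P-1 so that encryption is a permutation."""
    while True:
        k = secrets.randbelow(P - 2) + 1
        if gcd(k, P - 1) == 1:
            return k

def next_key(k, j=1):
    """Key chain step: K_{i+j} = K_i * e^j mod (P-1)."""
    return (k * pow(E_PUB, j, P - 1)) % (P - 1)

def encrypt(k, m):
    """E_K(M) = M^K mod P (toy exponentiation cipher)."""
    return pow(m, k, P)

def A(c, j):
    """Public update A_e(C, j) = C^(e^j) mod P; uses no secret key."""
    return pow(c, pow(E_PUB, j, P - 1), P)

def ind_cpa_game(m0, m1):
    """One IND-CPA round; returns True if the adversary guesses the bit."""
    k1 = next_key(keygen())              # key in use at time 1
    k2 = next_key(k1)                    # key in use at time 2
    c1 = encrypt(k1, m0)                 # chosen-plaintext query on m0
    b = secrets.randbelow(2)             # challenger's hidden bit
    c_star = encrypt(k2, (m0, m1)[b])    # challenge ciphertext at time 2
    # The check from the post: C_2 =?= A_e(C_1, 1)
    guess = 0 if c_star == A(c1, 1) else 1
    return guess == b

if __name__ == "__main__":
    wins = sum(ind_cpa_game(12345, 67890) for _ in range(100))
    print(f"adversary won {wins}/100 rounds")
```

The adversary wins every round instead of half of them, and it never touches a key: any scheme for which the equation holds on the ciphertexts themselves exposes the same equality test.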
