Re: How to construct such one-way key chain without hash function
- From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
- Date: Mon, 24 Apr 2006 15:00:09 +0000 (UTC)
laicko wrote:
In someway, I'd like the scheme could follow this condition:
E_{K_i+j}(M)= A_e( E_{K_i}{M}, j) for i,j >=0
E is the encryption algorithm, A is function, e is public known
parameter
Note that such a scheme cannot be IND-CPA secure (since it is possible for
anyone who knows the public key to detect when a message M is sent more than
once, thanks to the above equation).
If the encryption E is probabilistic, CPA secure could be hold.
No, it couldn't. I already explained why not. Consider an adversary
who requests the encryption of two plaintexts. First the adversary
requests the encryption of message M (this gets encrypted at time 1, so
it is encrypted with key K_1); then the adversary requests encryption of
the same message M (this gets encrypted with key K_2). Let C_1 and C_2
be the resulting two ciphertexts. The adversary can recognize whether
C_1 and C_2 decrypt to the same thing by checking the equation C_2 =?=
A_e(C_1, 1).
.
- Follow-Ups:
- References:
- How to construct such one-way key chain without hash function
- From: laicko
- Re: How to construct such one-way key chain without hash function
- From: laicko
- Re: How to construct such one-way key chain without hash function
- From: David Wagner
- Re: How to construct such one-way key chain without hash function
- From: laicko
- How to construct such one-way key chain without hash function
- Prev by Date: getting nth prime
- Next by Date: tools for lecture
- Previous by thread: Re: How to construct such one-way key chain without hash function
- Next by thread: Re: How to construct such one-way key chain without hash function
- Index(es):
Relevant Pages
|
