Re: What does the MAC in IES or ECIES achieve ?



fabrice.gautier@xxxxxxxxx wrote:
Kristian Gjøsteen wrote:
<fabrice.gautier@xxxxxxxxx> wrote:
What does the addition of a MAC achieve for IES/ECIES ?

Security?

If you look at what non-malleability really means, and then look at the
proof that NM-CCA is equivalent to IND-CCA, you will understand what
the MAC is for.


Hum... I'm not sure how it relates...

From Wikipedia:
"A malleable encryption algorithm allows transformations on the
ciphertext to produce meaningful changes in the plaintext."

Okay, so obviously, with the MAC in IES, I can detect if the ciphertext
has been tampered with.

But since IES doesn't provide authentication anyway (the sender doesn't
even need a Public Key), what good does that do?


Oh, wait, I think I get it now:

"Authenticated encryption schemes can recognize improperly-constructed
ciphertexts and refuse to decrypt them. This in turn prevents the
attacker from requesting the decryption of any ciphertext unless he
generated it correctly using the encryption algorithm, which would
imply that he already knows the plaintext. Implemented correctly, this
removes the usefulness of the decryption oracle, by preventing an
attacker from gaining useful information that he does not already
possess."

(From Wikipedia again)

This explains why the MAC is done on the ciphertext too, and not the
plaintext. And I think this might even help prevent timing attacks or
power analysis attacks against a decryption oracle that would not give
you the plaintext but would only verify authenticity and integrity
after the decryption...

Is that right? Am I forgetting anything else?

Thanks.
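Added example, not part of the original thread: a minimal ECIES-style scheme in Go built only from the standard library (crypto/ecdh on P-256, AES-CTR, HMAC-SHA256) to make the points above concrete. Two things are assumptions of this example rather than anything the thread or the ECIES standards state: the KDF is SHA-256 over the shared secret with a one-byte label (the standards use the ANSI X9.63 KDF), and the zero IV is acceptable only because every message gets a fresh ephemeral key. The MAC is computed over the ephemeral public key R and the ciphertext C, the check runs before any decryption, and the same tampered message is also pushed through a deliberately MAC-less path so the malleability of the underlying stream cipher is visible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrAuth is all a tampered message ever produces: no plaintext, no detail.
var ErrAuth = errors.New("ecies: MAC check failed, ciphertext rejected")

const pointLen = 65 // uncompressed P-256 point: the ephemeral key R that starts each message

// kdf splits the ECDH shared secret into an encryption key and a MAC key.
// Assumption: SHA-256 with a one-byte label stands in for the X9.63 KDF.
func kdf(shared []byte) (encKey, macKey []byte) {
	e := sha256.Sum256(append(append([]byte{}, shared...), 0x01))
	m := sha256.Sum256(append(append([]byte{}, shared...), 0x02))
	return e[:], m[:]
}

// stream is the unauthenticated core: AES-CTR with a zero IV, safe only because every
// message gets a fresh key. Flipping a bit of C flips the same bit of the plaintext.
func stream(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // key is always the 32 bytes kdf produced, so this cannot happen
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// tag is T = HMAC-SHA256(macKey, R || C): it covers the ciphertext, not the plaintext.
func tag(macKey, r, c []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(r)
	mac.Write(c)
	return mac.Sum(nil)
}

// Encrypt outputs R || C || T using only the recipient's public key; nothing in the
// message identifies the sender.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipient)
	if err != nil { return nil, err }
	encKey, macKey := kdf(shared)
	r, c := eph.PublicKey().Bytes(), stream(encKey, plaintext)
	return append(append(r, c...), tag(macKey, r, c)...), nil
}

// unseal re-derives the keys from R and, when verify is set, checks T in constant time
// before any decryption. verify=false is what an IES without a MAC does; it exists
// only so Demo can show the damage and must never be reachable by an attacker.
func unseal(priv *ecdh.PrivateKey, msg []byte, verify bool) ([]byte, error) {
	if len(msg) < pointLen+sha256.Size { return nil, ErrAuth }
	r, c, t := msg[:pointLen], msg[pointLen:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	ephPub, err := ecdh.P256().NewPublicKey(r) // also rejects points off the curve
	if err != nil { return nil, ErrAuth }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, ErrAuth }
	encKey, macKey := kdf(shared)
	if verify && !hmac.Equal(tag(macKey, r, c), t) { return nil, ErrAuth }
	return stream(encKey, c), nil
}

// Decrypt is the real API: MAC check first, plaintext only if it passes, so a decryption
// oracle only ever answers for ciphertexts the caller built honestly.
func Decrypt(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) { return unseal(priv, msg, true) }

// Demo returns the honestly decrypted message, whether a one-bit change to C is
// rejected, and what that tampered message decrypts to when the MAC is skipped.
func Demo() (honest string, tamperRejected bool, unauthenticated string, err error) {
	recipient, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return }
	msg, err := Encrypt(recipient.PublicKey(), []byte("pay 100 to alice")) // constructed sample
	if err != nil { return }
	got, err := Decrypt(recipient, msg)
	if err != nil { return }
	tampered := append([]byte{}, msg...)
	tampered[pointLen+4] ^= 0x08 // under CTR this turns the '1' (0x31) into '9' (0x39)
	_, derr := Decrypt(recipient, tampered)
	pt, err := unseal(recipient, tampered, false)
	return string(got), errors.Is(derr, ErrAuth), string(pt), err
}

func main() {
	honest, rejected, unauth, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("decrypts to %q; tampered rejected: %v; without the MAC it would read %q\n", honest, rejected, unauth)
}
```

Run it with `go run`: the honest message decrypts, the one-bit change to C is rejected with ErrAuth, and the MAC-less path returns a plaintext with the amount changed. Two details match the reasoning in the post: the tag is over R and C rather than the plaintext, so a forged or modified ciphertext fails before the decryptor does any key-dependent work on it, and the decryptor returns the same error for every failure (bad length, invalid point, bad tag) so the oracle gives nothing back but a yes or no on messages the caller built correctly.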
