4

El Gamal is a malleable homomorphic encryption system, so is Rabin. Are all homomorphic encryption systems malleable? Or are there any that are not malleable? Thanks!

user100503

1 Answer

7

The answer may depend on your exact definitions of "homomorphic" and "malleable", but I'll give it a shot.

Basically, homomorphic encryption means that given encryptions $E_k(x)$ and $E_k(y)$ of some values $x$ and $y$, you can obtain an encryption of $x\ast y$ under the same key $k$ from $E_k(x)$ and $E_k(y)$, where $\ast$ is some binary operation, without knowledge of the key $k$. Typically, $\ast$ is the usual addition or multiplication on (bounded) integers, but the attack actually works for almost arbitrary operations (namely, there must be a pair $(x,y)$ such that $x\ast y\notin\{x,y\}$): Assume that an attacker knows $x$ and $y$ along with their encryptions $E_k(x)$ and $E_k(y)$. They may then compute $E_k(x)\mathbin{\hat\ast}E_k(y)$, where $\hat\ast$ denotes the "lifted" implementation of $\ast$ on ciphertexts, to obtain a ciphertext $\zeta$. By definition, $\zeta$ decrypts to $x\ast y$, which was assumed different from both $x$ and $y$. Hence, the attacker has obtained a ciphertext ($\zeta$) corresponding to a plaintext they know ($x\ast y$) but whose ciphertext they haven't observed before.

Therefore, any homomorphic encryption scheme is malleable.

yyyyyyy
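The argument in the answer above, run on textbook ElGamal with $\ast$ as multiplication modulo $p$. This is an added example, not part of the original answer; the modulus `P`, base `G`, the plaintexts 6 and 7, and all function names are constructed toy values chosen for illustration, not parameters for real use.

```python
import secrets

# Constructed toy parameters (assumption): P is the Mersenne prime 2**127 - 1
# and G = 3 is an arbitrary base. Not vetted for real-world use.
P = 2**127 - 1
G = 3

def keygen():
    """Return (private key k, public key G^k mod P)."""
    k = secrets.randbelow(P - 2) + 1
    return k, pow(G, k, P)

def encrypt(pub, m):
    """Textbook ElGamal: E(m) = (G^r, m * pub^r) with fresh randomness r."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P

def decrypt(priv, ct):
    """Recover m = c2 / c1^priv mod P."""
    c1, c2 = ct
    shared = pow(c1, priv, P)
    return (c2 * pow(shared, -1, P)) % P

def lifted_mul(ct_x, ct_y):
    """The 'lifted' operation on ciphertexts: component-wise product.
    Uses no key material at all."""
    return (ct_x[0] * ct_y[0]) % P, (ct_x[1] * ct_y[1]) % P

def demo():
    priv, pub = keygen()
    x, y = 6, 7                      # plaintexts known to the observer
    ct_x, ct_y = encrypt(pub, x), encrypt(pub, y)
    zeta = lifted_mul(ct_x, ct_y)    # derived from public values only
    # zeta is a ciphertext that was never produced by the key holder,
    # yet it decrypts to the known value x * y.
    return decrypt(priv, zeta), zeta not in (ct_x, ct_y)

if __name__ == "__main__":
    plaintext, is_new = demo()
    print("zeta decrypts to", plaintext, "| previously unseen ciphertext:", is_new)
```

Because `lifted_mul` needs no key, a protocol that requires ciphertext integrity has to obtain it from a separate mechanism rather than from the homomorphic scheme itself.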