
An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext m, it is possible to generate another ciphertext which decrypts to f(m), for a known function f, without necessarily knowing or learning m.

And non-malleable means the adversary shouldn't be able to come up with a ciphertext whose underlying plaintext is related to the original message through a relation that also takes public keys into account.

My question is how can one turn a malleable encryption scheme into one that is not malleable?

M.J.Watson

1 Answer


It seems like you are asking about converting an IND-CPA encryption scheme into an IND-CCA one.

  • In the symmetric-key setting, the standard approach that works is Encrypt-then-MAC.

  • In the public-key setting, this is a longstanding open question. There is no known black-box construction of IND-CCA from IND-CPA, nor is there a known impossibility of such a construction. However, there is such a transformation in the random oracle model: the Fujisaki-Okamoto transformation.

Mikero
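The symmetric-key case in the answer above, as an added worked example that is not part of the original question or answer: a malleable CPA-style scheme (plaintext XOR keystream) beside its Encrypt-then-MAC wrapper. The keystream is a constructed stand-in built from HMAC-SHA256 as a PRF so the example runs on the standard library alone; the key sizes, nonce and tag lengths, and the helper names (`cpa_encrypt`, `etm_encrypt`, `tamper_survives`) are assumptions for this illustration, not any library's API.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # assumed nonce length for this toy scheme
TAG_LEN = 32     # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Constructed stand-in for a block cipher in CTR mode; not a real cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cpa_encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    """Confidential under a PRF assumption, but malleable: c = m XOR keystream."""
    return xor(m, keystream(key, nonce, len(m)))


def cpa_decrypt(key: bytes, nonce: bytes, c: bytes) -> bytes:
    return xor(c, keystream(key, nonce, len(c)))


def xor_malleate(c: bytes, delta: bytes) -> bytes:
    """The known function f(m) = m XOR delta, applied to the ciphertext alone.
    No key is needed, which is exactly the property the MAC has to stop."""
    return xor(c, delta)


def etm_encrypt(enc_key: bytes, mac_key: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: MAC covers nonce and ciphertext, keys are independent."""
    nonce = os.urandom(NONCE_LEN)
    c = cpa_encrypt(enc_key, nonce, m)
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, ct: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(ct) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, c, tag = ct[:NONCE_LEN], ct[NONCE_LEN:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return cpa_decrypt(enc_key, nonce, c)


def tamper_survives(enc_key: bytes, mac_key: bytes, m: bytes, target: bytes):
    """Apply the same bit-flip to both schemes.
    Returns (what the malleable scheme decrypts to, whether EtM accepted it)."""
    delta = xor(m, target)
    nonce = os.urandom(NONCE_LEN)
    c = cpa_encrypt(enc_key, nonce, m)
    cpa_result = cpa_decrypt(enc_key, nonce, xor_malleate(c, delta))
    ct = etm_encrypt(enc_key, mac_key, m)
    tampered = ct[:NONCE_LEN] + xor_malleate(ct[NONCE_LEN:-TAG_LEN], delta) + ct[-TAG_LEN:]
    try:
        etm_decrypt(enc_key, mac_key, tampered)
        etm_accepted = True
    except ValueError:
        etm_accepted = False
    return cpa_result, etm_accepted


if __name__ == "__main__":
    # Constructed sample keys and messages for the demonstration.
    ek, mk = os.urandom(32), os.urandom(32)
    print(tamper_survives(ek, mk, b"pay 10 to alice", b"pay 99 to alice"))
```

The unauthenticated scheme turns the flipped ciphertext into the related plaintext, while the Encrypt-then-MAC wrapper rejects the same modification before decryption. Two design points carry the security argument: the MAC is computed over the ciphertext (and the nonce) rather than the plaintext, so nothing is decrypted until integrity is established, and the tag comparison uses `hmac.compare_digest` so the check itself does not leak timing information about where the tag diverges.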