Let's say I have a ciphertext c = Enc(pk,m), produced by a public-key encryption scheme, but I don't know the public key of the sender. Can the sender easily produce another key pair and then claim that the ciphertext actually corresponds to c = Enc(pk',m'), or is this computationally impossible?
Theo
1 Answer
There are certainly public key schemes where this is possible. The recent CurveBall exploit was essentially able to switch out public keys on an elliptic curve and thus forge signatures. The same trick could be pulled with the elliptic curve ElGamal encryption scheme. It would be trickier to do with RSA (you have to construct a very special public key), but far from infeasible.
Daniel S
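An added illustration, not part of the question or the answer above: textbook ElGamal does not bind a ciphertext to the key it was made for. The sketch uses a toy multiplicative group instead of an elliptic curve, and relies on the sender knowing the encryption randomness r rather than on CurveBall's generator substitution; it yields a second public key only, with no matching private key. All names and parameters are assumptions constructed for the example.

```python
# Toy ElGamal in the order-Q subgroup of Z_P^* with P = 2Q + 1.
# Constructed parameters, far too small for real use.
P, Q, G = 2039, 1019, 4          # G = 2^2 generates the subgroup of order Q


def keygen(sk):
    """Public key for private exponent sk (1 <= sk < Q)."""
    return pow(G, sk, P)


def encrypt(pk, m, r):
    """Textbook ElGamal: m must be a subgroup element, r is the nonce."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P   # c1^(-sk), since c1 has order Q


def alternate_public_key(c, r, m_alt):
    """Return pk' with encrypt(pk', m_alt, r) == c.

    Only someone who knows r can do this. The discrete log of pk'
    (the private key) stays unknown, so this is a claim about which
    public key and message a ciphertext "belongs to", not a way to decrypt.
    """
    _, c2 = c
    mask = (c2 * pow(m_alt, -1, P)) % P      # must equal pk'^r
    return pow(mask, pow(r, -1, Q), P)       # take the r-th root in the subgroup


def demo():
    sk, r = 77, 321                          # constructed sample values
    m, m_alt = pow(G, 123, P), pow(G, 456, P)
    pk = keygen(sk)
    c = encrypt(pk, m, r)
    pk_alt = alternate_public_key(c, r, m_alt)
    return {
        "honest_decrypts": decrypt(sk, c) == m,
        "same_ciphertext": encrypt(pk_alt, m_alt, r) == c,
        "different_key": pk_alt != pk,
        "key_in_subgroup": pow(pk_alt, Q, P) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

A protocol that needs a ciphertext tied to one recipient key has to bind the key explicitly, for example by authenticating the public key together with the ciphertext.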