A cipher or mode of operation is said to be malleable if it is feasible to modify ciphertext to produce meaningful changes in the corresponding plaintext without knowing the encryption key.
Questions tagged [malleability]
45 questions
15 votes, 1 answer
What is complexity leveraging
Complexity leveraging is a technique that is generally used to prove adaptive security of a selectively secure scheme. E.g., we can prove adaptive security of Yao's garbling scheme using complexity leveraging. Many papers mention complexity…
satya
14 votes, 2 answers
Encrypt-then-MAC: Do I need to authenticate the IV?
In the setting of Encrypt-then-MAC, do I need to include the IV in what I'm HMACing, or is authenticating just the AES-encrypted data sufficient?
fadedbee
11 votes, 2 answers
What do NM-CPA and NM-CCA mean?
When I've been researching authenticated encryption, the following terms keep showing up:
NM-CPA
NM-CCA
....without any definition as to what they mean. I've tried searching the web for their definitions, but I'm not getting very far. Could…
starbeamrainbowlabs
9 votes, 3 answers
Malleability attacks against encryption without authentication
Suppose there is a message that is encrypted with AES-128-CBC. The message is as follows, new lines are used to delimit the 16 byte boundary for each block:
Wire funds from:
Alice to Bob in
the amount of $
1
Because this message is encrypted…
Rook
8 votes, 1 answer
Is there a way of maintaining malleability in a homomorphic encryption system while making it infeasible to perform chosen ciphertext attacks?
Is there a way of maintaining malleability in a homomorphic encryption system while making it infeasible to perform chosen ciphertext attacks?
I have been reading about homomorphic encryption and malleable cryptosystems lately and have found it…
hdu
8 votes, 1 answer
Is there any known malleability of scrypt outputs?
The scenario is single-use passphrase-based non-interactive message authentication.
The obvious try to do this is to choose a random salt of the appropriate length and send:
concat(workfactor, salt, message,
mac(scrypt(workfactor, salt,…
user991
7 votes, 0 answers
Is there a standard definition of non-malleability for the encryption schemes?
I find some different definitions of non-malleability for the encryption schemes. They may be equivalent, but I am not sure which one is better or if there is a standard definition.
I give two definitions of NM-CCA2 for PKE schemes.
Relations Among…
Blanco
7 votes, 1 answer
The REACT transform and Replayable CCA
Before stating my questions, let us recall the REACT transform [OP01], which enables to construct a CCA-secure hybrid PKE scheme, $\varepsilon'_{pk}$, from an OW-CPA PKE scheme $\varepsilon_{pk}^{asym}$, an IND-secure symmetric encryption scheme…
cygnusv
7 votes, 1 answer
Non-standard signature security definition conforming ed25519 malleability
According to the paper “High-speed high-security signatures”…
Malleability. We also see no relevance of "malleability" to the standard definition of signature security.
Aside from the example, how is ed25519 malleable by the non-standard…
user7024
5 votes, 1 answer
What type of hash functions provides non-malleability of hash digests?
I want to use a hash function for commitments. I don't want an attacker to construct a commitment related to a previously published (but still unopened) commitment.
A simple deterministic commitment scheme Commit(x) = Hash (x) may be insecure,…
SDL
5 votes, 3 answers
Malleability of ElGamal and Hashed ElGamal
Question: Suppose A encrypts a number $x$ which indicates her bid on a contract, using ElGamal encryption. Say that the encryption of $x$ produces a ciphertext $c$. Explain how E can modify $c$ to make it an encryption of $100 \cdot x$.
Answer: E is…
Bobby S
4 votes, 2 answers
Making a cipher non-malleable using a plaintext transform?
NOTE: By malleable/non-malleable, I mean the ability/or not to change a byte/block of the ciphertext and have it change only that byte/block of the plaintext.
I understand that we use authentication (via HMAC/UMAC/etc.) to verify integrity. However,…
Modal Nest
4 votes, 1 answer
ECDSA: with knowledge of private key, can we make signatures with partially chosen content?
In ECDSA, with knowledge of private key, can we make signatures with partially chosen content?
Detailing that: In ECDSA (with secp256r1 curve and SHA-256 hash), assume we know the private key, the message, and can choose the per-signature random. It…
fgrieu
4 votes, 1 answer
How can one turn a malleable encryption to not malleable
An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext m, it is possible to generate another ciphertext which…
M.J.Watson
4 votes, 1 answer
Malleability of homomorphic encryption
El Gamal is a malleable homomorphic encryption system, so is Rabin. Are all homomorphic encryption systems malleable? Or are there any that are not malleable?
Thanks!
user100503