Symetric key encryption is not Authentication?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












3














Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



I know you can create a setup that isn't authentication, but how will you go about it?










share|improve this question




























    3














    Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



    I know you can create a setup that isn't authentication, but how will you go about it?










    share|improve this question


























      3












      3








      3







      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?










      share|improve this question















      Is there any way to show CCA-secure symmetric-key encryption does not have to be an authenticated encryption?



      I know you can create a setup that isn't authentication, but how will you go about it?







      authenticated-encryption chosen-ciphertext-attack






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 17 at 7:29









      kelalaka

      5,27821939




      5,27821939










      asked Dec 17 at 6:20









      Uhntiss

      162




      162




















          1 Answer
          1






          active

          oldest

          votes


















          2














          Consider a CCA2 secure secret key encryption scheme $mathcalE$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcalE'$ where we extend the randomness space of $mathcalE$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcalE'$ becomes the identity for every element.



          Now, I claim $mathcalE'$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcalE'$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer




















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            Dec 17 at 11:08










          • True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
            – mephisto
            Dec 18 at 8:43










          Your Answer





          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          Consider a CCA2 secure secret key encryption scheme $mathcalE$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcalE'$ where we extend the randomness space of $mathcalE$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcalE'$ becomes the identity for every element.



          Now, I claim $mathcalE'$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcalE'$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer




















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            Dec 17 at 11:08










          • True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
            – mephisto
            Dec 18 at 8:43















          2














          Consider a CCA2 secure secret key encryption scheme $mathcalE$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcalE'$ where we extend the randomness space of $mathcalE$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcalE'$ becomes the identity for every element.



          Now, I claim $mathcalE'$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcalE'$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer




















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            Dec 17 at 11:08










          • True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
            – mephisto
            Dec 18 at 8:43













          2












          2








          2






          Consider a CCA2 secure secret key encryption scheme $mathcalE$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcalE'$ where we extend the randomness space of $mathcalE$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcalE'$ becomes the identity for every element.



          Now, I claim $mathcalE'$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcalE'$ is not a secure MAC as everybody knows a valid tag for any message.






          share|improve this answer












          Consider a CCA2 secure secret key encryption scheme $mathcalE$ with an exponentially large randomness space. Turn this into an encryption scheme $mathcalE'$ where we extend the randomness space of $mathcalE$ with one more element. Let's think of it as $0$ (we can get there by rearranging the randomness space). For randomness $0$ the encryption in $mathcalE'$ becomes the identity for every element.



          Now, I claim $mathcalE'$ is still CCA secure as the probability that for the challenge query randomness 0 is chosen is negligible. However, $mathcalE'$ is not a secure MAC as everybody knows a valid tag for any message.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 17 at 8:55









          mephisto

          2,2571226




          2,2571226











          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            Dec 17 at 11:08










          • True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
            – mephisto
            Dec 18 at 8:43
















          • Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
            – Maeher
            Dec 17 at 11:08










          • True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
            – mephisto
            Dec 18 at 8:43















          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          Dec 17 at 11:08




          Two comments/nitpicks: 1. You don't need to add an additional randomness value, you can just repurpose an existing one (e.g. the all 0 string). 2. For that scheme to be be complete you need to mark from which mode of the scheme the ciphertext resulted. You can do that e.g. by prefixing actual encryptions with 0 and the identity with 1.
          – Maeher
          Dec 17 at 11:08












          True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
          – mephisto
          Dec 18 at 8:43




          True. While 1. i just an efficiency improvement, 2. is indeed necessary to allow for decryption of the added ciphertexts.
          – mephisto
          Dec 18 at 8:43

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65926%2fsymetric-key-encryption-is-not-authentication%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?