question archive The company has a software for an encryption scheme S E = ( K , E , D ) that is known to be IND-CCA secure under some reasonable assumptions
Subject:Computer SciencePrice: Bought3
that is known to be IND-CCA secure under some reasonable assumptions. But the message space for this scheme is only the set of messages up to 1MB long.
At some point they needed to encrypt messages of length more than 1MB but less than 2MB. So they decide to use the existing software in the following way. To encrypt a message M
, break it into equal parts M [ 1 ] , M [ 2 ]
(for simplicity let's assume that all messages have even length) and let a ciphertext be computed as E K ( M [ 1 ] ) | | E K ( M [ 2 ] )
, for any K
. Here || denotes concatenation. The new decryption algorithm outputs D K ( C [ 1 ] ) | | D K ( C [ 2 ] )
, where C [ 1 ] , C [ 2 ]
are two halves of the input ciphertext, if neither base decryption algorithm rejects. If either base decryption algorithm rejects, then the new decryption algorithm rejects. Let's call the modified scheme S E ′ = ( K , E ′ , D ′ )
. Prove that S E ′
is not IND-CCA.