question archive You have a software for an asymmetric encryption scheme AE = (K,E,D) that is known to be IND-CCA secure under some reasonable assumptions
Subject:Computer SciencePrice:2.87 Bought7
You have a software for an asymmetric encryption scheme AE = (K,E,D) that is known to be IND-CCA secure under some reasonable assumptions. But the message space for this scheme is only the set of messages up to 1MB long. At some point you needed to encrypt messages of length more than 1MB but less than 2MB. So you decide to use the existing software from now on in the following way. To encrypt a message M, break it into equal parts M1, M2 (for simplicity let's assume that all messages have even length) and let a ciphertext be computed as Epk(M1)?Epk(M2), for any public key pk. Here ? denotes concatenation. The decryption algorithm de- crypts both halves of the ciphertext as M1 ← Dsk(C1), M2 ← Dsk(C2) and returns M1?M2 if neither decryption rejected. If either decryption rejects, then the output is rejection. Let's call the modified scheme AE′ = (K, E′, D′). Do you think AE′ is IND-CPA? IND-CCA? Justify your answers.
Answer:
IND-CCA: (unforgeable under chosen message attacks).
Generally, Advantage of this signature method is ...it has negligible probability of forging a MAC.
But in your case. Message divided into two parts. And individually signature calculated and concatenated.
But , firstly we have to learn how the signature is calculated. IT will use identity key and sign..to store calculated signature.
So, if we split message to two lengths then it must use same identity key ( id ). So attacker / forger can guess and win game by identifying these two signatures and by comparing he can be able to forger the identity key. So Straight away it is not a secure. But solution for this is....calculated signatures separately with different identity keys and don't concatenate. Instead of concatenate send them separately using two different identity keys.
- No AE is a stronger notion than IND-CCA.
An asymmetric encryption scheme AE is indistinguishable under chosen- plaintext attacks (IND-CCA secure) if for any adversary A with "reasonable" resources
References.
https://www.uio.no/studier/emner/matnat/its/TEK4500/h20/lectures/lecture-5---authenticated-encryption.pdf