Talk:Malleability (cryptography)
This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects: | ||||||||||||||
|
Untitled
edit'Malleable' is a term used in the analyses of cryptographic algorithms:
Have a ciphertext C, and a plaintext P. C = E(P) meaning: C is the encrypted plaintext P.
With a malleable encryption algorithm it is possible to generate a C1 = f(C) so that P1 = f'(P) with arbitrary (but known) functions f and f'.
(this needs some linking from and to the math section).
An example of a malleable encryption algorithm is RSA.(you can contact me at avbidder@fortytwo.ch)
I've tried to expand this a bit, but it still needs some work. It would be helpful to have a history of the term and the concept, some more examples of malleable and nonmalleable systems, a comparison with related concepts (what's the name for the one where you can derive C'=E(f(P)) without knowing P?), some constructions for nonmalleable systems, and a note on formulations of nonmalleable algorithms (e.g. superpseudorandom permutations). Victor Lighthill 03:27, 18 October 2005 (UTC)
Signing
editIt wouldn't preserve the original content, but wouldn't digitally signing a message at least provide detection of modification? Or is this even relevent to the article? Twiek 22:47, 11 July 2006
My suspicion is that for symmetric encryption, malleability and [authenticated encryption] fall together. But these notions are not the same for public key cryptography. There you don't need to know a secret key in order to create a non-malleable encryption. Markulf 12:28, 5 August 2006 (UTC)
- For private-key encryptions, yes. If you take an encryption scheme secure under chosen plaintext attack, and append a MAC (like a private-key signature) of the ciphertext, you get a non-malleable (i.e, secure against chosen ciphertext attack) scheme. For public-key, it's more complicated. Blokhead 01:00, 11 February 2007 (UTC)
Malleability and Attacks
editAre not malleable encryption systems per definition susceptible to at least [adaptive chosen ciphertext attacks]. The [ElGamal] section of this articel claims such a weakness, but what is the difference to plain [RSA]? Why is ElGamal more "extreme" than RSA?
Markulf 12:13, 5 August 2006 (UTC)
- Non-malleability is exactly equivalent to security against adaptive CCA. I think this was demonstrated in Dolev, Dwork & Naor's first paper that introduced the idea of malleability. Blokhead 01:00, 11 February 2007 (UTC)
commutative encryption vs malleable encryption
editI think this article could be improved by adding a few words on commutative encryption (as used in the three-pass protocol, some kinds of mental poker, etc.) and its relationship to malleable encryption. --DavidCary (talk) 05:31, 17 October 2012 (UTC)