calofmijuck/blog
1
0
Fork 0
mirror of https://github.com/calofmijuck/blog.git synced 2025-12-06 22:53:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: links to other posts

Browse Source
This commit is contained in:
Sungchan Yi
2023-10-25 16:32:25 +09:00
parent b29e9d827e
commit bc9b2599a9
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
_posts/Lecture Notes/Modern Cryptography/2023-09-26-cca-security-authenticated-encryption.md
View File

@@ -53,7 +53,7 @@ Now we define a stronger notion of security against **chosen ciphertext attacks*
None of the encryption schemes already seen thus far is CCA secure. None of the encryption schemes already seen thus far is CCA secure.
Recall a [CPA secure construction from PRF](2023-09-19-symmetric-key-encryption.md#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$. Recall a [CPA secure construction from PRF](../2023-09-19-symmetric-key-encryption#secure-construction-from-prf). This scheme is not CCA secure. Suppose that the adversary is given $c^* = (r, F(k, r) \oplus m_b)$. Then it can request a decryption for $c' = (r, s')$ for some $s'$ and receive $m' = s' \oplus F(k, r)$. Then $F(k, r) = m' \oplus s'$, so the adversary can successfully recover $m_b$.
In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure. In general, any encryption scheme that allows ciphertexts to be *manipulated* in a controlled way cannot be CCA secure.