Talk:Malleability (cryptography)

Cryptography: Computer science High‑importance

	This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles
High	This article has been rated as High-importance on the importance scale.
	This article is supported by WikiProject Computer science (assessed as High-importance).

Untitled

'Malleable' is a term used in the analyses of cryptographic algorithms:

Have a ciphertext C, and a plaintext P. C = E(P) meaning: C is the encrypted plaintext P.

With a malleable encryption algorithm it is possible to generate a C1 = f(C) so that P1 = f'(P) with arbitrary (but known) functions f and f'.

(this needs some linking from and to the math section).

An example of a malleable encryption algorithm is RSA.(you can contact me at avbidder@fortytwo.ch)

I've tried to expand this a bit, but it still needs some work. It would be helpful to have a history of the term and the concept, some more examples of malleable and nonmalleable systems, a comparison with related concepts (what's the name for the one where you can derive C'=E(f(P)) without knowing P?), some constructions for nonmalleable systems, and a note on formulations of nonmalleable algorithms (e.g. superpseudorandom permutations). Victor Lighthill 03:27, 18 October 2005 (UTC)[reply]

Signing

It wouldn't preserve the original content, but wouldn't digitally signing a message at least provide detection of modification? Or is this even relevent to the article? Twiek 22:47, 11 July 2006

My suspicion is that for symmetric encryption, malleability and [authenticated encryption] fall together. But these notions are not the same for public key cryptography. There you don't need to know a secret key in order to create a non-malleable encryption. Markulf 12:28, 5 August 2006 (UTC)[reply]

For private-key encryptions, yes. If you take an encryption scheme secure under chosen plaintext attack, and append a MAC (like a private-key signature) of the ciphertext, you get a non-malleable (i.e, secure against chosen ciphertext attack) scheme. For public-key, it's more complicated. Blokhead 01:00, 11 February 2007 (UTC)[reply]

Malleability and Attacks

Are not malleable encryption systems per definition susceptible to at least [adaptive chosen ciphertext attacks]. The [ElGamal] section of this articel claims such a weakness, but what is the difference to plain [RSA]? Why is ElGamal more "extreme" than RSA?

Markulf 12:13, 5 August 2006 (UTC)[reply]

Non-malleability is exactly equivalent to security against adaptive CCA. I think this was demonstrated in Dolev, Dwork & Naor's first paper that introduced the idea of malleability. Blokhead 01:00, 11 February 2007 (UTC)[reply]

commutative encryption vs malleable encryption

I think this article could be improved by adding a few words on commutative encryption (as used in the three-pass protocol, some kinds of mental poker, etc.) and its relationship to malleable encryption. --DavidCary (talk) 05:31, 17 October 2012 (UTC)[reply]