Malleability (cryptography) - Example Malleable Cryptosystems

Example Malleable Cryptosystems

In a stream cipher, the ciphertext is produced by taking the exclusive or of the plaintext and a pseudorandom stream based on a secret key, as . An adversary can construct an encryption of for any, as .

In the RSA cryptosystem, a plaintext is encrypted as, where is the public key. Given such a ciphertext, an adversary can construct an encryption of for any, as . For this reason, RSA is commonly used together with padding methods such as OAEP or PKCS1.

In the ElGamal cryptosystem, a plaintext is encrypted as, where is the public key. Given such a ciphertext, an adversary can compute, which is a valid encryption of, for any . In contrast, the Cramer-Shoup system (which is based on ElGamal) is not malleable.

In the Paillier, ElGamal, and RSA cryptosystems, it is also possible to combine several ciphertexts together in a useful way to produce a related ciphertext. In Paillier, given only the public-key and an encryption of and, one can compute a valid encryption of their sum . In ElGamal and in RSA, one can combine encryptions of and to obtain a valid encryption of their product .
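The stream-cipher and RSA cases described above, as an added Python example that is not part of the original page. The SHA-256 counter keystream, the toy RSA parameters (p = 61, q = 53, e = 17) and all function names are constructed for illustration. It goes one step beyond the text by also showing encrypt-then-MAC, under which the modified stream ciphertext is rejected.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    # Constructed toy keystream (SHA-256 in counter mode), a stand-in for a real stream cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    return xor(msg, keystream(key, len(msg)))

stream_decrypt = stream_encrypt  # XOR with the same keystream inverts itself

def stream_maul(ct: bytes, t: bytes) -> bytes:
    # No key needed: (m XOR S) XOR t = (m XOR t) XOR S, an encryption of m XOR t.
    return xor(ct, t)

# Textbook (unpadded) RSA with constructed toy parameters; real moduli are 2048+ bits.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)

def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)

def rsa_maul(c: int, t: int) -> int:
    # Public key only: c * t^e = (m*t)^e mod n, an encryption of m*t mod n.
    return (c * pow(t, E, N)) % N

def seal(enc_key: bytes, mac_key: bytes, msg: bytes):
    # Encrypt-then-MAC: the tag covers the ciphertext, so any modification is detectable.
    ct = stream_encrypt(enc_key, msg)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    # Verify before decrypting; return None for a ciphertext that was altered in transit.
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_decrypt(enc_key, ct)
```

Decrypting `rsa_maul(rsa_encrypt(42), 2)` yields 84, and `open_sealed` returns `None` once the sealed ciphertext has been passed through `stream_maul`.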
