What are the implications of XORing ciphertext with plaintext?Does adding complexity mean a more secure...
What is the status of the Lannisters after Season 8 Episode 5, "The Bells"?
Assembly writer vs compiler
Why are lawsuits between the President and Congress not automatically sent to the Supreme Court
the correct order of manual install WP and SSL on server
Do people who work at research institutes consider themselves "academics"?
Can a tourist shoot a gun in the USA?
c++ conditional uni-directional iterator
APFS - how do I enable transparent compression
It is as easy as A B C, Figure out U V C from the given relationship
Holding rent money for my friend which amounts to over $10k?
Why is the Advance Variation considered strong vs the Caro-Kann but not vs the Scandinavian?
What metal is most suitable for a ladder submerged in an underground water tank?
What was Varys trying to do at the beginning of S08E05?
How to describe a building set which is like LEGO without using the "LEGO" word?
Why does SSL Labs now consider CBC suites weak?
Using chord iii in a chord progression (major key)
Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?
Capital gains on stocks sold to take initial investment off the table
Is the seat-belt sign activation when a pilot goes to the lavatory standard procedure?
Cuban Primes
labelled end points on logic diagram
Was the dragon prowess intentionally downplayed in S08E04?
Understanding Deutch's Algorithm
Testing if os.path.exists with ArcPy?
What are the implications of XORing ciphertext with plaintext?
Does adding complexity mean a more secure cipher?How to attack a “many-time pad” based on what happens when an ASCII space is XORed with a letter?Plaintext block chaining, bad idea why?Would this method deliver a perfectly non-malleable encryption for at least two blocks?Would this method allow fast authenticated encryption using only a single encryption operation per block?Would this method allow fast authenticated encryption using only a single encryption and RNG operation per block?Counter mode with $operatorname{AES}_k(m)$ vs $operatorname{AES}_m(k)$Does repeated xoring of the (same) key K lower the entropy of K?Replacement for XOR in CBC?What happens if CBC-mode uses the same IV for all processes?Does adding complexity mean a more secure cipher?
$begingroup$
I was intrigued by this question: Does adding complexity mean a more secure cipher?
And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:
$$C=(E_k(m)oplus m)$$
My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.
"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."
encryption block-cipher stream-cipher cbc xor
New contributor
$endgroup$
add a comment |
$begingroup$
I was intrigued by this question: Does adding complexity mean a more secure cipher?
And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:
$$C=(E_k(m)oplus m)$$
My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.
"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."
encryption block-cipher stream-cipher cbc xor
New contributor
$endgroup$
add a comment |
$begingroup$
I was intrigued by this question: Does adding complexity mean a more secure cipher?
And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:
$$C=(E_k(m)oplus m)$$
My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.
"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."
encryption block-cipher stream-cipher cbc xor
New contributor
$endgroup$
I was intrigued by this question: Does adding complexity mean a more secure cipher?
And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:
$$C=(E_k(m)oplus m)$$
My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.
"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."
encryption block-cipher stream-cipher cbc xor
encryption block-cipher stream-cipher cbc xor
New contributor
New contributor
New contributor
asked 6 hours ago
tjt263tjt263
1103
1103
New contributor
New contributor
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_{0^{|m|}}(m) oplus m = (m oplus 0^{|m|}) oplus m = m oplus m = 0^{|m|}$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?
The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.
New contributor
$endgroup$
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
tjt263 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70543%2fwhat-are-the-implications-of-xoring-ciphertext-with-plaintext%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_{0^{|m|}}(m) oplus m = (m oplus 0^{|m|}) oplus m = m oplus m = 0^{|m|}$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?
The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.
New contributor
$endgroup$
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment |
$begingroup$
This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_{0^{|m|}}(m) oplus m = (m oplus 0^{|m|}) oplus m = m oplus m = 0^{|m|}$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?
The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.
New contributor
$endgroup$
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment |
$begingroup$
This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_{0^{|m|}}(m) oplus m = (m oplus 0^{|m|}) oplus m = m oplus m = 0^{|m|}$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?
The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.
New contributor
$endgroup$
This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_{0^{|m|}}(m) oplus m = (m oplus 0^{|m|}) oplus m = m oplus m = 0^{|m|}$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?
The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.
New contributor
edited 3 hours ago
New contributor
answered 4 hours ago
user69201user69201
313
313
New contributor
New contributor
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment |
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
$begingroup$
You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
$endgroup$
– tjt263
3 hours ago
1
1
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^{|m|}$ is the notation for a string of zeroes that is as long as the message $m$.
$endgroup$
– user69201
3 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Is $D_k(E_k(m))=m$ the same as $m=E_k^{-1}(C)$?
$endgroup$
– tjt263
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
$begingroup$
Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
$endgroup$
– Maarten Bodewes♦
2 hours ago
add a comment |
tjt263 is a new contributor. Be nice, and check out our Code of Conduct.
tjt263 is a new contributor. Be nice, and check out our Code of Conduct.
tjt263 is a new contributor. Be nice, and check out our Code of Conduct.
tjt263 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70543%2fwhat-are-the-implications-of-xoring-ciphertext-with-plaintext%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown