Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Malleability (cryptography)
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
{{Short description|Property of some cryptographic algorithms}} '''Malleability''' is a property of some [[cryptography|cryptographic]] [[algorithm]]s.<ref>{{cite journal | first1 = Danny | last1 = Dolev | author2-link = Cynthia Dwork | first2 = Cynthia | last2 = Dwork | author3-link = Moni Naor | first3 = Moni | last3 = Naor | title = Nonmalleable Cryptography | journal = [[SIAM Journal on Computing]] | volume = 30 | issue = 2 | pages = 391β437 | year = 2000 | doi = 10.1137/S0097539795291562 | citeseerx = 10.1.1.49.4643 }}</ref> An encryption algorithm is "malleable" if it is possible to transform a [[ciphertext]] into another ciphertext which decrypts to a related [[plaintext]]. That is, given an encryption of a plaintext <math>m</math>, it is possible to generate another ciphertext which decrypts to <math>f(m)</math>, for a known function <math>f</math>, without necessarily knowing or learning <math>m</math>. Malleability is often an undesirable property in a general-purpose cryptosystem, since it allows an attacker to modify the contents of a message. For example, suppose that a bank uses a stream cipher to hide its financial information, and a user sends an encrypted message containing, say, "{{mono|TRANSFER $0000100.00 TO ACCOUNT #199}}." If an attacker can modify the message on the wire, and can guess the format of the unencrypted message, the attacker could change the amount of the transaction, or the recipient of the funds, e.g. "{{mono|TRANSFER $0100000.00 TO ACCOUNT #227}}". Malleability does not refer to the attacker's ability to read the encrypted message. Both before and after tampering, the attacker cannot read the encrypted message. On the other hand, some cryptosystems are malleable by design. In other words, in some circumstances it may be viewed as a feature that anyone can transform an encryption of <math>m</math> into a valid encryption of <math>f(m)</math> (for some restricted class of functions <math>f</math>) without necessarily learning <math>m</math>. Such schemes are known as [[homomorphic encryption]] schemes. A cryptosystem may be [[Semantic security|semantically secure]] against [[Chosen-plaintext attack|chosen-plaintext attacks]] or even non-adaptive [[Chosen-ciphertext attack|chosen-ciphertext attacks]] (CCA1) while still being malleable. However, security against [[Adaptive chosen-ciphertext attack|adaptive chosen-ciphertext attacks]] (CCA2) is equivalent to non-malleability.<ref name=":0">{{Cite book|work= Advances in Cryptology β CRYPTO '98 |title= Relations among notions of security for public-key encryption schemes |last1=Bellare |first1=Mihir |last2=Desai |first2=Anand |last3= Pointcheval |first3=David |last4=Rogaway |first4=Phillip |date= 1998-08-23 |publisher= Springer Berlin Heidelberg |isbn= 978-3540648925 |editor-last= Krawczyk |editor-first= Hugo |series= Lecture Notes in Computer Science |pages= 26β45 |language=en |doi= 10.1007/bfb0055718}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)