Etydhv

Does addError() work outside of triggers?

Can my American children re-enter the USA by International flight with a passport card? Being that their passport book has expired

Why did Varys remove his rings?

How to check if comma list is empty?

When did game consoles begin including FPUs?

Why does SSL Labs now consider CBC suites weak?

Formal Definition of Dot Product

Slice a list based on an index and items behind it in python

Will there be more tax deductions if I put the house completely under my name, versus doing a joint ownership?

How will the lack of ground stations affect navigation?

Windows 10 lock screen - display my own random images

Wireless headphones interfere with Wi-Fi signal on laptop

Holding rent money for my friend which amounts to over $10k?

Why were the bells ignored in S8E5?

Understanding Deutch's Algorithm

In season 17 does LoN buff work against season journey set rewards?

Would life always name the light from their sun "white"

c++ conditional uni-directional iterator

Why is the Advance Variation considered strong vs the Caro-Kann but not vs the Scandinavian?

Why would someone open a Netflix account using my Gmail address?

What do the "optional" resistor and capacitor do in this circuit?

Capital gains on stocks sold to take initial investment off the table

Could a space colony 1g from the sun work?

How to handle professionally if colleagues has referred his relative and asking to take easy while taking interview

What are the implications of XORing ciphertext with plaintext?

Does adding complexity mean a more secure cipher?How to attack a “many-time pad” based on what happens when an ASCII space is XORed with a letter?Plaintext block chaining, bad idea why?Would this method deliver a perfectly non-malleable encryption for at least two blocks?Would this method allow fast authenticated encryption using only a single encryption operation per block?Would this method allow fast authenticated encryption using only a single encryption and RNG operation per block?Counter mode with $operatornameAES_k(m)$ vs $operatornameAES_m(k)$Does repeated xoring of the (same) key K lower the entropy of K?Replacement for XOR in CBC?What happens if CBC-mode uses the same IV for all processes?Does adding complexity mean a more secure cipher?

1

$begingroup$

I was intrigued by this question: Does adding complexity mean a more secure cipher?

And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:

$$C=(E_k(m)oplus m)$$

My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.

"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."

encryption block-cipher stream-cipher cbc xor

share|improve this question

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

add a comment | 

1

$begingroup$

I was intrigued by this question: Does adding complexity mean a more secure cipher?

And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:

$$C=(E_k(m)oplus m)$$

My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.

"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."

encryption block-cipher stream-cipher cbc xor

share|improve this question

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

add a comment | 

$begingroup$

I was intrigued by this question: Does adding complexity mean a more secure cipher?

And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:

$$C=(E_k(m)oplus m)$$

My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.

"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."

encryption block-cipher stream-cipher cbc xor

share|improve this question

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

share|improve this question

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 5 hours ago

tjt263tjt263

1103

New contributor

tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 5 hours ago

tjt263tjt263

1103

1 Answer
1

active

oldest

votes

3

$begingroup$

This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^(m) oplus m = (m oplus 0^) oplus m = m oplus m = 0^$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?

The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.

share|improve this answer

edited 2 hours ago

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
  $endgroup$
  – tjt263
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^$ is the notation for a string of zeroes that is as long as the message $m$.
  $endgroup$
  – user69201
  3 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
  $endgroup$
  – tjt263
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
  $endgroup$
  – Maarten Bodewes♦
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

tjt263 is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70543%2fwhat-are-the-implications-of-xoring-ciphertext-with-plaintext%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

3

$begingroup$

This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^(m) oplus m = (m oplus 0^) oplus m = m oplus m = 0^$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?

The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.

share|improve this answer

edited 2 hours ago

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
  $endgroup$
  – tjt263
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^$ is the notation for a string of zeroes that is as long as the message $m$.
  $endgroup$
  – user69201
  3 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
  $endgroup$
  – tjt263
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
  $endgroup$
  – Maarten Bodewes♦
  1 hour ago
  

  
  
  
  

add a comment | 

3

$begingroup$

This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^(m) oplus m = (m oplus 0^) oplus m = m oplus m = 0^$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?

The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.

share|improve this answer

edited 2 hours ago

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
  $endgroup$
  – tjt263
  3 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  $begingroup$
  Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^$ is the notation for a string of zeroes that is as long as the message $m$.
  $endgroup$
  – user69201
  3 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
  $endgroup$
  – tjt263
  2 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
  $endgroup$
  – Maarten Bodewes♦
  1 hour ago
  

  
  
  
  

add a comment | 

$begingroup$

This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^(m) oplus m = (m oplus 0^) oplus m = m oplus m = 0^$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?

The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.

share|improve this answer

edited 2 hours ago

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

$endgroup$

share|improve this answer

edited 2 hours ago

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 4 hours ago

user69201user69201

313

New contributor

user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 4 hours ago

user69201user69201

313