Malleability (cryptography)
From Free net encyclopedia
Malleable is a term used in the analyses of cryptographic algorithms:
A malleable encryption algorithm allows transformations on the ciphertext to produce meaningful changes in the plaintext. That is, given a plaintext <math>P</math> and the corresponding ciphertext <math>C = E(P)</math>, it is possible to generate <math>C_1 = f(C)</math> so that the decryption of <math>C_1</math> is a function <math>P_1 = f'(P)</math> of the original plaintext <math>P</math>, with arbitrary but known functions <math>f</math> and <math>f'</math>.
Stream ciphers are examples of malleable encryption algorithms. In a stream cipher, the ciphertext is produced by taking the exclusive or of the plaintext and a stream based on a secret key (<math>C = P \oplus S(K)</math>). Given an arbitrary <math>P_1</math>, it is possible to generate <math>C_1 = C \oplus P \oplus P_1</math>.
Malleability is an undesirable property in a general-purpose cryptosystem, since it allows an attacker to modify the contents of a message. For example, suppose that a bank uses a stream cipher to hide its financial information, and a user sends an encrypted message containing, say, "TRANSFER $0000100.00 TO ACCOUNT #199." If an attacker can modify the message on the wire, and can guess the format of the unencrypted message, the attacker can change the amount of the transaction, or the recipient of the funds.
Other malleable encryption algorithms include:
RSA. If the attacker obtains the ciphertext (<math>C = P^e \mod{n}</math> where <math>m</math> is the plaintext and <math>n</math> is the public modulus) the attacker can produce the ciphertext <math>C_1</math> corresponding to any <math>P_1 = k P</math> by multiplying the original ciphertext by <math>k^e \mod{n}</math>. For this reason, RSA is commonly used together with padding methods such as OAEP or PKCS1.
It is possible to build non-malleable encryption algorithms from malleable ones.