Re: [Cfrg] Encrypting a known short text

Natanael <> Fri, 22 September 2017 16:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DCC6213454E for <>; Fri, 22 Sep 2017 09:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ok_DqB-aTFNg for <>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C5AD4134545 for <>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
Received: by with SMTP id l15so4439369iol.8 for <>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PbpYZynJw++pJkBolnIkmMQYVgZrgjtpS5pg1oet/HA=; b=Hgh4qM+IwIcrUve0dLIvwnZarKMo4uJ+SlcSwf6ki2Jt57XT1loQJarkEbm0s8kreT QKY0qOnAcHGh/JWveBBVwZw/E1xQ6NI5p+avULZ7vpIPht5Rk2Bl00LyIDFsg3AxwYMO nfxywl5AtwPBlK4DMG4eKhvjafOUOUNNTWna3lZHmpr9XPio/+IA/eUgG7HhZSr6yQou hmhOp7yksOjKjS3JbIjh5VAshtu/IFFSYh1QQN0ONsqsDt0H3RgyAtMhK3JLEsBh1DEY 3iAtwG+RqfPqCFb6fg1BqPsGiWsBUoV6+U2kaGCMmCwbowSX3s6aFlYzoX9tiVScIYZl 4dXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PbpYZynJw++pJkBolnIkmMQYVgZrgjtpS5pg1oet/HA=; b=jbZROAbm3GwvStrhlWrM3VVAMP9tGToZzbqjT1XnAhgCuDRbZYzO/3YjokCmH5u7LR VjCv40uF90Q9YhJTGttKxtXT+dF3CITdELAnLxor7OK6bihy5x3GBY4uzppoPbdSwwFj TEKsFClXNJMF731P3j0Qt6iLeFmL8ZeokhDiegeECbGgyzKcIig68IbNxbHN1lyGcQzP J4uNgTyn4uHCjLxdbOrc4l7Z8+xKidL1nrav8Nk8CHXuviufoq+3j5hOq9BT0pl2e/6l IdIdn8RvUUjjviKqMJGssCvPw984remiGnM6nQA5f9eqKOezoOXGW7n4CwPTDU3EWf4T P4mg==
X-Gm-Message-State: AHPjjUg3cGQwlfaiygLRb0+S9savjzBNnseM+4FTg87O7FUQf29uckhe +DtGs4pPpHuKXp7/dzSM0T4Kc235IxDCsonIoMQ=
X-Google-Smtp-Source: AOwi7QA7ya4LlCA4OtHYl1UhN8xB37zV6TEAbrciNyRFMhmxaBtAJe/ukZAZsPsAs5AiuxY4zTmruttKEBb2NCbrQSI=
X-Received: by with SMTP id r66mr6851097oig.250.1506099447961; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
Received: by with HTTP; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
In-Reply-To: <003801d333be$9cfee670$d6fcb350$>
References: <003801d333be$9cfee670$d6fcb350$>
From: Natanael <>
Date: Fri, 22 Sep 2017 18:57:27 +0200
Message-ID: <>
To: Erik Andersen <>
Cc: Cfrg <>
Content-Type: multipart/alternative; boundary="001a113d544497a0440559ca1a4e"
Archived-At: <>
Subject: Re: [Cfrg] Encrypting a known short text
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Sep 2017 16:57:35 -0000

Den 22 sep. 2017 18:20 skrev "Erik Andersen" <>:

Suppose we have a protocol, where everything is encrypted.

If the clear (short) text may be guessed by an attacker (it could be an
ASN.1 NULL), do we then have a security issue, where the encryption key
could be revealed?

For modern ciphers and ciphermodes, the private key is never at risk even
if both the plaintext message, the ciphertext and any nonce/IV are known.
They resist known plaintext attacks.

At best the adversary could use sidechannel leakage, metadata and size
correlation to make a guess, but without the secret key or another form of
verifier (like a hash of the plaintext, or similar derived data) they can't
confirm it.

For some contexts it may be a risk, like for "convergent encryption" in
which the encryption key is deterministicly determined from the plaintext,
for the purpose of deduplication in encrypted file storage. This is part of
the security model of such systems, but the users may not always be fully
aware that somebody can guess what files they have stored if the adversary
have a full identical copy of the plaintext or can guess it.
This would for example apply to leaked documents or honeypot documents
being possible to detect if unmodified, where your file list could be
compared against known files.
But if you're a bunch of people using it to store your non-sensitive media
collections, then there's no problem with it.

For comparison, regular encryption have full resistance to known plaintext
attacks. They also have ciphertext indistinguishability (the adversary
can't tell which ciphertext came from which plaintext message, even if you
know the full messages).

Convergent encryption also resists known plaintext attacks in the classic
definition (except for when the full exact message is known, wherein you
can derive the key directly), but the scheme fails completely on ciphertext
indistinguishability (you can always tell *what it isn't*, and sometimes
also tell what it is).