
Here is my idea:

Under symmetric key encryption, Alice and Bob share the symmetric key K. Let HASH be a secure hash function and Enc_k(message) be the encryption of message m by AES in CBC mode with a random IV.

First, Alice computes c = Enc_k(message).

Second, Alice computes t = Hash(m).

Third, Alice sends (c, t) to Bob.

Fourth, Bob receives (c, t) and first verifies whether Hash(c) = t. If this is the case, Bob decrypts c using the shared key K to output m.

Is this CCA secure? Why or why not? How can I improve this?

Comment (Nov 11, 2022 at 10:18): Deleting your post along with the answer is not the way to behave here; undeleted it.

1 Answer


This scheme is not CCA secure because it is not even CPA secure. In fact, it is not CCA secure even if we were to replace AES-CBC with a CCA secure scheme to begin with. The issue is that the ciphertext includes a hash of the plaintext, which leaks lots of plaintext information.

Additionally, using a simple hash function as an integrity protection mechanism instead of a MAC is quite problematic. But even if you used a MAC instead of a hash function, this scheme is still not generically CCA secure. A MAC need not conceal information about the message that it is integrity-protecting.

Comment (Nov 11, 2022 at 0:44): Thank you, great answer I think.
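The CPA distinguisher the answer describes, next to the standard encrypt-then-MAC repair, as an added Python example that is not part of the question or the answer. AES-CBC is replaced by an HMAC-SHA256 CTR-mode stand-in so the block runs with the standard library only; as the answer notes, the weakness does not depend on which cipher is used. The key sizes, the two candidate messages and all function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

def _keystream(key, nonce, n):
    # CTR-mode keystream with HMAC-SHA256 as the PRF: an IND-CPA secure
    # stand-in for AES-CBC (the leak below does not depend on the cipher).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def ctr_encrypt(key, msg):
    nonce = os.urandom(16)  # fresh random nonce per message, sent in the clear
    return nonce + bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))

def ctr_decrypt(key, ct):
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def leaky_encrypt(key, msg):
    # The question's scheme: ciphertext plus an unkeyed hash of the plaintext.
    return ctr_encrypt(key, msg), hashlib.sha256(msg).digest()

def cpa_distinguisher(m0, m1, c, t):
    # IND-CPA adversary with no key and no oracle queries: Hash is public and
    # deterministic, so the tag alone tells which candidate was encrypted.
    return 0 if hashlib.sha256(m0).digest() == t else 1

def etm_encrypt(k_enc, k_mac, msg):
    # Encrypt-then-MAC: the tag is keyed and covers the entire ciphertext
    # (nonce included), so it reveals nothing about m and rejects tampering.
    c = ctr_encrypt(k_enc, msg)
    return c, hmac.new(k_mac, c, hashlib.sha256).digest()

def etm_decrypt(k_enc, k_mac, c, t):
    if not hmac.compare_digest(hmac.new(k_mac, c, hashlib.sha256).digest(), t):
        return None  # reject before any plaintext is produced
    return ctr_decrypt(k_enc, c)

def cpa_game(trials=100):
    # Number of trials the distinguisher wins against the leaky scheme (all of them).
    key = secrets.token_bytes(32)
    m0, m1 = b"attack at dawn", b"attack at dusk"  # constructed, equal length
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        c, t = leaky_encrypt(key, (m0, m1)[b])
        wins += int(cpa_distinguisher(m0, m1, c, t) == b)
    return wins
```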
