Question

Symmetric key encryption. Suppose (KeyGen,Enc,Dec) is an IND-CPA secure symmetric key en- cryption.

We define following new encryption algorithms, are the new schemes still IND-CPA secure?

If yes, briefly explain why. If you think it insecure, give an explicit attack violating the IND-CPA definition.

Recall that the intuition of IND-CPA security means the ciphertext does not leak any non-trivial information about the plaintext.

Enc1(k,m) is defined as follows: It runs Enc(k,m) and obtains c₀; then it adds a fixed padding of 1..1 at the end to stretch it to the right length (suppose c₀ is shorter). The final ciphertext will be c₀ ||1..1.

Answer 1

Symmetric-key encryption provides secrecy between two parties communication. An adversary who intercepts a message should not get any significant information about its content. To set up their secure communication channel both first agree on a key . They keep their shared key secret. In of symmetric encryption, both communication partners use the same key for encryption and decryption. This is the simple definition regarding symmetric key encryption. IND-CPA represents a type of symmetric encryption.

Yes,the example you mentioned above is a secure one. The below is the explanation for it but a little bit in a modified way.

EXPLANATION:

Consider an IND-CPA secure scheme that has the setup, encrypt and decrypt functions as Senc, Eenc and Denc respectively. Consider another scheme with setup, encrypt and decrypt functions as Sdec, Edec and Ddec respectively.

Let Edec run Eenc(K,x) to get the ciphertext C, and return C||H(K) where H(x) is a collision resistant one way hash function. Let Ddec simply discard the hash part of the ciphertext and use Denc to decrypt.

Note that no additional information about any of the messages is revealed in this case, and this is the only thing that IND-CPA security wants to control for.

You have to make all possible ciphertexts equally long, so that the attacker cannot distinguish between the longest possible message and a 1 bit message. If maximum length is not known at the key generation, your ciphertexts would need unlimited length.

If you allow the attacker to know the message length (this isn't IND-CPA anymore), you can choose any kind of encoding (e.g. blockwise or arithmetically) and apply encryption on each part individually.