2

In modern cryptography, IND-CPA is the lowest security we want. We want at least IND-CCAx security from an encryption mode. Their relation can be found in

All classical block cipher modes of operation (CTR, CBC, OFB, CFB, PCBC), stated as confidentiality-only modes of operation on Wikipedia, can achieve at most IND-CPA.

It is easy to go beyond IND-CPA security with a secure MAC like HMAC, KMAC, etc., or one can even achieve an Authenticated Encryption mode, where the provided security is more than IND-CCAx.

Are there ways to achieve Ind-CCA without a MAC?

kelalaka

1 Answer

3

Here is an example of a CCA-secure scheme that has no obvious appearance of a MAC. It's not an example of a general-purpose compiler from CPA to CCA security.

If you have a strong pseudorandom permutation $F$ with inputs/outputs of length $n + \lambda$ -- so either very short messages or a rather wide-block PRP -- then you can get a CCA-secure encryption scheme for $n$-bit messages:

$$ \begin{array}{l} \underline{\textsf{Enc}(k,m):} \\ \quad r \gets \{0,1\}^\lambda \\ \quad c := F(k, m \| r) \\ \quad \mbox{return } c \end{array} $$

(decrypt by doing $F^{-1}$ and throwing away the last $\lambda$ bits.)

Mikero
  • 2
    In addition, if you change it to $c := F(k, m||r||0^k)$ (and have the receiver check that the last $k$ bits are all zero after decryption, and fail if not), you also get integrity guarantees, again, without a MAC... – poncho Oct 27 '22 at 19:33
  • 1
    Ok, I've to admit that I was expecting something more complex. – kelalaka Oct 27 '22 at 20:44
  • 1
    @kelalaka That's just key-wrapping with randomized padding (without check value if we exclude poncho's idea). – DannyNiu Oct 28 '22 at 01:34
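The scheme from the answer, together with the zero-padding check from poncho's comment, as an added example that is not code from the answer or the comments. It shows that modifying a ciphertext yields an unrelated plaintext in the plain scheme and a rejection once the zero field is checked. Assumptions: a 4-round Feistel network over keyed BLAKE2b stands in for the strong PRP $F$, and the byte sizes and the names `enc`, `dec`, `F`, `F_inv` are illustrative.

```python
import hashlib
import secrets

HALF = 32                     # Feistel half-width; F permutes 64-byte blocks (n + lambda bits)
MSG, RAND, ZERO = 32, 16, 16  # constructed sizes in bytes: message n, lambda, zero-check field

def _prf(key, rnd, half):
    # Assumption: keyed BLAKE2b as the round PRF, domain-separated per round.
    return hashlib.blake2b(half, digest_size=HALF, key=key, person=bytes([rnd])).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(key, block):
    # 4-round Feistel network standing in for the strong PRP F.
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, rnd, right))
    return left + right

def F_inv(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, rnd, left)), left
    return left + right

def enc(key, m, check=False):
    # c := F(k, m || r), or F(k, m || r || 0...0) when check=True.
    if len(m) != MSG:
        raise ValueError("message must be exactly MSG bytes")
    pad = secrets.token_bytes(RAND) + (bytes(ZERO) if check else secrets.token_bytes(ZERO))
    return F(key, m + pad)

def dec(key, c, check=False):
    if len(c) != 2 * HALF:
        raise ValueError("ciphertext must be exactly one block")
    p = F_inv(key, c)
    if check and not secrets.compare_digest(p[-ZERO:], bytes(ZERO)):
        return None  # zero field damaged: reject instead of returning garbage
    return p[:MSG]   # throw away r (and the zero field)

if __name__ == "__main__":
    key, m = secrets.token_bytes(32), b"constructed 32-byte test message"
    c = bytearray(enc(key, m, check=True))
    c[0] ^= 1  # modify one ciphertext bit
    print(dec(key, bytes(c), check=True))
```

Messages here are fixed at 32 bytes because the scheme encrypts exactly one PRP block, which is the "very short messages or a rather wide-block PRP" restriction the answer mentions.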