Let's say I have a ciphertext $c = \mathrm{Enc}(pk, m)$, produced by a public-key encryption scheme, but I don't know the public key of the sender. Can the sender easily produce another key pair and then claim that the ciphertext actually corresponds to $c = \mathrm{Enc}(pk', m')$, or is this computationally impossible?
Theo
- What is the ChainOfFools/CurveBall Attack on ECDSA on Windows 10 CryptoAPI – kelalaka Mar 12 '21 at 15:26
1 Answer
There are certainly public key schemes where this is possible. The recent CurveBall exploit was essentially able to switch out public keys on an elliptic curve and thus forge signatures. The same trick could be pulled with the elliptic curve El Gamal encryption scheme. It would be trickier to do with RSA (you have to construct a very special public key), but far from infeasible.

Daniel S
- Actually, depending on the RSA padding scheme, it can be quite feasible (and wouldn't require a special public key...) – poncho Mar 12 '21 at 14:01
- Agreed, depending on how much control you want over $m'$. If you want to completely specify $m'$, the special key is required. If you just want to produce something that matches a particular padding scheme it can be much easier as you say. – Daniel S Mar 12 '21 at 14:12
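A concrete form of the generator-swapping trick the answer alludes to, as an added example that is not part of the original thread: multiplicative-group ElGamal (the same algebra as the elliptic-curve version, with exponentiation in place of scalar multiplication) over toy parameters, followed by the consistency check a verifier should apply. The parameters, exponents, message and all function names are constructed for this illustration.

```python
# Multiplicative-group ElGamal over the prime-order subgroup of Z_p^*.
# Toy parameters (constructed, far too small for real use): p = 2q + 1,
# and 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def keygen(x, g=G):
    """Public key for secret exponent x under generator g."""
    return pow(g, x, P)

def encrypt(pk, m, k, g=G):
    """ElGamal ciphertext (g^k, m * pk^k) with ephemeral exponent k."""
    return (pow(g, k, P), m * pow(pk, k, P) % P)

def decrypt(x, c):
    """m = c2 / c1^x (Python 3.8+ supports negative modular exponents)."""
    c1, c2 = c
    return c2 * pow(c1, -x, P) % P

def reinterpret(c, k2, x2):
    """Given an honest ciphertext c, build a fresh key pair (x2, pk2) and a
    generator g2 so that c == Enc_{g2}(pk2, m2; k2) for a different m2.
    The trick is g2 = c1^(1/k2): the claimed generator is fitted to c1.
    m2 is then forced to c2 / c1^x2; choosing m2 freely instead would
    require solving a discrete logarithm, which is why the answer says
    the claimant gets only limited control over the new message."""
    c1, c2 = c
    g2 = pow(c1, pow(k2, -1, Q), P)
    pk2 = keygen(x2, g2)
    m2 = c2 * pow(c1, -x2, P) % P
    return g2, pk2, m2

def claim_is_consistent(claimed_g, pk, m, k, c, standard_g=G):
    """Defender's check: a claimed (g, pk, m, k) explains c only if it
    re-encrypts to c AND uses the fixed, standardised generator. Refusing
    caller-supplied group parameters is what removes this ambiguity."""
    return claimed_g == standard_g and encrypt(pk, m, k, claimed_g) == c

def demo():
    x, m, k = 123, 42, 77
    pk = keygen(x)
    c = encrypt(pk, m, k)
    g2, pk2, m2 = reinterpret(c, k2=200, x2=31)
    return {
        "honest_decrypts": decrypt(x, c) == m,
        "alt_reencrypts": encrypt(pk2, m2, 200, g2) == c,
        "alt_decrypts": decrypt(31, c) == m2,
        "message_changed": m2 != m,
        "alt_claim_accepted": claim_is_consistent(g2, pk2, m2, 200, c),
        "honest_claim_accepted": claim_is_consistent(G, pk, m, k, c),
    }
```

Running `demo()` shows the same ciphertext decrypting to two different messages under two internally consistent key pairs, and the generator check rejecting the substituted one.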