
Suppose I have some unknown plaintext P which I encrypt N times, each time with a completely new and random key and IV. Would knowing that all the encrypted output came from the same identical plaintext make it any easier to guess or derive the original message without any of the keys or IVs? If so, why and how much easier would it get as N became larger?

plumbn

1 Answer


If the encryption method in question is considered secure today, this will not be an issue.

To be considered secure, an encryption method today needs to be at least indistinguishable under chosen plaintext attack, IND-CPA for short. Very informally: this is a game where the attacker can choose 2 messages, then receives one ciphertext and has to guess which message it was. If the attacker has a probability better than just guessing randomly (by more than a negligible amount), the attacker wins and the encryption is considered insecure.

The attacker in that game could of course just create a large amount of encryptions of his two messages under new keys. If that led to any type of advantage, he could use it to win the game described previously. And that cipher is considered broken in today's world.

So if the encryption is at least IND-CPA, this will not be a problem.

tylo
  • I'm not sure how this relates. It seems this answer is specifically about protection against chosen plaintext attacks. In the question, the plaintext is unknown. The attacker only knows that all the different ciphertexts come from the same plaintext, but doesn't know the actual contents of the plaintext. Is IND-CPA security still relevant here? – plumbn Jan 07 '22 at 02:05
  • @plumbn: if a cryptosystem is secure in the IND-CPA model, it is obviously secure in the attacker's model – poncho Jan 07 '22 at 15:50
  • @poncho I see, so I think maybe I misinterpreted part of the answer. I was concerned perhaps tylo had misunderstood my question or that security against repeated trials may not have been part of the formal definition of IND-CPA. Thanks for the confirmation. – plumbn Jan 08 '22 at 03:39
  • @plumbn It is not 'part of the definition' of IND-CPA, the definition does not explicitly consider same messages under different random coins or even different keys. But it is covered, which the answer points out. And using IND-CPA as a minimum for today's cryptosystems is quite common. Anything weaker is not considered secure. – tylo Jan 08 '22 at 09:23
  • @tylo I see. Thanks for clarifying. – plumbn Jan 08 '22 at 11:14
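The point made in the answer and the comments (fresh keys and IVs for the same plaintext buy the attacker nothing if the scheme is IND-CPA, and a scheme where they do buy something is by definition not IND-CPA) can be made concrete with a small simulation. The code below is an added example, not part of the original question or answer. It constructs a toy "message-recovery by majority vote" statistic and runs it against two made-up schemes: a one-time pad with uniformly random key bytes, where every ciphertext is independent of the plaintext, and a deliberately broken variant whose key bits are biased toward 0. The functions `otp_encrypt`, `biased_encrypt`, `majority_vote_guess` and `recovered_fraction`, the sample message and the bias value 0.3 are all assumptions made for this illustration; nothing here models a real cipher.

```python
import random

# Constructed sample plaintext for the simulation (not from the original post).
SAMPLE_MESSAGE = b"meet me at noon"


def _xor(msg: bytes, key: bytes) -> bytes:
    return bytes(m ^ k for m, k in zip(msg, key))


def otp_encrypt(msg: bytes, rng: random.Random) -> bytes:
    """Toy scheme with a fresh uniformly random key per call.

    Each ciphertext is uniformly distributed and independent of msg, which is
    what an IND-CPA-secure scheme guarantees (up to a negligible advantage).
    A seeded random.Random is used only so the demo is reproducible; a real
    implementation would draw keys from secrets/os.urandom.
    """
    key = bytes(rng.getrandbits(8) for _ in msg)
    return _xor(msg, key)


def biased_encrypt(msg: bytes, rng: random.Random, p_one: float = 0.3) -> bytes:
    """Deliberately broken toy scheme: every key bit is 1 with probability p_one
    instead of 1/2, so each ciphertext leaks a little about the plaintext.
    This scheme is not IND-CPA, and the leak accumulates across encryptions."""
    key = bytes(
        sum(int(rng.random() < p_one) << i for i in range(8)) for _ in msg
    )
    return _xor(msg, key)


def majority_vote_guess(ciphertexts: list[bytes]) -> bytes:
    """Guess the plaintext bit-by-bit as the majority value across all
    ciphertexts. If key bits lean toward 0, the majority equals the plaintext
    bit; if key bits are uniform, the majority is itself a coin flip."""
    n = len(ciphertexts)
    length = len(ciphertexts[0])
    guess = bytearray(length)
    for byte_idx in range(length):
        value = 0
        for bit in range(8):
            ones = sum((c[byte_idx] >> bit) & 1 for c in ciphertexts)
            if ones * 2 > n:
                value |= 1 << bit
        guess[byte_idx] = value
    return bytes(guess)


def recovered_fraction(encrypt, msg: bytes, n: int, seed: int = 1) -> float:
    """Encrypt msg n times with independent keys, apply the majority-vote
    statistic, and return the fraction of plaintext bits guessed correctly."""
    rng = random.Random(seed)
    ciphertexts = [encrypt(msg, rng) for _ in range(n)]
    guess = majority_vote_guess(ciphertexts)
    matching_bits = sum(8 - bin(m ^ g).count("1") for m, g in zip(msg, guess))
    return matching_bits / (8 * len(msg))


if __name__ == "__main__":
    for n in (1, 11, 51, 201):
        print(
            f"N={n:4d}  uniform key: {recovered_fraction(otp_encrypt, SAMPLE_MESSAGE, n):.2f}"
            f"  biased key: {recovered_fraction(biased_encrypt, SAMPLE_MESSAGE, n):.2f}"
        )
```

With uniform keys the recovered fraction hovers around 0.5 (pure chance) no matter how large N is, while the biased scheme goes from roughly 0.7 at N=1 to a full recovery once N is in the hundreds. That is exactly the dichotomy the answer describes: the standard hybrid argument shows that an adversary seeing N encryptions of the same message under independent keys has advantage at most N times the single-encryption IND-CPA advantage, so for a secure scheme it stays negligible for any polynomial N, and for a broken scheme no such bound exists.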