What are the implications of XORing ciphertext with plaintext?Does adding complexity mean a more secure cipher?How to attack a “many-time pad” based on what happens when an ASCII space is XORed with a letter?Plaintext block chaining, bad idea why?Would this method deliver a perfectly non-malleable encryption for at least two blocks?Would this method allow fast authenticated encryption using only a single encryption operation per block?Would this method allow fast authenticated encryption using only a single encryption and RNG operation per block?Counter mode with $operatornameAES_k(m)$ vs $operatornameAES_m(k)$Does repeated xoring of the (same) key K lower the entropy of K?Replacement for XOR in CBC?What happens if CBC-mode uses the same IV for all processes?Does adding complexity mean a more secure cipher?

Can my American children re-enter the USA by International flight with a passport card? Being that their passport book has expired

When did game consoles begin including FPUs?

Will consteval functions allow template parameters dependent on function arguments?

Could there be something like aerobatic smoke trails in the vacuum of space?

Is random forest for regression a 'true' regression?

How to redirect stdout to a file, and stdout+stderr to another one?

What was Varys trying to do at the beginning of S08E05?

Why did the metro bus stop at each railway crossing, despite no warning indicating a train was coming?

c++ conditional uni-directional iterator

Polynomial division: Is this trick obvious?

Does addError() work outside of triggers?

I recently started my machine learning PhD and I have absolutely no idea what I'm doing

Wifi is sometimes soft blocked by unknown service

Network latencies between opposite ends of the Earth

Would life always name the light from their sun "white"

Why would company (decision makers) wait for someone to retire, rather than lay them off, when their role is no longer needed?

Why are goodwill impairments on the statement of cash-flows of GE?

How does Ctrl+c and Ctrl+v work?

Formal Definition of Dot Product

Understanding Deutch's Algorithm

To whom did Varys write those letters in Game of Thrones S8E5?

Why do galaxies collide

Holding rent money for my friend which amounts to over $10k?

Does the Rogue's Reliable Talent feature work for thieves' tools, since the rogue is proficient in them?



What are the implications of XORing ciphertext with plaintext?


Does adding complexity mean a more secure cipher?How to attack a “many-time pad” based on what happens when an ASCII space is XORed with a letter?Plaintext block chaining, bad idea why?Would this method deliver a perfectly non-malleable encryption for at least two blocks?Would this method allow fast authenticated encryption using only a single encryption operation per block?Would this method allow fast authenticated encryption using only a single encryption and RNG operation per block?Counter mode with $operatornameAES_k(m)$ vs $operatornameAES_m(k)$Does repeated xoring of the (same) key K lower the entropy of K?Replacement for XOR in CBC?What happens if CBC-mode uses the same IV for all processes?Does adding complexity mean a more secure cipher?













1












$begingroup$


I was intrigued by this question: Does adding complexity mean a more secure cipher?

And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:



$$C=(E_k(m)oplus m)$$



My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.




"In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."











share|improve this question







New contributor



tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$
















    1












    $begingroup$


    I was intrigued by this question: Does adding complexity mean a more secure cipher?

    And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:



    $$C=(E_k(m)oplus m)$$



    My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.




    "In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."











    share|improve this question







    New contributor



    tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






    $endgroup$














      1












      1








      1





      $begingroup$


      I was intrigued by this question: Does adding complexity mean a more secure cipher?

      And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:



      $$C=(E_k(m)oplus m)$$



      My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.




      "In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."











      share|improve this question







      New contributor



      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      $endgroup$




      I was intrigued by this question: Does adding complexity mean a more secure cipher?

      And it led me to wonder: What are the implications (if any) of XORing a ciphertext with the original plaintext message? So:



      $$C=(E_k(m)oplus m)$$



      My first impression was: "That sounds like a bad idea.", but is it necessarily? Seems like something similar is being used for Propagating Cipher Block Chaining.




      "In PCBC mode, each block of plaintext is XORed with both the previous plaintext block and the previous ciphertext block before being encrypted."








      encryption block-cipher stream-cipher cbc xor






      share|improve this question







      New contributor



      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.










      share|improve this question







      New contributor



      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      share|improve this question




      share|improve this question






      New contributor



      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.








      asked 5 hours ago









      tjt263tjt263

      1103




      1103




      New contributor



      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




      New contributor




      tjt263 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes


















          3












          $begingroup$

          This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^m(m) oplus m = (m oplus 0^m) oplus m = m oplus m = 0^m$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?



          The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.






          share|improve this answer










          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          $endgroup$












          • $begingroup$
            You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
            $endgroup$
            – tjt263
            3 hours ago






          • 1




            $begingroup$
            Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
            $endgroup$
            – user69201
            2 hours ago











          • $begingroup$
            Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
            $endgroup$
            – tjt263
            2 hours ago











          • $begingroup$
            Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
            $endgroup$
            – Maarten Bodewes
            1 hour ago











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          tjt263 is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70543%2fwhat-are-the-implications-of-xoring-ciphertext-with-plaintext%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          3












          $begingroup$

          This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^m(m) oplus m = (m oplus 0^m) oplus m = m oplus m = 0^m$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?



          The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.






          share|improve this answer










          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          $endgroup$












          • $begingroup$
            You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
            $endgroup$
            – tjt263
            3 hours ago






          • 1




            $begingroup$
            Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
            $endgroup$
            – user69201
            2 hours ago











          • $begingroup$
            Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
            $endgroup$
            – tjt263
            2 hours ago











          • $begingroup$
            Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
            $endgroup$
            – Maarten Bodewes
            1 hour ago















          3












          $begingroup$

          This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^m(m) oplus m = (m oplus 0^m) oplus m = m oplus m = 0^m$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?



          The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.






          share|improve this answer










          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          $endgroup$












          • $begingroup$
            You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
            $endgroup$
            – tjt263
            3 hours ago






          • 1




            $begingroup$
            Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
            $endgroup$
            – user69201
            2 hours ago











          • $begingroup$
            Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
            $endgroup$
            – tjt263
            2 hours ago











          • $begingroup$
            Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
            $endgroup$
            – Maarten Bodewes
            1 hour ago













          3












          3








          3





          $begingroup$

          This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^m(m) oplus m = (m oplus 0^m) oplus m = m oplus m = 0^m$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?



          The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.






          share|improve this answer










          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          $endgroup$



          This is not a correct encryption scheme because it cannot be properly decrypted. Consider $Enc_k$ to be the one-time pad (OTP), the key being all zeroes. Then you have that $$C = Enc_0^m(m) oplus m = (m oplus 0^m) oplus m = m oplus m = 0^m$$ for any message. Or consider encrypting some random string r, then you have $C = Enc_k(r) oplus r$ which is basically the OTP. How would you want to decrypt that?



          The PCBC mode also does not output this construct as part of the ciphertext but feeds it as input to the block cipher encryption XORed with a plaintext block.







          share|improve this answer










          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.








          share|improve this answer



          share|improve this answer








          edited 2 hours ago





















          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.








          answered 4 hours ago









          user69201user69201

          313




          313




          New contributor



          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.




          New contributor




          user69201 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.













          • $begingroup$
            You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
            $endgroup$
            – tjt263
            3 hours ago






          • 1




            $begingroup$
            Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
            $endgroup$
            – user69201
            2 hours ago











          • $begingroup$
            Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
            $endgroup$
            – tjt263
            2 hours ago











          • $begingroup$
            Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
            $endgroup$
            – Maarten Bodewes
            1 hour ago
















          • $begingroup$
            You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
            $endgroup$
            – tjt263
            3 hours ago






          • 1




            $begingroup$
            Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
            $endgroup$
            – user69201
            2 hours ago











          • $begingroup$
            Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
            $endgroup$
            – tjt263
            2 hours ago











          • $begingroup$
            Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
            $endgroup$
            – Maarten Bodewes
            1 hour ago















          $begingroup$
          You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
          $endgroup$
          – tjt263
          3 hours ago




          $begingroup$
          You lost me. Why OTPs? I was really just thinking of generic block or stream ciphers. Why all zeroes? And what is that first equation? Ciphertext equals message XOR message equals 0 to the power of the length of the message?
          $endgroup$
          – tjt263
          3 hours ago




          1




          1




          $begingroup$
          Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
          $endgroup$
          – user69201
          2 hours ago





          $begingroup$
          Because encryption schemes are usually required to fulfill the correctness requirement that $Dec_k(Enc_k(m)) = m$. If distinct messages encrypt to zero-strings, this cannot hold. So your approach does not work in general, for example when $Enc_k$ is the encryption function of the OTP. The answer you linked already mentions this: "Xoring the message into the ciphertext removes the ability to decrypt the ciphertext." This is easy to see if you think of encrypting random messages. $0^m$ is the notation for a string of zeroes that is as long as the message $m$.
          $endgroup$
          – user69201
          2 hours ago













          $begingroup$
          Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
          $endgroup$
          – tjt263
          2 hours ago





          $begingroup$
          Is $D_k(E_k(m))=m$ the same as $m=E_k^-1(C)$?
          $endgroup$
          – tjt263
          2 hours ago













          $begingroup$
          Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
          $endgroup$
          – Maarten Bodewes
          1 hour ago




          $begingroup$
          Yes, because $C$ is $E_k(m)$ and the inverse of $E_k$ is of course decryption $D_k$ (presuming that $-1$ is the inverse op. of course).
          $endgroup$
          – Maarten Bodewes
          1 hour ago










          tjt263 is a new contributor. Be nice, and check out our Code of Conduct.









          draft saved

          draft discarded


















          tjt263 is a new contributor. Be nice, and check out our Code of Conduct.












          tjt263 is a new contributor. Be nice, and check out our Code of Conduct.











          tjt263 is a new contributor. Be nice, and check out our Code of Conduct.














          Thanks for contributing an answer to Cryptography Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f70543%2fwhat-are-the-implications-of-xoring-ciphertext-with-plaintext%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

          Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

          Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її