Score:2

How would having multiple independently encrypted versions of the same plaintext impact confidentiality?


Suppose I have some unknown plaintext P which I encrypt N times, each time with a completely new and random key and IV. Would knowing that all the encrypted output came from the same identical plaintext make it any easier to guess or derive the original message without any of the keys or IVs? If so, why and how much easier would it get as N became larger?

kelalaka
It really depends on $N$; if $N$ is large, then you are vulnerable to [multi-target attacks](https://crypto.stackexchange.com/q/75880/18298).
plumbn
@kelalaka Thanks for the link. Multi-target attacks appear to be for a situation with a known plaintext. Is that accurate? I'm really only interested in a situation where the plaintext is unknown.
Score:2

If the encryption method in question is considered secure today, this will not be an issue.

To be considered secure, an encryption method today needs to be at least indistinguishable under chosen plaintext attack, IND-CPA for short. Very informally: this is a game where the attacker can choose 2 messages, then receives one ciphertext and has to guess which message it was. If the attacker has a probability better than just guessing randomly (more than a negligible amount), the attacker wins and the encryption is considered insecure.

The attacker in that game could, of course, just create a large number of encryptions of his two messages with new keys. If that led to any type of advantage, he could use this to win the game described previously. And that cipher is considered broken in today's world.

So if the encryption is at least IND-CPA, this will not be a problem.

plumbn
I'm not sure how this relates. It seems this answer is specifically about protection against chosen plaintext attacks. In the question, the plaintext is unknown. The attacker only knows that all the different ciphertexts come from the same plaintext, but doesn't know the actual contents of the plaintext. Is IND-CPA security still relevant here?
poncho
@plumbn: if a cryptosystem is secure in the IND-CPA model, it is obviously secure in the attacker's model.
plumbn
@poncho I see, so I think maybe I misinterpreted part of the answer. I was concerned perhaps tylo had misunderstood my question or that security against repeated trials may not have been part of the formal definition of IND-CPA. Thanks for the confirmation.
cn flag
@plumbn It is not 'part of the definition' of IND-CPA; the definition does not explicitly consider the same messages under different random coins or even different keys. But it is covered, which the answer points out. And using IND-CPA as a minimum for today's cryptosystems is quite common. Anything weaker is not considered secure.
plumbn
@tylo I see. Thanks for clarifying.
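
The answer's argument as a runnable experiment (an added example, not part of the original thread): the same-plaintext game from the question, with N ciphertexts of one hidden message under N fresh keys, played against a toy HMAC-SHA256 stream cipher standing in for an IND-CPA scheme and against a constructed leaky variant. The function names, the two messages, the 60% leak and the majority-vote distinguisher are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def enc(key, msg):
    """Toy randomized stream cipher (HMAC-SHA256 keystream, fresh 16-byte nonce).
    Assumption: used here only as a stand-in for an IND-CPA secure scheme."""
    nonce = secrets.token_bytes(16)
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(msg) // 32 + 1))
    return nonce + bytes(m ^ k for m, k in zip(msg, ks))

def leaky_enc(key, msg):
    """Constructed broken scheme: appends the low bit of msg[0],
    flipped 40% of the time, so one ciphertext gives only a weak hint."""
    bit = (msg[0] & 1) ^ (secrets.randbelow(10) < 4)
    return enc(key, msg) + bytes([bit])

def majority_guess(cts):
    """Distinguisher: majority vote over the low bit of each ciphertext's last byte."""
    ones = sum(ct[-1] & 1 for ct in cts)
    return int(2 * ones > len(cts))

def success_rate(encrypt, n, trials=300):
    """Play the game `trials` times: n ciphertexts of m_b, each under a fresh
    random key; the distinguisher sees only the ciphertexts and guesses b."""
    m = [b"\x00same length A", b"\x01same length B"]  # constructed sample messages
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        cts = [encrypt(secrets.token_bytes(32), m[b]) for _ in range(n)]
        wins += majority_guess(cts) == b
    return wins / trials

if __name__ == "__main__":
    for n in (1, 11, 101):
        print(f"N={n:3d}  stand-in: {success_rate(enc, n):.2f}"
              f"  leaky: {success_rate(leaky_enc, n):.2f}")
```

Against the stand-in the success rate stays near 1/2 for every N, while the leaky scheme's single-ciphertext bias of about 0.6 is amplified toward 1 as N grows: repetition only helps when one ciphertext already gives a non-negligible advantage.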