Per the standard definitions of CPA-secure public key encryption, there are exactly the same security assurances for the protocol A --> B : {T},{P}
and A --> B : {T,P}
. Confidentiality, and nothing else.
Proof: from any CPA-secure public key encryption we build another one as follows:
- We define the new encryption of a single-bit¹ message $m$ to be the original encryption of a random bit $b$, concatenated with $c:=m\oplus b$. Decryption deciphers $b$, then finds $m=c\oplus b$.
- We define that the new encryption of a multi-bit message is the concatenation of the new encryption of each message bit. Decryption deciphers individuals bits, and rebuilds the original message.
It's easy to prove that the new encryption scheme decrypts correctly, and is CPA-secure. For this encryption scheme and any messages T
and P
it holds {T,P}
= {T},{P}
thus the two methods in the question are indistinguishable, thus equally secure.
In both cases, the data is not authenticated. Adversaries can encrypt any message and substitute the outcome for the original. And it should be assumed that they can manipulate a cryptogram in order to change any portion of the plaintext after decryption, including inserting, reordering, duplicating, flipping a bit, adding a constant.
Note: there are encryption schemes making A --> B : {T},{P}
susceptible to attacks that fail for A --> B : {T,P}
(like changing what B
gets to {T'},{P}
with T'
a close time, which allows to find {P}
in advance of the planned meeting by following B
trying to go to the meeting place too early). My point is that the problem statement does not allow to conclude that the encryption system used is one of these non-malleable cryptosystems.
¹ change bit to byte if the cryptosystem only allows messages with size multiple of 8 bits.