This is the second article in a series on Cryptography for the Everyday Developer. Follow along to learn the basics of modern cryptography and encryption.
A cipher is only useful if it is secure. What makes a cipher secure? Let’s remember the use case for classical ciphers — keeping messages confidential.
Caesar’s cipher and Vigenère’s cipher share a flaw that makes them unusable for secure communication, and in both cases the flaw is obvious: the ciphertext itself reveals how the cipher works, so an eavesdropper can recover the message given only the ciphertext. A secure cipher, on the other hand, is one where it is not possible to learn anything about the plaintext or the cipher’s behaviour even by inspecting numerous plaintext or ciphertext messages.
This notion of security is codified in security goals. Two such goals are indistinguishability and nonmalleability.
Indistinguishability
Indistinguishability means that an attacker, even when seeing encrypted messages (ciphertexts), should not be able to tell anything about the original messages (plaintexts). More specifically, if an attacker sees two ciphertexts, they shouldn’t be able to tell which plaintext corresponds to which ciphertext, even if they know the possible plaintexts.
Imagine Alice sends two messages through an encryption system:
- Yes (Plaintext A)
- No (Plaintext B)
And encryption produces two ciphertexts:
- Xj9#mP (Ciphertext 1)
- Ky7$nQ (Ciphertext 2)
For the encryption method to have indistinguishability, even if an attacker knows that Alice sent the plaintext messages Yes and No, and sees both ciphertexts Xj9#mP and Ky7$nQ, they should have no way to determine which ciphertext corresponds to Yes and which to No.
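The guessing game described above can be written down as a small experiment: a challenger picks one of two known, equal-length plaintexts at random, encrypts it under a fresh key, and the attacker guesses which one it was. The example below, added here and not part of the article, plays that game against a keyed Caesar cipher (26 possible keys, deterministic) and against a one-time pad with a fresh random key. The messages YES and NAY, the attacker strategies and the trial counts are assumptions chosen for the demonstration.

```python
"""Left-or-right indistinguishability game (added example, not the article's code).
A deterministic cipher with a tiny key space loses the game every time;
a one-time pad with a fresh random key reduces the attacker to a coin flip."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(shift: int, plaintext: str) -> str:
    """Keyed Caesar cipher: shift letters, leave everything else alone.
    Deterministic: same key and plaintext always give the same ciphertext."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in plaintext
    )


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: XOR with a random key as long as the message, used once."""
    assert len(key) == len(plaintext)
    return bytes(k ^ p for k, p in zip(key, plaintext))


def caesar_attacker(ciphertext: str, m0: str, m1: str) -> int:
    """Distinguisher against Caesar: only 26 keys exist, so check whether any
    shift turns m0 into the observed ciphertext."""
    for shift in range(26):
        if caesar_encrypt(shift, m0) == ciphertext:
            return 0
    return 1


def otp_attacker(ciphertext: bytes, m0: bytes, m1: bytes) -> int:
    """Against a one-time pad every key is equally likely, so every plaintext of
    that length is equally likely and no strategy beats a coin flip.  This one
    guesses from the low bit of the first ciphertext byte, which is uniform."""
    return ciphertext[0] & 1


def play_game(keygen, encrypt, attacker, m0, m1, trials: int) -> float:
    """Challenger picks a random bit b, encrypts m_b under a fresh key, and the
    attacker guesses b.  Returns the fraction of correct guesses."""
    correct = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        key = keygen()
        ciphertext = encrypt(key, (m0, m1)[b])
        if attacker(ciphertext, m0, m1) == b:
            correct += 1
    return correct / trials


def caesar_win_rate(trials: int = 200) -> float:
    # Equal-length messages: ciphertext length is always visible, so the
    # definition only compares plaintexts of the same length.
    return play_game(lambda: secrets.randbelow(26), caesar_encrypt,
                     caesar_attacker, "YES", "NAY", trials)


def otp_win_rate(trials: int = 2000) -> float:
    return play_game(lambda: secrets.token_bytes(3), otp_encrypt,
                     otp_attacker, b"YES", b"NAY", trials)


if __name__ == "__main__":
    print("Caesar: attacker guesses correctly", caesar_win_rate(), "of the time")
    print("One-time pad: attacker guesses correctly", otp_win_rate(), "of the time")
```

The Caesar attacker wins every round because the ciphertext is a deterministic function of a key drawn from a space small enough to enumerate; the one-time-pad attacker hovers around 0.5, which is what indistinguishability demands. Note that the game deliberately uses messages of the same length, since no cipher hides the length of what it encrypts.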
Nonmalleability
Nonmalleability means that an attacker should not be able to modify a ciphertext in a way that creates a predictable or meaningful change in the decrypted plaintext. In other words, if an attacker changes an encrypted message, they shouldn’t be able to control or predict how their change will affect the original message.
Imagine a simple banking system where plaintext messages of the form Transfer $100 to Account 12345 are used to transfer money. Assume that after encryption, the ciphertext for the original plaintext message is Ax7#mP9$kL. In a malleable encryption system (which is insecure), an attacker is able to modify this ciphertext to meaningfully change the plaintext. For example:
- Given the original ciphertext: Ax7#mP9$kL
- an attacker modifies it to become: Ax7#mP9$kM
- After decryption, it becomes: Transfer $1000 to Account 12345
The attacker was able to meaningfully modify the amount without knowing the key or the full message.
The Caesar cipher is an example of a system that is malleable. If the plaintext message SEND $100 encrypts to VHQG X399, an attacker could change the value X399 to X7999 and modify the amount of money being sent from $100 to $1000.
In a nonmalleable system, on the other hand, any modification to the ciphertext should result in a decrypted result that is completely random and unusable: there should be no way to make targeted changes to the decrypted plaintext, such as increasing an amount or changing an account number.
This is why modern encryption systems use techniques like message authentication codes (MACs) or authenticated encryption to detect any tampering with the ciphertext and reject it before the plaintext is ever used.
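The following example, added here and not part of the article, shows both halves of the point in code: an unauthenticated stream cipher where changing one ciphertext byte changes the amount in the decrypted transfer in a predictable way, and the same cipher wrapped in encrypt-then-MAC with HMAC-SHA256, where the forged ciphertext is rejected before decryption. The keystream generator is a deliberately simple stand-in built from SHA-256 so the example needs only the standard library; it is not a real cipher, and the message, key sizes and tampered digit are constructed for the demonstration (the forgery changes $100 to $900, since a single byte is altered).

```python
"""Malleability of an unauthenticated stream cipher versus encrypt-then-MAC
(added example, not the article's code).  The SHA-256 keystream is a toy."""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, plaintext: bytes) -> bytes:
    """Stream encryption with a fresh nonce and no integrity protection."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag over nonce and ciphertext."""
    ciphertext = encrypt_unauthenticated(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext at all."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: ciphertext rejected")
    return decrypt_unauthenticated(enc_key, ciphertext)


def flip_plaintext_byte(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What malleability means for an XOR stream cipher: whoever knows the
    plaintext byte at `offset` can XOR the corresponding ciphertext byte to turn
    it into `new`, without knowing the key."""
    forged = bytearray(ciphertext)
    forged[NONCE_LEN + offset] ^= old[0] ^ new[0]
    return bytes(forged)


MESSAGE = b"Transfer $100 to Account 12345"  # constructed sample, as in the article
AMOUNT_OFFSET = MESSAGE.index(b"$") + 1        # first digit of the amount


def malleable_demo() -> bytes:
    """Unauthenticated cipher: the forged ciphertext decrypts to a changed amount."""
    key = secrets.token_bytes(32)
    ciphertext = encrypt_unauthenticated(key, MESSAGE)
    forged = flip_plaintext_byte(ciphertext, AMOUNT_OFFSET, b"1", b"9")
    return decrypt_unauthenticated(key, forged)


def authenticated_demo() -> tuple:
    """Encrypt-then-MAC: the genuine blob decrypts, the forged blob is rejected."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = encrypt_then_mac(enc_key, mac_key, MESSAGE)
    genuine = decrypt_and_verify(enc_key, mac_key, blob)
    forged = flip_plaintext_byte(blob, AMOUNT_OFFSET, b"1", b"9")
    try:
        decrypt_and_verify(enc_key, mac_key, forged)
        rejected = False
    except ValueError:
        rejected = True
    return genuine, rejected


if __name__ == "__main__":
    print("unauthenticated, after tampering:", malleable_demo())
    print("encrypt-then-MAC (genuine plaintext, forgery rejected):", authenticated_demo())
```

Two design points matter here. The MAC is computed over the nonce as well as the ciphertext, so an attacker cannot swap nonces either, and the tag is compared with `hmac.compare_digest` so that verification time does not leak which bytes of a forged tag were right. In practice you would reach for an authenticated-encryption mode such as AES-GCM or ChaCha20-Poly1305 from a vetted library rather than assemble the two pieces yourself; the hand-built version is here only to make the separation between confidentiality and integrity visible.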
Both indistinguishability and nonmalleability are crucial properties for modern secure encryption systems. Indistinguishability ensures that encrypted messages reveal no information about their contents, even when comparing multiple ciphertexts; nonmalleability ensures that an attacker cannot alter a ciphertext to produce a controlled change in the decrypted plaintext. Modern encryption algorithms and protocols must implement both properties to be considered truly secure, protecting against both passive eavesdropping and active manipulation attempts.