cryptography

Definition

Malleability

An encryption scheme is malleable if an attacker can modify a ciphertext so that the decrypted plaintext changes in a related and partly predictable way, without knowing the secret key.

Meaning

Malleability is not the same as decryption. An attacker may still be unable to recover the original plaintext, yet be able to force a chosen change in the decrypted message.

This is a problem whenever encrypted data is later interpreted as commands, roles, flags, or other structured fields.

Controlled change without decryption

If an attacker knows that an encrypted field contains the value 'logs', it may be enough to transform that field so it decrypts to 'flag'. The attacker does not need to recover the whole plaintext, or the key, in order to exploit the system.

Example

CTR mode is malleable because ciphertext is plaintext XOR keystream. If

then replacing by

forces the decrypted plaintext to become

logs to flag

In CTR mode, the ciphertext bytes for logs can be changed so that they decrypt to flag by XORing with

This changes the meaning of the field without revealing the key.

Contrast

Malleability is prevented by integrity protection: the receiver must be able to detect that a ciphertext was modified and reject it before acting on the decrypted value. In practice, this is achieved with an authenticated encryption mode such as AES-GCM, or with a MAC such as HMAC computed over the ciphertext (encrypt-then-MAC) and verified before decryption.
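The following added example (not part of the original page) illustrates both the Example and Contrast sections above. It builds a counter-mode stream cipher from HMAC-SHA256 (a stand-in for AES-CTR, assumed here so the code runs on the Python standard library alone; the malleability argument is identical because ciphertext is plaintext XOR keystream in both cases), shows that an unauthenticated CTR ciphertext carrying the constructed record 'role=logs;user=alice' can be made to decrypt to 'role=flag;user=alice' without the key, and then shows that an encrypt-then-MAC wrapper with HMAC rejects the same modified ciphertext before it is ever decrypted. Function and variable names are the author's own choices, not an API from any library.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (assumed stand-in for the
    AES-CTR keystream). Block i is HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # ciphertext = plaintext XOR keystream
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def ctr_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation
    return ctr_encrypt(key, nonce, ciphertext)


def malleate(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Modify ciphertext bytes at `offset` so that, if they currently decrypt to
    `old`, they will decrypt to `new`. No key is used: the delta old XOR new is
    applied to the ciphertext and passes straight through the keystream."""
    delta = xor_bytes(old, new)
    modified = bytearray(ciphertext)
    for i, d in enumerate(delta):
        modified[offset + i] ^= d
    return bytes(modified)


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: HMAC over nonce || ciphertext gives integrity protection."""
    ciphertext = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any modified byte fails."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return ctr_decrypt(enc_key, nonce, ciphertext)


def demo() -> dict:
    """Run the malleable and the integrity-protected variants on a constructed record."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    record = b"role=logs;user=alice"  # constructed sample plaintext
    offset = record.index(b"logs")

    # Unauthenticated CTR: the field changes meaning, the key is never touched.
    ciphertext = ctr_encrypt(enc_key, nonce, record)
    tampered = malleate(ciphertext, offset, b"logs", b"flag")
    unauthenticated = ctr_decrypt(enc_key, nonce, tampered)

    # Encrypt-then-MAC: the same modification is detected and rejected.
    ciphertext2, tag = etm_encrypt(enc_key, mac_key, nonce, record)
    tampered2 = malleate(ciphertext2, offset, b"logs", b"flag")
    try:
        etm_decrypt(enc_key, mac_key, nonce, tampered2, tag)
        rejected = False
    except ValueError:
        rejected = True

    return {"unauthenticated": unauthenticated, "authenticated_rejected": rejected}


if __name__ == "__main__":
    result = demo()
    print("CTR without integrity decrypts to:", result["unauthenticated"])
    print("Encrypt-then-MAC rejected the modified ciphertext:", result["authenticated_rejected"])
```

The point to take from the two halves is that the ciphertext modification is the same in both runs; only the presence of a verified tag determines whether the receiver acts on 'role=flag' or discards the message.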