What encryption scheme should be used where the order of encryption and decryption doesn't matter?

0
votes

For instance, two keys are used to encrypt a plain text and the same keys are used to decrypt the encrypted message or the cipher-text, regardless of the order of how keys are used in encrypting or decrypting a message.As per my understanding it seems like a symmetric cryptography scheme should be used because the same keys are used to encrypt and decrypt the message, but I am not sure if the order of key usage matters or not. Is there a different scheme which should/can be used for this example? Thanks for your answers in advance!

1
encryptioncryptography
Might be better suited to crypto.stackexchange.com. And I'm by no means an expert but I don't think symmetric vs non-symmetric matters here, if what you're asking for is to be able to apply E1(E2(plain text)) and then being able to use either D1(D2(crypto text)) or D2(D1(crypto text)) to recover the plain text.Damien_The_Unbeliever
This is known as commutative cipher. Duplicate: Is there a secure cryptographic algorithm where encryption and decryption can be in any order?CodesInChaos

1 Answers

1
votes

As per my understanding it seems like a symmetric cryptography scheme should be used because the same keys are used to encrypt and decrypt the message, but I am not sure if the order of key usage matters or no

If I am reading this correctly, you should use either (1) a stream cipher since the encryption is an XOR with the key stream; or (2) a block cipher whose mode performs a XOR with the plain text. You might need to ensure the block cipher always uses the forward transformation of the cipher for both encryption and decryption (for example, CTR mode).

The tricky thing here is to avoid forming a group. That is, you don't want something such that E_1(E_2(m)) == E_3(m). I think its easy to form a group using (1) and (2) above. If you go with a block cipher in a mode like CBC (e.g., 3-key TDEA or triple-DES), then you won't form a group. But you won't get that associativity property you are looking for either.

You could probably do it with public key cryptography too. But you would probably need to choose, for example, one of the RSA exponents to be 1 so its the identity function. There's some other things you could do in RSA, but you're likely to have something equivalent to the identity element to ensure the pre-image and image are within bounds of the resulting composite modulus.

Damien_The_Unbeliever had a good suggestion: move this over to crypto.stackexchange.com. There's a lot of talent in that exchange.