Chosen-ciphertext attack

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.
A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the ElGamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen ciphertexts in an attempt to recover the hidden secret key.
When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially-chosen ciphertexts can permit subtle attacks. Additionally, some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, Cramer–Shoup and many forms of authenticated symmetric encryption.
Varieties of chosen-ciphertext attacks
Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In a non-adaptive attack, the attacker chooses the ciphertext or ciphertexts to decrypt in advance, and does not use the resulting plaintexts to inform their choice for more ciphertexts. In an adaptive chosen-ciphertext attack, the attacker makes their ciphertext choices adaptively, that is, depending on the result of prior decryptions.
Lunchtime attacks
A specially noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system.^{[1]} The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen-ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen-ciphertext attack";^{[2]} here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen-ciphertext queries has expired.
Adaptive chosen-ciphertext attack
Main article: Adaptive chosen-ciphertext attack
A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with only the stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack.^{[2]} Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks. A proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed.
A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against PKCS#1.^{[3]}
Cryptosystems proven secure against adaptive chosen-ciphertext attacks include the Cramer–Shoup system^{[1]} and RSA-OAEP.^{[4]}
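The following toy model, added here as an illustration and not part of the original article, shows why the single CCA2 stipulation (the challenge ciphertext itself may not be queried) is not enough to protect a malleable scheme: a textbook ElGamal ciphertext can be transformed into a different, still-valid ciphertext of a related message, and the oracle decrypts that one. The group parameters (P = 467, G = 2) are deliberately tiny and are assumptions for the demo.

```python
# Added example: textbook ElGamal over a toy prime, plus a decryption oracle that
# enforces the CCA2 rule. Demonstrates that refusing the exact challenge
# ciphertext does not prevent recovery of the plaintext when the scheme is
# malleable, which is why provably CCA-secure schemes (RSA-OAEP, Cramer-Shoup,
# authenticated encryption) reject any modified ciphertext instead.
import secrets

P = 467   # toy prime (assumption); real deployments use 2048-bit-plus groups
G = 2     # group element used as the base (assumption for the toy group)


def keygen():
    x = secrets.randbelow(P - 2) + 1          # private exponent x in [1, P-2]
    return x, pow(G, x, P)                    # (private key, public key y = g^x)


def encrypt(y, m):
    k = secrets.randbelow(P - 2) + 1          # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(y, k, P)) % P   # (c1, c2) = (g^k, m * y^k)


def decrypt(x, ct):
    c1, c2 = ct
    s = pow(c1, x, P)                         # shared secret y^k = c1^x
    return (c2 * pow(s, -1, P)) % P           # m = c2 * s^(-1)


class CCA2Oracle:
    """Decryption oracle that refuses only the exact challenge ciphertext."""
    def __init__(self, x, challenge):
        self.x, self.challenge = x, challenge

    def query(self, ct):
        if ct == self.challenge:
            raise ValueError("challenge ciphertext may not be queried")
        return decrypt(self.x, ct)


def malleability_demo(m):
    """Return (true plaintext, plaintext recovered via a related ciphertext)."""
    x, y = keygen()
    challenge = encrypt(y, m)
    oracle = CCA2Oracle(x, challenge)
    c1, c2 = challenge
    related = (c1, (2 * c2) % P)              # valid ciphertext of 2*m, same k
    recovered = (oracle.query(related) * pow(2, -1, P)) % P
    return m, recovered


def oracle_rejects_challenge():
    """Confirm the oracle enforces the CCA2 rule on the challenge itself."""
    x, y = keygen()
    challenge = encrypt(y, 7)
    try:
        CCA2Oracle(x, challenge).query(challenge)
    except ValueError:
        return True
    return False
```

Run `malleability_demo(42)` to see the oracle hand back the challenge's plaintext despite never decrypting the challenge itself; a scheme with ciphertext integrity would reject `related` outright.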
See also
 Ciphertext-only attack
 Known-plaintext attack
 Chosen-plaintext attack
References
 ^ ^{a} ^{b} Ronald Cramer and Victor Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack", in Advances in Cryptology – CRYPTO '98 proceedings, Santa Barbara, California, 1998, pp. 13–25. (article)
 ^ ^{a} ^{b} Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway, "Relations among Notions of Security for Public-Key Encryption Schemes", in Advances in Cryptology – CRYPTO '98, Santa Barbara, California, pp. 549–570.
 ^ D. Bleichenbacher, "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1", in Advances in Cryptology – CRYPTO '98, LNCS vol. 1462, pp. 1–12, 1998.
 ^ M. Bellare and P. Rogaway, "Optimal Asymmetric Encryption – How to Encrypt with RSA", extended abstract in Advances in Cryptology – Eurocrypt '94 Proceedings, Lecture Notes in Computer Science vol. 950, A. De Santis (ed.), Springer-Verlag, 1995. Full version (pdf).
Wikimedia Foundation. 2010.