Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Chosen-ciphertext attack
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Introduction== A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the [[El Gamal]] cryptosystem is [[semantic security|semantically secure]] under [[chosen-plaintext attack]], but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of [[RSA (algorithm)|RSA]] padding used in the [[Secure Sockets Layer|SSL]] protocol were vulnerable to a sophisticated [[adaptive chosen-ciphertext attack]] which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing [[stream cipher]]s as well. Designers of tamper-resistant cryptographic [[smart card]]s must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen-ciphertexts in an attempt to recover the hidden secret key. It was not clear at all whether public key cryptosystems could withstand the chosen ciphertext attack until the initial breakthrough work of [[Moni Naor]] and [[Moti Yung]] in 1990, which suggested a mode of dual encryption with [[Data integrity|integrity]] proof (now known as the "Naor-Yung" encryption paradigm).<ref name=naor-yung>{{cite journal|title=Moni Naor and Moti Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks|journal=Proceedings 21st Annual ACM Symposium on Theory of Computing|date=1990|pages=427β437}}</ref> This work made understanding of the notion of security against chosen ciphertext attack much clearer than before and open the research direction of constructing systems with various protections against variants of the attack. When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen-ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, other issues exist and some cryptosystems (such as [[RSA (algorithm)|RSA]]) use the same mechanism to sign messages and to decrypt them. This permits attacks when [[cryptographic hash function|hashing]] is not used on the message to be signed. A better approach is to use a cryptosystem which is [[provable security|provably secure]] under chosen-ciphertext attack, including (among others) [[Optimal Asymmetric Encryption Padding|RSA-OAEP]] secure under the random oracle heuristics, [[Cramer-Shoup system|Cramer-Shoup]] which was the first public key practical system to be secure. For symmetric encryption schemes it is known that [[authenticated encryption]] which is a primitive based on [[symmetric encryption]] gives security against chosen ciphertext attacks, as was first shown by [[Jonathan Katz (computer scientist)|Jonathan Katz]] and [[Moti Yung]].<ref name=katz-yung>{{cite journal|title=Jonathan Katz and Moti Yung, Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. FSE 2000: 284-299}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)