Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Chosen-ciphertext attack
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
==Varieties== Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In an adaptive chosen-ciphertext attack, the attacker can use the results from prior decryptions to inform their choices of which ciphertexts to have decrypted. In a non-adaptive attack, the attacker chooses the ciphertexts to have decrypted without seeing any of the resulting plaintexts. After seeing the plaintexts, the attacker can no longer obtain the decryption of additional ciphertexts. ===Lunchtime attacks=== A specially noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system.<ref name="CS">[[Ronald Cramer]] and [[Victor Shoup]], "[https://dx.doi.org/10.1007/BFb0055717 A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack]", in Advances in Cryptology β [[CRYPTO]] '98 proceedings, [[Santa Barbara, California]], 1998, pp. 13-25. ([[Cramer-Shoup system|article]])</ref> The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen ciphertext attack";<ref name="BDPR">[[Mihir Bellare]], [[Anand Desai]], [[David Pointcheval]], and [[Phillip Rogaway]], [https://www.di.ens.fr/david.pointcheval/Documents/Papers/1998_crypto.pdf Relations among Notions of Security for Public-Key Encryption Schemes], in Advances in Cryptology β CRYPTO '98, Santa Barbara, California, pp. 549-570.</ref> here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen ciphertext queries has expired. ===Adaptive chosen-ciphertext attack=== {{main|Adaptive chosen-ciphertext attack}} A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with only the stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack.<ref name="BDPR" /> Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks. A proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed. A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against [[PKCS1|PKCS#1]].<ref>D. Bleichenbacher. [http://www.bell-labs.com/user/bleichen/papers/pkcs.ps Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1] {{webarchive|url=https://web.archive.org/web/20120204040056/http://www.bell-labs.com/user/bleichen/papers/pkcs.ps |date=2012-02-04 }}. In Advances in Cryptology β CRYPTO'98, LNCS vol. 1462, pages: 1–12, 1998</ref> Numerous cryptosystems are proven secure against adaptive chosen-ciphertext attacks, some proving this security property based only on algebraic assumptions, some additionally requiring an idealized random oracle assumption. For example, the [[Cramer-Shoup system]]<ref name="CS" /> is secure based on number theoretic assumptions and no idealization, and after a number of subtle investigations it was also established that the practical scheme [[RSA-OAEP]] is secure under the RSA assumption in the idealized random oracle model.<ref>[[Mihir Bellare|M. Bellare]], [[Phillip Rogaway|P. Rogaway]] ''Optimal Asymmetric Encryption -- How to encrypt with RSA'' extended abstract in Advances in Cryptology β [[Eurocrypt]] '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, [[Springer-Verlag]], 1995. [http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)] {{Webarchive|url=https://web.archive.org/web/20080708233234/http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf |date=2008-07-08 }}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)