A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly aware of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen ciphertexts in an attempt to recover the hidden secret key.
When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, Cramer-Shoup and many forms of authenticated symmetric encryption.
Varieties of chosen-ciphertext attacks
Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In a non-adaptive attack, the attacker chooses the ciphertext or ciphertexts to decrypt in advance, and does not use the resulting plaintexts to inform their choice of further ciphertexts. In an adaptive chosen-ciphertext attack, the attacker makes their ciphertext choices adaptively, that is, depending on the result of prior decryptions.
A particularly noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system. [1] The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen-ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen-ciphertext attack"; [2] here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen-ciphertext queries has expired.
Adaptive chosen-ciphertext attack
A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with the sole stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack. [2] Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks. A proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed.
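The following is an added illustration, not part of the original article, of the two points above: why textbook El Gamal loses its semantic security under chosen-ciphertext attack, and what the CCA2 rule "the challenge ciphertext may not itself be queried" does and does not prevent. It uses a small constructed group (p = 1019, generator 4) and a hypothetical DecryptionOracle class that models the CCA2 game; unpadded El Gamal is malleable, so a ciphertext related to the challenge is accepted by the oracle and reveals the challenge plaintext. This is exactly the failure that CCA-secure schemes such as Cramer-Shoup, RSA-OAEP or authenticated encryption are designed to rule out by rejecting modified ciphertexts.

```python
# Added example (not from the original article): textbook El Gamal over a small
# constructed group, showing why it is not CCA secure. The oracle enforces the
# CCA2 rule (it refuses the challenge ciphertext itself), yet a related
# ciphertext still decrypts and leaks the challenge plaintext.
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1; G = 2^2 is a quadratic
# residue, so it generates the subgroup of prime order Q.
P = 1019
Q = (P - 1) // 2
G = 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, Q-1]
    return x, pow(G, x, P)                    # (private, public = G^x)

def encrypt(pub, m):
    r = secrets.randbelow(Q - 1) + 1          # fresh per-message randomness
    return pow(G, r, P), (m * pow(pub, r, P)) % P   # (G^r, m * pub^r)

def decrypt(priv, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - priv, P)) % P      # c2 / c1^x, since c1^(P-1) = 1

class DecryptionOracle:
    """Models the CCA2 game: decrypts anything except the challenge ciphertext."""
    def __init__(self, priv, challenge):
        self._priv, self._challenge = priv, challenge
    def query(self, ct):
        if ct == self._challenge:
            raise ValueError("challenge ciphertext may not be queried")
        return decrypt(self._priv, ct)

def recover_via_malleability(challenge, oracle):
    """Scale the second component by a known factor s: the related ciphertext
    is valid and differs from the challenge, and decrypts to m * s."""
    c1, c2 = challenge
    s = 9                                     # known quadratic residue (3^2), s != 1
    related = (c1, (c2 * s) % P)
    m_times_s = oracle.query(related)         # accepted: not the challenge
    return (m_times_s * pow(s, P - 2, P)) % P # divide out s

def demo(m=16):
    """True when the oracle-assisted recovery returns the challenge plaintext."""
    priv, pub = keygen()
    challenge = encrypt(pub, m)
    return recover_via_malleability(challenge, DecryptionOracle(priv, challenge)) == m

def oracle_rejects_challenge(m=16):
    """True when querying the challenge itself is refused, as the CCA2 game requires."""
    priv, pub = keygen()
    challenge = encrypt(pub, m)
    try:
        DecryptionOracle(priv, challenge).query(challenge)
    except ValueError:
        return True
    return False
```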
A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against PKCS#1. [3]
Cryptosystems proven secure against adaptive chosen-ciphertext attacks include the Cramer-Shoup system [1] and RSA-OAEP. [4]
- Ciphertext-only attack
- Known-plaintext attack
- Chosen-plaintext attack