HOME

TheInfoList



OR:

A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the
ciphertext In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
s for arbitrary
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of com ...
s.Ross Anderson, ''Security Engineering: A Guide to Building Dependable Distributed Systems''. The first edition (2001): http://www.cl.cam.ac.uk/~rja14/book.html The goal of the attack is to gain information that reduces the security of the
encryption In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can de ...
scheme. Modern ciphers aim to provide semantic security, also known as ''ciphertext indistinguishability under chosen-plaintext attack'', and they are therefore, by design, generally immune to chosen-plaintext attacks if correctly implemented.


Introduction

In a chosen-plaintext attack the
adversary An adversary is generally considered to be a person, group, or force that opposes and/or attacks. Adversary may also refer to: * Satan ("adversary" in Hebrew), in Judeo-Christian religion Entertainment Fiction * Adversary (comics), villain fro ...
can (possibly adaptively) ask for the ciphertexts of arbitrary plaintext messages. This is formalized by allowing the adversary to interact with an encryption oracle, viewed as a
black box In science, computing, and engineering, a black box is a system which can be viewed in terms of its inputs and outputs (or transfer characteristics), without any knowledge of its internal workings. Its implementation is "opaque" (black). The te ...
. The attacker’s goal is to reveal all or a part of the secret encryption key. It may seem infeasible in practice that an attacker could obtain ciphertexts for given plaintexts. However, modern cryptography is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible (see also
In practice ''De facto'' ( ; , "in fact") describes practices that exist in reality, whether or not they are officially recognized by laws or other formal norms. It is commonly used to refer to what happens in practice, in contrast with ''de jure'' ("by la ...
). Chosen-plaintext attacks become extremely important in the context of
public key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
where the encryption key is public and so attackers can encrypt any plaintext they choose.


Different forms

There are two forms of chosen-plaintext attacks: *Batch chosen-plaintext attack, where the adversary chooses all of the plaintexts before seeing any of the corresponding ciphertexts. This is often the meaning intended by "chosen-plaintext attack" when this is not qualified. *Adaptive chosen-plaintext attack (CPA2), where the adversary can request the ciphertexts of additional plaintexts after seeing the ciphertexts for some plaintexts.


General method of an attack

A general batch chosen-plaintext attack is carried out as follows : # The attacker may choose ''n'' plaintexts. (This parameter ''n'' is specified as part of the attack model, it may or may not be bounded.) # The attacker then sends these ''n'' plaintexts to the encryption oracle. # The encryption oracle will then encrypt the attacker's plaintexts and send them back to the attacker. # The attacker receives ''n'' ciphertexts back from the oracle, in such a way that the attacker knows which ciphertext corresponds to each plaintext. # Based on the plaintext–ciphertext pairs, the attacker can attempt to extract the key used by the oracle to encode the plaintexts. Since the attacker in this type of attack is free to craft the plaintext to match his needs, the attack complexity may be reduced. Consider the following extension of the above situation. After the last step, # The adversary outputs two plaintexts 0 and 1. # A bit is chosen uniformly at random b\leftarrow\. # The adversary receives the encryption of b, and attempts to "guess" which plaintext it received, and outputs a bit . A cipher has indistinguishable encryptions under a chosen-plaintext attack if after running the above experiment with =1 the adversary can't guess correctly (=) with probability non- negligibly better than 1/2.


Examples

The following examples demonstrate how some ciphers that meet other security definitions may be broken with a chosen-plaintext attack.


Caesar cipher

The following attack on the Caesar cipher allows full recovery of the secret key: # Suppose the adversary sends the message: , # and the oracle returns . # The adversary can then work through to recover the key in the same way you would decrypt a Caesar cipher. The adversary could deduce the substitutions , and so on. This would lead the adversary to determine that 13 was the key used in the Caesar cipher. With more intricate or complex encryption methodologies the decryption method becomes more resource-intensive, however, the core concept is still relatively the same.


One-time pads

The following attack on a
one-time pad In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a single-use pre-shared key that is not smaller than the message being sent. In this technique, a plaintext is paired with a ran ...
allows full recovery of the secret key. Suppose the message length and key length are equal to . # The adversary sends a string consisting of zeroes to the oracle. # The oracle returns the bitwise
exclusive-or Exclusive or or exclusive disjunction is a logical operation that is true if and only if its arguments differ (one is true, the other is false). It is symbolized by the prefix operator J and by the infix operators XOR ( or ), EOR, EXOR, , , ...
of the key with the string of zeroes. # The string returned by the oracle ''is'' the secret key. While the one-time pad is used as an example of an information-theoretically secure cryptosystem, this security only holds under security definitions weaker than CPA security. This is because under the formal definition of CPA security the encryption oracle has no state. This vulnerability may not be applicable to all practical implementations – the one-time pad can still be made secure if key reuse is avoided (hence the name "one-time" pad).


In practice

In
World War II World War II or the Second World War, often abbreviated as WWII or WW2, was a world war that lasted from 1939 to 1945. It involved the vast majority of the world's countries—including all of the great powers—forming two opposing ...
US Navy cryptanalysts discovered that Japan was planning to attack a location referred to as "AF". They believed that "AF" might be
Midway Island Midway Atoll (colloquial: Midway Islands; haw, Kauihelani, translation=the backbone of heaven; haw, Pihemanu, translation=the loud din of birds, label=none) is a atoll in the North Pacific Ocean. Midway Atoll is an insular area of the Unit ...
, because other locations in the Hawaiian Islands had codewords that began with "A". To prove their hypothesis that "AF" corresponded to "Midway Island" they asked the US forces at Midway to send a plaintext message about low supplies. The Japanese intercepted the message and immediately reported to their superiors that "AF" was low on water, confirming the Navy's hypothesis and allowing them to position their force to win the
battle A battle is an occurrence of combat in warfare between opposing military units of any number or size. A war usually consists of multiple battles. In general, a battle is a military engagement that is well defined in duration, area, and force ...
. Also during
World War II World War II or the Second World War, often abbreviated as WWII or WW2, was a world war that lasted from 1939 to 1945. It involved the vast majority of the world's countries—including all of the great powers—forming two opposing ...
, Allied codebreakers at
Bletchley Park Bletchley Park is an English country house and estate in Bletchley, Milton Keynes ( Buckinghamshire) that became the principal centre of Allied code-breaking during the Second World War. The mansion was constructed during the years followin ...
would sometimes ask the
Royal Air Force The Royal Air Force (RAF) is the United Kingdom's air and space force. It was formed towards the end of the First World War on 1 April 1918, becoming the first independent air force in the world, by regrouping the Royal Flying Corps (RFC) an ...
to lay mines at a position that didn't have any abbreviations or alternatives in the German naval system's grid reference. The hope was that the Germans, seeing the mines, would use an Enigma machine to encrypt a warning message about the mines and an "all clear" message after they were removed, giving the allies enough information about the message to break the German naval Enigma. This process of ''planting'' a known-plaintext was called '' gardening''. Allied codebreakers also helped craft messages sent by double agent
Juan Pujol García Juan Pujol García (; 14 February 1912 – 10 October 1988), also known as Joan Pujol i García (), was a Spanish spy who acted as a double agent loyal to Great Britain against Nazi Germany during World War II, when he relocated to Britain ...
, whose encrypted radio reports were received in Madrid, manually decrypted, and then re-encrypted with an Enigma machine for transmission to Berlin. This helped the codebreakers decrypt the code used on the second leg, having supplied the original
text Text may refer to: Written word * Text (literary theory), any object that can be read, including: **Religious text, a writing that a religious tradition considers to be sacred **Text, a verse or passage from scripture used in expository preachin ...
. Seaman (2004). "The first code which Garbo was given by the Germans for his wireless communications turned out to be the identical code which was currently in use in the German circuits" In modern day, chosen-plaintext attacks (CPAs) are often used to break symmetric ciphers. To be considered CPA-secure, the symmetric cipher must not be vulnerable to chosen-plaintext attacks. Thus, it is important for symmetric cipher implementors to understand how an attacker would attempt to break their cipher and make relevant improvements. For some chosen-plaintext attacks, only a small part of the plaintext may need to be chosen by the attacker; such attacks are known as plaintext injection attacks.


Relation to other attacks

A chosen-plaintext attack is more powerful than
known-plaintext attack The known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext (called a crib), and its encrypted version (ciphertext). These can be used to reveal further secret information such as secr ...
, because the attacker can directly target specific terms or patterns without having to wait for these to appear naturally, allowing faster gathering of data relevant to cryptanalysis. Therefore, any cipher that prevents chosen-plaintext attacks is also secure against known-plaintext and ciphertext-only attacks. However, a chosen-plaintext attack is less powerful than a
chosen-ciphertext attack A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden ...
, where the attacker can obtain the plaintexts of arbitrary ciphertexts. A CCA-attacker can sometimes break a CPA-secure system. For example, the El Gamal cipher is secure against chosen plaintext attacks, but vulnerable to chosen ciphertext attacks because it is unconditionally malleable.


References

{{DEFAULTSORT:Chosen-Plaintext Attack