Difference between revisions 5929565 and 7281518 on simplewiki

{{complex|date=December 2011}}
A '''chosen-ciphertext attack (CCA)''' is an [[attack model]] for [[cryptanalysis]] in which the cryptanalyst gathers information, at least in part, by choosing a [[ciphertext]] and obtaining its decryption under an unknown key.  

A variant of the chosen-ciphertext attack is the "lunchtime" or "midnight" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system.<ref name="CS">[[Ronald Cramer]] and [[Victor Shoup]], "[http://www.springerlink.com/content/bejnetn8v8n5vkc3/ A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack]{{Dead link|date=January 2021 |bot=InternetArchiveBot |fix-attempted=yes }}", in Advances in Cryptology – [[CRYPTO]] '98 proceedings, [[Santa Barbara, California]], 1998, pp. 13–25. ([[Cramer-Shoup system|article]])</ref>  The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch.  This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen-ciphertext queries, no encrypted message would be safe, at least until that ability is taken away.  This attack is sometimes called the "non-adaptive chosen-ciphertext attack";<ref name="BDPR">[[Mihir Bellare]], [[Anand Desai]], [[David Pointcheval]], and [[Philip Rogaway]], [http://www.springerlink.com/content/xl9cf8qpg0trrl9f/ Relations among Notions of Security for Public-Key Encryption Schemes]{{Dead link|date=January 2021 |bot=InternetArchiveBot |fix-attempted=yes }}, in Advances in Cryptology – CRYPTO '98, Santa Barbara, California, pp. 549–570.</ref> here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, because the challenge is given only after the ability to make chosen-ciphertext queries has expired.  

Many chosen-ciphertext attacks of practical importance are lunchtime attacks. For instance, [[Daniel Bleichenbacher]] of [[Bell Laboratories]] demonstrated a practical attack against systems using [[PKCS#1]], a standard invented and published by [[RSA Security]].<ref>D. Bleichenbacher. [http://www.bell-labs.com/user/bleichen/papers/pkcs.ps Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1] {{Webarchive|url=https://web.archive.org/web/20000815233711/http://www.bell-labs.com/user/bleichen/papers/pkcs.ps |date=2000-08-15 }}. In Advances in Cryptology – CRYPTO '98, LNCS vol. 1462, pages 1–12, 1998.</ref>

===Adaptive chosen-ciphertext attack===
A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively both before and after a challenge ciphertext is given to the attacker, with the one condition that the challenge ciphertext itself may not be queried.  This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack.<ref name="BDPR" />  Few practical attacks are of this form.  Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks: a proof that attacks in this model are impossible implies that no practical chosen-ciphertext attack can be performed either.  
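The CCA2 game described above, as an added illustration that is not part of the original article: the challenger's decryption oracle answers every query except the challenge ciphertext itself, a toy malleable stream cipher (constructed here, not a real scheme) loses the game because a modified ciphertext leaks the challenge plaintext, and the same cipher with an encrypt-then-MAC tag refuses the modified ciphertext and leaves the adversary guessing. All scheme and function names are this example's own.

```python
import hmac, hashlib, random

def keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (constructed for the game, not a real cipher)
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def enc_malleable(key, m, rng):
    # nonce || (m XOR keystream): no integrity check, so any bit of the body can be flipped
    nonce = rng.randbytes(16)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(key[:32], nonce, len(m))))

def dec_malleable(key, c):
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key[:32], nonce, len(body))))

def enc_etm(key, m, rng):
    # Encrypt-then-MAC: the same cipher plus an HMAC tag over nonce || body
    c = enc_malleable(key, m, rng)
    return c + hmac.new(key[32:], c, hashlib.sha256).digest()

def dec_etm(key, c):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[32:], body, hashlib.sha256).digest()):
        return None  # reject every modified ciphertext instead of decrypting it
    return dec_malleable(key, body)

def cca2_game(enc, dec, adversary, trials=200, seed=1):
    """IND-CCA2 game; returns the fraction of trials in which the adversary guesses b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key, b = rng.randbytes(64), rng.randrange(2)
        m0, m1 = b"attack at dawn", b"attack at dusk"
        challenge = enc(key, [m0, m1][b], rng)
        # Queries are allowed before and after the challenge; only the challenge itself is refused
        oracle = lambda c: None if c == challenge else dec(key, c)
        wins += adversary(oracle, m0, m1, challenge) == b
    return wins / trials

def malleability_adversary(oracle, m0, m1, challenge):
    i = 16 + len(m0) - 1                     # index of the last plaintext byte in the body
    modified = challenge[:i] + bytes([challenge[i] ^ 1]) + challenge[i + 1:]
    m = oracle(modified)                     # a legal query: modified != challenge
    if m is None:
        return 0                             # rejected: no information, guess blindly
    recovered = m[:-1] + bytes([m[-1] ^ 1])  # undo the flip to read the real plaintext
    return 0 if recovered == m0 else 1
```

Against the malleable scheme the adversary wins every trial; against the encrypt-then-MAC scheme its success rate is that of a coin flip, which is what "secure against adaptive chosen-ciphertext attacks" means in this game.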

Cryptosystems proven secure against adaptive chosen-ciphertext attacks include the [[Cramer-Shoup system]]<ref name="CS" /> and [[RSA-OAEP]].<ref>
[[Mihir Bellare|M. Bellare]], [[Phillip Rogaway|P. Rogaway]]. ''Optimal Asymmetric Encryption – How to encrypt with RSA''.  Extended abstract in Advances in Cryptology – [[Eurocrypt]] '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis, ed., [[Springer-Verlag]], 1995.  [http://www-cse.ucsd.edu/users/mihir/papers/oae.pdf full version (pdf)]</ref>  

==Related pages==
* [[Ciphertext-only attack]]
* [[Chosen-plaintext attack]]
* [[Known-plaintext attack]]

==References==
{{reflist}}

[[Category:Cryptography]]