A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption. For formal definitions of security against chosen-ciphertext attacks, see for example Michael Luby and Mihir Bellare et al.


Introduction

A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the ElGamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen ciphertexts in an attempt to recover the hidden secret key.

It was not at all clear whether public-key cryptosystems could withstand chosen-ciphertext attack until the initial breakthrough work of Moni Naor and Moti Yung in 1990, which suggested a mode of dual encryption with an integrity proof (now known as the "Naor-Yung" encryption paradigm). This work made the notion of security against chosen-ciphertext attack much clearer than before and opened the research direction of constructing systems with various protections against variants of the attack.

When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them, which permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, secure under the random oracle heuristic, and Cramer-Shoup, the first practical public-key system proven secure in this sense. For symmetric encryption schemes it is known that authenticated encryption, a primitive based on symmetric encryption, gives security against chosen-ciphertext attacks, as was first shown by Jonathan Katz and Moti Yung.
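As an added illustration of the ElGamal remark above (this code is not part of the original article and is not taken from any of the cited papers), the following Python shows why chosen-plaintext security does not carry over to the chosen-ciphertext model: a toy ElGamal in a constructed 509-element subgroup, a decryption oracle that applies the CCA2 rule of refusing only the exact challenge ciphertext, and the one-query strategy that wins the indistinguishability game by exploiting the scheme's multiplicative homomorphism. The group parameters, the function and class names and the sample message values are my own choices and are far too small for any real use.

```python
"""Toy ElGamal over a small prime-order group, used to show that a malleable
scheme cannot be secure against chosen-ciphertext attack. Constructed demo
parameters only."""
import secrets

# Constructed group: P = 2*Q + 1 with both prime; G = 4 is a square mod P,
# so it generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4


def keygen():
    """Private exponent x in [1, Q-1], public key h = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """ElGamal encryption of m in [1, P-1] under fresh randomness r."""
    if not 1 <= m < P:
        raise ValueError("message out of range")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x, ct):
    """Recover m = c2 / c1^x mod P (inverse via Fermat since P is prime)."""
    c1, c2 = ct
    shared = pow(c1, x, P)
    return (c2 * pow(shared, P - 2, P)) % P


def maul(ct, k):
    """Homomorphic property: scaling c2 by k yields a valid encryption of k*m.
    This is the malleability a chosen-ciphertext adversary relies on."""
    c1, c2 = ct
    return c1, (c2 * k) % P


class DecryptionOracle:
    """CCA2 decryption oracle: answers every query except the challenge itself."""

    def __init__(self, x):
        self._x = x
        self.challenge = None

    def query(self, ct):
        if ct == self.challenge:
            raise PermissionError("the challenge ciphertext may not be queried")
        return decrypt(self._x, ct)


def malleability_attacker(oracle, m0, m1, challenge):
    """Adversary: ask for the decryption of a related ciphertext (2*m_b),
    divide out the factor of 2, and compare with the two candidate messages."""
    doubled = oracle.query(maul(challenge, 2))
    recovered = (doubled * pow(2, P - 2, P)) % P
    return 0 if recovered == m0 else 1


def cca2_game(attacker, m0=123, m1=456):
    """One round of the CCA2 indistinguishability game.
    Returns True if the attacker correctly identified which message was encrypted."""
    x, h = keygen()
    oracle = DecryptionOracle(x)
    b = secrets.randbelow(2)
    oracle.challenge = encrypt(h, m1 if b else m0)
    return attacker(oracle, m0, m1, oracle.challenge) == b


if __name__ == "__main__":
    wins = sum(cca2_game(malleability_attacker) for _ in range(100))
    print(f"attacker won {wins}/100 rounds")  # 100/100: the scheme is not CCA secure
```

The same homomorphism is harmless under chosen-plaintext attack, where the adversary has no decryption oracle; it becomes fatal the moment one exists. The remedy in the public-key setting is one of the CCA-secure schemes the article names (Cramer-Shoup, RSA-OAEP), which bind the ciphertext so that a mauled ciphertext is rejected rather than decrypted.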


Varieties

Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In an adaptive chosen-ciphertext attack, the attacker can use the results from prior decryptions to inform their choices of which ciphertexts to have decrypted. In a non-adaptive attack, the attacker chooses the ciphertexts to have decrypted without seeing any of the resulting plaintexts. After seeing the plaintexts, the attacker can no longer obtain the decryption of additional ciphertexts.


Lunchtime attacks

A specially noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system [Ronald Cramer and Victor Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack", in Advances in Cryptology – CRYPTO '98 proceedings, Santa Barbara, California, 1998, pp. 13-25]. The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen-ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen ciphertext attack" [Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway, "Relations among Notions of Security for Public-Key Encryption Schemes", in Advances in Cryptology – CRYPTO '98, Santa Barbara, California, pp. 549-570]; here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen-ciphertext queries has expired.


Adaptive chosen-ciphertext attack

A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with only the stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack. Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks: a proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed. A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against PKCS#1.

Numerous cryptosystems are proven secure against adaptive chosen-ciphertext attacks, some proving this security property based only on algebraic assumptions, some additionally requiring an idealized random oracle assumption. For example, the Cramer-Shoup system is secure based on number-theoretic assumptions and no idealization, and after a number of subtle investigations it was also established that the practical scheme RSA-OAEP is secure under the RSA assumption in the idealized random oracle model [M. Bellare and P. Rogaway, "Optimal Asymmetric Encryption -- How to Encrypt with RSA", extended abstract in Advances in Cryptology – Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis (ed.), Springer-Verlag, 1995].
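The following added example (not from the article or from any of the papers it cites) ties together two points made above: the CCA1 versus CCA2 query rules described in the Varieties, Lunchtime and Adaptive sections, and the introduction's remark that authenticated encryption gives symmetric schemes chosen-ciphertext security. The CCAOracle class, the function names and the SHA-256 counter-mode keystream cipher are my own constructions for the demonstration; the keystream cipher is stated as an assumption and a deployment would use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 instead. What the code shows is that with encrypt-then-MAC every modified ciphertext fails the tag check, so a decryption oracle, whether open only before the challenge (CCA1) or also after it (CCA2), returns nothing but "reject" for related ciphertexts.

```python
"""Decryption-oracle harness enforcing the CCA1/CCA2 rules, exercised with an
encrypt-then-MAC symmetric scheme. The stream cipher is a constructed demo
(SHA-256 keystream); the security-relevant part is the tag check."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Constructed counter-mode keystream from SHA-256 (assumption, demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def ae_encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: the HMAC tag covers the nonce and the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    body = nonce + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def ae_decrypt(enc_key, mac_key, ct):
    """Verify the tag first (constant-time compare), decrypt only if it matches.
    Returns None for any ciphertext that was not produced by ae_encrypt."""
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # reject: any change to nonce, ciphertext or tag lands here
    nonce, c = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(x ^ k for x, k in zip(c, _keystream(enc_key, nonce, len(c))))


class CCAOracle:
    """Decryption oracle with the rules of the CCA1 or CCA2 game.

    CCA1 (lunchtime): queries allowed only before the challenge is issued.
    CCA2 (adaptive):  queries allowed before and after, except the challenge itself."""

    def __init__(self, decrypt_fn, mode):
        if mode not in ("CCA1", "CCA2"):
            raise ValueError("mode must be CCA1 or CCA2")
        self._decrypt = decrypt_fn
        self.mode = mode
        self.challenge = None

    def issue_challenge(self, ct):
        self.challenge = ct

    def query(self, ct):
        if self.mode == "CCA1" and self.challenge is not None:
            raise PermissionError("CCA1: oracle closed once the challenge is issued")
        if ct == self.challenge:
            raise PermissionError("the challenge ciphertext itself may not be queried")
        return self._decrypt(ct)


def flip_bit(ct, index):
    """Produce a related ciphertext by flipping one bit at byte `index`."""
    b = bytearray(ct)
    b[index] ^= 0x01
    return bytes(b)


def demo(mode="CCA2"):
    """Run the game in the given mode with constructed keys and messages.
    Returns (post-challenge query permitted?, oracle answer for a tampered query)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    oracle = CCAOracle(lambda c: ae_decrypt(enc_key, mac_key, c), mode)
    oracle.query(ae_encrypt(enc_key, mac_key, b"warm-up"))  # allowed in both modes
    challenge = ae_encrypt(enc_key, mac_key, b"secret")
    oracle.issue_challenge(challenge)
    try:
        return True, oracle.query(flip_bit(challenge, NONCE_LEN + 2))
    except PermissionError:
        return False, None


if __name__ == "__main__":
    print("CCA2:", demo("CCA2"))  # (True, None): query allowed, tampered ciphertext rejected
    print("CCA1:", demo("CCA1"))  # (False, None): oracle closed after the challenge
```

In CCA2 mode the oracle does answer the related query, but the answer is a rejection, which is the whole point of the Katz-Yung result: with authenticated encryption the oracle leaks nothing beyond validity, so the adversary gains no advantage from it. Contrast this with the malleable toy ElGamal earlier on this page, where the same kind of related query hands over the plaintext.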


See also

* RCCA security


Further reading


Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage (Usenix 2016)