Questions tagged [chosen-plaintext-attack]

The attacker can specify his own plain text and encrypt or sign it. He can carefully craft it to learn characteristics about the algorithm.

For example, he can provide an empty text, a text consisting of one "a", then two ("aa"), and so on.

If the Vigenère cipher is used, for example, it is very easy to extract the key length and recover the key by encrypting a text that repeats one letter.

309 questions
75 votes, 1 answer

Easy explanation of "IND-" security notions?

There are many schemes that can advertise themselves with certain security notions, usually IND-CPA or IND-CCA2, for example plain ElGamal has IND-CPA security but doesn't provide IND-CCA security. The most common ones are the "IND-" ones,…
40 votes, 3 answers

Why is CBC with predictable IV considered insecure against chosen-plaintext attack?

I just learned that using CBC encryption with an IV which is predictable is not secure. From what I understand, using certain plain texts, and then guessing the IV that it uses, the attacker can verify if the IV he guessed was right. How does this…
34 votes, 1 answer

What do the signature security abbreviations like EUF-CMA mean?

From time to time, one stumbles across formal security definitions. This includes security definitions for signature schemes. The most common ones are the *UF-* ones, advertising security against specific classes of attackers. Now these notions may…
33 votes, 4 answers

What is the difference between known-plaintext attack and chosen-plaintext attack?

I am very confused between the concept of known-plaintext attack and chosen-plaintext attack. It seems to me that these two are the same thing, but it definitely is not. Can anyone explain to me how these two differ?
Tom Fabregas
29 votes, 2 answers

How does a chosen plaintext attack on RSA work?

How can one run a chosen plaintext attack on RSA? If I can send some plaintexts and get the ciphertexts, how can I find a relation between them which helps me to crack another ciphertext?
user1829
17 votes, 1 answer

The difference between these 4 breaking Cipher techniques?

I'm trying to understand the difference between the following and what they actually mean: Known plaintext attack; Known ciphertext attack; Chosen ciphertext attack; Chosen plaintext attack. Any clarification is much appreciated…
15 votes, 3 answers

Is using a predictable IV with CFB mode safe or not?

While writing this answer, I noted that NIST SP 800-38A says that (emphasis mine): "For the CBC and CFB modes, the IVs must be unpredictable. In particular, for any given plaintext, it must not be possible to predict the IV that will be associated…
14 votes, 7 answers

Possibility of Chosen Plaintext Attack (CPA) in real-world scenario?

In CPA, it is said that the adversaries get ciphertext for the choice of plaintext of adversaries through an encryption oracle. Is this a realistic assumption in real-world, in which the adversaries get ciphertext for the choice of their plaintexts?…
14 votes, 2 answers

Chosen Plaintext attack on AES in ECB mode

I am familiar with the following method for a chosen-plaintext injection attack on ECB ciphers, where I am allowed to append a block of bytes to the packet being encrypted: I inject a string with known bytes one less than the blocksize and try…
14 votes, 3 answers

In what way is XXTEA really vulnerable?

I'm looking at using the XXTEA algorithm to encrypt a small amount of data (say, less than 32KB) in the context of a software licensing algorithm. That is, we wish to make it difficult (not impossible) for our customers to forge (encrypted) license…
12 votes, 1 answer

Does IND-CPA imply PRF?

It is well-known that a pseudorandom function (PRF) can be used to build a CPA-secure symmetric cryptosystem. My question: is PRF necessary for this, i.e., can one show something like "If there exists an IND-CPA scheme then there exist PRF?"
12 votes, 1 answer

CPA-security of a pseudorandom permutation encryption scheme

Let $F$ be a pseudorandom permutation, and define a fixed-length encryption scheme $(Gen, Enc, Dec)$ as follows: on input $m \in$ $\{0,1\}^{n/2}$ and key $k \in \{0,1\}^n$, algorithm $Enc$ chooses a random string $r \leftarrow \{0,1\}^{n/2}$…
12 votes, 1 answer

If RSA is only used to encrypt symmetric keys which are random, what's wrong with textbook RSA?

As far as I know, IND-CPA is used to protect against frequency analysis. But if RSA is only used to encrypt symmetric keys, what's wrong with using only textbook RSA because random keys are very unlikely to repeat?
wlad
11 votes, 4 answers

One round of AES-128

Maybe it’s a silly question, I’m interested in the best known/chosen plaintext attack on only one round of AES-128. More specifically, what is the smallest number of known/chosen plaintext/ciphertext pairs which allow us to recover the key with high…
user79425
11 votes, 2 answers

What do NM-CPA and NM-CCA mean?

When I've been researching authenticated encryption, the following terms keep showing up: NM-CPA, NM-CCA ... without any definition as to what they mean. I've tried searching the web for their definitions, but I'm not getting very far. Could…