Security against Chosen-Plaintext Attacks
Discourse on November 17, 2016, for the cryptography seminar at FU Berlin
Up to this point, we have only discussed security definitions in which the adversary Eve passively eavesdrops on a ciphertext sent between the honest parties A and B, who share a key k. The following figure illustrates this setting.
illustration not visible in this excerpt
Figure 1: Previous Eavesdropper Model
We have already seen some possibilities to realize this communication model, for example One-Time Pads or Pseudorandom Generators. In this discourse, I want to introduce you to a stronger security definition, where the adversary gets the ability to learn additional details about the messages that are being sent between the honest parties A and B. In the following, I am going to explain why it is necessary to consider this communication model and how to maintain security for the communication.
2 Chosen-Plaintext Attacks
Let us assume that the adversary could influence which messages the honest parties encrypt. The honest parties A and B, sharing a key k, would then proceed to send those influenced messages in encrypted form over a channel the adversary can observe. The figure below illustrates what happens if the eavesdropper Eve makes A encrypt several messages m0, m1, ... using k.
illustration not visible in this excerpt
Figure 2: The eavesdropper influences the encrypted messages
At a later point in time, the adversary observes a ciphertext which belongs to an unknown message m. Let us even assume the adversary knows that the message is either m0 or m1. Security against so-called chosen-plaintext attacks, or CPA for short, means that even in this case the attacker cannot tell which message has been encrypted with a significantly better chance than simply guessing.
Now, a question worth asking is: Why is this a realistic security concern, and how can an eavesdropper possibly influence what is being encrypted? The following real-world examples answer these questions.
Example 1. Let's assume the adversary is typing on a terminal of a computer which then encrypts and sends everything the attacker writes using a key shared with a remote server, and therefore unknown to the attacker. Here the adversary controls exactly what is being encrypted, but the encryption scheme should stay secure when it is used to encrypt data for another user.
Example 2. A famous example of a chosen-plaintext attack took place in World War II. US cryptanalysts intercepted an encrypted message from the Japanese, which they were able to partially decode. It stated that the Japanese were planning an attack on AF, where AF was a ciphertext the US was unable to decode.
The US now believed that Midway Island was the target, but couldn't convince the authorities of this assumption, since the general belief was that Midway Island could not possibly be the aim. The US then carried out a chosen-plaintext attack by encrypting the fake message that Midway Island was low on water supply. The Japanese intercepted this message and immediately reported to their superiors: "AF is low on water."
Of course, this was the proof the US cryptanalysts needed, and the US immediately sent several aircraft carriers, resulting in the rescue of Midway Island.
If the Japanese encryption scheme had been secure against CPA, this strategy would not have worked and history might have turned out very differently.
Although we have now accepted the necessity of CPA security, we still have to state precisely what it means for an encryption scheme to be secure against chosen-plaintext attacks. Consequently, to formally define security against chosen-plaintext attacks, let's consider the following experiment, defined for any encryption scheme Π = (Gen, Enc, Dec), adversary A and value n of the security parameter.
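To make the CPA notion from the previous section and the experiment introduced here concrete, the following is an added example (my own Python code, not part of the original discourse) that simulates the experiment PrivK^cpa with an encryption oracle against two toy schemes built from a pseudorandom function F: a deterministic one, Enc_k(m) = F_k(0) XOR m, and the standard randomized one, Enc_k(m) = (r, F_k(r) XOR m) with a fresh random r per encryption. Using HMAC-SHA256 as the pseudorandom function, the 16-byte key and nonce lengths, and the adversary's strategy (re-encrypt m0 through the oracle and compare) are all assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 16    # key length in bytes; stands in for the security parameter n
NONCE_LEN = 16  # length of the per-encryption random value r


def gen(n: int = KEY_LEN) -> bytes:
    """Gen(1^n): output a uniformly random n-byte key."""
    return os.urandom(n)


def prf(k: bytes, x: bytes) -> bytes:
    """Pseudorandom function F_k(x). Assumption of this example: HMAC-SHA256 is a PRF."""
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


# Scheme 1 (deterministic): Enc_k(m) = F_k(0) XOR m. The same pad is reused for
# every message, so equal plaintexts always give equal ciphertexts.
def enc_det(k: bytes, m: bytes) -> bytes:
    assert len(m) <= 32, "toy scheme: messages of at most one SHA-256 output"
    return xor(prf(k, bytes(NONCE_LEN)), m)


def dec_det(k: bytes, c: bytes) -> bytes:
    return enc_det(k, c)


# Scheme 2 (randomized): Enc_k(m) = (r, F_k(r) XOR m) with a fresh random r per call.
def enc_rand(k: bytes, m: bytes) -> bytes:
    assert len(m) <= 32, "toy scheme: messages of at most one SHA-256 output"
    r = os.urandom(NONCE_LEN)
    return r + xor(prf(k, r), m)


def dec_rand(k: bytes, c: bytes) -> bytes:
    r, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return xor(prf(k, r), body)


class OracleComparingAdversary:
    """CPA adversary: chooses two equal-length messages and, after receiving the
    challenge, asks the oracle to encrypt m0 again and checks for an exact match."""
    M0 = b"attack at dawn!!"  # constructed sample messages
    M1 = b"attack at dusk!!"

    def choose(self, oracle):
        return self.M0, self.M1

    def guess(self, oracle, challenge: bytes) -> int:
        # An exact match is only possible when the encryption is deterministic.
        return 0 if oracle(self.M0) == challenge else 1


def priv_k_cpa(enc, adversary, n: int = KEY_LEN) -> int:
    """One run of PrivK^cpa_{A,Pi}(n): returns 1 iff the guess b' equals the hidden bit b."""
    k = gen(n)
    oracle = lambda m: enc(k, m)      # A may query Enc_k(.) freely ...
    m0, m1 = adversary.choose(oracle)
    assert len(m0) == len(m1)
    b = secrets.randbelow(2)
    challenge = enc(k, m1 if b else m0)
    b_guess = adversary.guess(oracle, challenge)  # ... before and after the challenge
    return int(b_guess == b)


def success_rate(enc, trials: int = 1000) -> float:
    """Empirical Pr[PrivK^cpa = 1]; CPA security requires this to be at most 1/2 + negl(n)."""
    wins = sum(priv_k_cpa(enc, OracleComparingAdversary()) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme:", success_rate(enc_det))
    print("randomized scheme:   ", success_rate(enc_rand))
```

Against the deterministic scheme the oracle answer equals the challenge exactly when b = 0, so this adversary wins every run; against the randomized scheme the fresh r makes the comparison always fail, the adversary always guesses 1, and its success rate is the same 1/2 that plain guessing gives. Note that the deterministic scheme is perfectly fine as a one-time encryption of a single message; it is the oracle access of the CPA experiment that breaks it.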
Institution: Free University of Berlin – Fachbereich für Mathematik und Informatik