Can it be proven that an attacker can obtain the full message if he knows some plain-ciphertext pairs?
Viewed 7,348 times
1 Answers
7
Assuming you don't use counter-measures against this kind of attack, a chosen-ciphertext attack works as follows:
Variables: $p$ is the field prime, $\alpha$ is the chosen generator, $a$ is the private key, $\alpha^a=\beta$ is the public key. $k'$ and $m'$ are chosen at random.
Note: all the following equations are $\pmod{p}$.
- Suppose you want to decrypt the ciphertext $C=(\gamma,\delta)=(\alpha^k,m*\beta^k)$
- Now calculate $C'=(\gamma*\alpha^{k'},\delta*\beta^{k'}*(m'))$
- Now give $C'$ to the decryption oracle, you'll get $m''$ in return.
- Finally calculate $m=m''*(m')^{-1}$
Why does this work?
Observe that $\gamma'=\gamma*\alpha^{k'}=\alpha^k*\alpha^{k'}=\alpha^{k+k'}=\alpha^{k''}$.
Further observe that $\delta'=\delta*\beta^{k'}*(m')=m*\beta^k*\beta^{k'}*(m')=(m*m')*\beta^{k+k'}=(m'')*\beta^{k''}$
If you let this pair get decrypted, you'll get $m''=m' * m$ in return and hence $m=m''*(m')^{-1}$ holds.
SEJPM
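The steps in the answer above, carried through in Python as an added example (not part of the original answer), showing why textbook ElGamal needs a CCA-secure wrapper: an oracle that refuses only the exact target ciphertext still returns $m \cdot m'$ for the re-randomised one. The prime, the base `ALPHA`, the message and all function names are constructed assumptions with toy-sized parameters.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
P = 2**127 - 1        # a Mersenne prime standing in for the field prime p
ALPHA = 3             # stands in for the chosen generator alpha

def keygen():
    a = secrets.randbelow(P - 2) + 1                  # private key a
    return a, pow(ALPHA, a, P)                        # (a, beta = alpha^a)

def encrypt(beta, m):
    k = secrets.randbelow(P - 2) + 1
    return pow(ALPHA, k, P), m * pow(beta, k, P) % P  # C = (gamma, delta)

def decrypt(a, c):
    gamma, delta = c
    return delta * pow(pow(gamma, a, P), -1, P) % P   # delta / gamma^a

def make_oracle(a, forbidden):
    """Decryption oracle that refuses only the exact target ciphertext."""
    def oracle(c):
        if c == forbidden:
            raise ValueError("refusing to decrypt the target ciphertext")
        return decrypt(a, c)
    return oracle

def recover(oracle, beta, c):
    """Re-randomise with k', blind with m', query the oracle, unblind."""
    gamma, delta = c
    k1 = secrets.randbelow(P - 2) + 1                 # k'
    m1 = secrets.randbelow(P - 2) + 2                 # m', never 0 or 1
    c1 = (gamma * pow(ALPHA, k1, P) % P,
          delta * pow(beta, k1, P) * m1 % P)          # C'
    m2 = oracle(c1)                                   # m'' = m * m'
    return m2 * pow(m1, -1, P) % P                    # m = m'' * (m')^-1

def demo():
    a, beta = keygen()
    m = int.from_bytes(b"constructed msg", "big")     # sample message < P
    c = encrypt(beta, m)
    return m, recover(make_oracle(a, c), beta, c)

if __name__ == "__main__":
    original, recovered = demo()
    print("recovered matches original:", original == recovered)
```

Comparing incoming ciphertexts against the target, as `make_oracle` does, does not help because $C'$ never equals $C$; the malleability itself has to be removed.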