14

I read somewhere that if a cipher has a known-plaintext attack, then it is considered completely broken.

Say there is a cipher that someone uses where the algorithm is understood and a known-plaintext attack is trivial to perform, however a ciphertext only attack is as impractical as brute force. The XOR-Cipher with the key length equal to message length, for example.

If the user changes the key for every message sent, then what use is a known-plaintext attack?

It's always been my understanding that if one finds the key to a message they already know but to nothing else, then that is just as useless as not being able to perform a known-plaintext attack at all.

So what use is a known-plaintext attack in a world where a key is never used more than once (effectively a one-time pad)? How is that "a complete break"?

Danegraphics

4 Answers

24

if a cipher has a known-plaintext attack, then it is considered completely broken.

Yes, pretty much...

[Paraphrased] But can't we come up with a case where this isn't true, such as a One Time Pad?

Yes, we can come up with cases like that; however the requirements of such a case (key as long as the plaintext, no key reuse) make such a cipher impractical.

Instead, when we talk about such a cipher:

  • We generally use the same key to encrypt multiple messages (for example, consider TLS, where the symmetric key is used to encrypt all records going in the same direction)

  • And, even when we use a key to encrypt only one message, the attacker might be able to guess parts of it; if he can use those guessed parts as known plaintexts, and recover the parts he didn't know (or even to verify if his guess is accurate), well, the cipher didn't do its job.

"Known plaintexts implies total break" is an excellent rule-of-thumb, even if you can come up with cases where it is not true.

poncho
17

If the user changes the key for every message sent, then what use is a known-plaintext attack?

Stop right there. This is not what we are trying to prove when conducting a known-plaintext attack. A known-plaintext attack is one where we are given a bunch of ciphertexts, all stemming from encryption using a fixed key. We are then given one plaintext/ciphertext pair, that was formed using the same fixed key. The question we want to answer is whether or not having this known plaintext/ciphertext pair gives the attacker some sort of advantage in breaking the other ciphertexts.

Now, how could this help in a real-world attack? Well, often there will be some known plaintext/ciphertext pairs in a long message. If, for example, we are encrypting an HTML document, there is a lot of header information that will likely be consistent. So, say the program encrypts with ECB mode. If I have a pretty good guess what the first block of plaintext is, and I can perform a known-plaintext attack, I can recover the key and get the remaining blocks. That key won't help me decrypt other blocks, but I can break them using the same method since all of the HTML documents are likely to have some known (or easily guessable) beginning.

And don't believe that this is only because my example used ECB. In other modes, similar attacks can be constructed.

mikeazo
4

Another, more indirect take on this: because of the semantic security requirement, we evaluate ciphers by their ability to resist an adaptive chosen-plaintext attack—where the attack not only sees some plaintext/ciphertext pairs, but also:

  1. Gets to choose which plaintexts they wish to see ciphertexts for;
  2. Gets to use the knowledge they gain from earlier choices to make later ones.

And not only that, we don't require that the attacker be able to actually decipher messages before we declare them victorious. They win if they meet the much lower bar of distinguishability.

Compared to this, the ability to decipher messages from non-chosen known plaintexts is a scenario where an attacker has fewer advantages and yet accomplishes more. So totally broken, yes.


Of course, that shifts your question around. Why do we consider ciphers to be broken if there's a distinguishing attack with adaptive chosen-plaintexts? Several reasons:

  • Semantic security: We don't just want that the attacker be unable to recover the plaintext. We want the attacker not to be able to learn anything about the plaintext. That's why cryptography aims for the high bar of indistinguishability—it's the one thing that guarantees semantic security.
  • Interactive protocols: Cryptography today is used by programs that communicate through interactive client/server protocols, where attackers are often able to cause servers to encrypt plaintexts of their choice. So safety from adaptive chosen-plaintext attacks is a suitably high bar that guarantees that this doesn't give attackers any advantages.
  • Other applications: Ciphers aren't just used for encryption. They're also routinely used for random number generation, for example by running a block cipher in CTR mode. In this case the plaintext is a sequence of blocks with public nonce and counter values, so the attacker knows all of the plaintexts!
  • Conservativeness: Setting a very high bar for the defender and a very low one for the attacker is just safer. Remember that the attacker always has the advantage:
    • The cipher's designer has to defend against attacks that nobody has thought of yet;
    • The attacker is free to come up with new attacks years after the cipher design was done.

And note additionally that even though it is good and common practice to rekey often, modern cryptography almost always involves some amount of key reuse—either literally (using the same key to encrypt more than one message), indirectly (using a block cipher mode of operation to encrypt a message longer than the key), or in the very loose sense of just using a key shorter than the message.

But the other thing to say is that many of the motivations for rekeying are driven not by the fear that the cipher will be broken, but rather by key management concerns—the fear that some of the keys will be disclosed. Rekeying frequently limits the damage in such scenarios.

Luis Casillas
1

Here's an analogue of your question:

What is the use of cars which can seat six people when there are only four people in my family?

If a key is not used more than once, then you do not need security against chosen plaintext attacks. But other (most) people do need it.

fkraiem