Questions tagged [chosen-ciphertext-attack]

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

222 questions
78
votes
1 answer

Can you explain Bleichenbacher's CCA attack on PKCS#1 v1.5?

I've studied that Bleichenbacher's CCA attack on PKCS#1 v1.5 is the basis for many versions of attacks in the area. I'm trying to understand that attack, but every explanation I saw starts with the technical details, without giving some overview,…
Bush
75
votes
1 answer

Easy explanation of "IND-" security notions?

There are many schemes that can advertise themselves with certain security notions, usually IND-CPA or IND-CCA2, for example plain ElGamal has IND-CPA security but doesn't provide IND-CCA security. The most common ones are the "IND-" ones,…
30
votes
2 answers

How does a chosen ciphertext attack work, with a simple example?

Can someone please explain - using a simple example - how a chosen ciphertext attack works?
mixkat
23
votes
2 answers

How does a padding oracle attack work?

I am unsure of how a padding oracle attack works. What I am not getting is how changing one bit at a time allows one to exploit (get keys from) ASP.NET machines. Can anyone explain this?
Mark Dioes
19
votes
5 answers

AES-GCM: is it acceptable to return the wrong plaintext if the tag is incorrect?

Let's start by saying I'm no cryptography expert, I'm just a developer, so feel free to correct me (using words, not downvotes) if what I'm saying is nonsense. Context: I'm doing some crypto as a service for embedded devices. Users of this service…
ShellCode
17
votes
1 answer

The difference between these 4 cipher-breaking techniques?

I'm trying to understand the difference between the following and what they actually mean: known plaintext attack, known ciphertext attack, chosen ciphertext attack, chosen plaintext attack. Any clarification is much appreciated…
15
votes
3 answers

Is the CBC weakness in XML Encryption a new discovery? Are other applications vulnerable?

The RUB in Germany reports that XML encryption is broken. This is essentially the W3C standard for protecting XML documents from prying eyes. Does this mean that an attacker can only see a single message, or that they can actually infer the…
14
votes
5 answers

Does Grover's algorithm really threaten symmetric security proofs?

By Shannon's theorem of perfect security, if I give you a ciphertext 'LOUPL', you can do a brute-force attack and then you would find plaintexts like 'HELLO', 'APPLE', 'SPOON', but you can't distinguish the true plaintext from the fake one, unless…
13
votes
1 answer

Can a homomorphic encryption scheme be made CCA2 Secure?

Is it possible to modify a homomorphic encryption scheme so that it can be CCA2 secure? From the definition of a homomorphic scheme, it seems that it is malleable, which would result in lack of CCA2 security. So, if we use the regular method to…
Misty
13
votes
1 answer

Why do we encrypt-then-mac but sign-then-encrypt?

This question was asked in comments on my answer to Should we MAC-then-encrypt or encrypt-then-MAC? I think posing the question as a separate entity is best, so: The general advice for applying MACs seems to be that we should encrypt first, then…
user46
12
votes
2 answers

Are common (secure) stream ciphers CCA1-secure?

My latest question and especially Ricky Demer's comment on the answer got me thinking: This homomorphic transformation of RSA is most likely IND-CPA and maybe even IND-CCA1, but if it could be IND-CCA1, so could be a stream cipher in theory. This is…
SEJPM
11
votes
2 answers

What do NM-CPA and NM-CCA mean?

When I've been researching authenticated encryption, the following terms keep showing up: NM-CPA, NM-CCA ... without any definition as to what they mean. I've tried searching the web for their definitions, but I'm not getting very far. Could…
10
votes
1 answer

AES-CTR mode and the Biclique Attack

The biclique attacks that break AES (Biclique Cryptanalysis of the full AES) appear to require decryption oracles to work, presumably because the key schedule of AES is weaker in the decryption direction, enabling better bicliques to be constructed…
9
votes
2 answers

Is Bouncycastle RSA+OAEP implementation vulnerable to Manger’s attack?

I have written some code to encrypt a plaintext as below. Here I am using the Bouncy Castle crypto provider and using RSA+OAEP for that. public static void main(String [] args) throws Exception { Security.insertProviderAt(new…
NShani
8
votes
1 answer

Is there a way of maintaining malleability in a homomorphic encryption system while making it infeasible to perform chosen ciphertext attacks?

Is there a way of maintaining malleability in a homomorphic encryption system while making it infeasible to perform chosen ciphertext attacks? I have been reading about homomorphic encryption and malleable cryptosystems lately and have found it…