Talk:Adaptive chosen-ciphertext attack
|WikiProject Cryptography / Computer science||(Rated Start-class, Mid-importance)|
"Unlike ad-hoc schemes such as the padding used in PKCS #1 v1, OAEP is provably secure under the random oracle model."
I was under the impression that the original proof was proven to be wrong in papers from Crypto 2001 - anyone knows more about that?--188.8.131.52 22:02, 27 February 2006 (UTC)
Plaintext awareness is not sufficient for security against chosen-ciphertext attacksEdit
Here is a heuristic example: If you encrypt a message m with RSA PKCS#1 v1.5 then the system is not plaintext aware. If you concatenate the encryption with a secure hash of the message then the encryption becomes plaintext aware, but is not longer semantically secure, because an attacker can simply try to guess the message, hash it and compare the result with the hash. So for getting security against chosen-ciphertext attacks you need a little bit more than just plaintext awareness. 184.108.40.206 17:59, 7 February 2007 (UTC)
- Actually, I'm not that sure anymore. The paper "Relations among notions of security for public-key encryption schemes" by M. Bellare, A. Desai, D. Pointcheval and P. Rogaway  indeed proofs that plaintext awareness implies security against chosen-ciphertext attacks. However, the definition of plaintext awareness in this paper seems to imply semantic security, wheras the informal wikipedia definition does not. 220.127.116.11 18:41, 7 February 2007 (UTC)
Bleichenbacher's attack stronger than adaptive chosen ciphertext attackEdit
As I understand it, Bleichenbacher's makes uses of a severely limited chosen ciphertext oracle that does not return the full plaintext but rather a single bit indicating whether the raw RSA plaintext is properly PKCS #1 v1.5 formatted. So, his attack does not require the full CCA2 oracle: it can success with less information, making it a stronger attack.
A critique of the CCA2 security definition is that ciphertext-decrypting oracle's limitation on not decrypting the challenge ciphertext is artificial. The critique suggests that CCA2 security is not really needed to avoid a practical attack.
Bleichenbacher's practical attack can be described without the ciphertext limitation above: one can submit the challenge cipherext to the oracle, which returns a bit about the challenge plaintext. It is realistic to suppose that the challenge ciphertext was already correctly PKCS#1 v1.5 formatteed, so this bit would always return 1, so the oracle reveals nothing new.
So, Bleichenbacher's attack does not overcome the critique above regarding CCA2. The article, as written, could be construed to support of the necessity of CCA2 to overcome a practical attack. I propose amending the article slightly to avoid giving this impression. DRLB (talk) 18:39, 2 March 2011 (UTC)