
Talk:Adaptive chosen-ciphertext attack



"Unlike ad-hoc schemes such as the padding used in PKCS #1 v1, OAEP is provably secure under the random oracle model."

I was under the impression that the original proof was shown to be wrong in papers from Crypto 2001 - does anyone know more about that? -- 22:02, 27 February 2006 (UTC)

The original definition and proof were not strong enough. But a better proof has been published. See Optimal Asymmetric Encryption Padding for details. 13:35, 7 October 2006 (UTC)

Plaintext awareness is not sufficient for security against chosen-ciphertext attacks

Here is a heuristic example: If you encrypt a message m with RSA PKCS#1 v1.5, then the system is not plaintext aware. If you concatenate the encryption with a secure hash of the message, then the encryption becomes plaintext aware but is no longer semantically secure, because an attacker can simply try to guess the message, hash it and compare the result with the hash. So for getting security against chosen-ciphertext attacks you need a little bit more than just plaintext awareness. 17:59, 7 February 2007 (UTC)
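The loss of semantic security described in the comment above, played out as an IND-CPA game (an added illustration, not part of the talk page or of any cited paper). The RSA part of the ciphertext is replaced by an opaque random stand-in, since the distinguisher never looks at it; only the exposed hash tag matters.

```python
import hashlib
import os
import secrets


def opaque_encrypt(message: bytes) -> bytes:
    """Stand-in for the RSA PKCS#1 v1.5 ciphertext of `message` (constructed:
    random bytes, not real RSA).  The adversary below never inspects it."""
    return os.urandom(32)


def encrypt_with_hash_tag(message: bytes) -> tuple[bytes, bytes]:
    """The heuristic scheme from the discussion: E(m) || SHA-256(m).
    The appended hash is what makes the scheme 'plaintext aware' here."""
    return opaque_encrypt(message), hashlib.sha256(message).digest()


def distinguisher(m0: bytes, m1: bytes, ciphertext: tuple[bytes, bytes]) -> int:
    """IND-CPA adversary: given two candidate plaintexts and the challenge
    ciphertext, hash both candidates and compare against the exposed tag.
    No decryption oracle is needed, so this is a chosen-plaintext break."""
    _, tag = ciphertext
    return 0 if hashlib.sha256(m0).digest() == tag else 1


def ind_cpa_advantage(m0: bytes, m1: bytes, trials: int = 200) -> float:
    """Run the IND-CPA game `trials` times: the challenger picks a secret bit b,
    encrypts m_b, and the adversary guesses b.  Returns 2*Pr[correct] - 1,
    so 0.0 means no better than coin-flipping and 1.0 means always right."""
    correct = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = encrypt_with_hash_tag(m1 if b else m0)
        if distinguisher(m0, m1, challenge) == b:
            correct += 1
    return 2 * correct / trials - 1


if __name__ == "__main__":
    # Constructed low-entropy message pair, e.g. a yes/no reply.
    print("advantage:", ind_cpa_advantage(b"yes", b"no"))
```

For any message space the attacker can enumerate, the same hash comparison recovers the plaintext outright, which is the "guess the message, hash it and compare" step in the comment.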

Actually, I'm not that sure anymore. The paper "Relations among notions of security for public-key encryption schemes" by M. Bellare, A. Desai, D. Pointcheval and P. Rogaway [1] indeed proves that plaintext awareness implies security against chosen-ciphertext attacks. However, the definition of plaintext awareness in this paper seems to imply semantic security, whereas the informal Wikipedia definition does not. 18:41, 7 February 2007 (UTC)

Bleichenbacher's attack stronger than adaptive chosen ciphertext attack

As I understand it, Bleichenbacher's attack makes use of a severely limited chosen-ciphertext oracle that does not return the full plaintext but rather a single bit indicating whether the raw RSA plaintext is properly PKCS #1 v1.5 formatted. So, his attack does not require the full CCA2 oracle: it can succeed with less information, making it a stronger attack.

A critique of the CCA2 security definition is that the ciphertext-decrypting oracle's limitation of not decrypting the challenge ciphertext is artificial. The critique suggests that CCA2 security is not really needed to avoid a practical attack.

Bleichenbacher's practical attack can be described without the ciphertext limitation above: one can submit the challenge ciphertext to the oracle, which returns a bit about the challenge plaintext. It is realistic to suppose that the challenge ciphertext was already correctly PKCS#1 v1.5 formatted, so this bit would always return 1, so the oracle reveals nothing new.

So, Bleichenbacher's attack does not overcome the critique above regarding CCA2. The article, as written, could be construed to support the necessity of CCA2 to overcome a practical attack. I propose amending the article slightly to avoid giving this impression. DRLB (talk) 18:39, 2 March 2011 (UTC)
