Cryptography Reference
RSA (defined earlier) is not known to be secure under standard assumptions such as
the intractability of factoring (or of inverting the RSA function). [footnote 2]
B.1.3. Beyond Eavesdropping Security
The foregoing definitions refer only to a “passive” attack in which the adversary merely
eavesdrops on the communication line (over which ciphertexts are being sent). Stronger
types of attacks, culminating in the so-called chosen ciphertext attack, may be possible
in various applications. Furthermore, these definitions refer to an adversary that tries
to extract explicit information about the plaintext. A less explicit attempt, captured by
the so-called notion of malleability, is to generate an encryption of a related plaintext
(possibly without learning anything about the original plaintext). Thus, we have a
“matrix” of adversaries, with one dimension (parameter) being the type of attack and
the second being its purpose.
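As an added illustration of malleability (not part of the original text), the following Python example uses unpadded "textbook" RSA with constructed toy parameters; the function names and key values are assumptions made for this example. It shows a party that holds only the public key and a ciphertext producing an encryption of a related plaintext (a known multiple of the original) without ever learning the original.

```python
# Added example: malleability of unpadded ("textbook") RSA.
# All key material below is a constructed toy value, far too small for real use.
import secrets

P, Q = 2**31 - 1, 2**61 - 1        # two known Mersenne primes (toy sizes)
N, E = P * Q, 65537                # public key
D = pow(E, -1, (P - 1) * (Q - 1))  # private key, held only by the receiver


def encrypt(m: int) -> int:
    """Deterministic textbook RSA: no padding, no randomness."""
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Receiver-side decryption with the private exponent."""
    return pow(c, D, N)


def maul(c: int, factor: int) -> int:
    """Public-key-only transformation: Enc(m) -> Enc(factor * m mod N).

    Uses only (N, E) and the ciphertext; the plaintext is never recovered.
    """
    return (c * pow(factor, E, N)) % N


def malleability_experiment(factor: int = 2) -> dict:
    """Run the 'related plaintext' game once with a random hidden plaintext."""
    m = 1 + secrets.randbelow(N // factor - 1)  # hidden from the adversary
    c = encrypt(m)                              # what the eavesdropper sees
    c_related = maul(c, factor)                 # adversary's output
    return {
        "ciphertext_changed": c_related != c,
        "relation_holds": decrypt(c_related) == (factor * m) % N,
    }


if __name__ == "__main__":
    print(malleability_experiment())
```

The adversary here is purely passive with respect to the decryption key: it never queries a decryption oracle, yet it succeeds at the "related ciphertext" purpose in the matrix of adversaries described above.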
Types of Attacks. The following mini-taxonomy of attacks certainly is not exhaustive:
1. Passive attacks, as captured in the foregoing definitions. Among public-key schemes,
we distinguish two sub-cases:
(a) A key-oblivious passive attack, as captured in the foregoing definitions. By “key-
obliviousness” we refer to the fact that the choice of plaintext does not depend on
the public key.
(b) A key-dependent passive attack, in which the choice of plaintext may depend on the
public key.
(In Definition B.1.1 the choice of plaintext means the random variable X_n, whereas in
Definition B.1.2 it means the pair of strings (x_n, y_n). In both of these definitions, the
choice of the plaintext is non-adaptive.)
2. Chosen plaintext attacks. Here the attacker can obtain the encryption of any plaintext of
its choice (under the key being attacked). Such an attack does not add power in the case of
public-key schemes.
3. Chosen ciphertext attacks. Here the attacker can obtain the decryption of any ciphertext
of its choice (under the key being attacked). That is, the attacker is given oracle access
to the decryption function corresponding to the decryption key in use. We distinguish
two types of such attacks:
(a) In an a-priori-chosen ciphertext attack, the attacker is given this oracle access prior
to being presented the ciphertext that it will attack (i.e., the ciphertext for which
it has to learn partial information or form a related ciphertext). That is, the attack
consists of two stages: In the first stage the attacker is given the oracle access, and
in the second stage the oracle is removed and the attacker is given a “test ciphertext”
(i.e., a target to be learned or modified in violation of non-malleability).
Footnote 2: Recall that Randomized RSA is secure assuming that the n/2 least significant bits constitute a hard-core
function for n-bit RSA moduli. We only know that the O(log n) least significant bits constitute a hard-core
function for n-bit moduli [5].