Cryptography Reference
In-Depth Information
plaintext or chosen ciphertext. In the discussion of
the preceding paragraphs, the cryptanalyst knows only
the ciphertext and general structural information
about the plaintext. Often the cryptanalyst either will
know some of the plaintext or will be able to guess at,
and exploit, a likely element of the text, such as a letter
beginning with “Dear Sir” or a computer session starting
with “LOG IN.” The last category represents the most
favourable situation for the cryptanalyst, in which he
can cause either the transmitter to encrypt a plaintext of
his choice or the receiver to decrypt a ciphertext that he
chose. Of course, for single-key cryptography there is no
distinction between chosen plaintext and chosen ciphertext,
but in two-key cryptography it is possible for one
of the encryption or decryption functions to be secure
against chosen input while the other is vulnerable.

One measure of the security of a cryptosystem is
its resistance to standard cryptanalysis; another is its
work function, i.e., the amount of computational effort
required to search the key space exhaustively. The first can
be thought of as an attempt to find an overlooked back
door into the system, the other as a brute-force frontal
attack. Assume the analyst has only ciphertext available
and, with no loss of generality, that it is a block cipher.
He could systematically begin decrypting a block of the
cipher with one key after another until a block of meaningful
text was output (although it would not necessarily
be a block of the original plaintext). He would then try
that key on the next block of cipher, very much like the
technique devised by Friedrich Kasiski to extend a partially
recovered key from the probable plaintext attack on
a repeated-key Vigenère cipher. If the cryptanalyst has the
time and resources to try every key, he will eventually find
the right one. Clearly, no cryptosystem can be more secure
than its work function.
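
The exhaustive search described above, as an added example that is not part of the original text. It assumes a toy 16-bit Feistel block cipher, a constructed key and message, and a "meaningful text" test of uppercase letters and spaces; it shows that many wrong keys give plausible output on the first block and that trying them on later blocks eliminates them.

```python
import hashlib

KEY_BITS = 16          # toy key space: work function is at most 2**16 trials
ROUNDS = 4
SECRET_KEY = 0xB3C7    # constructed for this example
PLAINTEXT = b"LOG IN AS OPERATOR AT DAWN"  # constructed, even length

def _f(key: int, rnd: int, half: int) -> int:
    """Toy round function: one byte of SHA-256 over (key, round, half-block)."""
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]

def encrypt_block(key: int, block: bytes) -> bytes:
    """Encrypt one 2-byte block with a 4-round Feistel network."""
    left, right = block
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return bytes([left, right])

def decrypt_block(key: int, block: bytes) -> bytes:
    """Invert encrypt_block by running the rounds backwards."""
    left, right = block
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return bytes([left, right])

def ciphertext_blocks(key: int, message: bytes) -> list:
    return [encrypt_block(key, message[i:i + 2]) for i in range(0, len(message), 2)]

def looks_meaningful(block: bytes) -> bool:
    """Assumed plaintext structure: uppercase ASCII letters and spaces only."""
    return all(b == 0x20 or 0x41 <= b <= 0x5A for b in block)

def exhaustive_search(blocks: list):
    """Return (keys plausible on block 1, keys plausible on every block, trials)."""
    first = [k for k in range(2 ** KEY_BITS)
             if looks_meaningful(decrypt_block(k, blocks[0]))]
    survivors = [k for k in first
                 if all(looks_meaningful(decrypt_block(k, b)) for b in blocks[1:])]
    return first, survivors, 2 ** KEY_BITS

if __name__ == "__main__":
    blocks = ciphertext_blocks(SECRET_KEY, PLAINTEXT)
    first, survivors, trials = exhaustive_search(blocks)
    print(f"{trials} keys tried; {len(first)} plausible on block 1; "
          f"{len(survivors)} plausible on all {len(blocks)} blocks")
    print("recovered:", b"".join(decrypt_block(survivors[0], b) for b in blocks))
```

Each added key bit doubles the number of trials in `exhaustive_search`, which is why the work function bounds the security of the system from above.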
 