Chosen-ciphertext attack facts for kids

A chosen-ciphertext attack (CCA) is a way for a bad guy, often called a code-breaker or attacker, to try to crack a secret code. They do this by picking some coded messages (called ciphertext) and then asking a computer or system to decode them. By seeing the decoded messages, the attacker tries to learn how the secret code works.

If a secret code system can be broken by a chosen-ciphertext attack, people who use it must be very careful. They need to make sure that attackers can't easily get messages decoded, even if they only choose parts of the messages. Some coding systems, like RSA, use the same method to sign messages and to decode them. This can create problems if a special step (called hashing) is not applied to the message before it's signed. A better way is to use a coding system that is proven to be safe against these attacks. Examples include RSA-OAEP, Cramer-Shoup, and many types of authenticated symmetric encryption.

Types of Chosen-Ciphertext Attacks

Chosen-ciphertext attacks can happen in different ways. They can be "adaptive" or "non-adaptive."

Non-Adaptive Attacks

In a non-adaptive attack, the attacker chooses all the coded messages they want to decode right at the start. They don't change their choices based on what they learn from the decoded messages. It's like they have a fixed list of messages they want to try.

Adaptive Attacks

In an adaptive chosen-ciphertext attack, the attacker is smarter. They choose coded messages to decode, and then they use the results to help them pick the *next* coded message to try. This means their plan changes as they learn more.

Lunchtime Attacks

A special kind of adaptive attack is called a "lunchtime" or "midnight" attack. Imagine a computer that can decode messages is left alone while its owner goes to lunch. An attacker might use this short time to ask the computer to decode messages they chose. But they only have a limited time to do this. After that time, they have to show what they've learned about the secret code system.

This type of attack was one of the first ones people talked about. If an attacker can keep asking for messages to be decoded, no secret message would be safe for long. This attack is sometimes called "non-adaptive chosen ciphertext attack" too. Here, "non-adaptive" means the attacker can't change their requests *after* they are given a final secret message to break.

A famous example of a lunchtime attack happened when Daniel Bleichenbacher from Bell Laboratories found a way to break systems that used a method called PKCS#1, which was created by RSA Security.

Full Adaptive Chosen-Ciphertext Attack

A full adaptive chosen-ciphertext attack is even stronger. In this attack, the attacker can choose coded messages to decode both *before* and *after* they are given a special "challenge" message to break. The only rule is that they can't ask the system to decode the challenge message itself.

This type of attack is much harder to defend against than a lunchtime attack. It's often called a CCA2 attack, while the lunchtime attack is sometimes called a CCA1 attack. Not many real-world attacks are this strong. However, this model is very important for proving how safe a coding system is. If a system is proven to be safe against this strong type of attack, it means almost any practical chosen-ciphertext attack won't work.

Secret code systems that are proven to be safe against full adaptive chosen-ciphertext attacks include the Cramer-Shoup system and RSA-OAEP.
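
The example below is added here and is not part of the original page. It plays the full adaptive game described above against two small schemes: a plain one with no integrity check, and an authenticated one (encrypt-then-MAC). The toy keystream, the function names and the sample message are all made up for this illustration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode), constructed for this example only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_plain(key, msg):
    nonce = os.urandom(12)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))

def decrypt_plain(key, ct):
    return xor(ct[12:], keystream(key, ct[:12], len(ct) - 12))

def encrypt_auth(keys, msg):
    body = encrypt_plain(keys[0], msg)
    return body + hmac.new(keys[1], body, hashlib.sha256).digest()

def decrypt_auth(keys, ct):
    body, tag = ct[:-32], ct[-32:]
    expected = hmac.new(keys[1], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # tampered ciphertext: refuse to decode
    return decrypt_plain(keys[0], body)

def make_oracle(decrypt, challenge):
    # CCA2 rule from the text: decode anything except the challenge itself.
    return lambda ct: None if ct == challenge else decrypt(ct)

def related_query(challenge):
    # A different ciphertext built from the challenge: one bit of byte 12 flipped.
    changed = bytearray(challenge)
    changed[12] ^= 0x01
    return bytes(changed)

def oracle_answer(authenticated, msg=b"meet at noon"):
    # Returns (answer for the challenge, answer for the related ciphertext).
    keys = (os.urandom(32), os.urandom(32))
    if authenticated:
        challenge = encrypt_auth(keys, msg)
        ask = make_oracle(lambda ct: decrypt_auth(keys, ct), challenge)
    else:
        challenge = encrypt_plain(keys[0], msg)
        ask = make_oracle(lambda ct: decrypt_plain(keys[0], ct), challenge)
    return ask(challenge), ask(related_query(challenge))
```

With the plain scheme the second answer differs from the secret message by only one bit, so the "no challenge" rule protects nothing. With the authenticated scheme both answers are refused, which is the behavior a system should be checked for.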
