Chosen-ciphertext attack

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.

For formal definitions of security against chosen-ciphertext attacks, see for example Michael Luby and Mihir Bellare et al.

Introduction

A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen ciphertexts in an attempt to recover the hidden secret key.

It was not clear at all whether public key cryptosystems could withstand the chosen ciphertext attack until the initial breakthrough work of Moni Naor and Moti Yung in 1990, which suggested a mode of dual encryption with integrity proof (now known as the "Naor-Yung" encryption paradigm). This work made the notion of security against chosen ciphertext attack much clearer than before and opened the research direction of constructing systems with various protections against variants of the attack.

When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, other issues exist and some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP (secure under the random oracle heuristic) and Cramer-Shoup (which was the first practical public key system to be secure). For symmetric encryption schemes it is known that authenticated encryption, which is a primitive based on symmetric encryption, gives security against chosen ciphertext attacks, as was first shown by Jonathan Katz and Moti Yung.

Varieties

Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In an adaptive chosen-ciphertext attack, the attacker can use the results from prior decryptions to inform their choices of which ciphertexts to have decrypted. In a non-adaptive attack, the attacker chooses the ciphertexts to have decrypted without seeing any of the resulting plaintexts. After seeing the plaintexts, the attacker can no longer obtain the decryption of additional ciphertexts.

Lunchtime attacks

A specially noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system. The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen ciphertext attack"; here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen ciphertext queries has expired.

Adaptive chosen-ciphertext attack

Main article: Adaptive chosen-ciphertext attack

A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with only the stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack. Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks. A proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed.

A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against PKCS#1.

Numerous cryptosystems are proven secure against adaptive chosen-ciphertext attacks, some proving this security property based only on algebraic assumptions, some additionally requiring an idealized random oracle assumption. For example, the Cramer-Shoup system is secure based on number theoretic assumptions and no idealization, and after a number of subtle investigations it was also established that the practical scheme RSA-OAEP is secure under the RSA assumption in the idealized random oracle model.
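The two points the article keeps returning to are that a decryption oracle is fatal for a malleable scheme, and that authenticated encryption closes that oracle because modified ciphertexts are rejected before any plaintext leaves. The following Python is an added illustration written for this page, not code from the article or from any of the cited papers. It models the CCA2 game with its one rule (the challenge ciphertext itself may not be queried) against two constructed toy schemes: a plain XOR stream scheme whose keystream is derived with HMAC-SHA256, and the same scheme wrapped in encrypt-then-MAC. All names, the keystream construction and the sample message are assumptions of the example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (constructed for this example): HMAC-SHA256(key, nonce || counter).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Unauthenticated scheme: nonce || (plaintext XOR keystream). Malleable by design.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def aead_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the same stream core plus an HMAC tag over nonce || body.
    c = stream_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, c, hashlib.sha256).digest()
    return c + tag


def aead_decrypt(enc_key: bytes, mac_key: bytes, ciphertext: bytes):
    c, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject: no plaintext leaves the oracle for a forged ciphertext
    return stream_decrypt(enc_key, c)


class DecryptionOracle:
    """CCA2 decryption oracle: answers every query except the challenge ciphertext itself."""

    def __init__(self, decrypt, challenge: bytes):
        self._decrypt = decrypt
        self._challenge = challenge
        self.queries = 0

    def query(self, ciphertext: bytes):
        if ciphertext == self._challenge:
            raise ValueError("the challenge ciphertext itself may not be queried")
        self.queries += 1
        return self._decrypt(ciphertext)


def cca2_malleability_probe(encrypt, decrypt, message: bytes) -> bool:
    """One round of the adaptive chosen-ciphertext game against a scheme.

    Returns True when a ciphertext differing from the challenge in a single bit
    is accepted by the oracle and its answer reveals the challenge plaintext,
    i.e. the scheme is malleable and exposing a decryption oracle is fatal.
    Returns False when the oracle rejects the modified ciphertext.
    """
    challenge = encrypt(message)
    oracle = DecryptionOracle(decrypt, challenge)
    # Flip one bit of the first body byte: a distinct ciphertext, so the oracle must answer it.
    modified = bytearray(challenge)
    modified[NONCE_LEN] ^= 0x01
    answer = oracle.query(bytes(modified))
    if answer is None:
        return False  # forgery rejected: nothing learned about the challenge
    guess = bytearray(answer)
    guess[0] ^= 0x01  # undo the flip in plaintext space
    return bytes(guess) == message


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"lunchtime secret"  # constructed sample message
    return {
        "stream_xor_leaks": cca2_malleability_probe(
            lambda m: stream_encrypt(enc_key, m), lambda c: stream_decrypt(enc_key, c), msg),
        "encrypt_then_mac_leaks": cca2_malleability_probe(
            lambda m: aead_encrypt(enc_key, mac_key, m),
            lambda c: aead_decrypt(enc_key, mac_key, c), msg),
    }


if __name__ == "__main__":
    print(demo())
```

The probe is deliberately the weakest possible adversary (one bit flip, one oracle query); a scheme that fails it fails every stronger notion too. The oracle enforces only the CCA2 rule from the section above, so the comparison isolates the property that matters: whether the scheme's own integrity check, not the oracle's policy, is what keeps the challenge plaintext hidden.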
See also

RCCA security

References

Luby, Michael (1996). Pseudorandomness and Cryptographic Applications. Princeton University Press.
Bellare, M.; Desai, A.; Jokipii, E.; Rogaway, P. (1997). "A concrete security treatment of symmetric encryption". Proceedings 38th Annual Symposium on Foundations of Computer Science. pp. 394–403. doi:10.1109/SFCS.1997.646128. ISBN 0-8186-8197-7. S2CID 42604387.
Moni Naor and Moti Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks". Proceedings 21st Annual ACM Symposium on Theory of Computing: 427–437. 1990.
Jonathan Katz and Moti Yung, "Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation". FSE 2000: 284–299.
Ronald Cramer and Victor Shoup, "A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack", in Advances in Cryptology – CRYPTO '98 proceedings, Santa Barbara, California, 1998, pp. 13–25.
Mihir Bellare, Anand Desai, David Pointcheval, and Phillip Rogaway, "Relations among Notions of Security for Public-Key Encryption Schemes", in Advances in Cryptology – CRYPTO '98, Santa Barbara, California, pp. 549–570.
D. Bleichenbacher, "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1". In Advances in Cryptology – CRYPTO '98, LNCS vol. 1462, pp. 1–12, 1998.
M. Bellare, P. Rogaway, "Optimal Asymmetric Encryption -- How to encrypt with RSA", extended abstract in Advances in Cryptology – Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1995.

Further reading

Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage (Usenix 2016)