Talk:Adaptive chosen-ciphertext attack

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Cryptography: Computer science Mid‑importance This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.CryptographyWikipedia:WikiProject CryptographyTemplate:WikiProject CryptographyCryptography articles Mid This article has been rated as Mid-importance on the importance scale. This article is supported by WikiProject Computer science (assessed as Mid-importance).

"Unlike ad-hoc schemes such as the padding used in PKCS #1 v1, OAEP is provably secure under the random oracle model."

I was under the impression that the original proof was proven to be wrong in papers from Crypto 2001 - anyone knows more about that?--80.171.158.198 22:02, 27 February 2006 (UTC)[reply]

The original definition and proof were not strong enough. But a better proof has been published. See

Optimal Asymmetric Encryption Padding for details. 67.84.116.166 13:35, 7 October 2006 (UTC)[reply

]

Here is a heuristic example: If you encrypt a message m with RSA PKCS#1 v1.5 then the system is not plaintext aware. If you concatenate the encryption with a secure hash of the message then the encryption becomes plaintext aware, but is not longer semantically secure, because an attacker can simply try to guess the message, hash it and compare the result with the hash. So for getting security against chosen-ciphertext attacks you need a little bit more than just plaintext awareness. 85.2.38.165 17:59, 7 February 2007 (UTC)[reply]

Actually, I'm not that sure anymore. The paper "Relations among notions of security for public-key encryption schemes" by M. Bellare, A. Desai, D. Pointcheval and P. Rogaway [1] indeed proofs that plaintext awareness implies security against chosen-ciphertext attacks. However, the definition of plaintext awareness in this paper seems to imply semantic security, wheras the informal wikipedia definition does not. 85.2.38.165 18:41, 7 February 2007 (UTC)[reply]

As I understand it, Bleichenbacher's makes uses of a severely limited chosen ciphertext oracle that does not return the full plaintext but rather a single bit indicating whether the raw RSA plaintext is properly PKCS #1 v1.5 formatted. So, his attack does not require the full CCA2 oracle: it can success with less information, making it a stronger attack.

A critique of the CCA2 security definition is that ciphertext-decrypting oracle's limitation on not decrypting the challenge ciphertext is artificial. The critique suggests that CCA2 security is not really needed to avoid a practical attack.

Bleichenbacher's practical attack can be described without the ciphertext limitation above: one can submit the challenge cipherext to the oracle, which returns a bit about the challenge plaintext. It is realistic to suppose that the challenge ciphertext was already correctly PKCS#1 v1.5 formatteed, so this bit would always return 1, so the oracle reveals nothing new.

So, Bleichenbacher's attack does not overcome the critique above regarding CCA2. The article, as written, could be construed to support of the necessity of CCA2 to overcome a practical attack. I propose amending the article slightly to avoid giving this impression. DRLB (talk) 18:39, 2 March 2011 (UTC)[reply]