The difference between these 4 breaking Cipher techniques?

Question

I'm trying to understand the difference between the following and what they actually mean :

1. Known plaintext attack
2. Known ciphertext attack
3. Chosen ciphertext attack
4. Chosen plaintext attack

Any clarification is much appreciated…

Answer 1

These aren't "attacks" in and of themselves, they are simply a way to classify attacks depending on how many assumptions they make. For instance, if an attack requires plaintext-ciphertext pairs to recover the key, but they don't have to be any particular pairs, that attack is categorized as a known-plaintext attack. However if another attack required the attacker to be able to give input plaintext and obtain the corresponding ciphertext, it would be a chosen-plaintext attack.

To summarize, from weakest to strongest in terms of assumptions made and data requirements:

Known Ciphertext Attack

The attacker is given some ciphertext, but does not know (or does not know exactly) what the plaintext corresponding to this ciphertext is. As with the previous type of attack, he does not get to choose what ciphertexts he obtains, and cannot produce more.

This is the weakest type of attack, as the attacker has essentially nothing to work with except a few ciphertexts obtained from eavesdropping or other. As such, it is typically the hardest to design, but the easiest to implement/carry out.

Example:

• Eve steals a bunch of ciphertexts from Alice's handbag, but has no idea what they mean.

Known Plaintext Attack

The attacker is given some plaintext-ciphertext pairs which he didn't choose (say, obtained from an encrypted conversation between two people - he knows what the conversation is about, but he didn't get to choose what was said). The attacker cannot produce more plaintext-ciphertext pairs, he has to obtain them from whoever has the key, for instance by eavesdropping again.

Example:

• Eve overhears an encrypted communication from Bob to Alice, and later observes them meeting at Baker Street - Eve can now guess that the communication contained the word "baker street" somewhere, a form of known plaintext attack.

Chosen Plaintext Attack

The attacker is able to select any plaintext and obtain the corresponding ciphertext through that which is known as an encryption oracle, which is a sort of black box that produces the corresponding ciphertext given any plaintext under the sought-after key, but does not reveal the key itself (i.e. you can't crack it open and just grab the key).

Note: there are two types of chosen plaintext attacks. Either the attacker can only submit a set of plaintexts once to the oracle, after which he can no longer use it (batch chosen-plaintext attack), or he can use the oracle interactively, able to select new plaintext based on what the oracle tells him (adaptive chosen-plaintext attacks).

Example:

• A poorly designed file storage system uses the same key to encrypt everyone's files, and lets anyone see anyone's files (in encrypted form). Eve knows Bob uses the service, she registers as well and starts encrypting arbitrary files (which she can choose) and looks at the resulting ciphertext. From this she obtains the service's encryption key, and decrypts Bob's stuff.

Chosen Ciphertext Attack

This is essentially the opposite of the previous attack, the attacker can choose any ciphertext he wants and obtain the corresponding plaintext using a decryption oracle. It is however a stronger attack model than a chosen plaintext attack, and the strongest of all four here (but there are even stronger models outside the scope of your question, such as related-key attacks).

Example:

• Eve breaks into Bob's house while he is sleeping, and replaces the ciphertext he was going to send to Alice tomorrow with a new one of her choosing. She then eavesdrops on their communications (encrypted or not) the next day to try and work out what Alice read when she decrypted the fake ciphertext (variants of this involve Eve not just creating a new ciphertext, but modifying the existing one slightly).

---

• Encryption and decryption oracles are generally concretized as weaknesses in an interactive protocol which allow an attacker to attempt to impersonate a legitimate user and obtain information from the other party (but there are many other situations that may cause the attacker to have access to an oracle, of course). They aren't actually "oracles" that helpfully assist the attacker, that is only a mathematical abstraction.

• As per Kerckhoffs's principle, the attacker is assumed to always know the internals of the cipher used, in addition to whatever plaintext or ciphertext he may have access to.

• Note that some of the attack types above are mutually exclusive (for instance, an attack can't be both chosen-plaintext and known-plaintext).

• Chosen plaintext/ciphertext attacks are somewhat exclusive to the modern ages of cryptography. In the past, such oracles were difficult to obtain, as physical communication between parties was not easy. However, they were not completely unknown, for instance, during WW2, Allied cryptographers routinely carried out maneuvers to tempt the Germans into sending specific messages encrypted with the Enigma (as an oversimplified example, by destroying an enemy ship, they could then be reasonably sure subsequent transmissions would contain the words "ship" and "destroyed" - a form of chosen plaintext attack, just not with an entirely reliable oracle).