2

In the paper of "Reaction Attacks against Several Public-Key Cryptosystems" CiteSeerX link, reaction attack is defined informally as "Obtaining information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key."

Is reaction attack explicitly defined in literature? What is the difference between fault attack and reaction attack -as defined here- ?

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
NB_1907
  • 630
  • 4
  • 14
  • 1
    Reading their abstract, I'm certain it's an umbrella term for side-channel attack (and you've tagged as such). – DannyNiu Nov 16 '21 at 13:42
  • 1
    Paper is here it is well-written about it on the second page. Yes, it is a side-channel but not a fault attack that targets the hardware, this is a soft attack that you get only information from the reaction like the CBC-padding oracles or the tag mismatch in GCM... – kelalaka Nov 16 '21 at 14:30
  • Are decryption failure attacks in these class? – NB_1907 Nov 17 '21 at 08:25

1 Answers1

4

"Reaction attack" seems to be just a custom name used in a few papers, meaning the reaction of the decryption oracle on maliciously crafted/modified ciphertexts. These are just CCA attacks, not side-channel attacks a priori, but in some cases side channel information such as timing can be used.

These attacks are based exploiting the decryption oracle. Note that many CPA-secure schemes are not CCA-secure (e.g. CBC encryption of a block cipher is vulnerable to the padding oracle attack), however there are ways to convert them in CCA-secure schemes (e.g. adding a MAC for symmetric encryption, or the Fujisaki-Okamoto (FO) transformation for asymmetric schemes).

Fractalice
  • 3,087
  • 12
  • 10
  • 2
    An example of "reaction" would be an error code that differs according to what went wrong in a decryption operation. I would rather take a position about the most natural endianness than about if that varying error code qualifies as a side-channel. – fgrieu Nov 18 '21 at 16:00