Questions tagged [chosen-ciphertext-attack]

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

214 questions
3 votes, 1 answer

CPA + one-time strong signature --> CCA?

Does combining a CPA PKE (public key encryption) scheme with a one-time strong signature construct a CCA PKE scheme? More specifically, let $(Enc,Dec)$ be a CPA PKE scheme, and $(V,S)$ be a one-time signature, i.e., one cannot forge a valid…
2 votes, 1 answer

Do Chosen-Ciphertext attacks only apply to public-key cryptosystems?

Do Chosen-Ciphertext attacks (CCA-1/2) only apply to public-key cryptosystems?
user13076
1 vote, 1 answer

Why does this attack on a simplified version of the Naor-Yung scheme not work for the original scheme?

tl;dr: We were given a homework in which we should discuss whether encrypting twice in the Naor-Yung scheme is actually necessary. I could prove that it is, by constructing an attacker on a scheme which encrypts only once. However, it seems to…
kawowski
1 vote, 1 answer

CCA secure or not?

Let $F : \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n$ be a PRF. And let the encryption function be $Enc_k(m) = r \| (F_k(m) \oplus r \oplus 0^n)$, where $r$'s value is random. Is this system CCA secure? I am having trouble deciding…
Lucian Tarna
1 vote, 1 answer

CCA-attack is possible in RSA, but how is the decryption key $d$ known to anyone?

A CCA attack is possible in textbook RSA, but how is the decryption key $d$ known to anyone, as it is kept secret with the receiver?
Aria
1 vote, 0 answers

cipher text only attack - how to know when to stop when brute-force attack?

Possible Duplicate: How can I do a brute force (ciphertext only) attack on a CBC-encrypted message? My question is about a ciphertext-only attack - I have as input only the initialization vector and one ciphertext. I know the key domain:…
gAsk
0 votes, 1 answer

Proof that a modified public-key encryption scheme is not CCA secure

Let $\mathcal{E} = (G, E, D)$ be a CCA-secure public-key encryption scheme defined over $(\mathcal{M, C})$ where $\mathcal{C} := \{0, 1\}^\ell$. Let $\mathcal{E'} = (G, E', D')$ be a scheme (over $(\mathcal{M, C'})$ where $\mathcal{C'} := \{0,…
Daniel
0 votes, 1 answer

many time pad attack

I am a beginner in cryptography. I studied the many-time pad attack and now I want to solve a popular exercise. It consists of 11 ciphertexts (s1, s2, ..., s11) that were encrypted with the same key, and I want to find the plaintext (p11) of s11. I know: p10 ⊕ k = s10 p11…
user47357