Objectives of adversary
The primary objective of an adversary who wishes to “attack” a public-key encryption scheme is to systematically recover plaintext from ciphertext intended for some other entity A. If this is achieved, the encryption scheme is informally said to have been broken. A more ambitious objective is key recovery: to recover A’s private key. If this is achieved, the encryption scheme is informally said to have been completely broken, since the adversary then has the ability to decrypt all ciphertext sent to A.
Types of attacks
Since the encryption transformations are public knowledge, a passive adversary can always mount a chosen-plaintext attack on a public-key encryption scheme (cf. §1.13.1). A stronger attack is a chosen-ciphertext attack where an adversary selects ciphertext of its choice, and then obtains by some means (from the victim A) the corresponding plaintext (cf. §1.13.1). Two kinds of these attacks are usually distinguished.
- 1. In an indifferent chosen-ciphertext attack, the adversary is provided with decryptions of any ciphertexts of its choice, but these ciphertexts must be chosen prior to receiving the (target) ciphertext c it actually wishes to decrypt.
- 2. In an adaptive chosen-ciphertext attack, the adversary may use (or have access to) A’s decryption machine (but not the private key itself) even after seeing the target ciphertext c. The adversary may request decryptions of ciphertext which may be related to both the target ciphertext, and to the decryptions obtained from previous queries; a restriction is that it may not request the decryption of the target c itself.
Chosen-ciphertext attacks are of concern if the environment in which the public-key encryption scheme is to be used is subject to such an attack being mounted; if not, the existence of a chosen-ciphertext attack is typically viewed as a certificational weakness against a particular scheme, although apparently not directly exploitable.
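The following is an added example, not part of the Handbook's text, showing why the restriction "may not request the decryption of the target c itself" does not by itself protect a scheme. It models A's decryption machine as an oracle that refuses c, and mounts the adaptive attack against textbook RSA (the "raw" RSA function, with no padding) using its multiplicative property: the decryption of c·r^e mod n is m·r mod n, from which m follows. It also models an indifferent adversary, whose queries were fixed before c was known and who therefore learns nothing about c from them. The parameters (p = 61, q = 53, e = 17, the plaintext 65, the fixed query list) are assumed for illustration and are far too small for real use.

```python
from math import gcd

# Toy textbook RSA parameters (assumed; illustration only).
P, Q, E = 61, 53, 17
N = P * Q                          # 3233
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753, the private exponent


def encrypt(m):
    """Textbook RSA encryption; E and N are public, so anyone can do this."""
    return pow(m, E, N)


class DecryptionOracle:
    """Models access to A's decryption machine: it decrypts any ciphertext
    except the target, and never reveals the private exponent D."""

    def __init__(self, target):
        self._target = target % N
        self.queries = []           # log of everything that was decrypted

    def decrypt(self, c):
        if c % N == self._target:
            raise PermissionError("decryption of the target ciphertext is refused")
        self.queries.append(c)
        return pow(c, D, N)


# Indifferent adversary: the ciphertexts to be queried are fixed before the
# target is seen (here, encryptions of 0..9, chosen independently of c).
FIXED_QUERIES = [encrypt(x) for x in range(10)]


def indifferent_cca(oracle, target):
    """Build the table the indifferent adversary is allowed, then look up c.
    It succeeds only if the target happens to be among the fixed queries."""
    table = {c: oracle.decrypt(c) for c in FIXED_QUERIES}
    return table.get(target)


def adaptive_cca(oracle, target):
    """Recover m from c = m^E mod N without ever submitting c itself.
    D(c * r^E mod N) = m * r mod N, so one query related to c suffices.
    The query depends on c, which is exactly what an indifferent attacker
    cannot do."""
    for r in range(2, N):
        if gcd(r, N) != 1:
            continue                        # r must be invertible mod N
        blinded = (target * pow(r, E, N)) % N
        if blinded == target:
            continue                        # r^E == 1 mod N; choose another r
        m_times_r = oracle.decrypt(blinded)
        return (m_times_r * pow(r, -1, N)) % N
    raise RuntimeError("no usable blinding factor found")


def demo(m=65):
    """Return (plaintext, target ciphertext, indifferent result,
    adaptive result, number of oracle queries used)."""
    c = encrypt(m)                          # 2790 for m = 65
    oracle = DecryptionOracle(c)
    before = indifferent_cca(oracle, c)     # None: c is not in the table
    recovered = adaptive_cca(oracle, c)     # 65, after a single related query
    return m, c, before, recovered, len(oracle.queries)


if __name__ == "__main__":
    m, c, before, recovered, nq = demo()
    print(f"target c = {c}; indifferent attacker learned {before!r}; "
          f"adaptive attacker recovered m = {recovered} with {nq} oracle queries")
```

The oracle enforces only the restriction stated above, yet the adaptive adversary recovers m with one query. Padding schemes designed for chosen-ciphertext security (see the later sections of the chapter) exist precisely to destroy this kind of relation between a target ciphertext and the ciphertexts an adversary may query.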
Distributing public keys
The public-key encryption schemes described in this chapter assume that there is a means for the sender of a message to obtain an authentic copy of the intended receiver’s public key. In the absence of such a means, the encryption scheme is susceptible to an impersonation attack, as outlined in §1.8.2. There are many techniques in practice by which authentic public keys can be distributed, including exchanging keys over a trusted channel, using a trusted public file, using an on-line trusted server, and using an off-line server and certificates. These and related methods are discussed in §13.4.
Message blocking
Some of the public-key encryption schemes described in this chapter assume that the message to be encrypted is, at most, some fixed size (bitlength). Plaintext messages longer than this maximum must be broken into blocks, each of the appropriate size. Specific techniques for breaking up a message into blocks are not discussed in this book. The component blocks can then be encrypted independently (cf. ECB mode in §7.2.2(i)). To provide protection against manipulation (e.g., re-ordering) of the blocks, the Cipher Block Chaining (CBC) mode may be used (cf. §7.2.2(ii) and Example 9.84). Since the CFB and OFB modes (cf. §7.2.2(iii) and §7.2.2(iv)) employ only single-block encryption (and not decryption) for both message encryption and decryption, they cannot be used with public-key encryption schemes: the keystream would be computable by anyone holding the public key.
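The following is an added example, not part of the Handbook's text, that makes the three claims of the paragraph above concrete with a toy public-key block transformation (textbook RSA with a roughly 20-bit modulus, two-byte plaintext blocks). It shows that under ECB an attacker who swaps two ciphertext blocks obtains a well-formed but altered plaintext at the receiver; that under CBC the same swap corrupts the affected blocks, because each block's decryption is chained to the preceding ciphertext block; and that an OFB keystream built from the public-key transformation can be regenerated by an eavesdropper from the public key and IV alone. Everything here is assumed for illustration: the primes, the sample message, the IV, and the detail that the CBC feedback value is truncated to the plaintext block width (the ciphertext space Z_n is wider than a plaintext block, so a plain XOR of the two would not be guaranteed to stay below n).

```python
# Toy textbook RSA with a ~20-bit modulus (assumed parameters; illustration only).
P, Q, E = 1009, 1013, 65537
N = P * Q                      # 1022117, so every 16-bit block is < N
D = pow(E, -1, (P - 1) * (Q - 1))
BLOCK_BYTES = 2
MASK = (1 << (8 * BLOCK_BYTES)) - 1   # chaining value truncated to block width


def pk_encrypt(x):
    return pow(x, E, N)        # public operation: anyone can compute it


def pk_decrypt(c):
    return pow(c, D, N)        # private operation: needs D


def to_blocks(msg):
    if len(msg) % BLOCK_BYTES:
        raise ValueError("example requires a message of whole blocks")
    return [int.from_bytes(msg[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(msg), BLOCK_BYTES)]


def from_blocks(blocks):
    return b"".join(b.to_bytes(BLOCK_BYTES, "big") for b in blocks)


# ECB: every block is transformed independently of its neighbours.
def ecb_encrypt(blocks):
    return [pk_encrypt(m) for m in blocks]


def ecb_decrypt(ct):
    return [pk_decrypt(c) for c in ct]


# CBC: c_i = E(m_i XOR f(c_{i-1})), c_{-1} = IV, where f keeps the low 16 bits.
def cbc_encrypt(blocks, iv):
    ct, prev = [], iv & MASK
    for m in blocks:
        c = pk_encrypt(m ^ prev)
        ct.append(c)
        prev = c & MASK
    return ct


def cbc_decrypt(ct, iv):
    pt, prev = [], iv & MASK
    for c in ct:
        pt.append(pk_decrypt(c) ^ prev)
        prev = c & MASK
    return pt


# OFB: keystream s_0 = E(IV), s_i = E(s_{i-1}); c_i = m_i XOR f(s_i).
# Only E is ever applied, so the keystream needs nothing secret.
def ofb_keystream(iv, nblocks):
    ks, s = [], iv
    for _ in range(nblocks):
        s = pk_encrypt(s)
        ks.append(s & MASK)
    return ks


def ofb_xor(blocks, iv):
    """Encryption and decryption are the same operation; an eavesdropper
    holding (E, N) and the IV can run it just as well as the receiver."""
    return [m ^ k for m, k in zip(blocks, ofb_keystream(iv, len(blocks)))]


def swap(ct, i, j):
    """Attacker's manipulation: exchange two ciphertext blocks in transit."""
    ct = list(ct)
    ct[i], ct[j] = ct[j], ct[i]
    return ct


MESSAGE = b"FROM=AB;TO=CD;"   # constructed sample: 7 two-byte blocks
IV = 0x2A5F                   # assumed IV


def demo():
    blocks = to_blocks(MESSAGE)
    ecb_ct = ecb_encrypt(blocks)
    cbc_ct = cbc_encrypt(blocks, IV)
    return {
        "ecb_roundtrip": from_blocks(ecb_decrypt(ecb_ct)),
        "cbc_roundtrip": from_blocks(cbc_decrypt(cbc_ct, IV)),
        # swap the "=A" and "=C" blocks (indices 2 and 5) on the wire
        "ecb_swapped": from_blocks(ecb_decrypt(swap(ecb_ct, 2, 5))),
        "cbc_swapped": from_blocks(cbc_decrypt(swap(cbc_ct, 2, 5), IV)),
        # eavesdropper "decrypts" OFB output with public information only
        "ofb_eavesdropped": from_blocks(ofb_xor(ofb_xor(blocks, IV), IV)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value!r}")
```

Under ECB the receiver sees `FROM=CB;TO=AD;`, a plausible message with the parties changed. Under CBC the blocks at positions 2, 3, 5 and 6 come out as bytes that depend on the ciphertext blocks that were moved, so the message no longer parses, while blocks 0, 1 and 4 are untouched; a receiver that checks the message's format (or, as in Example 9.84, an appended MDC) notices the manipulation. CFB would fail for the same reason as OFB: its keystream is E applied to the previous ciphertext block, which is also public information.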