1.4. Some Cryptographic Terms

In cryptology, there are different models of attacks or attackers.

1.4.1. Models of Attacks

So far we have assumed that an adversary can only read messages during transmission over a channel. Such an adversary is called a passive adversary. An active adversary, on the other hand, can modify or delete messages in transit and/or inject forged messages of her own. An attack mounted by an active (resp.[3] a passive) adversary is called an active (resp. a passive) attack. In this book, we will mostly concentrate on passive attacks.

[3] Throughout the book, resp. stands for respectively.

1.4.2. Models of Passive Attacks

A two-party communication involves transmission of ciphertext messages over a communication channel. A passive attacker can read these ciphertext messages. In practice, however, an attacker might have more control over the choice of ciphertext and/or plaintext messages. Based on these capabilities of the attacker we have the following types of attacks.

Ciphertext-only attack

This is the weakest model of the adversary. Here the attacker has no control over the ciphertext messages that flow in the channel, nor over the corresponding plaintext messages; she merely observes the ciphertexts. Using only these, the attacker has to obtain the private key and/or the plaintext corresponding to a new ciphertext. Any scheme fit for use must resist at least this attack.

Known-pair attack

In this kind of attack (also called a known-plaintext or known-ciphertext attack), the attacker uses her knowledge of some plaintext–ciphertext pairs that she did not choose. If many such pairs are available, she can use them to learn about the key or about regularities of the scheme, and subsequently gain some information on a new plaintext for which only the ciphertext is available. In a public-key scheme, the adversary can generate as many such pairs as she wants, because producing a pair requires only the receiver's public key. Thus a public-key encryption scheme must provide sufficient security against known-plaintext attacks; in fact, for the same reason, it must resist the stronger chosen-plaintext attacks described next.

Chosen-plaintext attack

In this kind of attack, the attacker knows some plaintext–ciphertext pairs in which the plaintexts are chosen by the attacker. As discussed earlier, such an attack is easily mountable for a public-key encryption scheme.

Adaptive chosen-plaintext attack

This is similar to the chosen-plaintext attack, with the additional possibility that the attacker chooses the plaintexts sequentially and adaptively, each choice based on the knowledge of the previous pairs. Since encryption needs only the public key, this kind of attack too can be easily mounted on public-key encryption systems.

Chosen-ciphertext attack

The attacker has knowledge of some plaintext–ciphertext pairs in which the ciphertexts are chosen by the attacker. Such an attack is not directly mountable on a public-key scheme, since obtaining a plaintext from a chosen ciphertext requires knowledge of the private key. However, if the attacker has access to the receiver's decryption equipment, the machine can divulge the plaintexts corresponding to the ciphertexts that the attacker supplies to it. In this context, we assume that the machine does not reveal the private key itself, that is, it has the key stored secretly somewhere in its hardware which the attacker cannot directly access. However, the attacker can run the machine to learn the plaintexts corresponding to the ciphertexts of her choice. Later (when the attacker no longer has access to the decryption equipment) the known pairs may be exploited to obtain information about the plaintext corresponding to a new ciphertext. In practice the "equipment" is often a network service that decrypts whatever it receives, and even a partial answer (a distinguishable error message or a timing difference rather than the full plaintext) can serve the attacker as such a decryption oracle.

Adaptive chosen-ciphertext attack

This is similar to the chosen-ciphertext attack with the additional possibility that the attacker chooses the ciphertexts in the known pairs sequentially and adaptively based on her knowledge of the previously generated plaintext–ciphertext pairs. This attack is mountable in a scenario described in connection with chosen-ciphertext attacks.

For a digital signature scheme, there are equivalent names for these types of attacks. The attacker is assumed to have access to the public key of the signer, because this key is used for signature verification. An attempt to forge signatures based only on the knowledge of this verification key is called a key-only attack. The adversary may additionally possess knowledge of some message–signature pairs. An attack based on this knowledge is called a known-pair, known-message or known-signature attack. If the messages are chosen by the adversary, we call the attack a chosen-message attack. If the adversary generates the sequence of messages in a chosen-message attack adaptively (based on the previously generated message–signature pairs), we have an adaptive chosen-message attack. An (adaptive or non-adaptive) chosen-message attack can be mounted if the attacker gains access to the signer's signature generation equipment, or if the signer is willing to sign arbitrary messages provided by the adversary.

The attacker can choose some signatures and compute the corresponding messages by applying the signer's public-key (verification) operation to them. The private-key operation on these messages would produce exactly the signatures the attacker chose. This gives chosen-signature and adaptive chosen-signature attacks on a digital signature scheme. Here the adversary cannot directly control the messages that get signed. On the other hand, such an attack is easily mountable, because it uses only public knowledge (the signer's public key). Indeed, one may treat chosen-signature attacks as variants of key-only attacks.
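As an added illustration (example code written for these notes, not part of the book's text), the following Python runs two of the attack models just described against textbook, i.e. unpadded, RSA: the decryption-equipment scenario of the (adaptive) chosen-ciphertext attack, and the chosen-signature attack of the preceding paragraph. RSA is only introduced later in the book; it is used here because its multiplicative structure makes both attacks a single line each. The primes, the exponent, the message and the `DecryptionBox` class are constructed for this example and the key is far too small for real use.

```python
"""Added example: two attack models of Section 1.4.2 run against textbook
(unpadded) RSA.  Not from the book; the key, message and oracle are
constructed here purely for illustration and the key is far too small
for real use."""
from math import gcd
import secrets

# Constructed toy parameters.  Both are well-known primes (10^9+7 and the
# NTT prime 119*2^23+1); e = 65537 is coprime to (p-1)(q-1).
P = 1_000_000_007
Q = 998_244_353
E = 65537


def keygen(p=P, q=Q, e=E):
    """Textbook RSA key generation: n = pq, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e is not invertible mod phi
    return (n, e), (n, d)


PUB, PRIV = keygen()


def encrypt(pub, m):
    """Public-key operation c = m^e mod n (also used to verify signatures)."""
    n, e = pub
    return pow(m, e, n)


def decrypt(priv, c):
    """Private-key operation m = c^d mod n (also used to sign)."""
    n, d = priv
    return pow(c, d, n)


class DecryptionBox:
    """Hypothetical 'decryption equipment' of the chosen-ciphertext model:
    it keeps the private key inside, decrypts any ciphertext handed to it,
    but refuses the one ciphertext the attacker ultimately wants opened."""

    def __init__(self, priv, target):
        self._priv = priv
        self._target = target
        self.queries = 0

    def decrypt(self, c):
        if c == self._target:
            raise PermissionError("the target ciphertext is never decrypted")
        self.queries += 1
        return decrypt(self._priv, c)


def chosen_ciphertext_recover(pub, box, c_target):
    """Adaptive chosen-ciphertext attack on textbook RSA (blinding).
    RSA is multiplicative: (r*m)^e = r^e * m^e mod n.  The attacker picks
    a random r, asks the box to decrypt the *related* ciphertext r^e * c,
    receives r*m, and divides r out.  One query suffices."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2  # r in [2, n-1]
        if gcd(r, n) == 1:
            break
    c_related = (pow(r, e, n) * c_target) % n  # differs from c_target
    m_blinded = box.decrypt(c_related)
    return (m_blinded * pow(r, -1, n)) % n


def sign(priv, m):
    """Textbook RSA signature: the private-key operation applied to m."""
    return decrypt(priv, m)


def verify(pub, m, s):
    """Signature check: s^e mod n must equal m."""
    return encrypt(pub, s) == m


def chosen_signature_forge(pub, s):
    """Chosen-signature (key-only) attack: choose the signature s first and
    compute, with the public key alone, the message m' = s^e mod n that it
    signs.  The attacker gets a valid pair (m', s) but no say in m'."""
    return encrypt(pub, s)


def demo():
    """Runs both attacks; returns (plaintext recovered, oracle queries used,
    forged signature verifies)."""
    n, _ = PUB
    m = int.from_bytes(b"attack", "big")  # constructed message, m < n
    c = encrypt(PUB, m)
    box = DecryptionBox(PRIV, target=c)
    recovered = chosen_ciphertext_recover(PUB, box, c)

    s = secrets.randbelow(n - 2) + 2  # attacker-chosen signature
    forged_m = chosen_signature_forge(PUB, s)
    return recovered == m, box.queries, verify(PUB, forged_m, s)


if __name__ == "__main__":
    print(demo())  # (True, 1, True)
```

The blinded query shows why a decryption oracle that refuses only the target ciphertext is no protection for this scheme: the attacker never submits the target, yet recovers the plaintext with a single query (the related ciphertext can equal the target only if r^e ≡ 1 mod n, which is impossible for this key because 65537 divides neither p−1 nor q−1). The forged pair (m', s) verifies, but m' is a random-looking integer the attacker did not choose, which is exactly the point made above about chosen-signature attacks. Randomised padding before encryption, and hashing with padding before signing, are what close both holes in deployed RSA.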

1.4.3. Public Versus Private Algorithms

So far, we have assumed that all the parties connected to a network know the algorithms used in a cryptographic scheme. The security of the scheme is based on the difficulty of obtaining some secret information (the secret or private key).

It, however, remains possible that two parties communicate using an algorithm unknown to other entities. Top-secret communications (for example, during wars or diplomatic transactions) have often used private cryptographic algorithms. In this book, we will not deal with such techniques. Our attention is focused mostly on Internet applications in which public knowledge of the algorithms is of paramount importance (for the sake of universal applicability and convenience), and in which, following Kerckhoffs's principle, a scheme is expected to remain secure even when everything about it except the key is public.

In short, this book is going to deal with a world in which only publicly known public-key algorithms are deployed and in which adversaries are usually passive. A restricted model of the world though it may be, it is general and useful enough to concentrate on. Let us begin our journey!
