Chosen-ciphertext attack

A chosen-ciphertext attack (CCA) is a cryptanalytic attack in which an adversary selects arbitrary ciphertexts and obtains their corresponding decryptions, typically via access to a decryption oracle, in order to infer information about secret keys or other plaintexts. The model assumes the adversary can interact adaptively with the decryption process, which makes it more powerful than a chosen-plaintext attack (CPA): it simulates real-world active adversaries who can tamper with or probe encrypted communications. In formal terms, CCA security for an encryption scheme is defined through an indistinguishability game in which the adversary, given access to a decryption oracle for all ciphertexts except the challenge one, must distinguish between encryptions of two chosen messages with only negligible advantage over random guessing. The CCA model emerged as a critical standard for evaluating public-key encryption schemes in the 1990s, highlighting vulnerabilities in systems like the one-time pad or basic block cipher modes (e.g., CTR or CBC without authentication), which fail under decryption oracle access because of malleability or predictable responses. A notable real-world example is Bleichenbacher's 1998 attack on RSA with PKCS#1 v1.5 padding, where an attacker exploits error messages returned by a server during decryption attempts on chosen ciphertexts to iteratively narrow down the plaintext, potentially recovering the entire message after millions of queries. Such attacks underscore the need for CCA-secure constructions, often achieved by combining CPA-secure encryption with message authentication codes (MACs) or by using padding schemes like OAEP (Optimal Asymmetric Encryption Padding). CCA security remains essential for modern cryptographic protocols, such as those in TLS/SSL, where unauthenticated ciphertexts could otherwise leak sensitive data through side-channel observations during decryption.
While basic schemes like textbook RSA are inherently vulnerable, provably secure alternatives ensure robustness against adaptive adversaries, influencing standards from bodies like NIST.

Fundamentals

Overview of cryptographic attacks

Cryptographic attacks are categorized into passive and active types based on the adversary's level of interaction with the system. Passive attacks, such as ciphertext-only or known-plaintext attacks, involve an eavesdropper who observes communications without modifying or influencing the process, aiming to extract information solely from intercepted data. In contrast, active attacks require the adversary to interact directly with the cryptosystem, potentially altering messages or exploiting system components to gain unauthorized access or recover secrets; chosen-ciphertext attacks (CCAs) exemplify this category by involving queries to decryption mechanisms. A foundational active model is the chosen-plaintext attack (CPA), where the adversary gains access to an oracle that encrypts arbitrarily selected plaintexts under the target's key, allowing analysis of the resulting ciphertexts to uncover patterns or weaknesses in the scheme. This model formalizes scenarios where an attacker can influence the encryption process, such as by submitting chosen messages to a compromised device, and serves as a baseline for evaluating security, ensuring that even with such access the adversary cannot distinguish encryptions of different messages. The evolution of these attack models began with basic eavesdropping assumptions in early cryptography, rooted in Shannon's perfect secrecy paradigm from the 1940s, but shifted toward interactive oracles in the 1980s and 1990s as public-key systems emerged. Seminal works, including Goldwasser and Micali's 1982 introduction of probabilistic encryption and semantic security, formalized CPA-like models to address the limitations of deterministic schemes vulnerable to chosen inputs. By the 1990s, definitions incorporated stronger adversaries with oracle access, reflecting real-world threats like malleable ciphertexts in protocols.
CCA builds directly on the CPA framework by augmenting the adversary's capabilities with access to a decryption oracle, enabling queries on chosen ciphertexts (excluding the challenge ciphertext) and thus simulating more realistic active tampering, which elevates the threat level beyond mere observation. This progression underscores the need for cryptosystems resilient to interactive decryption queries, as passive or merely CPA-secure schemes often fail under such conditions.

Role of decryption oracles

In chosen-ciphertext attacks, the decryption oracle serves as a critical interactive component, modeled as a black box that allows an adversary to submit arbitrary ciphertexts for decryption under the target's secret key. Upon receiving a valid ciphertext as input, the oracle outputs the corresponding plaintext; for invalid inputs, it typically returns only an indicator of failure, such as an error or rejection signal, without revealing additional details about the decryption process. This access enables the adversary to explore the encryption scheme's behavior across a wide range of inputs, but the oracle excludes queries on the specific challenge ciphertext to prevent trivial recovery of the target message. The mechanics of the decryption oracle highlight vulnerabilities arising from malleability, where an adversary can construct modified versions of observed ciphertexts—such as by altering individual bits—and submit them to the oracle to obtain partial information about the underlying plaintext. For instance, if the scheme permits predictable changes to the ciphertext that correspond to changes in the plaintext (e.g., in a basic XOR-based stream cipher using a pseudorandom keystream), querying the oracle on a modified ciphertext c' = c \oplus \delta yields m' = m \oplus \delta, allowing the adversary to infer bits of the original m by reversing the modification. Such interactions expose risks in schemes lacking integrity protection, as the oracle effectively provides feedback on the scheme's deterministic or probabilistic responses to tampering. Unlike the encryption oracle in chosen-plaintext attacks (CPAs), which only permits the adversary to obtain encryptions of chosen plaintexts and limits threats to passive observation, the decryption oracle in CCAs grants active access to the decryption functionality, dramatically escalating the threat by enabling manipulation and verification of ciphertexts.
This distinction underscores why CCA represents a stronger adversarial model: decryption queries allow testing of scheme weaknesses like malleability or inconsistencies that CPA cannot capture, potentially revealing key material or message contents indirectly.

Core Concepts

Formal definition of CCA

A chosen-ciphertext attack (CCA) is formally defined in the context of public-key encryption schemes as a security game between a probabilistic polynomial-time (PPT) adversary \mathcal{A} and a challenger, where \mathcal{A} aims to distinguish between encryptions of two messages it selects while interacting with encryption and decryption oracles. The game proceeds in phases: first, the challenger generates a public key pk and a corresponding secret key sk using the key generation algorithm \mathsf{Gen}(1^\lambda), where \lambda is the security parameter, and provides pk to \mathcal{A}. In the pre-challenge phase, \mathcal{A} may query the encryption oracle \mathcal{O}_\mathsf{Enc}, which on input a message m returns \mathsf{Enc}(pk, m), and the decryption oracle \mathcal{O}_\mathsf{Dec}, which on input a ciphertext c returns \mathsf{Dec}(sk, c) (or \perp if c is invalid). \mathcal{A} can make polynomially many such queries. Then, in the challenge phase, \mathcal{A} submits two equal-length messages m_0 and m_1, and the challenger selects a random bit b \in \{0,1\}, computes the challenge ciphertext c^* = \mathsf{Enc}(pk, m_b; r) for random coins r, and sends c^* to \mathcal{A}. Following the challenge, \mathcal{A} resumes querying the oracles, but is restricted from submitting c^* to \mathcal{O}_\mathsf{Dec}. Finally, \mathcal{A} outputs a guess b' for b. The adversary \mathcal{A} wins the game if b' = b. The scheme is CCA-secure if for every PPT adversary \mathcal{A} the winning probability satisfies \Pr[\mathcal{A} \text{ wins}] = \frac{1}{2} + \epsilon(\lambda), where \epsilon(\lambda) is a negligible function in the security parameter \lambda. This advantage \epsilon measures \mathcal{A}'s ability to distinguish m_0 from m_1 beyond random guessing, and it follows from the experiment's structure: the pre- and post-challenge queries model access to a decryption oracle, while the challenge tests indistinguishability under this access, with the restriction on c^* preventing trivial wins.
This definition assumes a PPT adversary and may be analyzed in the random oracle model for certain constructions, though the core game is stated in the standard model.
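The following is an added example, not code from the original page: it plays the game just defined, in its symmetric-key form (an encryption oracle stands in for the public key, as the page's CTR and XOR examples are symmetric), against the malleable stream cipher from the decryption-oracle section and against an encrypt-then-MAC version of the same cipher. The keystream construction (HMAC-SHA256 over nonce and counter), the scheme and adversary names, and the two sample messages are constructed for this example. An `adaptive` flag switches between CCA2 rules (queries allowed after the challenge, except on c^* itself) and CCA1 rules (no queries after the challenge), so the same adversary can be seen winning the adaptive game outright, reduced to coin-flipping under lunchtime rules, and defeated by integrity protection.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


class OracleRefused(Exception):
    """A decryption query that the game's rules do not allow."""


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    # Constructed toy PRF keystream: HMAC-SHA256(key, nonce || counter), truncated
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


class StreamScheme:
    """Keystream XOR with no integrity: resists eavesdropping but is malleable."""

    def gen(self):
        return os.urandom(KEY_LEN)

    def enc(self, k, m):
        nonce = os.urandom(NONCE_LEN)
        return nonce + xor(m, keystream(k, nonce, len(m)))

    def dec(self, k, c):
        nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
        return xor(body, keystream(k, nonce, len(body)))


class EncryptThenMacScheme(StreamScheme):
    """Same cipher plus an HMAC tag over the ciphertext; any alteration is rejected."""

    def gen(self):
        return os.urandom(2 * KEY_LEN)

    def enc(self, k, m):
        ke, km = k[:KEY_LEN], k[KEY_LEN:]
        c = super().enc(ke, m)
        return c + hmac.new(km, c, hashlib.sha256).digest()

    def dec(self, k, c):
        ke, km = k[:KEY_LEN], k[KEY_LEN:]
        body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(km, body, hashlib.sha256).digest(), tag):
            return None  # plays the role of the bottom symbol: invalid ciphertext
        return super().dec(ke, body)


def ind_cca_game(scheme, adversary, adaptive=True):
    """One run of the game; True = CCA2 (queries allowed after the challenge,
    except on the challenge itself), False = CCA1 (no queries after the challenge)."""
    k = scheme.gen()
    challenge = {"c": None}

    def enc_oracle(m):
        return scheme.enc(k, m)

    def dec_oracle(c):
        if challenge["c"] is not None:
            if not adaptive:
                raise OracleRefused("CCA1: the oracle is closed after the challenge")
            if c == challenge["c"]:
                raise OracleRefused("the challenge ciphertext may not be queried")
        return scheme.dec(k, c)

    m0, m1 = adversary.choose_messages(enc_oracle, dec_oracle)
    assert len(m0) == len(m1)
    b = secrets.randbelow(2)
    challenge["c"] = scheme.enc(k, (m0, m1)[b])
    return adversary.guess(challenge["c"], enc_oracle, dec_oracle) == b


class MalleabilityAdversary:
    """Flips one plaintext bit via the ciphertext, asks the oracle, undoes the flip."""
    M0, M1 = b"attack at dawn!!", b"retreat at dusk!"

    def choose_messages(self, enc_oracle, dec_oracle):
        return self.M0, self.M1

    def guess(self, c_star, enc_oracle, dec_oracle):
        delta = bytearray(len(c_star))
        delta[NONCE_LEN] = 0x01  # touches the first body byte, not the nonce (or tag)
        try:
            m_prime = dec_oracle(xor(c_star, bytes(delta)))
        except OracleRefused:
            m_prime = None
        if m_prime is None:  # refused or rejected: nothing learned, so flip a coin
            return secrets.randbelow(2)
        m = xor(m_prime, bytes(delta[NONCE_LEN:NONCE_LEN + len(m_prime)]))
        return 0 if m == self.M0 else 1


def win_rate(scheme, adversary, adaptive=True, trials=400):
    wins = sum(ind_cca_game(scheme, adversary, adaptive) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("stream cipher, CCA2:", win_rate(StreamScheme(), MalleabilityAdversary()))
    print("stream cipher, CCA1:", win_rate(StreamScheme(), MalleabilityAdversary(), adaptive=False))
    print("encrypt-then-MAC, CCA2:", win_rate(EncryptThenMacScheme(), MalleabilityAdversary()))
```

Against the bare stream cipher under CCA2 rules the win rate is exactly 1, the largest possible advantage; under CCA1 rules and against encrypt-then-MAC the oracle gives the adversary nothing, so the rate settles near 1/2. The two ways of returning "no information" are deliberately the same (`None` and a refusal both lead to a coin flip): a decryptor that distinguished them would already be the kind of oracle the rest of the page warns about.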

Adversary capabilities

In the chosen-ciphertext attack (CCA) model, the adversary is modeled as a probabilistic polynomial-time (PPT) algorithm that interacts with encryption and decryption oracles in an attempt to compromise the confidentiality of a public-key encryption scheme. This adversary possesses the public key but has no access to the corresponding private key, ensuring that it cannot perform unrestricted decryptions on its own. The PPT constraint limits the adversary's computational resources to those feasible within polynomial time relative to the security parameter, reflecting realistic attacker capabilities in cryptographic analysis. The primary capabilities of the CCA adversary include making polynomially many queries to an encryption oracle, allowing it to obtain ciphertexts for arbitrarily chosen plaintexts, and querying a decryption oracle with chosen ciphertexts to receive their corresponding plaintexts. However, a key constraint prohibits the adversary from submitting the challenge ciphertext—the encryption of one of two target plaintexts chosen by the adversary—to the decryption oracle, preventing direct recovery of the target plaintext. These oracle interactions enable the adversary to probe the system's behavior extensively, but the exclusion of the challenge query maintains the integrity of the security experiment. Strategically, the adversary aims to exploit these oracle accesses to recover the plaintext of the challenge ciphertext, to break indistinguishability by distinguishing between encryptions of two related messages, or, in broader applications, to leverage malleability in the ciphertexts against related primitives such as signatures. This setup captures scenarios where the adversary seeks to undermine confidentiality or integrity through adaptive interactions, without direct key compromise. In real-world terms, the adversary models an attacker who gains temporary or indirect access to a decryption device or service—such as by exploiting a server that reveals whether decryption failed—but remains blind to the specific target message, relying on manipulated inputs to infer sensitive information.

Variants

Non-adaptive CCA (lunchtime attack)

A non-adaptive chosen-ciphertext attack, also known as a lunchtime attack or CCA1, permits an adversary to submit a batch of chosen ciphertexts to a decryption oracle prior to receiving a challenge ciphertext, but prohibits any further queries afterward. In this model, the adversary's decryption queries are completed in a single phase, simulating a limited access window to the oracle, after which the challenge ciphertext—typically an encryption of one of two target plaintexts under the public key—is issued, and the adversary must distinguish the underlying plaintext without additional interactions. The term "lunchtime attack" was introduced by Mihir Bellare and Phillip Rogaway in their paper on security notions for public-key encryption, evoking the scenario of an attacker exploiting a brief, temporary opportunity to access decryption capabilities, such as during an unattended period. This nomenclature highlights the non-adaptive constraint, where the attacker's preparations must be finalized before the challenge, contrasting with more flexible threat models. A classic example of a non-adaptive CCA exploits the structure of Rabin's cryptosystem, where encryption computes the quadratic residue c = m^2 \mod n for modulus n = pq and plaintext m. An adversary selects a random x, computes c = x^2 \mod n, and queries the decryption oracle to obtain a square root y of c modulo n. With probability 1/2, y \not\equiv \pm x \mod n, in which case \gcd(y - x, n) reveals a non-trivial factor of n, thus recovering the private key components p and q and enabling decryption of any ciphertext, including the subsequent challenge. This variant is inherently weaker than adaptive chosen-ciphertext attacks, as the absence of post-challenge queries limits the adversary's ability to refine strategies based on the target ciphertext.
Consequently, numerous encryption schemes achieve security against non-adaptive CCA—such as basic ElGamal with certain modifications—but remain vulnerable to stronger adaptive threats, underscoring the need for robust defenses in practical deployments.
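The Rabin example above, worked through on toy parameters as an added example (not code from the original page). The two primes are constructed at run time from the starting points given (about 10^6 and 2 x 10^6, far below any real key size) and are chosen congruent to 3 mod 4 so that square roots cost one modular exponentiation; the naive decryption device returns one of the four roots at random, which is precisely the behaviour that lets pre-challenge queries alone recover the private key.

```python
import secrets
from math import gcd


def is_prime(n):
    # Trial division is plenty for the toy sizes used here
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def next_prime_3_mod_4(start):
    # Primes p ≡ 3 (mod 4) let the decryptor take square roots with c^((p+1)/4)
    n = start
    while not (n % 4 == 3 and is_prime(n)):
        n += 1
    return n


def rabin_keygen(p_start=1_000_000, q_start=2_000_000):
    p, q = next_prime_3_mod_4(p_start), next_prime_3_mod_4(q_start)
    return p * q, (p, q)  # public n, private (p, q); constructed toy size


def rabin_encrypt(n, m):
    return m * m % n


def rabin_decrypt_oracle(sk, c):
    """A naive Rabin decryption device: returns ONE of the four square roots of c,
    chosen at random, with no redundancy check to identify the intended one."""
    p, q = sk
    n = p * q
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if (rp * rp - c) % p or (rq * rq - c) % q:
        return None  # c is not a quadratic residue modulo n: reject
    roots = []
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):  # combine the two residues with the CRT
            roots.append((sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n)
    return secrets.choice(roots)


def lunchtime_attack(n, oracle, max_queries=64):
    """Pre-challenge queries only: pick x, ask for a root y of x^2, and whenever
    y is neither x nor -x the gcd of y - x with n is a factor. Returns (factors, queries)."""
    for query_count in range(1, max_queries + 1):
        x = secrets.randbelow(n - 2) + 2
        y = oracle(rabin_encrypt(n, x))
        if y is None or y in (x, n - x):
            continue  # with probability 1/2 the oracle hands back ±x and nothing is learned
        f = gcd(y - x, n)
        return tuple(sorted((f, n // f))), query_count
    return None, max_queries


if __name__ == "__main__":
    n, sk = rabin_keygen()
    print("n =", n, "recovered:", lunchtime_attack(n, lambda c: rabin_decrypt_oracle(sk, c)))
```

Each query factors n with probability 1/2, so a handful of lunchtime queries suffice regardless of key size; what makes a Rabin decryptor safe to expose is not the modulus length but redundancy in the plaintext format, so that the device can identify the intended root and reject everything else rather than returning an arbitrary one.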

Adaptive CCA

In adaptive chosen-ciphertext attacks (CCA2), also known as IND-CCA2, the adversary is permitted to query a decryption oracle in two distinct phases: first, before receiving the challenge ciphertext, and second, after observing the challenge, with the restriction that the challenge ciphertext itself cannot be submitted for decryption. This model allows the attacker to interact dynamically with the decryption mechanism, simulating more realistic scenarios where an adversary can adapt strategies based on partial information gained during the attack. The primary advantage for the attacker lies in the ability to iteratively refine their approach, particularly through post-challenge queries that enable probing of ciphertexts closely related to the challenge without directly decrypting it, thereby narrowing down possible plaintexts or keys over multiple rounds. In contrast to non-adaptive attacks, this phased querying overcomes the limitations of static pre-challenge interactions by incorporating feedback loops that amplify the attack's effectiveness in exploiting implementation flaws. A prominent example is Bleichenbacher's 1998 attack on RSA encryption with PKCS#1 v1.5 padding, where the adversary exploits an adaptive padding oracle—revealing whether a ciphertext decrypts to correctly padded plaintext—to iteratively decrypt the target message through thousands of carefully crafted queries, often requiring as few as 20,000 calls in practice. This attack highlighted the vulnerability of common schemes to adaptive exploitation, leading to widespread implementation fixes in protocols like SSL/TLS. Subsequent variants of Bleichenbacher-style attacks have continued to expose vulnerabilities in real-world systems. The ROBOT attack (Return Of Bleichenbacher's Oracle Threat), disclosed in 2018, exploited RSA padding oracles across multiple TLS implementations and protocols, enabling cross-protocol attacks to recover session keys with as few as hundreds of thousands of queries.
More recently, the Marvin attack, described in 2023, introduced a timing-based variant that bypasses some constant-time mitigations, allowing attackers to mount Bleichenbacher-like oracles through side-channel observations on decryption timing, affecting libraries like NSS. These developments underscore the ongoing challenges in achieving full practical security against adaptive CCA, even with theoretical provability. Following real-world demonstrations of such vulnerabilities in the late 1990s, the adaptive model became the standard benchmark for secure public-key encryption schemes in modern cryptography, influencing the design of provably secure systems like Cramer-Shoup. This shift emphasized the need for robustness against dynamic adversaries, solidifying IND-CCA2 as the gold standard for evaluating encryption security.

Security Models

IND-CCA1 security

IND-CCA1 security, also known as indistinguishability under non-adaptive chosen-ciphertext attack, is a security model for public-key encryption schemes that captures resistance to adversaries who can query a decryption oracle only before receiving a challenge ciphertext. In this model, the adversary's ability to distinguish between encryptions of two chosen plaintexts is limited, with its advantage required to be negligible in the security parameter after pre-challenge queries only. The IND-CCA1 security game proceeds in the following phases: first, the challenger runs the key generation algorithm to produce a public key pk and secret key sk, providing pk to the probabilistic polynomial-time (PPT) adversary \mathcal{A}. Next, in the pre-challenge phase, \mathcal{A} adaptively queries a decryption oracle \mathsf{Dec}_{sk}(\cdot) on ciphertexts of its choice, receiving the corresponding plaintexts. The adversary then selects two equal-length plaintexts m_0 and m_1, and the challenger picks a random bit b \in \{0,1\}, computes the challenge ciphertext c^* = \mathsf{Enc}_{pk}(m_b), and sends c^* to \mathcal{A}. Finally, without access to any further oracle queries, \mathcal{A} outputs a guess b' for b. A public-key encryption scheme is IND-CCA1 secure if, for all PPT adversaries \mathcal{A}, the advantage in this game is negligible. The advantage is formally \left| \Pr[b' = b] - \frac{1}{2} \right|, and security requires \left| \Pr[b' = b] - \frac{1}{2} \right| \leq \mathsf{negl}(n), where n is the security parameter and \mathsf{negl}(n) denotes a negligible function in n. IND-CCA1 provides a weaker guarantee than IND-CCA2, as it disallows post-challenge decryption queries, limiting the adversary's adaptivity. While IND-CCA1 is sufficient for the data encapsulation mechanism (DEM) in certain constructions when combined with an appropriate key encapsulation mechanism (KEM) to achieve overall IND-CCA1 for the hybrid scheme, it is inadequate for ensuring full adaptive chosen-ciphertext security.

IND-CCA2 security

IND-CCA2 security, or indistinguishability under adaptive chosen-ciphertext attack, defines the gold-standard notion for protecting public-key encryption against fully adaptive adversaries in chosen-ciphertext scenarios. This model allows the adversary unlimited access to a decryption oracle before and after receiving a challenge ciphertext, with the sole restriction that the challenge ciphertext itself cannot be queried, enabling simulations of realistic attack environments where partial decryptions might inform further queries. The formal security game for IND-CCA2 unfolds in distinct phases. The challenger generates a public key pk and corresponding private key sk, providing pk to the probabilistic polynomial-time (PPT) adversary \mathcal{A}. In Phase 1, \mathcal{A} adaptively queries a decryption oracle \mathsf{Dec}_{sk}(\cdot) on arbitrary ciphertexts. \mathcal{A} then selects two messages m_0, m_1 of equal length, and the challenger picks a random bit b \in \{0,1\}, computes the challenge ciphertext c^* = \mathsf{Enc}_{pk}(m_b), and sends c^* to \mathcal{A}. In Phase 2, \mathcal{A} resumes adaptive queries to \mathsf{Dec}_{sk}(\cdot), excluding c^*. Finally, \mathcal{A} outputs a guess b' for b, winning the game if b' = b. A public-key encryption scheme is IND-CCA2 secure if, for all PPT adversaries \mathcal{A}, the advantage \mathsf{Adv}^{\mathsf{IND\text{-}CCA2}}_{\mathsf{PKE},\mathcal{A}}(k) = \left| \Pr[b' = b] - \frac{1}{2} \right| is negligible in the security parameter k. This extends the IND-CCA1 model by adding the post-challenge query phase, addressing the limitation that pre-challenge-only access fails to capture adaptive threats. Proofs establishing IND-CCA2 security commonly employ hybrid arguments, which chain intermediate games to bound the total advantage by the sum of negligible differences between neighbouring hybrids, and simulation paradigms that replicate oracle responses using auxiliary information without exposing the private key.
A prominent example is the Optimal Asymmetric Encryption Padding (OAEP) scheme combined with the RSA trapdoor permutation, which attains IND-CCA2 security in the random oracle model under the RSA assumption via these techniques.

Applications and Defenses

Implications for encryption schemes

Chosen-ciphertext attacks (CCAs) pose severe risks to the confidentiality of public-key encryption schemes, enabling adversaries to recover plaintexts or expose cryptographic keys in real-world protocols. In systems like SSL/TLS, a CCA can exploit decryption oracles—such as error messages indicating padding validity—to iteratively refine guesses about the target plaintext, ultimately decrypting session keys and compromising entire communications. This leads to the loss of confidentiality, as even minor side-channel information from decryption failures can leak sufficient detail to reconstruct sensitive data. A prominent historical example is the 1998 Bleichenbacher attack on RSA-based SSL implementations using PKCS#1 v1.5 padding, which allowed an adaptive attack requiring approximately one million chosen ciphertexts to forge signatures or decrypt messages. Subsequent practical tests in 2003 on implementations vulnerable to Bleichenbacher-style attacks revealed that about two-thirds of randomly selected SSL/TLS servers were susceptible, potentially exposing millions of encrypted sessions to decryption or man-in-the-middle attacks. The attack underscored the fragility of early protocols, prompting widespread patches but highlighting ongoing risks in legacy systems. Beyond web protocols, CCAs undermine public-key encryption in systems like PGP and VPN setups relying on RSA encryption, where attackers can manipulate intercepted ciphertexts and query recipients or gateways as unwitting decryption oracles to reveal message contents. For instance, chosen-ciphertext attacks on OpenPGP implementations exploiting the lack of mandatory integrity checks enable adaptive recovery of plaintexts from a single message by using the recipient as a decryption oracle, particularly when data is uncompressed. These attacks relate closely to side-channel leaks, as decryption oracles often manifest through observable behaviors like timing or error responses during decryption.
Fundamentally, CCA vulnerabilities demonstrate that a scheme secure against chosen-plaintext attacks (CPA-secure) may still fail to preserve confidentiality under active adversaries, as access to decryption information allows malleability and recovery beyond passive observation. This emphasizes the necessity of robust models that account for realistic scenarios in deployed systems. In modern contexts as of 2025, CCA security remains vital for post-quantum cryptographic standards, such as NIST's ML-KEM (CRYSTALS-Kyber), where recent chosen-ciphertext side-channel attacks on shuffled implementations highlight ongoing challenges in achieving robust protection against adaptive adversaries.

Methods to achieve CCA security

One prominent method to achieve chosen-ciphertext attack (CCA) security involves padding schemes that enhance basic trapdoor permutations, such as Optimal Asymmetric Encryption Padding (OAEP) applied to RSA. OAEP, introduced by Bellare and Rogaway, processes the plaintext using two random oracles (ideal hash functions G and H) before applying the RSA permutation, ensuring confidentiality and non-malleability against adaptive chosen-ciphertext attacks (IND-CCA2) in the random oracle model. This padding prevents malleability by randomizing the input to the permutation, making it computationally infeasible for an adversary to modify ciphertexts predictably without invalidating decryption. However, the original proof had limitations, and Shoup later provided a refined analysis showing that standard OAEP achieves IND-CCA2 security under specific conditions, such as RSA with exponent 3, while proposing OAEP+ as an improved variant with a tighter reduction. Hybrid encryption combines asymmetric and symmetric primitives to construct efficient CCA-secure schemes for long messages: an asymmetric key encapsulation mechanism (KEM) encrypts a symmetric key, which then encrypts the message via a data encapsulation mechanism (DEM). This approach leverages the strengths of both: public-key cryptography for key distribution and symmetric cryptography for bulk data. Fujisaki and Okamoto's transform provides a generic framework for converting a CPA-secure KEM and an IND-CPA-secure DEM into an IND-CCA2-secure scheme, often using hash functions to bind components and prevent re-encryption attacks. Provable security for CCA-secure schemes is typically established through reductions in the random oracle model (ROM), where hash functions are idealized as truly random functions accessible to all parties, simplifying proofs while enabling practical constructions. Bellare and Rogaway formalized the ROM, demonstrating that protocols secure in this model can be instantiated with practical hash functions, providing IND-CCA2 security for schemes like OAEP-RSA.
For stronger guarantees without the ROM, reductions rely on well-founded assumptions like the decisional Diffie-Hellman problem, as in the Fujisaki-Okamoto transform applied to ElGamal, which achieves IND-CCA2 by incorporating message authentication via hash-based techniques. Hash-based message authentication codes (MACs), such as HMAC, play a crucial role in preventing malleability in CCA-secure constructions by authenticating ciphertexts and ensuring that modified ciphertexts fail decryption or verification. Bellare, Canetti, and Krawczyk defined HMAC as a nested hash construction using a compression function as a pseudorandom function, providing provable security against existential forgery under chosen-message attacks. In hybrid schemes, integrating HMAC-like MACs with the DEM ensures that any ciphertext alteration is detectable, elevating CPA-secure bases to IND-CCA2 without excessive overhead. A key evolution from CPA to CCA security involves all-or-nothing transforms (AONTs), which preprocess data such that partial information reveals nothing, but the full output allows recovery, thwarting incremental attacks. Rivest introduced AONTs as a mode for block ciphers, showing they resist brute-force and differential attacks by requiring nearly all blocks for meaningful decryption. These transforms enable efficient upgrades: a CPA-secure scheme combined with an AONT can yield CCA security, though at the cost of increased computational overhead from additional hashing and permutation steps. Trade-offs in CCA-secure methods include balancing security strength with efficiency; ROM-based proofs like OAEP offer practicality but rely on idealized assumptions, while constructions like Fujisaki-Okamoto-ElGamal provide stronger provability at higher latency due to extra hash invocations.
Seminal works prioritize minimal overhead—OAEP adds about two hash evaluations per encryption—yet evolution via AONTs or MAC integration can double computation compared to plain schemes, justifying their use in high-stakes applications like TLS. Recent advances as of 2025 include CCA-secure post-quantum schemes, such as isogeny-based QFESTA, achieving IND-CCA security under SIDH-like assumptions with efficient performance.
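An added example (not code from the original page or from any library) of the OAEP mechanism described above, applied to a toy RSA trapdoor permutation. The two random oracles G and H are both instantiated by one truncated SHA-256 (an assumption made only so that the padded block fits a 150-bit modulus built from two Mersenne primes; a real deployment uses a full-length hash and a proper key size), and the encoding follows the RSAES-OAEP layout of label hash, zero padding, 0x01 separator, and MGF1-masked seed and data block. The point it shows is why OAEP resists the malleability discussed throughout the page: flipping a single ciphertext bit scrambles the whole decoded block, every integrity check fails, and the decoder reports one uniform rejection rather than saying which check failed.

```python
import hashlib
import os

# Constructed toy RSA trapdoor permutation from two Mersenne primes (about 150 bits:
# far too small for real use, but enough to carry the padded block).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # 19-byte blocks
HLEN = 4                       # toy hash length chosen so that 2*HLEN + 2 < K


def H(data):
    # Toy instantiation of the random oracles G and H: truncated SHA-256 (assumption)
    return hashlib.sha256(data).digest()[:HLEN]


def mgf1(seed, length):
    # Mask generation: H(seed || counter) concatenated until `length` bytes are available
    out = b"".join(H(seed + i.to_bytes(4, "big")) for i in range((length + HLEN - 1) // HLEN))
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, label=b"", seed=None):
    if len(m) > K - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus")
    # DB = lHash || PS (zeros) || 0x01 || M, then mask DB with the seed and the seed with DB
    db = H(label) + bytes(K - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em, label=b""):
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    rest = db[HLEN:]
    i = 0
    while i < len(rest) and rest[i] == 0:
        i += 1
    # Leading 0x00, label hash and separator are folded into ONE decision so that a
    # tampered ciphertext yields a single uniform rejection, not a distinguishable error
    ok = em[0] == 0 and db[:HLEN] == H(label) and i < len(rest) and rest[i] == 1
    if not ok:
        return None
    return rest[i + 1:]


def encrypt(m):
    return pow(int.from_bytes(oaep_encode(m), "big"), E, N).to_bytes(K, "big")


def decrypt(c):
    return oaep_decode(pow(int.from_bytes(c, "big"), D, N).to_bytes(K, "big"))


def flip_bit(c, bit):
    # Helper for the demonstration: the kind of modification a CCA adversary submits
    c = bytearray(c)
    c[bit // 8] ^= 1 << (bit % 8)
    return bytes(c)


if __name__ == "__main__":
    c = encrypt(b"hello")
    print("round trip:", decrypt(c))
    print("one flipped bit:", decrypt(flip_bit(c, 3)))
```

Because the seed mask depends on the masked data block and the data mask depends on the seed, a change anywhere in the block changes the recovered seed, and with it every byte of the recovered data block; that is the "all-or-nothing" property the page attributes to OAEP and to AONTs, and it is what turns the decryption oracle's answer for any modified ciphertext into a bare rejection.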
