
Known-plaintext attack

A known-plaintext attack (KPA) is a cryptanalytic technique in which an attacker possesses samples of both plaintext and the corresponding ciphertext, using these pairs to derive the encryption key or reveal additional . This attack model assumes the adversary can obtain such pairs through various means, such as intercepted communications with predictable content, and aims to exploit correlations between the plaintext and ciphertext to compromise the system.

The concept of known-plaintext attacks traces back to the early , when cryptologists began using the term "crib" to refer to guessed or known plaintext segments that could be matched against ciphertext for . A prominent historical example occurred during World War II, where Allied codebreakers at Bletchley Park, including , applied crib-based known-plaintext techniques to break the German Enigma machine's codes. They exploited predictable message elements, such as routine weather reports beginning with "Wetter" or repetitive phrases like "Heil Hitler" in military dispatches, to align cribs with intercepted ciphertexts and systematically test settings.

In modern cryptography, known-plaintext attacks remain a fundamental security criterion, with block ciphers like AES designed to withstand them under standard models. One notable advancement is linear cryptanalysis, introduced by Mitsuru Matsui in 1993, which uses known plaintext-ciphertext pairs to approximate linear relations in the cipher's operations, enabling key recovery for ciphers like DES with approximately 2^43 known plaintexts. While strong modern ciphers such as AES are resistant to practical known-plaintext attacks, vulnerabilities persist in weaker systems, such as the stream cipher, where unencrypted headers in compressed files provide exploitable plaintext pairs. These attacks underscore the importance of avoiding predictable plaintext in secure communications, often mitigated through , , or one-time pads.

Fundamentals

Definition

A known-plaintext attack (KPA) is a cryptanalytic technique in which an attacker gains access to one or more pairs of plaintext and corresponding ciphertext, leveraging this information to deduce the encryption key or recover additional plaintext from other ciphertexts. The attacker's primary objective is to compromise the system by recovering the secret key, thereby enabling decryption of arbitrary messages, or directly revealing hidden plaintext portions without full key recovery.

Within the spectrum of cryptanalytic models, KPA assumes partial but verifiable knowledge of message content, distinguishing it from weaker ciphertext-only attacks—where no plaintext is available—and positioning it as a foundational for evaluating cipher security. This attack presupposes familiarity with symmetric encryption fundamentals, including substitution methods that replace plaintext symbols with ciphertext equivalents via fixed mappings and transposition techniques that rearrange positions to obscure the original order, both serving as core building blocks for more complex ciphers.

Assumptions and Scenarios

A known-plaintext attack relies on the fundamental assumption that the attacker possesses one or more pairs of plaintext and corresponding ciphertext, all encrypted under the same secret key. This access often stems from predictable or standardized structures, such as fixed headers in diplomatic messages or routine phrases in communications. For instance, during World War II, Allied cryptanalysts exploited recurring weather reports in German naval messages, which began with known phrases like "WETTER" (German for "weather"), providing reliable plaintext cribs for decryption efforts.

Common scenarios where such attacks become feasible include encrypted file formats with identifiable headers. In ZIP archives using the weak , attackers can leverage the unencrypted file headers or known internal structures—such as the 13 bytes of predictable data following the header—to recover the 96-bit internal key representation, enabling decryption of the entire archive and any other files under the same key.

The feasibility of a known-plaintext attack depends on several factors, including the quantity of plaintext-ciphertext pairs available and the computational resources required. For simple ciphers like monoalphabetic substitution, typically 10-100 character pairs suffice to map the full substitution table, assuming coverage of the alphabet, with minimal computation needed beyond . In contrast, partial key recovery—such as extracting the keystream for a segment—may require fewer pairs than full key recovery, but ciphers like DES demand large numbers (e.g., approximately 2^{43} known plaintext-ciphertext pairs for linear cryptanalysis on full DES) due to high computational demands.

Unique risks arise in systems with key reuse across multiple messages or predictable initialization vectors (IVs), amplifying the impact of known-plaintext pairs.
When the same key encrypts diverse plaintexts, attackers can correlate multiple pairs to deduce the key more efficiently; for example, in ECB mode, identical plaintext blocks yield identical ciphertext blocks, directly revealing patterns without needing an IV. Non-random or fixed IVs in modes like CBC exacerbate this, as attackers can XOR known plaintext differences with ciphertext differences to isolate the key's effect on subsequent blocks, potentially recovering the full session key from just a few pairs.

Operational Mechanism

Attack Process

In a known-plaintext attack, the process begins with the attacker collecting one or more pairs of plaintext and corresponding ciphertext, typically obtained through interception of encrypted communications, data leaks, or successful guessing of plaintext content in predictable formats. Next, the attacker analyzes these pairs to identify exploitable patterns, such as discrepancies in letter frequencies or statistical correlations between the plaintext and ciphertext distributions that reveal information about the key. The attacker then generates hypotheses for possible key values based on the observed patterns and systematically tests these candidates by attempting to decrypt the known plaintext-ciphertext pairs with each one. Upon identifying a candidate that successfully decrypts all known pairs, the attacker verifies its correctness through additional checks, such as consistency with partial decryptions or cross-validation against any extra pairs, and applies it to decrypt previously unknown ciphertexts.

Common tools and techniques employed include , which maps known plaintext characters directly to their ciphertext equivalents in monoalphabetic ciphers to build partial or full tables, and hill-climbing algorithms, which iteratively refine key guesses for polyalphabetic ciphers by maximizing a fitness function based on linguistic patterns in partial decryptions.

The complexity of the attack varies: it can be linear in the number of known pairs for simple ciphers where key derivation involves straightforward matching or solving small systems of equations, but approaches exponential time for robust ciphers like DES, requiring exhaustive search over vast key spaces (e.g., 2^{56} trials) without structural weaknesses to exploit.

Mathematical Basis

The formal of a known-plaintext attack assumes an encryption scheme where the ciphertext $c$ is produced from plaintext $m$ using a secret key $k$, denoted as $c = E_k(m)$. The attacker possesses a set of known plaintext-ciphertext pairs $\{(m_i, c_i)\}_{i=1}^{t}$, and the goal is to recover $k$ or decrypt additional ciphertexts by solving for $k$ such that $E_k(m_i) = c_i$ for all $i$.

In linear ciphers, such as the affine cipher defined over the integers modulo $n$ (typically $n = 26$ for English letters), the encryption function is $E(m) = (a \cdot m + b) \bmod n$, where $a$ and $b$ are the key parameters with $\gcd(a, n) = 1$ to ensure invertibility. Given two distinct pairs $(m_1, c_1)$ and $(m_2, c_2)$, the system of congruences is:

$$
\begin{cases}
a \cdot m_1 + b \equiv c_1 \pmod{n} \\
a \cdot m_2 + b \equiv c_2 \pmod{n}
\end{cases}
$$

Subtracting the equations yields $a \cdot (m_1 - m_2) \equiv c_1 - c_2 \pmod{n}$, allowing solution for $a$ by multiplying both sides by the modular inverse of $(m_1 - m_2) \pmod{n}$; then $b$ follows by substitution. Two such pairs suffice for key recovery, assuming the differences are coprime to $n$.

For probabilistic or non-deterministic ciphers, a statistical approach recovers the key by maximizing the likelihood function $L(k) = \prod_{i=1}^{t} P(c_i \mid m_i, k)$, where $P(c_i \mid m_i, k)$ models the probability of observing ciphertext $c_i$ given plaintext $m_i$ and hypothesized key $k$. This maximization can employ brute-force enumeration over the key space or optimization techniques like Markov Chain Monte Carlo sampling from the posterior distribution in a Bayesian framework, incorporating priors on key components.

From an information-theoretic perspective, known plaintext-ciphertext pairs reduce the uncertainty about the key, as quantified by the conditional entropy $H(K \mid \{(m_i, c_i)\}) < H(K)$, where $H(K)$ is the initial key entropy and the reduction depends on the redundancy in the plaintext source. This shrinkage of the effective key space, bounded by the unicity distance $n_0 \approx H(K) / D$ (with $D$ the redundancy), enables unique key recovery beyond a certain number of pairs.
These equations and models assume the encryption is invertible and linear (or approximable as such); for non-linear ciphers, exact solutions may not exist, necessitating approximations or optimizations that increase .
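The affine-cipher derivation above, carried through in code as an added example (not part of the original page). It also covers the case the text sets aside, where $m_1 - m_2$ is not coprime to $n$ and the congruence has several solutions; the key (5, 8) and the sample letters are constructed for illustration.

```python
from math import gcd

N = 26  # alphabet size, A=0 ... Z=25


def affine_encrypt(m, a, b, n=N):
    return (a * m + b) % n


def affine_decrypt(c, a, b, n=N):
    return (pow(a, -1, n) * (c - b)) % n


def recover_affine_keys(pairs, n=N):
    """Return every key (a, b) with gcd(a, n) == 1 that maps each known m to its c."""
    if len(pairs) < 2:
        raise ValueError("need at least two known pairs")
    (m1, c1), (m2, c2) = pairs[0], pairs[1]
    dm, dc = (m1 - m2) % n, (c1 - c2) % n
    if dm == 0:
        raise ValueError("the first two plaintext symbols must differ")
    g = gcd(dm, n)
    if dc % g:
        return []  # pairs are inconsistent with any affine key
    # Solve a*dm = dc (mod n): divide through by g, invert modulo n/g,
    # then lift to the g solutions modulo n.
    n_g = n // g
    a0 = (dc // g) * pow(dm // g, -1, n_g) % n_g
    keys = []
    for k in range(g):
        a = a0 + k * n_g
        if gcd(a, n) != 1:
            continue  # not a valid (invertible) affine multiplier
        b = (c1 - a * m1) % n
        # Any further pairs act as the verification step.
        if all(affine_encrypt(m, a, b, n) == c for m, c in pairs):
            keys.append((a, b))
    return keys


def pairs_from_text(plain, cipher):
    return [(ord(p) - 65, ord(c) - 65) for p, c in zip(plain, cipher)]


def encrypt_text(text, a, b):
    return "".join(chr(affine_encrypt(ord(ch) - 65, a, b) + 65) for ch in text)


def decrypt_text(text, a, b):
    return "".join(chr(affine_decrypt(ord(ch) - 65, a, b) + 65) for ch in text)


if __name__ == "__main__":
    # Constructed samples, all encrypted under a=5, b=8.
    print(recover_affine_keys(pairs_from_text("HE", "RC")))        # difference 3: unique key
    print(len(recover_affine_keys(pairs_from_text("AN", "IV"))))   # difference 13: ambiguous
    print(recover_affine_keys(pairs_from_text("ANH", "IVR")))      # third pair resolves it
```

With the pair A/N the plaintext difference is 13, which shares a factor with 26, so every valid multiplier remains a candidate until a third pair is checked.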

Historical Development

Origins in Classical

The known-plaintext attack (KPA) emerged as a fundamental cryptanalytic technique in classical , where attackers exploited predictable or intercepted portions of plaintext to deduce encryption keys or patterns. One of the earliest applications involved simple ciphers like the Caesar cipher, dating back to the 1st century BCE, where a shift in the alphabet could be directly revealed if even a single known plaintext letter corresponded to its ciphertext equivalent, allowing brute-force testing of the limited 25 possible shifts.

During the Renaissance, particularly in 16th-century Italy, cryptanalysts employed KPAs against polyalphabetic ciphers such as the Vigenère (invented around 1553 by ) in diplomatic communications. Italian codebreakers, working for city-states like Venice, targeted standard phrases in official correspondence—such as formal salutations or recurring diplomatic formulas like references—which served as reliable "cribs" to align and uncover shifts, often breaking messages without full frequency analysis. This approach was crucial in , as Venetian analysts routinely deciphered foreign dispatches to gain political advantages.

A pivotal advancement came in 1863 with Friedrich Kasiski's systematic method for attacking the Vigenère cipher, which relied on identifying repeated sequences (like common words in messages) that produced identical fragments separated by multiples of the key length. By measuring distances between these repeats, Kasiski estimated key lengths, enabling subsequent decryption; this technique, while primarily -based, presupposed of likely redundancies in long texts, marking a bridge to more structured KPAs.

Auguste Kerckhoffs formalized the risks of such attacks in his 1883 treatise La Cryptographie Militaire, outlining six principles for secure systems, emphasizing that ciphers must remain robust even if the enemy knows the system, thereby highlighting key secrecy as essential while noting exposure as a core vulnerability in .

A landmark demonstration of KPA's wartime impact occurred during World War I, when French cryptanalyst Georges Painvin broke the German ADFGVX cipher in 1918 using cribs from known message depths and phrases like "attaque" in operational orders. This decryption revealed German troop movements for the Second Battle of the Marne, enabling Allied countermeasures that halted the offensive and contributed to shortening the war by months through superior intelligence on military traffic.

Evolution in Modern Contexts

A pivotal milestone in the theoretical evolution of known-plaintext attacks (KPA) occurred in 1949 when Claude Shannon formalized cryptographic security models in his seminal work, "Communication Theory of Secrecy Systems," establishing perfect secrecy criteria and distinguishing attack types including KPA, where an adversary possesses pairs of plaintext and corresponding ciphertext to infer keys or patterns. This framework shifted from ad hoc methods to information-theoretic analysis, influencing subsequent evaluations of resistance.

During World War II, KPAs played a crucial role in breaking the German Enigma at Bletchley Park from 1939 to 1945, exploiting predictable plaintext elements such as the recurring "Heil Hitler" signoffs in military messages and standardized weather cipher formats transmitted daily. These "cribs"—known plaintext fragments aligned with ciphertext—enabled cryptanalysts like to test rotor settings and message keys efficiently using devices such as the Bombe, accelerating decryption of naval and air traffic. The success of these attacks highlighted the vulnerability of mechanized ciphers to structured plaintext, informing post-war designs for randomness in message formats.

In the post-war era, KPAs were integral to analyzing the Data Encryption Standard (DES) during the 1970s, where cryptanalysts evaluated its 56-bit key against known blocks to assess brute-force feasibility and early techniques. A notable concern was the meet-in-the-middle attack on double DES, requiring approximately 2^56 operations with known plaintext-ciphertext pairs, which demonstrated that extending DES keys linearly did not quadratically enhance security. These analyses, conducted by and the National Bureau of Standards, underscored the need for longer keys in symmetric ciphers.

The influence of KPAs extended to the design of the Advanced Encryption Standard (AES) in 2001, where candidates like Rijndael were rigorously tested for resistance to known attacks, including linear and differential cryptanalysis variants that rely on plaintext-ciphertext pairs. AES's substitution-permutation structure, with 10 rounds for the 128-bit key variant, provides a security margin exceeding the best-known KPA complexities, ensuring no practical breaks despite extensive scrutiny. This design philosophy prioritized broad attack resistance, shaping modern block ciphers.

In the digital era of the , KPAs targeted stream ciphers like RC4 in the Wired Equivalent Privacy (WEP) protocol for Wi-Fi, exploiting the reuse of initialization vectors (IVs) that exposed predictable keystream segments when combined with known plaintext from packet headers. Attacks such as Fluhrer-Mantin-Shamir (FMS) recovered the 40- or 104-bit WEP key using as few as 10,000-50,000 packets with weak IVs, demonstrating how IV predictability amplified KPA effectiveness in wireless environments. These vulnerabilities led to WEP's deprecation by 2004, prompting shifts to stronger protocols like WPA2.

Recent trends up to 2025 have introduced quantum-assisted KPAs threatening symmetric keys, where Grover's algorithm reduces the search space for key recovery from 2^n to 2^{n/2} operations given known plaintext-ciphertext pairs, potentially halving AES-256's effective security to 128 bits. For instance, quantum implementations could accelerate exhaustive searches on reduced-round variants, though full-scale threats remain engineering-limited. Concurrently, post-2010 TLS handshake vulnerabilities have leveraged partial known plaintext in record protocols; the 2013 Lucky Thirteen attack exploited timing side-channels on padding to recover plaintext bytes during handshakes, assuming knowledge of message structures like client hellos. Similarly, 2015 analyses of RC4 biases in TLS enabled password recovery from handshake cookies using known plaintext prefixes, affecting up to 30% of TLS traffic at the time. These developments emphasize ongoing adaptations of KPAs to quantum and protocol contexts.

Practical Examples

Application to Substitution Ciphers

In monoalphabetic substitution ciphers, where each plaintext letter is consistently replaced by a corresponding ciphertext letter according to a fixed mapping, a known-plaintext attack exploits pairs of known plaintext and matching ciphertext to directly reveal the mapping. For instance, if the known plaintext includes common words like "THE," and the corresponding ciphertext is identified (e.g., "QEB" for "THE"), the attacker maps T to Q, H to E, and E to B, progressively building the full substitution table as more letters are covered by the known pairs. With sufficient pairs spanning the alphabet—typically 5-10 distinct letter mappings—the entire key can be reconstructed, rendering the cipher insecure.

Polyalphabetic substitution ciphers, such as the Vigenère cipher, use a repeating keyword to shift plaintext letters by varying amounts modulo 26, creating multiple substitution alphabets. In a known-plaintext attack, the attacker aligns the known plaintext with the ciphertext and computes the key stream by subtracting the plaintext letter values from the ciphertext values modulo 26 for each position. For example, consider the plaintext "ATTACKATDAWN" and a corresponding ciphertext "LXFOPVEFRNHR"; subtracting yields key letters L-E-M-O-N-L-E-M-O-N-L-E, revealing the repeating keyword "LEMON" once the period is evident from the repetition. Short keywords (e.g., length 5-10) are particularly vulnerable, as a known plaintext segment longer than the key length suffices to recover the full keyword and decrypt further messages.

Historically, known-plaintext attacks contributed to breaking Confederate Vigenère ciphers during the U.S. Civil War (1861-1865), where Union cryptanalysts used cribs—guessed plaintext phrases from standard military formats—alongside captured ciphertexts to deduce keywords like "MANCHESTER BLUFF" or "COMPLETE VICTORY," often succeeding with just a few aligned pairs due to the short key lengths employed. These attacks highlighted the cipher's weaknesses against predictable message structures.

A key limitation arises with random or non-natural-language plaintext, which resists practical known-plaintext exploitation better than English text, as attackers rely on linguistic patterns to initially hypothesize or obtain reliable cribs for alignment.
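The Vigenère subtraction described above, as an added example that is not part of the original page. It goes one step beyond the text by handling a crib that sits at a nonzero offset in the message (so the recovered stream is a rotation of the keyword) and by flagging a crib too short to show the period repeating; the longer message is constructed for illustration.

```python
A = ord("A")


def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) uppercase A-Z text with a repeating keyword."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(t) - A + sign * (ord(key[i % len(key)]) - A)) % 26 + A)
        for i, t in enumerate(text)
    )


def keystream_from_crib(ciphertext, crib, offset=0):
    """Subtract known plaintext from the aligned ciphertext, modulo 26."""
    segment = ciphertext[offset:offset + len(crib)]
    if len(segment) < len(crib):
        raise ValueError("crib does not fit at this offset")
    return "".join(chr((ord(c) - ord(p)) % 26 + A) for c, p in zip(segment, crib))


def shortest_period(stream):
    """Smallest p such that the stream repeats with period p."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p


def recover_keyword(ciphertext, crib, offset=0):
    """Return (keyword, confirmed).

    confirmed is True only when the crib covers at least two full periods;
    otherwise the candidate may be a truncated key.
    """
    stream = keystream_from_crib(ciphertext, crib, offset)
    period = shortest_period(stream)
    key = [""] * period
    for j in range(period):
        # stream[j] was applied at message position offset + j
        key[(offset + j) % period] = stream[j]
    return "".join(key), len(stream) >= 2 * period


if __name__ == "__main__":
    # The pair from the text above.
    print(keystream_from_crib("LXFOPVEFRNHR", "ATTACKATDAWN"))  # LEMONLEMONLE
    print(recover_keyword("LXFOPVEFRNHR", "ATTACKATDAWN"))

    # Constructed message: the same crib, but 12 characters into the text.
    message = "HOLDPOSITIONATTACKATDAWN"
    ciphertext = vigenere(message, "LEMON")
    key, confirmed = recover_keyword(ciphertext, "ATTACKATDAWN", offset=12)
    print(key, confirmed, vigenere(ciphertext, key, decrypt=True))

    # A crib shorter than the keyword yields an unconfirmed, truncated candidate.
    print(recover_keyword("LXFO", "ATTA"))
```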

Vulnerabilities in Block Ciphers

Block ciphers operating in Electronic Codebook (ECB) mode are particularly susceptible to known-plaintext attacks because each plaintext block is encrypted independently, resulting in identical ciphertext blocks for identical plaintext blocks. This allows an attacker with access to known plaintext to directly map specific plaintext blocks to their corresponding ciphertext blocks, revealing structural patterns in the , such as repetitions in images or files. For instance, encrypting a penguin image in ECB mode produces visible outlines in the ciphertext due to uniform color blocks mapping to the same encrypted values, enabling partial recovery without the key.

In Cipher Block Chaining (CBC) mode, known plaintext can facilitate the recovery of the initialization vector (IV), especially when combined with a padding oracle vulnerability. By reordering ciphertext blocks and exploiting the oracle to validate padding, an attacker can deduce the decryption of a known block and compute the IV as IV = known_plaintext ⊕ decrypted_block. This approach, demonstrated in Encrypt-then-TLS scenarios without , allows subsequent decryption of related ciphertexts, such as sensitive card numbers, using as few as two ciphertexts per message.

Linear cryptanalysis on the Data Encryption Standard (DES) leverages known plaintext-ciphertext pairs to approximate linear relations through the cipher's operations, requiring approximately 2^43 pairs for key recovery on the full 16-round DES. Triple DES (3DES) inherits similar vulnerabilities but at higher complexity due to multiple encryptions; however, two-key 3DES can be targeted with known-plaintext attacks achieving key recovery in 2^88 time using partial plaintext information. For the Advanced Encryption Standard (AES), linear cryptanalysis uses approximations of outputs, such as Γ(X_3 ⊕ X_4) ≈ Γ(Y_1 ⊕ Y_4) with a of 3/8, to attack reduced rounds; a 4-round AES-128 variant requires about 2^43 known plaintexts for key recovery by piling approximations across rounds.

A notable real-world application occurred in the with wallet files, where known structural headers in the (e.g., wallet formats) enabled known-plaintext attacks on the underlying , facilitating recovery of private keys from compromised or forgotten wallets without full key exhaustion. Recent research up to 2025 highlights side-channel known-plaintext attacks on like AES in hardware implementations, particularly cache-timing variants targeting T-table lookups. These attacks measure execution time variations during encryption of known plaintext to infer key bytes, with modern processors enabling full key recovery in under 2^30 measurements by exploiting cache eviction patterns, as benchmarked in .

Comparative Analysis

Differences from Ciphertext-Only Attacks

The known-plaintext attack (KPA) fundamentally differs from the ciphertext-only attack (COA) in the information available to the cryptanalyst: while COA relies solely on the ciphertext to infer the key or plaintext through statistical methods like frequency analysis, KPA assumes access to specific plaintext-ciphertext pairs, often called "cribs," which directly constrain the possible keys and reduce the search space from probabilistic guesses to targeted verification. This additional knowledge in KPA enables more efficient , as the pairs provide concrete mappings that can be used to solve for the key deterministically, whereas COA must exploit inherent patterns in the ciphertext alone, such as letter frequencies in .

In terms of complexity and data requirements, COA typically demands a vast amount of ciphertext to achieve reliable results—for instance, breaking classical ciphers via frequency analysis often requires hundreds to thousands of characters to establish accurate statistical distributions, and for polyalphabetic systems like , ciphertext-only methods may necessitate multiple messages totaling thousands of characters for feasibility even with modern computing. In contrast, KPA can succeed with far fewer resources, such as dozens of known plaintext-ciphertext pairs or even shorter cribs, allowing the attacker to test and eliminate key candidates systematically rather than through exhaustive statistical inference. This disparity highlights KPA's advantage in practicality: key trials become deterministic and faster, leveraging the exact matches from known pairs, while COA remains probabilistic and sensitive to the absence of discernible patterns.

An illustrative comparison arises in the cryptanalysis of the Enigma machine during World War II, where pure COA approaches, reliant on statistical methods without plaintext assumptions, proved infeasible with 1940s technology and would have taken months of manual effort even for initial breaks due to the cipher's design masking frequencies.
Introducing cribs in known-plaintext attacks at Bletchley Park dramatically accelerated the process, enabling daily key settings to be recovered in hours to days using devices like the Bombe, which tested rotor configurations against assumed plaintext segments from predictable German message formats. Although COA represents a theoretically weaker attack model—providing the adversary with less information and thus being easier to resist in principle—it is often harder to execute in practice without exploitable patterns in the ciphertext, underscoring why KPAs were pivotal in historical breakthroughs.

Relation to Chosen-Plaintext Attacks

In the hierarchy of cryptanalytic attack models, a known-plaintext attack (KPA) represents a relatively passive where the adversary possesses a set of plaintext-ciphertext pairs obtained from the system's natural operation, without the ability to influence the inputs. This contrasts with the chosen-plaintext attack (CPA), a more powerful model in which the adversary actively queries an encryption oracle with plaintexts of their own selection to receive corresponding ciphertexts, enabling targeted analysis of the cipher's behavior. The progression from KPA to CPA escalates the adversary's capabilities, positioning KPA as a foundational, weaker threat in the spectrum that includes ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext attacks.

Many CPA techniques build directly on KPA foundations by leveraging known plaintext-ciphertext pairs to inform or simulate chosen inputs, allowing attackers to refine their strategies for key recovery or structural weaknesses. For example, differential cryptanalysis, a seminal method introduced for DES-like ciphers, primarily relies on plaintext pairs to exploit probabilistic differences in cipher outputs, though it can be adapted to known plaintext scenarios at the cost of increased complexity and data requirements. In practice, this transition highlights how KPA data can bootstrap more aggressive CPA probes, amplifying the attack's efficiency when partial control is achievable.

Security implications underscore that ciphers provably secure against CPA are automatically resistant to KPA, as the latter requires no additional adversarial resources beyond what CPA already assumes. The Data Encryption Standard (DES) exemplifies vulnerability to both, succumbing to differential cryptanalysis under CPA with approximately 2^47 chosen plaintexts for its full 16 rounds, and requiring even more effort under KPA constraints. Conversely, the Advanced Encryption Standard (AES) incorporates design principles, such as wide-trail strategies, to provide strong resistance against both models, with no practical breaks known despite extensive analysis under CPA assumptions.

A key distinction within CPA lies in its adaptive versus non-adaptive variants, where non-adaptive CPA involves selecting all plaintexts upfront—mirroring an enhanced KPA but with attacker-chosen inputs—while adaptive CPA permits sequential queries informed by prior responses, further intensifying the threat. KPA thus serves as a non-adaptive , informing the evaluation of ciphers' robustness across these spectra. In emerging post-quantum contexts, encryption schemes combining classical and quantum-resistant , such as those in HPKE standards, prioritize IND-CPA to encompass , addressing evolving threats from quantum adversaries.

Mitigation Strategies

Design Principles for Resistance

Cryptographic systems are designed to resist known-plaintext attacks (KPA) by adhering to principles that ensure security even when some plaintext-ciphertext pairs are available to an adversary. A foundational extension of Kerckhoffs' principle emphasizes that the system remains secure if the key is secret, regardless of knowledge of the algorithm and partial plaintext, thereby preventing key recovery or pattern exploitation from known pairs.

A key design principle involves employing large, random keys, such as 128 bits or greater, to render exhaustive key searches computationally infeasible even with multiple known plaintext-ciphertext pairs. For instance, the Advanced Encryption Standard (AES) uses keys of 128, 192, or 256 bits, requiring approximately 2^{127} operations for brute-force attacks on the smallest variant, far beyond current computational capabilities. This key length ensures that the effort to test all possibilities remains prohibitive despite available pairs.

In modes of operation, selecting modes that provide strong is essential to mitigate KPA vulnerabilities. Electronic Codebook (ECB) mode is avoided due to its lack of , where identical plaintext blocks produce identical ciphertext blocks, allowing attackers to identify patterns from known plaintext. In contrast, Counter (CTR) mode and Galois/Counter Mode (GCM) are preferred, as CTR generates a unique keystream via incrementing counters, and GCM combines this with to diffuse effects across the output, ensuring that known pairs do not reveal information about other blocks.

Additional measures include the use of random initialization vectors (IVs) or nonces, salting for key derivation, and appropriate padding to obscure patterns and prevent predictability. Random IVs, which must be unique per encryption under the same key, ensure variability in ciphertext even for repeated plaintexts, thwarting direct correlation in KPA scenarios. Padding schemes, such as , extend messages to block boundaries without introducing exploitable regularities, while salting adds to inputs, further randomizing outputs. These elements collectively enhance resistance by eliminating repeatable structures that could be leveraged from known plaintext.

Theoretically, resistance to KPA is grounded in provable models where ciphers function as pseudorandom permutations (PRPs), indistinguishable from random permutations even under chosen-plaintext attacks—a stronger adversary model than KPA. PRPs ensure that no efficient adversary can exploit plaintext-ciphertext pairs to distinguish the cipher from random behavior, providing formal guarantees of . This approach underpins modern ciphers, making KPA ineffective without key compromise.
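The mode-of-operation points above and in the block-cipher section (ECB's repeated blocks, CTR's per-message keystream, and the requirement that a nonce be unique under a key), as an added example that is not part of the original page. Python's standard library has no AES, so a small HMAC-based Feistel permutation stands in for the block cipher; that stand-in, the key, the nonces and both messages are constructed for illustration and are not for production use.

```python
import hashlib
import hmac

BLOCK = 16


def toy_block_encrypt(key, block):
    """4-round Feistel permutation on 16 bytes (stand-in for AES, illustration only)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(x ^ y for x, y in zip(left, f))
    return left + right


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    return b"".join(toy_block_encrypt(key, b) for b in blocks(plaintext))


def ctr_encrypt(key, nonce, plaintext):
    """CTR keystream: encrypt nonce || counter, XOR with the plaintext block."""
    return b"".join(
        xor(b, toy_block_encrypt(key, nonce + n.to_bytes(8, "big")))
        for n, b in enumerate(blocks(plaintext))
    )


def codebook_lookup(known_pt, known_ct, other_ct):
    """What a known pair reveals about another ciphertext by block equality alone."""
    book = dict(zip(blocks(known_ct), blocks(known_pt)))
    return [book.get(b) for b in blocks(other_ct)]


def keystream_reuse(known_pt, known_ct, other_ct):
    """If two messages share a keystream, one known pair decrypts the other."""
    return xor(xor(known_pt, known_ct), other_ct)


KEY = bytes(range(16))                                   # constructed key
KNOWN = b"USER=alice;;;;;;" + b"ROLE=admin;;;;;;"        # plaintext the observer knows
SECRET = b"USER=bob;;;;;;;;" + b"ROLE=admin;;;;;;"       # plaintext the observer lacks
N1, N2 = b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"    # constructed 8-byte nonces


def demo():
    return {
        # ECB: the shared second block is identified without the key.
        "ecb": codebook_lookup(KNOWN, ecb_encrypt(KEY, KNOWN), ecb_encrypt(KEY, SECRET)),
        # CTR with a fresh nonce per message: no block matches, XOR yields noise.
        "ctr_unique": codebook_lookup(
            KNOWN, ctr_encrypt(KEY, N1, KNOWN), ctr_encrypt(KEY, N2, SECRET)),
        "ctr_unique_xor": keystream_reuse(
            KNOWN, ctr_encrypt(KEY, N1, KNOWN), ctr_encrypt(KEY, N2, SECRET)),
        # CTR with the nonce reused: the known pair exposes the whole message.
        "ctr_reused": keystream_reuse(
            KNOWN, ctr_encrypt(KEY, N1, KNOWN), ctr_encrypt(KEY, N1, SECRET)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same check works as an audit on captured ciphertexts: repeated 16-byte blocks point to ECB, and two messages whose XOR looks like text point to a reused nonce.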

Role in Cryptosystem Evaluation

Known-plaintext attacks (KPAs) form a cornerstone of cryptosystem evaluation frameworks, serving as a baseline security criterion in standardized testing processes conducted by bodies such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). During the Advanced Encryption Standard (AES) competition in the late 1990s, candidate algorithms were explicitly required to withstand known plaintext attacks, alongside other cryptanalytic methods, to verify their robustness against scenarios where an adversary possesses matching plaintext-ciphertext pairs. This emphasis on KPA resistance ensures that approved ciphers maintain security even under realistic interception conditions, influencing the selection of Rijndael as AES.

To assess KPA vulnerability, cryptographers simulate attacks using specialized tools that implement cipher operations and attack algorithms, measuring key recovery efficiency. Libraries like Crypto++, a C++-based cryptographic toolkit, enable the construction of test environments for block ciphers, allowing quantification of attack feasibility through repeated encryptions and key searches. Similarly, SageMath, an open-source mathematics software system, provides modules for , facilitating simulations of linear or differential KPAs on symmetric primitives to evaluate breakdown points. These methods typically involve generating controlled plaintext-ciphertext pairs and applying statistical or algebraic techniques to derive keys, with results informing iterative design refinements.

Key performance metrics in KPA evaluations include the attack's success probability, the minimum number of plaintext-ciphertext pairs needed for reliable recovery, and the associated computational cost, often expressed in terms of operations or processor cycles. For example, Mitsuru Matsui's linear cryptanalysis on DES requires approximately 2^43 known pairs with a success probability exceeding 85% and a computational cost of 2^43 encryptions, highlighting how such metrics establish margins against practical threats.
These indicators guide , ensuring systems exceed thresholds for deployment. The broader implications of KPA evaluations extend to certification standards like and its successor , where modules must employ algorithms resistant to fundamental attacks including KPAs to achieve validation levels. This process identifies persistent weaknesses in legacy systems, such as older VPN implementations relying on PPTP, which remain susceptible to KPAs on their encryption components like RADIUS or MPPE due to predictable plaintext structures in protocols.

    [PDF] Submission Requirements & Evaluation Criteria: Post-Quantum Crypto
    Another case where security and performance interact is resistance to side-channel attacks. Schemes that can be made resistant to side-channel attack at minimal ...