Re: Chosen plaintext attacks



On Tue, 14 Sep 2010 02:45:43 -0700 (PDT), JT
<jonas.thornvall@xxxxxxxxxxx> wrote:

> Someone here suggested a chosen plaintext attack on CSPRNG which
> baffled me a bit and made me tell him he was crazy.
>
> When you make a CSPRNG which is just a random number generator with a
> small period like a hash,

A hash is not a CSPRNG. A hash may be a component of a CSPRNG but not
on its own.

> or a long period like a PRP (pseudo random
> permutation). And then you have the LFSR, which I guess can have both
> longer and shorter periods.
>
> All CSPRNGs rely on the algorithm not leaking information about
> the internal state, so you want to prevent the attacker from being
> able to calculate the next bit, byte or block of output from the CSPRNG.

A good CSPRNG should not leak any information about either the next
state or the previous state. If the attacker captures part of the
keystream then she should not be able to read either new messages sent
after or old messages sent before the known keystream.

> So if I give the attacker 1 gigabyte of output from the CSPRNG, he
> should not be able to calculate the next bit, byte or block. So that
> someone who suggested a chosen plaintext attack on CSPRNG, what did he
> really mean? Was he just confused, or was there any idea within that OT
> statement?
>
> So when are known plaintext attacks applicable? To me it seems they are
> mainly applicable to block ciphers with fixed S-boxes?

A chosen plaintext allows the attacker to easily extract the keystream
from the ciphertext. Having the keystream allows the attacker to
attack the underlying CSPRNG directly.

rossum
