Re: Chosen plaintext attacks

I'm deliberately ignoring the keystream recovery version.

"JT" <jonas.thornvall@xxxxxxxxxxx> wrote in message news:2818809f-a710-4169-89b3-47371c471af8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Someone here suggested a chosen plaintext attack on CSPRNG which
baffled me a bit and made me tell him he was crazy.

When you make a CSPRNG which is just a random number generator with a
small period like a hash, or a long period like a PRP (pseudo random
permutation). And then you have the LFSR, which I guess can have both
longer and shorter periods.

So when are known plaintext attacks applicable?

Oddly, it is actually possible that under some circumstances a chosen plaintext attack could be mounted on a PRNG. To see exactly how this would be done, consider a block cipher in CTR mode; a chosen ciphertext attack on the PRNG in this case would be conceivable, although the exact circumstances to mount this attack are murky at best.

To me it seems they are
mainly applicable to block ciphers with fixed S-boxes?

They are easily applicable any time a PRF (Pseudo Random Function; a PRP is one type of PRF) with an input that can be thought of as a plaintext is present in the system. In a stream cipher mode of operation these can be difficult to mount, but such an attack can still be possible.

It's also worth noting that in a stream cipher mode of operation the plaintexts are forced to an order chosen by the user, even if the attacker gets to choose the base point. For example, if a block cipher has a special plaintext where ciphertext=key, then the attack works quickly and quite obviously. However, if the attack requires plaintexts of the form where only one bit is set for each bit in the block, the attack would require near exhaustion of the plaintext space in CTR mode, making the attack effectively impossible.

So the truth is, it is often possible to mount a chosen basepoint attack against a CSPRNG, but chosen basepoint attacks are significantly more difficult to understand than chosen plaintext.
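An added worked example of the two cases in the post above (it is not code from the poster, just an illustration of the "chosen basepoint" idea). The block function `toy_prf` is a constructed stand-in for a block cipher: HMAC-SHA256 truncated to one block, with a deliberately planted weakness so that one hypothetical "special plaintext" (`MAGIC`) encrypts to the key. In CTR mode the attacker only gets to pick the starting counter, so the cost of an attack is the number of consecutive counter values that must be observed before every required plaintext has been fed through the PRF; `min_consecutive_span` computes that for any required set, and `weight_one_attack_cost` applies it to the "one bit set per bit of the block" case.

```python
import hashlib
import hmac

BLOCK_BYTES = 16
BLOCK_BITS = BLOCK_BYTES * 8
MODULUS = 1 << BLOCK_BITS

# Hypothetical "special plaintext" of the toy PRF (constructed for this example).
MAGIC = bytes.fromhex("deadbeef" * 4)


def toy_prf(key: bytes, block: bytes) -> bytes:
    """Constructed toy PRF, NOT a real block cipher: HMAC-SHA256 truncated to one
    block, with a planted weakness so that PRF(key, MAGIC) == key."""
    if block == MAGIC:
        return key
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_BYTES]


def ctr_keystream(key: bytes, base: int, nblocks: int, prf=toy_prf) -> list:
    """CTR-mode keystream: the PRF applied to base, base+1, ... (mod 2^128).
    The attacker may choose `base` but never the order of the counters."""
    out = []
    for i in range(nblocks):
        ctr = (base + i) % MODULUS
        out.append(prf(key, ctr.to_bytes(BLOCK_BYTES, "big")))
    return out


def recover_key_via_basepoint(keystream_oracle) -> bytes:
    """Case 1 from the post: a single special plaintext with ciphertext == key.
    Choosing base = MAGIC makes the very first keystream block the key."""
    return keystream_oracle(int.from_bytes(MAGIC, "big"), 1)[0]


def min_consecutive_span(required, modulus: int) -> int:
    """Minimum number of consecutive counter values (wrapping mod `modulus`)
    that covers every value in `required`: the largest circular gap between
    required values is the part of the circle the attacker can skip."""
    vals = sorted(set(v % modulus for v in required))
    if not vals:
        return 0
    gaps = [vals[i + 1] - vals[i] for i in range(len(vals) - 1)]
    gaps.append(modulus - vals[-1] + vals[0])  # wrap-around gap
    return modulus - max(gaps) + 1


def weight_one_attack_cost(n_bits: int) -> tuple:
    """Case 2 from the post: the attack needs every plaintext with exactly one
    bit set. Returns (queries with true chosen plaintext, keystream blocks
    needed in CTR mode with a chosen base point)."""
    required = [1 << i for i in range(n_bits)]
    return len(required), min_consecutive_span(required, 1 << n_bits)


if __name__ == "__main__":
    key = bytes(range(BLOCK_BYTES))  # constructed demo key

    def oracle(base, n):
        return ctr_keystream(key, base, n)

    print("recovered key:", recover_key_via_basepoint(oracle).hex())
    for n in (8, 32, 128):
        direct, ctr_cost = weight_one_attack_cost(n)
        print(f"{n}-bit block: {direct} chosen plaintexts vs 2^{ctr_cost.bit_length() - 1} CTR blocks")
```

For a 128-bit block the second case needs 2^127 consecutive keystream blocks, which is the "near exhaustion of the plaintext space" the post describes, while the first case is one block regardless of block size.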