Re: Chosen plaintext attacks



I'm deliberately ignoring the keystream recovery version.

"JT" <jonas.thornvall@xxxxxxxxxxx> wrote in message news:2818809f-a710-4169-89b3-47371c471af8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Someone here suggested a chosen plaintext attack on CSPRNG which
baffled me a bit and made me tell him he was crazy.

When you make a CSPRNG which is just a random number generator with a
small period like a hash, or a long period like a PRP (pseudo random
permutation). And then you have the LFSR which I guess can have both
longer and shorter periods.

So when are known plaintext attacks applicable?

Oddly, it is actually possible that under some circumstances a chosen plaintext attack could be mounted on a PRNG. To see exactly how this would be done, consider a block cipher in CTR mode; a chosen ciphertext attack on the PRNG in this case would be conceivable, although the exact circumstances to mount this attack are murky at best.

To me it seems they are
mainly applicable on block ciphers with fixed S-boxes?

They are easily applicable any time a PRF (Pseudo Random Function; a PRP is one type of PRF) with an input that can be thought of as a plaintext is present in the system. In a stream cipher mode of operation these can be difficult to mount, but such an attack can still be possible.

It's also worth noting that in a stream cipher mode of operation the plaintexts are forced to an order chosen by the user, even if the attacker gets to choose the base point. For example, if a block cipher has a special plaintext where ciphertext=key, then the attack works quickly and quite obviously. However, if the attack requires plaintexts of the form where only one bit is set for each bit in the block, the attack would require near exhaustion of the plaintext space in CTR mode, making the attack effectively impossible.

So the truth is, it is often possible to mount a chosen basepoint attack against a CSPRNG, but chosen basepoint attacks are significantly more difficult to understand than chosen plaintext.
Joe
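An added illustration of Joe's point (example code, not part of the original thread): in CTR mode the PRF inputs are the counter values, so even an attacker who picks the base point only ever sees PRF outputs for consecutive inputs. The helper below counts how many consecutive blocks a chosen-basepoint query would have to cover to reach a given set of PRF inputs; the PRF is stood in for by HMAC-SHA256 (an assumption, to keep the example stand-alone).

```python
import hashlib
import hmac

# Counter width assumed for the illustration (128-bit block, as with AES).
BLOCK_BITS = 128


def prf(key: bytes, counter: int) -> bytes:
    """Keyed PRF standing in for the block cipher (HMAC-SHA256, truncated to one block)."""
    msg = counter.to_bytes(BLOCK_BITS // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[: BLOCK_BITS // 8]


def ctr_keystream(key: bytes, base: int, nblocks: int) -> list[bytes]:
    """CTR keystream: PRF applied to base, base+1, ... in that fixed order."""
    return [prf(key, (base + i) % (1 << BLOCK_BITS)) for i in range(nblocks)]


def chosen_basepoint_query(key: bytes, base: int, nblocks: int) -> list[bytes]:
    """What a chosen-basepoint attacker learns: encrypting all-zero plaintext at a chosen
    base point returns the keystream itself, i.e. PRF(key, base+i) for consecutive i."""
    zero_block = bytes(BLOCK_BITS // 8)
    ks = ctr_keystream(key, base, nblocks)
    return [bytes(a ^ b for a, b in zip(zero_block, k)) for k in ks]


def blocks_to_cover(targets: set[int]) -> int:
    """Fewest consecutive CTR blocks (choosing the best base point) that contain every PRF
    input in `targets`. Wrap-around of the counter is ignored for simplicity."""
    return max(targets) - min(targets) + 1


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    # The consecutive outputs really are the PRF at base, base+1, base+2.
    assert chosen_basepoint_query(key, 1000, 3)[2] == prf(key, 1002)
    # One special plaintext: a single block suffices.
    print("special plaintext:", blocks_to_cover({0x1234}))            # 1
    # One plaintext per single-bit block: 2^127 consecutive blocks are needed.
    single_bit = {1 << j for j in range(BLOCK_BITS)}
    print("single-bit plaintexts: 2^%d blocks" % (blocks_to_cover(single_bit).bit_length() - 1))
```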



