
	Where results make sense

Topic: Chosen plaintexts

Related Topics

Differential cryptanalysis

ICE (cipher)

Advanced Encryption Standard

MacGuffin (cipher)

XTEA

Twofish

Feistel network

Golomb ruler

	Chosen plaintext attack - Wikipedia, the free encyclopedia (Site not responding. Last check: 2007-11-07)
		A chosen plaintext attack is any form of cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts.
		This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could to persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing.
		Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, are often vulnerable to this type of attack, for example, differential cryptanalysis of block ciphers.
	www.encyclopedia-online.info /Chosen_plaintext (256 words)

	NationMaster - Encyclopedia: Chosen plaintext
		The bits in the plaintext are divided into two categories, ``fixed'' and ``changing''; a selection of the bits of the ciphertext are chosen as ``target'' bits.
		A number of chosen plaintexts are encrypted, all with the same fixed bits and with changing bits chosen at random; the attack is a success if a collision in the target bits of the ciphertext is generated.
		This attack may be applied to [2] by choosing the first two blocks of the plaintext as the ``changing'' bits, and all of the output except the second two blocks as the ``target'' bits.
	www.nationmaster.com /encyclopedia/Chosen-plaintext (487 words)

	Chosen-plaintext attack - Wikipedia, the free encyclopedia
		A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts.
		Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and attackers can encrypt any plaintext they choose.
		Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.
	en.wikipedia.org /wiki/Chosen_plaintext (396 words)

	[rc5] RC64 keyspace
		There is a differential attack that requires 2^24 chosen plaintexts for 5 rounds, 2^45 for 10 rounds, 2^53 for 12 rounds, and 2^68 for 15 rounds.
		This number may change." This is Applied Cryptography's description of the chosen plaintext attack (p.6): "The cryptanalyst not only has access to the ciphertext and associated plaintext for several messages, but he also chooses the plaintexts encrypted.
		Additionally, a chosen plaintext attack requires large amounts of memory, and I don't know that its implementation would be as conducive to a distributed effort as the brute force attack we are waging.
	lists.distributed.net /pipermail/rc5/1997-October/033851.html (380 words)

	[No title]
		A standard cryptanalytic attack is to know some plaintext matching a given piece of ciphertext and try to determine the key which maps one to the other.
		This plaintext can be known because it is standard (a standard greeting, a known header or trailer,...) or because it is guessed.
		chosen plaintext: the attacker has the capability to find the cyphertext corresponding to an arbitrary plaintext message of his choosing.
	members.tripod.com /~epiclord/cr03.html (1576 words)

	Cryptography - definition of Cryptography - Labor Law Talk Dictionary (via CobWeb/3.1 planetlab2.cs.unc.edu) (Site not responding. Last check: 2007-11-07)
		Associated fields are steganography — the study of hiding the very existence of a message, and not necessarily the contents of the message itself (for example, microdots, or invisible ink) — and traffic analysis, which is the analysis of patterns of communication in order to learn secret information.
		Encryption is the process of converting plaintext into an unreadable form, termed ciphertext, or, occasionally, a cryptogram.
		Classical ciphers tend to leak varying amounts of information about the statistics of the plaintext, and because of this they are easily broken, for example by frequency analysis.
	encyclopedia.laborlawtalk.com.cob-web.org:8888 /Cryptography (2451 words)

	Avalanche and certificational weaknesses
		Note that neither keys nor plaintext can be recovered using this attack; it merely serves to distinguish the cipher from a random permutation.
		Note that this attack is not applicable to any of the proposals in [1]; neither BEAR nor LION claim to be resistant to any kind of chosen plaintext attack, while LIONESS carries 256 or 320 bits of data between the two halves (depending on the underlying hash function), which would require
		chosen plaintexts; this is outside the security goals of the cipher.
	www.ciphergoth.org /crypto/mercy/html/avalanche_and_certif.html (537 words)

	FEAL - the free encyclopedia (Site not responding. Last check: 2007-11-07)
		A later paper (den Boer, 1988) describes an attack requiring100–10000 chosen plaintexts, and Sean Murphy (1990) found animprovement that needs only 20 chosen plaintexts.
		However, eight roundsalso proved to be insufficient — in 1989, at the Securicom conference, Eli Biham and Adi Shamir described adifferential attack on the cipher, mentioned in (Miyaguchi, 1989).
		Gilbert and Chassé (1990) subsequently published a statisticalattack similar to differential cryptanalysis which requires 10000 pairs of chosen plaintexts.
	www.encyclopedia-of-world-knowledge.com /default.asp?t=FEAL (443 words)

	FEAL
		However, eight rounds also proved to be insufficient — in 1989, at the Securicom conference, Eli Biham and Adi Shamir described a differential attack on the cipher, mentioned in (Miyaguchi, 1989).
		Gilbert and Chassé (1990) subsequently published a statistical attack similar to differential cryptanalysis which requires 10000 pairs of chosen plaintexts.
		Sean Murphy, The Cryptanalysis of FEAL-4 with 20 Chosen Plaintexts.
	www.starrepublic.org /encyclopedia/wikipedia/f/fe/feal.html (487 words)

	Triple DES - Wikipedia, the free encyclopedia
		When it was found that a 56-bit key of DES is not enough to guard against brute force attacks, TDES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm.
		The use of three steps is essential to prevent meet-in-the-middle attacks that are effective against double DES encryption.
		This attack is highly parallelizable and verges on the practical, given billion-dollar budgets and years to mount the attack, though the circumstances in which it would be useful are limited.
	en.wikipedia.org /wiki/Triple_DES (721 words)

	[No title]
		Following is Hellman's announcement: MAIN RESULT: a chosen text attack on 8- round DES that recovers 10 bits of key, takes less than than 10 seconds on a SUN-4 workstation, has 80% probability of success with only 512 chosen plaintexts and 95% probability of success with 768 chosen plaintexts.
		Based on Matsui's rule of thumb that approximately 8/(p-0.5^2) observations are needed when p is the probability of observing a parity relation, this would predict that about 1,400 plaintext pairs, or 2,800 chosen plaintexts, would be required.
		For example, the 768 chosen plaintexts which had a 95% success rate on the first ten bits of key, have an 85% success rate for all sixteen bits of key.
	www.niksula.cs.hut.fi /~troppone/projekti/break-des (1189 words)

	Khufu and Khafre
		There is a differential attack on 16 rounds of Khufu which can recover the secret key.
		plaintexts and complexity are required to merely distinguish the cipher from random.
		Henri Gilbert, Pascal Chauvaud: A Chosen Plaintext Attack of the 16-round Khufu Cryptosystem.
	www.xasa.com /wiki/en/wikipedia/k/kh/khufu_and_khafre.html (641 words)

	\Title
		Two examples of deletion cryptanalysis as applied to the one-time pad and the DES block cipher are given.
		It is shown that deletion cryptanalysis can sometimes break systems as efficiently as the chosen-key attacks (where the attacker can choose the key to be used and, optionally, any plaintexts that they would like to be encrypted).
		We expect that many public-key systems can also be broken by selective deletion of crucial operations or functions and feel that it is our duty to warn the craptologic community of the threat of deletion attacks.
	www.anagram.com /~jcrap/Volume_0_0/crv0n0-1.html (375 words)

	Step 1: Choose an XOR difference for the plaintext pairs
		chosen plaintexts (about 985 terabytes) and a computational effort on the order of 2
		The number of chosen plaintexts needed is dependent on the ability of XOR differences to propagate through a block cipher algorithm (and therefore partly dependent on the number rounds) and the computational effort comes from the size of the subkey used for each round.
		We know that the left half of the plaintext was used as input to the XOR4 in the first round.
	nsfsecurity.pr.erau.edu /crypto/diffcrypt.html (1549 words)

	APPLIED CRYPTOGRAPHY, SECOND EDITION: Protocols, Algorithms, and Source Code in C:Data Encryption Standard (DES) (Site not responding. Last check: 2007-11-07)
		This means that if you XOR some of the plaintext bits together, XOR some ciphertext bits together, and then XOR the result, you will get a single bit that is the XOR of some of the key bits.
		Linear cryptanalysis is heavily dependent on the structure of the S-boxes and the S-boxes in DES are not optimized against this attack.
		Susan Langford and Hellman have an attack on 8-round DES that recovers 10 key bits with an 80 percent probability of success with 512 chosen plaintexts and a 95 percent probability of success with 768 chosen plaintexts [938].
	friedo.szm.sk /krypto/AC/ch12/12-13.html (1003 words)

	David Hopwood - Cryptography - Recipient hiding
		We have chosen to use DHAES ("Diffie-Hellman Authenticated Encryption Scheme") as the basis for our discrete-log-based schemes, because DHAES is efficient, flexible in terms of the group to be used, and has security proofs that can be easily adapted for our purposes.
		Adaptive chosen plaintext attacks do not normally need to be considered explicitly for public key algorithms, because the attacker is assumed to have access to the public key.
		They are proven equally as secure as DHAES for message privacy under chosen plaintext, chosen ciphertext and adaptive chosen ciphertext attack (and hence also achieve non-malleability), under the same assumptions.
	www.users.zetnet.co.uk /hopwood/crypto/rh/index.html (3987 words)

	Text properties
		At first 2^23 plaintexts are chosen by starting at specific point and changing the 4 bytes over 2^23 possible values.
		Secondly, in the next part of the attack; one possibility of key bytes 2^24 groups of 256 plaintexts could be found in a way that within a single group where the encryption is different in one byte of m^(1).
		For the plaintexts that are different in the one byte of m^(1) must take on all of 256 possible values.
	shrike.depaul.edu /~ytkachuk/Pv.htm (2120 words)

	Cryptanalysis of MultiSwap (Site not responding. Last check: 2007-11-07)
		For example, to force the value multiplied by k6 to be w, simply query the encryption oracle with plaintext (0,w-k5).
		One can repeat this test for 16 right input pairs (w1,2w1)...(w16,2w16) chosen uniformly at random, and the probability of a given k6 value surviving all 16 tests is roughly (1/4)^16 = 2^-32, so we expect about one value of k6 to survive.
		Thus with 2^22.5 known plaintexts, we expect that the 2^22.5 inputs to the second round will contain about 2^13 pairs, enough to recover k6,...,k10.
	www.cs.sunysb.edu /~rtjohnso/multiswap (1884 words)

	Amazon.com: "Chosen Plaintext Attack": Key Phrase page (Site not responding. Last check: 2007-11-07)
		Cryptography Chosen Plaintext Attack (CPA) A CPA loads a cryptographic device with a hidden key, and the input of plaintext is allowed to see...
		The difference with a classical chosen plaintext attack on a block-cipher is that the attacker has only a partial knowledge of the ciphertext.
		By using the following chosen plaintext attack the key can be discovered in 2125 operations using 8 chosen plaintexts.
	www.amazon.com /phrase/Chosen-Plaintext-Attack (517 words)

	The Mandala Centre - Compression and Security - One on one compression FAQ
		IF an attacker can choose plaintexts to be encyphered, this can sometimes assist him in determining the internal workings of a cypher in ways that a simple knowledge of plaintext would not allow.
		It has been argued that this prevention of chosen plaintext attacks is actually one of the purposes of compression.
		In practice, defending against chosen plaintext attacks are not terribly important anyway.
	mandala.co.uk /securecompress/faq (826 words)

	On Chosen Ciphertext Security of Multiple Encryptions (Site not responding. Last check: 2007-11-07)
		We consider the security of multiple and possibly related plaintexts in the context of a chosen ciphertext attack.
		That is the attacker in addition and concurrently to obtaining encryptions of multiple plaintexts under the same key, may issue encryption and decryption queries and partial information queries.
		The extension is in considering the security of multiple plaintexts rather than the security of a single plaintext.
	www.wisdom.weizmann.ac.il /~oded/p_ccam.html (182 words)

	Dr. Dobb's \| Algorithm Alley \| July 22, 2001
		(If the plaintext is only known rather than chosen, then the table needs to be prepared for that particular plaintext.) Thus, while encryption of each plaintext block requires twice as much work, the cryptanalyst with resources to invest in memory is only faced with twice the computational effort required for single encryption.
		With single-encryption CBC, the previous ciphertext is XORed with the plaintext prior to block-cipher encryption.
		DES is a block cipher that transforms plaintext blocks of 64 bits to 64 bits of ciphertext.
	www.ddj.com /184409815?pgno=2 (3243 words)

	Dr. Dobb's \| Differential and Linear Cryptanalysis \| July 22, 2001
		Both are statistical in that an attacker collects a large amount of plaintext and ciphertext associated with a given key, then uses that information to determine the key.
		The two plaintexts can be chosen at random, as long as they satisfy particular difference conditions; you don't even have to know their values.
		A plaintext pair that satisfies the characteristic is a correct pair; the pair that does not is a wrong pair.
	www.ddj.com /184409803?pgno=10 (2597 words)

	Advanced Encryption Standard - Wikipedia, the free encyclopedia (via CobWeb/3.1 planetlab2.cs.unc.edu) (Site not responding. Last check: 2007-11-07)
		To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the inverse function with an invertible affine transformation.
		The S-box is also chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points.
		The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts.
	en.wikipedia.org.cob-web.org:8888 /wiki/Advanced_Encryption_Standard (1957 words)

	Cryptography
		If content is guessed, its position is probably not known, but the cryptanalyst can assume the known plaintext is in each possible position and do attacks for each case in parallel.
		2) known plaintext: the attacker has the plaintext and corresponding ciphertext of an arbitrary part of the content not of his choosing.
		3) chosen plaintext: the attacker has the capability to find the ciphertext corresponding to an arbitrary plaintext message of his choosing.
	cse.stanford.edu /class/cs201/projects/dvd-css/cryptography.htm (738 words)

	The Dispatch - Serving the Lexington, NC - News
		The original proposed version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts, and even a 31-round version of FEAL is susceptible to the attack.
		Differential cryptanalysis is usually a chosen plaintext attack, meaning that the attacker must be able to obtain encrypted ciphertexts for some set of plaintexts of his choosing.
		There are, however, extensions that would allow a known plaintext or even a ciphertext-only attack.
	www.the-dispatch.com /apps/pbcs.dll/section?category=NEWS&template=wiki&text=differential_cryptanalysis (674 words)

	3.5.2 Has DES been broken? (Site not responding. Last check: 2007-11-07)
		chosen plaintexts, i.e., plaintexts chosen by the attacker.
		Although a theoretical breakthrough, this attack is not practical under normal circumstances because it requires the attacker to have easy access to the DES device in order to encrypt the chosen plaintexts.
		Another attack, known as linear cryptanalysis, does not require chosen plaintexts.
	ecwww.eurecom.fr /~arnaud/zds/appendix/node64.html (281 words)

	Snell-Pym » Cryptanalysis
		Using this information, we can come up with a set of chosen plaintexts that makes WY go through all possible values.
		So from the same chosen plaintexts we can also examine C'D' to get a table mapping any two L-values to an actual S-box output.
		This is now actually enough to copy the encryption operation of the cypher; we can choose any input message, use the first table to find WXYZ in terms of U- and L- values, then use the second two tables to get A'B'C'D'.
	www.snell-pym.org.uk /archives/2006/09/22/cryptanalysis/3 (720 words)

	Differential Cryptanalysis: A Literature Survey
		This is a chosen plaintext attack which uses only the resultant ciphertexts.
		The two plaintexts can be chosen at random, as long as they satisfy the difference condition, and the cryptanalyst does not have to know their values.
		Chosen plaintext attacks can be mounted which take advantage of the relatively high probabilities to reduce the search space for the key in use.
	www.ciphersbyritter.com /RES/DIFFANA.HTM (4246 words)

Try your search on: Qwika (all wikis)