19.6.7 Adaptive chosen-plaintext attack

In an adaptive chosen-plaintext attack, Eve may choose the plaintext depending on the ciphertexts received previously from an encryption oracle. Whereas in a chosen-plaintext attack, Eve has to select the plaintexts before the attack begins, in an adaptive chosen-plaintext attack she can choose the plaintext based on the information gathered during the attack.

19.6.8 Chosen-ciphertext attack

In a chosen-ciphertext attack, Eve is able to choose ciphertexts for which she then obtains the corresponding plaintexts. In other words, Eve has access to a decryption oracle.

Eve can mount a chosen-ciphertext attack by gaining access to Bob’s hardware performing the decryption operation. Obviously, this attack model assumes that Eve cannot directly access the secret key, which is a reasonable assumption given that keys can be stored in a secure memory that cannot be read by the main processor.

Eve’s goal is to later on – specifically, without accessing Bob’s hardware – deduce the plaintexts for ciphertexts she has not previously seen.

19.6.9 Adaptive chosen-ciphertext attack

If Eve launches an adaptive chosen-ciphertext attack, she may choose the ciphertext she wants to submit to the decryption oracle based on a plaintext she received for one or more of the previously submitted ciphertexts.

More formally, an adaptive chosen-ciphertext attack allows Eve to first submit a number of adaptively chosen ciphertexts to be decrypted by a decryption oracle and then attack the encryption scheme based on the results, without querying the oracle with the challenge ciphertext.

19.7 Attacks on hash functions

Recall from Chapter 11, Hash Functions and Message Authentication Codes, that a hash function h maps a string of arbitrary length onto a string of fixed length. In this setting, collisions, that is, different inputs x1,x2 having the same output h(x1) = h(x2) have to occur at some point.

In Chapter 11, Hash Functions and Message Authentication Codes, we also defined two important properties for a hash function to be considered secure: Collision Resistance and the One-Way Property. In a nutshell, the first of these properties makes it difficult for Eve to actually find collisions, whereas the second makes it difficult to find pre-images, that is to find a matching input string x for a given hash value h(x). All of the attacks in the current section are aimed either at finding collisions or finding pre-images.