1. Introduction
In this tutorial, we’ll learn the differences between the known-plaintext and the chosen-plaintext cryptographic attacks.
2. Plaintexts and Cryptographic Attacks
In cryptography, the objective of a cryptanalysis isn’t always to decipher an encrypted text: sometimes, given some intercepted communication, it’s more valuable to determine the secret key that was used to encrypt it. When this objective is achieved by leveraging prior knowledge of some plaintext, and perhaps of the ciphertext produced by encrypting it under the unknown key, we talk about plaintext attacks against an encryption algorithm.
3. Known-Plaintext Attack vs. Chosen-Plaintext Attack
We can distinguish two types of plaintext attacks according to whether we only know a given set of plaintexts and their corresponding ciphertexts and have to work with those sets, or whether we instead have the capacity to encrypt arbitrary text of our choosing and compare each plaintext against its ciphertext. In the first case, we talk about known-plaintext attacks, whereas in the second case, we refer to chosen-plaintext attacks.
Therefore, the primary difference between these two approaches is whether we have access to the encryption system and can query it, or whether we have to rely on some given sets of plaintexts and ciphertexts that can’t be extended further.
4. Example of a Known-Plaintext Attack
A good example to illustrate the difference between these two approaches is to consider the XOR cipher. If is the text we want to encrypt and is the encryption key, then we simply compute the encrypted text as . Our objective for both types of attacks will be to learn something about the key or the associated encryption algorithm. For simplicity, we define the short-name to indicate the XOR function.
Let’s try the following values:
- The encryption key, whose value we don’t know, is
- The first plaintext we consider for both attacks will be
We’ll begin with the known-plaintext attack. By the hypothesis of this attack, we get to know in advance the ciphertext that results out of . Accordingly, the value of is . Because we know both and , in this case we can exactly compute as , and therefore .
5. Example of a Chosen-Plaintext Attack
Let’s now consider the chosen-plaintext attack. In this case, we can relax the previous constraint and assume we aren’t certain of the encryption algorithm being used. However, we can still choose a set of plaintexts and compare them with the resulting ciphertexts in order to learn something about the encryption algorithm and its associated key.
If we begin with the plaintext , we will obtain the as we discussed earlier. We could then consider changing the last bit of the plaintext and observe how the ciphertext changes accordingly. In doing so, and in changing every remaining bit of the plaintext in sequence, we would develop the following table of associations:
Plaintext   Ciphertext
11111111    01010101
11111110    01010100
11111101    01010111
11111011    01010001
11110111    01011101
11101111    01000101
11011111    01110101
10111111    00010101
01111111    11010101
In varying each individual bit of the plaintext and comparing the corresponding ciphertexts, we notice that each time we flip one plaintext bit, the ciphertext bit in the same position flips as well. We also notice that, as one bit varies, the remaining bits are left untouched: in this case, we should strongly suspect that the encryption involves a bit-wise operator of some kind, which in turn significantly restricts the search space of possible encryption algorithms that could generate these ciphertexts.
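The two attacks above, worked through in code as an added example that is not part of the original tutorial. The one-byte key 10101010 is an assumption, chosen so that the outputs reproduce the table above (the tutorial’s own key symbol was lost in extraction); the known-plaintext step recovers the key from one pair, and the chosen-plaintext step rebuilds the bit-flip table and tests the “only the same bit changes” observation, which also fails for a non-bitwise cipher such as byte-wise addition.

```python
# Added example: one-byte XOR cipher, known-plaintext key recovery, and the
# chosen-plaintext single-bit-flip probe described in the tutorial.
# SECRET_KEY is an assumed value (0b10101010) picked to match the tutorial's
# table: 11111111 XOR 10101010 = 01010101.

SECRET_KEY = 0b10101010  # unknown to the attacker in both scenarios


def xor_encrypt(plaintext: int, key: int = SECRET_KEY) -> int:
    """One-byte XOR cipher: ciphertext = plaintext XOR key."""
    return (plaintext ^ key) & 0xFF


def known_plaintext_recover_key(plaintext: int, ciphertext: int) -> int:
    """Known-plaintext attack: a single (P, C) pair gives K = P XOR C."""
    return (plaintext ^ ciphertext) & 0xFF


def chosen_plaintext_table(oracle, base: int = 0b11111111):
    """Chosen-plaintext attack: query the encryption oracle with the base
    plaintext, then with each single bit flipped, lowest bit first (the
    same order as the tutorial's table). Returns (plaintext, ciphertext) pairs."""
    table = [(base, oracle(base))]
    for bit in range(8):
        p = base ^ (1 << bit)
        table.append((p, oracle(p)))
    return table


def looks_bitwise(table) -> bool:
    """The tutorial's observation: flipping one plaintext bit must flip exactly
    the same ciphertext bit and leave every other ciphertext bit untouched."""
    base_p, base_c = table[0]
    for p, c in table[1:]:
        if (p ^ base_p) != (c ^ base_c):  # set of changed bits must coincide
            return False
    return True


if __name__ == "__main__":
    c = xor_encrypt(0b11111111)
    print(f"known-plaintext: key = {known_plaintext_recover_key(0b11111111, c):08b}")
    table = chosen_plaintext_table(xor_encrypt)
    for p, c in table:
        print(f"  {p:08b} -> {c:08b}")
    print("bitwise operator suspected:", looks_bitwise(table))
    # A non-bitwise cipher (byte-wise addition, constructed for contrast)
    # changes several ciphertext bits at once and fails the probe.
    print("addition cipher looks bitwise:",
          looks_bitwise(chosen_plaintext_table(lambda p: (p + SECRET_KEY) & 0xFF)))
```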
This can be important when working with hashes. If the passwords aren’t salted, then the similarity between the ciphertexts of two unknown passwords could tell us something about the similarity of the passwords that generated them.