1. Introduction

In this tutorial, we’ll learn the differences between the known-plaintext and the chosen-plaintext cryptographic attacks.

2. Plaintexts and Cryptographic Attacks

In cryptography, the objective of a cryptographic analysis isn’t always to decipher an encrypted text: sometimes, it’s more valuable, given some communication, to determine the secret key used to encrypt it. When this objective is achieved by leveraging the prior knowledge of some plaintext and perhaps of the ciphertext that derives from its encryption against some unknown key, we then talk about plaintext attacks against an encryption algorithm.

3. Known-Plaintext Attack vs. Chosen-Plaintext Attack

We can discriminate between two types of plaintext attacks according to whether we know a set of plaintexts and the corresponding encrypted texts and then have to work with those sets or whether we have instead the capacity to encrypt any arbitrary text and compare plaintexts against the encrypted ones. In the first case, we talk about known-plaintext attacks, whereas in the second case, we refer to chosen-plaintext attacks.

Therefore, the primary difference between these two approaches is whether we can put our hands on the encryption system and play with it or whether we have to rely instead on some given sets of plaintexts and ciphertexts, and those sets can’t be extended further.

4. Example of a Known-Plaintext Attack

A good example to illustrate the difference between these two approaches is to consider the XOR cipher. If $\text{plaintext}$ is the text we want to encrypt and $\text{key}$ is the encryption key, then we simply compute the encrypted text $\text{ciphertext}$ as $\text{ciphertext} = \text{plaintext} \oplus \text{key}$. Our objective for both types of attacks will be to learn something about the key or the associated encryption algorithm. For simplicity, we define the short name $\text{ciphertext} = \text{encrypt}(\text{plaintext}, \text{key})$ to indicate the XOR function.

Let’s try the following values:

  • The encryption key, whose value we don’t know, is $\text{key} = 10101010$
  • The first plaintext we consider for both attacks will be $\text{plaintext} = 11111111$

We’ll begin with the known-plaintext attack. By the hypothesis of this attack, we get to know in advance the ciphertext that results from $\text{encrypt}(\text{plaintext}, \text{key})$. Accordingly, the value of $\text{ciphertext}$ is $01010101$. Because we know both $\text{plaintext} = 11111111$ and $\text{ciphertext} = 01010101$, in this case we can compute $\text{key}$ exactly as $\text{key} = \text{plaintext} \oplus \text{ciphertext}$, and therefore $\text{key} = 11111111 \oplus 01010101 = 10101010$.
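The key recovery above, worked in code. This is an added example, not code from the original tutorial: it reproduces the page's single-byte case and then generalises it to a repeating multi-byte key, where knowing only a fixed message header at least as long as the key is enough to recover the whole key and decrypt the rest. The header value, the 4-byte key and the message body are constructed for the demonstration.

```python
"""Known-plaintext attack on a (repeating-key) XOR cipher. Added example."""


def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the key, repeating the key as needed.

    Decryption is the same operation, since (p ^ k) ^ k == p.
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Recover a key_len-byte repeating key from a known plaintext/ciphertext pair.

    Every key byte must be covered by at least one known plaintext position, so
    the known plaintext has to be at least key_len bytes long; otherwise some key
    bytes stay unknown.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than the key; cannot recover every key byte")
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("ciphertext shorter than the known plaintext")
    # key[i] = plaintext[i] ^ ciphertext[i] for the first key_len positions
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def single_byte_example() -> dict:
    """The page's 8-bit case: plaintext 11111111 and key 10101010."""
    key = bytes([0b10101010])
    plaintext = bytes([0b11111111])
    ciphertext = xor_encrypt(plaintext, key)
    recovered = recover_key(plaintext, ciphertext, key_len=1)
    return {"ciphertext": ciphertext[0], "recovered_key": recovered[0]}


def crib_attack_demo() -> dict:
    """Generalisation to a multi-byte message under a 4-byte repeating key.

    The attacker knows only the fixed 4-byte header ("crib"); because it is at
    least as long as the key, the full key follows and the secret body decrypts.
    All values here are constructed for the example.
    """
    secret_key = b"\x5a\xa5\x3c\xc3"                   # unknown to the attacker
    message = b"HDR:" + b"account=alice;balance=1234"  # known header, secret body
    ciphertext = xor_encrypt(message, secret_key)

    crib = b"HDR:"                                     # the known plaintext
    key = recover_key(crib, ciphertext, key_len=4)
    decrypted = xor_encrypt(ciphertext, key)           # XOR is its own inverse
    return {"key": key, "decrypted": decrypted}


if __name__ == "__main__":
    print(single_byte_example())   # {'ciphertext': 85, 'recovered_key': 170}
    print(crib_attack_demo())
```

The multi-byte case is the reason a fixed XOR key (or a reused stream-cipher keystream) gives no confidentiality: any predictable portion of the plaintext, such as a protocol header or a file magic number, hands the corresponding key bytes to whoever holds the ciphertext.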

5. Example of a Chosen-Plaintext Attack

Let’s now consider the chosen-plaintext attack. In this case, we can relax the previous constraint and assume we aren’t certain of the encryption algorithm being used. However, we can still choose a set of plaintexts and compare them with the resulting ciphertexts in order to learn something about the encryption algorithm and its associated key.

If we begin with the plaintext $\text{plaintext} = 11111111$, we will obtain $\text{ciphertext} = 01010101$, as we discussed earlier. We could then consider changing the last bit of the plaintext and observe how the ciphertext changes accordingly. In doing so, and in changing every remaining bit of the plaintext in sequence, we would develop the following table of associations:

Plaintext   Ciphertext
11111111    01010101
11111110    01010100
11111101    01010111
11111011    01010001
11110111    01011101
11101111    01000101
11011111    01110101
10111111    00010101
01111111    11010101

In varying each individual bit of the plaintext and comparing the corresponding encrypted text, we notice that the bit we vary is consistently negated in the encryption process, and that only that bit changes. We could also notice that, as one bit varies, the remaining ones are left untouched: in this case, we should strongly suspect that the encryption involves a bit-wise operator of some kind; that would, in turn, significantly restrict the search space of the possible encryption algorithms that generate the ciphertexts.
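The probing procedure of this section, written as an added example (not code from the original tutorial). The analyst only gets to query an encryption oracle, never to inspect it. The code rebuilds the table above by flipping one bit at a time, checks the observation that each single-bit plaintext change produces exactly the same single-bit ciphertext change, and then tests the resulting XOR hypothesis against every row. For contrast it also runs the same probe against a constructed non-bitwise oracle (addition modulo 256 with the same key), where the locality check fails; `add_oracle` and the key constant are assumptions for the demonstration.

```python
"""Chosen-plaintext probing of a black-box 8-bit cipher. Added example."""
from typing import Callable, List, Optional, Tuple

KEY = 0b10101010  # the page's key; treated as unknown by the analysis functions


def xor_oracle(plaintext: int) -> int:
    """The page's cipher: the analyst may query it but does not see this body."""
    return plaintext ^ KEY


def add_oracle(plaintext: int) -> int:
    """Constructed non-bitwise oracle (addition mod 256) used for contrast."""
    return (plaintext + KEY) % 256


def build_table(oracle: Callable[[int], int], base: int = 0b11111111,
                nbits: int = 8) -> List[Tuple[int, int]]:
    """Query the base plaintext, then the base with each single bit flipped.

    Bit 0 (the last bit) is flipped first, matching the order of the page's table.
    """
    table = [(base, oracle(base))]
    for i in range(nbits):
        probe = base ^ (1 << i)
        table.append((probe, oracle(probe)))
    return table


def flipped_bits(a: int, b: int, nbits: int = 8) -> List[int]:
    """Positions at which a and b differ."""
    return [i for i in range(nbits) if (a ^ b) >> i & 1]


def is_bitwise_local(table: List[Tuple[int, int]], nbits: int = 8) -> bool:
    """True if every single-bit plaintext change moved exactly that one ciphertext bit.

    This is the property observed on the page; it is what suggests a bitwise operator.
    """
    base_p, base_c = table[0]
    for p, c in table[1:]:
        if flipped_bits(p, base_p, nbits) != flipped_bits(c, base_c, nbits):
            return False
    return True


def infer_xor_key(table: List[Tuple[int, int]]) -> Optional[int]:
    """Hypothesise XOR, derive the key from the first row, verify on all rows.

    Returns the key if every (plaintext, ciphertext) pair is consistent, else None.
    """
    base_p, base_c = table[0]
    candidate = base_p ^ base_c
    if all(p ^ candidate == c for p, c in table):
        return candidate
    return None


def format_table(table: List[Tuple[int, int]], nbits: int = 8) -> str:
    """Render the associations the way the tutorial lists them."""
    lines = ["Plaintext   Ciphertext"]
    for p, c in table:
        lines.append(f"{p:0{nbits}b}    {c:0{nbits}b}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = build_table(xor_oracle)
    print(format_table(table))
    print("bitwise-local:", is_bitwise_local(table))
    print("inferred XOR key:", format(infer_xor_key(table), "08b"))
    other = build_table(add_oracle)
    print("addition oracle bitwise-local:", is_bitwise_local(other),
          "xor key:", infer_xor_key(other))
```

The two checks separate the two reasoning steps in the text: `is_bitwise_local` captures the observation that only the flipped bit changes, which narrows the candidate algorithms, and `infer_xor_key` tests the specific hypothesis that survives. Against the addition oracle the very first flip (bit 0) happens to look local, but the second does not, which is why the check walks every row rather than stopping at one.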

This observation can also be important when working with hashes. If the passwords aren’t salted, then the similarity between the hashed values of two unknown passwords could tell us something about the similarity of the passwords that generated them.

6. Conclusion