Attack Model

In cryptanalysis, attack models or attack types are a classification of cryptographic attacks specifying how much information a cryptanalyst has access to when attempting to "break" an encrypted message (also known as ciphertext).

In cryptography, a sending party uses a cipher to encrypt (transform) a secret plaintext into a ciphertext, which is sent over an insecure communication channel to the receiving party. The receiving party uses his secret knowledge of the cipher to decrypt the ciphertext to obtain the plaintext. The secret knowledge required to decrypt the message is usually a short number or string called a key. In a cryptographic attack a third party cryptanalyst analyzes the ciphertext to try to "break" the cipher, to read the plaintext and obtain the key so that future enciphered messages can be read. Some common attack models are:

• Ciphertext-only attack (COA) - in this type of attack it is assumed that only the ciphertext is available to the cryptanalyst. This is the most likely case encountered in real life cryptanalysis, but is the weakest attack because of the cryptanalyst's lack of information. Modern ciphers rarely fail under this attack type.
  • Brute force attack or exhaustive search - in this attack every possible key is tried until the correct one is found. Every cipher except the unbreakable one time pad is vulnerable to this method, and its difficulty depends not on the cipher but only on the key length. If the key has N bits, it can break the cipher in a worst-case time proportional to 2N and an average time of 2N-1 This is often used as a standard of comparison for other attacks.
• Known-plaintext attack (KPA) - in this type of attack it is assumed that pairs of plaintext and the corresponding enciphered text are available to the analyst. During World War II, the Allies used known-plaintexts in their successful cryptanalysis of the Enigma machine cipher. The plaintext samples are called "cribs"; the term originated at Bletchley Park, the British World War II decryption operation.
  • Chosen-plaintext attack (CPA) - in this attack the cryptanalyst is able to choose a number of plaintexts to be enciphered and have access to the resulting ciphertext. This allows him to explore whatever areas of the plaintext state space he wishes and may allow him to exploit vulnerabilities and nonrandom behavior which appear only with certain plaintexts.
    • Adaptive chosen-plaintext attack (CPA2) - in this attack the analyst can choose a sequence of plaintexts to be encrypted and have access to the ciphertexts. At each step he has the opportunity to analyze the previous results before choosing the next plaintext. This allows him to have more information when choosing plaintexts than if he was required to choose all the plaintexts beforehand as required in the chosen-plaintext attack.
  • Chosen-ciphertext attack (CCA) - in this attack the analyst can choose arbitrary ciphertext and have access to plaintext decrypted from it. In an actual real life case this would require the analyst to have access to the communication channel and the recipient end.
    • Adaptive chosen-ciphertext attack (CCA2) - in this attack he can choose a series of ciphertexts and see the resulting plaintexts, with the opportunity at each step to analyze the previous ciphertext-plaintext pairs before choosing the next ciphertext.
    • Indifferent chosen-ciphertext attack or Lunchtime attack
• Side channel attack - This is not strictly speaking a cryptanalytic attack, and does not depend on the strength of the cipher. It refers to using other data about the encryption or decryption process to gain information about the message, such as electronic noise produced by encryption machines, sound produced by keystrokes as the plaintext is typed, or measuring how much time various computations take to perform.

Different attack models are used for other cryptographic primitives, or more generally for all kind of security systems. Examples for such attack models are:

• Adaptive chosen-message attack for digital signatures