The ciphertext-only attack is an attack model for cryptanalysis, which assumes that the attacker has only passive capability to listen to the encrypted communication. The attacker only knows ciphertexts but not the corresponding plaintexts. Biryukov and Kushilevitz note in their 1998 paper “From Differential Cryptanalysis to Ciphertext-Only Attacks” that “one can perform a ciphertext-only attack on a cipher as soon as he is able to detect ciphertext pairs that come from good plaintext pairs.”
While the attacker has no access to the plaintext prior to encryption, in all practical ciphertext-only attacks, the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written. In addition, standard protocol data and messages are commonly part of the plaintext in many deployed systems and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems. Therefore, attackers may rely on certain redundancy assumptions about the plaintexts to reach their goal. This scenario is the weakest in terms of capabilities of the attacker, and thus it is the most practical in real-life applications.
The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext beyond what was previously known to the attacker is still considered a success. This is also mentioned in the paper by Naor and Yung of IBM Research: “The notion of semantic security, as defined by Goldwasser and Micali, captures the requirement that it should be impossible to extract partial information on the plaintext from the ciphertext.”
In the history of cryptography, early ciphers, implemented using pen-and-paper, were routinely broken using ciphertexts alone. Cryptographers developed statistical techniques for attacking ciphertext, such as frequency analysis. Modern encryption systems made these attacks much more difficult, although not unfeasible. For instance, in 2003, Barkan, Biham and Keller demonstrated the successful launch of a ciphertext-only attack against encrypted GSM communications.
Therefore, it is particularly important to secure modern encryption algorithms against ciphertext-only attacks, as they are the most obvious starting point for every cryptanalysis. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing of large quantities of ciphertext for any statistical departure from random noise.
Known plaintext attack is a scenario in which the attacker has access to pairs of known plaintexts and their corresponding ciphertexts. The goal is to guess the secret key (or a number of secret keys) or to develop an algorithm which would allow him to decrypt any further messages. This attack is considered to be highly practical, especially if the amount of the pairs is not too large. This attack scenario is more practical than the chosen plaintext attack.
Probable word method which is a popular technique for solving classical simple substitution or transposition ciphers is an example of a known-plaintext attack.
The known plaintext is known as “crib”, which originated in Bletchley Park, during World War II, in the efforts of breaking the Enigma. The idea behind a crib is that cryptologists were looking at incomprehensible ciphertext, trying to find some word or phrase that might be expected to be in the ciphertext, so as to test it and break into the code. If these otherwise random attacks on the cipher managed to produce those words or phrases, they would know they might be on the right track. When those words or phrases appeared, they would feed the settings they had used to reveal them back into the whole encrypted message.
In the case of Enigma, the German High Command was very meticulous about the overall security of the Enigma system and understood the possible problem of cribs, but not the system operators. The Bletchley Park team would guess some of the plaintext based upon when the message was sent, and by recognizing routine operational messages. For instance, a daily weather report was transmitted by the Germans at the same time every day. Due to the standardized style of military reports, it would contain the word Wetter (German for "weather") at the same location in every message. Knowing the local weather conditions helped Bletchley Park guess other parts of the plaintext as well. Other operators would send standard salutations or introductions. “Heil Hitler” occurring at the end of a message, is another well-known example.
At Bletchley Park strenuous efforts were made to use (and even force) the Germans to produce messages with known plaintext. For example, when cribs were lacking, Bletchley Park would sometimes ask the Royal Air Force to "seed" a particular area in the North Sea with mines (a process that came to be known as gardening). The Enigma messages that were soon sent out would most likely contain the name of the area or the harbor threatened by the mines.
In modern cryptography, linear cryptanalysis is a typical example of a known-plaintext attack. Linear cryptanalysis is a known plaintext attack in which the attacker studies probabilistic linear relations (called linear approximations) between parity bits of the plaintext, the ciphertext, and the secret key. Given an approximation with high probability, the attacker obtains an estimate for the parity bit of the secret key by analyzing the parity bits of the known plaintexts and ciphertexts. Using auxiliary techniques, the attacker can usually extend the attack to find more bits of the secret key.
Linear cryptanalysis was introduced by Matsui in 1993. The attack in its current form was first applied to the Data Encryption Standard (DES).
Chosen plaintext attack is a scenario in which the attacker has the ability to choose plaintexts and to view their corresponding encryptions—ciphertexts. This attack is considered to be less practical than the known plaintext attack, but is still a very dangerous attack. If the cipher is vulnerable to a known plaintext attack, it is automatically vulnerable to a chosen plaintext attack as well, but not necessarily the opposite.
Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and so attackers can encrypt any plaintext they choose. In fact, Gregory Bard of the University of Maryland, introduced in 2004 a chosen-plaintext vulnerability for SSL/TLS 1.0.
How does it work? The attacker chooses a number n of plaintexts, which are input into the m-bit encryption oracle, that acts as a black box. The encryption oracle encrypts the n plaintexts and produces n ciphertexts, which the attacker can correlate with the original plaintexts. Based on the plaintext–ciphertext pairs, the attacker can attempt to extract the key used by the oracle to encode the plaintexts.
In the above scenario, the chosen-plaintext attack can be converted into known-plaintext attack, which will require known plaintexts, due to birthday-paradox arguments. The birthday paradox refers to the fact that there is a probability of more than 50% that among a group of at least 23 randomly selected people at least 2 have the same birthday.
Furthermore, as proved by Biryukov and Kushilevitz, the factor 2m/2 may be considerably reduced if the known plaintexts are redundant, which may even lead to a conversion of differential chosen-plaintext attack into a differential ciphertext-only attack.
In order to demonstrate how chosen-plaintext attack works, let us consider the Caesar cipher. Suppose the adversary sends the message Attack at dawn, and the oracle returns Nggnpx ng qnja. The adversary can then work through to recover the key in the same way you would decrypt a Caesar cipher. The adversary could deduce the substitutions A → N, T → G and so on. This would lead the adversary to determine that 13 was the key used in the Caesar cipher.