What is a chosen-ciphertext attack?
Q: What is a chosen-ciphertext attack?
A: A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key.
Q: Why must implementers be careful to avoid situations in which attackers might be able to decrypt chosen ciphertexts?
A: When a cryptosystem is susceptible to a chosen-ciphertext attack, implementers must be careful to avoid situations in which attackers might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption scheme), as even partially chosen ciphertexts can permit subtle attacks.
Q: Which cryptosystems are vulnerable to attacks when hashing is not used on the message to be signed?
A: Some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed.
Q: What is the better approach to avoid attacks under a chosen-ciphertext attack model?
A: A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, Cramer-Shoup and many forms of authenticated symmetric encryption.
Q: What does RSA-OAEP stand for?
A: RSA-OAEP stands for RSA Optimal Asymmetric Encryption Padding.
Q: What is one of the consequences of a cryptosystem being vulnerable to a chosen-ciphertext attack?
A: One of the consequences of a cryptosystem being vulnerable to a chosen-ciphertext attack is that implementers must be careful to avoid situations in which attackers might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption scheme).
Q: What type of attacks can partially chosen ciphertexts permit?
A: Partially chosen ciphertexts can permit subtle attacks.