Cryptography: Known-Plaintext Attack vs. Chosen-Plaintext Attack

1. Introduction

In this tutorial, we’ll learn the differences between the known-plaintext and the chosen-plaintext cryptographic attacks.

2. Plaintexts and Cryptographic Attacks

In cryptography, the objective of a cryptographic analysis isn’t always to decipher an encrypted text: sometimes, it’s more valuable, given some communication, to determine the secret key used to encrypt it. When this objective is achieved by leveraging the prior knowledge of some plaintext and perhaps of the ciphertext that derives from its encryption against some unknown key, we then talk about plaintext attacks against an encryption algorithm.

3. Known-Plaintext Attack vs. Chosen-Plaintext Attack

We can discriminate between two types of plaintext attacks according to whether we know a set of plaintexts and the corresponding encrypted texts and then have to work with those sets or whether we have instead the capacity to encrypt any arbitrary text and compare plaintexts against the encrypted ones. In the first case, we talk about known-plaintext attacks, whereas in the second case, we refer to chosen-plaintext attacks.

Therefore, the primary difference between these two approaches is whether we can put our hands on the encryption system and play with it or whether we have to rely instead on some given sets of plaintexts and ciphertexts, and those sets can’t be extended further.

4. Example of a Known-Plaintext Attack

A good example to illustrate the difference between these two approaches is to consider the XOR cipher. If $\text{plaintext}$ is the text we want to encrypt and $\text{key}$ is the encryption key, then we simply compute the encrypted text $\text{ciphertext}$ as $\text{ciphertext} = \text{plaintext} \oplus \text{key}$ . Our objective for both types of attacks will be to learn something about the key or the associated encryption algorithm. For simplicity, we define the short-name $\text{ciphertext} = \text{encrypt(plaintext, key)}$ to indicate the XOR function.

Let’s try the following values:

The encryption key, whose value we don’t know, is $\text{key} = 10101010$
The first plaintext we consider for both attacks will be $\text{plaintext} = 11111111$

We’ll begin with the known-plaintext attack. By the hypothesis of this attack, we get to know in advance the ciphertext that results out of $\text{encrypt(plaintext, key)}$ . Accordingly, the value of $\text{ciphertext}$ is $01010101$ . Because we know both $\text{plaintext} = 11111111$ and $\text{ciphertext} = 01010101$ , in this case we can exactly compute $\text{key}$ as $\text{key} = \text{plaintext} \oplus \text{ciphertext}$ , and therefore $\text{key} = 11111111 \oplus 01010101 = 10101010$ .

5. Example of a Chosen-Plaintext Attack

Let’s now consider the chosen-plaintext attack. In this case, we can relax the previous constraint and assume we aren’t certain of the encryption algorithm being used. However, we can still choose a set of plaintexts and compare them with the resulting ciphertexts in order to learn something about the encryption algorithm and its associated key.

If we begin with the plaintext $\text{plaintext} = 11111111$ , we will obtain the $\text{ciphertext} = 01010101$ as we discussed earlier. We could then consider changing the last bit of the plaintext and observe how the ciphertext changes accordingly. In doing so, and in changing every remaining bit of the plaintext in sequence, we would develop the following table of associations:

In varying each individual bit of the plaintext and comparing the corresponding encrypted text, we could notice that the bit we vary is consistently negated in the encryption process. We could also notice that, as one bit varies, the remaining ones are left untouched: in this case, we should strongly suspect that the encryption involves a bit-wise operator of some kind; that would, in turn, significantly restrict the search space of the possible encryption algorithms that generate the ciphertexts.

This can be important when working with hashes. If the passwords aren’t salted, then the similarity between the ciphertexts of two unknown passwords could tell us something about the similarity of the passwords that generated them.

6. Conclusion

In this article, we studied the differences between known-plaintext and chosen-plaintext cryptographic attacks.

Full Archive

About Baeldung

Core Concepts

Operating Systems

Artificial Intelligence

Graph Theory

Latex