
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts.


From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

For formal definitions of security against chosen-ciphertext attacks, see for example Michael Luby[1] and Mihir Bellare et al.

A number of otherwise secure schemes can be defeated under chosen-ciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosen-plaintext attack, but this semantic security can be trivially defeated under a chosen-ciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosen-ciphertext attack which revealed SSL session keys. Chosen-ciphertext attacks have implications for some self-synchronizing stream ciphers as well. Designers of tamper-resistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosen ciphertexts in an attempt to recover the hidden secret key.
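The El Gamal case above, and the CCA2 rule that the challenge ciphertext itself may not be queried, as an added worked example (not code from the original page): a toy El Gamal over Z_p^* with constructed, deliberately undersized parameters, an IND-CCA2 decryption oracle, and an adversary that wins by asking for the decryption of a related ciphertext rather than the challenge. The `DecryptionOracle`, `distinguish` and `ind_cca2_game` names are this example's own.

```python
import secrets

# Toy El Gamal over Z_p^* with constructed parameters; sizes are illustrative only.
P = 2**127 - 1   # a Mersenne prime, far too small for real use
G = 3

def keygen():
    x = secrets.randbelow(P - 2) + 1          # private key in [1, P-2]
    return x, pow(G, x, P)                    # (sk, pk)

def encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, -sk, P)) % P         # negative exponent needs Python >= 3.8

class DecryptionOracle:
    """CCA2 oracle: decrypts any ciphertext except the challenge itself."""
    def __init__(self, sk, challenge):
        self.sk, self.challenge = sk, challenge

    def query(self, ct):
        if ct == self.challenge:
            raise ValueError("the challenge ciphertext may not be queried")
        return decrypt(self.sk, ct)

def distinguish(m0, m1, challenge, oracle):
    """Adversary step. El Gamal is multiplicatively homomorphic, so (c1, 2*c2)
    is a valid ciphertext of 2*m_b that differs from the challenge. The oracle
    decrypts it, and dividing by 2 mod P reveals m_b, so the bit b is learned."""
    c1, c2 = challenge
    related = (c1, (2 * c2) % P)
    mb = (oracle.query(related) * pow(2, -1, P)) % P
    return 0 if mb == m0 else 1

def ind_cca2_game(m0, m1):
    """Run the IND-CCA2 experiment once; True when the adversary's guess is right.
    A CCA-secure scheme would leave the adversary at a 50% success rate."""
    sk, pk = keygen()
    b = secrets.randbelow(2)
    challenge = encrypt(pk, (m0, m1)[b])
    oracle = DecryptionOracle(sk, challenge)
    return distinguish(m0, m1, challenge, oracle) == b

if __name__ == "__main__":
    print("adversary wins every round:", all(ind_cca2_game(1234, 5678) for _ in range(20)))
```

The lesson for a defender is that a decryption oracle must not answer on ciphertexts related to one it has already handled, which is exactly what the CCA-secure schemes named later on this page guarantee by construction.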

It was not clear at all whether public key cryptosystems could withstand the chosen-ciphertext attack until the initial breakthrough work of Moni Naor and Moti Yung in 1990, which suggested a mode of dual encryption with integrity proof (now known as the "Naor-Yung" encryption paradigm).[3] This work made the notion of security against chosen-ciphertext attack much clearer than before and opened the research direction of constructing systems with various protections against variants of the attack.

When a cryptosystem is vulnerable to chosen-ciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosen ciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, other issues exist: some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosen-ciphertext attack, including (among others) RSA-OAEP, secure under the random oracle heuristic, and Cramer-Shoup, which was the first practical public-key system to be secure. For symmetric encryption schemes it is known that authenticated encryption, which is a primitive based on symmetric encryption, gives security against chosen-ciphertext attacks, as was first shown by Jonathan Katz and Moti Yung.[4]
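The symmetric-encryption point above, as an added example that is not part of the original page: a toy counter-mode cipher (keystream from HMAC-SHA256, constructed here for illustration) decrypts a tampered ciphertext to a tampered plaintext, whereas the same cipher wrapped in encrypt-then-MAC rejects the tampered message before any plaintext is produced, which is the property that denies a chosen-ciphertext adversary a useful decryption oracle. Keys, nonce and message are constructed test values; `encrypt_etm`/`decrypt_etm` and `demo` are this example's own names.

```python
import hashlib
import hmac
import secrets

def keystream(key, nonce, length):
    """Toy CTR keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_ctr(key, nonce, pt):
    return xor(pt, keystream(key, nonce, len(pt)))

decrypt_ctr = encrypt_ctr   # XOR with the same keystream undoes encryption

def encrypt_etm(enc_key, mac_key, pt):
    """Encrypt-then-MAC: nonce || ct || HMAC(mac_key, nonce || ct)."""
    nonce = secrets.token_bytes(16)
    ct = encrypt_ctr(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_etm(enc_key, mac_key, blob):
    """Verify the tag (constant-time) before touching the ciphertext; None on failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # the oracle reveals nothing about a modified ciphertext
    return decrypt_ctr(enc_key, nonce, ct)

def demo():
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32   # constructed test keys
    pt = b"PAY 0100 TO BOB"
    # XOR mask that turns the '0' at offset 4 into a '9' in whatever it is applied to
    delta = bytes([0] * 4 + [ord("0") ^ ord("9")] + [0] * (len(pt) - 5))
    # 1) bare CTR: the decryption oracle happily returns the altered plaintext
    nonce = b"\x00" * 16
    mauled_plain = decrypt_ctr(enc_key, nonce, xor(encrypt_ctr(enc_key, nonce, pt), delta))
    # 2) encrypt-then-MAC: the same bit flip fails tag verification
    blob = encrypt_etm(enc_key, mac_key, pt)
    mauled_blob = blob[:16] + xor(blob[16:-32], delta) + blob[-32:]
    rejected = decrypt_etm(enc_key, mac_key, mauled_blob)
    assert decrypt_etm(enc_key, mac_key, blob) == pt   # untampered message still decrypts
    return mauled_plain, rejected
```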

Varieties

Chosen-ciphertext attacks, like other attacks, may be adaptive or non-adaptive. In an adaptive chosen-ciphertext attack, the attacker can use the results from prior decryptions to inform their choices of which ciphertexts to have decrypted. In a non-adaptive attack, the attacker chooses the ciphertexts to have decrypted without seeing any of the resulting plaintexts. After seeing the plaintexts, the attacker can no longer obtain the decryption of additional ciphertexts.

Lunchtime attacks

A specially noted variant of the chosen-ciphertext attack is the "lunchtime", "midnight", or "indifferent" attack, in which an attacker may make adaptive chosen-ciphertext queries but only up until a certain point, after which the attacker must demonstrate some improved ability to attack the system.[5] The term "lunchtime attack" refers to the idea that a user's computer, with the ability to decrypt, is available to an attacker while the user is out to lunch. This form of the attack was the first one commonly discussed: obviously, if the attacker has the ability to make adaptive chosen-ciphertext queries, no encrypted message would be safe, at least until that ability is taken away. This attack is sometimes called the "non-adaptive chosen-ciphertext attack";[6] here, "non-adaptive" refers to the fact that the attacker cannot adapt their queries in response to the challenge, which is given after the ability to make chosen-ciphertext queries has expired.

Adaptive chosen-ciphertext attack

A (full) adaptive chosen-ciphertext attack is an attack in which ciphertexts may be chosen adaptively before and after a challenge ciphertext is given to the attacker, with only the stipulation that the challenge ciphertext may not itself be queried. This is a stronger attack notion than the lunchtime attack, and is commonly referred to as a CCA2 attack, as compared to a CCA1 (lunchtime) attack.[6] Few practical attacks are of this form. Rather, this model is important for its use in proofs of security against chosen-ciphertext attacks. A proof that attacks in this model are impossible implies that any realistic chosen-ciphertext attack cannot be performed.

A practical adaptive chosen-ciphertext attack is the Bleichenbacher attack against PKCS#1.[7]

Numerous cryptosystems are proven secure against adaptive chosen-ciphertext attacks, some proving this security property based only on algebraic assumptions, some additionally requiring an idealized random oracle assumption. For example, the Cramer-Shoup system[5] is secure based on number-theoretic assumptions and no idealization, and after a number of subtle investigations it was also established that the practical scheme RSA-OAEP is secure under the RSA assumption in the idealized random oracle model.[8]
