
A chosenciphertext attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption. Formal definitions of security against chosenciphertext attacks were given by Michael Luby and Mihir Bellare et al. ==Introduction== A number of otherwise secure schemes can be defeated under chosenciphertext attack. For example, the El Gamal cryptosystem is semantically secure under chosenplaintext attack, but this semantic security can be trivially defeated under a chosenciphertext attack. Early versions of RSA padding used in the SSL protocol were vulnerable to a sophisticated adaptive chosenciphertext attack which revealed SSL session keys. Chosenciphertext attacks have implications for some selfsynchronizing stream ciphers as well. Designers of tamperresistant cryptographic smart cards must be particularly cognizant of these attacks, as these devices may be completely under the control of an adversary, who can issue a large number of chosenciphertexts in an attempt to recover the hidden secret key. It was not clear whether public key cryptosystems can withstand the chosen ciphertext attack until the initial work of Moni Naor and Moti Yung in 1990, which suggested a mode of dual encryption with integrity proof (now known as the "NaorYung" encryption paradigm). When a cryptosystem is vulnerable to chosenciphertext attack, implementers must be careful to avoid situations in which an adversary might be able to decrypt chosenciphertexts (i.e., avoid providing a decryption oracle). This can be more difficult than it appears, as even partially chosen ciphertexts can permit subtle attacks. Additionally, other issues exist and some cryptosystems (such as RSA) use the same mechanism to sign messages and to decrypt them. This permits attacks when hashing is not used on the message to be signed. A better approach is to use a cryptosystem which is provably secure under chosenciphertext attack, including (among others) RSAOAEP secure under the random oracle heuristics, CramerShoup and many forms of authenticated symmetric encryption when one uses symmetric encryption rather than public key cryptography. 抄文引用元・出典: フリー百科事典『 ウィキペディア（Wikipedia）』 ■ウィキペディアで「Chosenciphertext attack」の詳細全文を読む スポンサード リンク
