Attack model

In cryptanalysis, attack models or attack types are a classification of cryptographic attacks specifying how much information a cryptanalyst has access to when attempting to "break" an encrypted message (also known as ciphertext).

In cryptography, a sending party uses a cipher to encrypt (transform) a secret plaintext into a ciphertext, which is sent over an insecure communication channel to the receiving party. The receiving party uses his secret knowledge of the cipher to decrypt the ciphertext to obtain the plaintext. The secret knowledge required to decrypt the message is usually a short number or string called a key. In a cryptographic attack a third party cryptanalyst analyzes the ciphertext to try to "break" the cipher, to read the plaintext and obtain the key so that future enciphered messages can be read. It is usually assumed that the encryption and decryption algorithms themselves are public knowledge and available to the cryptographer, as this is the case for modern ciphers which are published openly. Some common attack models are:
 * Ciphertext-only attack (COA) - in this type of attack it is assumed that only the ciphertext is available to the cryptanalyst. This is the most likely case encountered in real life cryptanalysis, but is the weakest attack because of the cryptanalyst's lack of information.  Modern ciphers are required to be very resistant to this type of attack.
 * Brute force attack or exhaustive search - in this attack every possible key is tried until the correct one is found. Every cipher except the unbreakable Information-theoretically secure methods like the one time pad is vulnerable to this method, and its difficulty depends not on the cipher but only on the key length.  If the key has N bits, there are 2N possible keys to try, so a brute-force attack can break the cipher in a worst-case time proportional to 2N and an average time of 2N-1  This is often used as a standard of comparison for other attacks.
 * Known-plaintext attack (KPA) - in this type of attack it is assumed that pairs of plaintext and the corresponding enciphered text are available to the analyst. During World War II, the Allies used known-plaintexts  in their successful cryptanalysis of the Enigma machine cipher.  The plaintext samples are called "cribs"; the term originated at Bletchley Park, the British World War II decryption operation.
 * In the widely-used public-key cryptosystems, the key used to encrypt the plaintext is publicly distributed and anyone may use it, allowing the cryptanalyst to create cyphertext of any plaintext he wants. So public-key algorithms must be very resistant to all the known-plaintext attacks.


 * Chosen-plaintext attack (CPA) - in this attack the cryptanalyst is able to choose a number of plaintexts to be enciphered and have access to the resulting ciphertext. This allows him to explore whatever areas of the plaintext state space he wishes and may allow him to exploit vulnerabilities and nonrandom behavior which appear only with certain plaintexts.
 * Adaptive chosen-plaintext attack (CPA2) - in this attack the analyst can choose a sequence of plaintexts to be encrypted and have access to the ciphertexts. At each step he has the opportunity to analyze the previous results before choosing the next plaintext.  This allows him to have more information when choosing plaintexts than if he was required to choose all the plaintexts beforehand as required in the chosen-plaintext attack.
 * Chosen-ciphertext attack (CCA) - in this attack the analyst can choose arbitrary ciphertext and have access to plaintext decrypted from it. In an actual real life case this would require the analyst to have access to the communication channel and the recipient end.
 * Lunchtime attack or midnight attack - In this variant it is assumed the cryptanalyst can only have access to the system for a limited time or a limited number of plaintext-ciphertext pairs, after which he must show progress. The name comes from the common security vulnerability in which an employee signs into his encrypted computer and then leaves it unattended while he goes to lunch, allowing an attacker a limited-time access to the system.
 * Adaptive chosen-ciphertext attack (CCA2) - in this attack he can choose a series of ciphertexts and see the resulting plaintexts, with the opportunity at each step to analyze the previous ciphertext-plaintext pairs before choosing the next ciphertext.
 * Side channel attack - This is not strictly speaking a cryptanalytic attack, and does not depend on the strength of the cipher. It refers to using other data about the encryption or decryption process to gain information about the message,  such as electronic noise produced by encryption machines, sound produced by keystrokes as the plaintext is typed, or measuring how much time various computations take to perform.

Different attack models are used for other cryptographic primitives, or more generally for all kind of security systems. Examples for such attack models are:


 * Adaptive chosen-message attack for digital signatures