In cryptography, a ciphertext-only attack is a form of cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success. For example, if an adversary is sending ciphertext continuously to maintain traffic_flow security, it would be very useful to be be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate traffic analysis.

In the history of cryptography, early ciphers, implemented using pen-and-paper, were routinely broken using ciphertexts alone. Cryptographers developed a variety of statistical techniques for attacking ciphertext, such as frequency analysis. Mechanical encryption devices such as Enigma made these attacks much more difficult. However a flaw in the German Enigma, the fact that it never enciphered a letter into itself, plus poor procedures by the Germans, sending encrypted initial rotor settings twice, allowed Polish cryptographers to mount a successful ciphertext-only cryptanalysis of the Enigma.

The eventual introduction of electronics and computers into cryptography should have resulted in ciphertext-only attacks becoming a thing of the past. Every modern cipher attempts to provide protection against ciphertext-only attacks. The vetting process for a new cipher design standard usually takes many years and includes exhaustive testing of large quantities of ciphertext for any statistical departure from random noise. See: Advanced Encryption Standard process. Nonetheless poor cipher usage or reliance on home-grown proprietary algorithms that have not be subject to thorough scrutiny has resulted in many computer-age encryption systems that are still subject to ciphertext-only attack. Examples include:

• Early versions of Microsoft's PPTP virtual private network software used the same RC4 key for the sender and the receiver (later versions had other problems). In any case where a stream cipher like RC4 is used twice with the same key it is open to ciphertext-only attack. See: stream cipher attack
• Wired Equivalent Privacy (WEP), the first security protocol for Wi-Fi, proved vulnerable to several attacks, most of them ciphertext-only.
• Some modern cipher designs have later been shown to be vulnerable to ciphertext-only attacks. See, for example, Akelarre.
• A cipher whose key space is too small is subject to brute force attack with access to nothing but ciphertext by simply trying all possible keys. All that is needed is some way to distinguish valid plaintext from random noise, never a problem for natural languages. One example is DES, which only has 56_bit keys. All too common current examples are commercial security products that derive keys for otherwise impregnable ciphers like AES from a user-selected password. Since users rarely employ passwords with anything close to the entropy of the cipher's key space, such systems are often quite easy to break in practice using only ciphertext.

References

• Alex Biryukov and Eyal Kushilevitz, From Differential Cryptanalysis to Ciphertext_Only Attacks, CRYPTO 1998, pp72–88;

See also

• Known-plaintext attack
• Chosen plaintext attack.