### Question 63. At What Point Does an Attack
Become Practical?

There is no easy answer to this question since it depends on many distinct
factors. Not only must the work and computational resources required by
the cryptanalyst be reasonable, but the amount and type of data required
for the attack to be successful must also be taken into account.

One classification distinguishes among cryptanalytic attacks according
to the data they require in the following way: *chosen plaintext *or*
chosen ciphertext*, *known plaintext,* and *ciphertext-only*.
(This classification is not particular to secret-key ciphers and can be
applied to cryptanalytic attacks on any cryptographic function.)

A *chosen plaintext* or *chosen ciphertext* attack gives the
cryptanalyst the greatest freedom in analyzing a cipher. The cryptanalyst
chooses the plaintext to be encrypted and analyzes the plaintext together
with the resultant ciphertext to derive the secret key. Such attacks will,
in many circumstances, be difficult to mount but they should not be discounted.
As Merkle and Hellman have remarked
[MH81], a chosen text attack can in
some ways be viewed as a "certificational weakness" in a cryptosystem.

A *known plaintext* attack is more useful to the cryptanalyst than
a chosen plaintext attack (with the same amount of data) since the cryptanalyst
now requires a certain numbers of plaintexts and their corresponding ciphertexts
without specifying the values of the plaintexts. This type of information
is presumably easier to collect.

The most practical attack, but perhaps the most difficult to actually
discover, is a *ciphertext-only* attack. In such an attack, the cryptanalyst
merely intercepts a number of encrypted messages and subsequent analysis
somehow reveals the key used for encryption. Note that some knowledge of
the statistical distribution of the plaintext is required for a ciphertext-only
attack to succeed.

An added level of sophistication to the chosen text attacks is to make
them *adaptive*. By this we mean that the cryptanalyst has the additional
power to choose the text that is to be encrypted or decrypted after seeing
the results of previous requests.

The computational effort and resources together with the amount and
type of data required are all important features in assessing the practicality
of some attack.