Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG

Steve Schear schear at
Sat Feb 8 23:50:41 EST 2003

[Apologies if this item was passed through the list.  It was news to me.]

Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG
K. Jallad, J. Katz, and B. Schneier

Information Security Conference 2002 Proceedings, Springer-Verlag, 2002, to 

ABSTRACT: We recently noted that PGP and other e-mail encryption protocols 
are, in theory, highly vulnerable to chosen-ciphertext attacks in which the 
recipient of the e-mail acts as an unwitting "decryption oracle." We argued 
further that such attacks are quite feasible and therefore represent a 
serious concern. Here, we investigate these claims in more detail by 
attempting to implement the suggested attacks. On one hand, we are able to 
successfully implement the described attacks against PGP and GnuPG (two 
widely-used software packages) in a number of different settings. On the 
other hand, we show that the attacks largely fail when data is compressed 
before encryption.

Interestingly,the attacks are unsuccessful for largely fortuitous reasons; 
resistance to these attacks does not seem due to any conscious effort made 
to prevent them. Based on our work, we discuss those instances in which 
chosen-ciphertext attacks do indeed represent an important threat and hence 
must be taken into account in order to maintain confidentiality. We also 
recommend changes in the OpenPGP standard to reduce the effectiveness of 
our attacks in these settings.

"Reality must take precedence over public relations, for nature cannot be 
-- Richard P. Feynman

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list