Classical Attacks

The attacker's toolkit: ciphertext-only, known-plaintext, chosen-plaintext, Kasiski, Friedman.


The history of cryptanalysis is the history of mathematicians and intelligence services finding leaks in ciphers their authors thought unbreakable. The vocabulary developed in that era — ciphertext-only attack, known-plaintext attack, chosen-plaintext attack — still drives modern cryptographic threat models. This lesson is the conceptual taxonomy that ties together everything you've learned in this area.

Attack models — the threat-model hierarchy

A cryptosystem's "security" depends on what the attacker is allowed to do. The strongest cryptanalytic results are those that succeed under the weakest attack assumptions, because those are the conditions every system faces.

Ciphertext-only attack (COA)

The attacker has nothing but the encrypted text. No plaintext. No oracle. They have to break the cipher using statistical properties of the ciphertext alone.

Examples in classical cryptanalysis:

  • Frequency analysis on a long substitution cipher.
  • Kasiski / Friedman period detection on a Vigenère cipher.
  • IoC analysis to distinguish substitution from polyalphabetic.

A cipher that resists COA still might fall to a stronger attack — but if it doesn't even resist COA, it's broken in the most basic sense. Modern AEAD ciphers (AES-GCM, ChaCha20-Poly1305) trivially resist COA.

Known-plaintext attack (KPA)

The attacker has some plaintext-ciphertext pairs. They want to recover the key (or decrypt other captured ciphertexts under the same key).

This is the most common real-world attack model. Examples:

  • A captured email has a standardised header ("FROM:", "TO:", "Subject:") whose plaintext you can guess.
  • The Bletchley Park "cribs" against Enigma — guessing standard German phrases ("WETTERBERICHT", weather report) at predictable positions.
  • A WWI crib: knowing that the German army's daily report always started with "AN ALLE" (to all).

A classical cipher with a fixed key is generally MUCH weaker against KPA than against COA. A few hundred letters of known plaintext will recover the key for almost any classical cipher.

Chosen-plaintext attack (CPA)

The attacker can submit arbitrary plaintexts to the cipher and get back the matching ciphertexts. This is a stronger attack than KPA — the attacker chooses the plaintexts most useful for analysis.

Examples:

  • An attacker has temporary access to a sender's encryption device. They feed it carefully-chosen plaintexts to learn the key structure.
  • An RSA-style oracle attack: the attacker submits chosen ciphertexts to a decryption service that leaks information.
  • The infamous "tea-time" attacks against ECB-mode AES: the attacker observes their own controlled plaintext block produce identical ciphertext blocks for repeated content.

A cipher that's "secure against CPA" is stronger than one that's only secure against KPA — because CPA includes KPA as a special case.

Chosen-ciphertext attack (CCA / CCA2)

The attacker can submit arbitrary ciphertexts to the cipher's decryption oracle and observe the output (or a yes/no validity indicator). Modern AEAD aims for IND-CCA2 security, meaning even adaptive chosen-ciphertext attacks fail.

Real-world cases: Bleichenbacher's 1998 attack on RSA PKCS#1 v1.5 padding (a CCA), the POODLE attack on SSLv3 (a CCA on the padding oracle), DROWN (cross-protocol CCA against SSLv2-still-supported servers).

For classical ciphers, CCA isn't usually relevant — there's typically no "decryption service" the attacker can query. CCA matters mostly for modern systems with networked decryption endpoints.

The cryptanalysts' tools (Vigenère family)

For polyalphabetic ciphers, two specific techniques deserve their own names:

Kasiski examination (1863)

If two identical plaintext trigrams happen to be encrypted with the same key letters, they produce identical ciphertext trigrams. So the distance between any pair of identical trigrams in the ciphertext must be a multiple of the key length.

Procedure:

  1. Find all repeated trigrams in the ciphertext.
  2. For each, note the distance(s) between its occurrences.
  3. Compute the GCD of all those distances.
  4. The GCD (or one of its small factors) is the key length.

Once you know the key length L, the cipher reduces to L independent Caesar ciphers — break each by frequency analysis. Total cryptanalysis takes minutes.
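The four-step procedure above, as an added example (not code from this lesson). The ciphertext is a constructed sample, and the function names and the per-length vote table are assumptions of this sketch; the vote table covers the case where an accidental repeat spoils the raw GCD.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

# Constructed sample: "CRYPTOISSHORTFORCRYPTOGRAPHYCRYPTOISFUN" under the
# Vigenere key "ABCD" (A = shift 0). The analyst sees only this string.
CIPHERTEXT = "CSASTPKVSIQUTGQUCSASTPIUAQJBCSASTPKVFVP"


def repeated_ngram_distances(ciphertext, n=3):
    """Steps 1-2: each repeated n-gram -> gaps between consecutive occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {gram: [b - a for a, b in zip(pos, pos[1:])]
            for gram, pos in positions.items() if len(pos) > 1}


def kasiski(ciphertext, n=3, max_len=20):
    """Steps 3-4: GCD of every gap, plus how many gaps each candidate length divides.

    The vote table is the fallback when one accidental repeat (a trigram that
    matches by chance, not by key alignment) drags the raw GCD down to 1.
    """
    found = repeated_ngram_distances(ciphertext, n)
    gaps = [d for ds in found.values() for d in ds]
    if not gaps:
        return 0, {}
    votes = {L: sum(d % L == 0 for d in gaps) for L in range(2, max_len + 1)}
    return reduce(gcd, gaps), {L: v for L, v in votes.items() if v}


if __name__ == "__main__":
    for gram, gaps in repeated_ngram_distances(CIPHERTEXT).items():
        print(gram, gaps)
    overall, votes = kasiski(CIPHERTEXT)
    print("GCD of all gaps:", overall)
    print("gaps divisible by each candidate length:", votes)
```

With only the first 28 letters of the sample, every gap is 16, so the GCD alone cannot separate 16, 8, 4 and 2; the third occurrence of the repeated run is what narrows it to 4.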

Friedrich Kasiski's 1863 paper Die Geheimschriften und die Dechiffrir-Kunst presented the method publicly. It had likely been known privately to British intelligence for at least 20 years before that — Charles Babbage independently discovered it around 1854 but never published.

Friedman test / Index of Coincidence

The IoC of a text is the probability that two letters drawn at random from it are equal:

IoC = Σ (n_i × (n_i − 1)) / (N × (N − 1))

where n_i is the count of each letter and N is the total length.

Reference values:

| Distribution | IoC |
|---|---|
| English plaintext | ~0.067 |
| Uniform random | ~0.038 |
| Substitution cipher (mono-alphabetic) of English | ~0.067 (preserved) |
| Vigenère with key length L (long) | ~0.038 + (0.067 - 0.038) / L |

The Friedman test exploits this: try every key length L, split the ciphertext into L columns (every L-th letter), and compute the average IoC per column. The L for which the columns most closely match English IoC (~0.067) is the key length.

This is more robust than Kasiski for short messages or when repeated trigrams are sparse. Friedman published it in his 1922 paper The Index of Coincidence and Its Applications in Cryptography.
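The column-IoC search described above, as an added example (not code from this lesson). The sample plaintext, the key "LEMON", the function names and the 0.055 cut-off are assumptions of this sketch.

```python
from collections import Counter

# Constructed sample plaintext and key (assumptions for this example only).
PLAINTEXT = (
    "The security of a cipher should rest on the key alone and never on the "
    "secrecy of the method. An analyst who holds only intercepted text still "
    "learns a great deal from letter counts, because every language leaves a "
    "statistical fingerprint. When the same short key is reused along a long "
    "message, that fingerprint survives inside each column, and the index of "
    "coincidence exposes the period."
)
KEY = "LEMON"

def vigenere_encrypt(plaintext, key):
    """Helper that builds the sample: keeps A-Z only, A = shift 0."""
    letters = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    return "".join(chr((ord(c) + ord(key[i % len(key)]) - 130) % 26 + 65)
                   for i, c in enumerate(letters))

def ioc(text):
    """IoC = sum n_i(n_i - 1) / (N(N - 1)); 0.0 for texts too short to sample."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(k * (k - 1) for k in Counter(text).values()) / (n * (n - 1))

def column_ioc(ciphertext, length):
    """Average IoC of the `length` columns made from every length-th letter."""
    return sum(ioc(ciphertext[i::length]) for i in range(length)) / length

def friedman_key_length(ciphertext, max_len=12, threshold=0.055):
    """Smallest length whose columns reach `threshold` (an assumed cut-off
    between ~0.038 and ~0.067). Smallest rather than arg-max, because every
    multiple of the true length scores just as high. 1 means monoalphabetic."""
    scores = {L: column_ioc(ciphertext, L) for L in range(1, max_len + 1)}
    hits = [L for L, s in scores.items() if s >= threshold]
    return (hits[0] if hits else max(scores, key=scores.get)), scores

if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEY)
    guess, scores = friedman_key_length(ct)
    for L, s in scores.items():
        print(f"L={L:2d}  avg column IoC={s:.4f}")
    print("estimated key length:", guess)
```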

Combining the tools

The classical-cipher attacker's full toolkit:

Step 1: Establish what kind of cipher you have.
   - Frequency histogram looks like English? → substitution
   - Frequency flat (~3.85% per letter)? → polyalphabetic or transposition
   - Letter set unchanged but unreadable? → transposition
   - Letter set changed AND flat distribution? → polyalphabetic

Step 2: If polyalphabetic, find the key length.
   - Run Kasiski + Friedman in parallel.
   - Cross-check the answers.

Step 3: For substitution / per-column-Caesar, apply frequency analysis.
   - ETAOIN SHRDLU mapping.
   - Bigram / trigram crib refinement.

Step 4: Iterate. Each guess unlocks the next.

Modern CTF "classical cipher" challenges run this exact pipeline in software in seconds. The same techniques scale all the way up to Enigma — Bletchley Park's Bombe was an electromechanical version of this systematic search.

Modern relevance

Today's threat models are direct descendants of these attack types:

  • IND-CPA (indistinguishability under chosen-plaintext attack) — minimum acceptable bar for symmetric ciphers.
  • IND-CCA2 (adaptive chosen ciphertext) — required for AEAD modes (AES-GCM, ChaCha20-Poly1305).
  • EUF-CMA (existential unforgeability under chosen-message attack) — required for signature schemes.

Understanding "what can the attacker do?" is the first question for any new cryptographic protocol — and it's the question the classical cryptanalysts were asking 150 years before the formal definitions existed.

What this lesson asks of you

The playground asks you to classify five real attack scenarios into the right model (COA / KPA / CPA / CCA) — including a few modern ones that map onto the classical taxonomy. The visualizer animates the Kasiski examination process: it highlights repeated trigrams in a sample ciphertext and tabulates the inter-position distances so you can see the GCD emerging.

Tools in the wild

  • CrypTool (free tier, service): Visual cryptanalysis: Kasiski, Friedman, IoC, frequency tables, side-by-side breaking.
  • Online tools for every classical-cipher attack: period detection, key search, autosolvers. (service)
  • Python implementations of Kasiski, IoC, Friedman, Vigenère solver, and more. (library)