cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

Michael Anders micha137 at
Fri Jan 31 08:39:07 CET 2014

Short answer: No.
This would be a form of a (partially) known plaintext attack.
Semantically secure ciphers are safe against this attack and it is not
possible to extract information on the key. To be precise, you may of
course be able guess a lot in the plaintext domain: "Edward Snowden is a
%&@µ" does leak further information and could easily be "fully
deciphered". But this has nothing to do with cryptography.

However, in plain CBC ore counter mode(CTR) for the symmetric encryption
it would be possible to change the blocks of known content against
content of your liking. This is especially easy and undetectable to the
recipient for CTR-mode(just XOR it out). In CBC mode it is more
complicated and you would usually mess up some other parts of the
decrypted message to unreadable gobbledonk.
That is why you need special provisions to protect the authenticity of
the cipher in transit if you are using symmetric cryptography only. In
this case knowledge of the shared symmetric key is sort of proof that
you are a legitimate sender. I don't know how gpg does it, in academic
signature I use an hmac to protect solely symmetrically enciphered
messages. There are standardized modes you might use to achieve that
e.g. EAX or CCM.
In an asymmetrically enciphered message it makes sense only to use
digital signatures to protect the message or cipher(as opposed to the
EAX, CCM or other symmetrically authenticated modes). Here the symmetric
key is created on the fly for just this message and knowledge of the
symmetric key alone would be no proof of anything other than that the
sender is the sender. 
If you have a shaky system that might get disrupted by feeding it
maliciously crafted information, it would make sense to asymmetrically
sign the cipher and only decrypt if the signature is valid. Generally it
is logically more sound to sign the content and then symmetrically
encipher content and signature. Again I don't know how gpg does it. May
be someone knowing the gpg internals might supply the information.

Some people may disagree on the content of this last paragraph regarding
usefullness of authenticated symmetric encryption in combination with
asymmetric cryptography. There is even a proposed standard "ECIES" which
combines asymmetric cryptography with symmetrically authenticated
ciphers. I do not consider ECIES to be logically sound. 

If you are interested in this topic, you may have fun listening into Dan
Bonehs great lectures on cryptography in coursera (for free).

   Michael Anders

More information about the Gnupg-users mailing list