Home > Chosen plaintext attack

This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. In addition, any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.

Two forms of chosen-plaintext attack can be distinguished:

• Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them is encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
• Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.

Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, are often vulnerable to this type of attack, for example, differential cryptanalysis of block ciphers.

A technique termed Gardening was used by Allied codebreakers in World War II who were solving messages encrypted on the Enigma machine. Gardening can be viewed as a chosen plaintext attack.

See also

• Chosen ciphertext attack
• Adaptive chosen-ciphertext attack
• Related key attack