Chosen-plaintext attack

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts.[1] The goal of the attack is to gain some further information which reduces the security of the encryption scheme.


The main point of the attack is that the adversary is allowed to ask for encryption of multiple messages that he may sometimes choose on-the-fly in an adaptive manner. This is formalized by allowing the adversary to interact (one or several times) with an encryption oracle, viewed as a black box.

This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. Chosen-plaintext attacks become extremely important in the context of public key cryptography, where the encryption key is public and attackers can encrypt any plaintext they choose.

In the worst case, a chosen-plaintext attack could reveal the scheme's secret key. For some chosen-plaintext attacks, only a small part of the plaintext needs to be chosen by the attacker: such attacks are known as plaintext injection attacks.

The forms of attack[edit]

Two forms of chosen-plaintext attack can be distinguished:

  • Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them are encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
  • Adaptive chosen-plaintext attack (CPA2), where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.

A technique termed "Gardening" was used by Allied codebreakers in World War II who were solving messages encrypted on the Enigma machine. Gardening can be viewed as a plaintext injection attack.

Another WWII story took place, when US Navy cryptoanalysts had discovered that Japan was planning an attack on Midway Island. To prove their hypothesis that cipertext "AF" corresponds to plaintext "Midway Island" they asked the US forces at Midway to send a plaintext message about low supplies. The Japanese intercepted the message and immediately reported to their superiors that "AF" was low on water; so that the hypothesis was confirmed.[2]

Relation to other attacks[edit]

Chosen-plaintext attack is more powerful than known-plaintext attack, because the attacker obtains several different pairs of plaintext and ciphertext under the same key (instead of one pair), therefore he has more data for cryptoanalysis. Any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.

But chosen-plaintext attack is less powerful than chosen-ciphertext attack. An CCA-attacker can sometimes break a CPA-secure system.[2]

See also[edit]


  1. ^ Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems. The first edition (2001):
  2. ^ a b Katz, Jonathan; Lindell, Yehuda (2007). Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC.