36:
857:
490:
cryptosystem, this security only holds under security definitions weaker than CPA security. This is because under the formal definition of CPA security the encryption oracle has no state. This vulnerability may not be applicable to all practical implementations – the one-time pad can still be made
511:
had codewords that began with "A". To prove their hypothesis that "AF" corresponded to "Midway Island" they asked the US forces at Midway to send a plaintext message about low supplies. The
Japanese intercepted the message and immediately reported to their superiors that "AF" was low on water,
194:
It may seem infeasible in practice that an attacker could obtain ciphertexts for given plaintexts. However, modern cryptography is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible (see also
580:, because the attacker can directly target specific terms or patterns without having to wait for these to appear naturally, allowing faster gathering of data relevant to cryptanalysis. Therefore, any cipher that prevents chosen-plaintext attacks is also secure against
565:. To be considered CPA-secure, the symmetric cipher must not be vulnerable to chosen-plaintext attacks. Thus, it is important for symmetric cipher implementors to understand how an attacker would attempt to break their cipher and make relevant improvements.
273:
Based on the plaintext–ciphertext pairs, the attacker can attempt to extract the key used by the oracle to encode the plaintexts. Since the attacker in this type of attack is free to craft the plaintext to match his needs, the attack complexity may be
847:
535:
to encrypt a warning message about the mines and an "all clear" message after they were removed, giving the allies enough information about the message to break the German naval Enigma. This process of
218:, where the adversary chooses all of the plaintexts before seeing any of the corresponding ciphertexts. This is often the meaning intended by "chosen-plaintext attack" when this is not qualified.
845:
531:
to lay mines at a position that didn't have any abbreviations or alternatives in the German naval system's grid reference. The hope was that the
Germans, seeing the mines, would use an
339:
846:
822:. "The first code which Garbo was given by the Germans for his wireless communications turned out to be the identical code which was currently in use in the German circuits"
441:
With more intricate or complex encryption methodologies the decryption method becomes more resource-intensive, however, the core concept is still relatively the same.
568:
For some chosen-plaintext attacks, only a small part of the plaintext may need to be chosen by the attacker; such attacks are known as plaintext injection attacks.
909:
595:, where the attacker can obtain the plaintexts of arbitrary ciphertexts. A CCA-attacker can sometimes break a CPA-secure system. For example, the
902:
417:
The adversary can then work through to recover the key in the same way as a Caesar cipher. The adversary could deduce the substitutions
387:
The following examples demonstrate how some ciphers that meet other security definitions may be broken with a chosen-plaintext attack.
183:) ask for the ciphertexts of arbitrary plaintext messages. This is formalized by allowing the adversary to interact with an encryption
100:
503:
US Navy cryptanalysts discovered that Japan was planning to attack a location referred to as "AF". They believed that "AF" might be
72:
53:
895:
554:
for transmission to Berlin. This helped the codebreakers decrypt the code used on the second leg, having supplied the original
79:
779:
228:), where the adversary can request the ciphertexts of additional plaintexts after seeing the ciphertexts for some plaintexts.
86:
712:
700:
270:
ciphertexts back from the oracle, in such a way that the attacker knows which ciphertext corresponds to each plaintext.
1008:
960:
955:
119:
68:
943:
862:
487:
17:
985:
737:
57:
167:, and they are therefore, by design, generally immune to chosen-plaintext attacks if correctly implemented.
550:, whose encrypted radio reports were received in Madrid, manually decrypted, and then re-encrypted with an
600:
306:
649:
599:
is secure against chosen plaintext attacks, but vulnerable to chosen ciphertext attacks because it is
881:
542:
263:
The encryption oracle will then encrypt the attacker's plaintexts and send them back to the attacker.
93:
437:
and so on. This would lead the adversary to determine that 13 was the key used in the Caesar cipher.
950:
592:
176:
562:
200:
46:
967:
933:
581:
577:
453:
allows full recovery of the secret key. Suppose the message length and key length are equal to
877:
808:
The Nazis believed Pujol, whom they code named Alaric Arabel, was one of their prize assets
661:
203:
where the encryption key is public and so attackers can encrypt any plaintext they choose.
547:
8:
972:
376:
665:
27:
Attack model for cryptanalysis with presumed access to ciphertexts for chosen plaintexts
980:
612:
596:
180:
512:
confirming the Navy's hypothesis and allowing them to position their force to win the
775:
718:
708:
677:
648:
Barrera, John Fredy; Vargas, Carlos; Tebaldi, Myrian; Torroba, Roberto (2010-10-15).
469:
669:
513:
508:
887:
673:
585:
528:
156:. The goal of the attack is to gain information that reduces the security of the
795:
551:
532:
524:
278:
Consider the following extension of the above situation. After the last step,
191:. The attacker’s goal is to reveal all or a part of the secret encryption key.
184:
738:"How Cryptology enabled the United States to turn the tide in the Pacific War"
1002:
922:
767:
722:
681:
504:
396:
145:
865:
was created from a revision of this article dated 28 December 2023
918:
650:"Chosen-plaintext attack on a joint transform correlator encrypting system"
636:
520:
500:
472:
450:
250:
141:
351:, and attempts to "guess" which plaintext it received, and outputs a bit
199:). Chosen-plaintext attacks become extremely important in the context of
633:
Security
Engineering: A Guide to Building Dependable Distributed Systems
561:
In modern day, chosen-plaintext attacks (CPAs) are often used to break
157:
149:
745:
546:. Allied codebreakers also helped craft messages sent by double agent
555:
188:
153:
237:
A general batch chosen-plaintext attack is carried out as follows :
35:
491:
secure if key reuse is avoided (hence the name "one-time" pad).
163:
Modern ciphers aim to provide semantic security, also known as
766:
Morris, Christopher (1993), "Navy Ultra's Poor
Relations", in
705:
Introduction to Modern
Cryptography: Principles and Protocols
361:
indistinguishable encryptions under a chosen-plaintext attack
165:
ciphertext indistinguishability under chosen-plaintext attack
647:
591:
However, a chosen-plaintext attack is less powerful than a
309:
486:While the one-time pad is used as an example of an
60:. Unsourced material may be challenged and removed.
917:
333:
211:There are two forms of chosen-plaintext attacks:
1000:
787:
774:, Oxford: Oxford University Press, p. 235,
772:Codebreakers: The inside story of Bletchley Park
576:A chosen-plaintext attack is more powerful than
148:which presumes that the attacker can obtain the
232:
903:
571:
328:
316:
813:
699:
461:The adversary sends a string consisting of
363:if after running the above experiment with
910:
896:
729:
403:Suppose the adversary sends the message:
344:The adversary receives the encryption of
120:Learn how and when to remove this message
873:, and does not reflect subsequent edits.
856:
695:
693:
691:
637:http://www.cl.cam.ac.uk/~rja14/book.html
399:allows full recovery of the secret key:
367:=1 the adversary can't guess correctly (
796:"The piece of paper that fooled Hitler"
14:
1001:
765:
891:
793:
688:
475:of the key with the string of zeroes.
282:The adversary outputs two plaintexts
707:. Boca Raton: Chapman and Hall/CRC.
260:plaintexts to the encryption oracle.
58:adding citations to reliable sources
29:
625:
334:{\displaystyle b\leftarrow \{0,1\}}
24:
843:
735:
478:The string returned by the oracle
206:
25:
1020:
507:, because other locations in the
175:In a chosen-plaintext attack the
855:
488:information-theoretically secure
444:
390:
253:, it may or may not be bounded.)
222:Adaptive chosen-plaintext attack
196:
34:
170:
45:needs additional citations for
794:Kelly, Jon (27 January 2011).
759:
641:
494:
313:
303:is chosen uniformly at random
256:The attacker then sends these
13:
1:
618:
540:a known-plaintext was called
216:Batch chosen-plaintext attack
674:10.1016/j.optcom.2010.06.009
635:. The first edition (2001):
395:The following attack on the
249:is specified as part of the
245:plaintexts. (This parameter
7:
819:
606:
382:
233:General method of an attack
10:
1025:
703:; Lindell, Yehuda (2007).
449:The following attack on a
929:
744:. US Navy. Archived from
601:unconditionally malleable
572:Relation to other attacks
523:, Allied codebreakers at
433:
429:
423:
419:
411:
404:
69:"Chosen-plaintext attack"
1009:Chosen-plaintext attacks
593:chosen-ciphertext attack
527:would sometimes ask the
241:The attacker may choose
770:; Stripp, Alan (eds.),
468:The oracle returns the
410:and the oracle returns
375:) with probability non-
201:public key cryptography
134:chosen-plaintext attack
851:
831:Listen to this article
578:known-plaintext attack
335:
266:The attacker receives
850:
654:Optics Communications
465:zeroes to the oracle.
336:
882:More spoken articles
307:
54:improve this article
736:Weadon, Patrick D.
666:2010OptCo.283.3917B
852:
613:GMR (cryptography)
331:
996:
995:
951:Chosen-ciphertext
848:
781:978-0-19-280132-6
660:(20): 3917–3921.
563:symmetric ciphers
548:Juan Pujol GarcĂa
379:better than 1/2.
130:
129:
122:
104:
16:(Redirected from
1016:
977:Open key models
939:Chosen-plaintext
912:
905:
898:
889:
888:
872:
870:
859:
858:
849:
839:
837:
832:
823:
817:
811:
810:
805:
803:
791:
785:
784:
763:
757:
756:
754:
753:
733:
727:
726:
697:
686:
685:
645:
639:
629:
509:Hawaiian Islands
436:
435:
431:
426:
425:
421:
413:
406:
340:
338:
337:
332:
125:
118:
114:
111:
105:
103:
62:
38:
30:
21:
18:Chosen plaintext
1024:
1023:
1019:
1018:
1017:
1015:
1014:
1013:
999:
998:
997:
992:
968:Known-plaintext
934:Ciphertext-only
925:
916:
886:
885:
874:
868:
866:
863:This audio file
860:
853:
844:
841:
835:
834:
830:
827:
826:
818:
814:
801:
799:
792:
788:
782:
764:
760:
751:
749:
734:
730:
715:
698:
689:
646:
642:
631:Ross Anderson,
630:
626:
621:
609:
597:El Gamal cipher
586:ciphertext-only
582:known-plaintext
574:
529:Royal Air Force
497:
482:the secret key.
464:
456:
447:
428:
418:
393:
385:
374:
370:
366:
354:
350:
347:
308:
305:
304:
302:
295:
292:
288:
285:
235:
209:
207:Different forms
173:
126:
115:
109:
106:
63:
61:
51:
39:
28:
23:
22:
15:
12:
11:
5:
1022:
1012:
1011:
994:
993:
991:
990:
989:
988:
983:
975:
970:
965:
964:
963:
958:
948:
947:
946:
936:
930:
927:
926:
915:
914:
907:
900:
892:
875:
861:
854:
842:
829:
828:
825:
824:
812:
786:
780:
758:
728:
714:978-1584885511
713:
701:Katz, Jonathan
687:
640:
623:
622:
620:
617:
616:
615:
608:
605:
573:
570:
552:Enigma machine
533:Enigma machine
525:Bletchley Park
496:
493:
484:
483:
476:
466:
462:
454:
446:
443:
439:
438:
415:
412:Nggnpx ng qnja
408:
405:Attack at dawn
392:
389:
384:
381:
372:
368:
364:
357:
356:
352:
348:
345:
342:
330:
327:
324:
321:
318:
315:
312:
300:
297:
293:
290:
286:
283:
276:
275:
271:
264:
261:
254:
234:
231:
230:
229:
219:
208:
205:
187:, viewed as a
179:can (possibly
172:
169:
152:for arbitrary
128:
127:
42:
40:
33:
26:
9:
6:
4:
3:
2:
1021:
1010:
1007:
1006:
1004:
987:
984:
982:
979:
978:
976:
974:
971:
969:
966:
962:
959:
957:
954:
953:
952:
949:
945:
942:
941:
940:
937:
935:
932:
931:
928:
924:
923:cryptanalysis
920:
919:Attack models
913:
908:
906:
901:
899:
894:
893:
890:
883:
879:
864:
821:
820:Seaman (2004)
816:
809:
797:
790:
783:
777:
773:
769:
768:Hinsley, F.H.
762:
748:on 2015-01-31
747:
743:
739:
732:
724:
720:
716:
710:
706:
702:
696:
694:
692:
683:
679:
675:
671:
667:
663:
659:
655:
651:
644:
638:
634:
628:
624:
614:
611:
610:
604:
602:
598:
594:
589:
587:
583:
579:
569:
566:
564:
559:
557:
553:
549:
545:
544:
539:
534:
530:
526:
522:
517:
515:
510:
506:
505:Midway Island
502:
492:
489:
481:
477:
474:
471:
467:
460:
459:
458:
452:
445:One-time pads
442:
416:
409:
402:
401:
400:
398:
397:Caesar cipher
391:Caesar cipher
388:
380:
378:
362:
359:A cipher has
343:
325:
322:
319:
310:
298:
281:
280:
279:
272:
269:
265:
262:
259:
255:
252:
248:
244:
240:
239:
238:
227:
223:
220:
217:
214:
213:
212:
204:
202:
198:
192:
190:
186:
182:
178:
168:
166:
161:
159:
155:
151:
147:
146:cryptanalysis
143:
139:
135:
124:
121:
113:
110:November 2015
102:
99:
95:
92:
88:
85:
81:
78:
74:
71: –
70:
66:
65:Find sources:
59:
55:
49:
48:
43:This article
41:
37:
32:
31:
19:
973:Side-channel
938:
815:
807:
800:. Retrieved
789:
771:
761:
750:. Retrieved
746:the original
742:www.navy.mil
741:
731:
704:
657:
653:
643:
632:
627:
590:
575:
567:
560:
541:
537:
521:World War II
519:Also during
518:
501:World War II
498:
485:
479:
473:exclusive-or
451:one-time pad
448:
440:
394:
386:
360:
358:
277:
267:
257:
251:attack model
246:
242:
236:
225:
221:
215:
210:
193:
174:
171:Introduction
164:
162:
142:attack model
137:
133:
131:
116:
107:
97:
90:
83:
76:
64:
52:Please help
47:verification
44:
981:Related-key
495:In practice
197:In practice
150:ciphertexts
878:Audio help
869:2023-12-28
752:2015-02-19
619:References
377:negligibly
181:adaptively
158:encryption
154:plaintexts
80:newspapers
986:Known-key
961:Lunchtime
802:1 January
723:893721520
682:0030-4018
588:attacks.
543:gardening
314:←
189:black box
177:adversary
1003:Category
956:Adaptive
944:Adaptive
880: ·
607:See also
538:planting
383:Examples
274:reduced.
160:scheme.
140:) is an
867: (
838:minutes
662:Bibcode
470:bitwise
94:scholar
778:
721:
711:
680:
514:battle
299:A bit
185:oracle
96:
89:
82:
75:
67:
798:. BBC
101:JSTOR
87:books
804:2012
776:ISBN
719:OCLC
709:ISBN
678:ISSN
584:and
556:text
289:and
226:CPA2
144:for
73:news
921:in
670:doi
658:283
499:In
138:CPA
56:by
1005::
836:11
806:.
740:.
717:.
690:^
676:.
668:.
656:.
652:.
603:.
558:.
516:.
480:is
457:.
432:→
427:,
422:→
373:b'
353:b'
132:A
911:e
904:t
897:v
884:)
876:(
871:)
840:)
833:(
755:.
725:.
684:.
672::
664::
463:n
455:n
434:G
430:T
424:N
420:A
414:.
407:,
371:=
369:b
365:n
355:.
349:b
346:m
341:.
329:}
326:1
323:,
320:0
317:{
311:b
301:b
296:.
294:1
291:m
287:0
284:m
268:n
258:n
247:n
243:n
224:(
136:(
123:)
117:(
112:)
108:(
98:·
91:·
84:·
77:·
50:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.