Chosen plaintext attack

A chosen plaintext attack is an attack[?] on a cryptosystem[?] in which the cryptanalyst chooses plaintext to be encrypted as a way further the attack. The name is somewhat misleading as few cryptanalysts are in a position to request their victims to do such things. More commonly information is leaked which is expected to be encrypted and transmitted over an eavesdroppable channel (this is called a known plaintext attack[?]). There are two kinds:

• batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them is encrypted, and
• adaptive chosen-plaintext attack, where the cryptanalyst sees the ciphertext of a chosen plaintext before choosing another plaintext.

Conventional (symmetric cipher[?] or secret key) encryption systems, in which the same key is used to encrypt and decrypt a text, are sometimes vulnerable to this attack. If you know that f(foo) = bar, and you know both foo and bar, (because you chose foo and arranged to have the encryption system (f() in this case) convert it to bar), it is often possible to recover the value of f. One of the advantages of hybrid crypto systems[?] such as Pretty Good Privacy is that they are less often subject to this form of attack. The 'message' encrypted with using an asymmetric key algorithm (aka public key / private key algorithm[?]) is a session key which should have been randomly chosen, or the hash of plaintext message, not the plaintext itself.

But note that the RSA asymmetric key algorithm is inherently susceptible to a chosen ciphertext attack.

See also:

• chosen ciphertext attack
• chosen key attack[?].