Talk:Chosen-plaintext attack

I removed the 'foo' and 'bar' things; i'm didn't think hybrid cryptosystems were inherently less susceptible to chosen-plaintext attacks than a symmetric-key system. Matt 13:16, 11 Mar 2004 (UTC)

Abbreviation
Should not all the instances of chosen-plaintext attack be replaced with CPA? Otherwise, should the abbreviation not be mentioned at all?

Known-plaintext attack vs. Chosen-plaintext attack
I'm a little confused. What exactly is the difference between a Known-plaintext attack and a Chosen-plaintext attack? As far as I understood the articles, both attacks rely on the ability to somehow get encrypted versions of a chosen text. Are they perhaps the same attack and the articles should be merged? If not, could someone more knowledgeable add a sentence explaining the difference? -- Drangon 19:43, 2 February 2007 (UTC)
 * The difference is exactly that implied by the words; the attacker chooses chosen plaintexts, but has no control over known plaintexts. It can certainly be easier to find out a plaintext and corresponding ciphertext than to get someone to encrypt the plaintext of your choice. Ntsimp 03:38, 3 February 2007 (UTC)
 * One thing that may indeed be confusing is that "gardening" is used as an example for a known-plaintext attack as well as an example for a chosen-plaintext attack. Since the Enigma could be broken with known plaintext it seems that we should find a better example for chosen-plaintext attacks. 85.0.106.171 05:28, 3 February 2007 (UTC)


 * Thanks for the explanation. Looking back at the article, it seems kinda obvious now... ("attacker has the capability to choose arbitrary plaintexts") -- Drangon 14:36, 3 February 2007 (UTC)

Non-randomized public key algorithms "vulnerable" to CPA
I removed the following paragraph:
 * Non-randomized (deterministic) public key encryption algorithms are vulnerable to simple "dictionary"-type attacks, where the attacker builds a table of likely messages and their corresponding ciphertexts. To find the decryption of some observed ciphertext, the attacker simply looks the ciphertext up in the table. As a result, public-key definitions of security under chosen-plaintext attack require probabilistic encryption (i.e., randomized encryption).  Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, may also be vulnerable to other forms of chosen-plaintext attack, for example, differential cryptanalysis of block ciphers.

This statement seems to be confusing the ideas of "inherently subject to" and "vulnerable to". The argument of a dictionary attack is also nonsense: every system in which a CPA applies is subject to a dictionary attack, including symmetric key algorithms, and the way in which the dictionary attack is described tries to suggest that it is feasible. Just how large is this dictionary supposed to be to attack 1024-bit RSA encryption as described? I'd suggest working from secondary sources, not just reinserting what might seem obvious. — Quondum 07:23, 19 January 2013 (UTC)

CCA more powerful than CPA?
I understand that, at least in the context of symmetric block cyphers, a CC attacker has access to the decryption function as a "black box" while a CP attacker has access to the encryption function as a "black box." Why is a CCA more powerful than a CPA? Isn't the most powerful attacker one who has access to both "black boxes," a (CC&CP)A? — Preceding unsigned comment added by 74.98.210.142 (talk) 14:07, 25 June 2016 (UTC)

Attack on one-time pad
In this revision an (unfortunately unregistered) user added a paragraph on the "absolute and provably secure nature" of the one-time pad. The OTP is of course not secure against the CPA attack as defined by textbooks (as shown in that paragraph), so it would be technically correct to revert this edit. I don't want to do that though because I think this is a common misunderstanding of the CPA attack. Instead I have replaced the paragraph with a weaker "disclaimer" on the security of the OTP. While I don't want to mislead people into thinking OTP is somehow a totally insecure cipher in practice because it doesn't have CPA security, at the same time it *is* broken under this model and in a technical article that should not be left out or relativized too much. Yawkat (talk) 12:41, 7 July 2020 (UTC)