A chosen plaintext attack is any form of cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The attack would gain some further information, typically the secret key.

This appears, at first glance, to be an unrealistic model; it would certainly be unlikely that an attacker could persuade a human cryptographer to encrypt large amounts of plaintexts of the attacker's choosing. Modern cryptography, on the other hand, is implemented in software or hardware and is used for a diverse range of applications; for many cases, a chosen-plaintext attack is often very feasible. In addition, any cipher that can prevent chosen-plaintext attacks is then also guaranteed to be secure against known-plaintext and ciphertext-only attacks; this is a conservative approach to security.

Two forms of chosen-plaintext attack can be distinguished:

• Batch chosen-plaintext attack, where the cryptanalyst chooses all plaintexts before any of them is encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack".
• Adaptive chosen-plaintext attack, where the cryptanalyst makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions.

Conventional symmetric ciphers, in which the same key is used to encrypt and decrypt a text, are often vulnerable to this type of attack, for example, differential cryptanalysis of block ciphers.

A technique termed Gardening was used by Allied codebreakers in World War II who were solving messages encrypted on the Enigma machine. Gardening can be viewed as a chosen plaintext attack.

See also

• Chosen ciphertext attack
• Adaptive chosen-ciphertext attack
• Related key attack