LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four classic attack models in cryptanalysis, ordered by attacker power?

Ciphertext-only → known-plaintext → chosen-plaintext → chosen-ciphertext, each strictly more powerful than the last.

Model What the attacker has Real-world example
Ciphertext-only (COA) Only some ciphertexts Sniffing an encrypted radio channel without knowing what was said
Known-plaintext (KPA) Some plaintext/ciphertext pairs Decrypted a few stored files (e.g. WW2 weather reports made the same plaintext start)
Chosen-plaintext (CPA) Can encrypt arbitrary plaintexts of their choice A user-facing web app that encrypts user-provided input with the server key (BEAST, CRIME)
Chosen-ciphertext (CCA) Can submit ciphertexts and get them decrypted (or get an error / behavioural signal) Padding-oracle attacks (Vaudenay 2002, POODLE 2014)

Why the order matters: modern cryptographic schemes target CCA security — security against the strongest model. Anything weaker is considered broken because real-world systems do expose chosen-ciphertext oracles (TLS endpoints, message brokers, etc.).

Tip: When a paper says "secure under CPA but not CCA", treat it as broken for any real deployment. Authenticated encryption (AES-GCM, ChaCha20-Poly1305) was invented to provide CCA security by default.

From Quiz: ISF / Symmetric Cryptography | Updated: Jul 14, 2026