Quiz Entry - updated: 2026.07.14
What are the four classic attack models in cryptanalysis, ordered by attacker power?
Ciphertext-only → known-plaintext → chosen-plaintext → chosen-ciphertext, each strictly more powerful than the last.
| Model | What the attacker has | Real-world example |
|---|---|---|
| Ciphertext-only (COA) | Only some ciphertexts | Sniffing an encrypted radio channel without knowing what was said |
| Known-plaintext (KPA) | Some plaintext/ciphertext pairs | Decrypted a few stored files (e.g. WW2 weather reports made the same plaintext start) |
| Chosen-plaintext (CPA) | Can encrypt arbitrary plaintexts of their choice | A user-facing web app that encrypts user-provided input with the server key (BEAST, CRIME) |
| Chosen-ciphertext (CCA) | Can submit ciphertexts and get them decrypted (or get an error / behavioural signal) | Padding-oracle attacks (Vaudenay 2002, POODLE 2014) |
Why the order matters: modern cryptographic schemes target CCA security — security against the strongest model. Anything weaker is considered broken because real-world systems do expose chosen-ciphertext oracles (TLS endpoints, message brokers, etc.).
Tip: When a paper says "secure under CPA but not CCA", treat it as broken for any real deployment. Authenticated encryption (AES-GCM, ChaCha20-Poly1305) was invented to provide CCA security by default.