Editing Chosen-plaintext attack (section)

==Examples==

The following examples demonstrate how some ciphers that meet other security definitions may be broken with a chosen-plaintext attack.

===Caesar cipher===
The following attack on the [[Caesar cipher]] allows full recovery of the secret key:
# Suppose the adversary sends the message: {{code|Attack at dawn}},
# and the oracle returns {{code|Nggnpx ng qnja}}.
# The adversary can then work through to recover the key in the same way as a Caesar cipher. The adversary could deduce the substitutions {{nowrap|{{code|A}} → {{code|N}}}}, {{nowrap|{{code|T}} → {{code|G}}}} and so on. This would lead the adversary to determine that 13 was the key used in the Caesar cipher.

With more intricate or complex encryption methodologies the decryption method becomes more resource-intensive, however, the core concept is still relatively the same.

===One-time pads===

The following attack on a [[one-time pad]] allows full recovery of the secret key. Suppose the message length and key length are equal to {{var|n}}.
# The adversary sends a string consisting of {{var|n}} zeroes to the oracle.
# The oracle returns the [[Bitwise operation|bitwise]] [[Exclusive or|exclusive-or]] of the key with the string of zeroes.
# The string returned by the oracle ''is'' the secret key. 

While the one-time pad is used as an example of an [[information-theoretically secure]] cryptosystem, this security only holds under security definitions weaker than CPA security. This is because under the formal definition of CPA security the encryption oracle has no state. This vulnerability may not be applicable to all practical implementations – the one-time pad can still be made secure if key reuse is avoided (hence the name "one-time" pad).