For block ciphers, a chosen ciphertext attack is no better than a chosen plaintext attack and harder to mount in practice. For a self-synchronizing stream cipher, a chosen ciphertext attack can be useful as the key used to encipher each byte depends on the previous ciphertext. It is possible to use a chosen ciphertext attack to get an arbitrary message signed with RSA, if messages are signed without hashing.

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Chosen Ciphertext".