glossary:
CCA:Chosen-Cipertext-Attack.
CPA:Chosen-Plaintext-Attack.
The notion of security includes the assumed abilities of the attacker and what constitutes a successful attack.
How to define security for encryption:
- give the attacker a challenge ciphertext $c$, that is generated by encrypting one of two possible messages $m_0,m_1$.
- consider the scheme to be broken if the attacker can determine which message was encrypted with probability better than 1/2.
Definition of CPA-Secure
The attacker's capabilities in the present setting:
- able to obtain the encryption of messages of its choice(access to a encryption oracle $Enc_k(\cdot)$).
The CPA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cpa}(n)$
- A key $k$ is generated by running $Gen(1^n)$
- $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ . It outputs a pair of equal-length message $m_0,m_1$.
- $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
- $\mathcal{A}$ have oracle access, and outputs a bit $b^{'}$
- 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.
### Definition of CPA-Secure with CPA indistinguishability experiment
A private-key encryption schema $\Pi=(Gen,Enc,Dec)$ has indistinguishable encryptions under a CPA, or is CPA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:
$$ Pr[PrivK_{\mathcal{A},\Pi}^{cpa}(n)=1]\leq 1/2 +negl(n), $$
where the probability is taken over all randomness used in the expiriment, as well as the randomness used in the experiment.
CPA-security is nowadays the minimal notion of security an encryption scheme should satisfy.
Definition of CCA-Secure
The attacker's capabilities in the present setting:
- able to obtain the encryption of messages of its choice(access to a encryption oracle $Enc_k(\cdot)$) as in a CPA.
- able to obtain the decryption of cipertexts of its choice(access to a decryption orcle $Dec_k(\cdot)$).
The CCA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cca}(n)$
- A key $k$ is generated by running $Gen(1^n)$
- $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ and $Dec_k(\cdot)$. It outputs a pair of equal-length message $m_0,m_1$.
- $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
- $\mathcal{A}$ have oracle access, but is not allow to query the latter on the challenge ciphertext. Eventually $\mathcal{A}$ outputs a bit $b^{'}$
- 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.
### Definition of CCA-Secure with CCA indistinguishability experiment
A private-key encryption schema $\Pi$ has indistinguishable encryptions under a CCA, or is CCA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:
$$ Pr[PrivK_{\mathcal{A},\Pi}^{cca}(n)=1]\leq 1/2 +negl(n), $$ *where the probability is taken over all randomness used in the expiriment.* > if a schema has indistinguishable encryptions under a CCA then it has indistinguishable *multiple* excryptions under a CCA, defined appropriately. **None of the encryption schemes we have seen thus far is CCA-secure.** ## Reference 1. [Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell](http://www.cs.umd.edu/~jkatz/imc.html)