glossary:
CCA:Chosen-Cipertext-Attack.

CPA:Chosen-Plaintext-Attack.

The notion of security includes the assumed abilities of the attacker and what constitutes a successful attack.

How to define security for encryption:

  1. give the attacker a challenge ciphertext $c$, that is generated by encrypting one of two possible messages $m_0,m_1$.
  2. consider the scheme to be broken if the attacker can determine which message was encrypted with probability better than 1/2.

Definition of CPA-Secure

The attacker's capabilities in the present setting:

  1. able to obtain the encryption of messages of its choice(access to a encryption oracle $Enc_k(\cdot)$).

The CPA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cpa}(n)$

  1. A key $k$ is generated by running $Gen(1^n)$
  2. $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ . It outputs a pair of equal-length message $m_0,m_1$.
  3. $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
  4. $\mathcal{A}$ have oracle access, and outputs a bit $b^{'}$
  5. 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.

### Definition of CPA-Secure with CPA indistinguishability experiment

A private-key encryption schema $\Pi=(Gen,Enc,Dec)$ has indistinguishable encryptions under a CPA, or is CPA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:

$$ Pr[PrivK_{\mathcal{A},\Pi}^{cpa}(n)=1]\leq 1/2 +negl(n), $$

where the probability is taken over all randomness used in the expiriment, as well as the randomness used in the experiment.

CPA-security is nowadays the minimal notion of security an encryption scheme should satisfy.

Definition of CCA-Secure

The attacker's capabilities in the present setting:

  1. able to obtain the encryption of messages of its choice(access to a encryption oracle $Enc_k(\cdot)$) as in a CPA.
  2. able to obtain the decryption of cipertexts of its choice(access to a decryption orcle $Dec_k(\cdot)$).

The CCA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cca}(n)$

  1. A key $k$ is generated by running $Gen(1^n)$
  2. $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ and $Dec_k(\cdot)$. It outputs a pair of equal-length message $m_0,m_1$.
  3. $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
  4. $\mathcal{A}$ have oracle access, but is not allow to query the latter on the challenge ciphertext. Eventually $\mathcal{A}$ outputs a bit $b^{'}$
  5. 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.

### Definition of CCA-Secure with CCA indistinguishability experiment

A private-key encryption schema $\Pi$ has indistinguishable encryptions under a CCA, or is CCA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:

$$ Pr[PrivK_{\mathcal{A},\Pi}^{cca}(n)=1]\leq 1/2 +negl(n), $$ *where the probability is taken over all randomness used in the expiriment.* > if a schema has indistinguishable encryptions under a CCA then it has indistinguishable *multiple* excryptions under a CCA, defined appropriately. **None of the encryption schemes we have seen thus far is CCA-secure.** ## Reference 1. [Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell](http://www.cs.umd.edu/~jkatz/imc.html)