# SIM-CCA security

SIM-CCA security is a security definition for private- or public-key encryption schemes. At a high level, SIM-CCA security means that sending messages over an insecure channel via the encryption scheme is equivalent to sending those messages through a secure channel, from the point of view of a certain class of adversaries.

The "SIM" part of the name SIM-CCA comes from the fact that it is a simulation-based security definition. The "CCA" part stands for chosen ciphertext attack, because in the SIM-CCA model, adversaries are allowed to send ciphertexts of their choice to a party who performs decryptions.

SIM-CCA can be viewed as a modification of SIM-CPA security, where the adversary is allowed to use a decryption functionality.

## Definition

Consider the following two experiments among two honest parties Alice and Bob, an adversary Eve, and an environment, in which Alice gets a message from the environment and tries to send it to Bob. The behaviors of Alice and Bob in each experiment are fixed, but Eve and the environment may be any arbitrary non-uniform PPT machines (polynomial in the encryption scheme's security parameter).

The environment models an arbitrary influence Eve might have over the messages that Alice sends to Bob, as well as arbitrary criteria for whether Eve has succeeded in doing something "malicious."

Real world experiment:
1. In the case of private-key encryption, Alice and Bob share a key k chosen according to the encryption scheme's key generation algorithm $\mathsf{KeyGen}$. In the case of public-key encryption, Bob generates a public-key/private-key pair, so that the public-key k is made available to both Alice and the adversary.
2. Repeatedly do:
• The adversary Eve arbitrarily interacts with the environment (i.e., to influence its choice of message in the next step), and also sends ciphertexts of its choice to Bob. If Bob has not previously received this ciphertext from Alice, he decrypts it (using the shared key or his private key) and sends the result to the environment.
• The environment sends a message m to Alice.
• Alice sends $\mathsf{Enc}_k(m)$ to Bob, and Eve also receives a copy. Bob decrypts it and sends it to the environment.
3. The environment outputs a bit (whether Eve caused a particular observable effect on the environment).

The adversary is said to "succeed" in the experiment if the environment outputs 1.

Note that Eve cannot use Bob's decryption capabilities to decrypt messages from Alice, as these will be rejected.

Ideal world experiment:
1. Repeatedly do:
• The adversary Eve arbitrarily interacts with the environment, and also sends (plaintext) messages of its choice to Bob. Bob relays these messages to the environment.
• The environment sends a message m to Alice.
• Alice sends the message m to Bob through a secure channel. Bob sends it to the environment.
• Eve receives notification that a message was sent through the channel. (Here we assume that the messages come from a finite message space. Otherwise, Eve is notified of the length of the message as well.) Eve continues to arbitrarily interact with the environment.
2. The environment outputs a bit (whether Eve caused a particular observable effect -- same as above -- on the environment).

The adversary is said to "succeed" in the experiment if the environment outputs 1.

The encryption scheme is SIM-CCA secure if:

For all real-world adversaries $A\,$, there exists an ideal-world adversary $A'\,$, such that for all environments, the success probabilities in these two experiments differ by a negligible amount (in the scheme's security parameter).
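The following added example (not part of the original page) plays one iteration of the real-world experiment to show that Bob's rule of rejecting ciphertexts already received from Alice blocks only exact replays: a scheme without integrity still forwards a plaintext related to m to the environment, which no ideal-world adversary can arrange without knowing m, while an encrypt-then-MAC variant rejects the altered ciphertext. The toy keystream and the names `StreamOnly`, `EncryptThenMac` and `real_world` are assumptions made for the demonstration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode), constructed for this demo only.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class StreamOnly:
    """Hypothetical scheme: nonce || (m XOR keystream), no integrity check."""
    def keygen(self):
        return os.urandom(32)
    def enc(self, k, m):
        nonce = os.urandom(16)
        return nonce + xor(m, keystream(k, nonce, len(m)))
    def dec(self, k, c):
        return xor(c[16:], keystream(k, c[:16], len(c) - 16))

class EncryptThenMac(StreamOnly):
    """Same cipher with HMAC-SHA256 over the ciphertext; dec returns None on a bad tag."""
    def keygen(self):
        return os.urandom(64)  # 32 bytes cipher key + 32 bytes MAC key
    def enc(self, k, m):
        c = super().enc(k[:32], m)
        return c + hmac.new(k[32:], c, hashlib.sha256).digest()
    def dec(self, k, c):
        body, tag = c[:-32], c[-32:]
        expected = hmac.new(k[32:], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return super().dec(k[:32], body)

def real_world(scheme, m, delta):
    """Returns (replay_result, mauled_result): what Bob forwards to the environment."""
    k = scheme.keygen()
    c = scheme.enc(k, m)          # Alice -> Bob; Eve receives a copy
    from_alice = {c}              # Bob remembers Alice's ciphertexts
    def bob(ct):                  # Bob's handling of ciphertexts sent by Eve
        return None if ct in from_alice else scheme.dec(k, ct)
    # Eve's next-iteration query: Alice's ciphertext with delta XORed into the body.
    mauled = c[:16] + xor(c[16:16 + len(m)], delta) + c[16 + len(m):]
    return bob(c), bob(mauled)
```

With `StreamOnly`, the second result equals m XOR delta, so the environment can distinguish the real world from any ideal-world run; with `EncryptThenMac`, both results are `None`.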