IND-CCA security

From CRYPTUTOR

IND-CCA security (sometimes called IND-CCA2, see below) is a security definition for private- or public-key encryption schemes. At a high level, IND-CCA security means that no adversary can distinguish between encryptions of different messages, even when allowed to make encryptions and decryptions of its choice.

The "IND" part of the name IND-CCA comes from the fact that it is an indistinguishability-based security definition (the adversary tries to distinguish between encryptions of two different messages). The "CCA" part stands for chosen ciphertext attack, because in the IND-CCA model, adversaries are allowed to decrypt ciphertexts of their choice.

IND-CCA can be viewed as a modification of IND-CPA security, where the adversary is allowed use a decryption oracle.

Contents 1 Definition 1.1 Private-key encryption 1.2 Public-key encryption 2 Adaptive vs. non-adaptive CCA terminology 3 See also

Definition

Let A be an adversary, which we model as an arbitrary non-uniform PPT machine (polynomial in the implicit security parameter of the encryption scheme). The security of the encryption scheme is modeled by an experiment to be played against the adversary.

As in IND-CPA security, there are several equivalent variants of the security experiment. For simplicity, we present the variants where the adversary only gives one "challenge".

Private-key encryption

IND-CCA Distinguishability Experiment (for private-key encryption):

1. We (privately) choose a key k according to the key generation algorithm: .
2. We (privately) choose a random bit .
3. A is allowed (any number of times) to query oracles that compute the functionalities and .
4. Challenge: A outputs two messages, m₀ and m₁.
5. Response: We give A the ciphertext
6. Same as step 3, but with the restriction that A cannot ask the decryption oracle for the decryption of c.
7. A outputs b' (i.e, a guess for our b).

We say that the advantage of A in this experiment is .

When we say that A can query an oracle for the functionality F, we mean that A may give any input x and receive the output of F(x) in response. Note that it can ask for encryptions and decryptions according to the same key k as the "challenge response."

An encryption scheme is ε-IND-CCA secure if:

For all adversaries A, the advantage of A in the IND-CCA experiment is at most ε

When ε is negligible in the encryption scheme's security parameter, we omit it and simply call the scheme IND-CCA secure.

Public-key encryption

The definition of IND-CCA for public-key encryption schemes is the same, except that we use the following experiment:

IND-CCA Distinguishability Experiment (for public-key encryption):

1. We choose a key pair (PK,SK) according to the key generation algorithm , and give PK to A.
2. We (privately) choose a random bit .
3. A is allowed (any number of times) to query an oracle that computes the functionality .
4. Challenge: A outputs two messages, m₀ and m₁.
5. Response: We give A the ciphertext
6. Same as step 3, but with the restriction that A cannot ask the decryption oracle for the decryption of c.
7. A outputs b' (i.e, a guess for our b).

We say that the advantage of A in this experiment is .

As in IND-CPA security, there is no need to provide an encryption oracle in a public-key encryption scheme.

Adaptive vs. non-adaptive CCA terminology

The definitions given above are often refered to in the literature as adaptive CCA or IND-CCA2 security. If we remove access to the decryption oracle after the "challenge" phase, then we have a definition of non-adaptive CCA, which is often refered to in the literature (confusingly) as IND-CCA or a lunchtime attack.

In this wiki, we rarely have a need to consider the non-adaptive definition. Thus, we will let the CCA acronym refer to the adaptive definition by default, and disambiguate with the term non-adaptive CCA when needed.

See also

• SIM-CCA security
• Equivalence of SIM-CCA and IND-CCA
• IND-CPA security