glossary:

CCA:Chosen-Cipertext-Attack.

CPA:Chosen-Plaintext-Attack.

The notion of security includes the assumed **abilities of the attacker** and what constitutes **a successful attack**.

How to define security for encryption:

- give the attacker a
**challenge**ciphertext $c$, that is generated by encrypting one of two possible messages $m_0,m_1$. - consider the scheme to be broken if the attacker can determine which message was encrypted with probability better than 1/2.

## Definition of CPA-Secure

The attacker's capabilities in the present setting:

- able to obtain the encryption of messages of its choice(access to a
**encryption oracle**$Enc_k(\cdot)$).

### The CPA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cpa}(n)$

- A key $k$ is generated by running $Gen(1^n)$
- $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ . It outputs a pair of equal-length message $m_0,m_1$.
- $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
- $\mathcal{A}$ have oracle access, and outputs a bit $b^{'}$
- 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.

### Definition of CPA-Secure with CPA indistinguishability experiment

A private-key encryption schema $\Pi=(Gen,Enc,Dec)$ has indistinguishable encryptions under a CPA, or is CPA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:

$$ Pr[PrivK_{\mathcal{A},\Pi}^{cpa}(n)=1]\leq 1/2 +negl(n), $$

where the probability is taken over all randomness used in the expiriment, as well as the randomness used in the experiment.

**CPA-security is nowadays the minimal notion of security an encryption scheme should satisfy.**

## Definition of CCA-Secure

The attacker's capabilities in the present setting:

- able to obtain the encryption of messages of its choice(access to a
**encryption oracle**$Enc_k(\cdot)$) as in a CPA. - able to obtain the decryption of cipertexts of its choice(access to a
**decryption orcle**$Dec_k(\cdot)$).

### The CCA indistinguishability experiment $PrivK_{\mathcal{A},\Pi}^{cca}(n)$

- A key $k$ is generated by running $Gen(1^n)$
- $\mathcal{A}$ is given input $1^n$ and oracle access to $Enc_k(\cdot)$ and $Dec_k(\cdot)$. It outputs a pair of equal-length message $m_0,m_1$.
- $\mathcal{A}$ uniform bit $b\in {0,1}$ is chosen, and then a challenge ciphertext $c \leftarrow Enc_k(m_b)$ is computed and given to $\mathcal{A}$.
- $\mathcal{A}$ have oracle access, but is not allow to query the latter on the challenge ciphertext. Eventually $\mathcal{A}$ outputs a bit $b^{'}$
- 1 if $b^{'}=b$, and 0 otherwise.If the result is 1, the $\mathcal{A}$ succeeds.

### Definition of CCA-Secure with CCA indistinguishability experiment

*A private-key encryption schema $\Pi$ has indistinguishable encryptions under a CCA, or is CCA-secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ ther is a negligible function negl such that:*

$$ Pr[PrivK_{\mathcal{A},\Pi}^{cca}(n)=1]\leq 1/2 +negl(n), $$ *where the probability is taken over all randomness used in the expiriment.* > if a schema has indistinguishable encryptions under a CCA then it has indistinguishable *multiple* excryptions under a CCA, defined appropriately. **None of the encryption schemes we have seen thus far is CCA-secure.** ## Reference 1. [Introduction to Modern Cryptography by Jonathan Katz and Yehuda Lindell](http://www.cs.umd.edu/~jkatz/imc.html)