11  IND-CCA security

So far we have worked mostly with the IND-CPA security definition, which informally states that you cannot tell apart Enc(\(m\)) from Enc(\(m'\)), and therefore nothing leaks about the plaintext. This, however, says nothing about the case where the adversary can obtain decryptions of arbitrarily chosen ciphertexts.

For example, suppose we want to attack the encryption of a mail server that always processes ciphertexts of the format Enc(\(pk\), “to: [name] [body]”); below we leave \(pk\) implicit. Suppose that the server has an error message for invalid messages, like “Invalid user: [name]”. For some encryption schemes it might further be possible to transform Enc(“to: [name] [body]”) into Enc(“to: [body] [name]”) without knowing the secret key (e.g. if the ciphertext consists just of the encryption of each plaintext bit separately, so that its parts can be rearranged). If this transformation is available, an adversary can intercept Enc(“to: [name] [body]”), send Enc(“to: [body] [name]”) to the server instead, and obtain the error message “Invalid user: [body]”, which leaks the body of the encrypted message. That is, the adversary used the mail server to partially decrypt the ciphertext.

We need a security definition that forbids cases like this. This is illustrated below:

[Figure: The setup for IND-CCA]

Intuitively, this means that the adversary cannot distinguish between Enc(\(m_0\)) and Enc(\(m_1\)) even in the worst case, where it can obtain the decryption of every ciphertext other than the challenge.

Definition 11.1 ((\(t,q,\epsilon\))-IND-CCA) For each \(t\)-time \(q\)-query adversary \(A\):

\[|\Pr[b'=1:\textrm{Game 1}]-\Pr[b'=1:\textrm{Game 2}]|\leq\epsilon\]

With the following definitions:

Game 1:

Game 2:

Oracle DecOra(\(c\)):
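As an added illustration (not part of these notes), the following Python models the IND-CCA game of Definition 11.1 against a toy scheme that encrypts each plaintext byte separately, and plays the ciphertext-rearranging adversary from the mail-server example against it. It assumes the DecOra rule that the oracle refuses only the exact challenge ciphertext; the scheme, the key size and the nonce length are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

NONCE = 8  # bytes of fresh randomness per plaintext byte (toy parameter)


def _pad(key: bytes, r: bytes) -> int:
    # Keyed pseudorandom byte derived from the per-byte nonce r.
    return hmac.new(key, r, hashlib.sha256).digest()[0]


def enc(key: bytes, m: bytes) -> bytes:
    # Each plaintext byte is encrypted on its own as (r_i, m_i XOR F_k(r_i)),
    # so the ciphertext is a sequence of independent 9-byte units.
    out = bytearray()
    for byte in m:
        r = os.urandom(NONCE)
        out += r + bytes([byte ^ _pad(key, r)])
    return bytes(out)


def dec(key: bytes, c: bytes) -> bytes:
    units = [c[i:i + NONCE + 1] for i in range(0, len(c), NONCE + 1)]
    return bytes(u[NONCE] ^ _pad(key, u[:NONCE]) for u in units)


class CcaChallenger:
    """IND-CCA game: one challenge, decryption queries on anything else."""

    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.b = secrets.randbelow(2)
        self.c_star = None

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1) and self.c_star is None
        self.c_star = enc(self.key, m1 if self.b else m0)
        return self.c_star

    def dec_oracle(self, c: bytes):
        if c == self.c_star:
            return None  # assumed rule: DecOra refuses the challenge itself
        return dec(self.key, c)


def malleability_adversary(chal: CcaChallenger) -> int:
    # Reorder the ciphertext units (the "swap [name] and [body]" trick),
    # let the oracle decrypt the rearranged ciphertext, then undo the reorder.
    m0, m1 = b"to: bob hello", b"to: bob bye!!"
    c_star = chal.challenge(m0, m1)
    units = [c_star[i:i + NONCE + 1] for i in range(0, len(c_star), NONCE + 1)]
    rearranged = b"".join(reversed(units))      # differs from c_star
    leaked = chal.dec_oracle(rearranged)[::-1]  # reverse the plaintext back
    return 1 if leaked == m1 else 0


def adversary_wins(trials: int = 50) -> bool:
    """True if the adversary recovers b in every trial (advantage 1, not <= eps)."""
    return all(malleability_adversary(ch) == ch.b
               for ch in (CcaChallenger() for _ in range(trials)))
```

The scheme hides each byte under a fresh keyed pad, yet the adversary wins the IND-CCA game with certainty, which is exactly the gap between IND-CPA and IND-CCA that the definition closes.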

Of the schemes we have studied so far, are any of them IND-CCA secure?