IND-CPA and IND-CCA Concepts Summary

- Basic encryption security definition: IND-CPA
- Strong encryption security definition: IND-CCA
- IND-CPA, IND-CCA and encryption modes

Credit: Slides 2-5 are from Prof. Dr. Anupam Dutta, CMU; the rest is from Attila A. Yavuz with additions.

Symmetric Encryption Scheme

- Key generation algorithm. Input: security parameter n. Output: a key k that is used for both encryption and decryption.
- Encryption algorithm enc(m, k): encrypts a message m under key k.
- Decryption algorithm dec(c, k): decrypts a ciphertext c under key k.
- Correctness: decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m, i.e. dec(enc(m,k),k) = m.

What is a secure encryption scheme? List of possible properties

- Given a list of (message, ciphertext) pairs, it should not be possible to recover the key.
- Given a ciphertext, it should not be possible to recover the plaintext.
- Given a ciphertext, it should not be possible to recover the 1st bit of the plaintext.
- All of the above, but what else?
- Given a ciphertext, the adversary should have no information about the underlying plaintext (not achievable as stated, because of a priori information).

IND-EAV security definition (eavesdropping attacks)

Game between a challenger holding (k, b) and an adversary A:
- A sends two messages (m0, m1) to the challenger.
- The challenger returns the challenge ciphertext c = enc(k, mb).
- A outputs a guess bit d.

IND-EAV security: for all PPT attackers A there exist a negligible function f and an n0 such that, for all security parameters n ≥ n0,
Prob[d = b | A plays by the rules] <= ½ + f(n)

Example

A general sends an encrypted message whose plaintext is either “attack” or “don’t attack”. The adversary should not be able to figure out which one it is, even though she knows that the plaintext is one of these two values.

Indistinguishability Under Chosen Plaintext Attack (IND-CPA)

- A is given an encryption oracle under the private key k: A sends messages mi and receives enc(k, mi), adaptively.
- A gives a challenge pair (m0, m1) to the oracle; the oracle selects a bit b and returns enc(k, mb).
- A continues to query the oracle adaptively after the challenge, and finally outputs a bit d.
- A should not be able to tell which plaintext was encrypted with probability better than ½ + ε.

IND-CPA security: for all PPT attackers A there exists a negligible function f such that, for security parameter n,
Prob[d = b | A plays by the rules] <= ½ + f(n)

IND-CPA (Cont’d)

- No deterministic encryption scheme can achieve IND-CPA: A can ask the oracle to encrypt m0 (or m1) again in the adaptive phase, compare the result with the challenge, and learn the bit b. Any deterministic scheme leaks information about the plaintext.
- In WWII, Japanese communications included the ciphertext “AF”; the US suspected it corresponded to “Midway Island” but could not prove it. The US broadcast the plaintext “AF” low-supply message; Japanese communications intercepted it and reported it to their center, and “AF” was proven to be the target.
- IND-CPA can be achieved with multiple challenge messages, and therefore traditional encryption modes (e.g., CBC, CTR, …) can achieve IND-CPA security, provided that they rely on probabilistic encryption with a block cipher having good PRF properties (e.g., AES).

Indistinguishability Under Chosen Ciphertext Attack (IND-CCA)

- A is given both an encryption and a decryption oracle under the private key k: A sends mi or ci and receives enc(k, mi) or dec(k, ci), adaptively.
- A gives a challenge pair (m0, m1) to the oracle; the oracle selects a bit b and returns c = enc(k, mb).
- A continues to query adaptively after the challenge, and finally outputs a bit d.
- Rule: A cannot submit the challenge ciphertext enc(k, mb) to the decryption oracle.

IND-CCA security: for all PPT attackers A there exists a negligible function f such that, for security parameter n,
Prob[d = b | A plays by the rules] <= ½ + f(n)

IND-CCA (Cont’d)

- Practicality of IND-CCA: send a ciphertext and analyze the resulting behavior (e.g., ship movements).
- In encrypted commercial transactions, if authentication is not provided, an adversary can query the bank with ciphertexts and learn from the bank’s reaction. (This is why we need certificates in PKC!)
- Any scheme that allows predictable ciphertext manipulation is not IND-CCA (the malleability property, e.g., plain ElGamal encryption).
- IND-CPA to IND-CCA: provide explicit authentication for queries! Render the decryption oracle useless: use two keys (k1, k2), compute x = enc(k1, m) and t = MAC(k2, x), and send the pair (x, t). Since the adversary does not know k2, he cannot create valid decryption queries on ciphertexts (predictable or not).
- None of the traditional encryption modes (as is) can achieve IND-CCA.
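To make the IND-CPA game and the “no deterministic scheme is IND-CPA” claim concrete, here is an added example (not from the original slides) that plays the game against a toy deterministic scheme and a toy randomized (CTR-like) scheme. Both schemes are assumptions built from an HMAC-SHA256 PRF purely for illustration; the adversary is the Midway-style replay: re-encrypt m0 through the oracle and compare with the challenge.

```python
import hashlib
import hmac
import secrets

# Assumption: toy PRF from HMAC-SHA256; messages are at most 32 bytes.
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_deterministic(key: bytes, m: bytes) -> bytes:
    # Stateless and unrandomized: the same (key, m) always yields the same c.
    assert len(m) <= 32
    return xor(m, prf(key, b"fixed-pad"))

def enc_randomized(key: bytes, m: bytes) -> bytes:
    # Fresh 16-byte IV per call (CTR-like); keystream = PRF(key, IV).
    assert len(m) <= 32
    iv = secrets.token_bytes(16)
    return iv + xor(m, prf(key, iv))

def replay_adversary(oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    # Adaptive phase: ask the oracle for enc(k, m0) and compare with the
    # challenge. Only a deterministic scheme makes these equal.
    return 0 if oracle(m0) == challenge else 1

def ind_cpa_game(enc, adversary) -> bool:
    # Challenger holds (k, b); adversary gets an encryption oracle under k.
    key = secrets.token_bytes(32)
    b = secrets.randbits(1)

    def oracle(m: bytes) -> bytes:
        return enc(key, m)

    # Rule of the game: m0 and m1 must have equal length.
    m0, m1 = b"attack", b"no-atk"
    challenge = enc(key, (m0, m1)[b])
    d = adversary(oracle, m0, m1, challenge)
    return d == b

def win_rate(enc, trials: int = 400) -> float:
    # Fraction of games in which the adversary's guess d equals b.
    return sum(ind_cpa_game(enc, replay_adversary) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic:", win_rate(enc_deterministic))  # 1.0
    print("randomized:   ", win_rate(enc_randomized))     # near 0.5, no advantage
```

Against the deterministic scheme the adversary wins every game; against the randomized scheme the oracle answer never matches the challenge, so the guess is no better than a coin flip.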