Cryptography Reference
In-Depth Information
each encryption). In such a scheme, the same plaintext would produce a different
ciphertext each time it is encrypted due to the different values of the state, so
that the above argument does not apply. We remark that the encryption schemes
introduced in Definition 3.20 are
stateless
(i.e., not stateful) and we will usually
work with stateless schemes.
The fact that deterministic encryption does not allow indistinguishable multiple
encryptions has enormous importance in practice since it means that to encrypt
multiple messages, only probabilistic or stateful encryption should be used. We
record this fact as follows:
Proposition 3.2
is an encryption scheme such that
Enc
is
a deterministic function of the key and the message, then
If
E
=
(
Gen
,
Enc
,
Dec
)
does not have multiple
indistinguishable encryptions in the presence of an eavesdropper.
E
3.5.3 CPA Security and CCA Security
In the previous discussion of security we have only considered a weak adver-
sary eavesdropping on the communication between the parties using the encryp-
tion scheme. The eavesdropper is a passive attacker except for the fact that it can
choose the two messages it will try to distinguish. Since it is only given one cipher-
text whose corresponding plaintext it does not know, such an attack qualifies as a
“ciphertext-only” attack.
We are now going to consider a muchmore powerful adversary
, namely one that
can mount a
chosen plaintext attack
(CPA). This adversary will be able to adaptively
choose multiple messages and receive the corresponding ciphertexts (this is also
called an
adaptive chosen plaintext attack
because the adversary can choose each
message as a function of the earlier answers). This type of attack is formalized by
allowing the adversary
A
A
to interact with an
encryption oracle
which acts as a “black
box” that responds to
A
's queries by returning encryptions of the messages that
A
submits (always with a key
k
unknown to
A
). This interaction continues even after
A
has received the challenge ciphertext corresponding to one of a pair of messages
of the same length chosen by
should
not be able to distinguish which of these two messages was encrypted even when it
is given free access to the encryption oracle.
A
. The idea of the next definition is then that
A
Definition 3.24
We define the
private-key CPA indistinguishability experiment
PrivK
ind-cpa
A
,
E
(
n
)
, where
E
=
(
Gen
,
Enc
,
Dec
)
is a private-key encryption scheme,
A
a PPT adversary, and
n
any value of the security parameter, as follows:
1
n
is given input 1
n
1. A key
k
←
Gen
(
)
is generated.
A
and oracle access to
Enc
(
k
,
−
)
. Then
A
outputs a pair of messages of the same length:
m
0
,
m
1
.
2. A random bit
b
is chosen and the
challenge ciphertext c
←
Enc
(
k
,
m
b
)
is com-
puted and given to
A
.
