Cryptography Reference
In-Depth Information
of messages to be distinguished instead of just two messages. But there is not
much point in doing this because, as can easily be seen, CPA security as defined
above already implies CPA security for multiple encryptions. In particular, we
also see that CPA security implies indistinguishable multiple encryptions in the
presence of an eavesdropper.
4. It might seem at first sight that the notion of CPA security is too strong as it is
hardly conceivable that honest parties will provide an adversary $A$ with
encryptions of the messages that $A$ chooses. But there are many indirect ways in
which $A$ could obtain information about these encryptions without the voluntary
cooperation of the honest parties and this information might be sufficient to make
the probability of a successful attack non-negligible. For example, in [108, pp.
566-573] a historical episode from World War II that included such an attack
is mentioned. In May, 1942, American cryptanalysts had information about an
upcoming Japanese attack in the Pacific but there was some disagreement about
what the objective might be. Some believed that Midway island was the target
but the Chief of Naval Operations in Washington concluded that it was Oahu
instead. The cryptanalysts learned that the target coordinates were represented by
af in Japanese ciphertexts and, to convince their top chief that this really meant
Midway, they sent an unencrypted message in which Midway reported that its
fresh-water distillation plant had broken down. Two days later they intercepted
a Japanese ciphertext stating that af was short of fresh water. Thus the Japanese
acted as an unwilling encryption oracle that revealed the ciphertext corresponding
to the plaintext 'Midway' and the fact that their encryption scheme was not
CPA secure allowed the Americans to learn information which was decisive in
winning the Midway battle.
5. CPA security behaves as expected in relation to other security properties. For
example, CPA security implies security against CPA plaintext recovery, i.e., a
PPT adversary with oracle access to encryption cannot recover the plaintext
from the ciphertext with non-negligible probability. Indeed, if $A$ is an
adversary able to recover the plaintext corresponding to the challenge ciphertext in
$\mathrm{PrivK}^{\mathrm{ind\text{-}cpa}}_{A,E}(n)$, then there exists an adversary $A'$
with the ability to decide which of $m_0$, $m_1$ was encrypted. $A'$ runs $A$ as a
subroutine that provides the plaintext corresponding to the challenge ciphertext
and then makes its guess by comparing this plaintext to $m_0$ and $m_1$. Moreover,
as we shall soon see, the most important symmetric encryption schemes in use today
can be shown to be CPA secure under reasonable hypotheses. For these reasons, CPA
security is often regarded as the “right” definition of security for private-key
encryption schemes.
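The reduction in item 5, combined with the encryption-oracle idea of item 4, as an added example that is not taken from the book. The two toy schemes (`enc_det`, `enc_rand`), the fixed messages and all function names are constructed for illustration; the adversary `distinguisher` plays the role of $A'$ and calls `recover` (the role of $A$) as a subroutine.

```python
import hashlib, hmac, secrets

MSG_LEN = 6                      # constructed: all messages are 6 bytes
M0, M1 = b"MIDWAY", b"OAHU__"    # constructed message pair chosen by A'

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(key, m):
    # Deterministic toy scheme: the same keystream for every message.
    return xor(m, hashlib.sha256(key).digest())

def enc_rand(key, m):
    # Randomized toy scheme: fresh nonce r, keystream HMAC-SHA256(key, r).
    r = secrets.token_bytes(16)
    return r + xor(m, hmac.new(key, r, hashlib.sha256).digest())

def recover(c, oracle):
    # Adversary A: attempts CPA plaintext recovery. It asks the oracle to
    # encrypt zeros and treats the answer as the keystream used for c.
    keystream = oracle(bytes(MSG_LEN))[-MSG_LEN:]
    return xor(c[-MSG_LEN:], keystream)

def distinguisher(m0, m1, c, oracle):
    # Adversary A': runs A and compares the recovered plaintext to m0, m1.
    guess = recover(c, oracle)
    if guess == m0:
        return 0
    if guess == m1:
        return 1
    return secrets.randbelow(2)  # A failed, so A' can only flip a coin

def privk_ind_cpa(enc, trials=2000):
    # Runs the IND-CPA experiment repeatedly; returns the fraction A' wins.
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)
        oracle = lambda m: enc(key, m)   # encryption oracle Enc_k(.)
        b = secrets.randbelow(2)         # hidden challenge bit
        c = oracle((M0, M1)[b])          # challenge ciphertext
        wins += distinguisher(M0, M1, c, oracle) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic scheme:", privk_ind_cpa(enc_det))
    print("randomized scheme:   ", privk_ind_cpa(enc_rand))
```

Against the deterministic scheme the recovery always succeeds, so $A'$ wins every run; against the randomized scheme the recovery fails and the success rate stays near 1/2.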
Before ending this quick review of security properties for symmetric encryption
schemes, we are going to mention a more powerful type of attack: chosen ciphertext
attacks (CCA). In this case, in addition to access to an encryption oracle, the
adversary will also have access to a decryption oracle, with the sole exception that
the oracle cannot be queried about the challenge ciphertext. The definition is the
following:
 