IND-CPA and IND-CCA Concepts


1 IND-CPA and IND-CCA Concepts
Summary
- Basic Encryption Security Definition: IND-CPA
- Strong Encryption Security Definition: IND-CCA
- IND-CPA, IND-CCA and encryption modes
Credit: Slides 2-5 are from Prof. Dr. Anupam Dutta, CMU; the rest are from Attila A. Yavuz, with additions.

2 Symmetric Encryption Scheme
- Key generation algorithm
  - Input: security parameter n
  - Output: a key that is used for encryption and decryption
- Algorithm to encrypt a message
- Algorithm to decrypt a ciphertext
- Correctness: decrypting a ciphertext obtained by encrypting message m with the corresponding key k returns m:
  dec(enc(m,k),k) = m

3 What is a secure encryption scheme?
List of possible properties:
- Given a list of (message, ciphertext) pairs, it should not be possible to recover the key.
- Given a ciphertext, it should not be possible to recover the plaintext.
- Given a ciphertext, it should not be possible to recover the 1st bit of the plaintext.
- All of the above, but what else?
- Given a ciphertext, the adversary should have no information about the underlying plaintext (not true, because of a priori information).

4 IND-EAV security definition (eavesdropping attacks)
Game between challenger C (holds k, b) and adversary A:
- A sends m0, m1 to C.
- C returns enc(k, mb).
- A outputs d.
IND-EAV security: ∀ PPT attackers A, ∃ negligible function f, ∃ n0, ∀ security parameters n ≥ n0:
  Prob [d = b | A plays by the rules] <= ½ + f(n)

5 Example
- The general sends an encrypted message where the plaintext is either “attack” or “don’t attack”.
- The adversary should not be able to figure out what the plaintext is, although she knows that it is one of these two values.

6 Indistinguishability Under Chosen Plaintext Attack (IND-CPA)
Game between the oracle (holds k, b) and adversary A:
- A is given an encryption oracle under private key k. A queries the oracle adaptively: A sends mi and receives enc(k, mi).
- A gives challenges (m0, m1) to the oracle; the oracle selects a bit b and encrypts mb, returning enc(k, mb).
- A adaptively queries after that, and finally outputs a bit d.
IND-CPA security: ∀ PPT attackers A, ∃ negligible function f of the security parameter n such that
  Prob [d = b | A plays by the rules] <= ½ + f(n)
A cannot determine which plaintext was encrypted with probability more than ½ + ε.

7 IND-CPA (Cont’d)
- No deterministic encryption scheme can achieve IND-CPA.
  - A can submit m0 and m1 to the oracle later, in the adaptive phase, and learn the bit b.
  - Any deterministic scheme leaks information about the plaintext.
- In WWII, Japanese communications included the ciphertext “AF”. The US suspected that it corresponded to “Midway Island” but could not prove it. The US broadcast a plaintext message, “AF” low on supply; Japanese communications intercepted the message and reported it to the center. “AF” was proven to be the target.
- IND-CPA can be achieved with multiple challenge messages, and therefore traditional encryption modes (e.g., CBC, CTR, …) can achieve IND-CPA security, provided that they rely on probabilistic encryption schemes with good PRF property (e.g., AES).

8 Indistinguishability Under Chosen Ciphertext Attack (IND-CCA)
Game between challenger C (holds k, b) and adversary A:
- A is given an encryption/decryption oracle under private key k: A sends mi or ci and receives enc(k, mi) or dec(k, ci).
- A gives challenges (m0, m1) to the oracle; the oracle selects a bit b and encrypts mb, returning enc(k, mb).
- A adaptively queries after that, and finally outputs a bit d.
- A cannot submit enc(k, mb) to the decryption oracle.
IND-CCA security: ∀ PPT attackers A, ∃ negligible function f with security parameter n s.t.
  Prob [d = b | A plays by the rules] <= ½ + f(n)

9 IND-CCA (Cont’d)
- Practicality of IND-CCA: send a ciphertext and analyze the behavior of the adversary (e.g., ship movements). In encrypted commercial transactions, if authentication is not provided, the adversary queries the bank with a ciphertext and learns about the bank’s reaction. (Why we need certificates in PKC!)
- Any scheme that allows predictable ciphertext manipulation is not IND-CCA (malleability property, as in plain ElGamal encryption).
- IND-CPA to IND-CCA: provide explicit authentication for queries!
- Render the decryption oracle useless: two keys (k1, k2), x = enc(k1, m), t = MAC(k2, x). Use the (x, t) pair. Since the adversary does not know k2, he cannot create valid decryption queries on a ciphertext (predictable or not).
- None of the traditional encryption modes (as is) can achieve IND-CCA.
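
The IND-CCA game of slide 8 played against a CTR-style cipher, alone and then wrapped as the (x, t) pair of slide 9. This is an added example, not part of the original slides. Assumptions: an HMAC-SHA256 keystream stands in for AES-CTR so that the code needs only the standard library, all function names are hypothetical, and the two messages are constructed from the slide 5 example and padded to equal length.

```python
import hashlib, hmac, secrets

def keystream(k, nonce, n):
    # HMAC-SHA256 as a PRF in counter mode: stdlib stand-in for AES-CTR (assumption)
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(k1, m):                      # probabilistic: fresh random nonce per message
    nonce = secrets.token_bytes(16)
    return nonce + xor(m, keystream(k1, nonce, len(m)))

def dec(k1, c):
    return xor(c[16:], keystream(k1, c[:16], len(c) - 16))

def tag(k2, x):
    return hmac.new(k2, x, hashlib.sha256).digest()

def enc_mac(k1, k2, m):              # x = enc(k1, m), t = MAC(k2, x), send (x, t)
    x = enc(k1, m)
    return x + tag(k2, x)

def dec_mac(k1, k2, c):              # returns None (reject) unless the tag verifies
    x, t = c[:-32], c[-32:]
    return dec(k1, x) if hmac.compare_digest(t, tag(k2, x)) else None

def cca_round(encrypt, decrypt, m0, m1):
    """One IND-CCA game; returns True when the adversary's guess d equals b."""
    b = secrets.randbelow(2)
    challenge = encrypt((m0, m1)[b])
    oracle = lambda c: None if c == challenge else decrypt(c)  # the game's one rule
    mauled = bytearray(challenge)
    mauled[16] ^= 1                  # flip one bit of the first ciphertext byte
    reply = oracle(bytes(mauled))
    if reply is None:                # oracle gave nothing back: blind guess
        d = secrets.randbelow(2)
    else:                            # undo the flip and compare with m0
        d = 0 if (reply[0] ^ 1) == m0[0] else 1
    return d == b

def win_rate(encrypt, decrypt, rounds=400):
    m0, m1 = b"attack      ", b"don't attack"   # constructed, equal length
    return sum(cca_round(encrypt, decrypt, m0, m1) for _ in range(rounds)) / rounds

k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
ctr_rate = win_rate(lambda m: enc(k1, m), lambda c: dec(k1, c))
etm_rate = win_rate(lambda m: enc_mac(k1, k2, m), lambda c: dec_mac(k1, k2, c))
print(f"CTR only: {ctr_rate:.2f}   encrypt-then-MAC: {etm_rate:.2f}")
```

Against the cipher alone the adversary wins every round, because the modified ciphertext is a legal query whose decryption differs from mb in one known bit. With the tag checked first, the same query is rejected and the guess falls back to about ½.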

