1 Introduction

Cryptography is founded on definitions. Results in cryptography are meaningful, clear or useful to the extent that this is true of the definitions they make and target. An unambiguous interpretation of results requires clear and unambiguous definitions.

The pioneering work of Goldwasser and Micali [21] defined the IND-CPA (Indistinguishability under chosen-plaintext attack) notion of security for public-key encryption (PKE). Naor and Yung [31] subsequently defined indistinguishability under non-adaptive chosen-ciphertext attack, where the adversary is allowed access to a decryption oracle prior to seeing the challenge ciphertext but not after. The notion now universally accepted as the “right” target is IND-CCA, indistinguishability under adaptive chosen-ciphertext attack, where the adversary is allowed access to the decryption oracle both before and after seeing the challenge ciphertext, but cannot query the challenge ciphertext itself. The basic idea goes back to Rackoff and Simon [36], but the form of the definition currently in use is from [4, 12]. It is now defined and targeted in hundreds of papers.

There is a consensus, in the community, on what IND-CCA is supposed to mean, yet we see it formalized in different ways in different places. Not only papers, but even textbooks [14, 20, 24, 30] have adopted differing formalisms, yet all seem to think they refer to the same notion. This paper shows that for PKE they do not. It goes on to show that for KEMs they do.

1.1 The PKE Case

We begin by recalling the definitional template. The underlying experiment picks a public key pk and matching secret key sk, and then provides pk to the adversary A. The latter runs in two phases in both of which is has access to an oracle for decryption under sk. It ends its first phase by outputting a pair M 0, M 1 of messages. The experiment picks a challenge bit b at random, encrypts M b under pk, and returns the resulting challenge ciphertext C to A. The latter now enters its second phase, which it ends by outputting a bit b′. We say that A wins if b=b′. Security requires that the probability of winning minus 1/2 is negligible.

If A can query the challenge ciphertext C to its decryption oracle, it can easily win the above game. The definition accordingly disallows such a challenge-decryption query.

At first glance this “no-challenge-decryption” condition seems clear and unambiguous. A closer look shows otherwise. We now discuss two issues or dimensions in the formalization and see how this gives rise to four possible notions of IND-CCA that we will relate.

It is clear that we must disallow a challenge-decryption query in the second phase of the attack, but what about the first? To be more precise, let S j denote the set of all decryption queries made by A in phase j (j=1,2). Then we have two options: at the end of the experiment, when we can evaluate this condition, either disallow C S 2 (denote this “S” for “second”) or disallow C S 1S 2 (denote this “B” for “both”). The basic rationale for the no-challenge-decryption condition, namely that if the adversary queries C it wins trivially, holds true regardless of the phase in which the query is made and thus supports either choice.

The existence of this choice having been pointed out, one’s first reaction may be that it does not matter, meaning the two are equivalent. This turns out not to be true. Before we get there, however, let us discuss another definitional issue. Namely, what exactly does “disallow” mean? Again there are two options. The first option is to have the experiment, after the adversary has completed, test whether C is in an undesired set (S 2 or S 1S 2, depending on whether we do “S” or “B”) and, if so, return false, meaning declaring the adversary to have lost. We call this a penalty (“P”) style notion since the adversary is being penalized, a posteriori, for its actions. In the literature, however, it is more common to not have the experiment impose a penalty but just say, outside of the experiment, that the adversary is “not allowed” or just “may not” make a challenge-decryption query. But what exactly (meaning, formally) does this mean? It seems to us that the natural interpretation, and the one intended by the authors, is that we are quantifying over all (polynomial-time) adversaries that never make a challenge-decryption query, meaning have zero probability of doing so in the experiment. We refer to this as an exclusion (“E”) style notion since certain adversaries are a priori excluded from consideration.

With two options (“B” or “S”) in the first dimension and another two (“P” or “E”) in the second we obtain four notions. Figure 1 summarizes them. The first column shows the winning condition for A, namely, the condition under which the experiment returns true. The second column shows when A is valid, meaning we quantify only over (polynomial-time) adversaries for which the validity condition holds with probability one in the experiment. See Sect. 3 for formal definitions.

Fig. 1.
Fig. 1.

Summary of our IND-CCA notions for PKE.

Full size image

The left-hand side of Fig. 2 summarizes the relations we show between the notions. An implication IND-CCA-XIND-CCA-Y means every PKE scheme that is IND-CCA-X secure is also IND-CCA-Y secure. A separation IND-CCA-XIND-CCA-Y means we give an example of a PKE scheme that is IND-CCA-X secure but not IND-CCA-Y secure. Only a minimal set of relations is explicitly shown; others follow. For example, IND-CCA-BEIND-CCA-SE, since otherwise we would contradict shown separations.

Fig. 2.
Fig. 2.

Relations between the various IND-CCA security notions for PKE schemes (left) and KEMs (right). An arrow IND-CCA-XIND-CCA-Y is an implication and a barred arrow IND-CCA-XIND-CCA-Y is a separation. Dotted lines denote trivial implications. The numbers next to the solid lines indicate the theorems establishing them.

Full size image

These results show that disallowing a challenge-decryption query in both phases results in a strictly weaker notion than disallowing it only in the second phase, and this is true for both penalty- and exclusion-style formulations. That is, IND-CCA-SP and IND-CCA-BP are not equivalent, and also IND-CCA-SE and IND-CCA-BE are not equivalent. Another interesting fact is that if the challenge-decryption query is disallowed only in the second phase then it makes no difference whether this is by penalty or exclusion (that is, IND-CCA-SE and IND-CCA-SP are equivalent), but, in contrast if the challenge-decryption query is disallowed in both phases, an exclusion-style formulation results in a strictly weaker notion than a penalty-style formulation (that is, IND-CCA-BE does not imply IND-CCA-BP). One of the conclusions from this is that the “S” notions should be preferred, not only because they are stronger but also because the penalty- and exclusion-style formulations are equivalent.

One might at first think that (contrary to our claim) IND-CCA-SP and IND-CCA-BP are equivalent. Why? To explain, let us say that a PKE scheme is “smooth” if the number of possible ciphertexts is large (super-polynomial) for any message. (See Sect. 5 for a more precise definition.) Now reason as follows: first, any smooth IND-CCA-BP scheme is IND-CCA-SP since the adversary cannot predict, hence query, the challenge ciphertext in the first phase; second, even an IND-CPA scheme must be smooth, else we could break it by re-encrypting the challenge messages until the challenge ciphertext is seen. What is the catch? It is that the second claim is false. As our proof of Theorem 3.1 shows, even an IND-CCA-BP (let alone IND-CPA) scheme need not be smooth: “weak” messages, meaning ones with few corresponding ciphertexts, can exist without contradicting IND-CCA-BP security as long as they are hard to find without access to a decryption oracle.Footnote 1

Our work was sparked by seeing variations in the formalization of the “no-challenge-decryption” condition in the literature. For example, [4, 12, 18, 28, 29, 37, 38] define what in our taxonomy is IND-CCA-SE. However, many works [10, 11, 19, 3234, 40] simply have a phrase like “the adversary is not allowed to query the challenge ciphertext to the decryption oracle.” On the one hand, since no phase is indicated, this could be interpreted as IND-CCA-BE. On the other hand, since the challenge ciphertext is not defined in the first phase, it could be interpreted as IND-CCA-SE. But our results say that these notions are different.

Penalty-style formulations are rarer, but [2] defines IND-CCA-SP and [1] defines IND-CCA-BP. (This definition is for HIBEs, but this gives PKE for hierarchies of depth 0.) The single-user definition in [3] is IND-CCA-SE but the multi-user definition is in the BE style. Moving to textbooks, Goldreich [20, Sect. 5.4.1.1], Delfs and Knebel [14, Definition 9.17] and Katz and Lindell [24, Sect. 10.6] define IND-CCA-SE while Menezes, Van Oorschot and Vanstone [30, Sect. 8.1.1] seem to define IND-CCA-BE.

In order to have firm foundations—in particular a unique interpretation and common understanding of results—it is important to have definitional unity, meaning that different definitions intending or claiming to represent the same notion should really do so. Our work is a step to this end. Our work also highlights a general definitional issue that we feel needs to be addressed with more care. Namely, in many instances one has a choice between formalizing something in a penalty or exclusion style. One should take care to ascertain that the resulting notions are equivalent, for as our results show this is not always true. Finally, we think our results are an interesting illustration of how seemingly minor definitional elements affect the power of the notion.

1.2 The KEM Case

Cramer and Shoup [13] show that an IND-CCA PKE scheme can be obtained by combining an IND-CCA KEM (Key-Encapsulation Mechanism) with an IND-CCA DEM (Data Encapsulation Algorithm). This has proved to be a powerful and useful paradigm, leading to increased interest in KEMs [7, 15, 25, 26, 39]. When, in this light, we revisit the definition of IND-CCA for KEMs we find that there arise the same issues regarding challenge decryption as in the PKE case. We again obtain four notions that we denote as before, with the notion of [13], in our taxonomy, being IND-CCA-SE. Our results resolving the relations among the notions are depicted on the right-hand side of Fig. 2. We see an interesting contrast with the PKE case of the left side of the same figure, namely that in the KEM case the notions are all equivalent. Intuitively this is true because in the KEM case the role of the encrypted “message” is played by a symmetric key not under adversarial control. Our results make crucial use of smoothness: we show that IND-CCA-BP implies IND-CCA-SP (unlike for PKE) by first showing that any IND-CCA-BP KEM is smooth (unlike for PKE) and then showing that any smooth IND-CCA-BP KEM is IND-CCA-SP (this was true also for PKE).

In addition we show that both the penalty and exclusion versions (IND-CCA-OP and IND-CCA-OE) of a simple one-phase definition of IND-CCA for KEMs are equivalent to all the others, simplifying the task of showing that specific KEMs are IND-CCA secure. IND-CCA-OE was proposed by [26] who showed it is equivalent to IND-CCA-SP when the KEM encapsulation algorithm induces a uniform distribution on the keyspace, an assumption we do not make.

1.3 Extensions and Related Work

The notion of Naor and Yung [31] gives the adversary the decryption oracle only in the first phase. This is sometimes called a non-adaptive attack and the notion has been denoted IND-CCA-1. When we talk of IND-CCA in this paper, we mean under adaptive attack: all our notions give the adversary the decryption oracle in both phases. It was shown in [4] that IND-CCA-1 is strictly weaker than IND-CCA, and this remains true regardless of the forms of IND-CCA we define that one considers.

IND-CCA is often attributed to Rackoff and Simon [36]. They were indeed the first to consider adaptive attacks, but they give the adversary access to the decryption oracle only in the second phase—which, as shown by [34], is strictly weaker than giving access in both phases—and their definition is only for random one bit messages. Dolev, Dwork and Naor [16] do not formally define IND-CCA but their definition of non-malleability under CCA selects the “SE” option. Definitions of IND-CCA of the form that is now common seem to begin with the concurrent 1998 works [4, 12].

Our definitions and results (including the proofs) for PKE extend also to private-key (i.e. symmetric) encryption, IBE (Identity-Based Encryption) and HIBE (Hierarchical IBE). That is, the same four notions again emerge and the relations are as shown on the left-hand-side of Fig. 2. In the (H)IBE case, most works [6, 27] define IND-CCA-SE but [5] defines IND-CCA-BE.

In the context of relaxed CCA security (RCCA security, [9, 22, 35]), a variant of the IND-CCA-SE definition is employed. In the RCCA definition, the adversary gets a completely unrestricted decryption oracle in the first phase. In the second phase, the adversary may ask for arbitrary decryptions. However, if the decrypted message is one of the two adversarially chosen challenge messages m 0, m 1, then the adversary simply gets a special answer “test” (or “invalid” in [22]) that indicates that either m 0 or m 1 is the plaintext. (This rule applies in particular to a decryption of the challenge ciphertext.)

We stress that the RCCA security constitutes a weakening of the IND-CCA-SE definition that is orthogonal to our notion of IND-CCA-BE. In particular, we consider different formalizations that reflect the same intuitive definition (security under unrestricted chosen-ciphertext attacks), while RCCA security captures a different intuition (re-randomizing the challenge ciphertext is explicitly allowed).

The RCCA and IND-CCA security notions have been proven equivalent to realizing ideal functionalities in the framework of Universal Composability [8]. In these proofs [9, 23], the IND-CCA-SE variant of IND-CCA security was used. This is another a hint that the “S” notions are the “right” notions to use.

2 Preliminaries

If x is a string, then |x| denotes its length, while if S is a set then |S| denotes its size. If \(k \in\mathbb{N}\) then 1k denotes the string of k ones. If S is a set then sR S denotes the operation of picking an element s of S uniformly at random. Unless otherwise indicated, algorithms are randomized and (strictly) polynomial time. By \(z \leftarrow_{\mathrm{R}} \mathrm{A}^{\mathcal{O}_{1}, \mathcal{O}_{2}, \ldots}(x,y, \ldots)\) we denote the operation of running algorithm A with inputs x,y,… and access to oracles \(\mathcal{O}_{1}, \mathcal{O}_{2}, \ldots{}\), and letting z be the output. An adversary is an algorithm or a tuple of algorithms.

The advantage of an adversary I in inverting a function f:{0,1}→{0,1} is defined for \(k \in\mathbb{N}\) as

$$\mathbf{Adv}^{{\mathrm{ow}}}_{f,\mathrm{I}}(k) = \Pr\bigl[ f(x)=f(y) : x \leftarrow_{\mathrm {R}} \{0,1\}^k ; y \leftarrow_{\mathrm{R}} \mathrm{I}\bigl(1^k, f(x)\bigr)\bigr]\;. $$

We say that f is one-way if \(\mathbf{Adv}^{{\mathrm {ow}}}_{f,\mathrm{I}}(\cdot)\) is negligible for all adversaries I. We say that f is injective if for all \(k\in\mathbb{N}\) and all x,y∈{0,1}k, f(x)=f(y) implies x=y.

3 Results for Public-Key Encryption

We begin with definitions.

Syntax

An asymmetric encryption scheme PKE=(Kg,Enc,Dec) is a triple of algorithms. The key generation algorithm Kg takes a security parameter 1k and returns a pair (pk,sk) of matching public and secret keys. The encryption algorithm Enc takes a public key pk and a message M∈{0,1} to produce a ciphertext C. The deterministic decryption algorithm Dec takes sk and ciphertext C to produce either a message M∈{0,1} or a special symbol ⊥ to indicate that the ciphertext was invalid. The consistency requirement is that for all \(k \in\mathbb {N}\), for all (pk,sk) which can be output by Kg(1k), for all M∈{0,1}, and for all C that can be output by Enc(pk,M), we have Dec(sk,C)=M.Footnote 2

IND-CCA Security

We first provide formal definitions and then explanations. An IND-CCA adversary A=(A1,A2) is a pair of algorithms such that the output of A1 is always a tuple (M 0,M 1,St) satisfying |M 0|=|M 1|. Let \(\mathcal{A}\) be the class of all such adversaries. Let X∈{SP,BP,SE,BE}. To an adversary \(\mathrm{A}=(\mathrm{A}_{1},\mathrm{A}_{2}) \in \mathcal{A}\), a PKE scheme PKE=(Kg,Enc,Dec) and \(k\in\mathbb{N}\), we associate the experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{X}}}_{\mathsf{PKE},\mathrm{A}}(k)\) of Fig. 3. We define the advantage of A as

$$\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {X}}}_{\mathsf{PKE},\mathrm{A}}(k) = 2\Pr\bigl[\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox {-}\mathsf{X}}}_{\mathsf{PKE},\mathrm{A}}(k) \Rightarrow\mathtt {true}\bigr] - 1 . $$

Let \(\mathcal{A}^{\mathsf{SP}}_{\mathsf{PKE}}= \mathcal{A}^{\mathsf{BP}}_{\mathsf{PKE}}=\mathcal{A}\) be the class of all IND-CCA adversaries. Let \(\mathcal {A}^{\mathsf{SE}}_{\mathsf{PKE}}\) be the class of all \(\mathrm{A}\in\mathcal{A}\) such that for all \(k \in\mathbb {N}\), the probability that C S 2 in \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox {-}\mathsf{SE}}}_{\mathsf{PKE},\mathrm{A}}(k)\) is 0. Let \(\mathcal {A}^{\mathsf{BE}}_{\mathsf{PKE}}\) be the class of all \(\mathrm{A}\in\mathcal{A}\) such that for all \(k \in \mathbb {N}\), the probability that C S 1S 2 in \(\mathbf{Exp}^{{\mathrm{ind}\mbox {-}\mathrm{cca}\mbox{-}\mathsf{BE}}}_{\mathsf{PKE},\mathrm{A}}(k)\) is 0. We say that PKE is IND-CCA-X secure if \(\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {X}}}_{\mathsf{PKE},\mathrm{A}}(\cdot)\) is negligible for all \(\mathrm{A} \in\mathcal{A}^{\mathsf{X}}_{\mathsf{PKE}}\).

Fig. 3.
Fig. 3.

Experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{X}}}_{\mathsf{PKE},\mathrm{A}}(k)\) for X∈{SE,BE,SP,BP}. The experiments differ only in how they compute their final Boolean output, which depends on X as shown.

Full size image

Discussion

These notions reflect the different treatments of challenge-decryption queries along two dimensions. The first dimension is whether decryption of the challenge ciphertext is disallowed in both (“B”) phases or only in the second (“S”) phase. The second dimension is how, technically, to disallow this query. Here the first choice is that the experiment penalizes (“P”) the adversary by returning “false” if it makes a disallowed query, and the second choice (“E”) is that adversaries with non-zero probability of making the disallowed query are simply not considered.

There is another option in the second dimension, namely to consider the class of adversaries that have negligible (rather than zero) probability of making a query of the unallowed type. We do not consider this since we have not found it defined or indicated in the literature. Indeed, the intent of a typical phrase of the form “the adversary is not allowed to query the challenge ciphertext to the decryption oracle” seems to be that such a query is never allowed. Had the writers meant allowed only with negligible probability, one would have expected it precisely stated as such.

Trivial Implications

The trivial implications (dashed arrows) from Fig. 2 should be clear from the definitions. Briefly, IND-CCA-SP implies IND-CCA-SE because if the probability that C S 2 is zero then the winning conditions (b=b′) and (b=b′)∧(C S 2) are equivalent. The reason for IND-CCA-BP implying IND-CCA-BE is analogous. IND-CCA-SP implies IND-CCA-BP because the winning condition of the latter is more stringent than that of the former. IND-CCA-SE implies IND-CCA-BE because \(\mathcal{A}^{\mathsf{BE}}_{\mathsf{PKE}} \subseteq\mathcal{A}^{\mathsf{SE}}_{\mathsf{PKE}}\).

IND-CCA-BPIND-CCA-SP

Theorem 3.1 below shows that for penalty-style notions, disallowing a challenge-ciphertext query in both phases results in a notion strictly weaker than that resulting from disallowing it only in the second phase. That this is also true for the exclusion-style notions will follow by combining Theorems 3.1 and 3.2.

Theorem 3.1

[IND-CCA-BPIND-CCA-SP]

Assume there exist injective one-way functions and a scheme PKE which is IND-CCA-BP secure. Then there exists a scheme \(\overline{\mathsf{PKE}}\) which is IND-CCA-BP secure but not IND-CCA-SP secure.

Proof

We want to design a scheme \(\overline{\mathsf{PKE}}= (\overline {\mathsf{Kg}}, \overline{\mathsf{Enc}}, \overline{\mathsf{Dec}})\) which is IND-CCA-BP secure but not IND-CCA-SP secure. That is, ability to query the challenge ciphertext in the first phase should lead to an attack, but, when this is disallowed, the scheme should be secure. The intuition is as follows. Suppose there was a special message M weak and a special ciphertext C weak such that \(\overline{\mathsf{Enc}}(\mathit{pk}, M_{\mathrm{weak}})\) always (meaning, with probability one) returns C weak. Then an adversary could output as its challenge messages M 0=M weak and some M 1M weak. If the challenge bit is 0 then the challenge ciphertext C must be C weak, and otherwise (by consistency) must be different from C weak, so, given C the adversary can always determine the challenge bit, and the scheme is not IND-CCA-SP. The difficulty is that it is not IND-CCA-BP either. (In fact, it is not even IND-CPA.) To make it IND-CCA-BP, we ensure that M weak can only be found by querying C weak to the decryption oracle in the first phase. However, there is now a difficulty. Namely, the encryption algorithm \(\overline{\mathsf{Enc}}\) needs to return C weak given pk,M weak, meaning it must at some level know M weak. Yet the adversary, who is given pk,C weak, and the description of \(\overline{\mathsf{Enc}}\), must not know M weak. (Unless it queries C weak to the decryption oracle.) To ensure this, we put in pk an image of M weak under an injective one-way function. Then neither pk nor \(\overline{\mathsf{Enc}}\) reveal M weak, but \(\overline {\mathsf{Enc}}\) can test whether a given input equals M weak. We now proceed to the details.

Let f:{0,1}→{0,1} be an injective one-way function and assume that PKE=(Kg,Enc,Dec) is IND-CCA-BP secure. Consider the scheme \(\overline{\mathsf{PKE}}= (\overline{\mathsf{Kg}}, \overline{\mathsf{Enc}}, \overline{\mathsf{Dec}})\) whose constituent algorithms are shown in Fig. 4, where N k is set to {1k}. The ciphertext C weak from the above discussion is (1,1k). Now we want to claim that \(\overline{\mathsf{PKE}}\) is IND-CCA-BP secure but not IND-CCA-SP secure. However, we first check that \(\overline{\mathsf{PKE}}\) is consistent. The reason we want to highlight this (usually trivial) check is that it is the (only) place we use the assumption that f is injective.

Fig. 4.
Fig. 4.

Counterexample scheme \(\overline{\mathsf{PKE}}\) for proofs of Theorems 3.1 and 3.3. In the first case N k ={1k} and in the second case N k ={0,1}k.

Full size image

Claim 1

\(\overline{\mathsf{PKE}}\) is consistent.

Proof

We have to show that \(\overline{\mathsf{Dec}}(\overline{\mathit {sk}},\overline{\mathsf{Enc}}(\overline{\mathit{pk}},M))=M\), always. If f(M)≠Y where \(\overline{\mathit{pk}}=(\mathit{pk}, Y)\), this follows from the consistency of PKE. So suppose f(M)=Y. In that case \(\overline{\mathsf{Enc}}(\mathit{pk}, M)\) returns \(\overline{C}=(1,1^{k})\) which is decrypted by \(\overline{\mathsf {Dec}}\) to M weak. Since f is injective, we have M weak=M. □

Claim 2

\(\overline{\mathsf{PKE}}\) is not IND-CCA-SP secure.

Proof

Consider adversary \(\mathrm{A} = (\mathrm{A}_{1}, \mathrm{A}_{2}) \in \mathcal{A} ^{\mathsf{SP}}_{\overline{\mathsf{PKE}}}\) that proceeds as follows. Given \(\overline{\mathit{pk}}= (\mathit{pk}, Y)\), algorithm A1 queries Dec 1(⋅) on ciphertext C=(1,1k) to obtain M weak. It picks M 1R{0,1}k∖{M weak} and returns M 0=M weak and M 1 as the two challenge messages. A2 obtains a challenge ciphertext C and returns b′=0 if C =(1,1k) and b′=1, otherwise. We have \(\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{SP}}}_{\overline{\mathsf{PKE}},\mathrm{A}}(k) = 1\). Note that with probability 1/2, A queries the challenge ciphertext to the decryption oracle in the first phase which is why this does not show \(\overline{\mathsf{PKE}}\) is IND-CCA-BP insecure. □

Claim 3

\(\overline{\mathsf{PKE}}\) is IND-CCA-BP secure.

Proof

Given an adversary \(\mathrm{B}=(\mathrm{B}_{1},\mathrm{B}_{2})\in \mathcal{A}^{\mathsf{BP}}_{\overline{\mathsf{PKE}}}\) we build \(\mathrm{A} =(\mathrm{A}_{1}, \mathrm{A}_{2})\in\mathcal {A}^{\mathsf{BP}}_{\mathsf{PKE}}\) and an adversary I against the one-wayness of f such that, for all \(k \in\mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\overline{\mathsf{PKE}},\mathrm{B}}(k) \leq \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{PKE},\mathrm{A}}(k)+2\mathbf{Adv}^{{\mathrm {ow}}}_{f,\mathrm{I}}(k). $$
(1)

We start by describing A=(A1,A2) in Fig. 5. Here, A simulates the oracles of B using the shown subroutines (j=1,2). For B, this provides a perfect simulation of experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{BP}}}_{\overline{\mathsf{PKE}},\mathrm{B}}\) unless M weak∈{M 0,M 1}. This motivates the definition of the following events. Event Bd is that M weak∈{M 0,M 1} (for the M 0,M 1 chosen by B1). Event Ask is that B1 asks for the decryption of \(\overline{C}=(1,1^{k})\). We have

(2)

The following takes care of the first summand and uses that A provides a good view for B unless Bd occurs, and that the probability for Bd is the same in both experiments:

(3)

To bound the second summand of (2), we start with

(4)

We design an adversary I against the one-wayness of f such that

(5)

I gets Y=f(M weak) for uniformly chosen M weak∈{0,1}k and tries to compute M weak. To this end, I proceeds as follows:

figure a

Note that B1 has exactly the same view in experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\overline{\mathsf{PKE}},\mathrm{B}}\) and in the simulation inside I unless it asks for a decryption of (1,1k). Also, I is successful in inverting f iff M weak∈{M 0,M 1}. Hence, (5) is true.

Fig. 5.
Fig. 5.

Adversary \(\mathrm{A}=(\mathrm{A}_{1}, \mathrm{A}_{2}) \in \mathcal{A}^{\mathsf{BP}}_{\mathsf{PKE}}\) for the proof of Claim 3.

Full size image

Note that the probability of BdAsk could be high, because nothing prevents B1 from making the decryption query (1,1k) to get M weak and then setting either M 0 or M 1 to M weak. However, we note that if BdAsk does occur, then B loses with probability 1/2 because \(\overline{C}^{*} = (1,1^{k})\) with that probability. That is,

(6)

On the other hand,

(7)

This is because if BdAsk happens then A1 sets bad to true and A2 returns a random decision b′. Here we also use that by consistency of the scheme, picking M 0,M 1 from {0,1}kD 1, ensures that A1 never queries the challenge ciphertext to the decryption oracle in the first phase. Now note that the probability of BdAsk is the same in both experiments (because until BdAsk happens, both experiments proceed identically). Hence, from (6), (7), we get

Combining this with (4) and (5) yields

Combining this with (2) and (3), we finally get (1). □

Remark

We stress that our adversary A against \(\overline{\mathsf{PKE}}\)’s IND-CCA-SP security in the proof of Claim 2 does not query its decryption oracle after receiving the challenge ciphertext. Hence, \(\overline{\mathsf{PKE}}\) is not even IND-CCA-1 secure. (Here IND-CCA-1 security is defined like IND-CCA-SE security, except that the second stage A2 of the adversary does not get access to a decryption oracle [4, 31].) Since any reasonable form of (full) IND-CCA security should imply IND-CCA-1 security, we view this as another indication that IND-CCA-SE security is the “right” definition of IND-CCA security.

IND-CCA-SEIND-CCA-SP

We already noted that IND-CCA-SP implies IND-CCA-SE. Theorem 3.2 below says that the converse is true as well, meaning that in the case where decryption of the challenge ciphertext is disallowed only in the second phase, the exclusion- and penalty-style notions are equivalent. (We will see below that this is not true in the case where the decryption of the challenge ciphertext is disallowed in both phases.) Theorem 3.2 is in fact understood in folklore but we state and prove it for completeness.

Theorem 3.2

[IND-CCA-SEIND-CCA-SP]

If PKE is IND-CCA-SE secure then PKE is IND-CCA-SP secure.

Proof

Given an adversary \(\mathrm{A} \in\mathcal{A}^{\mathsf{SP}}_{\mathsf{PKE}}\) against IND-CCA-SP security of PKE we show how to build an adversary \(\mathrm{B}\in\mathcal{A}^{\mathsf{SE}}_{\mathsf{PKE}}\) against IND-CCA-SE security of PKE such that for all \(k\in\mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {SP}}}_{\mathsf{PKE},\mathrm{A}}(k) \leq \mathbf{Adv}^{{\mathrm {ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf{SE}}}_{\mathsf {PKE},\mathrm{B}}(k). $$
(8)

We let B1=A1. Algorithm B2, given C ,St, runs A2 on C ,St, and finally returns whatever A2 returns. B2 responds to A2’s oracle queries as follows. When A2 makes a query C, if CC , B2 responds with its own decryption oracle, else it returns ⊥ to A2. This ensures that in \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{SE}}}_{\mathsf{PKE},\mathrm{B}}\), we have C S 2 with probability 1. Hence \(\mathrm{B}\in\mathcal{A}^{\mathsf{SE}}_{\mathsf{PKE}}\). Furthermore, (8) holds since a decryption query satisfying C=C directly implies that A loses. □

IND-CCA-BEIND-CCA-BP

Our final separation shows that in the case where decryption of the challenge ciphertext is disallowed in both phases, the exclusion- and penalty-style notions are not equivalent. (This is in contrast to the case where decryption of the challenge ciphertext is disallowed only in the second phase, as noted above.)

Theorem 3.3

[IND-CCA-BEIND-CCA-BP]

Assume there exist injective one-way functions and a scheme PKE which is IND-CCA-BE secure. Then there exists a scheme \(\overline{\mathsf{PKE}}\) which is IND-CCA-BE secure but not secure in the sense of IND-CCA-BP.

Proof

Let f:{0,1}→{0,1} be an injective one-way function and assume that PKE=(Kg,Enc,Dec) is IND-CCA-BE secure. Consider the scheme \(\overline{\mathsf{PKE}}= (\overline{\mathsf{Kg}}, \overline{\mathsf{Enc}}, \overline{\mathsf{Dec}})\) of Fig. 4 with N k ={0,1}k. First we show that \(\overline{\mathsf{PKE}}\) is not IND-CCA-BP secure. Adversary A=(A1,A2) against \(\overline{\mathsf{PKE}}\) proceeds as follows. Given \(\overline{\mathit{pk}}= (\mathit{pk}, Y)\), adversary A1 queries Dec 1(⋅) on ciphertext (1,1k) to obtain M weak. It picks M 1R{0,1}k∖{M weak} and returns M 0=M weak and M 1 as the two challenge messages to the experiment. A2 obtains a challenge ciphertext \(\overline{C}^{*}\) which is parsed as (s,C). It returns b′=0 if s=1, and b′=1 otherwise. Adversary A wins with probability 1 as long as \(\overline{C}^{*} \notin S_{1}\) which happens with probability 1−2k. Hence \(\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\overline{\mathsf{PKE}},\mathrm{A}}(k) = 1-2^{-k}\).

Note that the above adversary A is not contained in \(\mathcal{A} ^{\mathsf{BE}}_{\mathsf{PKE}}\) since, with probability 2k, we have \(\overline{C}^{*} \in S_{1}\). Indeed, we can show that \(\overline{\mathsf{PKE}}\) is IND-CCA-BE secure. The idea is again that an adversary needs to use M weak as one of the challenge messages in order to win. However, an adversary from \(\mathcal{A}^{\mathsf{BE}}_{\mathsf{PKE}}\) using M weak as one of the challenge messages can never make a decryption query \(\overline{C}\) of the form (1,C) in the first phase, since \(\overline{C}^{*} = (1,C)\) with non-zero probability 2k/2. Hence, M weak remains hidden through the one-way function. Details are similar to the proof of Claim 3 and omitted here. □

4 Results for Key-Encapsulation Schemes

Syntax

A keyspace \(\mathcal{K}\) is a map that associates to any \(k \in \mathbb{N}\) a finite set \(\mathcal{K}(k) \subseteq\{0,1\}^{*}\) of strings. The elements of \(\mathcal{K}(k)\) are called keys, and it is required that \(|\mathcal{K}(k)| \geq2\) for all \(k \in\mathbb{N}\). A key-encapsulation mechanism (cf. [13]) KEM=(Kg,Enc,Dec) over \(\mathcal{K}\) is a triple of algorithms. The key generation algorithm Kg takes a security parameter 1k and returns a pair (pk,sk) of matching public and secret keys. The encapsulation algorithm Enc takes pk and produces a key \(K \in\mathcal{K}(k)\) together with an encapsulated ciphertext C. The deterministic decapsulation algorithm Dec takes sk and C to produce either a key \(K \in\mathcal{K}(k)\) or a special symbol ⊥ to indicate that the ciphertext was invalid. The consistency requirement is that for all \(k \in\mathbb{N}\), for all (pk,sk) which can be output by Kg(1k) and for all (C,K) that can be output by Enc(pk), we have Dec(sk,C)=K.

IND-CCA Security

A KEM IND-CCA adversary A=(A1,A2) is a pair of algorithms. Let \(\mathcal{B}\) be the class of all such adversaries. Let X∈{SP,BP,SE,BE}. To an adversary A=(A1,A2) and a KEM scheme KEM, we associate the experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox {-}\mathrm{cca}\mbox{-}\mathsf{X}}}_{\mathsf{KEM},\mathrm{A}}(k)\) in Fig. 6. We define the advantage of A in the experiment as

$$\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {X}}}_{\mathsf{KEM},\mathrm{A}}(k) = 2\Pr\bigl[\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox {-}\mathsf{X}}}_{\mathsf{KEM},\mathrm{A}}(k) \Rightarrow\mathtt {true}\bigr] - 1 . $$

Let \(\mathcal{B}^{\mathsf{SP}}_{\mathsf{KEM}}= \mathcal{B}^{\mathsf{BP}}_{\mathsf{KEM}}=\mathcal{B}\) be the class of all IND-CCA adversaries. Let \(\mathcal {B}^{\mathsf{SE}}_{\mathsf{KEM}}\) be the class of all \(\mathrm{A}\in\mathcal{B}\) such that for all \(k \in\mathbb {N}\), the probability that C S 2 in \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox {-}\mathsf{SE}}}_{\mathsf{KEM},\mathrm{A}}(k)\) is 0. Let \(\mathcal {B}^{\mathsf{BE}}_{\mathsf{KEM}}\) be the class of all \(\mathrm{A}\in\mathcal{B}\) such that for all \(k \in \mathbb {N}\), the probability that C S 1S 2 in \(\mathbf{Exp}^{{\mathrm{ind}\mbox {-}\mathrm{cca}\mbox{-}\mathsf{BE}}}_{\mathsf{KEM},\mathrm{A}}(k)\) is 0. We say that KEM is IND-CCA-X secure if \(\mathbf{Adv}^{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathrm {X}}_{\mathsf{KEM},\mathrm{A}}(\cdot)\) is negligible for all \(\mathrm{A} \in\mathcal{B}^{\mathsf{X}}_{\mathsf{KEM}}\).

Fig. 6.
Fig. 6.

Experiment \(\mathbf{Exp}^{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathrm{X}}_{\mathsf{KEM},\mathrm{A}}(k)\), for X∈{SE,BE,SP,BP}.

Full size image

We also consider the following simpler one-phase notions. A one-phase KEM IND-CCA adversary A consists of a single algorithm. Let X∈{OP,OE}. To an adversary A and KEM, we associate the one-phase experiment \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{X}}}_{\mathsf{KEM},\mathrm{A}}(k)\) in Fig. 7. We define the advantage of A as above. Let \(\mathcal{B}^{\mathsf{OP}}_{\mathsf{KEM}}\) be the class of all one-phase KEM IND-CCA adversaries. Let \(\mathcal{B}^{\mathsf{OE}}_{\mathsf{KEM}}\) be the class of all \(\mathrm{A}\in\mathcal{B}^{\mathsf{OP}}_{\mathsf{KEM}}\) such that for all \(k \in\mathbb{N}\), the probability that C S in \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm {cca}\mbox{-}\mathsf{OE}}}_{\mathsf{KEM},\mathrm{A}}(k)\) is 0. We say that KEM is IND-CCA-X secure if \(\mathbf{Adv}^{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathrm {X}}_{\mathsf{KEM},\mathrm{A}}(\cdot)\) is a negligible function for all \(\mathrm{A} \in\mathcal{B}^{\mathsf{X}}_{\mathsf{KEM}}\).

Fig. 7.
Fig. 7.

One-phase experiment \(\mathbf{Exp}^{\mathrm{ind}\mbox {-}\mathrm{cca}\mbox{-}\mathrm{X}}_{\mathsf{KEM},\mathrm{A}}(k)\), for X∈{OE,OP}.

Full size image

Smoothness

For \(k \in\mathbb{N}\) we let

$$\mathbf{Smth}_{\mathsf{KEM}}(k) ={{\mathbf{E}} \Bigl[{\max_{C \in\{ 0,1\}^*} \Pr_{(K, C')\leftarrow_{\mathrm{R}} \mathsf{Enc}(\mathit {pk})}\bigl[C'=C\bigr]} \Bigr]} $$

where the expected value is taken over all (pk,sk)←R Kg(k). We refer to Smth KEM (⋅) as the smoothness of KEM and say that KEM is smooth if Smth KEM (⋅) is negliglible. The notion of a smooth KEM scheme will play a crucial role in the proof of Theorem 4.4 and may be of independent interest.Footnote 3

Results

Figure 8 depicts our results, which show that all six notions of IND-CCA security for KEMs are equivalent. The equivalences of the right-hand-side of Fig. 2 are a consequence. The trivial implications (dashed arrows) of Fig. 8 should be clear from the definitions. We now prove the two other implications.

Fig. 8.
Fig. 8.

Relations between an expanded set of IND-CCA security notions for KEMs. The dotted lines are trivial implications, and the numbers annotating the solid line implications indicate the theorems establishing them.

Full size image

IND-CCA-OEIND-CCA-BP

Theorem 4.1 below shows that security under the one-phase exclusion-style notion implies security under the two-phase penalty-style notion that disallows challenge decryption in both phases.

Theorem 4.1

[IND-CCA-OEIND-CCA-BP]

If KEM is IND-CCA-OE secure then KEM is IND-CCA-BP secure.

Proof

Let \(\mathrm{B}=(\mathrm{B}_{1}, \mathrm{B}_{2}) \in\mathcal {B}^{\mathsf{BP}}_{\mathsf{KEM}}\). We build an adversary \(\mathrm{A} \in\mathcal{B}^{\mathsf{OE}}_{\mathsf{KEM}}\) such that for all \(k\in \mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{B}}(k) \leq \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {OE}}}_{\mathsf{KEM},\mathrm{A}}(k) . $$
(9)

A obtains \((1^{k},\mathit{pk},C^{*}, K^{*}_{b})\) and runs B1 on (1k,pk) and inputs St. Next, A runs B2 on input \((\mathit{St}, C^{*}, K^{*}_{b})\) and outputs whatever B2 returns. During the executions, A needs to answer B1 and B2’s decapsulation queries. Let C be such a decapsulation query made by B1 or B2. If CC then A answers using its own decapsulation oracle. If C=C is queried, then A aborts. This implies (9) since a successful adversary \(\mathrm {B}\in \mathcal{B}^{\mathsf{BP}}_{\mathsf{KEM}}\) is obliged not to submit C to the decapsulation oracle at any time. Furthermore, by construction, \(\mathrm{A} \in\mathcal{B}^{\mathsf{OE}}_{\mathsf{KEM}}\) which proves the theorem. □

IND-CCA-BPIND-CCA-SP

Theorem 4.4 below shows that for penalty-based notions allowing or disallowing a challenge-ciphertext query in the first phase does not make a difference. First, the following useful lemma shows that for smooth KEMs, IND-CCA-BP security and IND-CCA-SP security are indeed equivalent.

Lemma 4.2

If KEM is smooth and IND-CCA-BP secure then it is IND-CCA-SP secure.

Proof

Given an adversary \(\mathrm{A} =(\mathrm{A}_{1}, \mathrm{A}_{2})\in \mathcal{B} ^{\mathsf{SP}}_{\mathsf{KEM}}=\mathcal{B}^{\mathsf{BP}}_{\mathsf{KEM}}\) we show that for all \(k \in\mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {SP}}}_{\mathsf{KEM},\mathrm{A}}(k) \leq \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{A}}(k) + Q_1(k)\cdot\mathbf {Smth}_{\mathsf{KEM}}(k), $$
(10)

where Q 1(k) is a polynomial upper bound on the number of queries that A1 makes. Details are similar to the proof of Theorem 5.1 and omitted here. □

Next we show that for KEM schemes IND-CCA-BP security implies smoothness. This is in contrast to PKE schemes where the counterexample \(\overline{\mathsf{PKE}}\) from Fig. 4 shows a smooth PKE scheme which is not IND-CCA-BP secure.

Lemma 4.3

If KEM is IND-CCA-BP secure, then it is smooth.

Proof

We show that there exists an adversary \(\mathrm{B}= (\mathrm{B}_{1}, \mathrm{B}_{2})\in \mathcal{B}^{\mathsf{BP}}_{\mathsf{KEM}}\) such that for all \(k \in \mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{B}}(k) \geq \frac{1}{2} \cdot\mathbf {Smth}_{\mathsf{KEM}}^2(k). $$
(11)

Adversary B1 obtains 1k,pk and returns St=pk. Adversary B2 obtains (pk,C ,K ) and proceeds as follows. It picks random (K′,C′)←R Enc(pk). If C C′ then B2 picks a random bit b′ and returns it. If C =C′ then B2 returns b′=1 if K′=K and b′=0, otherwise.

We now turn to the analysis of B. For any pk and C∈{0,1} let

$$\nu(\mathit{pk},C)=\Pr_{(\tilde{K}, \tilde{C})\leftarrow_{\mathrm{R}} \mathsf{Enc}(\mathit{pk})}[\tilde{C}=C] $$

Ley C max(pk) be such that ν(pk,C max(pk))≥ν(pk,C) for all C∈{0,1}. We define Gd as the event that C′=C max(pk) and C =C max(pk) in \(\mathbf{Exp}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{B}}(k)\). Assume Gd has happened and hence C =C′. If b=1 then B wins with probability 1 since (by consistency) K =K′. If b=0 then B only loses if the two keys K′ and K collide. Since the experiment picks \(K^{*}=K^{*}_{0}\) uniformly distributed from \(\mathcal{K}(k)\) this happens with probability \(1/|\mathcal {K}(k)| \leq1/2\).

On the other hand, Pr[b=b′∣¬Gd]≥1/2 as in both cases, C′=C and C′≠C , we have Pr[b=b′∣¬Gd]≥1/2. Since B never queries the decapsulation oracle we have

It remains to bound Pr[Gd]. To this end let

$$X(\mathit{pk}) = \Pr_{(K, C)\leftarrow_{\mathrm{R}} \mathsf {Enc}(\mathit {pk})}\bigl[ C = C_{\max}(\mathit{pk}) \bigr] . $$

Regard X as a random variable over the choice of pk given by (pk,sk)←R Kg(1k). Then, taking the expectation over the choice of (pk,sk) we have E[X]≥Smth KEM (k) so

due to Jensen’s inequality. This yields (11) and concludes the proof of the claim. □

The preceding two lemmas can be combined to show our main result for KEMs.

Theorem 4.4

[IND-CCA-BPIND-CCA-SP]

If KEM is IND-CCA-BP secure then KEM is IND-CCA-SP secure.

Proof

Combining Lemmas 4.2 and 4.3, we see that there exists an adversary \(\mathrm{B}\in\mathcal{A}^{\mathsf{BP}}_{\mathsf{KEM}}\) (from Lemma 4.3), such that for any given adversary \(\mathrm{A}\in\mathcal{A}^{\mathsf{SP}}_{\mathsf{KEM}}=\mathcal{A}^{\mathsf{BP}}_{\mathsf{KEM}}\) and any \(k\in\mathbb{N}\), we have

$$\begin{aligned} \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {SP}}}_{\mathsf{KEM},\mathrm{A}}(k) \leq& \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{A}}(k) + Q_1(k)\cdot\mathbf {Smth}_{\mathsf{KEM}}(k) \\ \leq& \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{A}}(k) + Q_1(k)\cdot \sqrt{2\mathbf {Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{B}}(k)}, \end{aligned}$$
(12)

where Q 1(k) is a polynomial upper bound on the number of decryption queries that A makes. Since both \(\mathbf{Adv}^{{\mathrm {ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf{BP}}}_{\mathsf{KEM} ,\mathrm{A}}(k)\) and \(\mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{KEM},\mathrm{B}}(k)\) are negligible by assumption, this proves the theorem. □

Remark 4.5

The reduction of Theorem 4.4 expressed by (12) is not tight: in general the smoothness of a KEM can only be bounded by the square root of the IND-CCA-BP advantage. However, nearly all practical KEM scheme are unconditionally smooth, i.e. Smth KEM (k)=O(2k). For example, this is true for Diffie–Hellman-based schemes. In this case the reduction is tight, i.e. it only loses an additive factor of Q 1(k)/2k.

5 Relations for Smooth PKE Schemes

We mentioned earlier some intuition for why one might think that disallowing decryption of the challenge ciphertext in both phases is equivalent to disallowing it only in the second phase, namely that, even for IND-CPA schemes, there must be, for every message, a large number of corresponding ciphertexts, and hence an adversary would be unable to predict (and hence query) the challenge ciphertext in the first phase. The counterexample of Theorem 3.1 shows this intuition is false in general; in the scheme \(\overline{\mathsf{PKE}}\) we build there, there is a message, namely M weak, encryption of which can result in just one ciphertext, and yet the scheme is IND-CCA-BP (and hence IND-CPA) secure but not IND-CCA-SP secure. However, we now claim that the basic intuition mentioned above is still right in the sense that if indeed, for every message, there is a large number of corresponding ciphertexts—we will call this property smoothness—then indeed IND-CCA-BP implies IND-CCA-SP. Where the intuition went wrong was in thinking smoothness is implied by security properties like IND-CPA or IND-CCA-BP. (The scheme of Theorem 3.1 shows it is not.) Interestingly, we will, however, see that IND-CCA-BE and IND-CCA-SE are not equivalent even for smooth schemes, indicating the weakness of exclusion-based definitions. To detail all this we now define smoothness formally. For any \(k\in \mathbb{N}\) and any scheme PKE=(Kg,Enc,Dec), we let

$$\mathbf{Smth}_{\mathsf{PKE}}(k) ={{\mathbf{E}} \Bigl[{\max_{M\in\{ 0,1\}^*, C \in\{0,1\}^*} \Pr _{C^*\leftarrow_{\mathrm{R}} \mathsf {Enc}(\mathit{pk},M)}\bigl[C=C^*\bigr]} \Bigr]} $$

where the expected value is taken over all (pk,sk)←R Kg(k). We refer to Smth PKE (k) as the smoothness of PKE and say that PKE is smooth if Smth PKE (⋅) is negliglible.

Smooth practical schemes include the ElGamal scheme [17] and the Cramer–Shoup scheme [12]. For these schemes, Smth PKE (k)≤2k. On the other hand, the scheme \(\overline{\mathsf{PKE}}\) from Theorem 3.1 is not smooth: For any (pk,sk), for the message M weak and the ciphertext C=(1,1) we have Pr[C=Enc(pk,M weak)]=1 so \(\mathbf{Smth}_{\overline{\mathsf{PKE}}}(k)=1\). The relations between the different IND-CCA notions for PKE schemes with smooth ciphertexts are summarized in Fig. 9. The difference between this and Fig. 2 is that IND-CCA-BP now implies IND-CCA-SP.

Fig. 9.
Fig. 9.

Implications and separations between the various IND-CCA security notions for PKE schemes with smooth ciphertexts.

Full size image

Theorem 5.1

If the scheme PKE is IND-CCA-BP secure and smooth, then it is also IND-CCA-SP secure.

Proof

Given an adversary \(\mathrm{A} =(\mathrm{A}_{1}, \mathrm{A}_{2})\in \mathcal{A} ^{\mathsf{SP}}_{\mathsf{PKE}}=\mathcal{A}^{\mathsf{BP}}_{\mathsf{PKE}}\) we show that for all \(k \in\mathbb{N}\),

$$ \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {SP}}}_{\mathsf{PKE},\mathrm{A}}(k) \leq \mathbf{Adv}^{{\mathrm{ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf {BP}}}_{\mathsf{PKE},\mathrm{A}}(k) + 2Q_1(k)\cdot\mathbf {Smth}_{\mathsf{PKE}}(k), $$
(13)

where Q 1(k) is a polynomial upper bound on the number of decryption queries of A1.

We define the event Bd in \(\mathbf{Exp}^{{\mathrm {ind}\mbox{-}\mathrm{cca}\mbox{-}\mathsf{BP}}}_{\mathsf {PKE},\mathrm{A}}\) to hold when C S 1. Then

(14)

On the other hand we have Pr[Bd]≤Q 1(k)⋅Smth PKE (k) because for any given first phase query C, the smoothness property of PKE guarantees that Pr[C=C ]≤Smth PKE (k). Substituting into (14) yields (13), and thus the claimed statement. □

However, Theorem 5.2 below shows that, even for smooth schemes, the equivalence between allowing challenge decryption queries in both or just the second phase does not carry over to the case of exclusion-based definitions.

Theorem 5.2

[IND-CCA-BEIND-CCA-SE]

Assume there exist injective one-way functions and a smooth scheme PKE which is IND-CCA-BE secure. Then there exists a smooth scheme \(\overline{\mathsf{PKE}}\) which is IND-CCA-BE secure but not IND-CCA-SE secure.

Proof

Assume PKE is IND-CCA-BE secure and smooth. We use the IND-CCA-BE secure PKE scheme \(\overline{\mathsf{PKE}}\) from the proof of Theorem 3.3 (Fig. 4 with N k ={0,1}k). Note that \(\mathbf{Smth}_{\overline{\mathsf{PKE}}}(k) \leq\mathbf {Smth}_{\mathsf{PKE}}(k) + 2^{-k}\) and hence \(\overline{\mathsf{PKE}}\) is smooth.

Consider the adversary A=(A1,A2) used in the proof of Theorem 3.3 to attack IND-CCA-BP security of the scheme. Since A2 never queries the decryption oracle we have \(\mathrm{A} \in\mathcal{A}^{\mathsf{SE}}_{\mathsf{PKE}}\). Furthermore, A wins with probability 1, always, and hence \(\overline{\mathsf{PKE}}\) is not IND-CCA-SE secure. □