Cryptology ePrint Archive: Report 2009/418

Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?

Mihir Bellare and Dennis Hofheinz and Eike Kiltz

Abstract: The definition of IND-CCA disallows an adversary from querying the challenge ciphertext to its decryption oracle. We point out that there are several ways to formalize this. We show that, surprisingly, for public-key encryption the resulting notions are not all equivalent. We then consider the same question for key-encapsulation mechanisms (KEMs) and show that in this case the four notions ARE all equivalent. Our discoveries are another manifestation of the subtleties that make the study of cryptography so attractive and are important towards achieving the definitional clarity and unity required for firm foundations.

Category / Keywords: foundations / Definitions, foundations, encryption, chosen-ciphertext attack

Date: received 27 Aug 2009

Contact author: mihir at cs ucsd edu

Available formats: PDF | BibTeX Citation

Version: 20090901:065518 (All versions of this report)

Discussion forum: Show discussion | Start new discussion