Paper 2009/418

Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?

Mihir Bellare, Dennis Hofheinz, and Eike Kiltz

Abstract

The definition of IND-CCA disallows an adversary from querying the challenge ciphertext to its decryption oracle. We point out that there are several ways to formalize this. We show that, surprisingly, for public-key encryption the resulting notions are not all equivalent. We then consider the same question for key-encapsulation mechanisms (KEMs) and show that in this case the four notions ARE all equivalent. Our discoveries are another manifestation of the subtleties that make the study of cryptography so attractive and are important towards achieving the definitional clarity and unity required for firm foundations.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Published elsewhere. Unknown where it was published
Keywords
Definitions, foundations, encryption, chosen-ciphertext attack
Contact author(s)
mihir @ cs ucsd edu
History
2009-09-01: received
Short URL
https://ia.cr/2009/418
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/418,
      author = {Mihir Bellare and Dennis Hofheinz and Eike Kiltz},
      title = {Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?},
      howpublished = {Cryptology ePrint Archive, Paper 2009/418},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/418}},
      url = {https://eprint.iacr.org/2009/418}
}