Journal of Cryptology

, Volume 28, Issue 1, pp 29–48 | Cite as

Subtleties in the Definition of IND-CCA: When and How Should Challenge Decryption Be Disallowed?

  • Mihir BellareEmail author
  • Dennis Hofheinz
  • Eike Kiltz


IND-CCA (indistinguishability under adaptive chosen-ciphertext attacks) is a central notion of security for public-key encryption, defined and targeted in many papers. Non-triviality of the notion requires that the adversary not query the challenge ciphertext to the decryption oracle. We point out that this “no-challenge-decryption” condition can be formalized in several different ways and the literature is not consistent, sometimes doing it one way, sometimes another, and assuming it makes no difference. We show that the latter perception is incorrect. It does make a difference, for the resulting notions are not equivalent. Specifically, we consider four notions corresponding to whether challenge decryption is disallowed in both phases of the adversary’s attack or just in the second, and, orthogonally, whether the disallowance is “penalty” or “exclusion” based. We show that the notions are not all equivalent for public-key encryption (PKE). We then show that, in contrast, they are equivalent for key-encapsulation mechanisms (KEMs). Our work shows that subtle foundational issues exist even with notions that are supposedly well-established and unambiguous, and highlights the need to be careful and precise with regard to “minor” definitional “details”.

Key words

Definitions Foundations Encryption Chosen-ciphertext attack 


  1. [1]
    M. Abdalla, D. Catalano, A. Dent, J. Malone-Lee, G. Neven, N. Smart, Identity-based encryption gone wild, in ICALP 2006: 33rd International Colloquium on Automata, Languages and Programming, Part II, ed. by M. Bugliesi, B. Preneel, V. Sassone, I. Wegener. Lecture Notes in Computer Science, vol. 4052 (Springer, Berlin, 2006), pp. 300–311 Google Scholar
  2. [2]
    M. Abe, Combining encryption and proof of knowledge in the random oracle model. Comput. J. 47(1), 58–70 (2004) CrossRefzbMATHGoogle Scholar
  3. [3]
    M. Bellare, A. Boldyreva, S. Micali, Public-key encryption in a multi-user setting: Security proofs and improvements, in Advances in Cryptology—EUROCRYPT 2000, ed. by B. Preneel. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 259–274 CrossRefGoogle Scholar
  4. [4]
    M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in Advances in Cryptology—CRYPTO’98, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 26–45 Google Scholar
  5. [5]
    D. Boneh, R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007) CrossRefMathSciNetGoogle Scholar
  6. [6]
    D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in Advances in Cryptology—CRYPTO 2001, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 213–229 CrossRefGoogle Scholar
  7. [7]
    X. Boyen, Q. Mei, B. Waters, Direct chosen ciphertext security from identity-based techniques, in ACM CCS 05: 12th Conference on Computer and Communications Security, ed. by V. Atluri, C. Meadows, A. Juels (ACM, New York, 2005), pp. 320–329 CrossRefGoogle Scholar
  8. [8]
    R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science (IEEE Comput. Soc., Los Alamitos, 2001), pp. 136–145 Google Scholar
  9. [9]
    R. Canetti, H. Krawczyk, J.B. Nielsen, Relaxing chosen-ciphertext security, in Advances in Cryptology—CRYPTO 2003, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 565–582 CrossRefGoogle Scholar
  10. [10]
    B. Chevallier-Mames, D.H. Phan, D. Pointcheval, Optimal asymmetric encryption and signature paddings, in ACNS 05: 3rd International Conference on Applied Cryptography and Network Security, ed. by J. Ioannidis, A. Keromytis, M. Yung. Lecture Notes in Computer Science, vol. 3531 (Springer, Berlin, 2005), pp. 254–268 CrossRefGoogle Scholar
  11. [11]
    J.-S. Coron, H. Handschuh, M. Joye, P. Paillier, D. Pointcheval, C. Tymen, Optimal chosen-ciphertext secure encryption of arbitrary-length messages, in PKC 2002: 5th International Workshop on Theory and Practice in Public Key Cryptography, ed. by D. Naccache, P. Paillier. Lecture Notes in Computer Science, vol. 2274 (Springer, Berlin, 2002), pp. 17–33 Google Scholar
  12. [12]
    R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Advances in Cryptology—CRYPTO’98, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 13–25 Google Scholar
  13. [13]
    R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003) CrossRefzbMATHMathSciNetGoogle Scholar
  14. [14]
    H. Delfs, H. Knebl, Introduction to Cryptography: Principles and Applications (Springer, Berlin, 2002) CrossRefGoogle Scholar
  15. [15]
    A.W. Dent, A designer’s guide to KEMs, in 9th IMA International Conference on Cryptography and Coding, ed. by K.G. Paterson. Lecture Notes in Computer Science, vol. 2898 (Springer, Berlin, 2003), pp. 133–151 CrossRefGoogle Scholar
  16. [16]
    D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000) CrossRefzbMATHMathSciNetGoogle Scholar
  17. [17]
    T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in Advances in Cryptology—CRYPTO’84, ed. by G.R. Blakley, D. Chaum. Lecture Notes in Computer Science, vol. 196 (Springer, Berlin, 1985), pp. 10–18 CrossRefGoogle Scholar
  18. [18]
    E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in Advances in Cryptology—CRYPTO’99, ed. by M.J. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 537–554 Google Scholar
  19. [19]
    E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is secure under the RSA assumption. J. Cryptol. 17(2), 81–104 (2004) CrossRefzbMATHMathSciNetGoogle Scholar
  20. [20]
    O. Goldreich, Foundations of Cryptography: Basic Applications, vol. 2 (Cambridge University Press, Cambridge, 2004) CrossRefGoogle Scholar
  21. [21]
    S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984) CrossRefzbMATHMathSciNetGoogle Scholar
  22. [22]
    J. Groth, Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems, in TCC 2004: 1st Theory of Cryptography Conference, ed. by M. Naor. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 152–170 Google Scholar
  23. [23]
    D. Hofheinz, J. Müller-Quade, R. Steinwandt, On modeling ind-cca security in cryptographic protocols. Tatra Mt. Math. Publ. 33, 83–97 (2006) zbMATHMathSciNetGoogle Scholar
  24. [24]
    J. Katz, J. Lindell, Introduction to Modern Cryptography (Chapman & Hall/CRC Press, London/Boca Raton, 2007) Google Scholar
  25. [25]
    E. Kiltz, Chosen-ciphertext security from tag-based encryption, in TCC 2006: 3rd Theory of Cryptography Conference, ed. by S. Halevi, T. Rabin. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 581–600 Google Scholar
  26. [26]
    E. Kiltz, Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie–Hellman, in PKC 2007: 10th International Conference on Theory and Practice of Public Key Cryptography, ed. by T. Okamoto, X. Wang. Lecture Notes in Computer Science, vol. 4450 (Springer, Berlin, 2007), pp. 282–297 CrossRefGoogle Scholar
  27. [27]
    E. Kiltz, D. Galindo, Direct chosen-ciphertext secure identity-based key encapsulation without random oracles, in ACISP 06: 11th Australasian Conference on Information Security and Privacy, ed. by L.M. Batten, R. Safavi-Naini. Lecture Notes in Computer Science, vol. 4058 (Springer, Berlin, 2006), pp. 336–347 CrossRefGoogle Scholar
  28. [28]
    K. Kurosawa, Y. Desmedt, A new paradigm of hybrid encryption scheme, in Advances in Cryptology—CRYPTO 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 426–442 CrossRefGoogle Scholar
  29. [29]
    Y. Lindell, A simpler construction of CCA2-secure public-key encryption under general assumptions. J. Cryptol. 19(3), 359–377 (2006) CrossRefzbMATHMathSciNetGoogle Scholar
  30. [30]
    A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography. The CRC Press Series on Discrete Mathematics and Its Applications (CRC Press, Boca Raton, 2000). N.W. Corporate Blvd., Boca Raton, FL 33431-9868, USA (1997) Google Scholar
  31. [31]
    M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in 22nd Annual ACM Symposium on Theory of Computing (ACM, New York, 1990) Google Scholar
  32. [32]
    T. Okamoto, D. Pointcheval, REACT: rapid enhanced-security asymmetric cryptosystem transform, in Topics in Cryptology—CT-RSA 2001, ed. by D. Naccache. Lecture Notes in Computer Science, vol. 2020 (Springer, Berlin, 2001), pp. 159–175 CrossRefGoogle Scholar
  33. [33]
    P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in Advances in Cryptology—ASIACRYPT 2006, ed. by X. Lai, K. Chen. Lecture Notes in Computer Science, vol. 4284 (Springer, Berlin, 2006), pp. 252–266 CrossRefGoogle Scholar
  34. [34]
    D.H. Phan, D. Pointcheval, On the security notions for public-key encryption schemes, in SCN 04: 4th International Conference on Security in Communication Networks, ed. by C. Blundo, S. Cimato. Lecture Notes in Computer Science, vol. 3352 (Springer, Berlin, 2004), pp. 33–46 Google Scholar
  35. [35]
    M. Prabhakaran, M. Rosulek, Rerandomizable RCCA encryption, in Advances in Cryptology—CRYPTO 2007, ed. by A. Menezes. Lecture Notes in Computer Science, vol. 4622 (Springer, Berlin, 2007), pp. 517–534 CrossRefGoogle Scholar
  36. [36]
    C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology—CRYPTO’91, ed. by J. Feigenbaum. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1992), pp. 433–444 Google Scholar
  37. [37]
    A. Sahai, Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, in 40th Annual Symposium on Foundations of Computer Science (IEEE Comput. Soc., Los Alamitos, 1999), pp. 543–553 Google Scholar
  38. [38]
    V. Shoup, OAEP reconsidered. J. Cryptol. 15(4), 223–249 (2002) CrossRefzbMATHMathSciNetGoogle Scholar
  39. [39]
    V. Shoup, ISO 18033-2: An emerging standard for public-key encryption., Dec. 2004. Final Committee Draft
  40. [40]
    N.P. Smart, The exact security of ECIES in the generic group model, in Cryptography and Coding, 8th IMA International Conference, ed. by B. Honary. Lecture Notes in Computer Science, vol. 2260 (Springer, Berlin, 2001), pp. 73–84 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. 1.Department of Computer Science & Engineering 0404University of California San DiegoLa JollaUSA
  2. 2.Institut für Kryptographie und Sicherheit (IKS)Karlsruher Institut für Technologie (KIT)KarlsruheGermany
  3. 3.Horst Görtz Institut für IT-SicherheitRuhr-Universität BochumBochumGermany

Personalised recommendations