Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998. This is the full
paper.
Relations Among Notions of Security for
Public-Key Encryption Schemes
M. Bellare A. Desai y D. Pointcheval z P. Rogaway x June2001 Abstract
We comparetherelativestrengths ofpopularnotionsof securityforpublic-keyencryption
schemes. Weconsider the goals of privacy and non-malleability, each under chosen-plaintext
attackandtwokindsofchosen-ciphertextattack. Foreachof theresultingpairs ofdenitions
we prove either an implication (every scheme meeting one notion must meet the other) or a
separation(thereis ascheme meeting onenotionbut nottheother, assuming therst notion
canbemetatall). Wesimilarlytreatplaintextawareness,anotionofsecurityinthe
random-oraclemodel. An additionalcontribution of this paperis anew denition of non-malleability
which webelieveissimplerthanthepreviousone.
Keywords: Asymmetric encryption, Chosen ciphertext security, Non-malleability,
Racko-Simonattack,Plaintextawareness,Relationsamongdenitions.
Dept.ofComputerScience&Engineering,UniversityofCalifornia atSanDiego,9500 GilmanDrive,La Jolla,
CA92093,USA.E-Mail: mihir @cs.ucsd.edu. URL:http://www-cse.ucsd.edu/use rs/m ihir=. Supportedinpart
byNSFCAREERAwardCCR-9624439anda1996PackardFoundationFellowshipinScienceandEngineering.
y
NTT MultimediaCommunications Laboratories, 250CambridgeAvenue,Suite300, Palo Alto, CA 94306.
E-mail: desai@nttmcl.com. Workdone whileauthorwas atUCSD,supportedinpartbytheabove-mentionedgrants
oftherstauthor.
z
Laboratoired'Informatiquedel'
Ecole NormaleSuperieure, 45rue d'Ulm,F {75230 Paris Cedex 05. E-mail:
david.pointcheval@ens.fr. URL:http://www.dmi.ens.fr/~pointche /.
x
Dept.ofComputerScience,EngineeringIIBldg.,OneShieldsAvenue,UniversityofCaliforniaatDavis,Davis,
CA95616,USA.E-mail: rogaway@cs.ucdavis.edu. URL:http://www.cs.ucdavis.edu/~ro gaway /. Supportedby
1 Introduction 1
1.1 Notions ofEncryption Scheme Security. . . 1
1.2 Implications andSeparations . . . 1
1.3 Plaintext Awareness . . . 2
1.4 DenitionalContributions . . . 3
1.5 Motivation . . . 3
1.6 RelatedWork andDiscussion . . . 4
2 Denitions of Security 5 2.1 Framework . . . 6
2.2 IndistinguishabilityofEncryptions . . . 6
2.3 Non-Malleability . . . 7
3 Relating IND and NM 9 3.1 Results. . . 9
3.2 Notation and Preliminaries . . . 10
3.3 Proof of Theorem3.1 : NM- ATK)IND- ATK . . . 11
3.4 Proof of Theorem3.3 : IND- CCA2)NM- CCA2 . . . 12
3.5 Proof of Theorem3.5 : IND- CCA16)NM- CPA . . . 13
3.6 Proof of Theorem3.6 : NM- CPA6)IND- CCA1 . . . 15
3.7 Proof of Theorem3.7 : NM- CCA16)NM- CCA2 . . . 18
4 Results on PA 22 4.1 Denition . . . 22
4.2 Results. . . 23
4.3 Proof of Theorem4.2 : PA)IND- CCA2 . . . 24
4.4 Proof of Theorem4.4 : IND- CCA26)PA . . . 26
Inthispaperwecomparetherelativestrengthsofvariousnotionsofsecurityforpublic-key
encryp-tion. We wantto understandwhichdenitionsof securityimplywhichothers. Westartbysorting
outsome of thenotionswewillconsider.
1.1 Notions of Encryption Scheme Security
A convenient way to organize denitions of secure encryption is by considering separately the
variouspossiblegoals and thevariouspossibleattack models, andthen obtaineach denitionasa
pairing ofa particular goal anda particular attack model. This viewpoint was suggestedto usby
MoniNaor [25 ].
We consider two dierent goals: indistinguishability of encryptions, due to Goldwasser and
Micali [21 ], and non-malleability, dueto Dolev, Dwork and Naor [13 ]. Indistinguishability(IND )
formalizes an adversary's inability to learn any information about the plaintext x underlying a
challenge ciphertext y,capturing a strongnotionof privacy. Non-malleability(NM ) formalizesan
adversary's inability, given a challenge ciphertext y, to output a dierent ciphertext y 0
such that
the plaintexts x;x 0
underlying these two ciphertexts are \meaningfully related". (For example,
x 0
=x+1.) It capturesa senseinwhichciphertextscan betamper-proof.
Along theother axiswe considerthree dierent attacks. In order of increasing strength these
are chosen-plaintext attack (CPA ), non-adaptive chosen-ciphertext attack (CCA1), and adaptive
chosen-ciphertext attack (CCA2). Under CPA the adversary can obtain ciphertexts of plaintexts
of her choice. In the public-key setting, giving the adversary the public key suÆces to capture
these attacks. Under CCA1, formalized by Naor and Yung [26 ], the adversary gets, in addition
to the public key, access to an oracle for the decryption function. The adversary may use this
decryptionfunctiononlyfortheperiodoftimeprecedingherbeinggiventhechallengeciphertexty.
(Theterm non-adaptive refers to the factthat queriesto thedecryption oracle cannot dependon
the challenge y. Colloquially this attack has also been called a \lunchtime," \lunch-break," or
\midnight" attack.) Under CCA2, due to Racko and Simon [27 ], the adversary again gets (in
addition to the publickey) access to an oracle forthe decryptionfunction, but thistimeshe may
usethisdecryptionfunctionevenon ciphertextschosen afterobtainingthechallenge ciphertext y,
theonlyrestrictionbeingthattheadversarymaynotaskforthedecryptionofy itself. (Theattack
is called adaptive because queriesto the decryption oracle can dependon the challenge y.) As a
mnemonicfor theabbreviations CCA1/ CCA2, justrememberthatthe biggernumbergoeswith
thestronger attack.
Onecan \mix-and-match" thegoals fIND ;NMgand attacksfCPA ;CCA1;CCA2 ginany
com-bination,giving riseto sixnotionsof security:
IND- CPA; IND- CCA1; IND- CCA2; NM-CPA ; NM- CCA1; NM-CCA2 :
Mostarefamiliar(although underdierentnames). IND- CPA isthenotionof[21 ]; 1
IND- CCA1is
thenotionof [26 ];IND- CCA2 isthe notionof [27 ];NM- CPA,NM- CCA1and NM-CCA2 arefrom
[13 , 14 ,15 ].
1.2 Implications and Separations
In this paper we work out the relations between the above six notions. For each pair of notions
A;B 2 fIND- CPA;IND- CCA1;IND-CCA2;NM- CPA;NM- CCA1; NM- CCA2g, we show one of
1
Goldwasser and Micali referred to IND-CPA as polynomial security, and also showed this was equivalent to
IND- CPA IND- CCA1 IND-CCA2 NM- CPA NM- CCA1 NM- CCA2 -? ? ? 6 q i 3.1 3.6 3.5 3.1 3.1 3.3
Figure1: Anarrowisanimplication,andinthedirectedgraphgivenbythearrows,thereisapath
from A toB if andonlyA)B. Thehatched arrows represent separations we actuallyprove; all
others follow automatically. The number on an arrow orhatched arrow refers to the theorem in
thispaperwhich establishesthisrelationship.
thefollowing:
A)B: Aproofthat ifPE is anyencryption scheme meeting notionofsecurityA thenPE
also meetsnotionof securityB.
A6)B: A construction of an encryptionscheme PE that provablymeetsnotionof security
A butprovablydoesnot meet notionof securityB. 2
We call a result of therst type an implication, and aresult of the second type a separation. For
each pair ofnotions we provideone ortheother,sothat no relationremainsopen.
These results are represented diagrammatically in Figure 1 . The (unhatched) arrows
repre-sent implications that are proven or trivial, and the hatched arrows represent explicitly proven
separations. Specically, the non-trivial implication is that IND- CCA2 implies NM-CCA2, and
the separations shown are that IND- CCA1 does not imply NM- CPA; nor does NM-CPA imply
IND- CCA1;nordoesNM- CCA1 implyNM- CCA2.
Figure 1representsacompletepictureof relationsinthefollowingsense. Viewthepictureasa
graph,theedgesbeingthosegivenbythe(unhatched)arrows. (Sothereareeightedges.) Weclaim
thatforanypairofnotionsA;B,itisthecasethatAimpliesB ifandonlyifthereisapathfrom
AtoBinthegraph. The\if"partofthisclaimisofcourseclearfromthedenitionofimplication.
The\onlyif"partofthisclaimcan beveriedforanypairofnotionsbyutilizingthehatchedand
unhatchedarrows. Forexample, we claim that IND- CCA1 doesnot implyIND-CCA2. For ifwe
had that IND- CCA1 impliesIND- CCA2 then this, coupled with NM- CCA1 implyingIND- CCA1
and IND-CCA2 implyingNM- CCA2, wouldgive NM- CCA1 implyingNM- CCA2, whichwe know
to befalse.
That IND-CCA2 impliesall of theother notions helpsbolster the view that adaptive CCA is
the\right" version ofCCA onwhichto focus. (IND- CCA2has alreadyproven to be a better tool
for protocol design.) We thus suggest that, in the future, \CCA" should be understood to mean
adaptiveCCA.
1.3 Plaintext Awareness
Anotheradversarialgoal we willconsiderisplaintext awareness (PA), rst dened byBellare and
Rogaway[6 ]. PA formalizesan adversary'sinabilityto create aciphertexty without\knowing"its
underlyingplaintext x. (In the case that the adversary creates an \invalid" ciphertext what she
shouldknow isthat theciphertext isinvalid.)
2
Thiswill be done undertheassumptionthat thereexists some schememeetingnotion A, sinceotherwise the
thatintheROmodeloneembellishesthecustomarymodelofcomputationbyprovidingallparties
(goodandbad alike)witharandomfunctionH fromstringstostrings. See[5 ] foradescriptionof
therandom-oracle modeland a discussionof its use.
The sixnotionsofsecuritywehavedescribedcan beeasily\lifted"to theROmodel,givingsix
correspondingdenitions. Onceone makessuch denitional analogsit iseasily veriedthat all of
the implications and separations mentioned in Section1.2 and indicated in Figure 1 also hold in
theROsetting. Forexample, theRO versionof IND- CCA2impliestheROversionof NM- CCA2.
Since PA has only been dened in the RO model it only makes sense to compare PA with
other RO notions. Our results in this vein are as follows. Theorem4.2 shows that PA (together
with the RO version of IND- CPA) impliesthe RO version of IND- CCA2. In the other direction,
Theorem4.4 shows thattheROversionof IND- CCA2 doesnotimplyPA.
1.4 Denitional Contributions
Beyondtheimplicationsandseparationswehavedescribed,wehavetwodenitionalcontributions:
a newdenitionof non-malleability,anda renement to thedenitionofplaintextawareness.
The original denitionof non-malleability[13, 14 , 15 ] is in terms of simulation,requiring, for
everyadversary,theexistenceofsomeappropriatesimulator. Webelieveourformulationissimpler.
It is dened via an experiment involving onlythe adversary; there is no simulator. Nonetheless,
thedenitionsare equivalent[7 ], underanyform ofattack.
Thus the results in this paper are not aected by the denitional change. We view the new
denitionasan additional,orthogonal contributionwhichcould simplifythetask ofworkingwith
non-malleability. Wealsonotethatourdenitionalidealiftstoothersettings,likedeningsemantic
security[21 ] againstchosen-ciphertextattacks. (Semantic securityseems notto have beendened
against CCA.)
With regard to plaintext awareness, we make a small but important renement to the
de-nition of [6 ]. The change allows us to substantiate their claim that plaintext awareness implies
chosen-ciphertextsecurityand non-malleability,bygiving usthatPA(plusIND- CPA)impliesthe
RO versions of IND- CCA2 and NM- CCA2. Our renement is to endow the adversary with an
encryptionoracle, thequeries to whichare notgiven tothe extractor. SeeSection4.
1.5 Motivation
In recent years there has been an increasing role played by public-key encryption schemes which
meetnotionsofsecuritybeyondIND- CPA. Wearerealizingthatoneoftheirmostimportantusesis
astoolsfordesigninghigher-levelprotocols. Forexample, encryptionschemesmeeting IND- CCA2
appearto betherighttoolsinthedesignofauthenticatedkeyexchangeprotocolsinthepublic-key
setting [1 ]. As another example, the designers of SET (Secure Electronic Transactions) selected
an encryption scheme which achieves more than IND- CPA [28 ]. This was necessary, insofar as
the SET protocols would be wrong if instantiated by a primitive which achieves only IND- CPA
security. Because encryption schemes which achieve more than IND- CPA make for easier-to-use
(orharder-to-misuse) tools,emergingstandards rightlyfavorthem.
We comment that if one takes the CCA models \too literally" the attacks we describe seem
rather articial. Take adaptive CCA, for example. How could an adversary have access to a
decryption oracle, yet be forbidden to use it on the one point she really cares about? Either she
has the oracle and can use it as she likes, or she does not have it at all. Yet, in fact, just such
these aretherightnotionsforschemesto meetwhen these schemesareto become generally-useful
tools inthedesignof highlevelprotocols.
1.6 Related Work and Discussion
Relations. Themostrecent version ofthe workof Dolev,Dwork and Naor, themanuscript [15 ],
has, independentlyofour work,consideredthe questionofrelations among notionsof encryptions
beyondIND- CPA. Itcontains(currentlyinRemark3.6)variousclaimsthatoverlaptosome extent
with ours. (Public versionsof their work, namely the1991 proceedings version [13 ] and the 1995
technical report[14 ], donot containthese claims.)
Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and
Micali[21]andcontinueswithYao[29 ],Micali,RackoandSloan[24 ],andGoldreich[18,19 ]. These
workstreatprivacyunderchosen-plaintextattack(thenotionwearecapturingviaIND- CPA). They
showthatvariousformalizationsofitareequivalent,invariousmodels. Specically,Goldwasserand
Micaliintroduced,andshowedequivalent,thenotionsofindistinguishabilityandsemanticsecurity;
Yao introduced a notionbased on computational entropy; Micali, Racko and Sloan showed that
appropriatevariantsoftheoriginaldenitionareequivalenttothis;Goldreich[18 ]madeimportant
renements to the notion of semantic security and showed that the equivalences still held; and
Goldreich [19 ]provideddenitions andequivalencesfor thecase of uniformadversaries. We build
onthese foundationsbothconceptuallyandtechnically. Inparticular,thisbodyofworkeectively
justiesouradopting one particularformulation ofprivacyunderchosen-plaintext attack, namely
IND- CPA.
Noneoftheaboveworksconsideredchosen-ciphertextattacksand,inparticular,thequestionof
whether indistinguishabilityand semantic securityareequivalent inthissetting. In fact, semantic
securityunderchosen-ciphertextattackseemstohavenoteven beendened. Asmentionedearlier,
denitionsfor semantic securityunder CCAcan be obtained along thelines of ournew denition
ofnon-malleability. We expect(andhope)that,afterdoing this,theequivalencebetweensemantic
security and indistinguishability continue to hold with respect to CCA, but this has not been
checked.
Recent work on simplifying non-malleability. As noted above, Bellare and Sahai [7 ]
have shown thatthe denitionof non-malleabilitygiven inthispaperis equivalent to theoriginal
one of [13 , 14 , 15 ]. In addition, they provide a novel formulation of non-malleabilityin terms of
indistinguishability, showing that non-malleability is just a form of indistinguishability under a
certaintype ofattackthey callaparallelattack. Theircharacterization can be appliedtosimplify
some of theresultsinthispaper.
Schemes. It isnotthe purposeofthispaperto discussspecic schemesdesigned formeeting any
ofthenotionsofsecuritydescribedinthispaper. Nonetheless,asasnapshotofthestateoftheart,
we attempt to summarize what is known about meeting \beyond-IND- CPA" notions of security.
Schemesproven secureunder standardassumptions includethat of [26 ],which meetsIND- CCA1,
that of [13 ], which meets IND- CCA2, and the much more eÆcient recent scheme of Cramer and
Shoup[10 ], which also meets IND- CCA2. Next are theschemesproven secureina random-oracle
model; here we have those of [5, 6 ], which meet PA and are as eÆcient as schemes in current
standards. Then there are schemes without proofs, such as those of [11 , 30]. Finally, there are
schemesfornon-standard models,like[16,27 ].
We comment that it follows from our resultsthat the above mentioned scheme of [10 ], shown
metric) encryption. The same questions can be asked for private-key (ie. symmetric) encryption.
Denitions forsymmetric encryptionscheme privacy underCPA were given by[2 ]. Thosenotions
can be lifted to deal with CCA.Denitions for non-malleabilityinthe private-key setting can be
obtained by adapting the public-key ones. Again we would expect (and hope) that, if properly
done, theanalogsto therelations we have proven remain.
One feature of denitions in this setting is worth highlighting. Recall that in the public-key
setting,nothingspecialhad to be doneto model CPA; itcorrespondsjustto giving theadversary
the public key. Not soin a private-key setting. The suggestion of [3 ] is to give the adversary an
oracle for encryption under the private key. This must be donein all denitions,and it is under
thisnotionthatweexpectto see ananalog of theresultsforthepublic-keycase.
Goldreich,indiscussionsonthisissue,hasnotedthatintheprivate-keycase,onecanconsideran
attack settingweakerthanCPA,wheretheadversary is notgiven an encryptionoracle. He points
outthatunderthisattackitwillnotevenbetruethatnon-malleabilityimpliesindistinguishability.
Encryptionscheme securitywhichgoesbeyondindistinguishabilityisimportantinthe
private-key case too, and we feel it deserves a full treatment of its own which would explore and clarify
some of theabove issues.
Furtherremarks. We comment that non-malleabilityis ageneral notionthat appliesto
primi-tivesother thanencryption [13 ]. Our discussionis limitedto its useinasymmetric encryption.
Bleichenbacher[8 ] hasrecentlyshownthata popularencryptionscheme, RSAPKCS#1, does
notachieve IND- CCA1. He also describesa popularprotocol forwhich thiscauses problems. His
results reinforce the danger of assuming anything beyond IND- CPA which has not been
demon-strated.
Apreliminaryversionofthispaperappearedas[3]. Weincludeherematerialwhichwasomitted
from thatabstract dueto space limitations.
2 Denitions of Security
Thissectionprovidesformaldenitionsforthesixnotionsofsecurityofanasymmetric(ie.,
public-key)encryptionschemediscussedinSection1.1. PlaintextawarenesswillbedescribedinSection4 .
We begin bydescribing thesyntax of an encryption scheme, divorcingsyntax from thenotions of
security.
Experiments. We use standard notations and conventions for writing probabilistic algorithms
and experiments. If A is a probabilistic algorithm, then A(x
1 ;x
2
;:::;r) is the result of running
A on inputs x
1 ;x
2
;::: and coins r. We let y A(x
1 ;x
2
;::: ) denote the experiment of pickingr
at random and letting y be A(x
1 ;x
2
;:::;r). If S is a nite set then x S is the operation of
pickinganelementuniformlyfromS. If isneitheran algorithmnora setthenx isasimple
assignment statement. We say that y can be output by A(x
1 ;x
2
;::: ) ifthere is some r such that
A(x
1 ;x
2
;:::;r)=y.
Syntaxandconventions. Thesyntaxofanencryptionschemespecieswhatkindsofalgorithms
make it up. Formally,an asymmetric encryption scheme is given by a tripleof algorithms, PE =
(K ;E;D),where
K , the key generation algorithm, is a probabilistic algorithm that takes a security parameter
k 2Nand returns apair (pk;sk)of matchingpublic andsecret keys.
E, the encryption algorithm, is a probabilistic algorithm that takes a public key pk and a
message x2f0;1g
ciphertext ytoproduceeitheramessagex2f0;1g
oraspecialsymbol?toindicatethatthe
ciphertext was invalid.
We require that for all (pk;sk) which can be output by K (k), for all x 2 f0;1g
, and for all y
that can be output by E
pk
(x), we have that D
sk
(y)=x. We also requirethat K , E and D can be
computed in polynomial time. As the notation indicates, the keys are indicated as subscriptsto
thealgorithms.
Recall thata function:N!R isnegligible ifforevery constant c0 there existsaninteger
k c such that (k)k c for allk k c . 2.1 Framework
The formalizations that follow have a common framework that it mayhelp to see at a high level
rst. In formalizing both indistinguishability and non-malleability we regard an adversary A as
a pair of probabilisticalgorithms, A = (A
1 ;A
2
). (We will say that A is polynomial time if both
A
1
and A
2
are.) This correspondsto A runningintwo \stages." The exact purposeof eachstage
dependsontheparticularadversarialgoal,butforbothgoalsthebasicideaisthatintherststage
theadversary,giventhepublickey,seeksandoutputssome\testinstance,"andinthesecondstage
the adversary is issued a challenge ciphertext y generated as a probabilistic function of the test
instance,inamannerdependingonthegoal. (Inaddition A
1
can outputsomestate informations
thatwillbepassedtoA
2
.) AdversaryAissuccessfulifshepassesthechallenge,withwhat\passes"
meansagain dependingon thegoal.
We considerthree types ofattacks underthissetup.
In a chosen-plaintext attack (CPA) the adversary can encrypt plaintexts of her choosing. Of
coursea CPA is unavoidable inthe public-key setting: knowingthe publickey,an adversary can,
on her own, compute a ciphertext for any plaintext she desires. So in formalizing denitions of
securityunder CPA we \do nothing"beyond giving the adversary access to thepublic key; that's
already enoughto make aCPA implicit.
Ina non-adaptive chosen-ciphertextattack (CCA1)wegiveA
1
(thepublickeyand)accessto a
decryption oracle, butwedo notallowA
2
access to a decryption oracle. This is sometimescalled
a non-adaptive chosen-ciphertext attack, in thatthedecryption oracleis usedto generatethe test
instance,buttaken away beforethechallenge appears.
In an adaptive chosen-ciphertext attack (CCA2) we continue to give A
1
(the public key and)
accessto a decryptionoracle, butalso give A
2
accessto thesame decryptionoracle, with theonly
restriction that she cannot query the oracle on the challenge ciphertext y. This is an extremely
strongattackmodel.
As a mnemonic, the number i in CCAi can be regarded as the number of adversarial stages
during which she has access to a decryption oracle. Additionally,the biggernumber corresponds
to thestronger (andchronologicallylater) formalization.
By the way: we do notbother to explicitlygive A
2
the publickey, because A
1
hastheoption
of includingit ins.
2.2 Indistinguishability of Encryptions
Theclassicalgoal ofsecureencryption isto preservethe privacyofmessages: anadversary should
not be able to learn from a ciphertext information about its plaintext beyond the length of that
plaintext. We denea version of thisnotion, indistinguishabilityof encryptions(IND), following
[21 ,24 ],throughasimpleexperiment. AlgorithmA
1
1 0 1
we insistbe of thesame length,and thelastbeingstate information(possiblyincludingpk) which
she wants to preserve. A random one of x
0
and x
1
is now selected, say x
b . A \challenge" y is determined byencrypting x b under pk. It is A 2
's job to try to determine ify wasselected asthe
encryptionof x
0 orx
1
,namelyto determinethebit b. Tomake thisdeterminationA
2
is giventhe
saved state sand thechallenge ciphertext y.
For concision and clarity we simultaneously dene indistinguishability with respect to CPA,
CCA1, and CCA2. The only dierence lies in whether or not A
1
and A
2
are given decryption
oracles. We let the string atk be instantiated by any of the formal symbols cpa ;cca1;cca2, while
ATK is then the corresponding formal symbol from CPA;CCA1 ;CCA2. When we say O
i = ",
wherei2f1;2g, we mean O
i
is thefunctionwhich,on anyinput,returns theemptystring,".
Denition 2.1 [IND-CPA,IND-CCA1,IND-CCA2]LetPE=(K ;E;D) beanencryptionscheme
and letA=(A
1 ;A
2
) be an adversary. Foratk2fcpa;cca1;cca2gand k 2Nlet,
Adv ind- atk PE;A (k) = Pr[Exp ind- atk- 1 PE;A (k)=1] Pr[Exp ind- atk- 0 PE;A (k)=1] where, forb2f0;1g, Experiment Exp ind- atk- b PE;A (k) (pk;sk) R K (k); (x 0 ;x 1 ;s) A O1() 1 (pk); y E pk (x b ); d A O2() 2 (x 0 ;x 1 ;s;y) Returnd and
If atk=cpa then O
1
()=" and O
2 ()="
If atk=cca1 then O
1 ()=D sk () and O 2 ()="
If atk=cca2 then O
1 ()=D sk () and O 2 ()=D sk ()
Aboveitismandatedthatjx
0 j=jx
1
j. InthecaseofCCA2,wefurtherinsistthatA
2
doesnotaskits
oracletodecrypty. WesaythatPE issecureinthesenseofIND-ATKifAbeingpolynomial-time
impliesthatAdv ind- atk
PE;A
() isnegligible.
2.3 Non-Malleability
Notation. We will need to discuss vectors of plaintexts or ciphertexts. A vector is denoted in
boldface,asinx. Wedenotebyjxjthenumberofcomponentsinx,andbyx[i]thei-thcomponent,
so that x = (x[1];:::;x[jxj]). We extend the set membership notation to vectors, writing x 2 x
or x 62 x to mean, respectively, that x is inor is not in theset fx[i] : 1 i jxjg. It will be
convenient to extend the decryption notation to vectors with the understanding that operations
are performed componentwise. Thus x D
sk
(y ) is shorthand for the following: for 1 i jy j
dox[i] D
sk (y [i]).
We will consider relations of arity t where t will be polynomial in the security parameter k.
Rather thanwriting R (x
1 ;:::;x
t
) we writeR (x;x),meaning therst argument is specialand the
rest arebunchedinto avector x withjxj=t 1.
Idea. Thenotionofnon-malleabilitywasintroducedin[13 ],andrenedsubsequently. Thegoalof
the adversary, given a ciphertext y, is not(as with indistinguishability)to learnsomething about
its plaintext x, butonly to output a vector y of ciphertextswhose decryption x is \meaningfully
related" to x, meaning that R (x;x) holdsfor some relation R . The question is how exactly one
existsacertaintypeof\simulator"thatdoesjustaswellastheadversarybutwithout beinggiveny.
Here,we introducea novelformalization whichseems to usto be simpler. Our formalization does
notask forasimulator, butjustconsidersanexperimentinvolvingtheadversary. Itturnsoutthat
ournotionisequivalentto DDN's [7].
Our formalization. Let A = (A
1 ;A
2
) be an adversary. In the rst stage of the adversary's
attack, A
1
, given the public key pk, outputs a description of a message space, described by a
sampling algorithm M. The message space must be valid, which means that it gives non-zero
probability only to strings of some one particular length. In the second stage of the adversary's
attack, A
2
receives an encryption y of a random message, say x
1
, drawn from M. The adversary
then outputs a (description of a) relation R and a vector y (no component of which is y). She
hopesthatR (x;x)holds,wherex D
sk
(y ). Anadversary(A
1 ;A
2
)issuccessful ifshecando this
withaprobabilitysignicantlymore thanthatwithwhichR (x
0
;x) holdsforsome randomhidden
x
0 M.
Denition 2.2 [NM-CPA, NM-CCA1, NM-CCA2] Let PE = (K ;E;D) be an encryption scheme
and letA=(A
1 ;A
2
) be an adversary. Foratk2fcpa;cca1;cca2gand k 2Nlet,
Adv nm-atk PE;A (k) = Pr[Exp nm-atk- 1 PE;A (k)=1] Pr[Exp nm-atk- 0 PE;A (k)=1] where, forb2f0;1g, Experiment Exp nm-atk- b PE;A (k) (pk;sk) R K (k); (M;s) A O 1 () 1 (pk); x 0 ;x 1 M ; y E pk (x 1 ); (R ;y ) A O2() 2 (M;s;y); x D sk (y ); If y62y^?62x^R (x b ;x) thend 1;elsed 0; Returnd and
If atk=cpa then O
1
()=" and O
2 ()="
If atk=cca1 then O
1 ()=D sk () and O 2 ()="
If atk=cca2 then O
1 ()=D sk () and O 2 ()=D sk ()
We insist,above,thatM is valid: jxj=jx 0
jforanyx;x 0
thataregiven non-zeroprobabilityinthe
messagespaceM. InthecaseofCCA2,wefurtherinsistthatA
2
doesnotaskitsoracletodecrypt
y. We say that PE is secure in the sense of NM-ATK if for every polynomial p(k): if A runs in
time p(k), outputs a (valid) message space M samplable in time p(k), and outputs a relation R
computableintime p(k), thenAdv nm-atk
PE;A
() isnegligible.
The condition that y 62 y is made in order to not give the adversary credit for the trivial and
unavoidable action of copying thechallenge ciphertext. Otherwise, she could output the equality
relation R , where R (a;b) holdsi a= b, and output y = (y), and be successful with probability
one. We also declare the adversary unsuccessful when some ciphertext y [i] does nothave a valid
decryption(thatis,?2x),becauseinthiscase,thereceiverissimplygoingtorejecttheadversary's
message anyway. The requirement that M is valid is important; it stems from the fact that
We state more precisely the results summarized in Figure1 and provide proofs. As mentioned
before, we summarize only the main relations (the ones that require proof); all other relations
followascorollaries.
3.1 Results
Therst result,that non-malleabilityimpliesindistinguishabilityunderanytypeof attack, wasof
courseestablishedby[13 ]inthecontext oftheirdenitionofnon-malleability,butsincewehave a
newdenitionof non-malleability,weneedto re-establishit. The (simple)proofof thefollowingis
inSection3.3 .
Theorem 3.1 [NM-ATK) IND- ATK] If a scheme PE issecure inthe senseof NM- ATKthen
PE is secureinthesenseof IND-ATK, foranyattack ATK2fCPA;CCA1 ;CCA2g.
Remark 3.2 Recall that the relation R in Denition 2.2 was allowed to have any polynomially
boundedarity. However,theabovetheoremholdsevenunderaweakernotionofNM- ATKinwhich
therelationR is restrictedto have arity two.
The proofof thefollowingis inSection3.4 .
Theorem 3.3 [IND-CCA2 ) NM- CCA2] If a scheme PE is secure in the sense of IND- CCA2
thenPE issecureinthe senseof NM- CCA2.
Remark 3.4 Theorem 3.3 coupled with Theorem 3.1 and Remark 3.2 says that in the case of
CCA2 attacks, itsuÆces to considerbinary relations,meaning thenotionofNM- CCA2 restricted
to binaryrelations isequivalentto thegeneral one.
Nowweturntoseparations. Adaptivechosen-ciphertextsecurityimpliesnon-malleabilityaccording
to Theorem3.3 . In contrast, thefollowing says thatnon-adaptive chosen-ciphertext security does
not implynon-malleability. Theproofis inSection3.5.
Theorem 3.5 [IND-CCA16)NM- CPA] If there exists an encryption scheme PE which is secure
inthesenseof IND- CCA1,thenthereexistsanencryptionschemePE 0
whichissecureinthesense
of IND-CCA1 butwhichis notsecureinthe senseof NM- CPA.
Now one can ask whether non-malleability implieschosen-ciphertext security. The following says
it does not even implythe non-adaptive form of thelatter. (As a corollary, it certainly doesnot
implytheadaptiveform.) The proofis inSection3.6 .
Theorem 3.6 [NM-CPA 6)IND- CCA1] If there exists an encryption scheme PE which is secure
inthesenseof NM- CPA,thenthere existsan encryption scheme PE 0
whichis secureinthesense
of NM- CPA butwhich isnotsecure inthesenseof IND- CCA1.
Now the only relation that does not immediately follow from the above results or by a trivial
reduction is that the version of non-malleabilityallowing CCA1 does not imply the version that
allows CCA2. SeeSection3.7forthe proofof thefollowing.
Theorem 3.7 [NM-CCA16)NM- CCA2] Ifthere existsanencryptionschemePE whichissecure
inthesenseof NM- CCA1,thenthereexistsanencryptionschemePE 0
whichissecureinthesense
For relations R which could be of arbitrary arity we use the simplifying notation R (a;b) as a
shorthand for R (a;b) when it is clear that b[1] = b and jbj = 1. We let a denote the bitwise
complement(namely thestringobtainedby ippingeach bit) of a.
For an IND-ATK adversary A=(A
1 ;A
2
) we will,whenever convenient,assume that the
mes-sages x 0 ;x 1 that A 1
outputs are distinct. Intuitively thiscannot decrease the advantage because
the contribution to the advantage in case they are equal is zero. Actually one has to be a little
careful. TheclaimwillbethatwecanmodifyAtomakesurethattheoutputmessagesaredistinct,
andonehastobecarefulto makesurethatwhenAoutputsequalmessagesthemodiedadversary
doesnotgetanyadvantage, sothattheadvantageof themodiedadversary isthesame asthatof
theoriginalone. Forcompletenesswe encapsulatetheclaim inthefollowingproposition.
Proposition 3.8 Let A = (A
1 ;A
2
) be any adversary attacking encryption scheme PE in the
senseof IND- ATK. Then there existsanother adversary B =(B
1 ;B
2
) attacking PE in thesense
of IND-ATK such that the two (equal length) messages that B
1
outputs are always distinct,
Adv ind-atk PE;B (k)=Adv ind-atk PE;A
(k),and therunningtime ofB iswithina constant factor ofthat ofA.
Proof: Adversaries A and B have access to an oracle O
1
in their rst stage and an oracle O
2 in
their second stage, these oracles being instantiated according to the attack ATK as described in
thedenitions. Theadversary B=(B
1 ;B 2 ) is asfollows: AlgorithmB O 1 1 (pk) (x 0 ;x 1 ;s) A O 1 1 (pk) ifx 0 6=x 1 thend 0 elsed 1 x 0 0 x 0 ; s 0 skd ifd=0 thenx 0 1 x 1 elsex 0 1 x 0 return(x 0 0 ;x 0 1 ;s 0 ) AlgorithmB O 2 2 (x 0 0 ;x 0 1 ;s 0 ;y) where s 0 =skd if d=0 thenc A O 2 2 (x 0 0 ;x 0 1 ;s;y) elsec f0;1g returnc
Note that by dening x 0
0 ;x
0
1
this way we always have x 0
0 6= x
0
1
. Also note that when x
0 = x 1 we have B 2
outputa randombitc to make sureits advantage inthatcase iszero.
It is easy to see that the running time of B is within a constant factor of that of A. Now we
claim that Adv ind-atk
PE;B
(k) =Adv ind-atk
PE;A
(k). To justify this, considerthe experimentsunderlyingthe
denitionsof theadvantages ofA and B,respectively:
Experiment1 def = (pk;sk) K (k); (x 0 ;x 1 ;s) A 1 (pk); b f0;1g; y E pk (x b ); c A O 2 2 (x 0 ;x 1 ;s;y) Experiment2 def = (pk;sk) K (k); (x 0 ;x 1 ;s) A 1 (pk); b f0;1g; y E pk (x b ); c B O 2 2 (x 0 0 ;x 0 1 ;skd;y):
In thelastexperiment,x 0
0 ;x
0
1
;d are dened interms ofx
0 ;x
1
asperthe code ofB
1
. Let Pr
1 []=
Pr[Experiment1 : ]betheprobabilityfunctionunderExperiment1andPr
2
[]=Pr[Experiment2: ]
bethat underExperiment2. By denition
Adv ind-atk PE;A (k) = 2Pr 1 [b=c] 1 and Adv ind-atk PE;B (k) = 2Pr 2 [b=c] 1:
Thusit suÆces to show that Pr
1
[b=c]=Pr
2
[b=c]. Let E denote the event that x
0 =x
1 , or,
equivalently,that d=1. Then
Pr 1 [b=c] = Pr 1 [b=c j E]Pr 1 [E]+Pr 1 h b=c j E i Pr 1 h E i Pr 2 [b=c] = Pr 2 [b=c j E]Pr 2 [E]+Pr 2 h b=c j E i Pr 2 h E i :
1 2
Pr
1
[E]=Pr
2
[E]since E dependsonlyon A
1 .
Pr
1
[b=c j E]=1=2 because when E is true,A
2
has no informationaboutb. Onthe other
handPr
2
[b=c j E]=1=2 becausewhen E istrue we have B
2
output a randombit.
Pr 1 h b=c j E i =Pr 2 h b=c j E i
becauseinthiscasetheexperimentsarethesame,namely
weare lookingat theoutput ofA
2 .
Thiscompletes theproof of Proposition3.8.
3.3 Proof of Theorem 3.1: NM- ATK)IND- ATK
WeareassumingthatencryptionschemePE issecureintheNM- ATKsense. Wewillshowitisalso
secureintheIND- ATKsense. LetB =(B
1 ;B
2
)beaIND- ATKadversary attackingPE. Wewant
toshowthatAdv ind-atk
PE;B
()isnegligible. Tothisend,wedescribeaNM- ATKadversaryA=(A
1 ;A
2 )
attacking PE. AdversariesA and B have accessto an oracle O
1
in theirrst stage and an oracle
O
2
intheir second stage, these oracles being instantiated according to the attack ATKasperthe
denitions. Recallthatz denotesthebitwise complement of astring z.
AlgorithmA O 1 1 (pk) (x 0 ;x 1 ;s) B O 1 1 (pk) M :=fx 0 ;x 1 g s 0 (x 0 ;x 1 ;pk;s) return(M;s 0 ) AlgorithmA O 2 2 (M;s 0 ;y)where s 0 =(x 0 ;x 1 ;pk;s) c B O 2 2 (x 0 ;x 1 ;s;y) y 0 E pk (x c ) return(R ;y 0 ) whereR (a;b)=1 ia=b ThenotationM :=fx 0 ;x 1
gmeansthatM isbeingassignedtheprobabilityspacewhichassignsto
each of x 0 and x 1 a probabilityof 1=2. A O 2 2
outputs (the descriptionof) the complement relation
R ,whichforanyargumentsa;bis 1 ifa=band 0 otherwise.
We considertheadvantageof A,given by
Adv nm-atk PE;A (k) = Pr[Exp nm-atk- 1 PE;A (k)=1] Pr[Exp nm-atk- 0 PE;A (k)=1] where Exp nm-atk-1 PE;A (k) def = h (pk;sk) K (k); (M;s 0 ) A O 1 1 (pk); x M ; y E pk (x); (R ;y 0 ) A O 2 2 (M;s 0 ;y); x 0 D sk (y 0 ): y6=y 0 ^?6=x 0 ^R (x;x 0 ) i Exp nm-atk-0 PE;A (k) def = h (pk;sk) K (k); (M;s 0 ) A O 1 1 (pk); x;x~ M ; y E pk (x); (R ;y 0 ) A O 2 2 (M;s 0 ;y); x 0 D sk (y 0 ): y6=y 0 ^?6=x 0 ^R (~x;x 0 ) i :
The advantage of B is givenbyAdv ind- atk PE;B (k)=2Pr[Exp ind-atk- b PE;B (k)=b] 1,where Exp ind- atk- b PE;B (k) def = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) B O1 1 (pk); b f0;1g ; y E pk (x b ); c B O 2 2 (x 0 ;x 1 ;s;y): c=b i :
By Proposition3.8 we mayassume here, withoutloss of generality, that we always have x
0 6=x
1 .
Claim1: Pr[Exp
PE;A
(k)=1]=Pr[Exp
PE;B
(k)=b].
Proof: LookrstatthecodeofA
2 . NotethatR (x;x 0 ) istruei D sk (y)=x c
. Alsonotethatwhen
R (x;x 0
) istrue it must be that x 6=x 0
and hence, by the unique decryptabilityof the encryption
scheme,that y6=y 0
. Alsowe alwayshave ?6=x 0
.
Now, considerExp
ind-atk- b
PE;B
(k). An important observation is thatD
sk
(y)=x
c
i b=c. (Thisuses
thefact that x
0 6=x
1
, and would notbe true otherwise.) Now one can put thistogether withthe
above and see that b=c intheexperiment underlyingp
k exactly when y6=y 0 ^?6=x 0 ^R (x;x 0 )
intheexperimentExp
nm-atk-1 PE;A (k). 2 Claim2: Pr[Exp nm-atk- 0 PE;A (k)=1]=1=2.
Proof: This follows from an informationtheoretic fact, namely that A has no information about
themessage x~ withrespectto whichits success ismeasured.2
Nowwe can applytheclaimsto getAdv ind-atk
PE;B
(k)=2Adv nm-atk
PE;A
(k). ButsincePE issecureinthe
NM- ATKsensewe know that Adv nm-atk
PE;A
() is negligible,and hence theabove impliesAdv ind-atk
PE;B ()
isnegligibletoo. Thisconcludes the proofof Theorem3.1 .
The claimof Remark 3.2isclear fromtheabove becausethe relationR output byA isbinary.
3.4 Proof of Theorem 3.3: IND-CCA2)NM- CCA2
We are assuming that encryption scheme PE is secure in the IND- CCA2 sense. We show it is
also secure intheNM- CCA2 sense. The intuition is simple: sincetheadversary hasaccess to the
decryption oracle, she can decrypt theciphertexts she would output,and so theabilityto output
ciphertextsis notlikelyto add power.
For the proof, let B = (B
1 ;B
2
) be an NM- CCA2 adversary attacking PE. We must show
that Adv nm-cca2
PE;B
() is negligible. To this end, we describe an IND-CCA2 adversary A = (A
1 ;A 2 ) attacking PE. AlgorithmA D sk 1 (pk) (M;s) B D sk 1 (pk) x 0 M ; x 1 M s 0 (M;s) return (x 0 ;x 1 ;s 0 ) AlgorithmA D sk 2 (x 0 ;x 1 ;s 0 ;y) wheres 0 =(M;s) (R ;y ) B D sk 2 (M;s;y); x D sk (y ) if (y62y^?62x^R (x 0 ;x)) thend 0 elsed f0;1g returnd
NoticeAispolynomialtimeundertheassumptionthattherunningtimeofB,thetimetocompute
R , and thetime to sample from M areall boundedbya xed polynomialink. The advantage of
A isgiven byAdv ind- cca2 PE;A (k)=p k (0) p k
(1)where forb2f0;1g we let
p k (b) = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s 0 ) A D sk 1 (pk); y E pk (x b ): A D sk 2 (x 0 ;x 1 ;s 0 ;y)=0 i :
Also forb2f0;1g we let
p 0 k (b) = Pr h (pk;sk) K (k); (M;s) B D sk 1 (pk); x 0 ;x 1 M ; y E pk (x b ); (R ;y ) B D sk 2 (M;s;y); x D sk (y ): y62y^?2= x^R (x 0 ;x) i :
Nowobserve that A
2
mayreturn0 either when xis R -related to x
0
orasa result of thecoin ip.
Continuing withtheadvantagethen,
Adv ind-cca2 PE;A (k)=p k (0) p k (1) = 1 2 [1+p 0 k (0)] 1 2 [1+p 0 k (1)]= 1 2 [p 0 k (0) p 0 k (1)]
2 1 x 0 , is exactly Pr[Exp nm-cca2-0 PE;B
(k)=1]. On the other hand, in case it is x
0 , we are looking at Pr[Exp nm-cca2-1 PE;B (k)=1]. Adv nm-cca2 PE;B (k) = p 0 k (0) p 0 k (1) = 2Adv ind-cca2 PE;A (k):
But we know that Adv ind- cca2
PE;A
() is negligible because PE is secure inthe sense of IND- CCA2. It
follows thatAdv nm- cca2
PE;B
() isnegligible, asdesired.
3.5 Proof of Theorem 3.5: IND-CCA16)NM- CPA
Assume there exists some IND- CCA1 secure encryption scheme PE = (K ;E;D), since otherwise
thetheorem is vacuouslytrue. We now modifyPE to anew encryption scheme PE 0 =(K 0 ;E 0 ;D 0 )
whichisalso IND- CCA1securebutnotsecureintheNM- CPA sense. Thiswillprove thetheorem.
The newencryption scheme PE 0 =(K 0 ;E 0 ;D 0
)is denedasfollows. Here xdenotesthebitwise
complementof stringx, namely thestringobtained by ippingeach bit ofx.
AlgorithmK 0 (k) (pk;sk) K (k) return(pk;sk) AlgorithmE 0 pk (x) y 1 E pk (x); y 2 E pk (x) returny 1 ky 2 AlgorithmD 0 sk (y 1 ky 2 ) returnD sk (y 1 )
In otherwords,a ciphertextinthe newscheme is a pairy
1 ky
2
consistingof theencryption ofthe
messageand itscomplement. Indecrypting,thesecond componentisignored. It isnowquiteeasy
to seethat:
Claim 3.9 PE 0
isnotsecure intheNM- CPA sense.
Proof: Given aciphertext y
1 ky
2
ofamessage x,itiseasyto create aciphertextof x: justoutput
y
2 ky
1
. Thus, thescheme ismalleable.
Formally,wecan specifyapolynomialtimeadversary A=(A
1 ;A 2 )thatbreaksPE 0 inthesenseof
NM- CPA,withprobabilityalmostone,asfollows. A
1
(pk)outputs(M;)whereM putsauniform
distribution on f0;1g k . Then algorithm A 2 (M;;y 1 ky 2 ) outputs (R ;y 2 ky 1 ) where R describes
thebinary relationdened by R (m
1 ;m 2 )=1i m 1 =m 2
. It is easy to see that theplaintext, x 0
,
correspondingto theciphertext that Aoutputsis R -relatedto x withprobability1. Observe that
theprobabilityofsomerandomplaintextx~beingR -relatedtox 0 isatmost2 k . ThusAdv nm-cpa PE 0 ;A (k) is1 2 k
whichisnotnegligible. (Infactitiscloseto one.) Hence Aisasuccessfuladversary and
thescheme is notsecureinthesenseof NM- CPA.
Ontheotherhand, ahybridargumentestablishesthat PE 0
retainstheIND- CCA1securityof PE:
Claim 3.10 PE 0
is secureinthesenseof IND- CCA1.
Proof:LetB =(B
1 ;B
2
)besomepolynomialtimeadversaryattackingPE 0
intheIND- CCA1sense.
We want to show that Adv ind-cca1
PE 0
;B
(k) is negligible. To do so, consider the following probabilities,
denedfori;j 2f0;1g: p k (i;j) = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) B D sk 1 (pk); y 1 E pk (x i ); y 2 E pk (x j ): B 2 (x 0 ;x 1 ;s;y 1 ky 2 )=1 i :
We know that Adv ind-cca1 PE 0 ;B (k) = p k (1;1) p k
(0;0). The following lemmas state that, under our
assumption that PE is IND- CCA1-secure, it must be that the dierences p
k
(1;1) p
k
k k Adv ind-cca1 PE 0 ;B (k) = p k (1;1) p k (0;0) = [p k (1;1) p k (1;0)]+[p k (1;0) p k (0;0)];
beingthesum oftwo negligiblefunctions,willbenegligible. Soitremainsto (stateand)provethe
lemmas. Lemma1: p k (1;1) p k (1;0) isnegligible.
Proof: We canconstruct anadversary A=(A
1 ;A
2
) thatattacks thescheme PE intheIND- CCA1
sense, asfollows: AlgorithmA D sk 1 (pk) (x 0 ;x 1 ;s) B D 0 sk 1 (pk) m 0 x 0 ; m 1 x 1 return(m 0 ;m 1 ;s) AlgorithmA 2 (m 0 ;m 1 ;s;y) y 1 E pk (m 1 ); y 2 y d B 2 (m 0 ;m 1 ;s;y 1 ky 2 ) returnd The computation B D 0 sk 1 (pk) is done by A 1 simulating the D 0 sk
oracle. It can do this by replying
to query y 1 ky 2 via D sk (y 1
), usingits own D
sk
oracle and the denitionof D 0
sk
. Thisadversary is
polynomialtime. One can nowcheckthefollowing:
Pr h (pk;sk) K (k); (m 0 ;m 1 ;s) A D sk 1 (pk); y E pk (m 1 ): A 2 (m 0 ;m 1 ;s;y)=1 i = p k (1;1) Pr h (pk;sk) K (k); (m 0 ;m 1 ;s) A D sk 1 (pk); y E pk (m 0 ): A 2 (m 0 ;m 1 ;s;y)=1 i = p k (1;0) ThusAdv ind-cca1 PE;A (k)=p k (1;1) p k
(1;0). The assumedsecurityofPE intheIND-CCA1 sensenow
impliesthelatterdierence isnegligible.2
Lemma2: p
k
(1;0) p
k
(0;0) isnegligible.
Proof: We canconstruct anadversary A=(A
1 ;A
2
) thatattacks thescheme PE intheIND- CCA1
sense, asfollows: AlgorithmA D sk 1 (pk) (x 0 ;x 1 ;s) B D 0 sk 1 (pk) return(x 0 ;x 1 ;s) AlgorithmA 2 (x 0 ;x 1 ;s;y) y 1 y and y 2 E pk (x 0 ) d B 2 (x 0 ;x 1 ;s;y 1 ky 2 ) returnd
Again A ispolynomialtimeand can simulate D 0 sk given D sk . Weobserve that Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) A D sk 1 (pk); y E pk (x 1 ): A 2 (x 0 ;x 1 ;s;y)=1 i = p k (1;0) Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) A D sk 1 (pk); y E pk (x 0 ): A 2 (x 0 ;x 1 ;s;y)=1 i = p k (0;0) ThusAdv ind-cca1 PE;A (k)=p k (1;0) p k
(0;0). The assumedsecurityofPE intheIND-CCA1 sensenow
impliesthelatterdierence isnegligible.2
Thiscompletes theproof of Claim3.10 .
Remark 3.11 WecouldhavegivenasimplerschemePE 0
thantheoneabovethatwouldbesecure
intheIND- CCA1sensebutnotintheNM- CPAsense. LetK 0 beasabove,letE 0 pk (x) ykbwhere y E pk (x)andb f0;1gandD 0 sk (bky) D sk
(y). ThemalleabilityofPE 0
This is allowed by Denition2.2 since the onlyrestriction is that the vector of ciphertexts y the
adversary outputsshouldnotcontain ykb. However, thedenitionof[13 ] didnotallow this,and,
in order to have a stronger separation result that also applies to theirnotion, we gave the above
more involved construction.
3.6 Proof of Theorem 3.6: NM- CPA 6)IND-CCA1
Let'srstbackupabitand providesome intuitionaboutwhythetheorem mightbetrueandhow
we can prove it.
Intuitionandfirstattempts. Atrstglance,onemightthinkNM- CPAdoesimplyIND- CCA1
(orevenIND- CCA2), forthefollowingreason. Supposean adversary hasa decryptionoracle, and
isaskedto tellwhetheragivenciphertextyistheencryptionofx
0 orx 1 ,wherex 0 ;x 1 aremessages
shehaschosenearlier. Sheisnotallowedto callthedecryptionoracleon y. Itseemsthentheonly
strategyshecould have isto modifyy to somerelated y 0
,callthe decryptionoracleon y 0
,and use
the answer to somehow help her determine whether the decryption of y was x
0 orx
1
. But ifthe
schemeisnon-malleable,creating ay 0
meaningfullyrelatedto yisnotpossible,sotheschememust
bechosen-ciphertextsecure.
Thereasoningaboveisfallacious. The awisinthinkingthattotellwhethery isanencryption
ofx
0 orx
1
,onemustobtainadecryptionofaciphertexty 0
relatedtothechallengeciphertexty. In
fact, what can happen is thatthere are certain stringswhosedecryption yieldsinformationabout
thesecret keyitself,yet thescheme remainsnon-malleable.
The approach to prove the theorem is to modifya NM- CPA scheme PE =(K ;E;D) to a new
scheme PE 0 =(K 0 ;E 0 ;D 0
)whichis also NM- CPA butcan bebroken under anon-adaptive
chosen-ciphertext attack. (We can assume a NM- CPA scheme exists since otherwisethere is nothingto
prove.) A rst attempt to implement the above idea (of having the decryption of certain strings
carryinformationaboutthesecretkey)isstraightforward. Fixsome ciphertext unotintherange
of E and dene D 0
sk
(u) =sk to return the secret key whenever it is given thisspecial ciphertext.
In all other aspects, the new scheme is the same as the old one. It is quite easy to see that this
scheme fallsto a (non-adaptive) chosen-ciphertext attack, because the adversary need only make
query u of its decryption oracle to recover the entire secret key. The problem is that it is notso
easy to tellwhether thisscheme remainsnon-malleable. (Actually,we don'tknowwhether itisor
not, butwe certainly don'thave a proofthat itis.)
As this example indicates, it is easy to patch PE so that it can be broken in the sense of
IND- CCA1; what we need is that it also be easy to prove that it remains NM-CPA secure. The
idea of ourconstruction belowis to usea level of indirection: sk is returnedbyD 0
inresponseto
a query v which isitself a randomstring that can onlybeobtained byqueryingD 0
at some other
known point u. Intuitively, this scheme will be NM- CPA secure since v will remain unknown to
theadversary.
Our construction. Given a non-malleable encryption scheme PE =(K ;E;D) we dene a new
encryptionscheme PE 0 =(K 0 ;E 0 ;D 0 )asfollows: AlgorithmK 0 (k) (pk;sk) K (k) u;v f0;1g k pk 0 pkku sk 0 skkukv return(pk 0 ;sk 0 ) AlgorithmE 0 pkku (x) y E pk (x) return0ky AlgorithmD 0 skkukv (bky) whereb2f0;1g if b=0 thenreturnD sk (y)
elseif y=u thenreturnv
elseif y=v returnsk
Analysis. The proof of Theorem3.6 is completed by establishing that PE is vulnerable to a
IND- CCA1 attack butremainsNM-CPA secure.
Claim 3.12 PE 0
is notsecureinthesenseof IND- CCA1.
Proof: The adversary queriesD 0
skkukv
() at 1ku to get v, and then queries it at the point 1kv,
to getsk. At thispoint,knowingthesecret key,shecan obviouslyperformthedistinguishingtask
we laterrequireof her.
If you wish to see it more formally, the nd stage A
1
of the adversary gets pk as above and
outputsany two distinct,equal length messagesx
0 ;x
1
. In the next stage, it receives a ciphertext
0ky E 0
pkku (x
b
) where b wasa random bit. Now it can compute D
sk
(y) to recover the message
and thusdetermineb withprobabilityone. It isobviouslypolynomialtime.
Remember thatPE is assumed secure in thesense of NM- CPA. We will use thisto establish the
following:
Claim 3.13 PE 0
is secureinthesenseof NM- CPA.
Proof: To prove this claim we consider a polynomial time adversary B attacking PE 0
in the
NM- CPA sense. We want to show that Adv nm- cpa
PE 0
;B
() is negligible. To do this, we construct an
adversary A=(A
1 ;A
2
)that attacks PE intheNM- CPA sense. Theidea isthatA can runB asa
subroutineand simulate thechoosingofu;v by thekeygenerationalgorithm K 0 forB. AlgorithmA 1 (pk) u;v f0;1g k pk 0 pkku (M;s) B 1 (pk 0 ) s 0 (s;u;v;pk) return(M;s 0 ) AlgorithmA 2 (M;s 0 ;y) where s 0 =(s;u;v;pk) (R ;z) B 2 (M;s;0ky)
for1ijzj do parse z[i]asb
i kz i where b i is abit for1ijzj do if b i =0 theny [i] z i elseif (b i =1) ^ (z i =u)theny [i] E pk (v) elsey [i] y return(R ;y )
We now denetwo experiments. The rst is the one under which Adv nm-cpa
PE;A
(k) is evaluated, and
thesecond isthe one underwhich Adv nm- cpa PE 0 :B (k) is evaluated: Experiment1 def = (pk;sk) K (k); (M;(s;u;v;pk)) A 1 (pk); x;x~ M ; y E pk (x); (R ;y ) A 2 (M;(s;u;v;pk);y); x D sk (y ) Experiment2 def = (pkku;skkukv) K 0 (k); (M;s) B 1 (pkku); x;x~ M ; 0ky E 0 pkku (x); (R ;z) B 2 (M;s;0ky); w D 0 skkukv (z): Let Pr 1
[] = Pr[Experiment1: ] be the probability function under Experiment1 and Pr
2 [] =
Pr[Experiment2 : ]be thatunderExperiment2 . LetE
1 ,E
2
,and E
3
be thefollowingevents:
E 1 def = 8i: (b i =0)_(b i =1^z i =u) E 2 def = 9i: (b i =1^z i =v^u6=v) E 3 def = 9i: (b i =1^z i 6=u^z i 6=v)
p(1;j) = Pr 1 [y62y^?62x^R (x;x) j E j ] Pr 1 [y62y^?62x^R (~x;x) j E j ] p(2;j) = Pr 2 [0ky62z^?62w^R (x;w ) j E j ] Pr 2 [0ky62z^?62w^R (~x;w ) j E j ] : By conditioningwehave: Adv nm-cpa PE;A (k) = P 3 j=1 p(1;j)Pr 1 [E j ] Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)Pr 2 [E j ]:
We now upper bound Adv nm- cpa PE 0 ;B (k) in terms of Adv nm- cpa PE;A
(k) by a series of lemmas. The rst
observation isthat theprobabilityofourthree eventsisthe same inbothexperiments.
Lemma1: Pr 1 [E j ]=Pr 2 [E j ]forj=1;2;3.
Proof: These eventsdependonlyon thekeys and B.2
Letq beapolynomialwhichboundstherunningtimeofB. Inparticularwecanassumejzj<q(k).
Lemma2: p(2;1) p(1;1)+q(k)2 k . Proof: By event E 1 every z[i]=b i kz i haseither(b i =0) or(b i =1^z i =u). If b i
=0 thenA willoutput z
i
inExperiment1 ,whileB would beoutputting0kz
i in Experiment2 . But D 0 skkukv (0kz i )=D sk (z i ),and furthermorey =z i
(the challenge to A is equalto this
compo-nent ofA's output)i 0ky =0kz
i
(thechallenge to B is equalto thiscomponent ofB'soutput).
ThusA properlysimulatesB.
If b i =1 and z i =u then D 0 skkukv (b i kz i
) =v is randomand independent of theexecution of B.
To\simulate"itwehaveAoutputan encryptionofrandomv. But,Awillonlybesuccessfulifthe
createdciphertextisdierentfromy. Theprobabilityofthisnothappeningcanbeupperbounded
by the probability that v = D
sk
(y), which is at most 2 k
. The worst case in this event is when
8i: (b
i
=1^z
i
=u). Since jzj q(k), the probability, under thisevent, that A doesnot match
theadvantageof B,is at mostq(k)2 k .2 Lemma3: Pr 1 [E 2 ] q(k)2 k .
Proof: B has no information about v since the latter was chosen independentlyof its execution,
and also uhas a2 k
chance ofequalingv. TheLemma followssincejzj <q(k).2
Lemma4: p(1;3)=p(2;3)=0.
Proof: When event E
3
happensinExperiment1 , one of theciphertextsy [i]that A
2
outputsequals
y and hence there is no contribution to the success probability. When event E
3
happens in
Experiment2 , thedenitionof D 0
skkukv
says that thedecryption ofsome z[i]is ?and hence again
thereisnocontributiontothesuccessprobability. Inotherwords,inbothcases,thereisnosuccess
ineither the\real"orthe\random" experiment.2
FromLemmas 1,2,3,4 we get
Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)Pr 1 [E j ] q(k)2 k + p(1;1)Pr 1 [E 1 ] + p(2;2)Pr 1 [E 2 ] + p(1;3)Pr 1 [E 3 ] q(k)2 k + p(1;1)Pr 1 [E 1 ] + p(1;2)Pr 1 [E 2 ] + p(1;3)Pr 1 [E 3 ]
1 2 q(k)2 k + P 3 j=1 p(1;j)Pr 1 [E j ] + Pr 1 [E 2 ] 2q(k)2 k + Adv nm-cpa PE;A (k):
Theassumption thatPE issecureinthesenseof NM- CPA impliesthatAdv nm-cpa
PE;A
(k) isnegligible,
and henceit followsthat Adv nm- cpa
PE 0
;B
(k) isnegligible.
3.7 Proof of Theorem 3.7: NM- CCA1 6)NM- CCA2
The approach, as before, is to take a NM- CCA1 secure encryption scheme PE = (K ;E;D) and
modifyit to a new encryption scheme PE 0 =(K 0 ;E 0 ;D 0
) which is also NM-CCA1 secure, but can
bebroken intheNM-CCA2 sense.
Intuition. Notice that the construction of Section 3.6 will no longer work, because the scheme
constructed there, notbeingsecure inthe senseof IND-CCA1, willcertainly not be secure inthe
senseof NM- CCA1, for thesame reason: the adversary can obtainthedecryption key inthe rst
stage using a coupleof decryption queries. Our task thistime is more complex. We want queries
made in the second stage, after the challenge is received, to be important, meaning they can be
usedtobreakthescheme,yet,somehow, queriesmadeintherststagecannotbeusedtobreakthe
scheme. This meanswe can no longer relyon a simplisticapproach of revealing thesecret keyin
responsetocertainqueries. Instead,the\breaking"queriesinthesecond stagemustbeafunction
ofthechallengeciphertext,andcannotbemadeinadvanceofseeingthisciphertext. Weimplement
thisideabya \tagging"mechanism. Thedecryptionfunctioniscapableof taggingaciphertextso
asto be able to \recognize"it ina subsequent query, and reveal inthat stage informationrelated
specically to the ciphertext, but not directly to the secret key. The tagging is implemented via
pseudorandomfunctionfamilies.
Our construction. LetPE =(K ;E;D) bethe given NM- CCA1secure encryptionscheme. Fix
a family F = fF k
: k 1g of pseudorandom functions as per [20 ]. (Notice that this is not
an extra assumption. We know that the existence of even a IND- CPA secure encryption scheme
impliesthe existence of a one-wayfunction [23 ] whichin turn impliestheexistence of a family of
pseudorandom functions [22 , 20 ].) Here each F k = fF K : K 2 f0;1g k g is a nite collection in
which each key K 2 f0;1g k
indexes a particular function F
K : f0;1g k ! f0;1g k . We dene the
new encryptionscheme PE 0 =(K 0 ;E 0 ;D 0
) asfollows. Recall that"is theemptystring.
AlgorithmK 0 (k) (pk;sk) K (k) K f0;1g k sk 0 skkK return(pk;sk 0 ) AlgorithmE 0 pk (x) y E pk (x) return0kyk" AlgorithmD 0 skkK (bkykz) where bis abit if (b=0) ^(z=") thenreturnD sk (y)
elseif(b=1) ^ (z=") thenreturnF
K (y) elseif(b=1) ^ (z=F K (y))returnD sk (y) elsereturn?
Analysis. The proof of Theorem3.7 is completed by establishing that PE 0
is vulnerable to a
NM- CCA2attackbutremainsNM-CCA1 secure.
Claim 3.14 PE 0
is notsecureinthesenseof NM- CCA2.
Proof: The idea is that while the adversary may not ask for the decryption of the challenge
ciphertext 0kyk"in its second stage, it mayask for the decryptionof 1kykF
K
(y). This is infact
exactly the decryption of 0kyk". The adversary rst needs to compute F
K
(y) withoutaccess to
1 2
space M consisting oftwo distinct stringsx
0 ;x
1
,each havingprobability1=2. A
2
,given challenge
ciphertext 0kyk", makes query 1kyk" to get F
K
(y), and outputs (R ;Z) where R (a;b) = 1 i
a = b is the equality relation, and Z = 1kykF
K
(y). Notice that Z 6= 0kyk" so this is a valid
output, but D 0 skkK (Z) = D 0 skkK (0kyk") so Pr[Exp nm-cca2-1 PE;A
(k)=1] = 1. On the other hand,
Pr[Exp nm-cca2-0 PE;A (k)=1]1=2. So Adv nm- cca2 PE;A
(k)1=2,whichis certainlynotnegligible.
RememberthatPE isassumed secureinthesenseofNM- CCA1. We willusethisto establishthe
following:
Claim 3.15 PE 0
is secureinthesenseof NM- CCA1.
Letusrstgivesome intuitionandthentheproof. Thekeypoint isthattodefeatthescheme,the
adversary mustobtainF
K
(y) where 0kyk"is thechallenge. However, to do thisshe requiresthe
decryption oracle. This is easy for an NM- CCA2 adversary but not for an NM- CCA1 adversary,
which hasadecryption oracleavailableonlyintherst stage,when y isnotyet known. Once y is
provided(in thesecond stage) the possibilityofcomputingF
K
(y) issmallbecause thedecryption
oracle is no longer available to give it for free, and the pseudorandomness of F makes it hard to
computeon one's own.
Proof of Claim 3.15 : Toprovethisclaim we considerapolynomialtimeadversaryB attacking
PE 0
in the NM-CCA1 sense. We want to show that Adv nm-cca1
PE 0
;B
() is negligible. To do this, we
considerthe following adversary A =(A
1 ;A
2
) attacking PE in the NM- CCA1sense. The idea is
thatAcanchoosethekeyKforthekeygenerationalgorithmK 0
ofB andthusprovideasimulation
of thedecryptionoracle ofB.
AlgorithmA D sk 1 (pk) K f0;1g k (M;s) B D 0 skkK 1 (pk) s 0 (s;K ;pk) return(M;s 0 ) AlgorithmA 2 (M;s 0 ;y) wheres 0 =(s;K ;pk) (R ;z) B 2 (M;s;0kyk")
for1ijzj do parsez[i] asb
i ku i kv i where b i is abit for1ijzj do if (b i =0) ^ (v i =")theny [i] u i elseif(b i =1) ^ (v i =")theny [i] E pk (F K (u i )) elseif(b i =1) ^ (v i =F K (u i ))theny [i] u i elsey [i] y return(R ;y )
The analysis follows in spiritthat in the proof of Claim3.13; the key new element is the
pseudo-randomfunction. Roughly we seekto recapture the lemmas inthat proofmodulo thesecurity of
thepseudorandomfunctionfamily.
Forthe proof,we denetwo experiments. The rst isthe one underwhichAdv nm- cca1
PE;A
(k) is
evalu-ated, and thesecond istheone under which Adv nm- cca1 PE 0 ;B (k) isevaluated: Experiment1 def = (pk;sk) K (k); (M;(s;K ;pk)) A D sk 1 (pk); x;x~ M ; y E pk (x); (R ;y ) A 2 (M;(s;K ;pk);y); x D sk (y ) Experiment2 def = (pk;skkK) K 0 (k); (M;s) B D 0 skkK 1 (pk); x;x~ M ; 0kyk" E 0 pkku (x); (R ;z) B 2 (M;s;0kyk"); w D 0 skkK (z):
1 2
Pr[Experiment2 : ]be thatunderExperiment2 . LetE
1 ,E
2
,and E
3
be thefollowingevents:
E 1 def = 8i: (v i =")_(b i =1^v i =F K (u i )^u i 6=y) E 2 def = 9i: (b i =1^v i =F K (u i )^u i =y^v i 6=") E 3 def = 9i: (b i =1^v i 6=F K (u i )^v i 6=")_(b i =0^v i 6=") Forj =1;2;3 let p(1;j) = Pr 1 [y62y^?62x^R (x;x)j E j ] Pr 1 [y62y^?62x^R (~x ;x) j E j ] p(2;j) = Pr 2 [0kyk"62z^?62w^R (x;w ) j E j ] Pr 2 [0kyk"62z^?62w^R (~x;w ) j E j ] : By conditioningwe have: Adv nm-cpa PE;A (k) = P 3 j=1 p(1;j)Pr 1 [E j ] Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)Pr 2 [E j ]:
We nowupperboundAdv nm- cpa PE 0 ;B (k) intermsof Adv nm-cpa PE;A (k)bya seriesoflemmas. Lemma1: Pr 1 [E j ]=Pr 2 [E j ]forj=1;2;3.
Proof: These eventsdependonlyon thekeys and B.2
Letq be a polynomialwhich boundstherunningtimeof B andin particularsothat jzj<q(k).
Lemma2: p(2;1) p(1;1)+(k) forsome negligiblefunction dependingon B.
Proof: We considertwo possiblecases forvaluesofz[i]=b
i ku i kv i ,given event E 1 . First suppose (b i = 1^v i = F K (u i )^u i
6= y). Note that v
i = F K (u i ) implies v i 6= " since the outputof F K
isalwaysk bitslong. Now, from thecodeof A
2
,we seethat inthiscase A
2
sets y [i]
to u
i
. Observe that if ciphertext y [i] (respectively z[i]) that A (respectively B) creates equals y
(respectively0kyk")thenthereisnocontributiontothesuccessprobability. Sinceb
i
=1weknow
that z[i] 6= 0kyk". On theother hand the conditionu
i
6=y means that y [i] 6=y too. From the
denitionofD 0 wehaveD 0 skkK (1ku i kF K (u i ))=D sk (u i
),soAisproperlysimulatingB. (Meaning
thecontributionto their respective successprobabilitiesisthe same.)
Forthe secondcase, namelyv
i
=", we considerthetwo possiblevaluesof b
i .
Ifb
i
=0thenAwillsety [i]=u
i
,andfromthedenitionofD 0 wehaveD 0 skkK (0ku i k")=D sk (u i ).
ObservethatAwilloutputaciphertexty [i]thatequalsyifandonlyifB outputsaciphertextz[i]
thatequals 0kyk". Soagain A isproperlysimulatingB.
If b i = 1 then D 0 skkK (1ku i k") = F K (u i ) by denition of D 0
. A correctly \simulates" this by
outputting an encryption of F
K (u
i
). This choice of A contributes to the success probability as
long asitis dierent fromy. The probabilityof thisnothappeningcan be upperboundedbythe
probabilitythatE pk (F K (u i
))=y. Wemustconsidertheworstcase,whichiswhen8i: (b
i =1 ^ v
i =
"),soweareinterestedinboundingtheprobabilitythatthereissomeisuchthatE
pk (F K (u i ))=y.
Intuitively,such\ciphertextcollisions"areunlikelysinceotherwisetheschemewouldnotbesecure
even inthe sense of IND- CCA1. Formally, one can show that the probabilityof such collisions is
at most(k), where() isa negligiblefunction dependingon B,byshowingthatifnot, we could
designan adversary A 0
thatwouldbreakthescheme inthesenseof IND-CCA1. Thisis standard,
In the rst stage A does what A does, picking a key K so that it can provide a simulation of
the decryption oracle of B, similar to the simulation providedby A. It runs the rst stage of B
and picksa pair ofmessages uniformlyfrom the message space output byB. In thesecond stage
it is given an encryption of one of these messages as the challenge. It then obtains a polynomial
numberofencryptionsof one ofthe messagesand checksifanyof theresulting ciphertextsmatch
the challenge ciphertext. If it doesthen it bets that the challenge ciphertext corresponds to this
message, otherwiseit decidesby ippinga coin. Observethat thesuccess ofA 0
is exactlyone half
theprobabilityofthere beingsome isuchthatE
pk (F
K (u
i
))=ysincetheexperimentsdeningthe
success ofA 0
andthe upperboundontheprobabilityinquestionaresimilar. SincePE isgivento
besecureintheNM- CCA1sense(andtherefore intheIND- CCA1sense,seeTheorem 3.1 ),weget
a boundof (k) where isa negligiblefunctiondependingonB.2
Notice that in the above we didnot use the security of the pseudorandom functionfamily. That
comes up only in the next lemma. Accordingly, in the following, for any polynomial f we let
Æ
f
(k) be a negligible function which upper bounds the advantage obtainable by anyadversary in
distinguishingF from a familyof randomfunctions when therunningtime ofthisadversary isat
mostf(k). Lemma3: Pr 1 [E 2 ] q(k)[Æ q
(k)+(k)] forsome negligiblefunction that dependson B.
Proof: Event E 2 occurs if B outputs 1ku i kv i where u i =y and v i = F K
(y). The claim is that
thishappenswithonlya smallprobability.
Note that it is not impossible for B to compute the value of F
K
on a point, even though F is
pseudorandom, because it can compute F
K
(m) on a point m of its choice simply by querying its
decryption oracleon 1kmk". However, thisoracleis onlyavailablein therst stage, and inthat
stageB doesnotknowy. Whenshedoesgettoknowy (inthesecond stage)shenolongerhasthe
decryptionoracle. Thepseudorandomness ofF thensaysherchanceof computingF
K
(y) issmall.
To turn thisintuition into a formal proof, rst imaginethat we use, inthe role of F
K
, a random
function g. (Imagine that D
skkK
has oracle access to g and uses it in the role of F
K
.) In the
resulting scheme and experiment, itis clearthat thechance that B computes g(y) is at most2 k
plusthechancethatshemade aqueryinvolvingy tothedecryptionoracleintherst stage. Since
y isa ciphertextcreatedafter therst stage,we claimthat thechance thatB couldmake aquery
involving y inherrststage isnegligible. Thisistruebecause ifnot,we would contradict thefact
thatPE isIND-CCA1. (Thiscan beargued analogously to theargument intheprevious Lemma.
We omitthe details.)
Let(k)thenbethenegligibleprobabilityof computingg(y). Nowgiven thatF ispseudorandom
innature we can boundtheprobabilityof B correctly computingF
K
(y) byÆ
q
(k)+(k) for some
polynomialq whichdependson B. (Justiedbelow.) SowhileB could always picku
i
to be y,she
would have a negligibleprobability of setting v
i
to be F
K
(y). In the worst case this event could
happen withprobabilityat mostjzj[Æ
q
(k)+(k)].
The bound of Æ
q
(k) +(k) mentioned above is justied using the assumed security of F as a
pseudorandom function family. If the event in question had a higher probability, we would be
abletoconstructadistinguisherbetweenF andthefamilyofrandomfunctions. Thisdistinguisher
wouldgetanoraclegforsomefunctionandhastotellwhethergisfromF k
orisarandomfunction
of k bits to k bits. It would itself pickthesecret keys underlyingExperiment1 orExperiment2 and
run the adversaries A or B. It can test whether or not the event happens because it knows all
decryptionkeys. Ifithappensitbetsthat gispseudorandom,because thechanceunderarandom
functionisat most2 k
Proof: When event E
3
happensinExperiment1 , one of theciphertextsy [i]that A
2
outputsequals
y and hence there is no contribution to the success probability. When event E
3
happens in
Experiment2 , the denition of D 0
skkK
says that the decryption of some z[i] is ? and hence again
thereisnocontributiontothesuccessprobability. Inotherwords,inbothcases,thereisnosuccess
ineither the\real"orthe\random" experiment.2
FromLemmas 1,2,3,4 we get
Adv nm-cca1 PE 0 ;B (k) = P 3 j=1 p(2;j)Pr 1 [E j ] (k) + p(1;1)Pr 1 [E 1 ] + p(2;2)Pr 1 [E 2 ] + p(1;3)Pr 1 [E 3 ] (k) + p(1;1)Pr 1 [E 1 ] + p(1;2)Pr 1 [E 2 ] + p(1;3)Pr 1 [E 3 ] +(p(2;2) p(1;2))Pr 1 [E 2 ] (k) + P 3 j=1 p(1;j)Pr 1 [E j ] + Pr 1 [E 2 ] (k)+q(k)[Æ q (k)+(k)] + Adv nm- cpa PE;A (k): Since Æ q
(k) and (k) are negligible quantities, the assumption that PE is secure in the sense
of NM- CCA1 implies that Adv nm- cca1
PE;A
() is negligible, and hence it follows that Adv nm- cca1 PE 0 ;B () is negligible. 4 Results on PA
In this section we dene plaintext awareness and prove that it impliesthe random-oracle version
of IND-CCA2,butisnotimplied byit.
Throughoutthissection we shallbeworking exclusivelyintheROmodel. Assuch,all notions
of securitydened earlierrefer, inthissection,to theirRO counterparts. These areobtainedin a
simplemanner. TomodifyDenitions2.1and 2.2, begin thespeciedexperiment(theexperiment
whichdenes advantage) bychoosingarandomfunctionH fromthesetofallfunctionsfrom some
appropriatedomaintoappropriaterange. (Thesesetsmightchangefromschemetoscheme.) Then
providean H-oracleto A
1 and A
2
,and allowthatE
pk
andD
sk
maydependonH (which we write
asE H pk and D H sk ). 4.1 Denition
Our denitionof PA isfrom [6], except thatwe make one important renement. An adversary B
for plaintext awareness is given a public key pk and access to the random oracle H. We also
provide B with an oracle for E H
pk
. (This is our renement, and its purpose is explained later.)
The adversary outputs a ciphertext y. To be plaintext aware the adversary B should necessarily
\know"thedecryptionxofitsoutput. Toformalizethisitisdemandedthereexistsome(universal)
algorithm K (the \plaintext extractor") that could have output x just by looking at the public
key,B's H-queries and the answers to them, and theanswers to B's queries to E H
pk
. Let usnow
summarizetheformaldenitionand thendiscussit.
By (hH;C;y) runB H ;E
H
pk
(pk)we meanthefollowing. Run B oninputpk andoracles H and
E H
pk
,recordingB'sinteractionwithits oracles. Form intoa listhH =((h
1 ;H 1 );:::;(h q H ;H q H ))all ofB'sH-oracle queries,h 1 ;:::;h q H
,and thecorrespondinganswers,H
1
;:::;H
q
H
. Form into alist
C =(y
1 ;:::;y
q
E
)theanswers (ciphertexts)received asa resultof E H
pk
-queries. (Themessagesthat