Relations Among Notions of Security for Public Key Encryption Schemes

Notes in Computer Science Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998. This is the full

paper.

Relations Among Notions of Security for

Public-Key Encryption Schemes

M. Bellare  A. Desai y D. Pointcheval z P. Rogaway x June2001 Abstract

We comparetherelativestrengths ofpopularnotionsof securityforpublic-keyencryption

schemes. Weconsider the goals of privacy and non-malleability, each under chosen-plaintext

attackandtwokindsofchosen-ciphertextattack. Foreachof theresultingpairs ofdenitions

we prove either an implication (every scheme meeting one notion must meet the other) or a

separation(thereis ascheme meeting onenotionbut nottheother, assuming therst notion

canbemetatall). Wesimilarlytreatplaintextawareness,anotionofsecurityinthe

random-oraclemodel. An additionalcontribution of this paperis anew denition of non-malleability

which webelieveissimplerthanthepreviousone.

Keywords: Asymmetric encryption, Chosen ciphertext security, Non-malleability,

Racko-Simonattack,Plaintextawareness,Relationsamongdenitions.



Dept.ofComputerScience&Engineering,UniversityofCalifornia atSanDiego,9500 GilmanDrive,La Jolla,

CA92093,USA.E-Mail: mihir @cs.ucsd.edu. URL:http://www-cse.ucsd.edu/use rs/m ihir=. Supportedinpart

byNSFCAREERAwardCCR-9624439anda1996PackardFoundationFellowshipinScienceandEngineering.

y

NTT MultimediaCommunications Laboratories, 250CambridgeAvenue,Suite300, Palo Alto, CA 94306.

E-mail: desai@nttmcl.com. Workdone whileauthorwas atUCSD,supportedinpartbytheabove-mentionedgrants

oftherstauthor.

z

Laboratoired'Informatiquedel' 

Ecole NormaleSuperieure, 45rue d'Ulm,F {75230 Paris Cedex 05. E-mail:

david.pointcheval@ens.fr. URL:http://www.dmi.ens.fr/~pointche /.

x

Dept.ofComputerScience,EngineeringIIBldg.,OneShieldsAvenue,UniversityofCaliforniaatDavis,Davis,

CA95616,USA.E-mail: rogaway@cs.ucdavis.edu. URL:http://www.cs.ucdavis.edu/~ro gaway /. Supportedby

1 Introduction 1

1.1 Notions ofEncryption Scheme Security. . . 1

1.2 Implications andSeparations . . . 1

1.3 Plaintext Awareness . . . 2

1.4 DenitionalContributions . . . 3

1.5 Motivation . . . 3

1.6 RelatedWork andDiscussion . . . 4

2 Denitions of Security 5 2.1 Framework . . . 6

2.2 IndistinguishabilityofEncryptions . . . 6

2.3 Non-Malleability . . . 7

3 Relating IND and NM 9 3.1 Results. . . 9

3.2 Notation and Preliminaries . . . 10

3.3 Proof of Theorem3.1 : NM- ATK)IND- ATK . . . 11

3.4 Proof of Theorem3.3 : IND- CCA2)NM- CCA2 . . . 12

3.5 Proof of Theorem3.5 : IND- CCA16)NM- CPA . . . 13

3.6 Proof of Theorem3.6 : NM- CPA6)IND- CCA1 . . . 15

3.7 Proof of Theorem3.7 : NM- CCA16)NM- CCA2 . . . 18

4 Results on PA 22 4.1 Denition . . . 22

4.2 Results. . . 23

4.3 Proof of Theorem4.2 : PA)IND- CCA2 . . . 24

4.4 Proof of Theorem4.4 : IND- CCA26)PA . . . 26

Inthispaperwecomparetherelativestrengthsofvariousnotionsofsecurityforpublic-key

encryp-tion. We wantto understandwhichdenitionsof securityimplywhichothers. Westartbysorting

outsome of thenotionswewillconsider.

1.1 Notions of Encryption Scheme Security

A convenient way to organize denitions of secure encryption is by considering separately the

variouspossiblegoals and thevariouspossibleattack models, andthen obtaineach denitionasa

pairing ofa particular goal anda particular attack model. This viewpoint was suggestedto usby

MoniNaor [25 ].

We consider two dierent goals: indistinguishability of encryptions, due to Goldwasser and

Micali [21 ], and non-malleability, dueto Dolev, Dwork and Naor [13 ]. Indistinguishability(IND )

formalizes an adversary's inability to learn any information about the plaintext x underlying a

challenge ciphertext y,capturing a strongnotionof privacy. Non-malleability(NM ) formalizesan

adversary's inability, given a challenge ciphertext y, to output a dierent ciphertext y 0

such that

the plaintexts x;x 0

underlying these two ciphertexts are \meaningfully related". (For example,

x 0

=x+1.) It capturesa senseinwhichciphertextscan betamper-proof.

Along theother axiswe considerthree dierent attacks. In order of increasing strength these

are chosen-plaintext attack (CPA ), non-adaptive chosen-ciphertext attack (CCA1), and adaptive

chosen-ciphertext attack (CCA2). Under CPA the adversary can obtain ciphertexts of plaintexts

of her choice. In the public-key setting, giving the adversary the public key suÆces to capture

these attacks. Under CCA1, formalized by Naor and Yung [26 ], the adversary gets, in addition

to the public key, access to an oracle for the decryption function. The adversary may use this

decryptionfunctiononlyfortheperiodoftimeprecedingherbeinggiventhechallengeciphertexty.

(Theterm non-adaptive refers to the factthat queriesto thedecryption oracle cannot dependon

the challenge y. Colloquially this attack has also been called a \lunchtime," \lunch-break," or

\midnight" attack.) Under CCA2, due to Racko and Simon [27 ], the adversary again gets (in

addition to the publickey) access to an oracle forthe decryptionfunction, but thistimeshe may

usethisdecryptionfunctionevenon ciphertextschosen afterobtainingthechallenge ciphertext y,

theonlyrestrictionbeingthattheadversarymaynotaskforthedecryptionofy itself. (Theattack

is called adaptive because queriesto the decryption oracle can dependon the challenge y.) As a

mnemonicfor theabbreviations CCA1/ CCA2, justrememberthatthe biggernumbergoeswith

thestronger attack.

Onecan \mix-and-match" thegoals fIND ;NMgand attacksfCPA ;CCA1;CCA2 ginany

com-bination,giving riseto sixnotionsof security:

IND- CPA; IND- CCA1; IND- CCA2; NM-CPA ; NM- CCA1; NM-CCA2 :

Mostarefamiliar(although underdierentnames). IND- CPA isthenotionof[21 ]; 1

IND- CCA1is

thenotionof [26 ];IND- CCA2 isthe notionof [27 ];NM- CPA,NM- CCA1and NM-CCA2 arefrom

[13 , 14 ,15 ].

1.2 Implications and Separations

In this paper we work out the relations between the above six notions. For each pair of notions

A;B 2 fIND- CPA;IND- CCA1;IND-CCA2;NM- CPA;NM- CCA1; NM- CCA2g, we show one of

1

Goldwasser and Micali referred to IND-CPA as polynomial security, and also showed this was equivalent to

IND- CPA IND- CCA1 IND-CCA2 NM- CPA NM- CCA1 NM- CCA2     -? ? ? 6 q i 3.1 3.6 3.5 3.1 3.1 3.3

Figure1: Anarrowisanimplication,andinthedirectedgraphgivenbythearrows,thereisapath

from A toB if andonlyA)B. Thehatched arrows represent separations we actuallyprove; all

others follow automatically. The number on an arrow orhatched arrow refers to the theorem in

thispaperwhich establishesthisrelationship.

thefollowing:

 A)B: Aproofthat ifPE is anyencryption scheme meeting notionofsecurityA thenPE

also meetsnotionof securityB.

 A6)B: A construction of an encryptionscheme PE that provablymeetsnotionof security

A butprovablydoesnot meet notionof securityB. 2

We call a result of therst type an implication, and aresult of the second type a separation. For

each pair ofnotions we provideone ortheother,sothat no relationremainsopen.

These results are represented diagrammatically in Figure 1 . The (unhatched) arrows

repre-sent implications that are proven or trivial, and the hatched arrows represent explicitly proven

separations. Specically, the non-trivial implication is that IND- CCA2 implies NM-CCA2, and

the separations shown are that IND- CCA1 does not imply NM- CPA; nor does NM-CPA imply

IND- CCA1;nordoesNM- CCA1 implyNM- CCA2.

Figure 1representsacompletepictureof relationsinthefollowingsense. Viewthepictureasa

graph,theedgesbeingthosegivenbythe(unhatched)arrows. (Sothereareeightedges.) Weclaim

thatforanypairofnotionsA;B,itisthecasethatAimpliesB ifandonlyifthereisapathfrom

AtoBinthegraph. The\if"partofthisclaimisofcourseclearfromthedenitionofimplication.

The\onlyif"partofthisclaimcan beveriedforanypairofnotionsbyutilizingthehatchedand

unhatchedarrows. Forexample, we claim that IND- CCA1 doesnot implyIND-CCA2. For ifwe

had that IND- CCA1 impliesIND- CCA2 then this, coupled with NM- CCA1 implyingIND- CCA1

and IND-CCA2 implyingNM- CCA2, wouldgive NM- CCA1 implyingNM- CCA2, whichwe know

to befalse.

That IND-CCA2 impliesall of theother notions helpsbolster the view that adaptive CCA is

the\right" version ofCCA onwhichto focus. (IND- CCA2has alreadyproven to be a better tool

for protocol design.) We thus suggest that, in the future, \CCA" should be understood to mean

adaptiveCCA.

1.3 Plaintext Awareness

Anotheradversarialgoal we willconsiderisplaintext awareness (PA), rst dened byBellare and

Rogaway[6 ]. PA formalizesan adversary'sinabilityto create aciphertexty without\knowing"its

underlyingplaintext x. (In the case that the adversary creates an \invalid" ciphertext what she

shouldknow isthat theciphertext isinvalid.)

2

Thiswill be done undertheassumptionthat thereexists some schememeetingnotion A, sinceotherwise the

thatintheROmodeloneembellishesthecustomarymodelofcomputationbyprovidingallparties

(goodandbad alike)witharandomfunctionH fromstringstostrings. See[5 ] foradescriptionof

therandom-oracle modeland a discussionof its use.

The sixnotionsofsecuritywehavedescribedcan beeasily\lifted"to theROmodel,givingsix

correspondingdenitions. Onceone makessuch denitional analogsit iseasily veriedthat all of

the implications and separations mentioned in Section1.2 and indicated in Figure 1 also hold in

theROsetting. Forexample, theRO versionof IND- CCA2impliestheROversionof NM- CCA2.

Since PA has only been dened in the RO model it only makes sense to compare PA with

other RO notions. Our results in this vein are as follows. Theorem4.2 shows that PA (together

with the RO version of IND- CPA) impliesthe RO version of IND- CCA2. In the other direction,

Theorem4.4 shows thattheROversionof IND- CCA2 doesnotimplyPA.

1.4 Denitional Contributions

Beyondtheimplicationsandseparationswehavedescribed,wehavetwodenitionalcontributions:

a newdenitionof non-malleability,anda renement to thedenitionofplaintextawareness.

The original denitionof non-malleability[13, 14 , 15 ] is in terms of simulation,requiring, for

everyadversary,theexistenceofsomeappropriatesimulator. Webelieveourformulationissimpler.

It is dened via an experiment involving onlythe adversary; there is no simulator. Nonetheless,

thedenitionsare equivalent[7 ], underanyform ofattack.

Thus the results in this paper are not aected by the denitional change. We view the new

denitionasan additional,orthogonal contributionwhichcould simplifythetask ofworkingwith

non-malleability. Wealsonotethatourdenitionalidealiftstoothersettings,likedeningsemantic

security[21 ] againstchosen-ciphertextattacks. (Semantic securityseems notto have beendened

against CCA.)

With regard to plaintext awareness, we make a small but important renement to the

de-nition of [6 ]. The change allows us to substantiate their claim that plaintext awareness implies

chosen-ciphertextsecurityand non-malleability,bygiving usthatPA(plusIND- CPA)impliesthe

RO versions of IND- CCA2 and NM- CCA2. Our renement is to endow the adversary with an

encryptionoracle, thequeries to whichare notgiven tothe extractor. SeeSection4.

1.5 Motivation

In recent years there has been an increasing role played by public-key encryption schemes which

meetnotionsofsecuritybeyondIND- CPA. Wearerealizingthatoneoftheirmostimportantusesis

astoolsfordesigninghigher-levelprotocols. Forexample, encryptionschemesmeeting IND- CCA2

appearto betherighttoolsinthedesignofauthenticatedkeyexchangeprotocolsinthepublic-key

setting [1 ]. As another example, the designers of SET (Secure Electronic Transactions) selected

an encryption scheme which achieves more than IND- CPA [28 ]. This was necessary, insofar as

the SET protocols would be wrong if instantiated by a primitive which achieves only IND- CPA

security. Because encryption schemes which achieve more than IND- CPA make for easier-to-use

(orharder-to-misuse) tools,emergingstandards rightlyfavorthem.

We comment that if one takes the CCA models \too literally" the attacks we describe seem

rather articial. Take adaptive CCA, for example. How could an adversary have access to a

decryption oracle, yet be forbidden to use it on the one point she really cares about? Either she

has the oracle and can use it as she likes, or she does not have it at all. Yet, in fact, just such

these aretherightnotionsforschemesto meetwhen these schemesareto become generally-useful

tools inthedesignof highlevelprotocols.

1.6 Related Work and Discussion

Relations. Themostrecent version ofthe workof Dolev,Dwork and Naor, themanuscript [15 ],

has, independentlyofour work,consideredthe questionofrelations among notionsof encryptions

beyondIND- CPA. Itcontains(currentlyinRemark3.6)variousclaimsthatoverlaptosome extent

with ours. (Public versionsof their work, namely the1991 proceedings version [13 ] and the 1995

technical report[14 ], donot containthese claims.)

Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and

Micali[21]andcontinueswithYao[29 ],Micali,RackoandSloan[24 ],andGoldreich[18,19 ]. These

workstreatprivacyunderchosen-plaintextattack(thenotionwearecapturingviaIND- CPA). They

showthatvariousformalizationsofitareequivalent,invariousmodels. Specically,Goldwasserand

Micaliintroduced,andshowedequivalent,thenotionsofindistinguishabilityandsemanticsecurity;

Yao introduced a notionbased on computational entropy; Micali, Racko and Sloan showed that

appropriatevariantsoftheoriginaldenitionareequivalenttothis;Goldreich[18 ]madeimportant

renements to the notion of semantic security and showed that the equivalences still held; and

Goldreich [19 ]provideddenitions andequivalencesfor thecase of uniformadversaries. We build

onthese foundationsbothconceptuallyandtechnically. Inparticular,thisbodyofworkeectively

justiesouradopting one particularformulation ofprivacyunderchosen-plaintext attack, namely

IND- CPA.

Noneoftheaboveworksconsideredchosen-ciphertextattacksand,inparticular,thequestionof

whether indistinguishabilityand semantic securityareequivalent inthissetting. In fact, semantic

securityunderchosen-ciphertextattackseemstohavenoteven beendened. Asmentionedearlier,

denitionsfor semantic securityunder CCAcan be obtained along thelines of ournew denition

ofnon-malleability. We expect(andhope)that,afterdoing this,theequivalencebetweensemantic

security and indistinguishability continue to hold with respect to CCA, but this has not been

checked.

Recent work on simplifying non-malleability. As noted above, Bellare and Sahai [7 ]

have shown thatthe denitionof non-malleabilitygiven inthispaperis equivalent to theoriginal

one of [13 , 14 , 15 ]. In addition, they provide a novel formulation of non-malleabilityin terms of

indistinguishability, showing that non-malleability is just a form of indistinguishability under a

certaintype ofattackthey callaparallelattack. Theircharacterization can be appliedtosimplify

some of theresultsinthispaper.

Schemes. It isnotthe purposeofthispaperto discussspecic schemesdesigned formeeting any

ofthenotionsofsecuritydescribedinthispaper. Nonetheless,asasnapshotofthestateoftheart,

we attempt to summarize what is known about meeting \beyond-IND- CPA" notions of security.

Schemesproven secureunder standardassumptions includethat of [26 ],which meetsIND- CCA1,

that of [13 ], which meets IND- CCA2, and the much more eÆcient recent scheme of Cramer and

Shoup[10 ], which also meets IND- CCA2. Next are theschemesproven secureina random-oracle

model; here we have those of [5, 6 ], which meet PA and are as eÆcient as schemes in current

standards. Then there are schemes without proofs, such as those of [11 , 30]. Finally, there are

schemesfornon-standard models,like[16,27 ].

We comment that it follows from our resultsthat the above mentioned scheme of [10 ], shown

metric) encryption. The same questions can be asked for private-key (ie. symmetric) encryption.

Denitions forsymmetric encryptionscheme privacy underCPA were given by[2 ]. Thosenotions

can be lifted to deal with CCA.Denitions for non-malleabilityinthe private-key setting can be

obtained by adapting the public-key ones. Again we would expect (and hope) that, if properly

done, theanalogsto therelations we have proven remain.

One feature of denitions in this setting is worth highlighting. Recall that in the public-key

setting,nothingspecialhad to be doneto model CPA; itcorrespondsjustto giving theadversary

the public key. Not soin a private-key setting. The suggestion of [3 ] is to give the adversary an

oracle for encryption under the private key. This must be donein all denitions,and it is under

thisnotionthatweexpectto see ananalog of theresultsforthepublic-keycase.

Goldreich,indiscussionsonthisissue,hasnotedthatintheprivate-keycase,onecanconsideran

attack settingweakerthanCPA,wheretheadversary is notgiven an encryptionoracle. He points

outthatunderthisattackitwillnotevenbetruethatnon-malleabilityimpliesindistinguishability.

Encryptionscheme securitywhichgoesbeyondindistinguishabilityisimportantinthe

private-key case too, and we feel it deserves a full treatment of its own which would explore and clarify

some of theabove issues.

Furtherremarks. We comment that non-malleabilityis ageneral notionthat appliesto

primi-tivesother thanencryption [13 ]. Our discussionis limitedto its useinasymmetric encryption.

Bleichenbacher[8 ] hasrecentlyshownthata popularencryptionscheme, RSAPKCS#1, does

notachieve IND- CCA1. He also describesa popularprotocol forwhich thiscauses problems. His

results reinforce the danger of assuming anything beyond IND- CPA which has not been

demon-strated.

Apreliminaryversionofthispaperappearedas[3]. Weincludeherematerialwhichwasomitted

from thatabstract dueto space limitations.

2 Denitions of Security

Thissectionprovidesformaldenitionsforthesixnotionsofsecurityofanasymmetric(ie.,

public-key)encryptionschemediscussedinSection1.1. PlaintextawarenesswillbedescribedinSection4 .

We begin bydescribing thesyntax of an encryption scheme, divorcingsyntax from thenotions of

security.

Experiments. We use standard notations and conventions for writing probabilistic algorithms

and experiments. If A is a probabilistic algorithm, then A(x

1 ;x

2

;:::;r) is the result of running

A on inputs x

1 ;x

2

;::: and coins r. We let y A(x

1 ;x

2

;::: ) denote the experiment of pickingr

at random and letting y be A(x

1 ;x

2

;:::;r). If S is a nite set then x S is the operation of

pickinganelementuniformlyfromS. If isneitheran algorithmnora setthenx isasimple

assignment statement. We say that y can be output by A(x

1 ;x

2

;::: ) ifthere is some r such that

A(x

1 ;x

2

;:::;r)=y.

Syntaxandconventions. Thesyntaxofanencryptionschemespecieswhatkindsofalgorithms

make it up. Formally,an asymmetric encryption scheme is given by a tripleof algorithms, PE =

(K ;E;D),where

 K , the key generation algorithm, is a probabilistic algorithm that takes a security parameter

k 2Nand returns apair (pk;sk)of matchingpublic andsecret keys.

 E, the encryption algorithm, is a probabilistic algorithm that takes a public key pk and a

message x2f0;1g 

ciphertext ytoproduceeitheramessagex2f0;1g 

oraspecialsymbol?toindicatethatthe

ciphertext was invalid.

We require that for all (pk;sk) which can be output by K (k), for all x 2 f0;1g 

, and for all y

that can be output by E

pk

(x), we have that D

sk

(y)=x. We also requirethat K , E and D can be

computed in polynomial time. As the notation indicates, the keys are indicated as subscriptsto

thealgorithms.

Recall thata function:N!R isnegligible ifforevery constant c0 there existsaninteger

k c such that (k)k c for allk k c . 2.1 Framework

The formalizations that follow have a common framework that it mayhelp to see at a high level

rst. In formalizing both indistinguishability and non-malleability we regard an adversary A as

a pair of probabilisticalgorithms, A = (A

1 ;A

2

). (We will say that A is polynomial time if both

A

1

and A

2

are.) This correspondsto A runningintwo \stages." The exact purposeof eachstage

dependsontheparticularadversarialgoal,butforbothgoalsthebasicideaisthatintherststage

theadversary,giventhepublickey,seeksandoutputssome\testinstance,"andinthesecondstage

the adversary is issued a challenge ciphertext y generated as a probabilistic function of the test

instance,inamannerdependingonthegoal. (Inaddition A

1

can outputsomestate informations

thatwillbepassedtoA

2

.) AdversaryAissuccessfulifshepassesthechallenge,withwhat\passes"

meansagain dependingon thegoal.

We considerthree types ofattacks underthissetup.

In a chosen-plaintext attack (CPA) the adversary can encrypt plaintexts of her choosing. Of

coursea CPA is unavoidable inthe public-key setting: knowingthe publickey,an adversary can,

on her own, compute a ciphertext for any plaintext she desires. So in formalizing denitions of

securityunder CPA we \do nothing"beyond giving the adversary access to thepublic key; that's

already enoughto make aCPA implicit.

Ina non-adaptive chosen-ciphertextattack (CCA1)wegiveA

1

(thepublickeyand)accessto a

decryption oracle, butwedo notallowA

2

access to a decryption oracle. This is sometimescalled

a non-adaptive chosen-ciphertext attack, in thatthedecryption oracleis usedto generatethe test

instance,buttaken away beforethechallenge appears.

In an adaptive chosen-ciphertext attack (CCA2) we continue to give A

1

(the public key and)

accessto a decryptionoracle, butalso give A

2

accessto thesame decryptionoracle, with theonly

restriction that she cannot query the oracle on the challenge ciphertext y. This is an extremely

strongattackmodel.

As a mnemonic, the number i in CCAi can be regarded as the number of adversarial stages

during which she has access to a decryption oracle. Additionally,the biggernumber corresponds

to thestronger (andchronologicallylater) formalization.

By the way: we do notbother to explicitlygive A

2

the publickey, because A

1

hastheoption

of includingit ins.

2.2 Indistinguishability of Encryptions

Theclassicalgoal ofsecureencryption isto preservethe privacyofmessages: anadversary should

not be able to learn from a ciphertext information about its plaintext beyond the length of that

plaintext. We denea version of thisnotion, indistinguishabilityof encryptions(IND), following

[21 ,24 ],throughasimpleexperiment. AlgorithmA

1

1 0 1

we insistbe of thesame length,and thelastbeingstate information(possiblyincludingpk) which

she wants to preserve. A random one of x

0

and x

1

is now selected, say x

b . A \challenge" y is determined byencrypting x b under pk. It is A 2

's job to try to determine ify wasselected asthe

encryptionof x

0 orx

1

,namelyto determinethebit b. Tomake thisdeterminationA

2

is giventhe

saved state sand thechallenge ciphertext y.

For concision and clarity we simultaneously dene indistinguishability with respect to CPA,

CCA1, and CCA2. The only dierence lies in whether or not A

1

and A

2

are given decryption

oracles. We let the string atk be instantiated by any of the formal symbols cpa ;cca1;cca2, while

ATK is then the corresponding formal symbol from CPA;CCA1 ;CCA2. When we say O

i = ",

wherei2f1;2g, we mean O

i

is thefunctionwhich,on anyinput,returns theemptystring,".

Denition 2.1 [IND-CPA,IND-CCA1,IND-CCA2]LetPE=(K ;E;D) beanencryptionscheme

and letA=(A

1 ;A

2

) be an adversary. Foratk2fcpa;cca1;cca2gand k 2Nlet,

Adv ind- atk PE;A (k) = Pr[Exp ind- atk- 1 PE;A (k)=1] Pr[Exp ind- atk- 0 PE;A (k)=1] where, forb2f0;1g, Experiment Exp ind- atk- b PE;A (k) (pk;sk) R K (k); (x 0 ;x 1 ;s) A O1(
) 1 (pk); y E pk (x b ); d A O2(
) 2 (x 0 ;x 1 ;s;y) Returnd and

If atk=cpa then O

1

(
)=" and O

2 (
)="

If atk=cca1 then O

1 (
)=D sk (
) and O 2 (
)="

If atk=cca2 then O

1 (
)=D sk (
) and O 2 (
)=D sk (
)

Aboveitismandatedthatjx

0 j=jx

1

j. InthecaseofCCA2,wefurtherinsistthatA

2

doesnotaskits

oracletodecrypty. WesaythatPE issecureinthesenseofIND-ATKifAbeingpolynomial-time

impliesthatAdv ind- atk

PE;A

(
) isnegligible.

2.3 Non-Malleability

Notation. We will need to discuss vectors of plaintexts or ciphertexts. A vector is denoted in

boldface,asinx. Wedenotebyjxjthenumberofcomponentsinx,andbyx[i]thei-thcomponent,

so that x = (x[1];:::;x[jxj]). We extend the set membership notation to vectors, writing x 2 x

or x 62 x to mean, respectively, that x is inor is not in theset fx[i] : 1 i jxjg. It will be

convenient to extend the decryption notation to vectors with the understanding that operations

are performed componentwise. Thus x D

sk

(y ) is shorthand for the following: for 1  i jy j

dox[i] D

sk (y [i]).

We will consider relations of arity t where t will be polynomial in the security parameter k.

Rather thanwriting R (x

1 ;:::;x

t

) we writeR (x;x),meaning therst argument is specialand the

rest arebunchedinto avector x withjxj=t 1.

Idea. Thenotionofnon-malleabilitywasintroducedin[13 ],andrenedsubsequently. Thegoalof

the adversary, given a ciphertext y, is not(as with indistinguishability)to learnsomething about

its plaintext x, butonly to output a vector y of ciphertextswhose decryption x is \meaningfully

related" to x, meaning that R (x;x) holdsfor some relation R . The question is how exactly one

existsacertaintypeof\simulator"thatdoesjustaswellastheadversarybutwithout beinggiveny.

Here,we introducea novelformalization whichseems to usto be simpler. Our formalization does

notask forasimulator, butjustconsidersanexperimentinvolvingtheadversary. Itturnsoutthat

ournotionisequivalentto DDN's [7].

Our formalization. Let A = (A

1 ;A

2

) be an adversary. In the rst stage of the adversary's

attack, A

1

, given the public key pk, outputs a description of a message space, described by a

sampling algorithm M. The message space must be valid, which means that it gives non-zero

probability only to strings of some one particular length. In the second stage of the adversary's

attack, A

2

receives an encryption y of a random message, say x

1

, drawn from M. The adversary

then outputs a (description of a) relation R and a vector y (no component of which is y). She

hopesthatR (x;x)holds,wherex D

sk

(y ). Anadversary(A

1 ;A

2

)issuccessful ifshecando this

withaprobabilitysignicantlymore thanthatwithwhichR (x

0

;x) holdsforsome randomhidden

x

0 M.

Denition 2.2 [NM-CPA, NM-CCA1, NM-CCA2] Let PE = (K ;E;D) be an encryption scheme

and letA=(A

1 ;A

2

) be an adversary. Foratk2fcpa;cca1;cca2gand k 2Nlet,

Adv nm-atk PE;A (k) = Pr[Exp nm-atk- 1 PE;A (k)=1] Pr[Exp nm-atk- 0 PE;A (k)=1] where, forb2f0;1g, Experiment Exp nm-atk- b PE;A (k) (pk;sk) R K (k); (M;s) A O 1 (
) 1 (pk); x 0 ;x 1 M ; y E pk (x 1 ); (R ;y ) A O2(
) 2 (M;s;y); x D sk (y ); If y62y^?62x^R (x b ;x) thend 1;elsed 0; Returnd and

If atk=cpa then O

1

(
)=" and O

2 (
)="

If atk=cca1 then O

1 (
)=D sk (
) and O 2 (
)="

If atk=cca2 then O

1 (
)=D sk (
) and O 2 (
)=D sk (
)

We insist,above,thatM is valid: jxj=jx 0

jforanyx;x 0

thataregiven non-zeroprobabilityinthe

messagespaceM. InthecaseofCCA2,wefurtherinsistthatA

2

doesnotaskitsoracletodecrypt

y. We say that PE is secure in the sense of NM-ATK if for every polynomial p(k): if A runs in

time p(k), outputs a (valid) message space M samplable in time p(k), and outputs a relation R

computableintime p(k), thenAdv nm-atk

PE;A

(
) isnegligible.

The condition that y 62 y is made in order to not give the adversary credit for the trivial and

unavoidable action of copying thechallenge ciphertext. Otherwise, she could output the equality

relation R , where R (a;b) holdsi a= b, and output y = (y), and be successful with probability

one. We also declare the adversary unsuccessful when some ciphertext y [i] does nothave a valid

decryption(thatis,?2x),becauseinthiscase,thereceiverissimplygoingtorejecttheadversary's

message anyway. The requirement that M is valid is important; it stems from the fact that

We state more precisely the results summarized in Figure1 and provide proofs. As mentioned

before, we summarize only the main relations (the ones that require proof); all other relations

followascorollaries.

3.1 Results

Therst result,that non-malleabilityimpliesindistinguishabilityunderanytypeof attack, wasof

courseestablishedby[13 ]inthecontext oftheirdenitionofnon-malleability,butsincewehave a

newdenitionof non-malleability,weneedto re-establishit. The (simple)proofof thefollowingis

inSection3.3 .

Theorem 3.1 [NM-ATK) IND- ATK] If a scheme PE issecure inthe senseof NM- ATKthen

PE is secureinthesenseof IND-ATK, foranyattack ATK2fCPA;CCA1 ;CCA2g.

Remark 3.2 Recall that the relation R in Denition 2.2 was allowed to have any polynomially

boundedarity. However,theabovetheoremholdsevenunderaweakernotionofNM- ATKinwhich

therelationR is restrictedto have arity two.

The proofof thefollowingis inSection3.4 .

Theorem 3.3 [IND-CCA2 ) NM- CCA2] If a scheme PE is secure in the sense of IND- CCA2

thenPE issecureinthe senseof NM- CCA2.

Remark 3.4 Theorem 3.3 coupled with Theorem 3.1 and Remark 3.2 says that in the case of

CCA2 attacks, itsuÆces to considerbinary relations,meaning thenotionofNM- CCA2 restricted

to binaryrelations isequivalentto thegeneral one.

Nowweturntoseparations. Adaptivechosen-ciphertextsecurityimpliesnon-malleabilityaccording

to Theorem3.3 . In contrast, thefollowing says thatnon-adaptive chosen-ciphertext security does

not implynon-malleability. Theproofis inSection3.5.

Theorem 3.5 [IND-CCA16)NM- CPA] If there exists an encryption scheme PE which is secure

inthesenseof IND- CCA1,thenthereexistsanencryptionschemePE 0

whichissecureinthesense

of IND-CCA1 butwhichis notsecureinthe senseof NM- CPA.

Now one can ask whether non-malleability implieschosen-ciphertext security. The following says

it does not even implythe non-adaptive form of thelatter. (As a corollary, it certainly doesnot

implytheadaptiveform.) The proofis inSection3.6 .

Theorem 3.6 [NM-CPA 6)IND- CCA1] If there exists an encryption scheme PE which is secure

inthesenseof NM- CPA,thenthere existsan encryption scheme PE 0

whichis secureinthesense

of NM- CPA butwhich isnotsecure inthesenseof IND- CCA1.

Now the only relation that does not immediately follow from the above results or by a trivial

reduction is that the version of non-malleabilityallowing CCA1 does not imply the version that

allows CCA2. SeeSection3.7forthe proofof thefollowing.

Theorem 3.7 [NM-CCA16)NM- CCA2] Ifthere existsanencryptionschemePE whichissecure

inthesenseof NM- CCA1,thenthereexistsanencryptionschemePE 0

whichissecureinthesense

For relations R which could be of arbitrary arity we use the simplifying notation R (a;b) as a

shorthand for R (a;b) when it is clear that b[1] = b and jbj = 1. We let a denote the bitwise

complement(namely thestringobtainedby ippingeach bit) of a.

For an IND-ATK adversary A=(A

1 ;A

2

) we will,whenever convenient,assume that the

mes-sages x 0 ;x 1 that A 1

outputs are distinct. Intuitively thiscannot decrease the advantage because

the contribution to the advantage in case they are equal is zero. Actually one has to be a little

careful. TheclaimwillbethatwecanmodifyAtomakesurethattheoutputmessagesaredistinct,

andonehastobecarefulto makesurethatwhenAoutputsequalmessagesthemodiedadversary

doesnotgetanyadvantage, sothattheadvantageof themodiedadversary isthesame asthatof

theoriginalone. Forcompletenesswe encapsulatetheclaim inthefollowingproposition.

Proposition 3.8 Let A = (A

1 ;A

2

) be any adversary attacking encryption scheme PE in the

senseof IND- ATK. Then there existsanother adversary B =(B

1 ;B

2

) attacking PE in thesense

of IND-ATK such that the two (equal length) messages that B

1

outputs are always distinct,

Adv ind-atk PE;B (k)=Adv ind-atk PE;A

(k),and therunningtime ofB iswithina constant factor ofthat ofA.

Proof: Adversaries A and B have access to an oracle O

1

in their rst stage and an oracle O

2 in

their second stage, these oracles being instantiated according to the attack ATK as described in

thedenitions. Theadversary B=(B

1 ;B 2 ) is asfollows: AlgorithmB O 1 1 (pk) (x 0 ;x 1 ;s) A O 1 1 (pk) ifx 0 6=x 1 thend 0 elsed 1 x 0 0 x 0 ; s 0 skd ifd=0 thenx 0 1 x 1 elsex 0 1 x 0 return(x 0 0 ;x 0 1 ;s 0 ) AlgorithmB O 2 2 (x 0 0 ;x 0 1 ;s 0 ;y) where s 0 =skd if d=0 thenc A O 2 2 (x 0 0 ;x 0 1 ;s;y) elsec f0;1g returnc

Note that by dening x 0

0 ;x

0

1

this way we always have x 0

0 6= x

0

1

. Also note that when x

0 = x 1 we have B 2

outputa randombitc to make sureits advantage inthatcase iszero.

It is easy to see that the running time of B is within a constant factor of that of A. Now we

claim that Adv ind-atk

PE;B

(k) =Adv ind-atk

PE;A

(k). To justify this, considerthe experimentsunderlyingthe

denitionsof theadvantages ofA and B,respectively:

Experiment1 def = (pk;sk) K (k); (x 0 ;x 1 ;s) A 1 (pk); b f0;1g; y E pk (x b ); c A O 2 2 (x 0 ;x 1 ;s;y) Experiment2 def = (pk;sk) K (k); (x 0 ;x 1 ;s) A 1 (pk); b f0;1g; y E pk (x b ); c B O 2 2 (x 0 0 ;x 0 1 ;skd;y):

In thelastexperiment,x 0

0 ;x

0

1

;d are dened interms ofx

0 ;x

1

asperthe code ofB

1

. Let Pr

1 [
]=

Pr[Experiment1 :
]betheprobabilityfunctionunderExperiment1andPr

2

[
]=Pr[Experiment2:
]

bethat underExperiment2. By denition

Adv ind-atk PE;A (k) = 2
Pr 1 [b=c] 1 and Adv ind-atk PE;B (k) = 2
Pr 2 [b=c] 1:

Thusit suÆces to show that Pr

1

[b=c]=Pr

2

[b=c]. Let E denote the event that x

0 =x

1 , or,

equivalently,that d=1. Then

Pr 1 [b=c] = Pr 1 [b=c j E]
Pr 1 [E]+Pr 1 h b=c j E i
Pr 1 h E i Pr 2 [b=c] = Pr 2 [b=c j E]
Pr 2 [E]+Pr 2 h b=c j E i
Pr 2 h E i :

1 2

 Pr

1

[E]=Pr

2

[E]since E dependsonlyon A

1 .

 Pr

1

[b=c j E]=1=2 because when E is true,A

2

has no informationaboutb. Onthe other

handPr

2

[b=c j E]=1=2 becausewhen E istrue we have B

2

output a randombit.

 Pr 1 h b=c j E i =Pr 2 h b=c j E i

becauseinthiscasetheexperimentsarethesame,namely

weare lookingat theoutput ofA

2 .

Thiscompletes theproof of Proposition3.8.

3.3 Proof of Theorem 3.1: NM- ATK)IND- ATK

WeareassumingthatencryptionschemePE issecureintheNM- ATKsense. Wewillshowitisalso

secureintheIND- ATKsense. LetB =(B

1 ;B

2

)beaIND- ATKadversary attackingPE. Wewant

toshowthatAdv ind-atk

PE;B

(
)isnegligible. Tothisend,wedescribeaNM- ATKadversaryA=(A

1 ;A

2 )

attacking PE. AdversariesA and B have accessto an oracle O

1

in theirrst stage and an oracle

O

2

intheir second stage, these oracles being instantiated according to the attack ATKasperthe

denitions. Recallthatz denotesthebitwise complement of astring z.

AlgorithmA O 1 1 (pk) (x 0 ;x 1 ;s) B O 1 1 (pk) M :=fx 0 ;x 1 g s 0 (x 0 ;x 1 ;pk;s) return(M;s 0 ) AlgorithmA O 2 2 (M;s 0 ;y)where s 0 =(x 0 ;x 1 ;pk;s) c B O 2 2 (x 0 ;x 1 ;s;y) y 0 E pk (x c ) return(R ;y 0 ) whereR (a;b)=1 ia=b ThenotationM :=fx 0 ;x 1

gmeansthatM isbeingassignedtheprobabilityspacewhichassignsto

each of x 0 and x 1 a probabilityof 1=2. A O 2 2

outputs (the descriptionof) the complement relation

R ,whichforanyargumentsa;bis 1 ifa=band 0 otherwise.

We considertheadvantageof A,given by

Adv nm-atk PE;A (k) = Pr[Exp nm-atk- 1 PE;A (k)=1] Pr[Exp nm-atk- 0 PE;A (k)=1] where Exp nm-atk-1 PE;A (k) def = h (pk;sk) K (k); (M;s 0 ) A O 1 1 (pk); x M ; y E pk (x); (R ;y 0 ) A O 2 2 (M;s 0 ;y); x 0 D sk (y 0 ): y6=y 0 ^?6=x 0 ^R (x;x 0 ) i Exp nm-atk-0 PE;A (k) def = h (pk;sk) K (k); (M;s 0 ) A O 1 1 (pk); x;x~ M ; y E pk (x); (R ;y 0 ) A O 2 2 (M;s 0 ;y); x 0 D sk (y 0 ): y6=y 0 ^?6=x 0 ^R (~x;x 0 ) i :

The advantage of B is givenbyAdv ind- atk PE;B (k)=2
Pr[Exp ind-atk- b PE;B (k)=b] 1,where Exp ind- atk- b PE;B (k) def = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) B O1 1 (pk); b f0;1g ; y E pk (x b ); c B O 2 2 (x 0 ;x 1 ;s;y): c=b i :

By Proposition3.8 we mayassume here, withoutloss of generality, that we always have x

0 6=x

1 .

Claim1: Pr[Exp

PE;A

(k)=1]=Pr[Exp

PE;B

(k)=b].

Proof: LookrstatthecodeofA

2 . NotethatR (x;x 0 ) istruei D sk (y)=x c

. Alsonotethatwhen

R (x;x 0

) istrue it must be that x 6=x 0

and hence, by the unique decryptabilityof the encryption

scheme,that y6=y 0

. Alsowe alwayshave ?6=x 0

.

Now, considerExp

ind-atk- b

PE;B

(k). An important observation is thatD

sk

(y)=x

c

i b=c. (Thisuses

thefact that x

0 6=x

1

, and would notbe true otherwise.) Now one can put thistogether withthe

above and see that b=c intheexperiment underlyingp

k exactly when y6=y 0 ^?6=x 0 ^R (x;x 0 )

intheexperimentExp

nm-atk-1 PE;A (k). 2 Claim2: Pr[Exp nm-atk- 0 PE;A (k)=1]=1=2.

Proof: This follows from an informationtheoretic fact, namely that A has no information about

themessage x~ withrespectto whichits success ismeasured.2

Nowwe can applytheclaimsto getAdv ind-atk

PE;B

(k)=2
Adv nm-atk

PE;A

(k). ButsincePE issecureinthe

NM- ATKsensewe know that Adv nm-atk

PE;A

(
) is negligible,and hence theabove impliesAdv ind-atk

PE;B (
)

isnegligibletoo. Thisconcludes the proofof Theorem3.1 .

The claimof Remark 3.2isclear fromtheabove becausethe relationR output byA isbinary.

3.4 Proof of Theorem 3.3: IND-CCA2)NM- CCA2

We are assuming that encryption scheme PE is secure in the IND- CCA2 sense. We show it is

also secure intheNM- CCA2 sense. The intuition is simple: sincetheadversary hasaccess to the

decryption oracle, she can decrypt theciphertexts she would output,and so theabilityto output

ciphertextsis notlikelyto add power.

For the proof, let B = (B

1 ;B

2

) be an NM- CCA2 adversary attacking PE. We must show

that Adv nm-cca2

PE;B

(
) is negligible. To this end, we describe an IND-CCA2 adversary A = (A

1 ;A 2 ) attacking PE. AlgorithmA D sk 1 (pk) (M;s) B D sk 1 (pk) x 0 M ; x 1 M s 0 (M;s) return (x 0 ;x 1 ;s 0 ) AlgorithmA D sk 2 (x 0 ;x 1 ;s 0 ;y) wheres 0 =(M;s) (R ;y ) B D sk 2 (M;s;y); x D sk (y ) if (y62y^?62x^R (x 0 ;x)) thend 0 elsed f0;1g returnd

NoticeAispolynomialtimeundertheassumptionthattherunningtimeofB,thetimetocompute

R , and thetime to sample from M areall boundedbya xed polynomialink. The advantage of

A isgiven byAdv ind- cca2 PE;A (k)=p k (0) p k

(1)where forb2f0;1g we let

p k (b) = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s 0 ) A D sk 1 (pk); y E pk (x b ): A D sk 2 (x 0 ;x 1 ;s 0 ;y)=0 i :

Also forb2f0;1g we let

p 0 k (b) = Pr h (pk;sk) K (k); (M;s) B D sk 1 (pk); x 0 ;x 1 M ; y E pk (x b ); (R ;y ) B D sk 2 (M;s;y); x D sk (y ): y62y^?2= x^R (x 0 ;x) i :

Nowobserve that A

2

mayreturn0 either when xis R -related to x

0

orasa result of thecoin ip.

Continuing withtheadvantagethen,

Adv ind-cca2 PE;A (k)=p k (0) p k (1) = 1 2
[1+p 0 k (0)] 1 2
[1+p 0 k (1)]= 1 2
[p 0 k (0) p 0 k (1)]

2 1 x 0 , is exactly Pr[Exp nm-cca2-0 PE;B

(k)=1]. On the other hand, in case it is x

0 , we are looking at Pr[Exp nm-cca2-1 PE;B (k)=1]. Adv nm-cca2 PE;B (k) = p 0 k (0) p 0 k (1) = 2
Adv ind-cca2 PE;A (k):

But we know that Adv ind- cca2

PE;A

(
) is negligible because PE is secure inthe sense of IND- CCA2. It

follows thatAdv nm- cca2

PE;B

(
) isnegligible, asdesired.

3.5 Proof of Theorem 3.5: IND-CCA16)NM- CPA

Assume there exists some IND- CCA1 secure encryption scheme PE = (K ;E;D), since otherwise

thetheorem is vacuouslytrue. We now modifyPE to anew encryption scheme PE 0 =(K 0 ;E 0 ;D 0 )

whichisalso IND- CCA1securebutnotsecureintheNM- CPA sense. Thiswillprove thetheorem.

The newencryption scheme PE 0 =(K 0 ;E 0 ;D 0

)is denedasfollows. Here xdenotesthebitwise

complementof stringx, namely thestringobtained by ippingeach bit ofx.

AlgorithmK 0 (k) (pk;sk) K (k) return(pk;sk) AlgorithmE 0 pk (x) y 1 E pk (x); y 2 E pk (x) returny 1 ky 2 AlgorithmD 0 sk (y 1 ky 2 ) returnD sk (y 1 )

In otherwords,a ciphertextinthe newscheme is a pairy

1 ky

2

consistingof theencryption ofthe

messageand itscomplement. Indecrypting,thesecond componentisignored. It isnowquiteeasy

to seethat:

Claim 3.9 PE 0

isnotsecure intheNM- CPA sense.

Proof: Given aciphertext y

1 ky

2

ofamessage x,itiseasyto create aciphertextof x: justoutput

y

2 ky

1

. Thus, thescheme ismalleable.

Formally,wecan specifyapolynomialtimeadversary A=(A

1 ;A 2 )thatbreaksPE 0 inthesenseof

NM- CPA,withprobabilityalmostone,asfollows. A

1

(pk)outputs(M;)whereM putsauniform

distribution on f0;1g k . Then algorithm A 2 (M;;y 1 ky 2 ) outputs (R ;y 2 ky 1 ) where R describes

thebinary relationdened by R (m

1 ;m 2 )=1i m 1 =m 2

. It is easy to see that theplaintext, x 0

,

correspondingto theciphertext that Aoutputsis R -relatedto x withprobability1. Observe that

theprobabilityofsomerandomplaintextx~beingR -relatedtox 0 isatmost2 k . ThusAdv nm-cpa PE 0 ;A (k) is1 2 k

whichisnotnegligible. (Infactitiscloseto one.) Hence Aisasuccessfuladversary and

thescheme is notsecureinthesenseof NM- CPA.

Ontheotherhand, ahybridargumentestablishesthat PE 0

retainstheIND- CCA1securityof PE:

Claim 3.10 PE 0

is secureinthesenseof IND- CCA1.

Proof:LetB =(B

1 ;B

2

)besomepolynomialtimeadversaryattackingPE 0

intheIND- CCA1sense.

We want to show that Adv ind-cca1

PE 0

;B

(k) is negligible. To do so, consider the following probabilities,

denedfori;j 2f0;1g: p k (i;j) = Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) B D sk 1 (pk); y 1 E pk (x i ); y 2 E pk (x j ): B 2 (x 0 ;x 1 ;s;y 1 ky 2 )=1 i :

We know that Adv ind-cca1 PE 0 ;B (k) = p k (1;1) p k

(0;0). The following lemmas state that, under our

assumption that PE is IND- CCA1-secure, it must be that the dierences p

k

(1;1) p

k

k k Adv ind-cca1 PE 0 ;B (k) = p k (1;1) p k (0;0) = [p k (1;1) p k (1;0)]+[p k (1;0) p k (0;0)];

beingthesum oftwo negligiblefunctions,willbenegligible. Soitremainsto (stateand)provethe

lemmas. Lemma1: p k (1;1) p k (1;0) isnegligible.

Proof: We canconstruct anadversary A=(A

1 ;A

2

) thatattacks thescheme PE intheIND- CCA1

sense, asfollows: AlgorithmA D sk 1 (pk) (x 0 ;x 1 ;s) B D 0 sk 1 (pk) m 0 x 0 ; m 1 x 1 return(m 0 ;m 1 ;s) AlgorithmA 2 (m 0 ;m 1 ;s;y) y 1 E pk (m 1 ); y 2 y d B 2 (m 0 ;m 1 ;s;y 1 ky 2 ) returnd The computation B D 0 sk 1 (pk) is done by A 1 simulating the D 0 sk

oracle. It can do this by replying

to query y 1 ky 2 via D sk (y 1

), usingits own D

sk

oracle and the denitionof D 0

sk

. Thisadversary is

polynomialtime. One can nowcheckthefollowing:

Pr h (pk;sk) K (k); (m 0 ;m 1 ;s) A D sk 1 (pk); y E pk (m 1 ): A 2 (m 0 ;m 1 ;s;y)=1 i = p k (1;1) Pr h (pk;sk) K (k); (m 0 ;m 1 ;s) A D sk 1 (pk); y E pk (m 0 ): A 2 (m 0 ;m 1 ;s;y)=1 i = p k (1;0) ThusAdv ind-cca1 PE;A (k)=p k (1;1) p k

(1;0). The assumedsecurityofPE intheIND-CCA1 sensenow

impliesthelatterdierence isnegligible.2

Lemma2: p

k

(1;0) p

k

(0;0) isnegligible.

Proof: We canconstruct anadversary A=(A

1 ;A

2

) thatattacks thescheme PE intheIND- CCA1

sense, asfollows: AlgorithmA D sk 1 (pk) (x 0 ;x 1 ;s) B D 0 sk 1 (pk) return(x 0 ;x 1 ;s) AlgorithmA 2 (x 0 ;x 1 ;s;y) y 1 y and y 2 E pk (x 0 ) d B 2 (x 0 ;x 1 ;s;y 1 ky 2 ) returnd

Again A ispolynomialtimeand can simulate D 0 sk given D sk . Weobserve that Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) A D sk 1 (pk); y E pk (x 1 ): A 2 (x 0 ;x 1 ;s;y)=1 i = p k (1;0) Pr h (pk;sk) K (k); (x 0 ;x 1 ;s) A D sk 1 (pk); y E pk (x 0 ): A 2 (x 0 ;x 1 ;s;y)=1 i = p k (0;0) ThusAdv ind-cca1 PE;A (k)=p k (1;0) p k

(0;0). The assumedsecurityofPE intheIND-CCA1 sensenow

impliesthelatterdierence isnegligible.2

Thiscompletes theproof of Claim3.10 .

Remark 3.11 WecouldhavegivenasimplerschemePE 0

thantheoneabovethatwouldbesecure

intheIND- CCA1sensebutnotintheNM- CPAsense. LetK 0 beasabove,letE 0 pk (x) ykbwhere y E pk (x)andb f0;1gandD 0 sk (bky) D sk

(y). ThemalleabilityofPE 0

This is allowed by Denition2.2 since the onlyrestriction is that the vector of ciphertexts y the

adversary outputsshouldnotcontain ykb. However, thedenitionof[13 ] didnotallow this,and,

in order to have a stronger separation result that also applies to theirnotion, we gave the above

more involved construction.

3.6 Proof of Theorem 3.6: NM- CPA 6)IND-CCA1

Let'srstbackupabitand providesome intuitionaboutwhythetheorem mightbetrueandhow

we can prove it.

Intuitionandfirstattempts. Atrstglance,onemightthinkNM- CPAdoesimplyIND- CCA1

(orevenIND- CCA2), forthefollowingreason. Supposean adversary hasa decryptionoracle, and

isaskedto tellwhetheragivenciphertextyistheencryptionofx

0 orx 1 ,wherex 0 ;x 1 aremessages

shehaschosenearlier. Sheisnotallowedto callthedecryptionoracleon y. Itseemsthentheonly

strategyshecould have isto modifyy to somerelated y 0

,callthe decryptionoracleon y 0

,and use

the answer to somehow help her determine whether the decryption of y was x

0 orx

1

. But ifthe

schemeisnon-malleable,creating ay 0

meaningfullyrelatedto yisnotpossible,sotheschememust

bechosen-ciphertextsecure.

Thereasoningaboveisfallacious. The awisinthinkingthattotellwhethery isanencryption

ofx

0 orx

1

,onemustobtainadecryptionofaciphertexty 0

relatedtothechallengeciphertexty. In

fact, what can happen is thatthere are certain stringswhosedecryption yieldsinformationabout

thesecret keyitself,yet thescheme remainsnon-malleable.

The approach to prove the theorem is to modifya NM- CPA scheme PE =(K ;E;D) to a new

scheme PE 0 =(K 0 ;E 0 ;D 0

)whichis also NM- CPA butcan bebroken under anon-adaptive

chosen-ciphertext attack. (We can assume a NM- CPA scheme exists since otherwisethere is nothingto

prove.) A rst attempt to implement the above idea (of having the decryption of certain strings

carryinformationaboutthesecretkey)isstraightforward. Fixsome ciphertext unotintherange

of E and dene D 0

sk

(u) =sk to return the secret key whenever it is given thisspecial ciphertext.

In all other aspects, the new scheme is the same as the old one. It is quite easy to see that this

scheme fallsto a (non-adaptive) chosen-ciphertext attack, because the adversary need only make

query u of its decryption oracle to recover the entire secret key. The problem is that it is notso

easy to tellwhether thisscheme remainsnon-malleable. (Actually,we don'tknowwhether itisor

not, butwe certainly don'thave a proofthat itis.)

As this example indicates, it is easy to patch PE so that it can be broken in the sense of

IND- CCA1; what we need is that it also be easy to prove that it remains NM-CPA secure. The

idea of ourconstruction belowis to usea level of indirection: sk is returnedbyD 0

inresponseto

a query v which isitself a randomstring that can onlybeobtained byqueryingD 0

at some other

known point u. Intuitively, this scheme will be NM- CPA secure since v will remain unknown to

theadversary.

Our construction. Given a non-malleable encryption scheme PE =(K ;E;D) we dene a new

encryptionscheme PE 0 =(K 0 ;E 0 ;D 0 )asfollows: AlgorithmK 0 (k) (pk;sk) K (k) u;v f0;1g k pk 0 pkku sk 0 skkukv return(pk 0 ;sk 0 ) AlgorithmE 0 pkku (x) y E pk (x) return0ky AlgorithmD 0 skkukv (bky) whereb2f0;1g if b=0 thenreturnD sk (y)

elseif y=u thenreturnv

elseif y=v returnsk

Analysis. The proof of Theorem3.6 is completed by establishing that PE is vulnerable to a

IND- CCA1 attack butremainsNM-CPA secure.

Claim 3.12 PE 0

is notsecureinthesenseof IND- CCA1.

Proof: The adversary queriesD 0

skkukv

(
) at 1ku to get v, and then queries it at the point 1kv,

to getsk. At thispoint,knowingthesecret key,shecan obviouslyperformthedistinguishingtask

we laterrequireof her.

If you wish to see it more formally, the nd stage A

1

of the adversary gets pk as above and

outputsany two distinct,equal length messagesx

0 ;x

1

. In the next stage, it receives a ciphertext

0ky E 0

pkku (x

b

) where b wasa random bit. Now it can compute D

sk

(y) to recover the message

and thusdetermineb withprobabilityone. It isobviouslypolynomialtime.

Remember thatPE is assumed secure in thesense of NM- CPA. We will use thisto establish the

following:

Claim 3.13 PE 0

is secureinthesenseof NM- CPA.

Proof: To prove this claim we consider a polynomial time adversary B attacking PE 0

in the

NM- CPA sense. We want to show that Adv nm- cpa

PE 0

;B

(
) is negligible. To do this, we construct an

adversary A=(A

1 ;A

2

)that attacks PE intheNM- CPA sense. Theidea isthatA can runB asa

subroutineand simulate thechoosingofu;v by thekeygenerationalgorithm K 0 forB. AlgorithmA 1 (pk) u;v f0;1g k pk 0 pkku (M;s) B 1 (pk 0 ) s 0 (s;u;v;pk) return(M;s 0 ) AlgorithmA 2 (M;s 0 ;y) where s 0 =(s;u;v;pk) (R ;z) B 2 (M;s;0ky)

for1ijzj do parse z[i]asb

i kz i where b i is abit for1ijzj do if b i =0 theny [i] z i elseif (b i =1) ^ (z i =u)theny [i] E pk (v) elsey [i] y return(R ;y )

We now denetwo experiments. The rst is the one under which Adv nm-cpa

PE;A

(k) is evaluated, and

thesecond isthe one underwhich Adv nm- cpa PE 0 :B (k) is evaluated: Experiment1 def = (pk;sk) K (k); (M;(s;u;v;pk)) A 1 (pk); x;x~ M ; y E pk (x); (R ;y ) A 2 (M;(s;u;v;pk);y); x D sk (y ) Experiment2 def = (pkku;skkukv) K 0 (k); (M;s) B 1 (pkku); x;x~ M ; 0ky E 0 pkku (x); (R ;z) B 2 (M;s;0ky); w D 0 skkukv (z): Let Pr 1

[
] = Pr[Experiment1:
] be the probability function under Experiment1 and Pr

2 [
] =

Pr[Experiment2 :
]be thatunderExperiment2 . LetE

1 ,E

2

,and E

3

be thefollowingevents:

E 1 def = 8i: (b i =0)_(b i =1^z i =u) E 2 def = 9i: (b i =1^z i =v^u6=v) E 3 def = 9i: (b i =1^z i 6=u^z i 6=v)

p(1;j) = Pr 1 [y62y^?62x^R (x;x) j E j ] Pr 1 [y62y^?62x^R (~x;x) j E j ] p(2;j) = Pr 2 [0ky62z^?62w^R (x;w ) j E j ] Pr 2 [0ky62z^?62w^R (~x;w ) j E j ] : By conditioningwehave: Adv nm-cpa PE;A (k) = P 3 j=1 p(1;j)
Pr 1 [E j ] Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)
Pr 2 [E j ]:

We now upper bound Adv nm- cpa PE 0 ;B (k) in terms of Adv nm- cpa PE;A

(k) by a series of lemmas. The rst

observation isthat theprobabilityofourthree eventsisthe same inbothexperiments.

Lemma1: Pr 1 [E j ]=Pr 2 [E j ]forj=1;2;3.

Proof: These eventsdependonlyon thekeys and B.2

Letq beapolynomialwhichboundstherunningtimeofB. Inparticularwecanassumejzj<q(k).

Lemma2: p(2;1)  p(1;1)+q(k)
2 k . Proof: By event E 1 every z[i]=b i kz i haseither(b i =0) or(b i =1^z i =u). If b i

=0 thenA willoutput z

i

inExperiment1 ,whileB would beoutputting0kz

i in Experiment2 . But D 0 skkukv (0kz i )=D sk (z i ),and furthermorey =z i

(the challenge to A is equalto this

compo-nent ofA's output)i 0ky =0kz

i

(thechallenge to B is equalto thiscomponent ofB'soutput).

ThusA properlysimulatesB.

If b i =1 and z i =u then D 0 skkukv (b i kz i

) =v is randomand independent of theexecution of B.

To\simulate"itwehaveAoutputan encryptionofrandomv. But,Awillonlybesuccessfulifthe

createdciphertextisdierentfromy. Theprobabilityofthisnothappeningcanbeupperbounded

by the probability that v = D

sk

(y), which is at most 2 k

. The worst case in this event is when

8i: (b

i

=1^z

i

=u). Since jzj q(k), the probability, under thisevent, that A doesnot match

theadvantageof B,is at mostq(k)
2 k .2 Lemma3: Pr 1 [E 2 ]  q(k)
2 k .

Proof: B has no information about v since the latter was chosen independentlyof its execution,

and also uhas a2 k

chance ofequalingv. TheLemma followssincejzj <q(k).2

Lemma4: p(1;3)=p(2;3)=0.

Proof: When event E

3

happensinExperiment1 , one of theciphertextsy [i]that A

2

outputsequals

y and hence there is no contribution to the success probability. When event E

3

happens in

Experiment2 , thedenitionof D 0

skkukv

says that thedecryption ofsome z[i]is ?and hence again

thereisnocontributiontothesuccessprobability. Inotherwords,inbothcases,thereisnosuccess

ineither the\real"orthe\random" experiment.2

FromLemmas 1,2,3,4 we get

Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)
Pr 1 [E j ]  q(k)
2 k + p(1;1)
Pr 1 [E 1 ] + p(2;2)
Pr 1 [E 2 ] + p(1;3)
Pr 1 [E 3 ]  q(k)
2 k + p(1;1)
Pr 1 [E 1 ] + p(1;2)
Pr 1 [E 2 ] + p(1;3)
Pr 1 [E 3 ]

1 2  q(k)
2 k + P 3 j=1 p(1;j)
Pr 1 [E j ] + Pr 1 [E 2 ]  2q(k)
2 k + Adv nm-cpa PE;A (k):

Theassumption thatPE issecureinthesenseof NM- CPA impliesthatAdv nm-cpa

PE;A

(k) isnegligible,

and henceit followsthat Adv nm- cpa

PE 0

;B

(k) isnegligible.

3.7 Proof of Theorem 3.7: NM- CCA1 6)NM- CCA2

The approach, as before, is to take a NM- CCA1 secure encryption scheme PE = (K ;E;D) and

modifyit to a new encryption scheme PE 0 =(K 0 ;E 0 ;D 0

) which is also NM-CCA1 secure, but can

bebroken intheNM-CCA2 sense.

Intuition. Notice that the construction of Section 3.6 will no longer work, because the scheme

constructed there, notbeingsecure inthe senseof IND-CCA1, willcertainly not be secure inthe

senseof NM- CCA1, for thesame reason: the adversary can obtainthedecryption key inthe rst

stage using a coupleof decryption queries. Our task thistime is more complex. We want queries

made in the second stage, after the challenge is received, to be important, meaning they can be

usedtobreakthescheme,yet,somehow, queriesmadeintherststagecannotbeusedtobreakthe

scheme. This meanswe can no longer relyon a simplisticapproach of revealing thesecret keyin

responsetocertainqueries. Instead,the\breaking"queriesinthesecond stagemustbeafunction

ofthechallengeciphertext,andcannotbemadeinadvanceofseeingthisciphertext. Weimplement

thisideabya \tagging"mechanism. Thedecryptionfunctioniscapableof taggingaciphertextso

asto be able to \recognize"it ina subsequent query, and reveal inthat stage informationrelated

specically to the ciphertext, but not directly to the secret key. The tagging is implemented via

pseudorandomfunctionfamilies.

Our construction. LetPE =(K ;E;D) bethe given NM- CCA1secure encryptionscheme. Fix

a family F = fF k

: k  1g of pseudorandom functions as per [20 ]. (Notice that this is not

an extra assumption. We know that the existence of even a IND- CPA secure encryption scheme

impliesthe existence of a one-wayfunction [23 ] whichin turn impliestheexistence of a family of

pseudorandom functions [22 , 20 ].) Here each F k = fF K : K 2 f0;1g k g is a nite collection in

which each key K 2 f0;1g k

indexes a particular function F

K : f0;1g k ! f0;1g k . We dene the

new encryptionscheme PE 0 =(K 0 ;E 0 ;D 0

) asfollows. Recall that"is theemptystring.

AlgorithmK 0 (k) (pk;sk) K (k) K f0;1g k sk 0 skkK return(pk;sk 0 ) AlgorithmE 0 pk (x) y E pk (x) return0kyk" AlgorithmD 0 skkK (bkykz) where bis abit if (b=0) ^(z=") thenreturnD sk (y)

elseif(b=1) ^ (z=") thenreturnF

K (y) elseif(b=1) ^ (z=F K (y))returnD sk (y) elsereturn?

Analysis. The proof of Theorem3.7 is completed by establishing that PE 0

is vulnerable to a

NM- CCA2attackbutremainsNM-CCA1 secure.

Claim 3.14 PE 0

is notsecureinthesenseof NM- CCA2.

Proof: The idea is that while the adversary may not ask for the decryption of the challenge

ciphertext 0kyk"in its second stage, it mayask for the decryptionof 1kykF

K

(y). This is infact

exactly the decryption of 0kyk". The adversary rst needs to compute F

K

(y) withoutaccess to

1 2

space M consisting oftwo distinct stringsx

0 ;x

1

,each havingprobability1=2. A

2

,given challenge

ciphertext 0kyk", makes query 1kyk" to get F

K

(y), and outputs (R ;Z) where R (a;b) = 1 i

a = b is the equality relation, and Z = 1kykF

K

(y). Notice that Z 6= 0kyk" so this is a valid

output, but D 0 skkK (Z) = D 0 skkK (0kyk") so Pr[Exp nm-cca2-1 PE;A

(k)=1] = 1. On the other hand,

Pr[Exp nm-cca2-0 PE;A (k)=1]1=2. So Adv nm- cca2 PE;A

(k)1=2,whichis certainlynotnegligible.

RememberthatPE isassumed secureinthesenseofNM- CCA1. We willusethisto establishthe

following:

Claim 3.15 PE 0

is secureinthesenseof NM- CCA1.

Letusrstgivesome intuitionandthentheproof. Thekeypoint isthattodefeatthescheme,the

adversary mustobtainF

K

(y) where 0kyk"is thechallenge. However, to do thisshe requiresthe

decryption oracle. This is easy for an NM- CCA2 adversary but not for an NM- CCA1 adversary,

which hasadecryption oracleavailableonlyintherst stage,when y isnotyet known. Once y is

provided(in thesecond stage) the possibilityofcomputingF

K

(y) issmallbecause thedecryption

oracle is no longer available to give it for free, and the pseudorandomness of F makes it hard to

computeon one's own.

Proof of Claim 3.15 : Toprovethisclaim we considerapolynomialtimeadversaryB attacking

PE 0

in the NM-CCA1 sense. We want to show that Adv nm-cca1

PE 0

;B

(
) is negligible. To do this, we

considerthe following adversary A =(A

1 ;A

2

) attacking PE in the NM- CCA1sense. The idea is

thatAcanchoosethekeyKforthekeygenerationalgorithmK 0

ofB andthusprovideasimulation

of thedecryptionoracle ofB.

AlgorithmA D sk 1 (pk) K f0;1g k (M;s) B D 0 skkK 1 (pk) s 0 (s;K ;pk) return(M;s 0 ) AlgorithmA 2 (M;s 0 ;y) wheres 0 =(s;K ;pk) (R ;z) B 2 (M;s;0kyk")

for1ijzj do parsez[i] asb

i ku i kv i where b i is abit for1ijzj do if (b i =0) ^ (v i =")theny [i] u i elseif(b i =1) ^ (v i =")theny [i] E pk (F K (u i )) elseif(b i =1) ^ (v i =F K (u i ))theny [i] u i elsey [i] y return(R ;y )

The analysis follows in spiritthat in the proof of Claim3.13; the key new element is the

pseudo-randomfunction. Roughly we seekto recapture the lemmas inthat proofmodulo thesecurity of

thepseudorandomfunctionfamily.

Forthe proof,we denetwo experiments. The rst isthe one underwhichAdv nm- cca1

PE;A

(k) is

evalu-ated, and thesecond istheone under which Adv nm- cca1 PE 0 ;B (k) isevaluated: Experiment1 def = (pk;sk) K (k); (M;(s;K ;pk)) A D sk 1 (pk); x;x~ M ; y E pk (x); (R ;y ) A 2 (M;(s;K ;pk);y); x D sk (y ) Experiment2 def = (pk;skkK) K 0 (k); (M;s) B D 0 skkK 1 (pk); x;x~ M ; 0kyk" E 0 pkku (x); (R ;z) B 2 (M;s;0kyk"); w D 0 skkK (z):

1 2

Pr[Experiment2 :
]be thatunderExperiment2 . LetE

1 ,E

2

,and E

3

be thefollowingevents:

E 1 def = 8i: (v i =")_(b i =1^v i =F K (u i )^u i 6=y) E 2 def = 9i: (b i =1^v i =F K (u i )^u i =y^v i 6=") E 3 def = 9i: (b i =1^v i 6=F K (u i )^v i 6=")_(b i =0^v i 6=") Forj =1;2;3 let p(1;j) = Pr 1 [y62y^?62x^R (x;x)j E j ] Pr 1 [y62y^?62x^R (~x ;x) j E j ] p(2;j) = Pr 2 [0kyk"62z^?62w^R (x;w ) j E j ] Pr 2 [0kyk"62z^?62w^R (~x;w ) j E j ] : By conditioningwe have: Adv nm-cpa PE;A (k) = P 3 j=1 p(1;j)
Pr 1 [E j ] Adv nm-cpa PE 0 ;B (k) = P 3 j=1 p(2;j)
Pr 2 [E j ]:

We nowupperboundAdv nm- cpa PE 0 ;B (k) intermsof Adv nm-cpa PE;A (k)bya seriesoflemmas. Lemma1: Pr 1 [E j ]=Pr 2 [E j ]forj=1;2;3.

Proof: These eventsdependonlyon thekeys and B.2

Letq be a polynomialwhich boundstherunningtimeof B andin particularsothat jzj<q(k).

Lemma2: p(2;1)  p(1;1)+(k) forsome negligiblefunction dependingon B.

Proof: We considertwo possiblecases forvaluesofz[i]=b

i ku i kv i ,given event E 1 . First suppose (b i = 1^v i = F K (u i )^u i

6= y). Note that v

i = F K (u i ) implies v i 6= " since the outputof F K

isalwaysk bitslong. Now, from thecodeof A

2

,we seethat inthiscase A

2

sets y [i]

to u

i

. Observe that if ciphertext y [i] (respectively z[i]) that A (respectively B) creates equals y

(respectively0kyk")thenthereisnocontributiontothesuccessprobability. Sinceb

i

=1weknow

that z[i] 6= 0kyk". On theother hand the conditionu

i

6=y means that y [i] 6=y too. From the

denitionofD 0 wehaveD 0 skkK (1ku i kF K (u i ))=D sk (u i

),soAisproperlysimulatingB. (Meaning

thecontributionto their respective successprobabilitiesisthe same.)

Forthe secondcase, namelyv

i

=", we considerthetwo possiblevaluesof b

i .

Ifb

i

=0thenAwillsety [i]=u

i

,andfromthedenitionofD 0 wehaveD 0 skkK (0ku i k")=D sk (u i ).

ObservethatAwilloutputaciphertexty [i]thatequalsyifandonlyifB outputsaciphertextz[i]

thatequals 0kyk". Soagain A isproperlysimulatingB.

If b i = 1 then D 0 skkK (1ku i k") = F K (u i ) by denition of D 0

. A correctly \simulates" this by

outputting an encryption of F

K (u

i

). This choice of A contributes to the success probability as

long asitis dierent fromy. The probabilityof thisnothappeningcan be upperboundedbythe

probabilitythatE pk (F K (u i

))=y. Wemustconsidertheworstcase,whichiswhen8i: (b

i =1 ^ v

i =

"),soweareinterestedinboundingtheprobabilitythatthereissomeisuchthatE

pk (F K (u i ))=y.

Intuitively,such\ciphertextcollisions"areunlikelysinceotherwisetheschemewouldnotbesecure

even inthe sense of IND- CCA1. Formally, one can show that the probabilityof such collisions is

at most(k), where(
) isa negligiblefunction dependingon B,byshowingthatifnot, we could

designan adversary A 0

thatwouldbreakthescheme inthesenseof IND-CCA1. Thisis standard,

In the rst stage A does what A does, picking a key K so that it can provide a simulation of

the decryption oracle of B, similar to the simulation providedby A. It runs the rst stage of B

and picksa pair ofmessages uniformlyfrom the message space output byB. In thesecond stage

it is given an encryption of one of these messages as the challenge. It then obtains a polynomial

numberofencryptionsof one ofthe messagesand checksifanyof theresulting ciphertextsmatch

the challenge ciphertext. If it doesthen it bets that the challenge ciphertext corresponds to this

message, otherwiseit decidesby ippinga coin. Observethat thesuccess ofA 0

is exactlyone half

theprobabilityofthere beingsome isuchthatE

pk (F

K (u

i

))=ysincetheexperimentsdeningthe

success ofA 0

andthe upperboundontheprobabilityinquestionaresimilar. SincePE isgivento

besecureintheNM- CCA1sense(andtherefore intheIND- CCA1sense,seeTheorem 3.1 ),weget

a boundof (k) where isa negligiblefunctiondependingonB.2

Notice that in the above we didnot use the security of the pseudorandom functionfamily. That

comes up only in the next lemma. Accordingly, in the following, for any polynomial f we let

Æ

f

(k) be a negligible function which upper bounds the advantage obtainable by anyadversary in

distinguishingF from a familyof randomfunctions when therunningtime ofthisadversary isat

mostf(k). Lemma3: Pr 1 [E 2 ]  q(k)
[Æ q

(k)+(k)] forsome negligiblefunction  that dependson B.

Proof: Event E 2 occurs if B outputs 1ku i kv i where u i =y and v i = F K

(y). The claim is that

thishappenswithonlya smallprobability.

Note that it is not impossible for B to compute the value of F

K

on a point, even though F is

pseudorandom, because it can compute F

K

(m) on a point m of its choice simply by querying its

decryption oracleon 1kmk". However, thisoracleis onlyavailablein therst stage, and inthat

stageB doesnotknowy. Whenshedoesgettoknowy (inthesecond stage)shenolongerhasthe

decryptionoracle. Thepseudorandomness ofF thensaysherchanceof computingF

K

(y) issmall.

To turn thisintuition into a formal proof, rst imaginethat we use, inthe role of F

K

, a random

function g. (Imagine that D

skkK

has oracle access to g and uses it in the role of F

K

.) In the

resulting scheme and experiment, itis clearthat thechance that B computes g(y) is at most2 k

plusthechancethatshemade aqueryinvolvingy tothedecryptionoracleintherst stage. Since

y isa ciphertextcreatedafter therst stage,we claimthat thechance thatB couldmake aquery

involving y inherrststage isnegligible. Thisistruebecause ifnot,we would contradict thefact

thatPE isIND-CCA1. (Thiscan beargued analogously to theargument intheprevious Lemma.

We omitthe details.)

Let(k)thenbethenegligibleprobabilityof computingg(y). Nowgiven thatF ispseudorandom

innature we can boundtheprobabilityof B correctly computingF

K

(y) byÆ

q

(k)+(k) for some

polynomialq whichdependson B. (Justiedbelow.) SowhileB could always picku

i

to be y,she

would have a negligibleprobability of setting v

i

to be F

K

(y). In the worst case this event could

happen withprobabilityat mostjzj
[Æ

q

(k)+(k)].

The bound of Æ

q

(k) +(k) mentioned above is justied using the assumed security of F as a

pseudorandom function family. If the event in question had a higher probability, we would be

abletoconstructadistinguisherbetweenF andthefamilyofrandomfunctions. Thisdistinguisher

wouldgetanoraclegforsomefunctionandhastotellwhethergisfromF k

orisarandomfunction

of k bits to k bits. It would itself pickthesecret keys underlyingExperiment1 orExperiment2 and

run the adversaries A or B. It can test whether or not the event happens because it knows all

decryptionkeys. Ifithappensitbetsthat gispseudorandom,because thechanceunderarandom

functionisat most2 k

Proof: When event E

3

happensinExperiment1 , one of theciphertextsy [i]that A

2

outputsequals

y and hence there is no contribution to the success probability. When event E

3

happens in

Experiment2 , the denition of D 0

skkK

says that the decryption of some z[i] is ? and hence again

thereisnocontributiontothesuccessprobability. Inotherwords,inbothcases,thereisnosuccess

ineither the\real"orthe\random" experiment.2

FromLemmas 1,2,3,4 we get

Adv nm-cca1 PE 0 ;B (k) = P 3 j=1 p(2;j)
Pr 1 [E j ]  (k) + p(1;1)
Pr 1 [E 1 ] + p(2;2)
Pr 1 [E 2 ] + p(1;3)
Pr 1 [E 3 ]  (k) + p(1;1)
Pr 1 [E 1 ] + p(1;2)
Pr 1 [E 2 ] + p(1;3)
Pr 1 [E 3 ] +(p(2;2) p(1;2))
Pr 1 [E 2 ]  (k) + P 3 j=1 p(1;j)
Pr 1 [E j ] + Pr 1 [E 2 ]  (k)+q(k)
[Æ q (k)+(k)] + Adv nm- cpa PE;A (k): Since Æ q

(k) and (k) are negligible quantities, the assumption that PE is secure in the sense

of NM- CCA1 implies that Adv nm- cca1

PE;A

(
) is negligible, and hence it follows that Adv nm- cca1 PE 0 ;B (
) is negligible. 4 Results on PA

In this section we dene plaintext awareness and prove that it impliesthe random-oracle version

of IND-CCA2,butisnotimplied byit.

Throughoutthissection we shallbeworking exclusivelyintheROmodel. Assuch,all notions

of securitydened earlierrefer, inthissection,to theirRO counterparts. These areobtainedin a

simplemanner. TomodifyDenitions2.1and 2.2, begin thespeciedexperiment(theexperiment

whichdenes advantage) bychoosingarandomfunctionH fromthesetofallfunctionsfrom some

appropriatedomaintoappropriaterange. (Thesesetsmightchangefromschemetoscheme.) Then

providean H-oracleto A

1 and A

2

,and allowthatE

pk

andD

sk

maydependonH (which we write

asE H pk and D H sk ). 4.1 Denition

Our denitionof PA isfrom [6], except thatwe make one important renement. An adversary B

for plaintext awareness is given a public key pk and access to the random oracle H. We also

provide B with an oracle for E H

pk

. (This is our renement, and its purpose is explained later.)

The adversary outputs a ciphertext y. To be plaintext aware the adversary B should necessarily

\know"thedecryptionxofitsoutput. Toformalizethisitisdemandedthereexistsome(universal)

algorithm K (the \plaintext extractor") that could have output x just by looking at the public

key,B's H-queries and the answers to them, and theanswers to B's queries to E H

pk

. Let usnow

summarizetheformaldenitionand thendiscussit.

By (hH;C;y) runB H ;E

H

pk

(pk)we meanthefollowing. Run B oninputpk andoracles H and

E H

pk

,recordingB'sinteractionwithits oracles. Form intoa listhH =((h

1 ;H 1 );:::;(h q H ;H q H ))all ofB'sH-oracle queries,h 1 ;:::;h q H

,and thecorrespondinganswers,H

1

;:::;H

q

H

. Form into alist

C =(y

1 ;:::;y

q

E

)theanswers (ciphertexts)received asa resultof E H

pk

-queries. (Themessagesthat