
In three different, highly reputable sources (e.g. "Introduction to Modern Cryptography" by Katz and Lindell, 2007), the definition of CCA attack doesn't allow the adversary to decrypt the challenge, but also doesn't require the adversary to send never-before-seen messages.

I'm assuming that this is a mistake, and that the CCA security definition is supposed to disallow the replay of previously seen messages as well (seeing as that would be equivalent to asking for their decryptions)? Or is there a subtlety I'm missing?

If it is indeed allowed to send previously seen messages, then I don't see why the following is not a simpler CCA attack for Rabin than the one described in this post:

  1. Ask for encryptions and decryptions of two messages $m_0, m_1$.
  2. Send these to the challenger.
  3. Compare $Enc(m_b)$ to saved decryptions of $m_0$, $m_1$.

Even if random padding is added, we can look at the deterministic part of the decryptions.

Asked by Anon; edited by Ievgeni.
  • Here is our canonical Q/A for this: Easy explanation of "IND-" security notions? And don't forget that there was a name change in the history of CCAs. And, you're good! Highly reputable sources need a link here. – kelalaka Aug 16 '22 at 10:00
  • @kelalaka Thanks. So if I understand correctly, CCA (as it appears in "Introduction to Modern Cryptography" by Katz and Lindell, 2007) is actually IND-CCA1 in your link, and that it DOES allow replaying messages and therefore my Rabin attack is valid? – Anon Aug 16 '22 at 10:11
  • Correction: I can actually see the book's description matches IND-CCA2, but I'm still doubting whether I got this right, i.e. under IND-CCA2, is the adversary indeed allowed to replay m_i rendering the above attack valid? – Anon Aug 16 '22 at 10:27
  • 1
    It is not clear how one can look at the deterministic part of the decryptions? – kelalaka Aug 16 '22 at 12:37
  • To expand on what Kelalaka said: different encryptions of the same message produce entirely different ciphertexts. The challenger picks the nonce, not the adversary. So step 3 will not match either $m_0$'s or $m_1$'s ciphertext from when they were first encrypted. – SAI Peregrinus Aug 17 '22 at 03:02
  • @SAIPeregrinus why not? There's random padding, as in RSA, so if we know which bits are not random - why wouldn't they be the same? Just disregard the padding bits in the ciphertext, and compare the rest. I don't see why these should be different. – Anon Aug 17 '22 at 15:10
  • 1
    Padding (or a nonce for symmetric systems) is applied before encryption, not after. Since each bit of the plaintext influences every bit of the ciphertext (any IND-CPA secure cryptosystem will exhibit this "avalanche" property) changing the padding will randomize the entire ciphertext. There are no "padding bits" in the ciphertext. ALL the bits are random. – SAI Peregrinus Aug 17 '22 at 17:37
  • Missed the edit window: meant to say each bit of the padding influences the entire ciphertext, not plaintext. – SAI Peregrinus Aug 19 '22 at 00:55
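Added example (not part of the question or its comments) that runs the comparison step from the question against a constructed toy Rabin instance, once without padding and once with random padding applied before squaring, as the comments describe. With textbook Rabin the saved ciphertext matches the challenge; with padding there is no match and no bit position of the ciphertext stays fixed, so there is no "deterministic part" to compare. The primes, pad width and messages are constructed toy values, far too small to be secure.

```python
import secrets

# Constructed toy Rabin modulus: n = p*q with p, q = 3 (mod 4). Far too small
# to be secure; it only illustrates the deterministic-vs-randomised comparison.
P, Q = 10007, 10039
N = P * Q
PAD_BITS = 16   # random padding appended to the message before squaring


def rabin_textbook(m: int) -> int:
    """Textbook Rabin: c = m^2 mod n. No randomness, so Enc(m) is one fixed value."""
    assert 0 < m < N
    return pow(m, 2, N)


def rabin_padded(m: int) -> int:
    """Rabin with random padding: c = (m || r)^2 mod n, with r drawn fresh by the
    encryptor each time. m is kept to 8 bits so that m || r stays below n."""
    r = secrets.randbits(PAD_BITS)
    return pow((m << PAD_BITS) | r, 2, N)


def replay_distinguisher(enc, m0: int, m1: int, b: int):
    """Step 3 of the question: the adversary first obtains encryptions of m0 and
    m1, then receives the challenge Enc(m_b) and looks for an exact match.
    Returns the guessed bit, or None when neither saved ciphertext matches."""
    saved = {0: enc(m0), 1: enc(m1)}     # the adversary's own encryption queries
    challenge = enc(m1 if b else m0)     # challenger encrypts with fresh randomness
    for bit, ct in saved.items():
        if ct == challenge:
            return bit
    return None


def constant_ciphertext_bits(enc, m: int, samples: int = 128) -> int:
    """Count bit positions (below n's bit length) that never change across
    `samples` encryptions of the same message. Textbook Rabin: all of them.
    Randomised padding: none, i.e. no fixed 'padding bits' in the ciphertext."""
    always_set, always_clear = ~0, ~0
    for _ in range(samples):
        c = enc(m)
        always_set &= c
        always_clear &= ~c
    mask = (1 << N.bit_length()) - 1
    return bin((always_set | always_clear) & mask).count("1")


if __name__ == "__main__":
    m0, m1 = 0xA7, 0x5C      # constructed 8-bit sample messages
    for b in (0, 1):
        print("textbook, b =", b, "->", replay_distinguisher(rabin_textbook, m0, m1, b))
        print("padded,   b =", b, "->", replay_distinguisher(rabin_padded, m0, m1, b))
    print("constant bits, textbook:", constant_ciphertext_bits(rabin_textbook, m0))
    print("constant bits, padded:  ", constant_ciphertext_bits(rabin_padded, m0))
```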
