
IND-CCA is an abbreviation of "Indistinguishability under chosen ciphertext attack" and generally, an adversary carrying out the chosen ciphertext attack is given a decryption oracle only. However, in the IND-CCA game, the adversary is allowed to make both encryption and decryption queries in the pre-querying phase.

Why is the adversary in the IND-CCA game allowed to make encryption queries even though the attacker is not assumed to be able to make encryption queries in the chosen cipher attack?

kelalaka
MLER
  • Welcome to Cryptography. This is our canonical question about this topic: Easy explanation of "IND-" security notions? Does this provide an answer to your question? – kelalaka Oct 21 '23 at 10:54
  • Could you provide a link to this; generally an adversary carrying out the chosen ciphertext attack is given a decryption oracle only. – kelalaka Oct 21 '23 at 10:56
  • I'm guessing the naming has confused you. IND-CCA also includes all the capabilities of IND-CPA; it might be better to call it Indistinguishability under Chosen Plaintext and Chosen Ciphertext Attack, or IND-CPCCA, but that isn't as pretty a format. – SAI Peregrinus Oct 21 '23 at 15:29
  • I think that a well written answer would be nice even though the answer linked to by @kelalaka does contain the information to provide that answer. – Maarten Bodewes Oct 22 '23 at 02:47
  • @kelalaka I don't have a specific reference that explicitly states, 'An adversary in a chosen ciphertext attack doesn't have the ability to perform encryption other than decryption.' However, my understanding is based on the fundamental differences between chosen plaintext attacks (CPA) and chosen ciphertext attacks (CCA), which are distinct concepts. In a CPA, the attacker does indeed have encryption capabilities, while in a CCA, the focus is primarily on the adversary's decryption oracle access. – MLER Oct 22 '23 at 05:46
  • @kelalaka (continued) Of course, I agree that, in many cases, particularly when a public key encryption scheme is employed, it is not difficult for the attacker to obtain access to an encryption oracle. – MLER Oct 22 '23 at 05:47
  • @SAIPeregrinus I got it. Thank you for the answer! – MLER Oct 22 '23 at 05:50
  • We want Ind-CCA > Ind-CPA, so if the attacker's capabilities are decreased then we cannot make the order. Keep in mind that in public key cryptography, the encryption is free. – kelalaka Oct 22 '23 at 11:44
  • @MaartenBodewes OK, I've given it a shot and hope it made it clear. – kelalaka Oct 22 '23 at 18:32
  • Notice that when we deal with asymmetric encryption (with public/private key pair), encryption is possible with the public key, thus having access to an encryption oracle is implied. Therefore, most definitions of IND-CPA and IND-CCA applied to asymmetric encryption omit access to an encryption oracle. However, it is part of all definitions of IND-CPA and IND-CCA applied to symmetric encryption. – fgrieu Oct 23 '23 at 09:37

1 Answer

  • In Ind-CPA security we give the adversary access to the encryption oracle as a black box.

    Ind-CPA also includes the Known-Plaintext Attack, and KPA < IND-CPA.

    There are historical examples of Ind-CPA attacks. Directly quoting one from Wikipedia:

    In World War II US Navy cryptanalysts discovered that Japan was planning to attack a location referred to as "AF". They believed that "AF" might be Midway Island, because other locations in the Hawaiian Islands had codewords that began with "A". To prove their hypothesis that "AF" corresponded to "Midway Island" they asked the US forces at Midway to send a plaintext message about low supplies. The Japanese intercepted the message and immediately reported to their superiors that "AF" was low on water, confirming the Navy's hypothesis and allowing them to position their force to win the battle.

    This is a real example of how one can query an encryption oracle in real life. There are more examples on Wikipedia.

    Ind-CPA adversaries are considered passive adversaries. One might argue that they are allowed to access the encryption oracle as a black box, but they are still in the setting of observing passively transmitted ciphertexts.

    From the passive attacker, we want to go further to the active attacker, in which the attacker can modify the ciphertexts, too (modify and query the decryption oracle). The padding oracle attack is one of the examples; though the attacker cannot get the decryption, still, they can get information to decrypt the blocks one by one.

  • In Ind-CCA security we give the adversary access to the encryption and decryption oracles as black boxes.

    If we don't allow the encryption oracle, then we would not have built further on Ind-CPA security; instead, we would have created a branch in the definitions: there might be a hypothetical algorithm that is Ind-CCA secure but not Ind-CPA secure. Well, consider the historical example: except for creating noise in the air, CCA attackers cannot work without the encryption oracle, and we might say(!) that it was secure against the CCA attacker*.

    Now, in the current definitions we have Ind-CPA < Ind-CCA and this is a nice ordering. For example, we can simply say that without authentication you cannot achieve Ind-CCA. With all classical block-cipher modes of operation (CTR, CBC, CFB, and OFB; except ECB) we can achieve Ind-CPA, however none can achieve Ind-CCA without a MAC.

And keep in mind that, in public key cryptography, the encryption oracle is free. Therefore, not allowing it also complicates things here.

Why is the adversary in the IND-CCA game allowed to make encryption queries even though the attacker is not assumed to be able to make encryption queries in the chosen cipher attack?

If we can achieve Ind-CPA security, then in the current setting the CCA attacker might find that the encryption oracle is not useful at all. Consider the Ind-CPA secure CBC mode: the padding oracle attacker cannot achieve anything with the encryption oracle, since CBC mode is Ind-CPA secure. On the other hand, with the (partial) decryption oracle (padding incorrect), it can achieve success.

The above case must not limit the CCA attacker so that they must not use the encryption oracle. They are given more power than CPA attackers: they are active and can access both the encryption and decryption oracles. So, whenever they can gain an advantage, they can use both.


*I know that atmospheric noise can change radio signals in the air, however, this is not my subject, so there might be an improvement that one can change bits in the air. Still, at that time, I considered that it was not possible.

kelalaka
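The ordering the answer describes (an Ind-CPA mode such as CTR falls to an active attacker, and Ind-CCA needs a MAC) can be played out as an IND-CCA game. This is an added example, not code from the answer or from any library: it assumes a constructed toy CTR cipher with HMAC-SHA256 as the PRF, an Encrypt-then-MAC variant of it, and a bit-flipping adversary that never touches the encryption oracle; all names, messages and keys are made up here.

```python
import hmac, hashlib, os, secrets
# Constructed toy cipher: CTR mode with HMAC-SHA256 as the keyed PRF. Under the PRF
# assumption it is IND-CPA secure, but ciphertexts are malleable, so it is not IND-CCA.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]
def ctr_encrypt(key, m):
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))
def ctr_decrypt(key, c):
    return bytes(a ^ b for a, b in zip(c[16:], _keystream(key, c[:16], len(c) - 16)))
# Encrypt-then-MAC: same cipher plus a tag over the ciphertext. Decryption rejects a
# ciphertext whose tag fails, so a modified challenge ciphertext yields nothing.
def etm_encrypt(keys, m):
    c = ctr_encrypt(keys[0], m)
    return c + hmac.new(keys[1], c, hashlib.sha256).digest()
def etm_decrypt(keys, c):
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], body, hashlib.sha256).digest()):
        return None
    return ctr_decrypt(keys[0], body)

CTR = (lambda: os.urandom(32), ctr_encrypt, ctr_decrypt)              # (keygen, enc, dec)
ETM = (lambda: (os.urandom(32), os.urandom(32)), etm_encrypt, etm_decrypt)

def ind_cca_game(scheme, adversary, trials=60):
    """Play the IND-CCA game `trials` times; return the adversary's success rate."""
    keygen, enc, dec = scheme
    wins = 0
    for _ in range(trials):
        k, b, state = keygen(), secrets.randbelow(2), {}
        def challenge(m0, m1):            # one challenge query: encrypt m_b
            state["c"] = enc(k, (m0, m1)[b])
            return state["c"]
        def dec_oracle(c):                # any ciphertext except the challenge itself
            assert c != state.get("c"), "the challenge ciphertext may not be queried"
            return dec(k, c)
        wins += adversary(lambda m: enc(k, m), dec_oracle, challenge) == b
    return wins / trials

def malleability_adversary(enc_oracle, dec_oracle, challenge):
    """Active attacker from the answer: never uses enc_oracle, only bit-flip + decrypt."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed sample messages
    c = bytearray(challenge(m0, m1))
    c[16] ^= 0x01                       # flip one bit of the first body byte, so c' != c*
    m = dec_oracle(bytes(c))
    if m is None:                       # rejected by the MAC check: reduced to a coin flip
        return secrets.randbelow(2)
    return 0 if bytes([m[0] ^ 0x01]) + m[1:] == m0 else 1
```

Against the bare CTR scheme the adversary wins every trial without a single encryption query; against the Encrypt-then-MAC scheme the decryption oracle rejects the modified ciphertext and the adversary is reduced to guessing.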