Score:2

The essential differences between IND-CCA1 and IND-CCA2?

kr flag

For some encryption scheme $(\mathcal{E}, \mathcal{D})$:

In the definition of IND-CCA, the adversary $\mathcal{A}$ can access the decryption oracle $\mathcal{D}$. The deep reason of this setting is to make sure that our scheme is able to "protect the ciphertexts" (e.g. the integrity and authenticity).

So "protecting the ciphertexts" is what an IND-CPA secure scheme can not offer. And that's why IND-CCA is stronger than IND-CPA. Furthermore, IND-CCA2 allows $\mathcal{A}$ to make queries to $\mathcal{D}$ after $\mathcal{A}$ receives the challenge ciphertext $c^{*}$, which is so called "adaptive" query.

Then my question is:

  • How should we describe this distinctive ability of resisting adaptive queries in IND-CCA2, in a pellucid way?

In other words, "random bits-like ciphertexts" leads to IND-CPA security, "the protection of ciphertexts" leads to IND-CCA1 security. Then what leads to IND-CCA2 security?

Thanks in advance!

kelalaka avatar
in flag
Does this answer your question? [Easy explanation of "IND-" security notions?](https://crypto.stackexchange.com/questions/26689/easy-explanation-of-ind-security-notions)
meshcollider avatar
gb flag
"protect the ciphertexts" is very imprecise, I don't think such a definition is enlightening at all.
Max1z avatar
kr flag
Hi kelalaka and meshcollider! I am aware of the definitions and security proofs of these models. So the content of that post is not very helpful to me. What I am looking for is **some words** to summarize the core differences between CCA1 and CCA2 in a short way just like "protect the ciphertexts" does (though it might not be that precise :-). Thus, this question is actually not an academic problem and doesn't have the standard answer.
cn flag
The issue is that your understanding of CCA1 security is already flawed. "protecting the ciphertexts" as you phrase it is neither sufficient nor necessary for CCA1 security.
us flag
CCA1 = Making decryption queries before seeing $c^*$ doesn't help you learn what's inside $c^*$; CCA2 = Making decryption queries before/after seeing $c^*$ doesn't help you learn what's inside $c^*$
AYun avatar
es flag
In case of symmetric crypto, there are IND-CCA encryption schemes where all strings are valid ciphertexts: no decryption error. I think the intuition 'protect the ciphertext' could be hard to be applied to this case. https://www.iacr.org/archive/crypto2000/18800395/18800395.pdf
Score:0
ng flag

IND-CCA1 is INDistinguishability under Chosen Ciphertext Attack.

IND-CCA2 is INDistinguishability under adaptive Chosen Ciphertext Attack.

In both, an adversary attempts to decipher a ciphertext $C$ by making queries to a decryption oracle that will decrypt anything. The difference is that in IND-CCA1, the queries are made without knowledge of $C$ (given to adversary after the queries), when in IND-CCA2 queries can be made with knowledge of $C$ (given to adversary early on, with prohibition to give $C$ to the decryption oracle).

IND-CCA1 models a decryption device temporarily made available to adversaries. IND-CCA2 makes that permanent.

Here are situations where IND-CCA2 encryption is desirable:

  • There's a server that decrypts, then parses the deciphered plaintext as a (message, signature) pair and checks it against a public key (unrelated to the encryption/encryption key). If OK, the server acts according to message; otherwise it outputs "I won't do " message.
  • Embassy A knows its messages to B are intercepted by E and relayed (with the prefix INTERCEPT) encrypted to F; F deciphers then relays what starts with INTERCEPT to G, that A has penetrated. This puts A in an IND-CCA2 situation to attack the cipher from E to F (within the restriction that A can only submit messages starting with INTERCEPT).
  • There's a server that decrypts, then removes padding, and a timing attack allows one to know how much padding was removed.
Max1z avatar
kr flag
Very inspiring! The words "temporarily" and "permanently" are exactly what I want. Thanks!
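The "before $c^*$ / after $c^*$" distinction described in the question, in the comment above, and in this answer can be made concrete with a small game harness. The following is an added example, not code from the thread: it builds a constructed CTR-style stream cipher (HMAC-SHA256 used as the keystream PRF, random nonce, no integrity tag) and a challenger that plays either the IND-CCA1 or the IND-CCA2 game with it. The scheme keeps every ciphertext malleable on purpose so the reader can see the one thing that changes between the two games: the same bit-flip-and-decrypt strategy is useless while the decryption oracle is only available before $c^*$, and recovers the plaintext with certainty once the oracle stays open after $c^*$ (everything except $c^*$ itself). The names `StreamScheme`, `IndCcaGame` and `malleability_adversary` are this example's own.

```python
"""Toy IND-CCA1 vs IND-CCA2 game (added example, not from the original thread)."""
import hashlib
import hmac
import os
import random

KEY_LEN = 32
NONCE_LEN = 16


class StreamScheme:
    """Constructed CTR-style cipher: keystream block i = HMAC-SHA256(key, nonce||i).
    Ciphertext = nonce || (m XOR keystream). There is deliberately NO integrity
    check, so flipping a ciphertext bit flips the same plaintext bit."""

    def __init__(self):
        self.key = os.urandom(KEY_LEN)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, m: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh nonce, unknown before the challenge
        ks = self._keystream(nonce, len(m))
        return nonce + bytes(a ^ b for a, b in zip(m, ks))

    def decrypt(self, c: bytes) -> bytes:
        nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
        ks = self._keystream(nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))


class IndCcaGame:
    """Challenger for mode="cca1" (oracle closes once c* is issued) or
    mode="cca2" (oracle stays open, but refuses c* itself)."""

    def __init__(self, mode: str, rng: random.Random):
        assert mode in ("cca1", "cca2")
        self.mode = mode
        self.scheme = StreamScheme()
        self.b = rng.randrange(2)  # hidden challenge bit
        self.c_star = None

    def encrypt_oracle(self, m: bytes) -> bytes:
        return self.scheme.encrypt(m)

    def decrypt_oracle(self, c: bytes) -> bytes:
        if self.c_star is not None:
            if self.mode == "cca1":
                raise PermissionError("IND-CCA1: no decryption queries after c*")
            if c == self.c_star:
                raise PermissionError("IND-CCA2: may not decrypt c* itself")
        return self.scheme.decrypt(c)

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1) and self.c_star is None
        self.c_star = self.scheme.encrypt((m0, m1)[self.b])
        return self.c_star


def malleability_adversary(game: IndCcaGame) -> int:
    """Returns the adversary's guess for b using the classic bit-flip query."""
    m0, m1 = b"attack at dawn", b"attack at dusk"
    # Phase 1 (allowed in both games): queries before c* reveal keystream only
    # for nonces the adversary chose, never for the still-unknown challenge nonce.
    game.decrypt_oracle(game.encrypt_oracle(b"probe before c*"))
    c_star = game.challenge(m0, m1)
    # Phase 2: flip the last bit of c*, ask for its decryption, undo the flip.
    c_prime = c_star[:-1] + bytes([c_star[-1] ^ 1])
    try:
        m_prime = game.decrypt_oracle(c_prime)
    except PermissionError:
        return 0  # oracle unavailable (CCA1): nothing better than a blind guess
    recovered = m_prime[:-1] + bytes([m_prime[-1] ^ 1])
    return 1 if recovered == m1 else 0


def win_rate(mode: str, trials: int, seed: int = 0) -> float:
    """Fraction of games in which the adversary's guess equals the hidden bit."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        game = IndCcaGame(mode, rng)
        wins += int(malleability_adversary(game) == game.b)
    return wins / trials


if __name__ == "__main__":
    print("IND-CCA2 win rate:", win_rate("cca2", 50))   # 1.0: adaptive query breaks it
    print("IND-CCA1 win rate:", win_rate("cca1", 400))  # about 0.5: coin flip
```

The harness is the answer's description in code: the CCA1 challenger is the "temporarily available decryption device" that is switched off once $c^*$ is handed over, the CCA2 challenger is the permanent one with only $c^*$ itself blacklisted. Adding an integrity tag (an AEAD or encrypt-then-MAC) would make `decrypt_oracle` reject `c_prime`, which is the standard way to close the gap between the two games.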