Encryption Schemes
Theorem 5.4.6: If there exist collections of (non-uniformly hard) trapdoor permutations, then there exist public-key encryption schemes that are secure under
3. Challenge generation: Based on the information obtained so far, the adversary specifies a challenge template and is given an actual challenge.
When defining semantic security, the challenge template is a triplet of circuits $(S_m, h_m, f_m)$, where $S_m$ specifies a distribution of $m$-bit long plaintexts (and $h_m, f_m : \{0,1\}^m \to \{0,1\}^*$), and the actual challenge is a pair $(E_e(x), h_m(x))$ where $x$ is distributed according to $S_m(U_{\mathrm{poly}(n)})$. When defining indistinguishability of encryptions, the challenge template is merely a pair of equal-length strings, and the actual challenge is an encryption of one of these two strings.
4. Additional encryption requests: Based on the information obtained so far, the adversary may request the encryptions of additional plaintexts of its choice. These requests are handled as in Step 2. After making several such requests, the adversary produces an output and halts.
5.4* BEYOND EAVESDROPPING SECURITY
In the actual definition, the adversary's strategy will be decoupled into two parts corresponding to its actions before and after the generation of the actual challenge. Each part will be represented by a (probabilistic polynomial-time) oracle machine, where the oracle is an "encryption oracle" (with respect to the key generated in Step 1). The first part, denoted $A_1$, represents the adversary's behavior during Step 2. It is given a security parameter (and possibly an encryption-key), and its output is a pair $(\tau, \sigma)$, where $\tau$ is the template generated in the beginning of Step 3 and $\sigma$ is state information passed to the second part of the adversary. The second part of the adversary, denoted $A_2$, represents the adversary's behavior during Step 4. It is given the state $\sigma$ (of the first part), as well as the actual challenge (generated in Step 3), and produces the actual output of the adversary.
In accordance with the use of non-uniform formulations, we let each of the two oracle machines have a (non-uniform) auxiliary input. In fact, it suffices to provide only the first machine with such a (non-uniform) auxiliary input, because it can pass auxiliary input to the second machine in the state information $\sigma$. (Similarly, in the case of public-key schemes, it suffices to provide only the first machine with the encryption-key.) We comment that we provide these machines with probabilistic oracles; that is, in response to a plaintext query $x$, the oracle $E_e$ returns a random ciphertext $E_e(x)$ (i.e., the result of a probabilistic process applied to $e$ and $x$). Thus, in the case of public-key schemes, the four-step attack process can be written as follows:
$$(e, d) \leftarrow G(1^n)$$
$$(\tau, \sigma) \leftarrow A_1^{E_e}(e, z)$$
$$c \stackrel{\rm def}{=} \text{an actual challenge generated according to the template } \tau$$
$$\text{output} \leftarrow A_2^{E_e}(\sigma, c)$$
where $z$ denotes (non-uniform) auxiliary input given to the adversary. In the case of private-key schemes, the adversary (i.e., $A_1$) is given $1^n$ instead of $e$.
Semantic Security. Instantiating this framework to derive a definition of semantic security amounts to specifying the challenge generation and to postulating that the success probability in such an attack should be met by a corresponding benign process.
As hinted in the preceding discussion, the challenge generation consists of the adversary specifying a triplet of circuits, denoted $(S_m, h_m, f_m)$, and being presented with an encryption of $x \leftarrow S_m(U_{\mathrm{poly}(n)}) \in \{0,1\}^m$ along with the partial information $h_m(x)$.
The adversary's goal is to guess $f_m(x)$, and semantic security amounts to saying that the adversary's success probability can be matched by a corresponding algorithm that is only given $h_m(x)$ and $1^{|x|} = 1^m$. Like the adversary, the corresponding algorithm is decoupled into two parts; the first is in charge of outputting a challenge template, and the second is in charge of solving the challenge (without being given a ciphertext), where state information is passed from the first part to the second part. It is important to require that the challenge template produced by the corresponding algorithm be distributed exactly as the challenge template produced by the adversary. (See further discussion following Definition 5.4.8.)
Definition 5.4.8 (semantic security under chosen plaintext attacks):
For public-key schemes: A public-key encryption scheme, $(G, E, D)$, is said to be semantically secure under chosen plaintext attacks if for every pair of probabilistic polynomial-time oracle machines, $A_1$ and $A_2$, there exists a pair of probabilistic polynomial-time algorithms, $A'_1$ and $A'_2$, such that the following two conditions hold:
1. For every positive polynomial $p$, and all sufficiently large $n$ and $z \in \{0,1\}^{\mathrm{poly}(n)}$, it holds that foregoing description, and that $x$ is a sample from the distribution induced by $S_m$.
2. For every $n$ and $z$, the first elements (i.e., the $(S_m, h_m, f_m)$ part) in the random variables $A'_1(1^n, z)$ and $A_1^{E_{G_1(1^n)}}(G_1(1^n), z)$ are identically distributed.
For private-key schemes: The definition is identical except that algorithm $A_1$ gets the security parameter $1^n$ instead of the encryption-key $e$.
Note that as in almost all other definitions of semantic security (with the exception of Definition 5.4.1), algorithm $A'_1$ does not get a (random) encryption-key as input (but may rather generate one by itself).$^{28}$ Since the challenge template is not fixed (or determined by $e$) but, rather, is chosen by $A$ and $A'$ themselves, it is very important to require that in both cases, the challenge template be distributed identically (or approximately so): There is no point in relating the success probability of $A$ and $A'$, unless these probabilities refer to the same distribution of problems (i.e., challenge templates).$^{29}$ (The issue arises also in Definition 5.4.1 where it was resolved by forcing $A'$ to refer to the challenge template determined by the public-key $e$.)$^{30}$
Definition 5.4.8 implies Definition 5.4.1, but this may not be evident from the definitions themselves (most importantly, because here $f_m$ is computationally bounded whereas in Definition 5.4.1 the function is computationally unbounded). Still, the validity of the claim follows easily from the equivalence of the two definitions to the corresponding notions of indistinguishability of encryptions (and the fact that the implication is evident for the latter formulations).
$^{28}$ In fact, $A'_1$ is likely to start by generating $e \leftarrow G_1(1^n)$, because it has to generate a challenge template that is distributed as the one produced by $A_1$ on input $e \leftarrow G_1(1^n)$.
$^{29}$ Failure to make this requirement would have resulted in a fundamentally bad definition (by which every encryption scheme is secure). For example, algorithm $A'_1$ could have set $h_m$ to equal the function $f_m$ selected by $A_1$ (in a corresponding attack). Doing so, the success of $A$ to guess the value of $f_m(x)$ from the (insecure) encryption of $x$ and a (possibly) useless value $h_m(x)$ (e.g., for a constant function $h_m$) would have been met by the success of $A'$ to "guess" the value of $f_m(x)$ from $f_m(x)$ itself (without being given the encryption of $x$). An alternative approach, which follows the formulation of Definition 5.4.1, is presented in Exercise 34.
$^{30}$ Indeed, an alternative solution could have been the one adopted here and in the sequel; that is, in an alternative to Definition 5.4.1, one may allow $A'$ to select the challenge template by itself, provided that the selection yields a distribution similar to the one faced by $A$ (as induced by the public-key $e$). For details, see Exercise 30.
Indistinguishability of Encryptions. Deriving the corresponding definition of indistinguishability of encryptions (from the previous framework) is considerably simpler.
Here, the challenge generation consists of the adversary specifying two equal-length strings and the adversary being presented with the encryption of one of them. The adversary’s goal is to distinguish the two possible cases.
Definition 5.4.9 (indistinguishability of encryptions under chosen plaintext attacks):
For public-key schemes: A public-key encryption scheme, $(G, E, D)$, is said to have indistinguishable encryptions under chosen plaintext attacks if for every pair of probabilistic polynomial-time oracle machines, $A_1$ and $A_2$, for every positive polynomial $p$, and for all sufficiently large $n$ and $z \in \{0,1\}^{\mathrm{poly}(n)}$ it holds that
$$\big|\, p^{(1)}_{n,z} - p^{(2)}_{n,z} \,\big| < \frac{1}{p(n)}$$
where
$$p^{(i)}_{n,z} \stackrel{\rm def}{=} \Pr\left[\; v = 1 \;\text{ where }\;
\begin{array}{l}
(e, d) \leftarrow G(1^n) \\
((x^{(1)}, x^{(2)}), \sigma) \leftarrow A_1^{E_e}(e, z) \\
c \leftarrow E_e(x^{(i)}) \\
v \leftarrow A_2^{E_e}(\sigma, c)
\end{array}
\;\right]$$
and $|x^{(1)}| = |x^{(2)}|$.
For private-key schemes: The definition is identical except that $A_1$ gets the security parameter $1^n$ instead of the encryption-key $e$.
Clearly, Definition 5.4.9 implies Definition 5.4.2 as a special case. Furthermore, for public-key schemes, the two definitions are equivalent (see Proposition 5.4.10), whereas for private-key schemes, Definition 5.4.9 is strictly stronger (see Exercise 33).
Proposition 5.4.10: Let $(G, E, D)$ be a public-key encryption scheme that has indistinguishable encryptions under key-dependent passive attacks. Then $(G, E, D)$ has indistinguishable encryptions under chosen plaintext attack.
Proof Sketch: The key observation is that in the public-key model, a chosen plaintext attack can be emulated by a passive key-dependent attack. Specifically, the (passive) attacker can emulate access to an encryption oracle by itself (by using the encryption-key given to it). Thus, we obtain an attacker as in Definition 5.4.9, with the important exception that it never makes oracle calls (but rather emulates $E_e$ by itself). In other words, we have an attacker as in Definition 5.4.2, with the minor exception that it is a probabilistic polynomial-time machine with auxiliary input $z$ (rather than being a polynomial-size circuit) and that it distinguishes a pair of plaintext distributions rather than a pair of (fixed) plaintexts (which depend on the encryption-key). However, fixing the best-possible coins for this attacker (and incorporating them as well as $z$ in an adequate circuit), we obtain an attacker exactly as in Definition 5.4.2 such that its distinguishing gap is at least as large as the one of the (initial) chosen plaintext attacker. (For details, see Exercise 30.)
Equivalence of Semantic Security and Ciphertext-Indistinguishability. As in previous cases, we show that the two formulations of (chosen plaintext attack) security (i.e., semantic security and indistinguishability of encryptions) are in fact equivalent.
Theorem 5.4.11 (equivalence of definitions for chosen plaintext attacks): A public-key (resp., private-key) encryption scheme $(G, E, D)$ is semantically secure under chosen plaintext attacks if and only if it has indistinguishable encryptions under chosen plaintext attacks.
Proof Sketch: In order to show that indistinguishability of encryptions implies semantic security, we follow again the ideas underlying the proof of Proposition 5.2.6. Specifically, for both the private-key and public-key cases, $A'_1$ and $A'_2$ are constructed as follows:
1. $A'_1(1^n, z) \stackrel{\rm def}{=} (\tau, \sigma')$, where $(\tau, \sigma')$ is generated as follows:
First, $A'_1$ generates an instance of the encryption scheme; that is, $A'_1$ lets $(e, d) \leftarrow G(1^n)$. Next, $A'_1$ invokes $A_1$, while emulating the oracle $E_e$, and sets $(\tau, \sigma) \leftarrow A_1^{E_e}(y, z)$, where $y = e$ in the public-key case and $y = 1^n$ in the private-key case. Finally, $A'_1$ sets $\sigma' \stackrel{\rm def}{=} (e, \sigma)$.
We warn that the generation of the key-pair by $A'_1$ should not be confused with the generation of the key-pair in the probabilistic experiment referring to the combined algorithm $A' = (A'_1, A'_2)$. In particular, the generated encryption-key $e$ allows $A'_1$ to emulate the encryption oracle $E_e$ (also in the private-key case). Furthermore, $A'_1$ outputs the encryption-key $e$ as part of the state passed by it to $A'_2$, whereas $A_1$ does not necessarily do so (and, in fact, cannot do so in the case of the private-key model). This will allow $A'_2$, too, to emulate the encryption oracle $E_e$.
2. $A'_2((e, \sigma), 1^m, \gamma) \stackrel{\rm def}{=} A_2^{E_e}(\sigma, (E_e(1^m), \gamma))$, where typically $\gamma = h_m(x)$ and $m = |x|$.
Since $A'_1$ merely emulates the generation of a key-pair and the actions of $A_1$ with respect to such a pair, the equal distribution condition (i.e., Item 2 in Definition 5.4.8) holds.
Using the (corresponding) indistinguishability of encryptions hypothesis, we show that (even in the presence of an encryption oracle $E_e$) the distributions $(\sigma, (E_e(x), h(x)))$ and $(\sigma, (E_e(1^{|x|}), h(x)))$ are indistinguishable, where $(e, d) \leftarrow G(1^n)$, $((S, h, f), \sigma) \leftarrow A_1^{E_e}(y, z)$ (with $y = e$ or $y = 1^n$ depending on the model), and $x \leftarrow S(U_{\mathrm{poly}(n)})$.
Details: Suppose that given $((S, h, f), \sigma)$ generated by $A_1^{E_e}(y, z)$ and oracle access to $E_e$, where $e \leftarrow G_1(1^n)$, one can distinguish $(\sigma, (E_e(x), h(x)))$ and $(\sigma, (E_e(1^{|x|}), h(x)))$, where $x \leftarrow S(U_{\mathrm{poly}(n)})$. Then we obtain a distinguisher as in Definition 5.4.9 as follows. The first part of the distinguisher invokes $A_1$ (while answering its oracle queries by forwarding these queries to its own $E_e$ oracle), and obtains $((S, h, f), \sigma) \leftarrow A_1^{E_e}(y, z)$. It sets $x^{(1)} \leftarrow S(U_{\mathrm{poly}(n)})$ and $x^{(2)} = 1^{|x^{(1)}|}$, and outputs $((x^{(1)}, x^{(2)}), (\sigma, h(x^{(1)})))$. That is, $(x^{(1)}, x^{(2)})$ is the challenge template, and it is answered with $E_e(x^{(i)})$, where $i$ is either 1 or 2. The second part of the new distinguisher gets as input a challenge ciphertext $\alpha \leftarrow E_e(x^{(i)})$ and the state generated by the first part $(\sigma, h(x^{(1)}))$, and invokes the distinguisher of the contradiction hypothesis with input $(\sigma, (\alpha, h(x^{(1)})))$, while answering its oracle queries by forwarding these queries to its own $E_e$ oracle. Thus, the new distinguisher violates the condition in Definition 5.4.9, in contradiction to the hypothesis that $(G, E, D)$ has indistinguishable encryptions.
It follows that indistinguishability of encryptions (as per Definition 5.4.9) implies semantic security (as per Definition 5.4.8). (Here, this implication is easier to prove than in previous cases because the function $f$ is computable via a circuit that is generated as part of the challenge template [and, without loss of generality, is part of $\sigma$].)
We now turn to the opposite direction. Suppose that $(G, E, D)$ does not have indistinguishable encryptions, and consider the pairs $(x^{(1)}, x^{(2)})$ produced as a challenge template by the distinguishing adversary. Following the ideas of the proof of Proposition 5.2.7, we let the semantic-security adversary generate a corresponding challenge template $(S, h, f)$ such that
• The circuit $S$ samples uniformly in $\{x^{(1)}, x^{(2)}\}$.
• The function $f$ satisfies $f(x^{(1)}) = 1$ and $f(x^{(2)}) = 0$.
• The function $h$ is defined arbitrarily subject to $h(x^{(1)}) = h(x^{(2)})$.
Note that here we do not need to use h for passing non-uniform information (e.g., a description of the distinguisher). Instead, non-uniform information (i.e., the auxiliary input z to the distinguisher) is passed explicitly by other means (i.e., as the auxiliary input to the semantic-security adversary).
We stress that when the semantic-security adversary invokes the distinguishing adversary, the former uses its own oracle to answer the queries made by the latter. (Likewise, the former passes its auxiliary input $z$ to the latter.) The reader may easily verify that the semantic-security adversary has a noticeable advantage in guessing $f(S(U_{\mathrm{poly}(n)}))$ (by using the distinguishing gap between $E_e(x^{(1)})$ and $E_e(x^{(2)})$), whereas no algorithm that only gets $h(S(U_{\mathrm{poly}(n)}))$ can have any advantage in such a guess. We derive a contradiction to the hypothesis that $(G, E, D)$ satisfies Definition 5.4.8, and the theorem follows.
Multiple-Message Security. Definitions 5.4.8 and 5.4.9 can be easily generalized to handle challenges in which multiple plaintexts are encrypted. As in previous cases, the corresponding (multiple-plaintext) definitions are equivalent. Furthermore, the multiple-plaintext definitions are equivalent to the single-plaintext definition, both for public-key and private-key schemes. We stress the equivalence for private-key schemes (which does not hold for the basic definitions presented in Section 5.1; see Proposition 5.2.12). To see the equivalence, it is best to consider the notion of indistinguishability of encryptions. In this case, the argument used in the proof of Theorem 5.2.11 (i.e., the public-key case) can be applied here by using the encryption oracle in order to produce the ciphertexts needed for the hybrid argument (rather than by generating these ciphertexts using knowledge of the encryption-key, which is only possible in the public-key setting).
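The hybrid argument just referred to, written out for the indistinguishability formulation (added here as a worked derivation; the hybrids $H_j$ and the gap $\delta$ are this derivation's own notation, the rest follows Definition 5.4.9):

Let the multiple-message adversary output a template $(\bar x^{(1)}, \bar x^{(2)})$ with $\bar x^{(i)} = (x^{(i)}_1, \dots, x^{(i)}_t)$, where $t = \mathrm{poly}(n)$ and $|x^{(1)}_j| = |x^{(2)}_j|$ for every $j$. For $j = 0, \dots, t$ define the hybrid
$$H_j \stackrel{\rm def}{=} \big(E_e(x^{(2)}_1), \dots, E_e(x^{(2)}_j),\; E_e(x^{(1)}_{j+1}), \dots, E_e(x^{(1)}_t)\big),$$
so that $H_0$ is an encryption of $\bar x^{(1)}$ and $H_t$ is an encryption of $\bar x^{(2)}$. If $A_2$ distinguishes $H_0$ from $H_t$ with gap $\delta(n)$, then by telescoping
$$\delta(n) = \Big|\sum_{j=1}^{t}\big(\Pr[A_2^{E_e}(\sigma, H_j) = 1] - \Pr[A_2^{E_e}(\sigma, H_{j-1}) = 1]\big)\Big| \le \sum_{j=1}^{t}\big|\Pr[A_2^{E_e}(\sigma, H_j) = 1] - \Pr[A_2^{E_e}(\sigma, H_{j-1}) = 1]\big|,$$
so for a uniformly chosen $j \in \{1, \dots, t\}$ the expected gap between $H_{j-1}$ and $H_j$ is at least $\delta(n)/t$. The single-message adversary therefore picks such a $j$, runs $A_1$ while forwarding its oracle queries, outputs the template $(x^{(1)}_j, x^{(2)}_j)$, and, on receiving the challenge $c$, assembles
$$\big(E_e(x^{(2)}_1), \dots, E_e(x^{(2)}_{j-1}),\; c,\; E_e(x^{(1)}_{j+1}), \dots, E_e(x^{(1)}_t)\big)$$
using its encryption oracle for the other $t-1$ ciphertexts (this is where the oracle replaces the public key used in Theorem 5.2.11). The result is distributed as $H_{j-1}$ when $c \leftarrow E_e(x^{(1)}_j)$ and as $H_j$ when $c \leftarrow E_e(x^{(2)}_j)$, so feeding it to $A_2$ yields a single-message distinguishing gap of at least $\delta(n)/t$, which is still noticeable because $t$ is polynomial, contradicting Definition 5.4.9.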
5.4.3.2. Constructions
In view of Proposition 5.4.10 (and Theorem 5.4.11), we focus on private-key encryption schemes (because a public-key encryption scheme is secure under chosen plaintext attacks if and only if it is secure under passive key-dependent attacks). All the results presented in Section 5.3.3 extend to security under chosen plaintext attacks. Specifically, we prove that Constructions 5.3.9 and 5.3.12 remain secure also under a chosen plaintext attack.
Proposition 5.4.12: Let $F$ and $(G, E, D)$ be as in Construction 5.3.9, and suppose that $F$ is pseudorandom with respect to polynomial-size circuits. Then the private-key encryption scheme $(G, E, D)$ is secure under chosen plaintext attacks. The same holds with respect to Construction 5.3.12.
Proof Sketch: We focus on Construction 5.3.9 and follow the technique underlying the proof of Proposition 5.3.10. That is, we consider an idealized version of the scheme, in which one uses a uniformly selected function $\phi : \{0,1\}^n \to \{0,1\}^n$, rather than the pseudorandom function $f_s$. Essentially, all that the adversary obtains by encryption queries in the ideal version is pairs $(r, \phi(r))$, where the $r$'s are uniformly and independently distributed in $\{0,1\}^n$. As to the challenge itself, the plaintext is "masked" by the value of $\phi$ at another uniformly and independently distributed element in $\{0,1\}^n$. Thus, unless the latter element happens to equal one of the $r$'s used by the encryption oracle (which happens with probability at most $q \cdot 2^{-n}$ for $q$ oracle queries, a negligible quantity since $q$ is polynomial in $n$), the challenge plaintext is perfectly masked. Thus, the ideal version is secure under a chosen plaintext attack, and the same holds for the real scheme (since otherwise one derives a contradiction to the hypothesis that $F$ is pseudorandom).
Summary. Private-key and public-key encryption schemes that are secure under chosen plaintext attacks exist if and only if corresponding schemes that are secure under passive (key-dependent) attacks exist.$^{31}$
5.4.4. Chosen Ciphertext Attack
We now turn to stronger forms of active attacks in which the adversary may obtain (from some legitimate user) plaintexts corresponding to ciphertexts of its choice. We consider two types of such attacks, called chosen ciphertext attacks: In the milder type, called a priori chosen ciphertext attacks, such decryption requests can be made only before the challenge ciphertext (for which the adversary should gain knowledge) is presented. In the stronger type, called a posteriori chosen ciphertext attacks, such decryption requests can also be made after the challenge ciphertext is presented, so long as one does not request a decryption of this very (challenge) ciphertext.
$^{31}$ Hint: When establishing the claim for the private-key case, use Exercise 2.
Both types of attacks address security threats in realistic applications: In some settings, the adversary may experiment with the decryption module, before the actual ciphertext in which it is interested is sent. Such a setting corresponds to an a priori chosen ciphertext attack. In other settings, one may invoke the decryption module on inputs of one's choice at any time, but all these invocations are recorded, and real damage is caused only by knowledge gained with respect to a ciphertext for which a decryption request was not recorded. In such a setting, protection against a posteriori chosen ciphertext attacks is adequate. Furthermore, in both cases, decryption requests can also be made with respect to strings that are not valid ciphertexts, in which case the decryption module returns a special error symbol.
Typically, in settings in which a mild or strong form of a chosen ciphertext attack is possible, a chosen plaintext attack is possible, too. Thus, we actually consider combined attacks in which the adversary may ask for encryption and decryption of strings of its choice. Indeed (analogously to Proposition 5.4.10), in the case of public-key schemes (but not in the case of private-key schemes), the combined attack is equivalent to a "pure" chosen ciphertext attack.
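The following Python program is added here as an illustration and is not part of the book. It plays two of the games described in this section against Construction 5.3.9: the private-key game of Definition 5.4.9, and the combined a posteriori chosen ciphertext attack just described, in which a decryption oracle is available throughout but returns the error symbol for the challenge ciphertext itself. Both the instantiation (HMAC-SHA256 standing in for the pseudorandom function $f_s$, with $n = 128$) and the adversaries are this example's own assumptions, as are the names Scheme, ind_cpa_game, ind_cca2_game, collision_a1/a2 and malleability_a1/a2. The first adversary realises exactly the event singled out in the proof sketch of Proposition 5.4.12: it harvests $(r, f_s(r))$ pairs from the encryption oracle and wins whenever the challenge's $r$ repeats one of them, which is only noticeable when $r$ is made artificially short. The second adversary reflects a standard observation that this page does not itself make: since Construction 5.3.9 masks the plaintext by XOR, flipping one bit of the challenge ciphertext gives a different, valid ciphertext that the oracle will decrypt, so security under chosen plaintext attacks does not carry over to a posteriori chosen ciphertext attacks for this scheme.

```python
import hashlib
import hmac
import secrets

N = 16  # assumption: n = 128 bits for keys, plaintext blocks and the nonce r


def prf(s: bytes, r: bytes) -> bytes:
    """f_s(r): HMAC-SHA256 truncated to N bytes stands in for the pseudorandom function F."""
    return hmac.new(s, r, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


class Scheme:
    """Construction 5.3.9: E_s(x) = (r, f_s(r) XOR x) for a fresh uniformly chosen r.
    rlen < N is a deliberately short nonce, used only to make the r-collision event visible."""

    def __init__(self, rlen: int = N):
        self.rlen = rlen

    def gen(self) -> bytes:
        return secrets.token_bytes(N)

    def enc(self, s: bytes, x: bytes) -> bytes:
        r = secrets.token_bytes(self.rlen)
        return r + xor(prf(s, r), x)

    def dec(self, s: bytes, c: bytes) -> bytes:
        r, y = c[:self.rlen], c[self.rlen:]
        return xor(prf(s, r), y)


def ind_cpa_game(scheme: Scheme, a1, a2) -> bool:
    """One run of the private-key game of Definition 5.4.9; True iff A_2 outputs the bit i."""
    s = scheme.gen()
    enc_oracle = lambda x: scheme.enc(s, x)
    (x1, x2), sigma = a1(enc_oracle)          # A_1 gets oracle access (and implicitly 1^n)
    i = secrets.randbelow(2)
    c = enc_oracle((x1, x2)[i])                # challenge: encryption of one of the two strings
    return a2(enc_oracle, sigma, c) == i


def ind_cca2_game(scheme: Scheme, a1, a2) -> bool:
    """A posteriori chosen ciphertext attack: the decryption oracle stays available after the
    challenge, but returns the error symbol (None) for the challenge ciphertext itself."""
    s = scheme.gen()
    enc_oracle = lambda x: scheme.enc(s, x)
    challenge = [None]

    def dec_oracle(c):
        return None if c == challenge[0] else scheme.dec(s, c)

    (x1, x2), sigma = a1(enc_oracle, dec_oracle)
    i = secrets.randbelow(2)
    challenge[0] = enc_oracle((x1, x2)[i])
    return a2(enc_oracle, dec_oracle, sigma, challenge[0]) == i


ZERO, ONES = bytes(N), b"\xff" * N


def collision_a1(enc_oracle, queries: int = 600):
    """Encrypts 0^n repeatedly: each answer (r, f_s(r) XOR 0^n) reveals the mask f_s(r)."""
    table = {}
    for _ in range(queries):
        c = enc_oracle(ZERO)
        table[c[:-N]] = c[-N:]
    return (ZERO, ONES), table


def collision_a2(enc_oracle, table, c) -> int:
    """If the challenge reuses a queried r, strip the known mask; otherwise guess at random."""
    r, y = c[:-N], c[-N:]
    if r in table:
        return 0 if xor(table[r], y) == ZERO else 1
    return secrets.randbelow(2)


def malleability_a1(enc_oracle, dec_oracle):
    return (ZERO, ONES), None


def malleability_a2(enc_oracle, dec_oracle, sigma, c) -> int:
    """Flip the last ciphertext bit: the forgery differs from the challenge, so the oracle
    decrypts it, and the result is x^(i) with its last bit flipped."""
    forged = c[:-1] + bytes([c[-1] ^ 1])
    x = dec_oracle(forged)
    return 0 if x == ZERO[:-1] + b"\x01" else 1


def win_rate(game, scheme: Scheme, a1, a2, trials: int = 200) -> float:
    """Fraction of independent game runs the adversary wins; 1/2 means no advantage."""
    return sum(game(scheme, a1, a2) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("CPA,  8-bit r  :", win_rate(ind_cpa_game, Scheme(rlen=1), collision_a1, collision_a2))
    print("CPA,  128-bit r:", win_rate(ind_cpa_game, Scheme(), collision_a1, collision_a2))
    print("CCA2, 128-bit r:", win_rate(ind_cca2_game, Scheme(), malleability_a1, malleability_a2))
```

Running the file prints three win rates: close to 1 for the collision adversary against 8-bit nonces (600 queries cover most of the 256 possible values of $r$), close to 1/2 against 128-bit nonces (the bound $q \cdot 2^{-n}$ from the proof sketch), and exactly 1 for the malleability adversary, which never touches the challenge ciphertext itself and so is not stopped by the oracle's refusal rule.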
Organization. We start by providing security definitions for the two types of attacks discussed here. In Section 5.4.4.2, we further extend the definitional treatment of security (and derive a seemingly stronger notion that is in fact equivalent to the notions in Section 5.4.4.1). In Section 5.4.4.3 (resp., Section 5.4.4.4) we discuss the construction of private-key (resp., public-key) encryption schemes that are secure under chosen ciphertext attacks.
5.4.4.1. Definitions for Two Types of Attacks
Following Section 5.4.3.1 and bearing in mind that we wish to define two types of chosen ciphertext attacks (i.e., a priori and a posteriori ones), we first formulate the framework of chosen ciphertext attacks. As in the case of chosen plaintext attacks, we consider attacks that proceed in four stages corresponding to the generation of a pair of keys (by a legitimate party), the adversary's requests (answered by the legitimate party) to encrypt and/or decrypt strings under the corresponding key, the generation of a challenge ciphertext (under this key and according to a template specified by the adversary), and additional requests to encrypt and/or decrypt strings. That is, a chosen ciphertext attack proceeds as follows:
1. Key generation: A key-pair $(e, d) \leftarrow G(1^n)$ is generated (by a legitimate party). In the public-key setting the adversary is given $e$, whereas in the private-key setting the adversary is only given $1^n$.
2. Encryption and decryption requests: Based on the information obtained so far, the