Security under Chosen-Plaintext Attacks (CPA)

Until now we have considered a relatively weak adversary who only pas-sively eavesdrops on the communication between two honest parties. (Of course, our actual definition of PrivK^eav allows the adversary to choose the plaintexts that are to be encrypted. Nevertheless, beyond this capability the adversary is completely passive.) In this section, we formally introduce a more powerful type of adversarial attack, called achosen-plaintext attack(CPA). As compared to Definition 3.9, the definition of a break remains the same but the adversary’s capabilities are strengthened.

The basic idea behind a chosen-plaintext attack is that the adversaryAis allowed to ask for encryptions of multiple messages that it chooses “on-the-fly” in an adaptive manner. This is formalized by allowingAto interact freely with anencryption oracle, viewed as a “black-box” that encrypts messages of A’s choice (these encryptions are computed using the secret keyk unknown to A). Following standard notation in computer science, we denote byA^O(·) the computation of A given access to an oracleO, and thus in this case we denote the computation ofAwith access to an encryption oracle byA^Enck(·). When A queries its oracle by providing it with a plaintext message m as input, the oracle returns a ciphertextc←Enck(m) as the reply. WhenEncis randomized, the oracle uses fresh random coins each time it answers a query.

The definition of security requires thatAshould not be able to distinguish the encryption of two arbitrary messages, even when A is given access to an encryption oracle. We present the definition and afterwards discuss what real-world adversarial attacks the definition is meant to model.

We first define an experiment for any private-key encryption scheme Π = (Gen,Enc,Dec), any adversaryA, and any valuenfor the security parameter:

The CPA indistinguishability experimentPrivK^cpa_A,Π(n):

1. A random key kis generated by runningGen(1ⁿ).

2. The adversaryAis given input1ⁿand oracle access toEnck(·), and outputs a pair of messagesm0, m1 of the same length.

3. A random bit b ← {0,1} is chosen, and then a ciphertext c ← Enck(mb) is computed and given to A. We call c the challenge ciphertext.

4. The adversaryA continues to have oracle access toEnck(·), and outputs a bit b⁰.

5. The output of the experiment is defined to be 1 if b⁰ = b, and 0 otherwise. (In case PrivK^cpa_A,Π(n) = 1, we say that A succeeded.)

DEFINITION 3.22 A private-key encryption schemeΠ = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible functionneglsuch that

Prh

PrivK^cpa_A,Π(n) = 1i

≤ 1

2+negl(n),

where the probability is taken over the random coins used byA, as well as the random coins used in the experiment.

Before proceeding to discuss the definition, we remark that any scheme that is secure under chosen-plaintext attacks is clearly secure in the presence of an eavesdropping adversary. This holds becausePrivK^eav is a special case ofPrivK^cpawhere the adversary doesn’t use its oracle at all.

At first sight, it may appear that Definition 3.22 is impossible to achieve.

In particular, consider an adversary that outputs (m0, m1) and then receives c←Enck(mb). Since the adversary has oracle access toEnck(·), it can request that this oracle encrypt the messages m0 and m1 and A can thus obtain c0 ← Enck(m0) and c1 ← Enck(m1). It can then compare c0 and c1 to its

“challenge ciphertext”c; ifc=c0then it knows thatb= 0, and ifc=c1then it knows thatb= 1. Why doesn’t this strategy allowAto determine b with probability 1?

The answer is that indeed, as with security under multiple encryptions, no deterministic encryption scheme can be secure against chosen-plaintext attacks. Rather, any CPA-secure encryption scheme must be probabilistic.

That is, it must use random coins as part of the encryption process in order to ensure that two encryptions of the same message are different.⁷

Chosen-plaintext attacks in the real world. Definition 3.22 is at least as strong as our earlier Definition 3.9, and so certainly no security is lost by working with this newer definition. In general, however, there may be a price for using a definition that is too strong if it causes us to use less efficient schemes or to reject highly-efficient schemes that would suffice for

“real-world applications”. We should therefore ask ourselves whether chosen-plaintext attacks represent a realistic adversarial threat that we should be worried about.

In fact, chosen-plaintext attacks (in one form or another) are a realistic threat in many scenarios. We demonstrate this by first looking at some mil-itary history from World War II. In May 1942, US Navy cryptanalysts had discovered that Japan was planning an attack on Midway island in the Cen-tral Pacific. They had learned this by intercepting a communication message containing the ciphertext fragment “AF” that they believed corresponded to the plaintext “Midway island”. Unfortunately, their attempts to convince Washington planners that this was indeed the case were futile; the general belief was that Midway could not possibly be the target. The Navy crypt-analysts then devised the following plan. They instructed the US forces at Midway to send a plaintext message that their freshwater supplies were low.

The Japanese intercepted this message and immediately reported to their su-periors that “AF” was low on water. The Navy cryptanalysts now had their proof that “AF” was indeed Midway, and the US forces dispatched three air-craft carriers to the location. The result is that Midway was saved, and the Japanese incurred great losses. It is even said that this battle was the turning point in the war by the US against Japan in the Pacific. (See [87, 131] for more information.)

Coming back to the relevance of this for us here, note that the Navy crypt-analysts here carried out exactly a chosen-plaintext attack. They essentially were able to “request” (albeit in a roundabout way) the Japanese to encrypt the word “Midway” in order to learn information about another ciphertext that they had previously intercepted. If the Japanese encryption scheme had been secure against chosen-plaintext attacks, this strategy by the US crypt-analysts would not have worked (and history may have turned out very differ-ently!). We stress that the Japanese never intended to act as an “encryption oracle” for the US and thus were they to analyze the necessity for CPA se-curity, it is unlikely that they would have concluded that it was necessary.⁸

7As we have seen, if the encryption process maintains state between successive encryptions (as in the synchronized mode for stream ciphers), random coin tosses may not be necessary.

As per Definition 3.8, we typically consider only stateless schemes (which are preferable).

8It is a worthwhile mental exercise to think whether you would have anticipated such an attack.

We therefore strongly encourage always using encryption that is secure under chosen plaintext attacks.

We warn against thinking that chosen-plaintext attacks are only relevant to military applications. In fact there are many cases when an adversary can influence what is encrypted by an honest party (even if it is more unusual for the adversary to be in complete control over what is encrypted). Consider the following example: many servers communicate with each other today in a secured way (i.e., using encryption). However, the messages that these servers send to each other are based on internal and external requests that they re-ceive, which are in turn chosen by users that may actually be attackers. These attackers can therefore influence the plaintext messages that the servers en-crypt, sometimes to a great extent. Such systems must therefore be protected by using an encryption scheme that is secure against chosen-plaintext attacks.

CPA security for multiple encryptions. The extension of Definition 3.22 to the case of multiple encryptions is straightforward and is the same as the extension of Definition 3.9 to Definition 3.19. That is, we define an experiment which is exactly the same asPrivK^cpa except thatAoutputs a pair ofvectors of plaintexts. Then, we require that no polynomial-timeAcan succeed in the experiment with probability that is non-negligibly greater than 1/2.

Importantly, CPA security for a single encryption automatically implies CPA security for multiple encryptions. (This stands in contrast to the case of eavesdropping adversaries; see Claim 3.20.) We state the claim here with-out proof (a similar claim, but in the public-key setting, is proved in Sec-tion 10.2.2):

CLAIM 3.23 Any private-key encryption scheme that has indistinguishable encryptions under a chosen-plaintext attack also has indistinguishablemultiple encryptions under a chosen-plaintext attack.

This is a significant technical advantage of the definition of CPA security, since it suffices to prove that a scheme is secure for a single encryption and we then obtain “for free” that it is secure for multiple encryptions as well.

Fixed-length vs. arbitrary-length messages. Another advantage of work-ing with the definition of CPA-security is that it allows us to treat fixed-length encryption schemes without much loss of generality. In particular, we claim that given any CPA-secure fixed-length encryption scheme Π = (Gen,Enc,Dec) it is possible to construct a CPA-secure encryption scheme Π⁰ = (Gen⁰,Enc⁰,Dec⁰) for arbitrary-length messages quite easily. For sim-plicity, say Π has length parameter 1 so that it only encrypts messages that are 1-bit long (though everything we say extends in the natural way for any length parameter). LeaveGen⁰ the same asGen. DefineEnc⁰_kfor any message m(having some arbitrary length `) in the following way:

Enc⁰_k(m) =Enck(m1), . . . ,Enck(m`),

where m = m1· · ·m` and mi ∈ {0,1} for all i. Decryption is done in the natural way. We claim that Π⁰ is CPA-secure if and only if Π is. A proof is left as an easy exercise for the reader.

Notwithstanding the above, there may in practice be more efficient ways to encrypt messages of arbitrary length than by adapting a fixed-length en-cryption scheme in the above manner. We treat other ways of encrypting arbitrary-length messages in Section 3.6.4.