Subtleties in the Definition of IND-CCA: When and How Should Challenge Decryption Be Disallowed?

Journal of Cryptology (2013)

Abstract
IND-CCA (indistinguishability under adaptive chosen-ciphertext attacks) is a central notion of security for public-key encryption, defined and targeted in many papers. Non-triviality of the notion requires that the adversary not query the challenge ciphertext to the decryption oracle. We point out that this “no-challenge-decryption” condition can be formalized in several different ways and the literature is not consistent, sometimes doing it one way, sometimes another, and assuming it makes no difference. We show that the latter perception is incorrect. It does make a difference, for the resulting notions are not equivalent. Specifically, we consider four notions corresponding to whether challenge decryption is disallowed in both phases of the adversary’s attack or just in the second, and, orthogonally, whether the disallowance is “penalty” or “exclusion” based. We show that the notions are not all equivalent for public-key encryption (PKE). We then show that, in contrast, they are equivalent for key-encapsulation mechanisms (KEMs). Our work shows that subtle foundational issues exist even with notions that are supposedly well-established and unambiguous, and highlights the need to be careful and precise with regard to “minor” definitional “details”.
Keywords

Definitions, Foundations, Encryption, Chosen-ciphertext attack
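To make the "penalty versus exclusion" axis of the abstract concrete, the following added example (written for this page, not code from the paper or its authors) simulates the IND-CCA game under three of the rules: exclusion in the second phase (the decryption oracle refuses the challenge), penalty in the second phase (a run in which the adversary decrypted the challenge counts as a loss), and penalty in both phases (any query in either phase that equals the eventual challenge voids the run). The encryption scheme is a constructed idealization, not a real cryptosystem, chosen so that the decryption oracle is the only route to the plaintext. The rule formalizations are my reading of the abstract's two axes; the paper's exact definitions, its fourth (both-phase exclusion) variant, and its separation results for PKE and equivalence results for KEMs are not reproduced here.

```python
import random

PHASE1, PHASE2 = 1, 2


class IdealPKE:
    """Constructed stand-in for a CCA-secure scheme (not a real cryptosystem):
    encryption draws a fresh random 64-bit ciphertext and records it in a table,
    decryption is table lookup. The only way to learn what a ciphertext hides is
    therefore to ask the decryption oracle, which isolates the rule under test."""

    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def enc(self, m):
        c = self.rng.getrandbits(64)
        self.table[c] = m
        return c

    def dec(self, c):
        return self.table.get(c)  # None plays the role of the "invalid" symbol


class IndCcaGame:
    """One run of the IND-CCA experiment. `policy` is 'penalty' (the run counts
    as a loss if a forbidden query was made) or 'exclusion' (the oracle answers
    the challenge with None); `phases` is 'second' or 'both' and only affects
    the penalty policy here, because no challenge exists yet during phase 1."""

    def __init__(self, policy, phases, rng):
        assert policy in ('penalty', 'exclusion') and phases in ('second', 'both')
        self.policy, self.phases, self.rng = policy, phases, rng
        self.pke = IdealPKE(rng)
        self.phase, self.challenge, self.b, self.queries = PHASE1, None, None, []

    def decrypt(self, c):
        """Decryption oracle available to the adversary in both phases."""
        self.queries.append((self.phase, c))
        if self.policy == 'exclusion' and self.phase == PHASE2 and c == self.challenge:
            return None  # exclusion: refuse, but let the adversary continue
        return self.pke.dec(c)

    def challenge_lr(self, m0, m1):
        """Left-or-right challenge oracle; callable once, moves the game to phase 2."""
        assert self.challenge is None, "challenge oracle already used"
        self.b = self.rng.getrandbits(1)
        self.challenge = self.pke.enc((m0, m1)[self.b])
        self.phase = PHASE2
        return self.challenge

    def run(self, adversary):
        """Returns True iff this run counts as a win for the adversary."""
        guess = adversary(self)
        assert self.challenge is not None, "adversary never asked for a challenge"
        if self.policy == 'penalty':
            banned = {PHASE2} if self.phases == 'second' else {PHASE1, PHASE2}
            if any(ph in banned and c == self.challenge for ph, c in self.queries):
                return False  # penalty: the whole run is voided
        return guess == self.b


def honest_adversary(game):
    """Never queries the challenge: one unrelated phase-1 query, one related
    but distinct phase-2 query, then a fixed guess (no better than chance)."""
    game.decrypt(0x1234)                      # constructed phase-1 query
    c = game.challenge_lr(b"left", b"right")
    game.decrypt(c ^ 1)                       # distinct from the challenge: allowed
    return 0


def challenge_querying_adversary(game):
    """Asks the oracle to decrypt the challenge itself, which every variant forbids;
    how that is accounted for is exactly what the rule decides."""
    c = game.challenge_lr(b"left", b"right")
    m = game.decrypt(c)
    if m is None:                              # exclusion-style refusal: nothing learned
        return 0
    return 0 if m == b"left" else 1


def win_rate(adversary, policy, phases, runs=2000, seed=7):
    """Fraction of seeded runs that count as wins under the given rule."""
    wins = 0
    for i in range(runs):
        game = IndCcaGame(policy, phases, random.Random(seed * 1_000_003 + i))
        wins += game.run(adversary)
    return wins / runs


if __name__ == "__main__":
    for policy, phases in [('exclusion', 'second'), ('penalty', 'second'), ('penalty', 'both')]:
        print(policy, phases,
              "honest:", win_rate(honest_adversary, policy, phases),
              "queries challenge:", win_rate(challenge_querying_adversary, policy, phases))
```

Under the exclusion rule the challenge-querying adversary is simply refused and falls back to guessing, so its win rate sits near 1/2 like the honest adversary's; under either penalty rule the same behaviour makes every run a loss, so its win rate is exactly 0. The two adversaries' code is identical across rules; only the game's bookkeeping changes, which is the sense in which the choice of rule is part of the definition rather than an implementation detail.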