Proofs of Security for ECIES, A. W. Dent
Next we must consider what access an attacker has to the scheme. Obviously the attacker must have access to a description of the algorithms in the scheme and to the public key pk. This means that an attacker is able to encrypt messages for himself. However, just as we allowed an attacker to request the signatures of certain messages when considering the security of digital signatures, we may allow an attacker to request the decryption of certain ciphertexts of his choice. Obviously care must be taken to make sure that the attacker is not allowed to decrypt the challenge ciphertext!
An attacker requests the decryption of a ciphertext C by outputting C and then entering a special freeze state. The attacker is then given the response to his query and re-started. In this way we can think of an attacker A = (A1, A2) as consisting of two algorithms A1 and A2 that each work in the same way as the forger for a digital signature (see Definition II.3). The first algorithm A1 runs in multiple rounds, each consisting of two plays, the first made by the challenger and the second by the attacker. In Round 0, the challenger starts by generating a valid key-pair (pk, sk). A1 is then given the public key pk and some predetermined initial state X0. It then outputs a state X1 and either a request for the decryption of a ciphertext C or, in the case of the indistinguishability game, two messages (m0, m1). In the case of the one-way game, A1 halts without any extra output when it terminates. If A1 has requested the decryption of a ciphertext, then the challenger computes the decryption m of C using the private key sk and re-starts A1 with state X1 and input m. The second algorithm A2 works similarly but initially takes as input the challenge ciphertext C∗ and an initial state Xi that was given by A1 in its final round (this is equivalent to the state information s). When A2 terminates it must output its guess for either σ (in the indistinguishability game) or m (in the one-way game).
Whilst this is one way of thinking about an attacker’s ability to request decryptions, it will suit our purposes to be a little more relaxed and merely to think of an attacker having the ability to ask a god-like oracle for them. If an attacker is allowed to request decryptions, then it is said to have access to a decryption oracle, and these requests are assumed to take a single unit of time to answer (such is the power of the oracle).
There are three models that are used to characterise an attacker’s access to a decryption oracle.
Definition III.4. Consider an attacker A = (A1, A2).
If the attacker has no access to a decryption oracle, then it is said to be running a chosen plaintext attack (CPA), because it has the ability to choose which plaintexts (messages) it wishes to encrypt. Remember, it knows the public key and can therefore encrypt any message it wants to. Here the attacker cannot request the decryption of any ciphertext.
If the first algorithm A1 has access to a decryption oracle (i.e., can request the decryption of ciphertexts of its choice) but the second algorithm A2 does not have access to a decryption oracle, then the attacker is said to be running a chosen ciphertext attack (CCA1).¹
If both the first algorithm A1 and the second algorithm A2 have access to a decryption oracle, then the attacker is said to be running an adaptive chosen ciphertext attack (CCA2). In this case we must assume that the second algorithm only has access to an imperfect decryption oracle that will not decrypt the challenge ciphertext C∗. This is the strongest notion of access that we will consider here.
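As an added example that is not part of the chapter, the following Python harness plays the indistinguishability game of Definition III.4 under each of the three access models, with the oracle handed to A1 only, to both stages, or to neither. The encryption scheme is textbook RSA with constructed toy parameters (p = 61, q = 53, e = 17), not ECIES; it is used precisely because it is malleable, so a CCA2 attacker can have a ciphertext related to C∗ decrypted even though the imperfect oracle refuses C∗ itself, whereas the same attacker is reduced to guessing under CPA or CCA1 access. All function names, parameters and messages are this example's own assumptions.

```python
"""
Toy harness for the attack games of Section III.1 (added example, not the
chapter's code). The scheme is textbook RSA with tiny constructed parameters,
chosen because it is malleable: it shows why the second-stage oracle must
refuse C* and why that restriction alone does not make a scheme IND-CCA2 secure.
"""
import secrets


# --- Constructed toy scheme: textbook RSA, p = 61, q = 53, e = 17 (insecure by design).
def keygen():
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                          # (pk, sk)


def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


class DecryptionOracle:
    """The 'god-like' oracle: one call decrypts any ciphertext with sk.
    With `forbidden` set it is the imperfect oracle of Definition III.4 that
    refuses to decrypt the challenge ciphertext C*."""

    def __init__(self, sk, forbidden=None):
        self.sk = sk
        self.forbidden = forbidden
        self.queries = 0

    def __call__(self, c):
        if c == self.forbidden:
            raise PermissionError("decryption of the challenge ciphertext is not allowed")
        self.queries += 1
        return decrypt(self.sk, c)


def refused(oracle, c):
    """True iff the oracle refuses to decrypt c."""
    try:
        oracle(c)
    except PermissionError:
        return True
    return False


def ind_game(a1, a2, access, sigma=None):
    """Run the indistinguishability game against A = (a1, a2).

    access: "cpa"  - neither stage gets a decryption oracle
            "cca1" - only the first stage A1 gets an oracle
            "cca2" - both stages; A2's oracle refuses C*
    sigma may be fixed for deterministic tests; normally it is a random bit.
    Returns True iff the attacker's guess equals sigma.
    """
    pk, sk = keygen()
    oracle1 = DecryptionOracle(sk) if access in ("cca1", "cca2") else None
    (m0, m1), state = a1(pk, oracle1)              # A1's rounds end with (m0, m1) and a state
    if sigma is None:
        sigma = secrets.randbelow(2)
    c_star = encrypt(pk, (m0, m1)[sigma])          # challenge ciphertext C*
    oracle2 = DecryptionOracle(sk, forbidden=c_star) if access == "cca2" else None
    return a2(pk, c_star, state, oracle2) == sigma


# --- An attacker that exploits the multiplicative malleability of textbook RSA.
def malleability_a1(pk, oracle):
    m0, m1 = 42, 1337                              # constructed messages, both < n
    return (m0, m1), {"m0": m0, "m1": m1}          # state X handed on to A2


def malleability_a2(pk, c_star, state, oracle):
    if oracle is None:                             # CPA / CCA1: no second-stage oracle,
        return 0                                   # so this attacker can only guess
    n, e = pk
    # Enc(2) * Enc(m) = (2m)^e mod n, and this ciphertext differs from C*,
    # so the imperfect oracle answers it.
    c_prime = (pow(2, e, n) * c_star) % n
    two_m = oracle(c_prime)
    m = (two_m * pow(2, -1, n)) % n                # undo the factor of 2
    return 1 if m == state["m1"] else 0


def success_rate(access, trials=100):
    wins = sum(ind_game(malleability_a1, malleability_a2, access) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for access in ("cpa", "cca1", "cca2"):
        print(f"{access.upper():5s} success rate over 100 games: {success_rate(access):.2f}")
```

Running the block gives success rates near 0.5 for CPA and CCA1 and exactly 1.0 for CCA2. Refusing C∗ is necessary (otherwise every scheme is trivially broken by one query) but not sufficient: an IND-CCA2 proof for a scheme such as ECIES has to rule out every ciphertext related to C∗, not just C∗ itself.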
It is easy to see that if an attacker can break a scheme using a chosen plaintext (CPA) attack, then there is an attacker who can break that scheme with a chosen ciphertext (CCA1) attack: a CPA attacker is simply a CCA1 attacker that never uses its decryption oracle. Hence, if we can show that a scheme is secure against attackers running CCA1 attacks, then we can be sure that the scheme is also secure against attackers running CPA attacks. Similarly, a scheme that resists attacks made by CCA2 attackers is also resistant to CCA1 attackers and CPA attackers.
To completely define the level of security that an algorithm has we must look at the best attackers in a certain model, i.e., we must specify whether the attacker is playing the indistinguishability game or the one-way game and what kind of access the attacker has. We often abbreviate these definitions to their initials. For example, attackers playing the indistinguishability game using adaptive chosen ciphertext attacks are often referred to as IND-CCA2 attackers and are said to be making an IND-CCA2 attack.
These days, it is generally agreed that a public-key encryption scheme is only secure if it resists attackers making IND-CCA2 attacks, and it is in its resistance to this kind of attack that we will be examining ECIES. More information about attack models can be found in [20].
III.1.2. Underlying Mathematical Problems. Up to now cryptographers have been unable to find security proofs that prove the security of an algorithm directly (without the need to rely on any assumptions or simplifications). There are several good reasons for this. The first has to do with the very nature of public-key cryptography. The way public-key cryptography works means that it is impossible to find a proof of security in which the attacker has access to infinite computational resources: given the public key of an algorithm, there can only be one corresponding private key, and so an attacker with unlimited time and computational resources could check each possible private key in turn until he finds the correct one (thus breaking the
¹ Attacks that use CCA1 access to a decryption oracle are also sometimes known as midnight attacks or lunchtime attacks, because it is the sort of attack that could be used by an intruder who breaks into an office either at night or whilst the proper occupant is at lunch. If the intruder was unable to recover the occupant's private key directly, then he might try to run some kind of program that makes use of the proper occupant's decryption rights and that would henceforth allow the intruder to decrypt messages meant for the occupant without having to know his private key.