Ciphertext Integrity (CI)

Ciphertext integrity is a notion which closely resembles message authentication codes (MACs) and is the cipher analogue of CMA-security for them.

Definition: Ciphertext Integrity (CI)

The adversary Eve is given oracle access ${\text{Enc}}_k$ and can query it with $q$ messages $m_1,m_2,...,m_q$ in order to obtain their ciphertexts $c_1,c_2,...,c_q$. Her goal is to produce a new valid ciphertext $c\notin \{c_1,c_2,...,c_q\}$, i.e. a ciphertext such that ${\text{Dec}}_k(c)\ne \text{error}$.

A cipher $({\text{Enc}}_k,{\text{Dec}}_k)$ provides ciphertext integrity (CI), if for all keys $k\in \mathcal{K}$, the probability that Mallory achieves her goal is negligible, i.e.

$$\underset{k{\leftarrow }_R\mathcal{K}}{\mathrm{Pr}}[{\text{Dec}}_k(\text{Eve}())\ne \text{error}]\le \text{negl(n)}$$

INTUITION

Similarly to MACs, Eve has access to a bunch of messages and their ciphertexts and she strives to produce a new valid ciphertext which does not cause the decryption function to error. A cipher has CI if she cannot succeed with significant probability.