Chosen-Plaintext Attack (CPA)

Introduction

This is the most natural security definition for public-key encryption schemes, since the public key $k_e$ is available for anyone to see. Any realistic adversary would have access to it, and, since they know the encryption algorithm, they can use $k_e$ to encrypt any message they like. This is the reason why chosen-plaintext security is the minimal security guarantee which is expected of public-key encryption schemes.

Definition: CPA-Security

The efficient adversary $\text{Eve}$ is given the public key $k_e$ and can use it to encrypt $q$ messages of her choice $m_1,...,m_q$ to obtain their corresponding ciphertexts $c_1,...,c_q$.

A public-key encryption scheme $(\text{Gen},\text{Enc},\text{Dec})$ is CPA-secure if for any two messages $({\mu }_0,{\mu }_1)$, public key $k_e$ generated by $\text{Gen}$ and ciphertext $c:=\text{Enc}(k_e,\cdot )$ which is the encryption of either ${\mu }_0$ or ${\mu }_1$, the probability that Eve can guess whether $c$ belongs to ${\mu }_0$ or ${\mu }_1$ is at most negligibly greater than $\frac{1}{2}$.

$$\underset{k_e\leftarrow \text{Gen}(),b{\leftarrow }_R\{0,1\}}{\mathrm{Pr}}[\text{Eve}(k_e,\text{Enc}(k_e,{\mu }_b))={\mu }_b]\le \frac{1}{2}+\text{negl}()$$

INTUITION

The adversary Eve is not explicitly given access to an encryption oracle because she has the public key, knows the encryption algorithm and can thus encrypt any messages she likes. She is also free to choose the messages ${\mu }_0,{\mu }_1$. The public-key encryption scheme is considered CPA-secure if no matter what Eve does, she cannot guess if a ciphertext $c$ is the encryption of ${\mu }_0$ or ${\mu }_1$ with significantly better probability than $\frac{1}{2}$.

As with private-key CPA-security, any public-key encryption scheme must use a nondeterministic $\text{Enc}$ function.

THEOREM

There is no CPA-secure public-key encryption scheme with a deterministic encryption function $\text{Enc}$.

PROOF

If the encryption algorithm $\text{Enc}$ were deterministic, then Eve would be able to simply pass ${\mu }_0$ and ${\mu }_1$ to it and compare $c$ with the resulting ciphertexts. Non-determinism protects against this by producing a different ciphertext every time that the same message is encrypted.