What Makes a Crypto System IND-CCA2 Secure?

Written by escholar | Published 2025/09/09
Tech Story Tags: lightweight-cryptography | post-quantum-cryptography | public-key-encryption | elliptic-curve-cryptography | isogeny-based-cryptography | internet-of-things-security | rsa-oaep-vulnerabilities | ind-cca-security

TL;DR: This article presents a proof that the proposed cryptographic schema is secure against both non-adaptive (IND-CCA1) and adaptive (IND-CCA2) chosen ciphertext attacks. The proof avoids reliance on zero-knowledge assumptions, instead leveraging the DDH assumption to establish robustness. By ensuring negligible attacker advantage, the schema demonstrates resilience against active attack vectors. Its efficiency, small key size, and adaptability make it particularly suitable for hybrid systems, IoT devices, banking applications, and mobile environments with low transmission bandwidth.


6 Proof: Secure against adaptive-chosen ciphertext attacks

Our presented crypto schema is cryptographically strong, so we can prove its resistance against CCA. A separate proof for CPA is therefore unnecessary, since IND-CCA security implies IND-CPA security. Without going too deep into the proof, we refer to the existing proofs for the fundamental CS schema [11,55,5]. However, some theoretical attack approaches against ECC have been identified [56]. A part of them use the currently strongest attack vector, based on active attacks, which is directly countered by our schema.

The security proof is given by contradiction based on the EC F(x) and follows [55,57]. The main advantage of the proof is that it does not rely on a zero-knowledge assumption.

6.1 DDH Assumption

6.2 CCA Assumption

We assume a decryption "oracle" that correctly decrypts any given ciphertext. An attacker chooses two messages m1 and m2, where m1 ≠ m2. Both messages are sent to an encryption service, which returns the encryption of only one of them, chosen at random. The attacker is allowed polynomial-time access to our decryption "oracle", also after obtaining the ciphertext returned from the encryption service. Submitting that challenge ciphertext itself to the oracle is excluded. The attacker now guesses which message the encryption service has encrypted. If this guess is correct with probability 1/2 + δ, then the attacker has an advantage defined by δ.

A crypto system is said to be indistinguishable under chosen ciphertext attacks (IND-CCA) secure if the advantage δ is negligible for any polynomial-time attacker.

6.3 IND-CCA 1 - non-adaptive Security

From the public key, the attacker can get the information:

Since these equations are linearly independent, this happens with only negligible probability. Based on the validity check, the cases can be proved and the schema is IND-CCA 1 secure.

6.4 IND-CCA 2 - adaptive Security (Validity Checking Failure)

For this proof, we need to split the value of the secret key z into z1 and z2. From the public key V, the attacker can get the following information:

Suppose that this is not a DDH tuple:

Then the challenge ciphertext is as follows:

Therefore, the attacker can get the following information:

If the attacker queries an invalid ciphertext to the decryption oracle, say:

As for this decryption query, we should consider the following cases:

Based on the validity check, all cases can be proved and the schema is IND-CCA 2 secure. This is currently the strongest notion of security. In addition, our cryptographic system is highly efficient in terms of computation, especially in the context of hybrid systems for encryption and signature. Furthermore, the comparatively small key size enables the system to be used in mobile and wireless applications with low transmission bandwidth, such as smart cards. This also makes it ideal for the Internet of Things and banking.
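The following is an added example, not code from the paper: it implements the fundamental Cramer-Shoup schema (with the secret z split into z1 and z2, as in the proof above) over the order-q subgroup of Z_p* for a toy safe prime, standing in for the paper's elliptic-curve group, and shows why the decryption oracle of Section 6.2 gives the attacker nothing: a ciphertext related to the challenge (here, e scaled by a chosen group element) fails the validity check of Section 6.4 and is rejected. All names, the parameter search and the message encoding are the example's own assumptions; the group size is far too small for real use.

```python
import hashlib
import secrets

def is_prime(n):                       # trial division: fine for the ~23-bit toy modulus below
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))
def find_safe_prime(q):                # smallest q >= start with q and p = 2q+1 prime
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(5_000_001)      # quadratic residues mod p form a group of prime order q
G1, G2 = 4, 9                          # both squares, so in that subgroup; any element != 1 generates it

def encode(m):                         # message m in [1, q] -> residue m^2; p = 3 mod 4 gives an easy root
    return m * m % P
def decode(y):
    r = pow(y, (P + 1) // 4, P)
    return r if r <= Q else P - r      # exactly one square root lies in [1, q]

def hash_to_zq(u1, u2, e):
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q

def keygen():
    x1, x2, y1, y2, z1, z2 = (secrets.randbelow(Q) for _ in range(6))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z1, P) * pow(G2, z2, P) % P   # z split into z1, z2 as in the IND-CCA2 proof
    return (x1, x2, y1, y2, z1, z2), (c, d, h)

def encrypt(pk, m):
    c, d, h = pk
    r = secrets.randbelow(Q - 1) + 1
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    e = pow(h, r, P) * encode(m) % P
    a = hash_to_zq(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * a % Q, P) % P   # tag binding (u1, u2, e) to the same r
    return u1, u2, e, v

def decrypt(sk, ct):
    (x1, x2, y1, y2, z1, z2), (u1, u2, e, v) = sk, ct
    if not all(0 < t < P and pow(t, Q, P) == 1 for t in ct): return None   # subgroup membership
    a = hash_to_zq(u1, u2, e)
    if pow(u1, (x1 + y1 * a) % Q, P) * pow(u2, (x2 + y2 * a) % Q, P) % P != v:
        return None                    # validity check failed: rejected, nothing about z1, z2 leaks
    mask = pow(u1, z1, P) * pow(u2, z2, P) % P
    return decode(e * pow(mask, P - 2, P) % P)

def malleability_probe(pk, sk, m, s):  # ElGamal-style mauling: scale e by encode(s), hoping for m*s
    u1, u2, e, v = encrypt(pk, m)
    return decrypt(sk, (u1, u2, e, v)), decrypt(sk, (u1, u2, e * encode(s) % P, v))
```

The same mauled query against plain ElGamal (no v tag) would return m*s; here the oracle answers None, which is exactly the behaviour the validity-check cases of the proof rely on.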

Author:

(1) Peter Hillmann, University of the Bundeswehr Munich, Department of Computer Science, Werner-Heisenberg-Weg 39, 85577 Neubiberg, Germany.


This paper is available on arxiv under ATTRIBUTION-NONCOMMERCIAL-SHAREALIKE 4.0 INTERNATIONAL license.


Published by HackerNoon on 2025/09/09