Because it ’ sulfur unmanageable to formalize the definition above, we typically use a different definition that ’ mho known to be equivalent. This definition is called “ Indistinguishability under Chosen Plaintext Attack ”, or just “ IND-CPA ” for short .
The definition is formalized as a game between an adversary and some honest “ Challenger ”. For the subject of populace identify encoding the plot looks like this :
- First the challenger generates an encryption keypair, and sends the public key
to the adversary. (It keeps the secret key.)
- Next, the adversary selects a pair of messages
(of equal length) and sends them to the challenger.
- The challenger picks a random bit
and encrypts one of the two messages as
. It sends back
to the adversary.
- Finally, the adversary outputs a guess
. We say the adversary “wins” if it guesses correctly: that is, if
.
As mentioned in early articles, the adversary can always win with probability 1/2, precisely by guessing randomly in step ( 4 ). So we ’ re not interested in whether the adversary wins at all. alternatively we ’ re concern in the adversary ’ randomness advantage, which is to say : how much better he does than he would if he good guessed randomly.
We can express this advantage as | Probability Adversary Wins – 1/2|. ( This probability is taken over many runs of the experiment and all the randomness used — it ’ s not just the adversary ’ s success after one plot. ) An attacker who wins with probability precisely 1/2 will have “ zero ” advantage in the IND-CPA game. In general for a scheme to be IND-CPA dependable it must hold that for all possible ( time-bounded ) adversaries, the adversary ’ s advantage will be negligibly small .
One obvious bill about the IND-CPA game is that the attacker has the public key. ( Recall that he gets it in footstep [ 1 ] ). So sometimes people, upon seeing this definition for the inaugural time, propose the following strategy for winning the game :
- The adversary picks two messages and then encrypts both of them using the public key.
- When the adversary receives the ciphertext in step (3), he just compares that ciphertext to the two he generated himself.
- Voila, the adversary can always figure out which message was encrypted!
If the encoding scheme is not randomized — mean that every prison term you encrypt a message using a given public winder, you get the same accurate ciphertext — this attack works perfectly. In fact it works therefore well that an attacker who uses this scheme will constantly win the IND-CPA plot, meaning that such a system can not possibly satisfy the IND-CPA security definition .
The implication therefore, is that in order to satisfy the IND-CPA definition, any public-key encoding outline must be randomized. That is, it must take in some random bits as region of the encoding algorithm — and it must use these bits in generating a ciphertext. Another way to think about this is that for every possible public key and message 
Read more: A Few Thoughts on Cryptographic Engineering
We see this practice of randomization in many real-world encoding schemes. For example, most RSA encoding is done using some sort of “ encoding padding ” schema, like OAEP or ( the identical unwrap ) PKCS # 1v1.5. Algorithms like Elgamal ( and derivatives like ECIES ) besides use randomness in their encoding .
The authoritative takeaway here is that this use of randomness in the encoding algorithm international relations and security network ’ triiodothyronine just for playfulness : it ’ randomness required in order to get semantic security .
The case of symmetric encryption. As a annotate, it ’ mho besides worth mentioning that IND-CPA can be applied to symmetrical encoding. The major differences in that definition are ( A ) that in step ( 1 ) there is no populace key to give to the adversary, and ( B ) to replace this lost functionality, the rival must provide an “ encoding ” oracle to the adversary. specifically, that means that the rival must, when requested, code messages of the adversary ’ mho choice using its clandestine key. This can happen at any decimal point in the game.
The caveats about deterministic encoding besides enforce in the symmetrical font, and for basically the lapp reason. In short : ciphertexts must be diversified in some room so that two different encryptions of the same plaintext do not produce the lapp ciphertext. If this was not the shell, then the adversary could easily win the game .
The only major remainder is that in the symmetrical jell, this diversification doesn ’ metric ton always need to be done with randomness. Some schemes use “ express ”. For exercise, it ’ s possible to build an encoding outline where the rival keeps a elementary counter between messages, and uses this buffet in place of “ true ” randomness. ( A good model of this is CTR mode encoding, where the attacker ensures that initial counters [ IVs ] never recur. ) This obviously merely works in settings where there is a individual encryptor, or all encryptors are guaranteed to not repeat unlike counters .