874:
2065:
25:
233:(IND-CCA2). Security under either of the latter definition implies security under the previous ones: a scheme which is IND-CCA1 secure is also IND-CPA secure, and a scheme which is IND-CCA2 secure is both IND-CCA1 and IND-CPA secure. Thus, IND-CCA2 is the strongest of the three definitions of security.
1248:
under the same attack scenario (NM-CCA2). This equivalence is not immediately obvious, as non-malleability is a property dealing with message integrity, rather than confidentiality. In other cases, it has been demonstrated that indistinguishability can be combined with certain other definitions, in
1234:
Most applications don't require an encryption algorithm to produce encrypted messages that are indistinguishable from random bits. However, some authors consider such encryption algorithms to be conceptually simpler and easier to work with, and more versatile in practice—and most IND-CPA encryption
1057:
which decrypts arbitrary ciphertexts at the adversary's request, returning the plaintext. In the non-adaptive definition, the adversary is allowed to query this oracle only up until it receives the challenge ciphertext. In the adaptive definition, the adversary may continue to query the decryption
1243:
Indistinguishability is an important property for maintaining the confidentiality of encrypted communications. However, the property of indistinguishability has in some cases been found to imply other, apparently unrelated security properties. Sometimes these implications go in both directions,
195:
considered secure in terms of indistinguishability. This definition encompasses the notion that in a secure scheme, the adversary should learn no information from seeing a ciphertext. Therefore, the adversary should be able to do no better than if it guessed randomly.
1050:
Indistinguishability under non-adaptive and adaptive Chosen
Ciphertext Attack (IND-CCA1, IND-CCA2) uses a definition similar to that of IND-CPA. However, in addition to the public key (or encryption oracle, in the symmetric case), the adversary is given access to a
1041:
863:
170:
if no adversary, given an encryption of a message randomly chosen from a two-element message space determined by the adversary, can identify the message choice with probability significantly better than that of random guessing
610:
442:
1197:
Some people building encrypted communication links prefer to make the contents of each encrypted datagram indistinguishable from random data, in order to make traffic analysis more difficult.
1244:
making two definitions equivalent; for example, it is known that the property of indistinguishability under adaptive chosen ciphertext attack (IND-CCA2) is equivalent to the property of
2045:
1875:
1058:
oracle even after it has received a challenge ciphertext, with the caveat that it may not pass the challenge ciphertext for decryption (otherwise, the definition would be trivial).
898:
1332:
1302:
1413:
1440:
1356:
1276:
796:
772:
748:
645:
1386:
471:
212:
if no adversary can win the game with significantly greater probability than an adversary who must guess randomly. The most common definitions used in cryptography are
42:
526:
204:
Security in terms of indistinguishability has many definitions, depending on assumptions made about the capabilities of the attacker. It is normally presented as a
801:
1728:
495:
1249:
order to imply still other useful definitions, and vice versa. The following list summarizes a few known implications, though it is by no means complete.
531:
885:
oracle which returns a ciphertext encrypting one of the messages. An adversary's advantage is determined by its probability of guessing the value of
89:
1608:
61:
1085:
The adversary may perform any number of calls to the encryptions and decryption oracle based on arbitrary ciphertexts, or other operations.
1231:
systems, a few cryptographic algorithms are specifically designed to make ciphertext messages indistinguishable from random bit strings.
242:
148:
68:
1693:
1457:
133:
703:
and comparing the resulting ciphertexts with the challenge ciphertext does not afford any non-negligible advantage to the adversary.
1721:
1635:
1526:
1467:
229:
156:
108:
393:
1200:
Some people building systems to store encrypted data prefer to make the data indistinguishable from random data in order to make
75:
1187:
Sometimes we need encryption schemes in which the ciphertext string is indistinguishable from a random string by the adversary.
2093:
1924:
46:
1156:
case (IND-CCA2), the adversary may make further calls to the decryption oracle, but may not submit the challenge ciphertext
57:
254:
879:
As many times as it would like, an adversary selects two plaintext messages of its own choosing and provides them to the
390:" over random guessing. An adversary is said to have a negligible "advantage" if it wins the above game with probability
1714:
2040:
1995:
1808:
1419:
1392:
1365:
1245:
181:). If any adversary can succeed in distinguishing the chosen ciphertext with a probability significantly greater than
1919:
35:
2035:
2025:
2015:
1870:
1462:
1173:
A scheme is IND-CCA1/IND-CCA2 secure if no adversary has a non-negligible advantage in winning the above game.
387:
222:
191:, then this adversary is considered to have an "advantage" in distinguishing the ciphertext, and the scheme is
152:
82:
2020:
2010:
1813:
1773:
1766:
1756:
1751:
1201:
889:
a value chosen at random at the beginning of the game which determines the message that is encrypted in the
246:
215:
141:
1235:
algorithms apparently do, in fact, produce encrypted messages that are indistinguishable from random bits.
1046:
Indistinguishability under chosen ciphertext attack/adaptive chosen ciphertext attack (IND-CCA1, IND-CCA2)
1761:
250:
1490:
1311:
2068:
1914:
1860:
1452:
1281:
1191:
1182:
723:
714:, which retains the secret encryption key and encrypts arbitrary plaintexts at the adversary's request.
1398:
1053:
249:(IND-CPA) is defined by the following game between an adversary and a challenger. For schemes based on
1425:
1341:
1190:
If an adversary is unable to tell if a message even exists, it gives the person who wrote the message
2030:
1954:
722:
The adversarial process of performing a chosen-plaintext attack is usually outlined in the form of a
707:
209:
1255:
873:
777:
753:
729:
615:
1793:
1228:
706:
While the above definition is specific to an asymmetric key cryptosystem, it can be adapted to the
474:
1675:
1371:
447:
1899:
1883:
1830:
1220:
attempt to hide data by making it match the statistical characteristics of the innocent "random"
1543:
1036:{\displaystyle \operatorname {Adv} _{\mathcal {SE}}^{\mathrm {ind-cpa} }(A)=2\cdot \Pr \left-1}
1959:
1949:
1820:
1689:
1681:
1631:
1604:
1522:
1358:
160:
145:
1894:
1596:
858:{\displaystyle {\mathcal {S}}{\mathcal {E}}=({\mathcal {K}},{\mathcal {E}},{\mathcal {D}})}
504:
314:
The adversary may perform a polynomially bounded number of encryptions or other operations.
1205:
1969:
1889:
1850:
1798:
1783:
1138:
The adversary is free to perform any number of additional computations or encryptions.
711:
480:
257:
1652:
1591:
Möller, Bodo (2004). "A Public-Key
Encryption Scheme with Pseudo-random Ciphertexts".
371:
The adversary is free to perform any number of additional computations or encryptions.
159:. Indistinguishability under chosen plaintext attack is equivalent to the property of
2087:
2050:
2005:
1964:
1944:
1840:
1803:
1778:
1217:
2000:
1845:
1835:
1825:
1788:
1737:
1568:
1515:
Chakraborty, Debrup; Rodríguez-Henríquez., Francisco (2008). Çetin Kaya Koç (ed.).
1213:
605:{\displaystyle |\epsilon (k)|\;<\;\left|{\tfrac {1}{\mathrm {poly(k)} }}\right|}
129:
1625:
1600:
1516:
1979:
1569:"Elligator: Elliptic-curve points indistinguishable from uniform random strings"
1564:
1221:
24:
386:
attack if every probabilistic polynomial time adversary has only a negligible "
1939:
1909:
1904:
1865:
1212:
attempt to hide data in the innocent random data left over from some kinds of
140:
based on the message they encrypt. The property of indistinguishability under
137:
125:
1929:
1685:
1209:
726:. To test for symmetric IND-CPA, the game described above is defined. Let
1974:
1934:
1595:. Lecture Notes in Computer Science. Vol. 3193. pp. 335–351.
163:, and many cryptographic proofs use these definitions interchangeably.
1491:"Introduction to Modern Cryptography, Chapter 5: Symmetric Encryption"
1855:
685:
will be only one of many valid ciphertexts, and therefore encrypting
1088:
Eventually, the adversary submits two distinct chosen plaintexts
317:
Eventually, the adversary submits two distinct chosen plaintexts
205:
1710:
237:
Indistinguishability under chosen-plaintext attack (IND-CPA)
151:, though some schemes also provide indistinguishability under
18:
1677:
Introduction to Modern
Cryptography: Principles and Protocols
1334:
means that property A does not necessarily imply property B.
710:
case by replacing the public key encryption function with an
437:{\displaystyle \left({\tfrac {1}{2}}\right)\,+\,\epsilon (k)}
264:
within a polynomial number of time steps. In this definition
994:
991:
911:
908:
847:
837:
827:
814:
807:
783:
759:
735:
136:, then an adversary will be unable to distinguish pairs of
1114:
uniformly at random, and sends the "challenge" ciphertext
1165:
Finally, the adversary outputs a guess for the value of
374:
Finally, the adversary outputs a guess for the value of
1876:
Cryptographically secure pseudorandom number generator
567:
402:
260:, meaning that it must complete the game and output a
1563:
Bernstein, Daniel J.; Hamburg, Mike; Krasnova, Anna;
1428:
1401:
1374:
1344:
1314:
1284:
1258:
901:
804:
780:
756:
732:
618:
534:
507:
483:
450:
396:
1702:
1988:
1744:
49:. Unsourced material may be challenged and removed.
1434:
1407:
1380:
1350:
1326:
1296:
1270:
1035:
857:
790:
766:
742:
639:
604:
520:
497:, that is for every (nonzero) polynomial function
489:
465:
436:
1489:Bellare, Mihir; Rogaway, Phillip (May 11, 2005).
963:
895:oracle. Therefore, its advantage is defined as:
1722:
8:
1624:Moore, Cristopher; Mertens, Stephan (2011).
1149:make further calls to the decryption oracle.
865:be a symmetric encryption scheme. The game
144:is considered a basic requirement for most
1729:
1715:
1707:
1703:
1278:means that property A implies property B.
1074:(e.g., a key size in bits), and publishes
872:
626:
622:
561:
557:
303:(e.g., a key size in bits), and publishes
221:indistinguishability under (non-adaptive)
1427:
1422:under adaptive chosen ciphertext attack)
1400:
1373:
1343:
1313:
1283:
1257:
1078:to the adversary. The challenger retains
1008:
999:
990:
989:
972:
917:
916:
907:
906:
900:
846:
845:
836:
835:
826:
825:
813:
812:
806:
805:
803:
782:
781:
779:
758:
757:
755:
734:
733:
731:
631:
617:
572:
566:
552:
535:
533:
512:
506:
482:
449:
421:
417:
401:
395:
307:to the adversary. The challenger retains
109:Learn how and when to remove this message
1674:Katz, Jonathan; Lindell, Yehuda (2007).
384:indistinguishable under chosen plaintext
1478:
279:represents the encryption of a message
208:, where the cryptosystem is considered
168:secure in terms of indistinguishability
7:
1484:
1482:
1216:. As another example, some kinds of
1062:The challenger generates a key pair
291:The challenger generates a key pair
47:adding citations to reliable sources
1327:{\displaystyle A\not \Rightarrow B}
1204:easier. For example, some kinds of
1177:Indistinguishable from random noise
1145:case (IND-CCA1), the adversary may
343:uniformly at random, and sends the
243:asymmetric key encryption algorithm
1653:"Nonce-Based Symmetric Encryption"
1458:Computational indistinguishability
1304:means that properties A and B are
1297:{\displaystyle A\Leftrightarrow B}
1018:
1015:
1012:
1009:
985:
982:
979:
976:
973:
936:
933:
930:
924:
921:
918:
718:Symmetric IND-CPA Game, Formalized
588:
582:
579:
576:
573:
14:
1468:Adaptive chosen ciphertext attack
1408:{\displaystyle \not \Rightarrow }
1070:based on some security parameter
299:based on some security parameter
230:adaptive chosen ciphertext attack
157:adaptive chosen ciphertext attack
58:"Ciphertext indistinguishability"
2064:
2063:
1593:Computer Security – ESORICS 2004
1435:{\displaystyle \Leftrightarrow }
1351:{\displaystyle \Leftrightarrow }
253:, the adversary is modeled by a
23:
1651:Rogaway, Phillip (2004-02-01).
1544:"Indistinguishable from random"
1395:under chosen plaintext attack)
1368:under chosen plaintext attack)
774:be an encryption function, and
122:Ciphertext indistinguishability
34:needs additional citations for
1925:Information-theoretic security
1429:
1375:
1345:
1288:
1271:{\displaystyle A\Rightarrow B}
1262:
1005:
951:
945:
852:
822:
798:be a decryption function. Let
791:{\displaystyle {\mathcal {D}}}
767:{\displaystyle {\mathcal {E}}}
750:be a key generation function,
743:{\displaystyle {\mathcal {K}}}
672:, the probabilistic nature of
640:{\displaystyle k\;>\;k_{0}}
591:
585:
553:
549:
543:
536:
460:
454:
431:
425:
16:Property of some cryptosystems
1:
1239:Equivalences and implications
1107:The challenger selects a bit
676:means that the encryption of
650:Although the adversary knows
336:The challenger selects a bit
255:probabilistic polynomial time
245:, indistinguishability under
166:A cryptosystem is considered
1601:10.1007/978-3-540-30108-0_21
1381:{\displaystyle \Rightarrow }
466:{\displaystyle \epsilon (k)}
2041:Message authentication code
1996:Cryptographic hash function
1809:Cryptographic hash function
228:indistinguishability under
214:indistinguishability under
128:schemes. Intuitively, if a
2112:
1920:Harvest now, decrypt later
1180:
477:in the security parameter
132:possesses the property of
2059:
2036:Post-quantum cryptography
1706:
1627:The Nature of Computation
1518:Cryptographic Engineering
2026:Quantum key distribution
2016:Authenticated encryption
1871:Random number generation
1463:Chosen ciphertext attack
1135:) back to the adversary.
368:) back to the adversary.
223:chosen ciphertext attack
153:chosen ciphertext attack
149:public key cryptosystems
2021:Public-key cryptography
2011:Symmetric-key algorithm
1814:Key derivation function
1774:Cryptographic primitive
1767:Authentication protocol
1757:Outline of cryptography
1752:History of cryptography
247:chosen plaintext attack
219:(abbreviated IND-CPA),
216:chosen plaintext attack
142:chosen plaintext attack
2094:Theory of cryptography
1762:Cryptographic protocol
1436:
1409:
1382:
1352:
1328:
1298:
1272:
1037:
859:
792:
768:
744:
641:
606:
522:
491:
467:
438:
251:computational security
124:is a property of many
1915:End-to-end encryption
1861:Cryptojacking malware
1453:Distinguishing attack
1437:
1410:
1383:
1353:
1329:
1299:
1273:
1192:plausible deniability
1183:Distinguishing attack
1038:
860:
793:
769:
745:
642:
607:
523:
521:{\displaystyle k_{0}}
492:
468:
439:
2031:Quantum cryptography
1955:Trusted timestamping
1426:
1399:
1372:
1342:
1312:
1282:
1256:
899:
802:
778:
754:
730:
616:
532:
505:
481:
448:
394:
241:For a probabilistic
134:indistinguishability
43:improve this article
1794:Cryptographic nonce
1542:iang (2006-05-20).
1229:deniable encryption
1224:in digital photos.
1004:
941:
475:negligible function
1900:Subliminal channel
1884:Pseudorandom noise
1831:Key (cryptography)
1682:Chapman & Hall
1432:
1405:
1378:
1348:
1324:
1294:
1268:
1104:to the challenger.
1033:
971:
902:
855:
788:
764:
740:
724:Cryptographic Game
637:
602:
596:
518:
487:
463:
434:
411:
382:A cryptosystem is
333:to the challenger.
200:Formal definitions
2081:
2080:
2077:
2076:
1960:Key-based routing
1950:Trapdoor function
1821:Digital signature
1610:978-3-540-22987-2
1359:semantic security
1054:decryption oracle
712:encryption oracle
595:
490:{\displaystyle k}
410:
161:semantic security
119:
118:
111:
93:
2101:
2067:
2066:
1895:Insecure channel
1731:
1724:
1717:
1708:
1704:
1699:
1667:
1666:
1664:
1663:
1657:
1648:
1642:
1641:
1621:
1615:
1614:
1588:
1582:
1581:
1579:
1578:
1573:
1560:
1554:
1553:
1551:
1550:
1539:
1533:
1532:
1512:
1506:
1505:
1503:
1501:
1495:
1486:
1441:
1439:
1438:
1433:
1420:non-malleability
1414:
1412:
1411:
1406:
1393:non-malleability
1387:
1385:
1384:
1379:
1366:non-malleability
1357:
1355:
1354:
1349:
1333:
1331:
1330:
1325:
1303:
1301:
1300:
1295:
1277:
1275:
1274:
1269:
1246:non-malleability
1227:To support such
1168:
1159:
1134:
1113:
1103:
1081:
1077:
1073:
1069:
1065:
1042:
1040:
1039:
1034:
1026:
1022:
1021:
1003:
998:
997:
988:
940:
939:
915:
914:
894:
888:
884:
876:
868:
864:
862:
861:
856:
851:
850:
841:
840:
831:
830:
818:
817:
811:
810:
797:
795:
794:
789:
787:
786:
773:
771:
770:
765:
763:
762:
749:
747:
746:
741:
739:
738:
702:
693:
684:
675:
671:
667:
658:
646:
644:
643:
638:
636:
635:
611:
609:
608:
603:
601:
597:
594:
568:
556:
539:
527:
525:
524:
519:
517:
516:
500:
496:
494:
493:
488:
472:
470:
469:
464:
443:
441:
440:
435:
416:
412:
403:
377:
367:
342:
332:
310:
306:
302:
298:
294:
286:
282:
278:
226:(IND-CCA1), and
190:
189:
185:
180:
179:
175:
114:
107:
103:
100:
94:
92:
51:
27:
19:
2111:
2110:
2104:
2103:
2102:
2100:
2099:
2098:
2084:
2083:
2082:
2073:
2055:
1984:
1740:
1735:
1696:
1673:
1670:
1661:
1659:
1655:
1650:
1649:
1645:
1638:
1623:
1622:
1618:
1611:
1590:
1589:
1585:
1576:
1574:
1571:
1562:
1561:
1557:
1548:
1546:
1541:
1540:
1536:
1529:
1521:. p. 340.
1514:
1513:
1509:
1499:
1497:
1493:
1488:
1487:
1480:
1476:
1449:
1424:
1423:
1397:
1396:
1370:
1369:
1340:
1339:
1310:
1309:
1280:
1279:
1254:
1253:
1241:
1206:disk encryption
1185:
1179:
1166:
1157:
1133:
1115:
1108:
1102:
1095:
1089:
1079:
1075:
1071:
1067:
1063:
1048:
970:
966:
897:
896:
890:
886:
880:
869:is defined as:
866:
800:
799:
776:
775:
752:
751:
728:
727:
720:
701:
695:
692:
686:
683:
677:
673:
669:
666:
660:
657:
651:
627:
614:
613:
562:
530:
529:
508:
503:
502:
498:
479:
478:
446:
445:
397:
392:
391:
375:
366:
348:
337:
331:
324:
318:
308:
304:
300:
296:
292:
284:
280:
265:
239:
202:
187:
183:
182:
177:
173:
172:
146:provably secure
115:
104:
98:
95:
52:
50:
40:
28:
17:
12:
11:
5:
2109:
2108:
2105:
2097:
2096:
2086:
2085:
2079:
2078:
2075:
2074:
2072:
2071:
2060:
2057:
2056:
2054:
2053:
2048:
2046:Random numbers
2043:
2038:
2033:
2028:
2023:
2018:
2013:
2008:
2003:
1998:
1992:
1990:
1986:
1985:
1983:
1982:
1977:
1972:
1970:Garlic routing
1967:
1962:
1957:
1952:
1947:
1942:
1937:
1932:
1927:
1922:
1917:
1912:
1907:
1902:
1897:
1892:
1890:Secure channel
1887:
1881:
1880:
1879:
1868:
1863:
1858:
1853:
1851:Key stretching
1848:
1843:
1838:
1833:
1828:
1823:
1818:
1817:
1816:
1811:
1801:
1799:Cryptovirology
1796:
1791:
1786:
1784:Cryptocurrency
1781:
1776:
1771:
1770:
1769:
1759:
1754:
1748:
1746:
1742:
1741:
1736:
1734:
1733:
1726:
1719:
1711:
1701:
1700:
1695:978-1584885511
1694:
1669:
1668:
1658:. pp. 5–6
1643:
1636:
1616:
1609:
1583:
1567:(2013-08-28).
1555:
1534:
1527:
1507:
1477:
1475:
1472:
1471:
1470:
1465:
1460:
1455:
1448:
1445:
1444:
1443:
1431:
1416:
1404:
1389:
1377:
1362:
1347:
1323:
1320:
1317:
1293:
1290:
1287:
1267:
1264:
1261:
1240:
1237:
1181:Main article:
1178:
1175:
1171:
1170:
1163:
1162:
1161:
1150:
1136:
1131:
1105:
1100:
1093:
1086:
1083:
1047:
1044:
1032:
1029:
1025:
1020:
1017:
1014:
1011:
1007:
1002:
996:
993:
987:
984:
981:
978:
975:
969:
965:
962:
959:
956:
953:
950:
947:
944:
938:
935:
932:
929:
926:
923:
920:
913:
910:
905:
854:
849:
844:
839:
834:
829:
824:
821:
816:
809:
785:
761:
737:
719:
716:
699:
690:
681:
664:
655:
634:
630:
625:
621:
600:
593:
590:
587:
584:
581:
578:
575:
571:
565:
560:
555:
551:
548:
545:
542:
538:
515:
511:
486:
462:
459:
456:
453:
433:
430:
427:
424:
420:
415:
409:
406:
400:
380:
379:
372:
369:
364:
334:
329:
322:
315:
312:
283:under the key
258:Turing machine
238:
235:
201:
198:
117:
116:
99:September 2014
31:
29:
22:
15:
13:
10:
9:
6:
4:
3:
2:
2107:
2106:
2095:
2092:
2091:
2089:
2070:
2062:
2061:
2058:
2052:
2051:Steganography
2049:
2047:
2044:
2042:
2039:
2037:
2034:
2032:
2029:
2027:
2024:
2022:
2019:
2017:
2014:
2012:
2009:
2007:
2006:Stream cipher
2004:
2002:
1999:
1997:
1994:
1993:
1991:
1987:
1981:
1978:
1976:
1973:
1971:
1968:
1966:
1965:Onion routing
1963:
1961:
1958:
1956:
1953:
1951:
1948:
1946:
1945:Shared secret
1943:
1941:
1938:
1936:
1933:
1931:
1928:
1926:
1923:
1921:
1918:
1916:
1913:
1911:
1908:
1906:
1903:
1901:
1898:
1896:
1893:
1891:
1888:
1885:
1882:
1877:
1874:
1873:
1872:
1869:
1867:
1864:
1862:
1859:
1857:
1854:
1852:
1849:
1847:
1844:
1842:
1841:Key generator
1839:
1837:
1834:
1832:
1829:
1827:
1824:
1822:
1819:
1815:
1812:
1810:
1807:
1806:
1805:
1804:Hash function
1802:
1800:
1797:
1795:
1792:
1790:
1787:
1785:
1782:
1780:
1779:Cryptanalysis
1777:
1775:
1772:
1768:
1765:
1764:
1763:
1760:
1758:
1755:
1753:
1750:
1749:
1747:
1743:
1739:
1732:
1727:
1725:
1720:
1718:
1713:
1712:
1709:
1705:
1697:
1691:
1687:
1683:
1679:
1678:
1672:
1671:
1654:
1647:
1644:
1639:
1637:9780191620805
1633:
1629:
1628:
1620:
1617:
1612:
1606:
1602:
1598:
1594:
1587:
1584:
1570:
1566:
1559:
1556:
1545:
1538:
1535:
1530:
1528:9780387718170
1524:
1520:
1519:
1511:
1508:
1492:
1485:
1483:
1479:
1473:
1469:
1466:
1464:
1461:
1459:
1456:
1454:
1451:
1450:
1446:
1421:
1417:
1402:
1394:
1390:
1367:
1363:
1360:
1337:
1336:
1335:
1321:
1318:
1315:
1307:
1291:
1285:
1265:
1259:
1252:The notation
1250:
1247:
1238:
1236:
1232:
1230:
1225:
1223:
1219:
1218:steganography
1215:
1211:
1207:
1203:
1198:
1195:
1193:
1188:
1184:
1176:
1174:
1164:
1155:
1151:
1148:
1144:
1140:
1139:
1137:
1130:
1126:
1122:
1118:
1111:
1106:
1099:
1092:
1087:
1084:
1061:
1060:
1059:
1056:
1055:
1045:
1043:
1030:
1027:
1023:
1000:
967:
960:
957:
954:
948:
942:
927:
903:
893:
883:
877:
875:
870:
842:
832:
819:
725:
717:
715:
713:
709:
704:
698:
689:
680:
663:
654:
648:
632:
628:
623:
619:
598:
569:
563:
558:
546:
540:
513:
509:
501:there exists
484:
476:
457:
451:
428:
422:
418:
413:
407:
404:
398:
389:
385:
373:
370:
363:
359:
355:
351:
346:
340:
335:
328:
321:
316:
313:
290:
289:
288:
276:
272:
268:
263:
259:
256:
252:
248:
244:
236:
234:
232:
231:
225:
224:
218:
217:
211:
207:
199:
197:
194:
169:
164:
162:
158:
154:
150:
147:
143:
139:
135:
131:
127:
123:
113:
110:
102:
91:
88:
84:
81:
77:
74:
70:
67:
63:
60: –
59:
55:
54:Find sources:
48:
44:
38:
37:
32:This article
30:
26:
21:
20:
2001:Block cipher
1846:Key schedule
1836:Key exchange
1826:Kleptography
1789:Cryptosystem
1738:Cryptography
1676:
1660:. Retrieved
1646:
1626:
1619:
1592:
1586:
1575:. Retrieved
1565:Lange, Tanja
1558:
1547:. Retrieved
1537:
1517:
1510:
1498:. Retrieved
1496:. p. 93
1305:
1251:
1242:
1233:
1226:
1214:data erasure
1199:
1196:
1189:
1186:
1172:
1153:
1146:
1143:non-adaptive
1142:
1128:
1124:
1120:
1116:
1109:
1097:
1090:
1052:
1049:
891:
881:
878:
871:
721:
705:
696:
687:
678:
661:
652:
649:
383:
381:
361:
357:
353:
349:
344:
338:
326:
319:
274:
270:
266:
261:
240:
227:
220:
213:
203:
192:
167:
165:
130:cryptosystem
121:
120:
105:
96:
86:
79:
72:
65:
53:
41:Please help
36:verification
33:
1989:Mathematics
1980:Mix network
1222:image noise
1202:data hiding
347:ciphertext
138:ciphertexts
1940:Ciphertext
1910:Decryption
1905:Encryption
1866:Ransomware
1662:2014-08-07
1577:2015-01-23
1549:2014-08-06
1474:References
1361:under CPA.
1306:equivalent
528:such that
126:encryption
69:newspapers
1930:Plaintext
1686:CRC Press
1442:IND-CCA2.
1430:⇔
1418:NM-CCA2 (
1415:IND-CCA2.
1376:⇒
1346:⇔
1289:⇔
1263:⇒
1210:TrueCrypt
1028:−
1006:⇒
961:⋅
943:
928:−
708:symmetric
541:ϵ
452:ϵ
423:ϵ
388:advantage
345:challenge
2088:Category
2069:Category
1975:Kademlia
1935:Codetext
1878:(CSPRNG)
1447:See also
1403:⇏
1391:NM-CPA (
1388:IND-CPA.
1364:NM-CPA (
1338:IND-CPA
1319:⇏
1208:such as
1154:adaptive
1112:∈ {0, 1}
612:for all
444:, where
341:∈ {0, 1}
1745:General
1500:6 April
1152:In the
1141:In the
186:⁄
176:⁄
83:scholar
1856:Keygen
1692:
1634:
1607:
1525:
499:poly()
210:secure
85:
78:
71:
64:
56:
1886:(PRN)
1656:(PDF)
1572:(PDF)
1494:(PDF)
867:Guess
473:is a
262:guess
90:JSTOR
76:books
1690:ISBN
1632:ISBN
1605:ISBN
1523:ISBN
1502:2020
668:and
624:>
559:<
206:game
155:and
62:news
1597:doi
1147:not
904:Adv
193:not
45:by
2090::
1688:.
1684:/
1680:.
1630:.
1603:.
1481:^
1308:.
1194:.
1127:,
1125:PK
1119:=
1096:,
1080:SK
1076:PK
1068:SK
1066:,
1064:PK
964:Pr
892:LR
887:b,
882:LR
694:,
670:PK
659:,
647:.
360:,
358:PK
352:=
325:,
309:SK
305:PK
297:SK
295:,
293:PK
287::
285:PK
273:,
271:PK
1730:e
1723:t
1716:v
1698:.
1665:.
1640:.
1613:.
1599::
1580:.
1552:.
1531:.
1504:.
1322:B
1316:A
1292:B
1286:A
1266:B
1260:A
1169:.
1167:b
1160:.
1158:C
1132:b
1129:M
1123:(
1121:E
1117:C
1110:b
1101:1
1098:M
1094:0
1091:M
1082:.
1072:k
1031:1
1024:]
1019:e
1016:u
1013:r
1010:t
1001:A
995:E
992:S
986:s
983:s
980:e
977:u
974:G
968:[
958:2
955:=
952:)
949:A
946:(
937:a
934:p
931:c
925:d
922:n
919:i
912:E
909:S
853:)
848:D
843:,
838:E
833:,
828:K
823:(
820:=
815:E
808:S
784:D
760:E
736:K
700:1
697:M
691:0
688:M
682:b
679:M
674:E
665:1
662:M
656:0
653:M
633:0
629:k
620:k
599:|
592:)
589:k
586:(
583:y
580:l
577:o
574:p
570:1
564:|
554:|
550:)
547:k
544:(
537:|
514:0
510:k
485:k
461:)
458:k
455:(
432:)
429:k
426:(
419:+
414:)
408:2
405:1
399:(
378:.
376:b
365:b
362:M
356:(
354:E
350:C
339:b
330:1
327:M
323:0
320:M
311:.
301:k
281:M
277:)
275:M
269:(
267:E
188:2
184:1
178:2
174:1
171:(
112:)
106:(
101:)
97:(
87:·
80:·
73:·
66:·
39:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.