# Easy explanation of “IND-” security notions?

$\begingroup$ The ideal encoding scheme $E$ would be one that, for every ciphertext $C=E ( K, M )$, if the identify remains privy for the adversary, the probability of identifying $M$ is negligible. Since that is not possible in practice, the moment most reasonable approach is to define constraints potent enough to satisfy some definition of security. The $\operatorname { IND- }$ notation provides such definitions in terms of games, where a rival keeps his identify secret, and an adversary has certain capabilities and his target is to break the encoding organization .
To keep it general, an encoding schema will have a key generation algorithm $KG$, which will generate a key pair $K_E$, $K_D$, an encoding algorithm $E$ and a decoding algorithm $D$. Encryption is constantly revertible, but the encoding and decoding identify can be unlike ( covering public key crypto ) : $D ( K_D, E ( K_E, M ) ) =M$

*IND-CPA: INDistinguishability under Chosen Plaintext Attack

In words: the adversary generates two messages of adequate length. The rival decides, randomly, to encrypt one of them. The adversary tries to guess which of the messages was encrypted.

Algorithm:

1. Challenger: $K_E, K_D$ = KG(security parameter)
2. Adversary: $m_0, m_1 =$ choose two messages of the same length. Send $m_0, m_1$ to the challenger. Perform additional operations in polynomial time including calls to the encryption oracle.
3. Challenger: $b=$ randomly choose between 0 and 1
4. Challenger: $C : =E ( K_E, m_b )$. Send $C$ to the adversary.
5. Adversary: perform additional operations in polynomial time including calls to the encryption oracle. Output $think$.
6. If $guess=b$, the adversary wins

Further comment: the main concept introduced by this scenario is the polynomial adhere. nowadays, our expectations from crypto are weakened from probability of winning is negligible to probability of winning within a reasonable timeframe is negligible. The restriction for the messages to be of the like distance aims to prevent the adversary to trivially win the game by just comparing the distance of the ciphertexts. however, this necessity is besides watery, particularly because it assumes alone a single interaction between the adversary and the rival .

IND-CCA1: INDistinguishability under Chosen Ciphertext Attack

In words: the target of the plot is the same as in IND-CPA. The adversary has an extra capability : to call an encoding or decoding prophet. That means : the adversary can encrypt or decrypt arbitrary messages before obtaining the challenge ciphertext .
Algorithm:

1. Challenger: $K_E, K_D$ = KG(security parameter)
2. Adversary (a polynomially-bounded number of times): call the encryption or decryption oracle for arbitrary plaintexts or ciphertexts, respectively
3. Adversary: $m_0, m_1 =$ choose two messages of the same length
4. Challenger: $b=$ randomly choose between 0 and 1
5. Challenger: $C : =E ( K_E, m_b )$Send $C$

6. Adversary: perform additional operations in polynomial time. Output $guess$
7. If $guess=b$, the adversary wins

Further comment: IND-CCA1 considers the possibility of reprise interaction, implying that security does not weaken with clock time .

IND-CCA2: INDistinguishability under adaptive Chosen Ciphertext Attack

In words: In addition to its capabilities under IND-CCA1, the adversary is now given access to the oracles after receiving $C$, but can not send $C$ to the decoding oracle .
Algorithm:

1. Challenger: $K_E, K_D$ = KG(security parameter)
2. Adversary (as many times as he wants): call the encryption or decryption oracle for an arbitrary plaintext/ciphertext
3. Adversary: $m_0, m_1 =$ choose two messages of the same length
4. Challenger: $b=$ randomly choose between 0 and 1
5. Challenger: $C : =E ( K_E, m_b )$Send $C$ to the adversary.
6. Adversary: perform additional operations in polynomial time, including calls to the oracles, for ciphertexts different than $C$. Output $guess$.
7. If $guess=b$, the adversary wins

Further comment: IND-CCA2 suggests that using the decoding prophet after knowing the ciphertext can give a fair advantage in some schemes, since the requests to the oracle could be customized depending on the specific ciphertext .
The notion of IND-CCA3 is added based on the reference provided by @SEJPM. I add it for completeness, but it seems important to point out that there are few resources about it, and my interpretation could be misleading.

IND-CCA3: (authenticated) INDistinguishability under adaptive Chosen Ciphertext Attack

In words: It is not potential to create a valid forgery with non-negligible probability. The adversary is given two pairs of encryption/decryption oracles. The first base pair performs the intended encoding and decoding operations, while the second one is defined as follows : $\mathcal { E } _K$ : render encryptions of random strings. $\mathcal { D } _K :$ returns INVALID. rather of being presented as a game, it is presented using the mathematical concept of advantage : the improvement of the probability of winning by using the valid oracle against the probability of success under the “ bogus ” oracle.

Formula: $\mathbf { Adv } ^ { ind-cca3 } _ { \pi } ( A ) =Pr\left [ K\overset { \\\$ } { \leftarrow } \mathcal { K } : A^ { \mathcal { E } _K ( \cdot ), \mathcal { D } _K ( \cdot ) } \Rightarrow 1\right ] – Pr\left [ A^ { \mathcal { E } _K ( \\\ $|\cdot| ), \perp ( \cdot ) } \Rightarrow 1\right ]$
Further comment: the newspaper where IND-CCA3 has introduced a stress on one fundamental idea. IND-CCA3 is equivalent to authenticate encoding .
note that in the font of public-key cryptography the adversary is constantly given access to the public key $K_E$ american samoa well as the encoding routine $E ( K_E, \cdot )$ .