cryptography lecture 11 stefan dziembowski [email protected]
TRANSCRIPT
![Page 2: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/2.jpg)
Plan
1. Definition of CCA-security
2. Construction of the CCA-secure schemes
1. in the private-key settings,
2. in the public-key settings.
![Page 3: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/3.jpg)
Problem
How to encode a message m before encrypting it (with RSA, for example)?
m
x := encode(m)
xe mod N
decode(v)
v := zd mod N
z
![Page 4: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/4.jpg)
Remember the chosen-plaintext attack?
oracle
has to guess b
m0,m1
c = Enc(pk,mb)
chooses m0,m1
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk
![Page 5: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/5.jpg)
The PKCS #1 v1.5 encoding
We observed that encoding has to be randomized.
This is the encoding that we presented:
00000000 00000002 r 00000000 m
(k - D - 3) random bytes D bytes
k bytes
![Page 6: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/6.jpg)
Today’s lecture
The PKCS #1 v1.5 encoding looks ad-hoc...
Today we present a more “scientific” encoding.
For this, we are going to use a stronger security definition.
![Page 7: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/7.jpg)
Chosen Ciphertext Attack (CCA)
The adversary may also choose a ciphertext and learn the corresponding plaintext.
Does it make sense?– Aren’t we too paranoid?– How to formalize it?
![Page 8: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/8.jpg)
Aren’t we too paranoid?
No!
Bleichenbacher [1998] showed a “practical” chosen ciphertext attack on encoding proposed for the PKCS #1 v.2 standard.
[see also: Bleichenbacher, D., Kaliski B., Staddon J., "Recent results on PKCS #1: RSA encryption standard", RSA Laboratories' bulletin #7, ftp://ftp.rsasecurity.com/pub/pdfs/bulletn7.pdf ]
Why is Blaichenbacher’s attack practical?
Because it assumes that the adversary can get only one bit of information about the plaintext...
![Page 9: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/9.jpg)
PKCS #1: RSA Encryption Standard Version 2
public-key: (N,e)let k := length on N in bytes.let D := length of the plaintextrequirement: D ≤ k - 11.
Enc((N,e), m) := xe mod N, where x is equal to
00000000 00000002 r 00000000 m
(k - D - 3) random bytes D bytes
k bytes
![Page 10: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/10.jpg)
Bleichenbacher’s attack – the scenario
sk = (N,d)
c1 computesx = c1
d mod Nand checks if x is a correct PKCS #1 v2 encoding
pk = (N,d)
yes/no
. . .
c
Goal:compute cd mod N
Bleichenbacher [1998]:
There exists a successful attack that requires k = 220 questions for N = 1024.
ck
yes/no
![Page 11: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/11.jpg)
So, chosen ciphertext attacks are practical!
In Bleichenbacher’s attack the adversary could obtain just one bit of information.
Conservative approach:
assume that he can get the entire plaintext.
![Page 12: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/12.jpg)
Idea
1. Provide a security definition that “covers” this type of an attack.
2. Propose a scheme that is “provably secure” according to this definition.
This will lead to an encoding that is less ad-hoc than PKCS #1 v1.5
![Page 13: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/13.jpg)
CCA - security
It makes sense to consider CCA-security in
• private-key settings
• public-key settings more interesting
![Page 14: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/14.jpg)
Decryption oracle
To define the CCA-security we consider a decryption oracle.
skc1
Dsk(c1)
. . .
c2
Dsk(c2)
ck
Dsk(ck)
Dsk(ci) := error
if ci cannot be decrypted
![Page 15: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/15.jpg)
Decryption/encryption oracle
Two types of queries:
(sk,pk)Decrypt ci
Dsk(ci)
Encrypt mi
Epk(mi)
We assume that also CPA is allowed.
![Page 16: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/16.jpg)
CCA-security– the game
oracle
has to guess b
m0,m1
c = Enc(pk,mb)
chooses m0,m1
security parameter1n
1. selects random (pk,sk) = Gen(1n)
2. chooses a random b = 0,1
challenge phase:
pk (in the public-key settings)
CCA-attack
CCA-attack |m0| = |m1|
Here Eve cannot ask for decryption of c.
in the private-key settings: pk = sk
![Page 17: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/17.jpg)
CCA-security
Security definition:
We say that (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-ciphertext attack (CCA) if any
randomized polynomial time adversary
guesses b correctly
with probability at most 0.5 + ε(n), where ε is negligible.
Alternative name: CCA-secure
![Page 18: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/18.jpg)
CCA in practice (1/2)
Some actions of the receiver may depend on the decrypted message.
For example, the receiver may communicate an error if the message “looks strange”.
(like in the Bleichenbacher’s attack)
![Page 19: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/19.jpg)
CCA in practice (2/2)m := “Some top-secret information”
Alice
Alice: c := E(pk,m)
wants to decrypt c
Eve: c’
replies quoting
m’=D(sk,c’)
Alice (pk,sk)
Why Eve cannot just set c’ := c ?Because Bob would get suspicious (why message from Eve has Alice’s name inside?)
replies (in an encrypted way) to Alice quoting m
![Page 20: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/20.jpg)
CCA in the private-key settings
CCA-security in the private-key settings can be achieved by adding authentication.
How to combine authentication with encryption?
We already considered this problem some time ago.
![Page 21: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/21.jpg)
Authentication and EncryptionOptions:
• Encrypt-and-authenticate:
c ← Enck1(m) and t ← Mack2 (m)• Authenticate-then-encrypt:
t ← Mack2 (m) and c ← Enck1(m||t)• Encrypt-then-authenticate:
c ← Enck1(m) and t ← Mack2 (c)
wrong
better
the best
![Page 22: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/22.jpg)
A CCA-secure encryption scheme
(Gen,Enc,Dec) – a CPA-secure encryption scheme(GenMAC,Tag,Vrfy) – a MAC.
Create a new encryption scheme (Gen’,Enc’,Dec’) where:
• Gen’(1n) := (Gen(1n),GenMAC(1n)),• Enc’((k0,k1),m) :=
(Enc(k0,m), Tag(k1,Enc(k0,m)))• Dec’((k0,k1),m) := decrypt and verify the tag
![Page 23: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/23.jpg)
Why is it secure?
IntuitionAn adversary cannot create a new valid pair
(Enc(k0,m), Tag(k1,Enc(k0,m)))
without knowing k1.So he will always receive an error message from
the oracle
(unless he replays the ciphertexts that he already received from the oracle – but this gives him no extra information)
![Page 24: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/24.jpg)
Is authenticate-then-encrypt secure?
Authenticate-then-encrypt:
t ← Mack2 (m) and c ← Enck1(m||t)
Not always!
There exists (artificial) counter-examples...
![Page 25: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/25.jpg)
The first counter-exampleAuthenticate-then-encrypt:
t ← Mack2 (m) and c ← Enck1(m||t)
Suppose the encryption scheme adds a random bit at the end of the ciphertext.
Enck1(m || Mack2 (m)) B
Enck1(m || Mack2 (m)) neg B
Then
is a different ciphertext and the adversary is allowed to ask the oracle to decrypt it.
This example is really artificial. There exist better ones...
![Page 26: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/26.jpg)
The second counter-exampleConsider the following transformation
T : {0,1}* → {0,1}*defined on every (x1,x2,...,xn) as
T(x1,x2,...,xn) = (U(x1),U(x2),...,U(xn)), where• U(0) = 00• U(1) = 01, or 10, randomly.
This transformation is of course invertible.
Example:
1 1 0 0 1
0 1 1 0 0 0 0 0 0 1
T
![Page 27: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/27.jpg)
Remember the stream ciphers?
m
s
G(IV,s)
G(IV,s) xor m
IV
xor
IV
Enc(s,m)
![Page 28: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/28.jpg)
Our new (artificial) encryption schemeTo encrypt a message m do the following:
T(m)
s
G(IV,s)
G(IV,s) xor T(m)
IV
xor
IV
Enc(s,m)
If Enc is CPA-secure then also this scheme is CPA-secure.
![Page 29: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/29.jpg)
CCA-security?Suppose we use this encryption scheme with the authenticate-then-encrypt method:
t ← Mack2 (m) and c ← Enck1(m||t)
T(m, Mack2 (m))
s
G(IV,s)
G(IV,s) xor T(m, Mack2 (m) )
IV
xor
IV
Enc(s,m)
![Page 30: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/30.jpg)
How does the ciphertext look?
T(m)
pad1
T(Mack2 (m))
xor
T(m) xor pad1 T(Mack2 (m)) xor pad2
pad2
![Page 31: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/31.jpg)
C’
The attackThe adversary that wants to decrypt the first bit of
C1 C2
can modify the ciphertext by flipping the first two bits:
C1 C2
xor
X X C2
1 1
If the first two bits are 01 or 10 then the corresponding plaintext doesn’t change.
If the first two bits are 00 then the plaintext changes and the tag becomes invalid!
![Page 32: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/32.jpg)
The chosen-ciphertext attack(just based on the error messages)
The adversary is given c and wants to learn the first bit of the corresponding plaintext.
Let c’ be the ciphertext c with the first two bits flipped.
The adversary sends c’ to the oracle.
If the oracle answers “error” then the adversary knows that the first bit was 0.
The same can be done for any other bit.
![Page 33: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/33.jpg)
These examples are artificial
It is likely that for many “normal” schemes this combination is secure.
However, these examples show that the authenticate-then-encrypt method cannot be proven secure...
(from the standard assumptions)
![Page 34: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/34.jpg)
How does it look in the public-key settings
There are many constructions of a CCA-secure public-key encryption scheme.
Probably the most famous is the one of Cramer and Shoup:[Ronald Cramer and Victor Shoup: "A practical public key cryptosystem provably
secure against adaptive chosen ciphertext attack." 1998].
It is based on hardness of discrete logarithm and is quite efficient.
Still, many practitioners prefer more efficient schemes (with a weaker security proof).
![Page 35: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/35.jpg)
Plan
We present two CCA-secure schemes based on RSA.
1. efficient and simple,
2. even more efficient and a bit less simple.
![Page 36: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/36.jpg)
First attempt
Idea: take the symmetric-key CCA-secure scheme (Enc’,Dec’) and use something similar to hybrid encryption.
public key: (N,e) private key: (N,d)
Enc((N,e),m) := (re mod N, Enc’(r,m))
Dec((N,d),(c0,c1)) := Dec’(c0d mod N, c1)
r is random
![Page 37: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/37.jpg)
ProblemEnc((N,e),m) := (re mod N, Enc’(r,m))
|N| is normally much larger than the length of a key for symmetric encryption.
Typically |N| = 1024 and length of the key is 128.
First idea: truncate.
But is it secure?
It may be the case that
• RSA is hard to invert, but• 128 first bits are easy to compute...
![Page 38: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/38.jpg)
Idea
Instead of truncating – hash!
t – length of the symmetric keyH : {0,1}* → {0,1}t – a hash function
Enc((N,e),m) := (re mod N, Enc’(H(r),m))
Dec((N,d),(c0,c1)) := Dec’((H(c0)d mod N, c1)
But can we prove anything about it?
depends...
![Page 39: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/39.jpg)
Which properties should H have?
If we just assume that H is collision-resistant we cannot prove anything...
We have to assume that H “outputs random values on different inputs”.
This can be formalized by modeling H as random oracle.
This is also called a Random Oracle Model.
And it is controversial.
![Page 40: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/40.jpg)
The Random Oracle Model (ROM)
In the proofs we model the hash function as a random oracle.
real protocol:
SHA1
in the proof:
oracle Ω
![Page 41: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/41.jpg)
The oracle Ω
oracle Ωhas a random function
H : {0,1}* → {0,1}n
Everybody (including the adversary) can query the oracle:
x
H(x)
In the proof:every call to the hash function is replaced with the query to the oracle Ω
![Page 42: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/42.jpg)
Problems with the ROM
This model is too strong.
Random Oracle cannot be implemented in real-life.
Moreover, there are examples of protocols that are secure in ROM,
butthey are not secure if the random oracle is replaced with
any hash function.
[The Random-Oracle Model, Revisited. R. Canetti, O. Goldreich and S. Halevi. J. ACM 51(4): 557-594 (2004).]
![Page 43: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/43.jpg)
Security proof – the intuitionH – a hash function
Enc((N,e),m) := (re mod N, Enc’(H(r), m))
Why is this scheme secure in the random oracle model?
Because, as long as the adversary did not query the oracle on r, the value of H(r) is completely random.
To learn r the adversary would need to compute it from re mod N, so he would need to invert RSA.
So (with a very high probability) from the point of view of the adversary H(r) is random.
Therefore the CCA security of (Enc,Dec) follows from the CCA-security of (Enc’,Dec’).
![Page 44: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/44.jpg)
Disadvantages of this method
Enc((N,e),m) := (re mod N, Enc’(H(r), m))
The ciphertext is longer than the plaintext.
This is especially important if the message is short.
Therefore in practice another method is used:
Optimal Asymmetric Encryption Padding (OAEP).
![Page 45: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/45.jpg)
Optimal Asymmetric Encryption Padding (OAEP) – the history
• Introduced in:[M. Bellare, P. Rogaway. Optimal Asymmetric Encryption -- How to encrypt with RSA. Eurocrypt '94]
• An error in the security proof was spoted in[V. Shup. OAEP Reconsidered. Crypto ’01]
• This error was repaired in[E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Crypto ’01]
It is now a part of a PKCS#1 v. 2.0 standard.
![Page 46: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/46.jpg)
OAEPG,H – hash functions
OAEP(m) :=
m 000...0 random r
G
H
X Y
n/4n/4 n/4
![Page 47: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/47.jpg)
How to invert?
m Z
G
H
X Y
check if Z = 000...0
![Page 48: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/48.jpg)
RSA-OAEP
private key: (N,d)
public key: (N,e)
Enc((N,e),m) = (OAEP(m))e mod N
Dec((N,e),m) = (OAEP-1(m))d mod N
![Page 49: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/49.jpg)
Security – the intuition
m 000...0 random r
G
H
X Y
1. OAEP is hard to invert if you don’t know X and Y completely.
![Page 50: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/50.jpg)
Why?
m Z
G
H
X Y
Assume G and H are random oracles...
![Page 51: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/51.jpg)
Security – the intuition
m 000...0 random r
G
H
X Y
2. It is hard to produce a valid (X,Y) “without knowing m”
![Page 52: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/52.jpg)
Why?
m Z
G
H
X Y
Again, look at OAEP-1 and assume that G and H are random oracles.
requirement: Z = 000...0
![Page 53: Cryptography Lecture 11 Stefan Dziembowski stefan@dziembowski.net](https://reader035.vdocuments.net/reader035/viewer/2022081421/56649efc5503460f94c0f286/html5/thumbnails/53.jpg)
Security – the conclusion
If it is hard to produce a valid (X,Y) “without knowing m”, then CCA should not help the adversary.
Because he will only receive the error messages from the oracle.
(that was just an intuition – in reality the proof is complicated)