About CCA-Security Until now we have defined security against two types of attacks: passive eavesdropping and chosen-plaintext attacks. A chosen-ciphertert attack is even more powerful. In a chosen-ciphertext attack, the adversary has the ability not only to obtain encryptions of messages of its choice (as in a chosen- plaintext attack), but also to obtain the decryption of ciphertexts of its choice with one exception discussed later). Formally, we give the adversary access to a decryption oracle in addition to an encryption oracle. We present the formal definition and defer further discussion. Consider the following experiment for any private-key encryption scheme 11 = (Gen. Enc. Dec), adversary A. and value n for the security parameter The CCA indistinguishability experiment PrivKan(n): 1. A key k is generated by running Gen (1") 2. Adversary A is given inpu and oracle access to Enck) and Deck(). It outputs a pair of messages mo, m same length. of the 3. A uniform bit b {0,1} is chosen, and then a ciphertext cEnck(mb) is computed and given to A. We call c the challenge ciphertext. 4. The adversary A continues to have oracle access to Enck() and Deck(.), but is not allowed to query the latter on the challenge ciphertert itself. Eventually, A outputs a bit b' 5. The output of the experiment is defined to be 1 ifbb, and 0 otherwise. If the output of the erperiment is 1, we say that A succeeds Use your own words to define CCA-Security and describe why the Cipher Block Chaining mode is not CCA secure. About CCA-Security Until now we have defined security against two types of attacks: passive eavesdropping and chosen-plaintext attacks. A chosen-ciphertert attack is even more powerful. In a chosen-ciphertext attack, the adversary has the ability not only to obtain encryptions of messages of its choice (as in a chosen- plaintext attack), but also to obtain the decryption of ciphertexts of its choice with one exception discussed later). Formally, we give the adversary access to a decryption oracle in addition to an encryption oracle. We present the formal definition and defer further discussion. Consider the following experiment for any private-key encryption scheme 11 = (Gen. Enc. Dec), adversary A. and value n for the security parameter The CCA indistinguishability experiment PrivKan(n): 1. A key k is generated by running Gen (1") 2. Adversary A is given inpu and oracle access to Enck) and Deck(). It outputs a pair of messages mo, m same length. of the 3. A uniform bit b {0,1} is chosen, and then a ciphertext cEnck(mb) is computed and given to A. We call c the challenge ciphertext. 4. The adversary A continues to have oracle access to Enck() and Deck(.), but is not allowed to query the latter on the challenge ciphertert itself. Eventually, A outputs a bit b' 5. The output of the experiment is defined to be 1 ifbb, and 0 otherwise. If the output of the erperiment is 1, we say that A succeeds Use your own words to define CCA-Security and describe why the Cipher Block Chaining mode is not CCA secure