Chosen Ciphertext Attack 1 (CCA1) security, also known as IND-CCA1 or lunchtime attack security, strengthens CPA by giving the adversary access to a decryption oracle before seeing the challenge ciphertext.
The adversary can submit arbitrary ciphertexts for decryption during a learning phase, but once the challenge is issued, the decryption oracle is revoked.
The name “lunchtime attack” comes from the scenario where an attacker has temporary physical access to a decryption device - for example, while its owner is away - and can decrypt ciphertexts of their choosing, but must later break a target ciphertext without further access.
In the FHE setting, CCA1 has gained renewed interest because it is the strongest classical security notion that remains compatible with homomorphic evaluation.
Since homomorphic operations necessarily produce new ciphertexts related to existing ones, CCA2 security (which allows post-challenge decryption queries) is incompatible with homomorphic properties.
More recently, FHE-specific notions such as vCCA and vCCAD have been shown to be strictly stronger than CCA1 while remaining FHE-compatible.
Formal Definition
The IND-CCA1 security game proceeds as follows:
The challenger generates a key pair and gives to .
Phase 1 (pre-challenge): has access to a decryption oracle and may submit arbitrary ciphertexts for decryption.
outputs two equal-length messages .
The challenger samples , computes , and sends to .
Phase 2 (post-challenge): no longer has access to the decryption oracle.
outputs a guess .
The advantage is defined as:
The scheme is IND-CCA1 secure if this advantage is negligible for all PPT adversaries.
Attacks & Relevance
CCA1 security protects against adversaries who can temporarily exploit decryption capabilities to learn structural information about the scheme before attempting to break a target ciphertext.
This covers scenarios such as an attacker with temporary access to a decryption key or device, an insider who loses access privileges before the sensitive message is transmitted, or an adversary who can exploit decryption-related side channels during a setup phase.
In the FHE context, CCA1 is a natural security target for schemes deployed in settings where the adversary may have had prior access to decryption capabilities, as it is the strongest classical indistinguishability-based notion compatible with homomorphic evaluation.
Achieving This Notion
Constructing CCA1-secure FHE is non-trivial. Generic transformations from CPA to CCA1 for standard encryption (e.g., using non-interactive zero-knowledge proofs in the Naor-Yung double encryption paradigm) are known, but adapting these to preserve homomorphic properties requires care, as known FHE schemes are usually not perfectly correct.
Recent constructions use lattice trapdoors in an attempt to achieve CCA1-secure leveled homomorphic encryption, GG-GSW being one example.
Adaptive Chosen Ciphertext Decryption/Verification Attack (CCA1.5) security, introduced by Das, Dutta, and Adhikari at ProvSec 2013, is an indistinguishability notion that interpolates between CCA1 and CCA2 by giving the adversary a full decryption oracle during the first (pre-challenge) query phase and a weaker ciphertext verification oracle during the second (post-challenge) query phase. The verification oracle answers whether a queried ciphertext is valid - i.e. decrypts to a non- plaintext - without returning the plaintext itself.
The motivation is that this two-phase model more faithfully reflects many practical adversaries. After a temporary “lunchtime” window of full decryption access (as in CCA1), an attacker often retains only indirect feedback from a remote decryption device - for example, the network-level accept/reject signal exploited by Bleichenbacher’s attack on RSA-PKCS#1 and by the Hall-Goldberg-Schneier “reaction attack” on the McEliece and Ajtai-Dwork cryptosystems. CCA1.5 captures exactly this setting: an adversary who once had full decryption access and now can only probe whether ciphertexts are “legal”.
Das et al. showed that CCA1.5 sits strictly between CCA1 and CCA2 in the indistinguishability hierarchy, i.e. , and that it is strictly stronger than the CCVA notions of Pandey, Sarkar, and Jhanwar, i.e. . The main technical contribution of the paper is to complete the “implication versus separation” picture among CPA, CCA1, CCA2, CCVA1, CCVA2, RCCA, and the new CCA1.5 notion, resolving several previously open implications as strict separations.
Formal Definition
The IND-CCA1.5 game is defined for a public-key encryption scheme in which returns on any ciphertext outside . It proceeds as follows:
Setup. The challenger generates and gives to .
Phase 1 (pre-challenge): has access to a full decryption oracle and may submit arbitrary ciphertexts for decryption.
Challenge: outputs two equal-length messages . The challenger samples , computes , and sends to .
Phase 2 (post-challenge): has access to a ciphertext verification oracle which, on input , responds
The explicit "" bypass forces the oracle to answer “valid” on the challenge ciphertext itself, independently of what actually returns. This matters as soon as perfect correctness is not available (see the remark below).
Guess: outputs a guess .
The advantage is defined as:
The scheme is IND-CCA1.5 secure if this advantage is negligible for all PPT adversaries.
Compared to CCA2, Phase 2 is weakened from a full decryption oracle to a single-bit validity indicator. Compared to CCA1, Phase 2 is strengthened from no oracle at all to that validity indicator. Compared to CCVA2, Phase 1 is strengthened from a verification oracle to a full decryption oracle. This is exactly the setting in which an attacker first has privileged access to a decryption box and then only retains a “judge” or “reaction” signal from a remote server.
Remark (on the challenge-ciphertext bypass). Not all papers that consider CCA1.5 consistently include the “ valid” test in the verification oracle. Das et al. (ProvSec 2013) and Manulis and Nguyen (Eurocrypt 2024) omit it, implicitly relying on the perfect correctness assumption , under which the bypass is redundant. Renard (PhD thesis, 2025) (Remark 4.1) points out that without the bypass and when correctness only holds with overwhelming-but-not-absolute probability, it is easy to build a scheme that is IND-CCA2 secure but not IND-CCA1.5 secure - which is incompatible with the spirit of CCA1.5 as a strict relaxation of CCA2. We follow Renard’s formulation above and include the bypass explicitly.
Attacks & Relevance
The CCA1.5 model is motivated by network-style adversaries: a protocol that returns distinct error codes (or exhibits timing differences) when a malformed ciphertext is submitted leaks exactly one bit per query - the validity bit captured by . Historic examples include Bleichenbacher’s attack on RSA-PKCS#1 (CRYPTO 1998), the Hall-Goldberg-Schneier reaction attacks on the McEliece and Ajtai-Dwork cryptosystems (ICICS 1999), and the Joye-Quisquater-Yung attack on EPOC (CT-RSA 2001). In all of these, the adversary does not recover plaintexts directly from a queried ciphertext; instead it adaptively probes a validity check. CCA1.5 formalises security against precisely this class of remote adversaries in the regime where they have also had prior lunchtime-level decryption access.
Beyond the motivating model, Das et al. complete the relationship map among the existing indistinguishability notions by proving the following strict separations (in addition to the trivial implications):
(Theorem 1), from which and follow as corollaries.
(Theorem 2), closing a question that had been open since Krohn’s thesis for the class of schemes in which returns on every invalid ciphertext.
and (Corollaries 3 and 4).
(Theorem 3): even the conjunction of a pre-challenge decryption oracle and a both-phase verification oracle does not suffice, ruling out a naive decomposition of the notion into its two individual oracles.
(Theorem 5), instantiated by the Cramer-Shoup Lite scheme under the DDH assumption.
They also show the upward direction (Lemma 1), which transitively gives as well.
Achieving This Notion
The main constructive result of the paper is that CCA1.5 is achievable by group homomorphic cryptosystems. Starting from the generic group-homomorphic framework of Armknecht, Katzenbeisser, and Peter (DCC 2012) - which gives CCA1-secure instantiations of Paillier and GBD under the Splitting Oracle-Assisted Subgroup Membership (SOAP) assumption - Das et al. show that a slight modification (essentially prepending a one-bit tag marking the ciphertext as “honestly generated”) turns any such IND-CCA1-secure group homomorphic scheme into an IND-CCA1.5-secure one while remaining group homomorphic. At the time of publication this was the strongest security level known to be achievable by any group homomorphic cryptosystem, the previous best being CCA1.
Beyond the homomorphic setting, they also prove that Cramer-Shoup Lite (already known to be IND-CCA1 and IND-CCVA2 secure) is additionally IND-CCA1.5 secure under DDH, and give a non-homomorphic variant of Cramer-Shoup Lite to show that the class of IND-CCA1.5-secure schemes is not limited to (group) homomorphic constructions.
In the FHE setting, CCA1.5 is achievable via vCCA. Naively, an unfiltered verification oracle would indeed be dangerous for a homomorphic scheme: given , an adversary could evaluate and ask whether is valid, potentially distinguishing from via plaintext-dependent decryption failures. However, this attack is ruled out as soon as the scheme is IND-vCCA secure in the correct regime. The reduction exploits the fact that vCCA’s witness extractor is a public algorithm (part of the scheme) that the CCA1.5-to-vCCA reducer can run on its own without consulting any oracle: on input , the reducer first runs locally and inspects whether the extracted input ciphertexts contain any challenge ciphertext. If they do, the reducer answers “valid” directly - under correctness, decrypts to the non- value regardless of . If they do not, the reducer forwards to its own vCCA decryption oracle, which will return a plaintext (mapped to “valid”) or (mapped to “invalid”). Hence, under the correctness assumption, , and the SNARK-based FHE constructions of Manulis and Nguyen (Eurocrypt 2024) yield IND-CCA1.5-secure FHE as a direct corollary. In the approximate (general) regime where correctness may fail, the same reasoning goes through with the stronger vCCAD notion in place of vCCA.
A note on formulations. The formal definition above is the classical, single-argument verification oracle of Das et al. In the FHE context, Walter (ePrint 2024/1207) uses a slightly different Definition 8 in which the validation oracle takes and answers whether the extended decryption returns . The two are semantically equivalent for standard FHE under correctness (the extended oracle simply threads the computation description through to ), but they differ in presentation and in what an adversary must supply with each query.
Chosen Ciphertext Attack 2 (CCA2) security, also known as IND-CCA2 or adaptive chosen ciphertext security, is the strongest standard indistinguishability-based security notion for encryption.
It extends CCA1 by allowing the adversary to continue querying the decryption oracle even after receiving the challenge ciphertext, with the sole restriction that it may not submit the challenge ciphertext itself for decryption.
CCA2 sits at the top of the classical hierarchy of indistinguishability notions: IND-CPA IND-CCA1 IND-CCA2, where both implications are strict [BDJR97, BDPR98].
CCA2 captures a very powerful adversary model: one who can adaptively craft decryption queries based on the challenge ciphertext, attempting to extract information through related ciphertexts.
This notion is considered the gold standard for general-purpose public-key encryption, although it is sometimes criticized for being too strong.
As with CPA, the single-challenge and multiple-challenge variants of CCA2 are equivalent [BDPR98].
In the FHE context, CCA2 is incompatible with homomorphic evaluation. Given a challenge ciphertext encrypting , an adversary can homomorphically compute, say, for a known function , then query the decryption oracle on to recover , which trivially distinguishes from if .
Formal Definition
The IND-CCA2 security game proceeds as follows:
The challenger generates a key pair and gives to .
Phase 1 (pre-challenge): has access to a decryption oracle and may submit arbitrary ciphertexts for decryption.
outputs two equal-length messages .
The challenger samples , computes , and sends to .
Phase 2 (post-challenge): retains access to the decryption oracle, but may not query it on .
outputs a guess .
The advantage is defined as:
The scheme is IND-CCA2 secure if this advantage is negligible for all PPT adversaries.
Attacks & Relevance
CCA2 security prevents an adversary from exploiting the malleability of ciphertexts.
Classic attacks thwarted by CCA2 include Bleichenbacher’s attack on RSA PKCS#1 v1.5, where an adversary multiplies a target ciphertext by known values and uses a decryption oracle (via error messages) to gradually recover the plaintext, as well as padding oracle attacks more generally.
For standard (non-homomorphic) encryption, CCA2 is the expected security level in practice.
It is required for secure key transport, hybrid encryption, and any setting where ciphertexts travel over channels controlled by an adversary.
For FHE, this fundamental incompatibility has driven research into relaxed CCA-type notions that accommodate homomorphic evaluation (such as CCA1, funcCPA, CPAD, or vCCA).
Achieving This Notion
For standard public-key encryption, CCA2 security is achieved through several well-known paradigms: the Cramer and Shoup (CRYPTO 1998) scheme (the first practical CCA2-secure scheme without random oracles), the Fujisaki and Okamoto (PKC 1999) transform (in the random oracle model, widely used in post-quantum KEMs such as those in the NIST standards), and OAEP for RSA-based encryption. In the lattice setting, CCA2-secure (non-homomorphic) encryption can be built from LWE using standard transformations.
Non-Adaptive Chosen Ciphertext Verification Attack (CCVA1) security, also known as IND-CCVA1, augments IND-CPA by granting the adversary access to a ciphertext verification oracle during the pre-challenge query phase only. On input , the verification oracle replies “valid” if decrypts to a message in and “invalid” if it decrypts to , but never reveals the underlying plaintext.
Historically, CCVA was first formalised by Krohn in a 1999 Harvard undergraduate thesis under the name illegal ciphertext attack (IND-ICA), motivated by practical attacks that extract information from a single validity bit - notably Bleichenbacher’s attack on RSA-PKCS#1 (CRYPTO 1998) and the Hall-Goldberg-Schneier “reaction attack” on the McEliece and Ajtai-Dwork cryptosystems (ICICS 1999). Pandey, Sarkar, and Jhanwar (SPACE 2012) later re-introduced the notion under the name CCVA, although they only formalised the adaptive variant. The non-adaptive case - our CCVA1 - was revisited together with its adaptive counterpart by Das, Dutta, and Adhikari (ProvSec 2013), who completed the implication and separation picture among the CPA, CCA, and CCVA notions.
CCVA1 is a natural weakening of CCA1: where the CCA1 adversary has a full decryption oracle before seeing the challenge, the CCVA1 adversary only learns a single validity bit per query. Trivially , and Das et al. proved both implications strict for the class of encryption schemes in which returns on every invalid ciphertext: (Corollary 1) and (Theorem 2).
Formal Definition
The IND-CCVA1 game is defined for a public-key encryption scheme in which returns on any ciphertext outside :
Setup. The challenger generates and gives to .
Phase 1 (pre-challenge): has access to a ciphertext verification oracle defined by
Challenge: outputs two equal-length messages . The challenger samples , computes , and sends to .
Phase 2 (post-challenge): has no oracle access.
Guess: outputs a guess .
The advantage is defined as:
The scheme is IND-CCVA1 secure if this advantage is negligible for all PPT adversaries.
The formulation is only meaningful when , i.e. when the ciphertext space is strictly larger than the image of encryption. For full-domain schemes such as plain ElGamal or Paillier, every element of is a legitimate encryption of some message, the verification oracle is the constant “valid” function, and IND-CPA, IND-CCVA1, and IND-CCVA2 all collapse to the same notion [Das et al., Remark 2].
Attacks & Relevance
CCVA1 captures adversaries who, prior to seeing the challenge, can probe a system that distinguishes malformed from well-formed ciphertexts - typically via distinct error codes, timing differences, or protocol-level accept/reject signals - but who lose that access once the target is issued. It is the weakest formal notion that still rules out “reaction” and “judge-oracle” attacks of the Bleichenbacher or Hall-Goldberg-Schneier flavour in a lunchtime-style model.
In the broader CCA/CCVA hierarchy, CCVA1 plays the role of a lower anchor: it is strictly stronger than CPA (when invalid ciphertexts exist), strictly weaker than both CCA1 and CCVA2, and is implied by every stronger notion in the taxonomy (CCA1, CCA1.5, CCA2, vCCA, vCCAD). Its main theoretical interest is as the target of the separation , which closes a question that had remained open since Krohn’s original treatment for the class of schemes in which returns on every invalid ciphertext.
Achieving This Notion
CCVA1 security follows immediately from any IND-CCA1-secure scheme: the decryption oracle can always simulate the verification oracle by checking whether its output equals . It is also implied by any IND-CCVA2-secure scheme (by restricting to pre-challenge queries), and hence by every notion stronger than CCVA2 in the hierarchy.
For full-domain schemes such as plain ElGamal or Paillier, CCVA1 coincides with CPA and is achieved for free. For FHE schemes, where is typically a strict subset of , CCVA1 is a genuinely stronger requirement than CPA, although it remains compatible with homomorphic evaluation: since the CCVA1 adversary has no access to any oracle after the challenge is issued, it cannot use homomorphic evaluation of to mount the noise-based distinguishing attacks that break CCVA2 or CCA2 in the FHE setting.
Further Reading
The CCVA notion was first formalised by Krohn in a 1999 Harvard undergraduate thesis as illegal ciphertext attack (IND-ICA). It was later re-introduced by Pandey, Sarkar, and Jhanwar (SPACE 2012) under the name CCVA, although they only considered the adaptive variant. The non-adaptive variant CCVA1 is revisited alongside CCVA2 in Das, Dutta, and Adhikari (ProvSec 2013), which completes the implication/separation picture among CPA, CCA1, CCA2, CCVA1, and CCVA2, and introduces the intermediate CCA1.5 notion between CCA1 and CCA2. CCVA-style attacks in the symmetric-key setting are discussed by Hu, Sun, and Jiang (Science China 2009).
Adaptive Chosen Ciphertext Verification Attack (CCVA2) security, also known as IND-CCVA2 or simply IND-CCVA, augments IND-CPA by granting the adversary access to a ciphertext verification oracle during both the pre-challenge and post-challenge query phases. On input , the verification oracle replies “valid” if decrypts to a message in and “invalid” if it decrypts to ; it never returns the plaintext itself. As on the CCA1.5 page, we explicitly stipulate that the challenge ciphertext may also be queried and is answered with “valid”.
Historically, the notion was first formalised by Krohn in a 1999 Harvard undergraduate thesis as illegal ciphertext attack (IND-ICA), motivated by practical attacks that leak a single validity bit per query - Bleichenbacher’s attack on RSA-PKCS#1 (CRYPTO 1998), the Hall-Goldberg-Schneier “reaction attack” on the McEliece and Ajtai-Dwork cryptosystems (ICICS 1999), and the Joye-Quisquater-Yung attack on EPOC (CT-RSA 2001). Pandey, Sarkar, and Jhanwar (SPACE 2012) subsequently re-introduced the notion under the name CCVA and focused exclusively on the adaptive case; what they call CCVA corresponds to CCVA2 here. The full implication and separation picture relating CCVA2 to the other CCA-style notions was later established by Das, Dutta, and Adhikari (ProvSec 2013).
CCVA2 sits strictly between CCVA1 and CCA2 in the indistinguishability hierarchy: the trivial chain holds by weakening each oracle in turn. CCVA2 is also not implied by CCA1 as a trivial weakening: Das et al. proved the one explicit separation (Theorem 1) - Construction I of their paper is an explicit scheme that is IND-CCVA2 but not IND-CCA1 - and the trivial chain of implications from CCA1 only gives , not . Das et al. further strengthen the separation in the other direction by showing (Theorem 3): even the conjunction of a pre-challenge decryption oracle and a both-phase verification oracle is not enough to reach the intermediate CCA1.5 notion. A full strict separation between CCA1 and CCVA2 is, to our knowledge, not stated explicitly in the paper.
Formal Definition
The IND-CCVA2 game is defined for a public-key encryption scheme in which returns on any ciphertext outside :
Setup. The challenger generates and gives to .
Phase 1 (pre-challenge): has access to a ciphertext verification oracle defined by
Challenge: outputs two equal-length messages . The challenger samples , computes , and sends to .
Phase 2 (post-challenge): retains access to and may query arbitrary ciphertexts, including the challenge ciphertext itself (which is answered with “valid” by explicit convention).
Guess: outputs a guess .
The advantage is defined as:
The scheme is IND-CCVA2 secure if this advantage is negligible for all PPT adversaries.
As with CCVA1, the notion is only meaningful when . For full-domain schemes such as plain ElGamal or Paillier, every element of is a valid encryption, the verification oracle is the constant “valid” function, and IND-CPA, IND-CCVA1, and IND-CCVA2 all coincide [Das et al., Remark 2].
Attacks & Relevance
The CCVA2 adversary is the classical reaction or judge-oracle attacker: someone who submits ciphertexts to a remote decryption endpoint and observes only accept/reject feedback, adaptively both before and after seeing the target. This is the natural abstraction of Bleichenbacher’s attack, the Hall-Goldberg-Schneier reaction attacks, and the Joye-Quisquater-Yung attack on EPOC, all of which succeed with only a one-bit validity signal.
In contrast to CCA2, which requires resistance against a full post-challenge decryption oracle, CCVA2 only demands resistance to a post-challenge validity check. This weaker requirement makes CCVA2 a useful stepping stone in the hierarchy: many schemes that fail CCA2 still satisfy CCVA2 (e.g. the Cramer-Shoup Lite scheme under DDH), and schemes whose ciphertext space already coincides with satisfy CCVA2 as soon as they are CPA-secure.
The non-trivial relationship with CCA1 is the most subtle feature of CCVA2 and is what motivates the CCA1.5 notion proposed by Das et al.: CCVA2 does not imply CCA1 (Theorem 1), no trivial implication goes from CCA1 to CCVA2, and even the conjunction of CCA1 and CCVA2 falls short of CCA1.5 (Theorem 3).
Achieving This Notion
CCVA2 security is trivially implied by CCA2 (a decryption oracle subsumes a verification oracle in both phases) and by CCA1.5 (whose Phase 1 decryption oracle is strictly stronger than the CCVA2 Phase 1 verification oracle, and whose Phase 2 verification oracle coincides with that of CCVA2). It is therefore also implied by every notion stronger than CCA1.5 in the taxonomy, including vCCA and vCCAD.
For full-domain schemes () such as plain ElGamal or Paillier, CCVA2 collapses to CPA and is achieved as soon as IND-CPA holds. Beyond full-domain schemes, the Cramer-Shoup Lite scheme is known to be IND-CCVA2 secure under the DDH assumption, and is used by Das et al. as a witness for : Cramer-Shoup Lite is simultaneously IND-CCA1, IND-CCVA2, and IND-CCA1.5, but not IND-CCA2.
In the FHE setting, a naive CCVA2 oracle would be dangerous: given a challenge ciphertext , an adversary could homomorphically evaluate a function to obtain whose validity depends on the underlying plaintext - for example via noise growth that triggers a decryption failure on one of the two challenge plaintexts but not on the other - and try to recover the challenge bit from the validity answer. Under the standard correctness assumption, however, is always non-, so such an attack does not go through on a correctly-evaluated, noise-bounded scheme. In practice CCVA2 is therefore achievable for FHE via the same route as CCA1.5: any IND-vCCA-secure scheme is IND-CCVA2-secure under correctness, because CCA1.5 CCVA2 trivially and vCCA CCA1.5 (Manulis–Nguyen). CCA2 remains out of reach for homomorphic schemes - it is the decryption oracle, not the verification oracle, that is incompatible with homomorphic evaluation.
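To make the oracle-access patterns of the CCA1, CCA1.5, CCA2, CCVA1 and CCVA2 games above concrete, and to show the point of this paragraph and of the CCA2 section (a post-challenge decryption oracle breaks any homomorphic scheme, while a post-challenge validity bit does not under correctness), here is an added Python model; it is not code from Das et al. or any other cited paper. The scheme, the notion table and the adversary are constructed toys: the scheme is noiseless and linear in the key (insecure, illustration only), and the adversary is the f(x) = x + 5 instance of the argument in the CCA2 section.

```python
import secrets

Q = 2**16           # message space Z_Q
DELTA = 2**40       # plaintext scaling factor
P = Q * DELTA       # ciphertext modulus; a multiple of DELTA, so additions stay correct
BOT = None          # the bottom symbol returned on invalid ciphertexts

def keygen():
    return secrets.randbelow(P)                       # toy secret key (constructed, insecure)

def encrypt(sk, m):
    r = secrets.randbelow(P)
    return (r, (r * sk + (m % Q) * DELTA) % P)        # c = (r, r*sk + m*DELTA)

def decrypt(sk, c):
    """Message in Z_Q, or BOT for anything outside the image of Enc/Eval."""
    if not (isinstance(c, tuple) and len(c) == 2
            and all(isinstance(x, int) and 0 <= x < P for x in c)):
        return BOT
    v = (c[1] - c[0] * sk) % P
    return v // DELTA if v % DELTA == 0 else BOT      # a random pair is invalid w.p. 1 - 1/DELTA

def add(c1, c2):
    """Homomorphic addition: Dec(add(Enc(m1), Enc(m2))) == (m1 + m2) mod Q."""
    return ((c1[0] + c2[0]) % P, (c1[1] + c2[1]) % P)

# Oracle offered in (Phase 1, Phase 2): "dec" = decryption, "ver" = validity bit, None = nothing.
NOTIONS = {
    "CPA":    (None,  None),
    "CCVA1":  ("ver", None),
    "CCVA2":  ("ver", "ver"),
    "CCA1":   ("dec", None),
    "CCA1.5": ("dec", "ver"),
    "CCA2":   ("dec", "dec"),
}

class OracleUnavailable(Exception): pass

class Challenger:
    def __init__(self, notion):
        self.phase1, self.phase2 = NOTIONS[notion]
        self.sk = keygen()
        self.challenge = None          # c*; stays None during Phase 1
        self.b = None

    def _oracle(self):
        return self.phase1 if self.challenge is None else self.phase2

    def enc(self, m):                  # CPA capability, available in every notion
        return encrypt(self.sk, m)

    def dec(self, c):
        if self._oracle() != "dec":
            raise OracleUnavailable("no decryption oracle in this phase")
        if c == self.challenge:        # CCA2 rule: c* itself may not be decrypted
            raise OracleUnavailable("decryption of c* is forbidden")
        return decrypt(self.sk, c)

    def ver(self, c):
        """Validity bit; a decryption oracle subsumes it, so any non-None oracle answers."""
        if self._oracle() is None:
            raise OracleUnavailable("no verification oracle in this phase")
        if c == self.challenge:        # explicit bypass: c* is answered 'valid'
            return True
        return decrypt(self.sk, c) is not BOT

    def issue_challenge(self, m0, m1):
        self.b = secrets.randbits(1)
        self.challenge = self.enc((m0, m1)[self.b])
        return self.challenge

def homomorphic_adversary(ch):
    """The CCA2-versus-FHE argument of the text with f(x) = x + 5: evaluate f on c*
    and ask the Phase-2 oracle about the result. Returns the adversary's guess of b."""
    c_star = ch.issue_challenge(0, 1)
    c_prime = add(c_star, ch.enc(5))   # c' != c*, so the CCA2 oracle does not refuse it
    try:
        return ch.dec(c_prime) - 5     # CCA2: m_b recovered exactly
    except OracleUnavailable:
        pass
    try:
        ch.ver(c_prime)                # CCA1.5 / CCVA2: always True under correctness, no information
    except OracleUnavailable:
        pass                           # CPA / CCVA1 / CCA1: nothing left to query
    return secrets.randbits(1)         # reduced to guessing

def attack_success_rate(notion, trials=200):
    wins = 0
    for _ in range(trials):
        ch = Challenger(notion)
        wins += homomorphic_adversary(ch) == ch.b
    return wins / trials               # 1.0 for CCA2, about 0.5 for every other notion

def phase2_answers(notion, kind):
    """Does the Phase-2 oracle `kind` ('dec' or 'ver') answer on a fresh ciphertext?"""
    ch = Challenger(notion)
    ch.issue_challenge(0, 1)
    try:
        getattr(ch, kind)(ch.enc(3))
        return True
    except OracleUnavailable:
        return False
```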
Further Reading
The CCVA notion was first formalised by Krohn in a 1999 Harvard undergraduate thesis as illegal ciphertext attack (IND-ICA). It was later re-introduced and named CCVA by Pandey, Sarkar, and Jhanwar (SPACE 2012), who considered only the adaptive case. Das, Dutta, and Adhikari (ProvSec 2013) completed the implication/separation picture among CPA, CCA1, CCA2, CCVA1, and CCVA2, proved the key separations and , and introduced the intermediate CCA1.5 notion between CCA1 and CCA2. CCVA-style attacks in the symmetric-key setting are discussed by Hu, Sun, and Jiang (Science China 2009).
Chosen Plaintext Attack (CPA) security is the baseline security notion for encryption schemes.
It captures the requirement that an adversary who can choose plaintexts and observe their encryptions should not be able to distinguish which of two chosen messages was encrypted in a challenge ciphertext.
CPA was originally called “polynomial security” by Goldwasser and Micali. It has been shown to be equivalent to semantic security [Goldwasser, Micali (1984); Watanabe, Shikata, Imai (2003)].
The motivation is straightforward: since a public-key adversary can always encrypt messages of their choice, the scheme must remain secure even under this capability.
In the context of FHE, CPA security is the default assumption for most constructions, as homomorphic evaluation does not inherently require stronger guarantees.
A classical result from Bellare, Desai, Jokipii, and Rogaway (FOCS 1997) establishes that the single-challenge (Find-Then-Guess) and multiple-challenge (Left-or-Right) variants of IND-CPA are equivalent.
Formal Definition
The IND-CPA security game proceeds as follows:
The challenger generates a key pair and gives to the adversary .
may encrypt any message of its choice using . In the public-key setting, the adversary implicitly has access to an encryption oracle since it holds . In the private-key setting, an explicit encryption oracle is provided.
outputs two equal-length messages .
The challenger samples a bit , computes , and sends to .
outputs a guess .
The advantage is defined as:
The scheme is IND-CPA secure if this advantage is negligible for all PPT adversaries.
Attacks & Relevance
CPA security prevents any passive eavesdropper from extracting information about the plaintext from the ciphertext.
It rules out deterministic encryption and any scheme where the ciphertext leaks partial information about the message.
Most lattice-based FHE schemes (BGV, BFV, CKKS, TFHE) are proven secure under IND-CPA, relying on the hardness of (Ring-)LWE or related problems.
However, CPA alone does not protect against active adversaries who may tamper with ciphertexts.
Since homomorphic evaluation inherently modifies ciphertexts, CPA security says nothing about the integrity or correctness of computed results.
Achieving This Notion
CPA security is achieved by essentially all modern public-key encryption schemes.
For FHE specifically, the standard constructions based on LWE or RLWE assumptions all satisfy IND-CPA.
Further Reading
The equivalence between semantic security and indistinguishability was established by Goldwasser and Micali (1984).
For a textbook treatment of CPA and its place in the hierarchy of security notions, see Katz and Lindell, Introduction to Modern Cryptography.
In the FHE setting, Gentry (2009) established CPA as the baseline security target, a convention that has persisted throughout subsequent generations of FHE schemes.
Chosen Plaintext Attack with Decryption (CPAD) security is a seemingly mild extension of CPA security introduced for the setting of approximate Fully Homomorphic Encryption.
In the CPAD game, the adversary is granted access to a highly constrained decryption oracle that accepts only legitimate ciphertexts - those produced by the encryption oracle or derived from legitimate ciphertexts through genuine homomorphic operations.
The adversary also controls which homomorphic evaluations are performed.
The initial intuition is that CPAD should be equivalent to CPA: since the adversary knows the plaintext inputs of every homomorphic computation, it should be able to predict every output of this decryption oracle on its own.
However, this reasoning implicitly relies on the correctness of the FHE scheme.
For approximate schemes such as CKKS, decryption returns values that differ slightly from the exact plaintext, and these small differences leak information about the LWE noise embedded in ciphertexts.
Li and Micciancio demonstrated that this leakage is sufficient to practically recover the secret key, showing that CPAD security is strictly stronger than CPA security for approximate FHE.
While initially only targeting CKKS, CPAD attacks have been extended to all LWE/RLWE-based FHE schemes.
Formal Definition
The CPAD security game is a multi-challenge Left-or-Right game.
Given a homomorphic encryption scheme , the game is parameterized by a hidden bit and maintains an initially empty state of message-message-ciphertext triplets:
Key generation. Run and give to .
Encryption request. On query , compute , return to , and set .
Challenge request. On query with , compute , return to , and set .
Evaluation request. On query with indices into , compute , , and . Return to and set .
Decryption request. On query with an index into : if , return . Otherwise return .
Guessing stage. outputs a guess . It wins if .
The scheme is CPAD-secure if the advantage is negligible for all PPT adversaries.
The key subtlety is that the decryption oracle returns rather than .
For correct FHE these coincide, making the oracle useless and CPAD equivalent to CPA.
For approximate FHE, can differ from the exact target value with non-negligible probability, so the oracle may leak information the adversary cannot compute on its own.
Attacks & Relevance
The original attack by Li and Micciancio targeted CKKS: by obtaining decryptions of legitimately computed ciphertexts, an adversary can reconstruct the secret key from the noise patterns.
More recently, Checri, Sirdey, Boudguiga, and Bultel (CRYPTO 2024) as well as Cheon, Choe, Passelègue, Stehlé, and Suvanto (CCS 2024) demonstrated that schemes previously believed immune to CPAD attacks - including the “exact” schemes BFV, BGV, and TFHE - are also CPAD-insecure as soon as decryption errors can occur with non-negligible probability.
This considerably broadened the scope of CPAD as a relevant security notion beyond the approximate FHE setting.
CPAD security is relevant in any FHE deployment where the adversary can observe decrypted results of homomorphic computations it influences.
This covers many practical scenarios: a client outsourcing computation to a server sees the decrypted output, and if it can choose or influence the inputs and the function being evaluated, it is effectively a CPAD adversary.
Achieving This Notion
For CKKS, Li, Micciancio, Schultz, and Sorrell (CRYPTO 2022) proposed achieving CPAD security by applying noise flooding during decryption - adding sufficiently large random noise to the decrypted value to mask the LWE error.
This transforms decryption into a probabilistic algorithm and ensures the decryption oracle output does not leak exploitable information about the noise.
For exact schemes where decryption errors occur, parameter choices must be carefully made so that the error probability is negligible, effectively restoring the correctness assumption that makes CPAD collapse to CPA.
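The leak described under the CPAD oracle subtlety above, and the noise-flooding fix just described, as an added example that is not code from this page or from the cited papers: a toy non-ring LWE scheme whose "approximate" decryption returns m + e (the noise is exposed, as in CKKS), a CPAD adversary that turns each decryption-oracle answer on a legitimately produced (m, m) ciphertext into one linear equation in the secret key and solves the system, and the same adversary run against a flooded decryptor. All parameters (Q, N, the noise bound, the flooding bound) are toy values chosen for illustration and are far too small to be secure; the oracle here takes the ciphertext directly instead of a state index, and exact (rounded) decryption, for which the oracle returns m and leaks nothing, is not modelled.

```python
"""Toy LWE demonstration of the CPAD leak and of noise flooding (added example,
not code from the page or from the cited papers; all parameters are toy values)."""
import random

Q = 40961          # prime modulus (toy, far too small to be secure)
N = 8              # LWE dimension (toy)
E_BOUND = 2        # fresh noise e is uniform in [-E_BOUND, E_BOUND]


def centred(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def dot(a, s):
    return sum(ai * si for ai, si in zip(a, s))


class ToyLWE:
    """b = <a, s> + m + e (mod Q); m is already scaled, as a CKKS plaintext would be."""

    def __init__(self, rng):
        self.rng = rng
        self.s = [rng.randint(-1, 1) for _ in range(N)]   # ternary secret key

    def encrypt(self, m):
        a = [self.rng.randrange(Q) for _ in range(N)]
        e = self.rng.randint(-E_BOUND, E_BOUND)
        return a, (dot(a, self.s) + m + e) % Q

    def decrypt_approx(self, ct):
        """Approximate decryption: returns m + e, so the noise term is exposed."""
        a, b = ct
        return centred(b - dot(a, self.s))

    def decrypt_flooded(self, ct, flood_bound):
        """Noise flooding: add fresh noise much larger than e before returning."""
        return centred(self.decrypt_approx(ct) + self.rng.randint(-flood_bound, flood_bound))


def solve_mod_q(rows, rhs):
    """Gaussian elimination over Z_Q for A s = rhs (len(rows) >= N); None if rank < N."""
    M = [list(r) + [y] for r, y in zip(rows, rhs)]
    pivot = 0
    for col in range(N):
        hit = next((i for i in range(pivot, len(M)) if M[i][col] % Q), None)
        if hit is None:
            return None
        M[pivot], M[hit] = M[hit], M[pivot]
        inv = pow(M[pivot][col], -1, Q)
        M[pivot] = [(v * inv) % Q for v in M[pivot]]
        for i in range(len(M)):
            if i != pivot and M[i][col] % Q:
                f = M[i][col]
                M[i] = [(vi - f * vp) % Q for vi, vp in zip(M[i], M[pivot])]
        pivot += 1
    return [centred(M[i][N]) for i in range(N)]


def cpad_key_recovery(scheme, dec_oracle, rng, samples=2 * N):
    """CPAD adversary: ask for Enc(m) with a known m, query the decryption oracle on
    that (m, m) ciphertext, and turn the answer into a linear equation in s."""
    rows, rhs = [], []
    for _ in range(samples):
        m = rng.randrange(-1000, 1000)     # chosen by the adversary, hence known
        a, b = scheme.encrypt(m)           # encryption oracle, honest randomness
        answer = dec_oracle((a, b))        # decryption oracle (ciphertext passed directly)
        e_hat = answer - m                 # exactly e for approximate decryption
        rows.append(a)
        rhs.append((b - m - e_hat) % Q)    # <a, s> = b - m - e  (mod Q)
    return solve_mod_q(rows, rhs)


def demo(seed=2024):
    """Returns (true key, key recovered via approximate oracle, key recovered via flooded oracle)."""
    rng = random.Random(seed)
    scheme = ToyLWE(rng)
    via_approx = cpad_key_recovery(scheme, scheme.decrypt_approx, rng)
    via_flood = cpad_key_recovery(scheme, lambda ct: scheme.decrypt_flooded(ct, 2 ** 12), rng)
    return scheme.s, via_approx, via_flood


if __name__ == "__main__":
    true_key, via_approx, via_flood = demo()
    print("true key       :", true_key)
    print("approx oracle  :", via_approx)      # equals the true key
    print("flooded oracle :", via_flood)       # a solution of a perturbed system, not the key
```

With the approximate oracle every answer hands the adversary the exact noise term, so 2N oracle calls suffice to solve for s; with flooding the recovered equations are each off by the flooding noise, and the solver returns an unrelated vector. In a real CKKS deployment the flooding noise must be large enough (relative to the actual error) for the flooded distribution to be statistically independent of e, which is what drives the parameter cost mentioned above.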
Further Reading
The CPAD notion was introduced by Li and Micciancio (Eurocrypt 2021).
The paper also left open the question of whether single-challenge and multi-challenge CPAD are equivalent. Brzuska et al. (CIC 2025) settled this by proving that multi-challenge CPAD is strictly stronger than single-challenge CPAD in the general (approximate) regime, i.e., .
They further identified intermediate variants forming the following strict hierarchy in the general (approximate FHE) regime:
where:
restricts the decryption oracle to close after the challenge (analogous to CCA1 vs CCA2).
augments with a verification oracle after the challenge, which reveals whether a ciphertext is valid (decrypts to non-) without revealing the plaintext - analogous to the classical CCA1.5 (CCVA) notion of [Das, Dutta, and Adhikari (ProvSec 2013)].
is the single-challenge variant (one challenge request with ).
is the full multi-challenge (Left-or-Right) variant.
All separations are strict [BCF+25, Propositions 4.1, 4.3–4.7]. A more permissive verification variant (which only refuses the challenge ciphertext itself, not all challenge-related ciphertexts) is also strictly stronger than .
In the correct regime, all variants collapse: (all equivalent to CPA).
Functional CPA (funcCPA) security, introduced by Akavia, Gentry, Halevi, and Vald, extends the standard CPA game with a functional re-encryption oracle that models settings where a server performing FHE computations is allowed to interactively delegate part of the computation back to the client (who holds the secret key).
In the funcCPA game, the adversary can submit a ciphertext and a function to a recryption oracle, which decrypts , applies , and returns a fresh encryption of the result.
The motivation comes from practical FHE deployments where bootstrapping - the most expensive operation - can be replaced by a cheaper interactive protocol: the server sends a masked ciphertext to the client (or a local trusted proxy such as a secure enclave), which decrypts and re-encrypts it, and the server removes the mask homomorphically.
The funcCPA notion captures the security requirement in this setting: even with access to this re-encryption oracle, the adversary should not be able to break indistinguishability.
The key result is that funcCPA is strictly stronger than CPA.
Intuitively, the re-encryption oracle is weaker than a full decryption oracle because it only returns encryptions of function outputs, never raw plaintexts.
Akavia et al. provided construction blueprints to turn CPA-secure FHE schemes into funcCPA-secure ones.
Formal Definition
Given a public-key encryption scheme and a family of functions , the funcCPA game proceeds as follows:
The challenger generates and gives to .
has access to a recryption oracle which, on input with and , returns .
outputs two messages .
The challenger samples , computes , and sends to .
retains access to .
outputs a guess .
The scheme is funcCPA-secure if the advantage is negligible for all PPT adversaries.
A multi-input variant, funcCPA, where the oracle accepts multiple ciphertexts and a multi-variate function, has been shown equivalent to the baseline notion by Shinozaki, Tanaka, Tezuka, and Yoshida (ePrint 2024/1166).
Attacks & Relevance
The canonical deployment scenario is an FHE server that outsources bootstrapping to the client or to a secure enclave. Even though the enclave only sees masked values, the funcCPA model captures the adversary’s ability to adaptively choose which ciphertexts get refreshed and through which functions.
Some CPA-secure schemes become insecure when the adversary gains re-encryption access.
Fontaine, Renard, Sirdey, and Stan (ePrint 2025/2036) further showed that funcCPA-style extensions of CCA1 and vCCA (denoted CCA1R, CCA1M, vCCAR, vCCAM) all collapse back to their base notions.
This means that the gap between CPA and funcCPA does not propagate to stronger notions: once a scheme is CCA1 or vCCA secure, adding recryption or multiplication oracles does not weaken it.
Achieving This Notion
Akavia, Gentry, Halevi, and Vald provided blueprints for constructing funcCPA-secure schemes from CPA-secure FHE.
Any vCCA-secure scheme trivially achieves funcCPA.
For concrete constructions, the “two-ciphertexts” construction based on Paillier, which achieves vCCA under a CPA + Linear-Only Homomorphism assumption, also achieves funcCPA as vCCA implies funcCPA.
Generalized Chosen Ciphertext Attack (gCCA) security, introduced by An, Dodis, and Rabin at Eurocrypt 2002, is a very slight relaxation of CCA2 designed to repair a definitional shortcoming of the standard notion.
The authors observed that the usual CCA2 attack model - in which the adversary is disallowed from submitting only the exact challenge ciphertext to the post-challenge decryption oracle - is not robust to harmless syntactic modifications of a scheme.
For example, taking a CCA2-secure scheme and appending a trailing useless random bit to every ciphertext immediately breaks CCA2-security: the adversary can flip that bit on the challenge to obtain a different ciphertext that still decrypts to , ask the oracle to decrypt it, and win trivially. Intuitively, nothing was broken, yet the definition rules the modified scheme “insecure”.
The fix proposed by An, Dodis, and Rabin is to parameterize the CCA2 game by an efficient decryption-respecting equivalence relation over ciphertexts, and to forbid the adversary from submitting any post-challenge query with (rather than only ). Taking to be equality recovers standard CCA2; taking to identify ciphertexts that differ only in a trailing useless bit fixes the counter-example above. A scheme is gCCA-secure if some such relation exists for which the parameterized game is won only with negligible advantage.
An, Dodis, and Rabin argue that gCCA suffices for all known applications of CCA2-secure encryption while no longer suffering from the definitional fragility of CCA2 under syntactic rewrites. The same notion was proposed independently - under the name benign malleability - by Shoup for the ISO 18033-2 public-key encryption standard.
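The trailing-bit counter-example and the gCCA repair, as an added example that is not code from this page or from An, Dodis, and Rabin: a symmetric encrypt-then-MAC scheme (HMAC-SHA256 as a counter-mode PRF plus an HMAC tag) stands in for the CCA2-secure public-key scheme so that everything runs on the standard library; the game logic is unchanged. One random byte that decryption ignores is appended to every ciphertext, the adversary flips it on the challenge and asks the oracle for the result, and the two rejection rules (exact match for CCA2, R-equivalence for gCCA with R = "equal after dropping the last byte") are compared. The message pair, the choice of byte to flip and the sampled sanity check of the decryption-respecting property are this example's own.

```python
"""The 'useless trailing byte' counter-example to CCA2 and the gCCA repair, runnable.
Added example, not from the page or from An, Dodis and Rabin; symmetric
encrypt-then-MAC stands in for a public-key CCA2 scheme so it needs only the stdlib."""
import hashlib
import hmac
import os

NONCE = 16
TAG = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, key):
    return bytes(x ^ y for x, y in zip(data, key))


class EtM:
    """Encrypt-then-MAC: plays the role of the base CCA2-secure scheme."""

    def __init__(self):
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)

    def encrypt(self, m):
        nonce = os.urandom(NONCE)
        body = _xor(m, _keystream(self.enc_key, nonce, len(m)))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, c):
        if len(c) < NONCE + TAG:
            return None
        nonce, body, tag = c[:NONCE], c[NONCE:-TAG], c[-TAG:]
        expect = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                       # any mauling of nonce/body/tag is rejected
        return _xor(body, _keystream(self.enc_key, nonce, len(body)))


class PaddedEtM(EtM):
    """EtM with one useless random byte appended; decryption ignores that byte."""

    def encrypt(self, m):
        return super().encrypt(m) + os.urandom(1)

    def decrypt(self, c):
        return super().decrypt(c[:-1])


def cca2_rejects(c, c_star):
    """Standard CCA2 rule: only the exact challenge ciphertext is refused."""
    return c == c_star


def equal_ignoring_last_byte(c1, c2):
    """Candidate decryption-respecting relation R for PaddedEtM."""
    return c1[:-1] == c2[:-1]


def gcca_rejects(c, c_star):
    """gCCA rule parameterised by R: refuse every ciphertext R-equivalent to c*."""
    return equal_ignoring_last_byte(c, c_star)


def trailing_byte_attack(scheme, rejects, b):
    """Post-challenge phase for m0=b'left ', m1=b'right' and hidden bit b.
    Returns the adversary's guess, or None when the oracle refuses the query."""
    msgs = (b"left ", b"right")
    c_star = scheme.encrypt(msgs[b])
    mauled = c_star[:-1] + bytes([c_star[-1] ^ 0x01])   # differs from c* only in the useless byte
    if rejects(mauled, c_star):
        return None
    return msgs.index(scheme.decrypt(mauled))            # oracle answered: m_b is revealed


def relation_is_decryption_respecting(scheme, relation, trials=50):
    """Spot-check on samples: R is reflexive and R(c1, c2) implies Dec(c1) == Dec(c2)."""
    for _ in range(trials):
        c = scheme.encrypt(b"probe")
        twin = c[:-1] + os.urandom(1)                    # R-equivalent by construction
        other = scheme.encrypt(b"probe")                 # fresh nonce: not R-equivalent
        for c2 in (c, twin, other):
            if relation(c, c2) and scheme.decrypt(c) != scheme.decrypt(c2):
                return False
        if not relation(c, c):
            return False
    return True
```

Under the CCA2 rule the mauled ciphertext is a different byte string, so the oracle decrypts it and returns m_b; under the gCCA rule the same query is R-equivalent to the challenge and is refused. Note that R must be computable from public information only (here, a byte comparison), and that flipping any byte the MAC covers is still rejected by the underlying scheme, which is why the relation can be this narrow.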
Formal Definition
A binary relation over the ciphertext space is called decryption-respecting if it is reflexive and, for all ciphertexts :
The relation may depend on the public key but must be efficiently computable without knowledge of . The IND-gCCA game for an encryption scheme with respect to proceeds as follows:
The challenger generates and gives to .
Phase 1 (pre-challenge): has access to a decryption oracle and may submit arbitrary ciphertexts for decryption.
outputs two equal-length messages .
The challenger samples , computes , and sends to .
Phase 2 (post-challenge): retains access to the decryption oracle, but any query satisfying is rejected.
outputs a guess .
The advantage is defined as:
The scheme is IND-gCCA-secure if there exists an efficient decryption-respecting relation such that the above advantage is negligible for every PPT adversary . Since reflexivity forces to rule out at least , standard IND-CCA2 is recovered as the special case where is the equality relation, which immediately gives .
An, Dodis, and Rabin also introduce a non-malleability analogue, , obtained by relaxing the standard non-malleability game in the same way (the adversary is not deemed successful if its output ciphertext is -equivalent to the challenge). They show that , mirroring the classical equivalence of Bellare, Desai, Pointcheval, Rogaway (CRYPTO 1998), which justifies using indistinguishability as the primary notion.
Attacks & Relevance
The original motivation for gCCA is definitional, not attack-driven: the aim is to rule out scheme-level syntactic triviality (such as the useless-trailing-bit counter-example) while still preventing every meaningful chosen-ciphertext attack that CCA2 prevents. In particular, classical attacks that CCA2 is designed to thwart - Bleichenbacher-style padding oracles, ciphertext mauling via homomorphic structure, and related-ciphertext attacks - remain blocked under gCCA, since any successful attack on gCCA translates into a meaningful non-equivalent decryption query. An, Dodis, and Rabin use gCCA as the right-level abstraction for proving the security of generic signcryption compositions such as (encrypt-then-sign) and (sign-then-encrypt) in the public-key setting, where CCA2 would have failed the proofs only for the syntactic reasons described above.
In the FHE context, gCCA remains incompatible with homomorphic evaluation for the same reason as CCA2. Given a challenge encrypting , the adversary can homomorphically compute for a function with . Since decrypts to , no decryption-respecting relation can satisfy , so is never rejected by the gCCA oracle and decrypting it trivially reveals . The fundamental tension between adaptive post-challenge decryption access and homomorphic malleability is therefore not resolved by the gCCA relaxation - it is exactly the reason FHE-oriented notions such as vCCA and vCCAD drop the requirement that the filtering relation be decryption-respecting and replace it with a SNARK-based witness extractor over homomorphic derivations.
Achieving This Notion
Any IND-CCA2-secure encryption scheme is immediately IND-gCCA-secure (under the equality relation), so all the classical CCA2 constructions - Cramer-Shoup, Fujisaki-Okamoto, OAEP, and lattice-based KEMs - yield gCCA-secure schemes. The converse does not hold: An, Dodis, and Rabin exhibit gCCA-secure schemes that are not CCA2-secure, precisely the “append a useless bit to a CCA2-secure scheme” family and similar syntactic modifications. They remark, however, that they are not aware of any natural encryption scheme that sits in the gap between gCCA and CCA2 - the separating examples are always obtained by artificially degrading a CCA2-secure scheme.
As a standardized instance, Shoup’s benign malleability variant in ISO 18033-2 uses a concrete efficient relation that identifies ciphertexts differing only in operationally meaningless components, providing a practical gCCA-secure encryption standard without requiring strict CCA2.
Further Reading
The gCCA notion was introduced by An, Dodis, and Rabin (Eurocrypt 2002) as part of their formal study of signcryption, where it was used to prove the security of generic encrypt-then-sign and sign-then-encrypt compositions in the public-key setting (under the original name generalized CCA2, denoted ). The closely related benign malleability formulation was proposed by Shoup for ISO 18033-2. For the classical equivalence between indistinguishability and non-malleability that gCCA preserves (in the form ), see Bellare, Desai, Pointcheval, and Rogaway (CRYPTO 1998). For the FHE-oriented reframing of ciphertext-filtering relaxations, where the decryption-respecting restriction is dropped in favour of a SNARK-based extractor over homomorphic evaluations, see Manulis and Nguyen (Eurocrypt 2024) on vCCA and Brzuska et al. (CIC 2025) on vCCAD.
Properties: filtered adaptive decryption oracle; FHE-compatible; univariate evaluation only.
Homomorphic CCA (HCCA) security, introduced by Prabhakaran and Rosulek, is a security notion for homomorphic schemes that only allow evaluation of univariate (single-ciphertext-input) functions, drawn from a transformation set . Unlike all other notions in this zoo, the challenge in the HCCA game consists of a single plaintext (not a pair), and the adversary distinguishes between a normal encryption of and a “rigged” ciphertext.
The game uses auxiliary procedures - RigEnc, RigExtract, and RigDec - to manage the distinction. A rigged ciphertext looks like a normal encryption but is constructed so that applying a homomorphic transformation to it yields a ciphertext that decrypts normally in the real world () or to in the rigged world (), recovered via RigExtract. The adversary’s task is to determine which world it is in.
A central result of Prabhakaran and Rosulek (Theorem 1 of the paper) is that HCCA generalizes the standard indistinguishability-based CCA notions: when the transformation set is the single identity function, HCCA coincides with IND-CCA2, and more generally HCCA subsumes IND-CCA, gCCA, and RCCA. HCCA is thus not a “weaker” CCA flavor aimed at making homomorphism possible; it is the natural generalization that allows non-trivial while still ruling out all other malleability. For rich , however, HCCA is incomparable to these classical notions, because the classical notions would refuse transformations that HCCA legitimately allows.
HCCA is historically significant as one of the first attempts to define CCA-type security for homomorphic schemes, predating the SNARK-based vCCA approach by over a decade. Section 6 of the paper extends the definitions to binary (two-ciphertext-input) homomorphic operations and proves a negative result (Theorem 5): the natural generalisation of HCCA to binary operations is unachievable for a large class of useful homomorphisms. As a result, the HCCA framework as stated is limited to univariate evaluation, and this restriction is fundamental rather than cosmetic.
Formal Definition
The HCCA game is defined relative to a subset of univariate functions and relies on auxiliary procedures:
: Returns where is a rigged ciphertext indistinguishable from a normal one, and is auxiliary information.
: Determines if was obtained by applying on . Returns if so, otherwise.
: Depends on the challenge bit .
The game proceeds as follows:
The challenger generates and gives to .
Phase 1: has access to a decryption oracle, (which returns rigged ciphertexts), and (which checks if a ciphertext is derived from a rigged one).
outputs a plaintext and state .
Challenge: The challenger samples . If : . If : .
Phase 2: has access to , , and , where:
If : .
If : if , and otherwise.
outputs a guess .
The scheme is HCCA-secure if the advantage is negligible for all PPT adversaries.
Attacks & Relevance
HCCA prevents attacks where the adversary homomorphically transforms the challenge ciphertext and submits the result for decryption. In the rigged world (), such queries return the “expected” value rather than the actual decryption, preventing information leakage through homomorphic manipulation.
The limitation to univariate evaluation means HCCA cannot model modern FHE settings where functions take multiple ciphertext inputs. This restriction is fundamental to the game structure: Theorem 5 of the paper shows that the natural generalization of HCCA to binary homomorphic operations is unachievable for a large class of useful homomorphisms, so the rigged-ciphertext approach does not straightforwardly extend.
Achieving This Notion
Prabhakaran and Rosulek gave an explicit construction of an HCCA-secure scheme under the standard Decisional Diffie-Hellman (DDH) assumption. The construction is a careful generalization of the rerandomizable RCCA-secure scheme of Prabhakaran and Rosulek (TCC 2007) and supports the group operation, as well as several related operations, as its homomorphic feature. Notably, the construction does not require SNARKs or any other non-standard machinery, in contrast to later FHE-oriented notions such as vCCA.
Input-Verifiable CCA (IV-CCA) security, introduced by Yang, Yu, and Susilo, is a CCA security notion that sits strictly between CCA1 and vCCA.
Like vCCA, IV-CCA features a post-challenge decryption oracle that accepts some ciphertexts beyond the CCA1 cutoff.
However, where vCCA relies on a SNARK-based witness extractor to identify challenge-dependent ciphertexts, IV-CCA uses a verification algorithm that is part of the FHE scheme itself: the adversary must supply, alongside the ciphertext to be decrypted, a set of input ciphertexts that “explain” it via a legitimate homomorphic evaluation.
The key distinction from vCCA is that IV-CCA’s verification is explicit and non-compact - the input ciphertexts must be presented to the decryption oracle, making the scheme inherently non-compact.
In exchange, Yang et al. achieved the remarkable result of constructing an IV-CCA-secure FHE scheme in the standard model based solely on the LWE assumption (plus the assumption that perfectly correct FHE can be built from LWE), without requiring SNARKs or any non-falsifiable assumptions.
Formal Definition
An IV-CCA-secure FHE scheme is augmented with a verification algorithm that takes a ciphertext and a tuple of input ciphertexts and checks whether can be explained as a legitimate homomorphic evaluation over those inputs.
The IV-CCA security game proceeds as follows:
The challenger generates and gives to .
Phase 1 (pre-challenge). has access to a decryption oracle .
outputs , receives .
Phase 2 (post-challenge). has access to a decryption oracle that, on input :
Checks that .
Checks that .
If both checks pass, returns ; otherwise returns .
outputs a guess .
The scheme is IV-CCA-secure if the advantage is negligible for all PPT adversaries.
The crucial difference from vCCA is that the adversary must explicitly provide the input ciphertexts - there is no extractor that recovers them automatically.
Attacks & Relevance
IV-CCA prevents the same class of malleability attacks as vCCA: an adversary cannot submit homomorphic transformations of the challenge ciphertext for decryption, because the verification step would require presenting as an input, which is explicitly blocked.
However, IV-CCA provides this protection through a different mechanism - explicit input verification rather than proof-based extraction - which has fundamental implications for achievability.
This makes IV-CCA particularly relevant as a theoretical benchmark: it demonstrates that meaningful beyond-CCA1 security is achievable for FHE without non-falsifiable assumptions, even at the cost of compactness.
Achieving This Notion
Yang, Yu, and Susilo (CRYPTO 2025) gave an explicit construction based on the Naor-Yung paradigm instantiated with LWE-based encryption.
Their construction requires the underlying FHE scheme to satisfy perfect correctness - a strong requirement that they propose to achieve by using truncated discrete Gaussians for the noise distribution to obtain exact norm bounds.
The construction is proven secure in the standard model under the sole LWE assumption, making it the first FHE scheme achieving beyond-CCA1 security without relying on random oracles or non-falsifiable assumptions such as Knowledge-of-Exponent or Linear-Only Homomorphism.
Replayable Chosen Ciphertext Attack (RCCA) security, also known as IND-RCCA, is a strict relaxation of the CCA2 game. Intuitively, while the CCA2 decryption oracle refuses only the challenge ciphertext, the RCCA decryption oracle refuses all ciphertexts that decrypt to one of the plaintext values submitted in the challenge request. In particular, this decryption oracle refuses to decrypt all rerandomizations of the challenge ciphertext in the context of correct schemes.
In the FHE context, RCCA is incompatible with homomorphic evaluation. Indeed, given a challenge ciphertext encrypting , an adversary can homomorphically compute, say, for a known function satisfying , then query the decryption oracle on to recover , which trivially distinguishes from if .
Formal Definition
The IND-RCCA security game proceeds as follows:
The challenger generates a key pair and gives to .
Phase 1 (pre-challenge): has access to a decryption oracle and may submit arbitrary ciphertexts for decryption.
outputs two equal-length messages .
The challenger samples , computes , and sends to .
Phase 2 (post-challenge): retains access to the decryption oracle, but when called on ciphertext , it refuses to answer the request if .
outputs a guess .
The advantage is defined as:
The scheme is IND-RCCA secure if this advantage is negligible for all PPT adversaries.
Attacks & Relevance
RCCA security prevents an adversary from re-randomizing or re-encrypting a challenge ciphertext to circumvent the CCA2 restriction. While the CCA2 oracle only refuses the exact challenge ciphertext , an adversary could re-randomize into a different ciphertext with the same plaintext and submit for decryption. The RCCA oracle blocks this by refusing all ciphertexts that decrypt to or .
RCCA was introduced by Canetti, Krawczyk, and Nielsen as a notion that is strong enough for most practical applications of CCA2 security (key transport, hybrid encryption) while being more permissive toward benign ciphertext transformations such as re-randomization. It is considered by many to be the “right” security notion for encryption in practice.
For FHE, RCCA is incompatible with homomorphic evaluation: given encrypting , the adversary can compute for a function with and , then query the decryption oracle to learn and distinguish.
Achieving This Notion
RCCA security is achieved by any CCA2-secure scheme (the implication CCA2 RCCA is immediate since the CCA2 oracle is strictly more restrictive). Canetti, Krawczyk, and Nielsen also gave direct constructions based on the Cramer-Shoup framework.
For FHE, RCCA is not achievable - the same fundamental incompatibility as CCA2 applies, since the adversary can use homomorphic evaluation to produce ciphertexts with discriminating plaintexts that are not in .
Semi-Active (SA) security, introduced by Walter, is an FHE security notion tailored to deployments in which the client (secret-key holder) keeps full control over which inputs are encrypted and which function the server is asked to evaluate. In such a client-server application, the client already knows the input ciphertexts and the function it wants executed, so it is in a position to check any ciphertext returned by the server against those inputs. SA formalises this “the client has state” setting, and Walter uses it to pin down exactly what extra privacy the client gains by pairing an IND-CPA FHE with a SNARG that proves correct evaluation. Walter’s paper focuses on the symmetric-key case because it simplifies the discussion, but the game itself works identically in the public-key and private-key settings — only whether the evaluation key is revealed to the adversary changes.
Compared to CPAD, the SA decryption oracle accepts externally computed ciphertexts: the adversary submits a ciphertext alongside a function and a list of indices into the encryption state, and the game decrypts provided the claimed computation does not itself reveal the challenge bit. The motivation is that in an FHE+SNARG application, the server returns an arbitrary ciphertext and the SNARG pins down how it was allegedly derived; SA models that pin-down as a constraint checked inside the decryption oracle. Unlike vCCA, no witness extractor is assumed — the adversary itself declares the derivation.
Walter proved that SA sits strictly between IND-CPA and IND-vCCA, and is incomparable with IND-CCA1, IND-CCVA, IND-CCA1.5, and funcCPA. In particular, none of these four notions implies SA and SA implies none of them — SA is a separate axis of strengthening, not a point on the classical CPA, CCA1, CCA2 ladder.
Formal Definition
SA is defined for an FHE scheme whose decryption function is extended to take a ciphertext together with the function and input ciphertexts used to produce it, i.e. . The game is a multiple-challenge game structured like the IND-CPAD game, and it maintains an initially empty state of triples together with a hidden bit :
Key generation. Run and give to . The game works identically in the private-key setting, where is not revealed to .
Encryption request. On query : compute , return to , and set .
Challenge request. On query with : compute , return to , and set .
Decryption request. On query :
If any , return .
Let and .
If , return .
Otherwise return .
Guessing stage. After polynomially many interleaved encryption, challenge, and decryption requests, outputs ; wins if .
The advantage is , and is IND-SA secure if this advantage is negligible for all PPT adversaries.
Two features are worth highlighting. First, the decryption oracle accepts an arbitrary ciphertext — the adversary is not restricted to submitting indices of ciphertexts produced by a game-internal , as in CPAD. Second, the indices must point into the encryption state; the ciphertexts threaded into are always fresh encryptions from the encryption/challenge requests, not intermediate evaluations. This single-hop structure is what keeps the game checkable without the game itself having to run .
Attacks & Relevance
Walter’s main reason to define SA is to answer the question “does a SNARG for correct evaluation actually buy any input privacy on top of the IND-CPA FHE it wraps?”. Under a CPA-secure FHE alone, a malicious server could tamper with the returned ciphertext and a decryption failure could leak information. The SNARG forces the server to commit to a function and input ciphertexts, which the client checks against what it sent; the SA game abstracts exactly this check into the test. Walter’s Lemma 6 formalises the positive result: an IND-CPA FHE paired with a sound SNARG for the “correct evaluation” relation is IND-SA secure.
Walter also establishes the following relational picture (§4 of the paper):
CPA SA vCCA (Lemma 1): SA is strictly stronger than CPA and strictly weaker than vCCA.
SA and CCA1 are incomparable. is Walter’s Lemma 3, instantiated by the §5 FHE+SNARG construction — essentially the [VKH23] scheme that Manulis and Nguyen showed not to be IND-CCA1 secure. The reverse follows from Lemma 2 combined with the trivial implication .
SA and CCVA are incomparable (Lemma 4 for the direction; the other direction follows from Lemma 2 and ).
SA and CCA1.5 are incomparable (Lemma 2 for ; Lemma 3 via gives the other direction since CCA1.5 CCA1).
SA and funcCPA are incomparable (Lemma 5).
The practical takeaway is that SA is the right security target for a client-authoritative FHE+SNARG deployment, but is not a substitute for CCA1, CCVA, or CCA1.5 in settings where those apply — it sits on a different axis of the hierarchy.
Achieving This Notion
Walter’s Lemma 6 is the headline positive result. Let be an IND-CPA secure FHE scheme for function family with ciphertext space , and let be a sound SNARG for the relation
Define by having output where , and by having first run and return if verification rejects. Then is IND-SA secure. Crucially, the proof only needs ordinary SNARG soundness — no simulation-extractability, straightline extraction, or other non-black-box properties — which is a key practical advantage over the vCCA construction of Manulis and Nguyen.
Strong Chosen Plaintext Attack with Decryption (sCPAD) security is a strengthening of CPAD security introduced to address a mismatch between the CPAD security model and practical public-key FHE deployments.
In the CPAD game, fresh ciphertexts in the adversary’s state can only be produced by the encryption oracle, which samples its own randomness internally.
However, in real-world public-key settings, an adversary possesses the public key and can encrypt messages using randomness of its choosing - it may only be required to prove that the resulting ciphertext is well-formed, not that the randomness was sampled honestly.
The sCPAD game closes this gap by giving the adversary an additional encryption oracle that accepts adversarially chosen randomness.
The key insight is that even though a public-key adversary can always compute encryptions on its own, the ability to inject ciphertexts with chosen randomness into the game state - and then request their decryption after homomorphic operations - can leak information that the standard CPAD model does not capture.
Bernard, Joye, Smart, and Walter proved that sCPAD is strictly stronger than CPAD: there exist schemes that are CPAD-secure but completely sCPAD-insecure, even in the public-key setting.
Formal Definition
The sCPAD security game extends the CPAD game by adding a second encryption oracle that takes adversarially chosen randomness.
Given a public-key FHE scheme with message space and encryption randomness space , the game is parameterized by a hidden bit and maintains an initially empty state :
Key generation. Run and give to .
Challenge encryption request. On query with , compute , return to , and set .
Randomness-controlled encryption request. On query with and , compute , return to , and set .
Evaluation request. On query with indices into , compute , , and . Return to and set .
Decryption request. On query with an index into : if , return . Otherwise return .
Guessing stage. outputs a guess . It wins if .
The scheme is sCPAD-secure if the advantage is negligible for all PPT adversaries.
Note that the randomness-controlled oracle can only be used for non-challenge queries (both plaintext components are identical), since allowing the adversary to choose randomness for left-or-right challenge queries would make the notion trivially unachievable.
Separation from CPAD
The implication sCPAD CPAD is immediate, since the CPAD adversary’s oracles are a strict subset of those available in the sCPAD game.
The reverse does not hold.
For symmetric-key schemes, the separation is straightforward: in Regev-type encryption, choosing the encryption randomness means the adversary knows the noise term and can remove it, yielding a linear equation in the secret key that is recoverable after queries.
For public-key schemes, one might expect the two notions to coincide since the adversary already holds the public key and can encrypt on its own.
Bernard et al. showed this intuition is false by constructing an explicit counterexample.
Starting from any CPAD-secure public-key FHE scheme over , they modify encryption to accept an additional randomness string of length : if , the scheme encrypts the complement of the message; otherwise it behaves normally.
The modified scheme remains CPAD-secure because the probability of any ciphertext in the game state having is negligible when randomness is sampled honestly.
However, an sCPAD adversary can deliberately set , causing the oracle to insert a ciphertext that decrypts to the complement of the submitted message, which breaks the scheme via a standard distinguishing attack.
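The counterexample just described, played out in both games, as an added example that is not code from this page or from Bernard, Joye, Smart, and Walter. The underlying FHE is an idealised stand-in (a ciphertext is an opaque handle whose plaintext only the game reads, and any Python function on bits can be evaluated), so the code exercises the game bookkeeping and the separation, not any hardness assumption. The page only says that the injected complement ciphertext breaks the scheme via a standard distinguishing attack; evaluating the AND of the challenge ciphertext with the injected one, so that the logged (m0, m1) pair becomes (0, 0) while the real plaintext is the challenge bit, is this example's choice of that attack. RAND_BITS is a toy security parameter.

```python
"""sCPAD versus CPAD on the 'complement the message when the randomness is all-zero'
counter-example. Added example, not from the page or from Bernard, Joye, Smart and
Walter. The FHE is an idealised stand-in (a ciphertext is an opaque handle whose
plaintext only the game reads), so this checks the game logic, not any hardness
assumption. Evaluating AND is this example's choice of 'standard distinguishing attack'."""
import random

RAND_BITS = 32          # length of the extra randomness string (toy security parameter)
ALL_ZERO = 0


class Ciphertext:
    """Opaque handle; code outside the scheme must not read _pt."""

    def __init__(self, pt):
        self._pt = pt


class IdealBitFHE:
    """Idealised, perfectly correct FHE over bits."""

    def __init__(self, rng=None):
        self.rng = rng or random

    def encrypt(self, m, r=None):
        return Ciphertext(m)

    def decrypt(self, c):
        return c._pt

    def evaluate(self, f, cts):
        return Ciphertext(f(*(c._pt for c in cts)))


class ComplementOnZeroFHE(IdealBitFHE):
    """Modified scheme: honest r is uniform in [0, 2^RAND_BITS); r == 0 encrypts 1 - m."""

    def encrypt(self, m, r=None):
        if r is None:
            r = self.rng.getrandbits(RAND_BITS)          # honest randomness: r == 0 w.p. 2^-32
        return super().encrypt(1 - m if r == ALL_ZERO else m)


class Game:
    """CPAD/sCPAD game with a state of (m0, m1, ciphertext) triples and hidden bit b."""

    def __init__(self, scheme, b, chosen_randomness):
        self.scheme, self.b, self.chosen_randomness = scheme, b, chosen_randomness
        self.state = []

    def _push(self, m0, m1, c):
        self.state.append((m0, m1, c))
        return len(self.state) - 1

    def challenge(self, m0, m1):
        return self._push(m0, m1, self.scheme.encrypt(m1 if self.b else m0))

    def encrypt_with_randomness(self, m, r):
        if not self.chosen_randomness:
            raise PermissionError("only the sCPAD game offers this oracle")
        return self._push(m, m, self.scheme.encrypt(m, r))      # non-challenge query only

    def evaluate(self, f, idxs):
        m0 = f(*(self.state[i][0] for i in idxs))
        m1 = f(*(self.state[i][1] for i in idxs))
        return self._push(m0, m1, self.scheme.evaluate(f, [self.state[i][2] for i in idxs]))

    def decrypt(self, idx):
        m0, m1, c = self.state[idx]
        return self.scheme.decrypt(c) if m0 == m1 else None   # refuse challenge-dependent entries


def adversary(game):
    """Same strategy in both games; only the source of the auxiliary ciphertext differs."""
    i_star = game.challenge(0, 1)                            # c* encrypts b
    if game.chosen_randomness:
        i_aux = game.encrypt_with_randomness(0, ALL_ZERO)    # logged as (0, 0) but encrypts 1
    else:
        i_aux = game.challenge(0, 0)                         # honest Enc(0), logged as (0, 0)
    i_and = game.evaluate(lambda x, y: x & y, [i_star, i_aux])  # logged (0, 0): decryptable
    return game.decrypt(i_and)                               # sCPAD: b AND 1 = b; CPAD: b AND 0 = 0


def play(b, chosen_randomness, seed=0):
    """One run of the game with hidden bit b; returns the adversary's output."""
    return adversary(Game(ComplementOnZeroFHE(random.Random(seed)), b, chosen_randomness))


def win_rate(chosen_randomness, trials=200, seed=1):
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        wins += adversary(Game(ComplementOnZeroFHE(rng), b, chosen_randomness)) == b
    return wins / trials


if __name__ == "__main__":
    print("sCPAD adversary win rate:", win_rate(True))    # 1.0
    print("CPAD adversary win rate :", win_rate(False))   # about 0.5
```

The decryption oracle never looks at the actual ciphertext when deciding whether to answer; it only compares the logged plaintext pair, and that log is computed from the plaintexts the adversary claimed. Chosen randomness lets the adversary make the log lie (Enc(0, r = 0) is logged as 0 but encrypts 1), and a single evaluation then launders the challenge bit into an entry the oracle considers harmless. With honest randomness the same strategy yields an evaluation that really encrypts 0 (up to the 2^-32 chance of sampling r = 0), so the oracle answer is independent of b.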
Achieving This Notion
Bernard et al. introduced a new correctness definition called ACER correctness (statistical correctness under Adversarially Chosen Encryption Randomness) tailored to the sCPAD setting.
A scheme is ACER correct if fresh ciphertexts decrypt perfectly for all choices of randomness, and the failure probability after homomorphic evaluation is negligible even when input ciphertexts were produced with adversarially chosen randomness.
The central result is that IND-CPA security combined with ACER correctness implies sCPAD security.
In contrast, IND-CPA security combined with ordinary statistical correctness suffices for CPAD but does not imply sCPAD.
Achieving ACER correctness is non-trivial.
A naive approach of hashing the input randomness through a random oracle to force uniform encryption randomness does not work, because an adversary can use rejection sampling to bias the noise (e.g., selecting ciphertexts whose noise terms all share the same sign, amplifying the failure probability after addition).
The paper gives a sufficient condition: if a statistically correct scheme has re-randomizable ciphertexts and fresh ciphertexts are perfectly correct, then re-randomizing each input ciphertext before evaluation yields ACER correctness.
Concretely, the evaluation algorithm is modified to , where produces a distribution statistically close to a fresh encryption.
Combining this with an IND-CPA-secure scheme immediately yields sCPAD security.
For TFHE specifically, re-randomization can be performed by adding an encryption of zero (using the public key), and the paper shows that their new modulus-switching techniques - the probabilistic and exact drift defenses - enable TFHE parameter sets originally designed for IND-CPA security to achieve sCPAD security with negligible overhead.
Verifiable Chosen Ciphertext Attack (vCCA) security, introduced by Manulis and Nguyen, is a relaxation of CCA2 security designed to be compatible with the malleable nature of FHE.
The core idea is to augment the FHE scheme with machinery that proves the well-formedness of ciphertexts - both fresh ciphertexts (direct outputs of encryption) and evaluated ciphertexts (derived through genuine homomorphic operations).
The decryption function rejects any ciphertext that fails verification.
The motivation arises from the fundamental tension between CCA2 security and homomorphic evaluation: CCA2 prevents any meaningful ciphertext transformation, which is exactly what FHE enables.
Meanwhile, CCA1 does not provide post-challenge decryption access.
vCCA occupies a middle ground: it grants the adversary a post-challenge decryption oracle (like CCA2), but this oracle rejects any ciphertext that is a byproduct of the challenge ciphertext - identified by means of a witness extractor derived from an underlying SNARK.
This filters out exactly the queries that would allow trivial wins via homomorphic manipulation of the challenge, while still permitting decryption of unrelated ciphertexts.
Manulis and Nguyen proved that vCCA is strictly stronger than CCA1 and strictly weaker than CCA2.
Importantly, the single-challenge and multi-challenge variants of vCCA are equivalent, as the standard hybrid argument applies: the extractor-based filtering prevents an adversary from detecting the transition point in a hybrid game.
Formal Definition
The vCCA security game assumes the encryption scheme is augmented with a PPT witness extractor such that for an evaluated ciphertext , we have , and for a fresh ciphertext, .
The game proceeds as a standard CCA2 game with two decryption phases:
Phase 1 (pre-challenge). On query : return .
The adversary issues the challenge query and receives .
Phase 2 (post-challenge). On query : compute . If , return . Otherwise return .
The multi-challenge (LOR) variant replaces the single challenge ciphertext check with , where is the set of all challenge ciphertexts.
Manulis and Nguyen’s original definition is single-challenge (denoted in the literature); Brzuska et al. proved that .
The scheme is vCCA-secure if the adversary’s advantage is negligible for all PPT adversaries.
Attacks & Relevance
In an FHE deployment, a decryption oracle naturally arises whenever the secret key holder decrypts results - if an adversary can influence what gets decrypted, it can submit homomorphically modified challenge ciphertexts (e.g., ) to learn the underlying plaintext.
The vCCA decryption oracle blocks exactly these queries.
However, vCCA was originally defined and studied under the correctness assumption.
In the correct regime (negligible decryption errors), vCCA and vCCAD are equivalent [BCF+25, Prop. 5.6]. In the general regime (approximate FHE), vCCAD is strictly stronger [BCF+25, Prop. 5.7].
In the general regime where approximate FHE schemes are allowed, vCCA does not imply CPAD security - it only implies the weaker variant.
Conversely, CPAD does not imply vCCA.
This means that for approximate FHE deployments, vCCA alone may be insufficient: the decryption oracle leakage exploited by CPAD attacks is orthogonal to the malleability attacks that vCCA prevents.
Achieving This Notion
Manulis and Nguyen proposed several construction blueprints for achieving vCCA from a CPA-secure and correct FHE scheme.
The general strategy is to augment the scheme with proof machinery: fresh ciphertexts are made verifiable (via signatures in the private-key setting, or Naor-Yung double encryption in the public-key setting), and evaluated ciphertexts carry SNARK proofs of correct homomorphic derivation from well-formed inputs.
The decryption function returns when verification fails.
Specific blueprints include Encrypt-then-Sign (private key, using SUF-CMA signatures), Encrypt-then-MAC (private key, using a MAC), CCA2-Companion-Ciphertext (public key, designated verifier, pairing an FHE ciphertext with a CCA2-encrypted copy of the message and randomness), and a Naor-Yung-based construction (public key, public verifier).
A fifth blueprint, Encrypt-then-Prove [Brzuska et al., CIC 2025], replaces the signature with a publicly verifiable zk-SNARK for the well-formedness language, achieving the first compact, publicly verifiable vCCAD (and hence vCCA) construction in the public-key setting.
All require a SNARK for the language of correct homomorphic evaluations.
Further Reading
The vCCA notion was introduced in Manulis and Nguyen (Eurocrypt 2024).
Brzuska et al. (CIC 2025) clarified the relationship between vCCA and CPAD: implies but neither implies nor is implied by or full , contrary to informal claims in the original paper.
They also established that (the multi-challenge variant adds no strength) and that in the general regime - motivating the stronger vCCAD notion.
For the broader landscape of CCA relaxations for FHE, see also Viand, Knabenhans, and Hithnawi (arXiv 2023) who proposed CCA1-secure verifiable FHE constructions.
Verifiable Chosen Ciphertext Attack with Decryption
Implies: vCCA, sCPAD
Implied by: RCCA
Overview
Verifiable Chosen Ciphertext Attack with Decryption (vCCAD) security, introduced by Brzuska, Canard, Fontaine, Phan, Pointcheval, Renard, and Sirdey, is a strengthening of vCCA security designed to cover the full spectrum of FHE schemes, including approximate ones.
While vCCA was defined and studied by Manulis and Nguyen only under the correctness assumption, vCCAD adapts the approach to the general regime by incorporating the CPAD-style decryption oracle semantics into the vCCA framework.
The key insight is that vCCA’s post-challenge decryption oracle filters ciphertexts based on whether the challenge ciphertext appears among their extracted inputs (a syntactic check).
vCCAD instead uses a semantic check: it filters ciphertexts based on whether the left and right plaintext evaluations (corresponding to the two challenge messages) differ.
A ciphertext derived from the challenge is accepted by the vCCAD oracle if the homomorphic function evaluated on it produces the same result regardless of which challenge message was encrypted - meaning the decryption result cannot help the adversary distinguish.
This semantic filter is strictly more permissive than vCCA's syntactic filter: every ciphertext accepted by the vCCA oracle is also accepted by the vCCAD oracle, but not vice versa, so the vCCAD adversary receives strictly more decryptions and the notion is at least as strong as vCCA.
In the correct regime the extra answers reveal nothing, since both plaintext evaluations agree and decryption returns exactly that value; in the approximate regime they carry decryption noise, and because vCCAD also inherits CPAD-style tracking of left and right messages across all oracle queries, it captures both the malleability attacks that vCCA prevents and the noise-leakage attacks that CPAD prevents.
Brzuska et al. proved that vCCAD is the strongest CCA security notion known to be achievable by FHE in the general regime, with strict implications and .
In the correct regime, however, vCCAD and vCCA are all equivalent.
Formal Definition
The vCCAD game is a multi-challenge game maintaining the same state of message-message-ciphertext triplets as the CPAD game, and assumes the same extractor as the vCCA game.
In the private-key setting, the decryption oracle is defined as follows:
Decryption request. On query :
Compute .
If , return .
Otherwise, return .
Where if is registered at index in the state, and otherwise (symmetrically for ). By convention, whenever any argument is .
In the public-key setting, an additional extractor is needed to recover the message and randomness from fresh ciphertexts the adversary generated on its own (since these are not registered in the game state).
The and functions fall back to when a ciphertext is not found in the state.
In the public-key setting, the vCCAD adversary can encrypt with chosen randomness on its own and submit the resulting ciphertexts for decryption via . This subsumes the sCPAD model’s randomness-controlled encryption oracle, hence vCCAD implies sCPAD.
Encryption, challenge, and evaluation requests follow the same structure as the CPAD game.
The scheme is vCCAD-secure if the adversary’s advantage is negligible for all PPT adversaries.
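To make the difference between the vCCA phase-2 filter (reject when the challenge ciphertext is among the extracted inputs) and the vCCAD filter (reject only when the left and right plaintext evaluations differ) concrete, the block below simulates both decryption oracles side by side. It is an added example, not code from Manulis and Nguyen or Brzuska et al.: the FHE scheme is a constructed one-dimensional LWE-style toy (b = a*s + m*Q/2 + e) that supports addition and scaling by a small constant, and instead of a SNARK each ciphertext carries its derivation record in the clear, which stands in for what the witness extractor Ext would return. The `Game` class keeps the CPAD-style state of (m0, m1, ciphertext) triplets; the `_well_formed` check stands in for signature/MAC verification of fresh inputs and SNARK verification of evaluations. All class and function names are assumptions of the example.

```python
import secrets

# Toy scheme constructed for this example (not a real FHE scheme).
Q = 1 << 16
BOT = None   # the rejection symbol


class Ciphertext:
    def __init__(self, a, b, op=None, inputs=()):
        self.a, self.b = a % Q, b % Q
        self.op = op            # None for fresh, else ("add",) or ("scale", k)
        self.inputs = inputs    # input ciphertexts (what Ext returns); empty for fresh


class ToyFHE:
    def __init__(self):
        self.s = secrets.randbelow(Q)

    def enc(self, m):
        a = secrets.randbelow(Q)
        e = secrets.randbelow(17) - 8           # small noise in [-8, 8]
        return Ciphertext(a, a * self.s + m * (Q // 2) + e)

    def dec(self, c):
        x = (c.b - c.a * self.s) % Q
        return 1 if Q // 4 <= x < 3 * Q // 4 else 0

    @staticmethod
    def add(c1, c2):
        return Ciphertext(c1.a + c2.a, c1.b + c2.b, ("add",), (c1, c2))

    @staticmethod
    def scale(c, k):
        return Ciphertext(c.a * k, c.b * k, ("scale", k), (c,))


def extract(c):
    """Leaves of the derivation tree: the fresh ciphertexts Ext recovers."""
    if c.op is None:
        return {c}
    leaves = set()
    for x in c.inputs:
        leaves |= extract(x)
    return leaves


class Game:
    """CPAD-style state of (m0, m1, ciphertext) triplets plus both oracles."""
    def __init__(self, b):
        self.b, self.fhe, self.state, self.challenge_ct = b, ToyFHE(), [], None

    def encrypt(self, m):
        c = self.fhe.enc(m)
        self.state.append((m, m, c))
        return c

    def challenge(self, m0, m1):
        c = self.fhe.enc(m1 if self.b else m0)
        self.state.append((m0, m1, c))
        self.challenge_ct = c
        return c

    def _side(self, c, side):
        """Left (side=0) / Right (side=1) plaintext evaluation; BOT if unknown."""
        for m0, m1, ct in self.state:
            if ct is c:
                return (m0, m1)[side]
        if c.op is None:
            return BOT                          # fresh ciphertext not in the state
        vals = [self._side(x, side) for x in c.inputs]
        if any(v is BOT for v in vals):
            return BOT                          # f(..., BOT, ...) = BOT by convention
        if c.op[0] == "add":
            return (vals[0] + vals[1]) % 2
        return (c.op[1] * vals[0]) % 2

    def _well_formed(self, c):
        registered = {id(ct) for _, _, ct in self.state}
        return all(id(leaf) in registered for leaf in extract(c))

    def dec_vcca(self, c):
        """vCCA phase-2 oracle: syntactic filter on the extracted inputs."""
        if not self._well_formed(c) or self.challenge_ct in extract(c):
            return BOT
        return self.fhe.dec(c)

    def dec_vccad(self, c):
        """vCCAD oracle: semantic filter, reject only if Left(c) != Right(c)."""
        if not self._well_formed(c) or self._side(c, 0) != self._side(c, 1):
            return BOT
        return self.fhe.dec(c)


def run_queries(b=1):
    """Answer the same post-challenge queries with both oracles: (vCCA, vCCAD)."""
    g = Game(b)
    c_star = g.challenge(0, 1)
    queries = {
        "scaled_challenge": ToyFHE.scale(c_star, 2),             # 2*m_b = 0 either way
        "challenge_plus_one": ToyFHE.add(c_star, g.encrypt(1)),  # m_b + 1 depends on b
        "unrelated": ToyFHE.add(g.encrypt(1), g.encrypt(0)),
        "forged": Ciphertext(secrets.randbelow(Q), secrets.randbelow(Q)),
    }
    return {name: (g.dec_vcca(c), g.dec_vccad(c)) for name, c in queries.items()}
```

Running `run_queries()` shows the split: the scaled challenge is rejected by vCCA (the challenge is among its inputs) but answered by vCCAD, because both plaintext evaluations equal 0 and the answer cannot help distinguish; the challenge plus an encryption of 1 is rejected by both; an unrelated evaluation is answered by both; and a forged fresh ciphertext fails the well-formedness check in both. In this exact toy the extra vCCAD answer is harmless, which is the correct-regime equivalence in the text; with an approximate scheme the returned value would carry decryption noise, which is precisely the leakage vCCAD tracks and vCCA does not.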
Attacks & Relevance
Like vCCA, vCCAD prevents malleability-based attacks where an adversary homomorphically transforms the challenge ciphertext and submits the result for decryption.
Like CPAD, it also prevents noise-leakage attacks where the adversary exploits decryptions of legitimately derived ciphertexts to recover secret key material from approximate decryption errors.
The separation results established by Brzuska et al. show that neither vCCA nor CPAD alone is sufficient in the approximate FHE setting.
vCCA does not imply (the decryption noise leakage is invisible to the vCCA game), and does not imply vCCA (the CPAD game provides no decryption oracle for adversary-crafted ciphertexts).
vCCAD subsumes both. Furthermore, unlike vCCA where the single-challenge and multi-challenge variants are equivalent, the multi-challenge variant of vCCAD is strictly stronger than its single-challenge counterpart () in the general regime.
Achieving This Notion
Brzuska et al. showed that several of the construction blueprints from Manulis and Nguyen can be adapted to achieve vCCAD security, provided the underlying FHE is CPAD-secure (or sCPAD-secure in the public-key case) rather than merely CPA-secure.
The Encrypt-then-Sign blueprint (private key) achieves vCCAD from a CPAD-secure FHE, a SUF-CMA signature scheme, and a straightline-extractable SNARK.
The lighter Encrypt-then-MAC variant can be upgraded in the same way in the private-key setting, with the same compactness and input-privacy tradeoff as in the original vCCA construction.
The CCA2-Companion-Ciphertext blueprint (public key, designated verifier) achieves vCCAD from an sCPAD-secure FHE, a CCA2-secure companion scheme, and a straightline-extractable SNARK.
For the public-key, public-verifier setting, the Naor-Yung-based blueprint from Manulis and Nguyen cannot be used when perfect correctness does not hold.
Brzuska et al. therefore proposed a new Encrypt-then-Prove blueprint that replaces the signature with a publicly verifiable zk-SNARK for the well-formedness language, achieving vCCAD security from an sCPAD-secure FHE under simulation-extractability of the well-formedness SNARK and straightline-extractability of the evaluation SNARK.