Pre-challenge decryption oracle FHE-compatible

CCA1

Chosen Ciphertext Attack 1

Relations

Implied By

CCA1.5, IV-CCA

Implies

CCVA1

Overview

Chosen Ciphertext Attack 1 (CCA1) security, also known as IND-CCA1 or lunchtime attack security, strengthens CPA by giving the adversary access to a decryption oracle before seeing the challenge ciphertext. The adversary can submit arbitrary ciphertexts for decryption during a learning phase, but once the challenge is issued, the decryption oracle is revoked.

The name “lunchtime attack” comes from the scenario where an attacker has temporary physical access to a decryption device - for example, while its owner is away - and can decrypt ciphertexts of their choosing, but must later break a target ciphertext without further access.

In the FHE setting, CCA1 has gained renewed interest because it is the strongest classical security notion that remains compatible with homomorphic evaluation. Since homomorphic operations necessarily produce new ciphertexts related to existing ones, CCA2 security (which allows post-challenge decryption queries) is incompatible with homomorphic properties. More recently, FHE-specific notions such as vCCA and vCCAD have been shown to be strictly stronger than CCA1 while remaining FHE-compatible.

Formal Definition

The IND-CCA1 security game proceeds as follows:

  1. The challenger generates a key pair and gives to .
  2. Phase 1 (pre-challenge): has access to a decryption oracle and may submit arbitrary ciphertexts for decryption.
  3. outputs two equal-length messages .
  4. The challenger samples , computes , and sends to .
  5. Phase 2 (post-challenge): no longer has access to the decryption oracle.
  6. outputs a guess .

The advantage is defined as:

The scheme is IND-CCA1 secure if this advantage is negligible for all PPT adversaries.
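The game above, together with the Overview's point that a post-challenge decryption oracle cannot coexist with homomorphic evaluation, as an added Python example (not code from the original page). The toy multiplicative ElGamal scheme, its parameters, and the names `Challenger`, `hmul` and `play_mauling_adversary` are assumptions made for illustration; the toy scheme is not claimed to be CCA1 secure.

```python
import secrets

# Toy multiplicative ElGamal; parameters constructed for illustration only.
P, G = 2**127 - 1, 3  # Mersenne prime modulus, far too small for real use

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P

def dec(sk, c):
    return c[1] * pow(c[0], P - 1 - sk, P) % P  # c2 / c1^sk, inverse via Fermat

def hmul(a, b):  # homomorphic evaluation: decrypts to the product of plaintexts
    return a[0] * b[0] % P, a[1] * b[1] % P

class OracleRevoked(Exception): pass

class Challenger:
    def __init__(self, post_challenge_oracle):
        self.pk, self._sk = keygen()
        # post_challenge_oracle False: CCA1 game, True: CCA2-style game
        self._post, self._c_star = post_challenge_oracle, None

    def decrypt(self, c):
        if self._c_star is not None:  # Phase 2
            if not self._post:
                raise OracleRevoked("CCA1: no decryption after the challenge")
            if c == self._c_star:
                raise ValueError("CCA2: the challenge itself is off limits")
        return dec(self._sk, c)

    def challenge(self, m0, m1):
        self._b = secrets.randbelow(2)  # hidden bit, read only when scoring
        self._c_star = enc(self.pk, (m0, m1)[self._b])
        return self._c_star

def play_mauling_adversary(ch, m0=5, m1=7):
    # Runs one game and scores it; returns (guessed_correctly, oracle_revoked).
    assert ch.decrypt(enc(ch.pk, 11)) == 11      # Phase 1 query is allowed
    c_star = ch.challenge(m0, m1)
    related = hmul(c_star, enc(ch.pk, 2))        # encrypts 2*m_b, differs from c_star
    try:
        guess, revoked = (0 if ch.decrypt(related) == 2 * m0 else 1), False
    except OracleRevoked:
        guess, revoked = secrets.randbelow(2), True  # fallback: coin flip
    return guess == ch._b, revoked
```

With `post_challenge_oracle=True` the homomorphically derived ciphertext is a legal query and the guess is always correct; with `False` the same Phase 2 query raises `OracleRevoked`.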

Attacks & Relevance

CCA1 security protects against adversaries who can temporarily exploit decryption capabilities to learn structural information about the scheme before attempting to break a target ciphertext. This covers scenarios such as an attacker with temporary access to a decryption key or device, an insider who loses access privileges before the sensitive message is transmitted, or an adversary who can exploit decryption-related side channels during a setup phase.

In the FHE context, CCA1 is a natural security target for schemes deployed in settings where the adversary may have had prior access to decryption capabilities, as it is the strongest classical indistinguishability-based notion compatible with homomorphic evaluation.

Achieving This Notion

Constructing CCA1-secure FHE is non-trivial. Generic transformations from CPA to CCA1 for standard encryption (e.g., using non-interactive zero-knowledge proofs in the Naor-Yung double encryption paradigm) are known, but adapting these to preserve homomorphic properties requires care, as known FHE schemes are usually not perfectly correct. Recent constructions, such as GG-GSW, use lattice trapdoors to try to achieve CCA1-secure leveled homomorphic encryption.

Further Reading

The notion was originally described in a paper by Naor and Yung (1990).