Filtered adaptive decryption oracle FHE-compatible

IV-CCA

Input-Verifiable Chosen Ciphertext Attack

Introduced In

Relations

Implied By

vCCA

Implies

CCA1

Overview

Input-Verifiable CCA (IV-CCA) security, introduced by Yang, Yu, and Susilo, is a CCA security notion that sits strictly between CCA1 and vCCA. Like vCCA, IV-CCA features a post-challenge decryption oracle that accepts some ciphertexts beyond the CCA1 cutoff. However, where vCCA relies on a SNARK-based witness extractor to identify challenge-dependent ciphertexts, IV-CCA uses a verification algorithm that is part of the FHE scheme itself: the adversary must supply, alongside the ciphertext to be decrypted, a set of input ciphertexts that “explain” it via a legitimate homomorphic evaluation.

The key distinction from vCCA is that IV-CCA’s verification is explicit: the input ciphertexts must be presented to the decryption oracle alongside the ciphertext they explain, which makes the scheme inherently non-compact. In exchange, Yang et al. achieved the remarkable result of constructing an IV-CCA-secure FHE scheme in the standard model based solely on the LWE assumption (plus the assumption that perfectly correct FHE can be built from LWE), without requiring SNARKs or any non-falsifiable assumptions.

Formal Definition

An IV-CCA-secure FHE scheme is augmented with a verification algorithm that takes a ciphertext and a tuple of input ciphertexts and checks whether the ciphertext can be explained as a legitimate homomorphic evaluation over those inputs. The IV-CCA security game proceeds as follows:

  1. The challenger generates and gives to .
  2. Phase 1 (pre-challenge). has access to a decryption oracle .
  3. outputs , receives .
  4. Phase 2 (post-challenge). has access to a decryption oracle that, on input :
    • Checks that .
    • Checks that .
    • If both checks pass, returns ; otherwise returns .
  5. outputs a guess .

The scheme is IV-CCA-secure if the advantage is negligible for all PPT adversaries.

The crucial difference from vCCA is that the adversary must explicitly provide the input ciphertexts - there is no extractor that recovers them automatically.

Attacks & Relevance

IV-CCA prevents the same class of malleability attacks as vCCA: an adversary cannot submit homomorphic transformations of the challenge ciphertext for decryption, because the verification step would require presenting the challenge ciphertext as an input, which is explicitly blocked. However, IV-CCA provides this protection through a different mechanism - explicit input verification rather than proof-based extraction - which has fundamental implications for achievability.
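A toy simulation of the game's oracle filter and of the malleability attempt described above, as an added example that is not from the Yang-Yu-Susilo paper or from this taxonomy. The "FHE" is a noise-free, linearly homomorphic toy (insecure: the secret is recoverable from the public key) chosen only because its Eval is deterministic, so the oracle can recompute it. The query format (input ciphertexts, an opening per input that stands in for a well-formedness proof, and the linear weights of the evaluation) is an assumption of this example, not the paper's verification algorithm.

```python
"""Toy model of the IV-CCA decryption oracle (added example, not the paper's code).

The scheme is a noise-free linear toy: pk = (A, A*s), Enc(m; r) = (r*A, r*A*s + m)
mod Q, Dec((a, b)) = b - a*s.  It is NOT secure; its only job is to give the
oracle a deterministic Eval to recompute.  The Explanation layout below is a
modeling assumption of this example.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Q = 2**61 - 1                 # toy modulus (constructed, a Mersenne prime)
Ciphertext = Tuple[int, int]  # (a, b) with b = a*s + m (mod Q)


def keygen() -> Tuple[Tuple[int, int], int]:
    """Return (pk, sk) for the toy scheme."""
    s = secrets.randbelow(Q - 1) + 1
    A = secrets.randbelow(Q - 1) + 1
    return (A, A * s % Q), s


def enc(pk: Tuple[int, int], m: int, r: Optional[int] = None) -> Ciphertext:
    """Fresh encryption; r is exposed so an honest encryptor can 'open' it."""
    A, B = pk
    if r is None:
        r = secrets.randbelow(Q)
    return (r * A % Q, (r * B + m) % Q)


def dec(sk: int, c: Ciphertext) -> int:
    a, b = c
    return (b - a * sk) % Q


def eval_linear(weights: Sequence[int], inputs: Sequence[Ciphertext]) -> Ciphertext:
    """Deterministic homomorphic evaluation: sum_i w_i * c_i, component-wise."""
    a = sum(w * c[0] for w, c in zip(weights, inputs)) % Q
    b = sum(w * c[1] for w, c in zip(weights, inputs)) % Q
    return (a, b)


@dataclass
class Explanation:
    """What a post-challenge query must carry besides the ciphertext (assumption)."""
    inputs: List[Ciphertext]
    openings: List[Tuple[int, int]]  # (message, randomness) per input
    weights: List[int]


def verify(pk: Tuple[int, int], c: Ciphertext, ex: Explanation) -> bool:
    """Toy Verify: every input is a well-formed fresh encryption and c = Eval(inputs)."""
    if not (len(ex.inputs) == len(ex.openings) == len(ex.weights)):
        return False
    for ct, (m, r) in zip(ex.inputs, ex.openings):
        if enc(pk, m, r) != ct:          # opening stands in for a well-formedness proof
            return False
    return eval_linear(ex.weights, ex.inputs) == c


class IVCCAOracle:
    """Decryption oracle of the IV-CCA game; phase 1 until set_challenge() is called."""

    def __init__(self, pk: Tuple[int, int], sk: int):
        self.pk, self.sk = pk, sk
        self.challenge: Optional[Ciphertext] = None

    def set_challenge(self, c_star: Ciphertext) -> None:
        self.challenge = c_star

    def decrypt(self, c: Ciphertext, ex: Optional[Explanation] = None) -> Optional[int]:
        if self.challenge is None:
            return dec(self.sk, c)       # phase 1: plain CCA1-style oracle
        if ex is None or self.challenge in ex.inputs:
            return None                  # check 1: the challenge may not appear as an input
        if not verify(self.pk, c, ex):
            return None                  # check 2: ciphertext must be explained by its inputs
        return dec(self.sk, c)


def run_game(m_b: int = 7) -> dict:
    """Play the game with a rule-abiding adversary; return the oracle's answers."""
    pk, sk = keygen()
    oracle = IVCCAOracle(pk, sk)
    out = {"phase1": oracle.decrypt(enc(pk, 5))}            # 5: pre-challenge query
    c_star = enc(pk, m_b)
    oracle.set_challenge(c_star)
    r0, r1 = secrets.randbelow(Q), secrets.randbelow(Q)
    c_zero0, c_zero1 = enc(pk, 0, r0), enc(pk, 0, r1)
    c_mall = eval_linear([1, 1], [c_star, c_zero0])        # re-randomised challenge
    # Malleability attempt 1: the honest explanation lists c_star -> blocked by check 1.
    out["challenge_as_input"] = oracle.decrypt(
        c_mall, Explanation([c_star, c_zero0], [(0, 0), (0, r0)], [1, 1]))
    # Attempt 2: claim c_mall came from two encryptions of 0 -> Verify recomputes and fails.
    out["forged_explanation"] = oracle.decrypt(
        c_mall, Explanation([c_zero0, c_zero1], [(0, r0), (0, r1)], [1, 1]))
    # Attempt 3: no inputs supplied at all -> rejected.
    out["no_explanation"] = oracle.decrypt(c_mall)
    # Legitimate query: 2*Enc(1) + 3*Enc(2), explained by its fresh inputs -> 8.
    ra, rb = secrets.randbelow(Q), secrets.randbelow(Q)
    ca, cb = enc(pk, 1, ra), enc(pk, 2, rb)
    legit = Explanation([ca, cb], [(1, ra), (2, rb)], [2, 3])
    out["legitimate"] = oracle.decrypt(eval_linear([2, 3], [ca, cb]), legit)
    out["query_ciphertexts"] = 1 + len(legit.inputs)       # non-compact: inputs ride along
    return out


if __name__ == "__main__":
    print(run_game())
```

The `query_ciphertexts` count makes the non-compactness visible: every post-challenge query carries the evaluated ciphertext plus all of its inputs, which is exactly the cost the taxonomy entry attributes to IV-CCA.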

This makes IV-CCA particularly relevant as a theoretical benchmark: it demonstrates that meaningful beyond-CCA1 security is achievable for FHE without non-falsifiable assumptions, even at the cost of compactness.

Achieving This Notion

Yang, Yu, and Susilo (CRYPTO 2025) gave an explicit construction based on the Naor-Yung paradigm instantiated with LWE-based encryption. Their construction requires the underlying FHE scheme to satisfy perfect correctness - a strong requirement that they propose to achieve by using truncated discrete Gaussians for the noise distribution to obtain exact norm bounds. The construction is proven secure in the standard model under the sole LWE assumption, making it the first FHE scheme achieving beyond-CCA1 security without relying on random oracles or non-falsifiable assumptions such as Knowledge-of-Exponent or Linear-Only Homomorphism.

Further Reading

The IV-CCA notion was introduced by Yang, Yu, and Susilo (CRYPTO 2025). For the relationship with other CCA notions, Fontaine, Renard, Sirdey, and Stan (ePrint 2025/2036) place IV-CCA in the hierarchy between CCA1 and vCCA: vCCA implies IV-CCA, and IV-CCA implies CCA1. The requirement of perfect correctness connects to the work of Dwork, Naor, and Reingold (EUROCRYPT 2004) on immunizing encryption schemes from decryption errors, which underpins the Naor-Yung approach used in the construction.