Inferensys

Glossary

IND-CPA Security

Indistinguishability under Chosen-Plaintext Attack (IND-CPA) is a cryptographic security definition ensuring an adversary cannot distinguish between encryptions of two chosen plaintexts, guaranteeing no partial information is leaked.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
SEMANTIC SECURITY

What is IND-CPA Security?

IND-CPA, or Indistinguishability under Chosen-Plaintext Attack, is the standard definition of semantic security for public-key encryption schemes, ensuring that an adversary cannot distinguish between the encryptions of two chosen plaintexts.

IND-CPA security is a formal cryptographic game where an adversary submits two distinct plaintexts of equal length and receives a ciphertext of one. The scheme is secure if the adversary cannot determine which plaintext was encrypted with a probability significantly better than random guessing. This property guarantees that a ciphertext reveals no partial information about the underlying plaintext, even when the attacker can encrypt arbitrary messages of their choosing. For homomorphic encryption schemes, IND-CPA is the baseline requirement, ensuring that encrypted data remains semantically secure at rest and during computation.

The security relies on probabilistic encryption, meaning the same plaintext encrypts to different ciphertexts each time due to randomized padding or noise. In lattice-based schemes like BFV or CKKS, this randomness is the error term sampled from a discrete Gaussian distribution. IND-CPA does not protect against active attacks where an adversary manipulates ciphertexts and observes decryption results; that stronger guarantee requires IND-CCA2 security. However, for privacy-preserving machine learning and encrypted inference, IND-CPA suffices because the computation output is typically returned to the key holder, not the adversary.

Semantic Security Foundations

Core Properties of IND-CPA Security

Indistinguishability under Chosen-Plaintext Attack (IND-CPA) is the standard security definition for encryption schemes, ensuring that an adversary cannot distinguish between the encryptions of two chosen plaintexts. For homomorphic encryption, this property guarantees that ciphertexts reveal no information about the underlying data.

01

The IND-CPA Game

The formal security definition is modeled as a game between a challenger and a probabilistic polynomial-time adversary.

  • Setup: The challenger generates a key and provides the public key to the adversary.
  • Challenge: The adversary submits two equal-length plaintexts, m0 and m1.
  • Encryption: The challenger randomly selects a bit b and returns the encryption of mb.
  • Guess: The adversary must determine b. A scheme is IND-CPA secure if the adversary's advantage over a random guess is negligible.
02

Probabilistic Encryption

A fundamental requirement for IND-CPA security is that encryption must be non-deterministic. Encrypting the same plaintext multiple times must produce distinct ciphertexts.

  • Randomized Padding: Schemes like OAEP add random bits before encryption.
  • Initialization Vectors (IVs): A unique, random nonce ensures semantic security.
  • HE Realization: Lattice-based HE schemes inherently achieve this by adding a fresh, random noise component during encryption. Without this, an adversary could trivially win the game by comparing ciphertexts.
03

Malleability vs. Security

IND-CPA security explicitly does not guarantee non-malleability. Homomorphic encryption is, by design, malleable.

  • Definition: A scheme is malleable if an adversary can transform a ciphertext c (encrypting m) into a new ciphertext c' (encrypting f(m)) without knowing m.
  • HE Context: This is a feature, not a bug. It enables computation on encrypted data.
  • Implication: IND-CPA guarantees input privacy but not output integrity. An adversary can blindly modify an encrypted result. Circuit privacy or verifiable computation is required to detect such tampering.
04

Limitations: Active Attacks

IND-CPA provides security only against a passive adversary (eavesdropper). It offers zero protection against active attacks.

  • Chosen-Ciphertext Attack (CCA): An adversary with a decryption oracle can break IND-CPA schemes. They can submit manipulated ciphertexts and observe the decrypted results to extract information.
  • Real-World Risk: In cloud-based HE inference, a malicious client could send crafted ciphertexts to probe the model.
  • Mitigation: For active security, one must upgrade to IND-CCA1 or IND-CCA2 secure schemes, though these are fundamentally incompatible with standard homomorphic operations.
05

Lattice-Based Instantiation

Modern HE schemes achieve IND-CPA security by relying on the hardness of the Learning With Errors (LWE) or Ring-LWE problems.

  • Mechanism: A ciphertext is a pair (a, b) where b = <a, s> + m + e. The secret key s is a vector, m is the encoded plaintext, and e is a small random noise term.
  • Security Reduction: Distinguishing this from a random pair (a, u) is exactly the LWE problem. The noise e provides the probabilistic property.
  • Quantum Resistance: This construction is believed to be secure against both classical and quantum adversaries, making it a post-quantum standard.
06

Key Reuse and Hybrid Systems

A critical operational constraint of IND-CPA is the prohibition on key reuse across distinct protocol sessions.

  • Symmetric HE: Some schemes use a single secret key for encryption and decryption. Reusing this key for multiple independent data streams can leak relationships.
  • Hybrid Encryption: In practice, a standard IND-CPA public-key scheme (like RSA-OAEP) encrypts a one-time symmetric key, which then encrypts the bulk data.
  • HE Best Practice: Always generate fresh encryption randomness for each message. For multi-party HE, use distributed key generation protocols to avoid a single point of failure.
SEMANTIC SECURITY

Frequently Asked Questions

Clear answers to the most common questions about IND-CPA security, the foundational semantic security definition for modern homomorphic encryption schemes.

IND-CPA, or Indistinguishability under Chosen-Plaintext Attack, is the standard security definition for encryption schemes that guarantees a ciphertext reveals no information about the underlying plaintext, even to an adversary who can encrypt arbitrary messages of their choosing. The security is formalized through a challenge-response game between an adversary and a challenger. The adversary submits two distinct plaintexts of equal length. The challenger randomly selects one, encrypts it, and returns the ciphertext. If the adversary cannot determine which plaintext was encrypted with probability significantly better than random guessing, the scheme is IND-CPA secure. This inherently requires probabilistic encryption—encrypting the same message twice must produce different ciphertexts—which is why deterministic encryption schemes can never satisfy this definition.

SECURITY NOTION COMPARISON

IND-CPA vs. Other Security Notions

Comparison of indistinguishability under chosen-plaintext attack against stronger and weaker adversarial models for encryption schemes.

FeatureIND-CPAIND-CCA1IND-CCA2

Adversary Access to Encryption Oracle

Adversary Access to Decryption Oracle

Decryption Oracle Access After Challenge

Non-Malleability Guarantee

Resistant to Chosen-Ciphertext Attack

Sufficient for FHE Schemes

Typical Use Case

Encrypted computation

Static ciphertext storage

Active network protocols

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.