# Symmetric Encryption (SE)

A Symmetric Encryption (SE) scheme is a primitive that allows someone to encrypt plaintext into a ciphertext under a key and then to decrypt the ciphertext under the same key. It is a widely used primitive with many formal definitions of strengths.

## Formal Definition

### Syntax

A Symmetric Encryption (SE) scheme is a tuple of efficient functions , with respect to a keyspace , plaintext space , and ciphertext space , such that:

- , is a randomized function that takes a security parameter, and outputs a key ,
- , is a randomized function that takes a key and plaintext message , and outputs a ciphertext ,
- , is a deterministic function that takes a key and ciphertext , and outputs a plaintext message .

### Correctness

A SE scheme is *correct* if for all , there exists a negligible function , such that

where .

### Chosen Plaintext Attack (CPA) Security

A SE scheme is *CPA-secure* if for all efficient adversaries , there exists a negligible function , such that

where , is a uniformly random bit, and .

### Chosen Ciphertext Attack (CCA) Security

A SE scheme is *CCA-secure* if for all admissible efficient adversaries , there exists a negligible function , such that

where , is a uniformly random bit, and . Further, we say an adversary is admissible if it never queries on an output of .

The difference in this definition is that we additionally give the adversary access to a decryption oracle. This is a strictly stronger definition than SE#CPA-security.

### Indistinguishable from Random CPA (IND-CPA) Security

A SE scheme is *IND-CPA-secure* if for all efficient adversaries , there exists a negligible function , such that

where and is a random function from .

This security definition is also a stronger definition than CPA-security as it additionally restricts the distribution of ciphertexts produced by an encryption algorithm.

## Relationship to other primitives

## Sufficient assumptions

See the sufficient assumptions for OWFs.

## Variations

## Other Notes

- Other security definitions, named CCA1 and CCA2, exist and have historically been confused with the CCA notion outlined above