IND-CCA2

IND-CCA2, indistinguishability under adaptive chosen-ciphertext attack, is the strongest standard security notion for public-key encryption and the target that modern key encapsulation mechanisms are required to meet. In its game a challenger encrypts one of two attacker-chosen plaintexts, or for a KEM produces a real or random shared secret, and the attacker must guess which. The attacker may query a decryption or decapsulation oracle on any ciphertext except the challenge, and may keep querying adaptively after seeing the challenge, which is what the adaptive qualifier denotes.

Why it matters for post-quantum KEMs

Chosen-ciphertext resistance is what allows a single public key to be reused across many encapsulations, and it defends against reaction attacks in which an adversary submits malformed ciphertexts and learns secret information from whether decapsulation succeeds. FIPS 203 specifies ML-KEM and requires IND-CCA2 security; the scheme reaches it by applying a Fujisaki-Okamoto transform to a weaker IND-CPA building block, re-encrypting during decapsulation to reject invalid ciphertexts. Protocols such as HPKE (RFC 9180) assume an IND-CCA2 KEM.

Sources

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  2. RFC 9180: Hybrid Public Key Encryption (IETF, 2022)
Cite this entry
"IND-CCA2." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/ind-cca2@misc{pqwiki-ind-cca2, title = {IND-CCA2}, howpublished = {\url{https://postquantum.wiki/ind-cca2}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }