The CPA security game involves guessing which of `m1`

and `m2`

the encryption oracle encrypted and returned as a challenge. Adversary picks both messages. They win if they do better than `50:50`

random guessing. In simple terms, this means the adversary can distinguish between messages after they're encrypted.

CCA is the same but gives access to a decryption oracle that decrypts anything but the challenge value. Challenge values are obviously blacklisted or the adversary just asks for a decryption and then they know whether it was `m1`

or `m2`

and win trivially. CCA insecurity means the attacker can learn information about one encrypted message by decrypting another different chosen ciphertext.

CBC is malleable

- bit flips in the IV flip bits in the first plaintext block
- bit flips in ciphertext flip bits in the next plaintext block and randomise that plaintext block

So the attacker can decrypt blacklisted messages by flipping one of the IV bits, submitting that to the decryption oracle, and flipping the same bit in the first block of whatever comes back. This gets them around the blacklist and wins the game with 100% probability. The attacker has learned the challenge ciphertext by decrypting a related message.

In real applications malleability has real consequences, attackers can flip bits in the first block for free and the `nth`

block at the cost of trashing the `(n-1)th`

block.