CPA Security and Limitations

Consider Pr [ A( ,Uk,·) ( 1, E ( 1,Uk,m k )) = 1 ] for b = 0, 1 (we will refer to this as Pr [A0] and Pr [A1] for convenience). Suppose that the oracle is queried at most p (k) times for some polynomial p (k). The i-th time the oracle is queried, it picks some random c0 (call it ci,0) and then returns ci,0,Uk (ci,0) ⊕m. Let E be the event that ci,0 = c 0 for any i. Since each ci,0 is chosen at random, the probability of E is 2−k for each i and by the union bound at most p (k) 2−k overall, and this is a polynomial times an inverse exponential and therefore negligible. Now consider the case where E does not occur. Then what is the advantage of the algorithm, i.e. ∣∣Pr [A0|E]− Pr [A1|E]∣∣? The advantage is necessarily zero: because ci,0 6= c 0 for all i, and U is uniformly random, the value of b is independent from all of the data that A has seen. That is to say, for every scenario where A answers correctly, the scenario where A answers incorrectly, on the exact same inputs and answers from the oracle, occurs with the same probability, and A answers correctly with probability precisely 1 2 . So, following the total probability law, we have