Definitions
CCA-1
An encryption scheme $\Pi = (\Gen, \Enc, \Dec)$ is IND-CCA-1 secure if for all PPT adversaries $A:=(A_1, A_2)$, $\Game_{\Pi, A}^{\CCA 1}( \lambda, 0) \approx_c \Game^{\CCA 1}_{\Pi, A}(\lambda, 1)$, where the game is the following:
\[\begin{aligned} &&& \underline{\Game_{\Pi, A}^{\CCA 1}( \lambda, b)}: \\ & \\ &1. && (pk, sk) \samples \Gen(1^\lambda) \\ &2. && (m_0, m_1, z) \samples A_1^{\Dec(sk, \cdot)}(pk) \\ &3. && c \samples \Enc(pk, m_b) \\ &4. && b' \samples A_2(c, z) \end{aligned}\]CCA-2
An encryption scheme $\Pi = (\Gen, \Enc, \Dec)$ is IND-CCA-2 (or simply IND-CCA) secure if for all valid PPT adversaries $A:=(A_1, A_2)$, $\Game_{\Pi, A}^{\CCA}( \lambda, 0) \approx_c \Game^{\CCA}_{\Pi, A}(\lambda, 1)$, where the game is the following:
\[\begin{aligned} &&& \underline{\Game_{\Pi, A}^{\CCA}( \lambda, b)}: \\ & \\ &1. && (pk, sk) \samples \Gen(1^\lambda) \\ &2. && (m_0, m_1, z) \samples A_1^{\Dec(sk, \cdot)}(pk) \\ &3. && c \samples \Enc(pk, m_b) \\ &4. && b' \samples A_2^{\Dec(sk, \cdot)}(c, z) \end{aligned}\]An adversary A is said to be valid if does not query the decryption oracle with $c$.
Remarks
Note that the main difference with respect to the CPA scenario is that the attacker is also given access to a decryption oracle $\Dec(sk, \cdot)$:
- CCA-1 considers the non-adaptive case, when the adversary may invoke the decryption oracle only before seeing the challenge ciphertext $c$
- CCA-2 captures an adaptive scenario, when the adversary may invoke the decryption oracle whenever it wants. The only restriction is that it cannot ask for the decryption of the challenge ciphertext.
It should be clear that CCA-2 is a stronger notion. Indeed we can prove both that CCA-2 $\Rightarrow$ CCA-1 and CCA-1 $\not\Rightarrow$ CCA-2.