What does "semantic security" mean for a block cipher mode?
A cipher mode is semantically secure if an attacker cannot distinguish between encryptions of two chosen plaintexts — essentially, ciphertexts reveal nothing about plaintexts beyond their length.
The value of this definition is that it turns the vague idea of "unreadable" into a concrete indistinguishability game — and a game can be reasoned about and proven. It also makes randomization essential: any deterministic scheme (like ECB) loses the game immediately, because encrypting the same message twice yields the same ciphertext and gives the attacker a tell.
Formal definition: Given two messages M0 and M1 of the same length, and the encryption of one of them, no efficient adversary can determine which one was encrypted with probability significantly better than 1/2.
Which modes achieve semantic security?
- ECB: No — identical blocks produce identical ciphertext
- CBC with random IV: Yes
- OFB with unique IV: Yes
- CTR with unique nonce: Yes
Why ECB fails: An attacker can see when two blocks (even across different messages) have the same plaintext. This violates the requirement that ciphertexts look random.
Semantic security is the minimum bar for any encryption scheme used in practice. ECB does not meet it, which is why it should never be used for more than a single block.
Go deeper:
Semantic security (Wikipedia) — the indistinguishability game and IND-CPA.