This is the most natural security definition for public-key encryption schemes, since the public key
The efficient adversary $\textit{Eve}$ is given the public key $k_e$ and can use it to encrypt $q$ messages of her choice $m_1, ..., m_q$ to obtain their corresponding ciphertexts $c_1, ..., c_q$.
A public-key encryption scheme $(\textit{Gen}, \textit{Enc}, \textit{Dec})$ is *CPA-secure* if for any two messages $(\mu_0, \mu_1)$, public key $k_e$ generated by $\textit{Gen}$ and ciphertext $c \coloneqq \textit{Enc}(k_e, \cdot)$ which is the encryption of either $\mu_0$ or $\mu_1$, the probability that Eve can guess whether $c$ belongs to $\mu_0$ or $\mu_1$ is at most negligibly greater than $\frac{1}{2}$.
$$\Pr_{k_e \leftarrow \textit{Gen}(), b \leftarrow_R \{0,1\}}[\textit{Eve}(k_e, \textit{Enc}(k_e, \mu_b)) = \mu_b] \le \frac{1}{2} + \textit{negl}()$$
The adversary Eve is not explicitly given access to an encryption oracle because she has the public key, knows the encryption algorithm and can thus encrypt any messages she likes. She is also free to choose the messages $\mu_0, \mu_1$. The public-key encryption scheme is considered CPA-secure if no matter what Eve does, she cannot guess if a ciphertext $c$ is the encryption of $\mu_0$ or $\mu_1$ with significantly better probability than $\frac{1}{2}$.
As with private-key CPA-security, any public-key encryption scheme must use a nondeterministic
There is no CPA-secure public-key encryption scheme with a deterministic encryption function $\textit{Enc}$.
If the encryption algorithm