Counter Mode (CTR) and mult-CPA

Question

I am not sure if Counter Mode (CTR) encryption is mult-CPA (chosen-plaintext attack) secure or not.

Answer 1

CTR mode encryption, instantiated with a secure block cipher, is IND-CPA secure under the usual definition (Bellare et al., 1997; Rogaway, 2011).

The term "mult-CPA" does not appear to be in widespread use, but it's found e.g. in these German lecture slides (Kiltz, 2011). In the slides, it is defined (on slide 66) in a similar way as ordinary IND-CPA security, except that, instead of just single messages $m_0$ and $m_1$, the attacker is allowed to submit two vectors of messages $M_0 = (m_0^1, m_0^2, \dots, m_0^t)$ and $M_1 = (m_1^1, m_1^2, \dots, m_1^t)$ of length $t$ to the challenger, where the individual messages $m_0^i$ and $m_1^i$ have the same length for all $i$, and receives a vector of encrypted messages $(E(m_b^1), E(m_b^2), \dots, E(m_b^t))$ in return.

The same slides also contain a proof that mult-CPA security, as defined above, is equivalent to ordinary IND-CPA security. The proof takes the form of a hybrid argument, and essentially shows that, if an attacker can distinguish encrypted vectors of length $t$ in the mult-CPA game with advantage $\epsilon$ over random guessing, then they can also distinguish individual encrypted messages in the ordinary IND-CPA game with advantage $\frac\epsilon t$.