Advances in Cryptology — ASIACRYPT 2001

Volume 2248 of the series Lecture Notes in Computer Science, pp. 351-368


Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks

  • Pierre-Alain Fouque, affiliated with Département d’Informatique, École Normale Supérieure
  • David Pointcheval, affiliated with Département d’Informatique, École Normale Supérieure


Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give the power of decryption to a single person. Threshold cryptosystems therefore aim at distributing the decryption ability. However, only two efficient such schemes achieving IND-CCA have been proposed so far. Both are El Gamal-like schemes and thus are based on the same intractability assumption, namely the Decisional Diffie-Hellman problem.

In this article we rehabilitate the twin-encryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) IND-CPA schemes into (threshold) IND-CCA ones in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of a threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.


Keywords: Threshold Cryptosystems, Chosen-Ciphertext Attacks
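The abstract's remark that homomorphic cryptosystems are malleable, and therefore not CCA secure on their own, can be seen with textbook (non-threshold) Paillier. The following is an added illustration, not code from the paper and not the paper's conversion; the toy primes, function names and the oracle model are constructed assumptions.

```python
import math
import secrets

P, Q = 1009, 1013  # constructed toy primes, far too small for real use

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return (n, n + 1), (lam, mu)

def encrypt(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def shift(pk, c, delta):
    """Public-key-only transform: Enc(m) -> Enc(m + delta mod n)."""
    n, g = pk
    return c * pow(g, delta, n * n) % (n * n)

def make_cca_oracle(pk, sk, challenge):
    """Decryption oracle of the IND-CCA game: refuses only the challenge."""
    def oracle(c):
        if c == challenge:
            raise ValueError("challenge ciphertext refused")
        return decrypt(pk, sk, c)
    return oracle

def recover_via_malleability(pk, challenge, oracle, delta=1):
    """Query a related ciphertext, then undo the known shift."""
    n, _ = pk
    return (oracle(shift(pk, challenge, delta)) - delta) % n

if __name__ == "__main__":
    pk, sk = keygen()
    c = encrypt(pk, 4242)
    oracle = make_cca_oracle(pk, sk, c)
    print(recover_via_malleability(pk, c, oracle))  # 4242
```

The oracle never decrypts the challenge itself, yet the plaintext is recovered, which is why a scheme that keeps homomorphic properties needs an additional validity check on ciphertexts before it can reach IND-CCA.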