Amplification of Chosen-Ciphertext Security
A central question in the theory of public-key cryptography is to determine which minimal assumptions are sufficient to achieve security against chosen-ciphertext attacks (or CCA-security, for short). Following the large body of work on hardness and correctness amplification, we investigate how far we can weaken CCA security and still be able to efficiently transform any scheme satisfying such a weaker notion into a fully CCA-secure one.
More concretely, we consider a weak CCA-secure bit-encryption scheme with decryption error (1 − α)/2 where an adversary can distinguish encryptions of different messages with possibly large advantage β < 1 − 1/poly. We show that whenever α² > β, the weak correctness and security properties can be simultaneously amplified to obtain a fully CCA-secure encryption scheme with negligible decryption error. Our approach relies both on a new hardcore lemma for CCA security and on revisiting the recently proposed approach to obtain CCA security due to Hohenberger et al. (EUROCRYPT ’12).
We note that such amplification results were only known in the simpler case of security against chosen-plaintext attacks.