Amplification of chosen-ciphertext security

Abstract

A central question in the theory of public-key cryptography is to determine which minimal assumptions are sufficient to achieve security against chosen-ciphertext attacks (or CCA-security, for short). Following the large body of work on hardness and correctness amplification, we investigate how far we can weaken CCA security and still be able to efficiently transform any scheme satisfying such a weaker notion into a fully CCA-secure one. More concretely, we consider a weak CCA-secure bit-encryption scheme with decryption error (1 - α)/2 where an adversary can distinguish encryptions of different messages with possibly large advantage β < 1 - 1/poly. We show that whenever α2 > β, the weak correctness and security properties can be simultaneously amplified to obtain a fully CCA-secure encryption scheme with negligible decryption error. Our approach relies both on a new hardcore lemma for CCA security as well as on revisiting the recently proposed approach to obtain CCA security due to Hohenberger et al (EUROCRYPT '12). We note that such amplification results were only known in the simpler case of security against chosen-plaintext attacks. © 2013 International Association for Cryptologic Research.