A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware (sPA1) Encryption Scheme [chapter]

Dana Dachman-Soled
2014 Lecture Notes in Computer Science  
We present a construction of a CCA2-secure encryption scheme from a plaintext aware (sPA1), weakly simulatable public key encryption scheme. The notion of plaintext aware, weakly simulatable public key encryption has been considered previously by Myers, Sergi and shelat (SCN, 2012) and natural encryption schemes such as the Damgård Elgamal Scheme (Damgård, Crypto, 1991) and the Cramer-Shoup Lite Scheme (Cramer and Shoup, SIAM J. Comput., 2003) were shown to satisfy these properties. Recently, Myers, Sergi and shelat (SCN, 2012) defined an extension of non-malleable CCA1 security, called cNM-CCA1, and showed how to construct a cNM-CCA1-secure encryption scheme from a plaintext aware and weakly simulatable public key encryption scheme. Our work extends and improves on this result by showing that a full CCA2-secure encryption scheme can be constructed from the same assumptions.

1 A CCA1-encryption scheme is one where the adversary has oracle access to the decryption oracle up to the point that it receives the challenge ciphertext.

2 We can remove the requirement of perfect correctness by using the transformation of [15] to transform a public key encryption scheme with decryption error to a public key encryption scheme with perfect correctness. Note that each transformation in the sequence of transformations given in the proof of Theorem 3 of [15] preserves both simulatability and plaintext awareness of the underlying encryption scheme.

3 We note that prior to the work of [4], Herzog et al. [21] considered a notion of plaintext awareness in the key registration model.
doi:10.1007/978-3-642-54631-0_3 fatcat:44fbm6a67jbijpu6532midiy7q