Chosen Ciphertext Security from Zero Knowledge Proofs
Date
2023-08-24
Authors
Steckel, Camryn
Advisor
Stebila, Douglas
Publisher
University of Waterloo
Abstract
When designing encryption schemes, there are different levels of security that one can achieve. Of the two main security levels, cryptographers generally strive for the stronger notion of chosen ciphertext attack (CCA) security, which considers attackers who have the ability to obtain decryptions of their choice, over the weaker notion of chosen plaintext attack (CPA) security, which only considers attackers who have encryption abilities. However, it is much easier to find public key encryption schemes (PKEs) that satisfy CPA security. For this reason, a common technique for developing CCA-secure PKEs is to apply a CPA-to-CCA transformation to an existing CPA-secure PKE. The general idea behind such a transform is to somehow ensure that anyone who is capable of producing a valid ciphertext must already know the corresponding plaintext, which renders the additional powers that a CCA adversary has over a CPA adversary entirely useless.
All existing transforms achieve this property by performing a re-encryption check in the decryption algorithm. However, this leaves the resulting PKE vulnerable to side-channel attacks, which can be used to carry out chosen ciphertext attacks on the underlying PKE.
In this thesis, we present a generic CPA-to-CCA transform that uses a zero-knowledge proof of knowledge in place of a re-encryption check. We prove security of our generic construction in the random oracle model, and we provide an instantiation of it using existing schemes. For the instantiation, we use ElGamal as our underlying PKE, and an application of Fischlin's transformation to a variant of Schnorr's protocol for our zero-knowledge proof of knowledge, and prove that these protocols satisfy the required security definitions.
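The re-encryption check mentioned in the abstract can be made concrete with a simplified sketch over textbook ElGamal. This is an added example, not code from the thesis and not its zero-knowledge construction. The toy group parameters, the `derive_r` hash-to-randomness helper and all function names are assumptions made for illustration, and the scheme is not secure as written.

```python
import hashlib

# Toy group, constructed for illustration only (far too small for real use).
P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def derive_r(m):
    """Hash the plaintext to encryption randomness in [1, Q-1] (random-oracle stand-in)."""
    digest = hashlib.sha256(b"reenc-demo|" + str(m).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def keygen(sk):
    return sk, pow(G, sk, P)

def enc_cpa(pk, m, r):
    """Textbook ElGamal with explicit randomness r."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def dec_cpa(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P   # c1 has order Q, so c1^(Q-sk) = c1^(-sk)

def maul(c, k):
    """ElGamal malleability: turn Enc(m) into Enc(m * G^k) without knowing m."""
    c1, c2 = c
    return c1, (c2 * pow(G, k, P)) % P

def enc_checked(pk, m):
    return enc_cpa(pk, m, derive_r(m))

def dec_checked(sk, pk, c):
    """Decrypt, then re-encrypt the result and compare with the received ciphertext."""
    m = dec_cpa(sk, c)
    # This re-encrypt-and-compare step is the check the abstract says exposes
    # decryption to side-channel attacks.
    if enc_cpa(pk, m, derive_r(m)) != c:
        return None                        # reject: sender did not derive r from m
    return m

if __name__ == "__main__":
    sk, pk = keygen(123)
    m = pow(G, 77, P)
    c = enc_checked(pk, m)
    print(dec_checked(sk, pk, c) == m)      # honest ciphertext
    print(dec_cpa(sk, maul(c, 5)))          # plain ElGamal decrypts the mauled ciphertext
    print(dec_checked(sk, pk, maul(c, 5)))  # result of the re-encryption check
```

Plain ElGamal decrypts the mauled ciphertext to a related plaintext, while the checked decryption rejects it because the randomness no longer matches the hash of the recovered message.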