Amplification of Chosen-Ciphertext Security

Understanding the minimal assumptions from which we can build a publickey encryption scheme secure against chosen-ciphertext attacks (a CCA-secure scheme, for short) is a central question in both practical and theoretical cryptography. Following the large body of work on hardness and correctness amplification, we ask the question of how far we can weaken a CCA-secure encryption scheme so that an efficient construction of a fully CCA-secure scheme from it can still be given. We consider a weak CCA-secure encryption scheme that has decryption error (1 − α)/2 and is only weakly CCA secure in the sense that an adversary can distinguish encryptions of different messages with possibly large advantage β < 1−1/poly. We show that whenever α2 > β, the weak correctness and the weak CCA security properties can be simultaneously amplified to obtain a fully CCA-secure encryption scheme with negligible decryption error. Our approach relies both on a new hardcore lemma for the setting of CCA security, and on an extension of a recently proposed approach to obtain CCA security by Hohenberger, Lewko, and Waters (EUROCRYPT ’12) to handle large decryption errors. Previously, such an amplification result was only known in the simpler case of security against chosen-plaintext attacks, as shown by Dwork, Naor, and Reingold (EUROCRYPT ’04) and by Holenstein and Renner (CRYPTO ’05).