A Twist on the Naor-Yung Paradigm and Its Application to E cient CCA-Secure Encryption from Hard Search Problems

The Naor-Yung (NY) paradigm shows how to build a chosen-ciphertext secure encryption scheme from three conceptual ingredients: a weakly (i.e., IND-CPA) secure encryption scheme, a replication strategy that speci es how to use the weakly secure encryption scheme; concretely, a NY-encryption contains several weak encryptions of the same plaintext, a non-interactive zero-knowledge (NIZK) proof system to show that a given ciphertext is consistent, i.e., contains weak encryptions of the same plaintext. The NY paradigm served both as a breakthrough proof-of-concept, and as an inspiration to subsequent constructions. However, the NY construction leads to impractical encryption schemes, due to the usually prohibitively expensive NIZK proof. In this contribution, we give a variant of the NY paradigm that leads to practical, fully IND-CCA secure encryption schemes whose security can be based on a generic class of algebraic complexity assumptions. Our approach re nes NY's approach as follows: Our sole computational assumption is that of a Di e-Hellman (DH) type twomove key exchange protocol, interpreted as a weakly secure key encapsulation mechanism (KEM). Our replication strategy is as follows. Key generation consists of replicating the KEM several times, but only the rst pass. Encryption then consists of performing the second pass with respect to all of these, but with the same random coins in each instance. For proving consistency of a given ciphertext, we employ a practical universal hash proof system, case-tailored to our KEM and replication strategy. We instantiate our paradigm both from computational Di e-Hellman (CDH) and from RSA type assumptions. This way, practical IND-CCA secure encryption schemes based on search problems can be built and explained in a generic, NY-like fashion. We would like to stress that while we generalize universal hash proof systems as a proof system, we do not follow or generalize the approach of Cramer and Shoup to build INDCCA secure encryption. Their approach uses speci c hash proof systems that feature, on top of a NIZK property, a computational indistinguishability property. Hence they necessarily build upon decisional assumptions, whereas we show how to implement our approach with search assumptions. Our approach uses hash proof systems in the NY way, namely solely as a device to prove consistency. In our case, secrecy is provided by the weak encryption component, which allows us to embed search problems.