Shortening Ciphertext Length Of Bounded-CCA2Security And Building Bounded-CCA2Scheme Based On PDLP

In provably secure public key encryption system, the attacks are divided into cho-sen plaintext attack(CPA) and chosen ciphertext attack(CCA) based on the adversarycapacity.In public key encryption system, the adversary can always arbitrary queriesthe encryption oracle.So the chosen plaintext attack is trivial. CPA security is the mostbasic safety requirements for the public-key encryption. The chosen ciphertext attackbecomesthesafetystandardsinpublickeyencryptionsystem. Chosenciphertextattackis divided into two types: non-adaptive chosen ciphertext attack(CCA1) and adaptivechosen ciphertext attack(CCA2). The diference between them is the CCA2adversarycan access the decryption oracle after he sees the challenge ciphertext. CCA1is calledlunch attack. CCA2is named as breakfast attack.Security objectives for public key en-cryptionsystemisgenerallydividedintociphertextindistinguishability(IND),semanticsecurity(SS) and non-malleable(NM). Now it is conclusion that in many cases cipher-text indistinguishability is equivalent to semantic security. The ciphertext indistin-guishability is equivalent to the non-malleable under CCA2attacks.Generally,public key encryption needs IND-CCA2security. We can easily buildtheIND-CPAsecuritysystem. ItisopenthathowtobuildanIND-CCAschemefromanIND-CPA scheme. In [1], a Bounded-CCA2concept which is weaker than IND-CCA2was showed. The model is limited a priority-number times to query the decryptionoracle. The argument needs to set in advance. This paper put forward a black-boxscheme that can build a IND-q-CCA scheme from a IND-CPA scheme. However intheir scheme, the ciphertext length is quadratic with the query. This security modelis not applicable on all occasions. But in some specifc occasion is applicable,such as multi-party computation. The IND-q-CCA scheme is simpler and more efcient thanIND-CCA scheme. So the security model has some theoretical value and practicalsignifcance.As the ciphertext is too long and the encryption efciency is not high, we pro-pose the use of AONT(All-Or-Nothing Transform)to improve the encryption efcien-cy. AONT is a reversible randomized conversion(T). If we know the all output of thetransformation, wecanfndthepreimage, butnotcompletelyknow(thresholdl)theout-put value, you cannot know any information about preimage. We can use AONT intothe original encryption scheme. The plaintext length is shorten to increase the encryp-tion efciency. One thing to note is the efciency of AONT is high. So a small amountofincreaseintheoriginalscheme. Atthesametime, wewilldiscusshowtheparameterin AONT afect the original scheme to get the optimal ones. Partial discrete logarithmproblem(PDLP)is a difcult problem. We will build a IND-q-CCA scheme based onPDLP. This scheme is better than Cramer’s black-box construction. The efciency isincreased. The scheme is also take advantage of the cover-free family to satisfy theIND-q-CCA security. This scheme also takes advantage of hybrid encryption systemto get the fnal ciphertext. The proof is similar to the Cramer’s.The paper made the following work.1using the exposed-resistance function pro-totypetoconstructtheAONTtransformation.2usingAONTtoimprovetheencryptionefciency in Cramer’s scheme and to shorten the length of ciphertext.3discussing andoptimizing the parameters of AONT to get the best result.4simplify Pascal Paillier’sIND-CPA encryption scheme based on composite degree residuosity class.5build-ing the IND-q-CCA scheme based on partial discrete logarithm problem.6discuss thesafety and efciency of the scheme.