We show how to construct a public-key cryptosystem
that is semantically secure against chosen ciphertext attacks in
the following sense: the attackers get to encrypt or decrypt any sequence
of plaintexts/ciphertexts of their choice. Then they are faced with a challenge:
distinguish between the ciphertexts of two messages (again of their choice).
The attackers should not have any non-negligible advantage in distinguishing
the ciphertexts. Such an attack is known as 'chosen ciphertext in the preprocessing
mode' or 'lunchtime'. It is relevant in many situations, e.g. proving identification
based on the ability to decrypt.
The construction is based on (i) a public-key cryptosystem secure against passive eavesdropping and (ii) a non-interactive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before.