Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks

Whether it is possible to construct a chosen ciphertext secure (CCA secure) public key encryption (PKE) scheme only from a chosen plaintext secure (CPA secure) one is a fundamental open problem, and the best known positive results regarding this problem are the constructions of so-called bounded CCA secure schemes. Since we can achieve the best possible security in the bounded CCA security notions, in order to further tackle the problem, we would need other new security notions that capture intermediate security notions that lie between CPA and CCA security. Motivated by this situation, we focus on “parallel” decryption queries (originally introduced by Bellare and Sahai) for the extension of bounded CCA security, and introduce a new security notion which we call mixed CCA security. It captures security against adversaries that make single and parallel decryption queries in a predetermined order, where each parallel query can contain unboundedly many ciphertexts. Moreover, how the decryption oracle is available before and after the challenge is also taken into account in this new security definition, which enables us to capture existing major security notions that lie between CPA and CCA security in a unified security notion. We investigate the relations among mixed CCA security notions, and show a necessary and sufficient condition of implications/separations between any two notions in mixed CCA security. We also show two black-box constructions of PKE schemes with improved security only using CPA secure schemes as building blocks.