One approach toward basing public-key encryption (PKE) schemes on weak and credible assumptions is to build “stronger” or more general schemes generically from “weaker” or more restricted ones. One particular line of work in this context was initiated by Myers and Shelat (FOCS ’09) and continued by Hohenberger, Lewko, and Waters (Eurocrypt ’12), who provide constructions of multi-bit CCA-secure PKE from single-bit CCA-secure PKE. It is well known that encrypting each bit of a plaintext string independently is not CCA-secure—the resulting scheme is malleable. We therefore investigate whether this malleability can be dealt with using the conceptually simple approach of applying a suitable non-malleable code (Dziembowski et al., ICS ’10) to the plaintext and subsequently encrypting the resulting codeword bit by bit. We find that an attacker’s ability to ask multiple decryption queries requires that the underlying code be continuously non-malleable (Faust et al., TCC ’14). Since, as we show, this flavor of non-malleability can only be achieved if the code is allowed to “self-destruct,” the resulting scheme inherits this property and therefore only achieves a weaker variant of CCA security. We formalize this new notion of so-called indistinguishability under self-destruct attacks (IND-SDA) as CCA security with the restriction that the decryption oracle stops working once the attacker submits an invalid ciphertext. We first show that the above approach based on non-malleable codes yields a solution to the problem of domain extension for IND-SDA-secure PKE, provided that the underlying code is continuously non-malleable against (a reduced form of) bit-wise tampering. Then, we prove that the code of Dziembowski et al. is actually already continuously non-malleable against bit-wise tampering. We further investigate the notion of security under self-destruct attacks and combine IND-SDA security with non-malleability under chosen-ciphertext attacks (NM-CPA) to obtain the strictly stronger notion of non-malleability under self-destruct attacks (NM-SDA). We show that NM-SDA security can be obtained from basic IND-CPA security by means of a black-box construction based on the seminal work by Choi et al. (TCC ’08). Finally, we provide a domain extension technique for building a multi-bit NM-SDA scheme from a single-bit NM-SDA scheme. To achieve this goal, we define and construct a novel type of continuous non-malleable code, called secret-state NMC, since, as we show, standard continuous NMCs are insufficient for the natural “encode-then-encrypt-bit-by-bit” approach to work.

中文翻译：

---

不可延展的加密：更简单、更短、更强

将公钥加密 (PKE) 方案建立在弱且可信的假设基础上的一种方法是从“较弱”或更受限制的方案中构建“更强”或更通用的方案。Myers 和 Shelat (FOCS '09) 发起了在此上下文中的一项特定工作，并由 Hohenberger、Lewko 和 Waters (Eurocrypt '12) 继续，他们提供了从单比特 CCA 构建多比特 CCA 安全 PKE - 安全的PKE。众所周知，单独加密明文字符串的每一位并不是 CCA 安全的——由此产生的方案是可塑的。因此，我们研究是否可以使用概念上简单的方法来处理这种延展性，该方法将合适的非延展性代码（Dziembowski 等，ICS '10）应用于明文，然后逐位加密生成的代码字。我们发现攻击者要求多个解密查询的能力要求底层代码持续不可延展（Faust 等人，TCC '14）。由于，正如我们所展示的，只有在允许代码“自毁”的情况下才能实现这种不可延展性，因此最终方案继承了这个属性，因此只能实现 CCA 安全性的较弱变体。我们将这种所谓的自毁攻击下的不可区分性 (IND-SDA) 的新概念形式化为 CCA 安全性，其限制是一旦攻击者提交无效的密文，解密预言机就会停止工作。我们首先表明，上述基于不可延展代码的方法可以解决 IND-SDA 安全 PKE 的域扩展问题，前提是底层代码对​​于（一种简化形式的）逐位篡改是持续不可延展的。然后，我们证明 Dziembowski 等人的代码。实际上对于逐位篡改已经是连续不可延展的。我们进一步研究了自毁攻击下的安全性概念，并将 IND-SDA 安全性与选择密文攻击下的非延展性 (NM-CPA) 相结合，以获得严格更强的自毁攻击下的非延展性概念 (NM- SDA）。我们表明，NM-SDA 安全性可以通过基于 Choi 等人的开创性工作的黑盒构造从基本的 IND-CPA 安全性中获得。(TCC '08)。最后，我们提供了一种域扩展技术，用于从单比特 NM-SDA 方案构建多比特 NM-SDA 方案。为了实现这一目标，