(1) Simulation-sound adaptive proofs exist.
(2) The "encrypt-then-prove" construction with a simulation-sound adaptive proof yields CCA security. This appears to be a "folklore" result, but one that has never been proven in the random oracle model. As a corollary, we obtain a new class of CCA-secure encryption schemes.
(3) We show that the Fiat-Shamir transformed Schnorr protocol is _not_ adaptively secure and discuss the implications of this limitation.
Our result not only separates adaptive proofs from proofs of knowledge, but also gives a strong hint as to why Signed ElGamal, the most prominent encrypt-then-prove example, has not been proven CCA-secure without making further assumptions.
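
As an added illustration (not code from the paper), the sketch below shows Signed ElGamal in its commonly described form: an ElGamal ciphertext accompanied by a Fiat-Shamir transformed Schnorr proof of knowledge of the encryption randomness, with decryption refusing any ciphertext whose proof does not verify. The toy group parameters and all function names are assumptions chosen for this example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(a, c1, c2):
    """Fiat-Shamir challenge: hash of the commitment and the whole ciphertext."""
    data = f"{a}|{c1}|{c2}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (x, h = g^x)

def encrypt(h, m):
    """Encrypt-then-prove: ElGamal ciphertext plus Schnorr proof of knowledge of r."""
    r = secrets.randbelow(Q - 1) + 1
    c1, c2 = pow(G, r, P), (m * pow(h, r, P)) % P
    s = secrets.randbelow(Q - 1) + 1          # Schnorr commitment randomness
    a = pow(G, s, P)
    e = challenge(a, c1, c2)
    z = (s + e * r) % Q                       # response binds r to (c1, c2)
    return c1, c2, a, z

def verify(ct):
    """Check g^z == a * c1^e for the challenge recomputed from the ciphertext."""
    c1, c2, a, z = ct
    e = challenge(a, c1, c2)
    return pow(G, z, P) == (a * pow(c1, e, P)) % P

def decrypt(x, ct):
    """Return the plaintext, or None if the attached proof is invalid."""
    if not verify(ct):
        return None
    c1, c2, _, _ = ct
    return (c2 * pow(c1, Q - x, P)) % P       # c1^(Q-x) = c1^(-x), c1 has order Q

def maul(ct, k):
    """Plain-ElGamal homomorphic tweak: scale c2 by k, keep the old proof."""
    c1, c2, a, z = ct
    return c1, (k * c2) % P, a, z
```

With plain ElGamal the output of `maul` would decrypt to `k*m`; here the stale proof fails verification, which is the non-malleability the encrypt-then-prove construction is meant to provide.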
Category / Keywords: foundations / proofs of knowledge, sigma protocols, schnorr, fiat-shamir, metareduction
Original Publication (with major differences): IACR-PKC-2015
Date: received 30 Jun 2015
Contact author: bernhard at cs bris ac uk
Version: 20150701:010314
Short URL: ia.cr/2015/648