Compact CCA-Secure Encryption With Ciphertext Verifiability
While CCA-secure encryption schemes that provide ciphertext indistinguishability offer the strongest form of message secrecy, the integrity of the ciphertext is often overlooked. Most practical applications require that the ciphertext be verifiable with respect to the decrypted message, in order to check whether the ciphertext components are intact after traveling through insecure channels. In this paper, the authors first point out that all the existing schemes with compact ciphertext provide ciphertext indistinguishability but do not provide ciphertext verification during the decryption process. Thus, while the adversary does not gain any knowledge about the message, he is capable of altering the ciphertext into another ciphertext which will decrypt to an arbitrary message.