Generic conversions from CPA to CCA without ciphertext expansion for threshold ABE with constant-size ciphertexts

CCA security is desirable when designing encryption schemes because it captures active attackers. One efficient approach for achieving CCA security is to use generic conversions. We first design a CPA secure scheme, and then transform it into a CCA secure scheme using the Fujisaki-Okamoto technique (CRYPTO ’99) in the random oracle model or the Canetti-Halevi-Katz technique (EUROCRYPT ’04) in the standard model if the CPA secure scheme satisfies some conditions. These transformations are generic so they can be applied to encryption primitives such as IBE and ABE. Nevertheless, both techniques result in an inevitable ciphertext expansion. Subsequent generic constructions mainly follow the idea surrounding these two techniques. The ciphertext expansion becomes a tradeoff in the existing conversions where it raises an inherently interesting question: do we have to sacrifice the size of the ciphertext during security transformation for all encryption primitives? In this work we will explore, for the first time, new generic conversions from CPA to CCA security without ciphertext expansion. By utilizing the properties of encryption in a novel way we will show that these generic conversions exist in the encryption primitive; they are called constant-size threshold ABE that satisfy verifiability or delegatability. Given a CPA secure threshold ABE that fulfills this requirement, we can convert it into a CCA secure threshold ABE without increasing the size of the ciphertext, albeit our conversions are restricted to the random oracle model. Our conversions are also applicable for transforming selective CPA to selective CCA security. We also show two instantiations of our conversions and obtain the shortest ciphertexts among all threshold ABE schemes with (selective) CCA security in the literature, even for other expressive access structures in the ABE setting. The ciphertext of the converted CCA secure scheme consists of three group elements only: two elements in group G₁ (or G in symmetric pairing) and one element in group G_T.