Limits on the provable consequences of one-way permutations
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Public-key cryptosystems provably secure against chosen ciphertext attacks
STOC '90 Proceedings of the twenty-second annual ACM symposium on Theory of computing
Encryption-Scheme Security in the Presence of Key-Dependent Messages
SAC '02 Revised Papers from the 9th Annual International Workshop on Selected Areas in Cryptography
An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation
EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security
FOCS '99 Proceedings of the 40th Annual Symposium on Foundations of Computer Science
Foundations of Cryptography: Volume 2, Basic Applications
Foundations of Cryptography: Volume 2, Basic Applications
A Simpler Construction of CCA2-Secure Public-Key Encryption under General Assumptions
Journal of Cryptology
Circular-Secure Encryption from Decision Diffie-Hellman
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
On the (Im)Possibility of Key Dependent Encryption
TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
Fully homomorphic encryption using ideal lattices
Proceedings of the forty-first annual ACM symposium on Theory of computing
Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Black-box circular-secure encryption beyond affine functions
TCC'11 Proceedings of the 8th conference on Theory of cryptography
Key-dependent message security: generic amplification and completeness
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Efficient Fully Homomorphic Encryption from (Standard) LWE
FOCS '11 Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science
Cryptographic agility and its relation to circular encryption
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Bounded key-dependent message security
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
New definitions and separations for circular security
PKC'12 Proceedings of the 15th international conference on Practice and Theory in Public Key Cryptography
Protecting data confidentiality in cloud systems
Proceedings of the Fourth Asia-Pacific Symposium on Internetware
Black-box obfuscation for d-CNFs
Proceedings of the 5th conference on Innovations in theoretical computer science
| Hi-index | 0.00 |
Motivated by recent developments in fully homomorphic encryption, we consider the folklore conjecture that every semantically-secure bit-encryption scheme is circular secure, or in other words, that every bit-encryption scheme remains secure even when the adversary is given encryptions of the individual bits of the private-key. We show the following obstacles to proving this conjecture: 1 We construct a public-key bit-encryption scheme that is plausibly semantically secure, but is not circular secure. The circular security attack manages to fully recover the private-key. The construction is based on an extension of the Symmetric External Diffie-Hellman assumption (SXDH) from bilinear groups, to ℓ-multilinear groups of order p where ℓ≥c ·logp for some c1. While there do exist ℓ-multilinear groups (unconditionally), for ℓ≥3 there are no known candidates for which the SXDH problem is believed to be hard. Nevertheless, there is also no evidence that such groups do not exist. Our result shows that in order to prove the folklore conjecture, one must rule out the possibility that there exist ℓ-multilinear groups for which SXDH is hard. 2 We show that the folklore conjecture cannot be proved using a black-box reduction. That is, there is no reduction of circular security of a bit-encryption scheme to semantic security of that very same scheme that uses both the encryption scheme and the adversary as black-boxes. Both of our negative results extend also to the (seemingly) weaker conjecture that every CCA secure bit-encryption scheme is circular secure. As a final contribution, we show an equivalence between three seemingly distinct notions of circular security for public-key bit-encryption schemes. In particular, we give a general search to decision reduction that shows that an adversary that distinguishes between encryptions of the bits of the private-key and encryptions of zeros can be used to actually recover the private-key.