# Key-Dependent Message Security: Generic Amplification and Completeness

## Abstract

Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret-key sk. Namely, the scheme should remain secure even when messages of the form *f*(sk) are encrypted, where *f* is taken from some function class \(\mathcal{F}\). A KDM *amplification* procedure takes an encryption scheme which satisfies \(\mathcal{F}\)-KDM security, and boosts it into a \(\mathcal{G}\)-KDM secure scheme, where the function class \(\mathcal{G}\) should be richer than \(\mathcal{F}\). It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010) that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties.

In this work, we prove the first *generic* KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (a.k.a. *projections*) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of most known KDM constructions, including ones that could not be amplified before.

Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under a strong notion of KDM security, the existence of fully homomorphic encryption that allows encrypting the secret key (i.e., “cyclic-secure”) is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adopting Gentry’s bootstrapping technique (STOC 2009) to the KDM setting.
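The projection class and the KDM game from the abstract can be made concrete with a toy, single-key, symmetric-key instance. This is an added example, not code from the paper: the hash-based stream scheme, the contrived `leaky_enc` variant (the textbook scheme that reveals the key only when asked to encrypt it), and all names are assumptions chosen for illustration.

```python
import hashlib, secrets

N = 64                      # toy key length in bits (constructed for the demo)
MARK = b"\x00" * 16         # nonce value the contrived scheme uses when it leaks

def apply_projection(proj, key):
    # proj holds one (index, flip) pair per output bit: each output bit
    # copies (flip=0) or flips (flip=1) a single bit of the key.
    return [key[i] ^ flip for i, flip in proj]

def pad(key, nonce, n):
    # SHA-256 used as a toy keystream (n <= 256 bits); not a vetted cipher.
    d = hashlib.sha256(bytes(key) + nonce).digest()
    return [(d[j // 8] >> (j % 8)) & 1 for j in range(n)]

def enc(key, msg):
    nonce = secrets.token_bytes(16)
    return nonce, [m ^ p for m, p in zip(msg, pad(key, nonce, len(msg)))]

def dec(key, ct):
    nonce, body = ct
    return [c ^ p for c, p in zip(body, pad(key, nonce, len(body)))]

def leaky_enc(key, msg):
    # Contrived variant: behaves like enc() unless the message equals the key.
    # Without key-dependent queries that branch is hit only by guessing the key.
    return (MARK, list(msg)) if msg == key else enc(key, msg)

def kdm_game(encrypt, adversary):
    # Oracle encrypts f(sk) if b == 1, else zeros of the same length.
    key = [secrets.randbelow(2) for _ in range(N)]
    b = secrets.randbelow(2)
    def oracle(proj):
        msg = apply_projection(proj, key) if b else [0] * len(proj)
        return encrypt(key, msg)
    return adversary(oracle) == b

IDENTITY = [(i, 0) for i in range(N)]    # the projection f(sk) = sk

def adversary(oracle):
    nonce, _ = oracle(IDENTITY)          # one key-dependent query
    return 1 if nonce == MARK else 0

def wins(encrypt, trials=400):
    return sum(kdm_game(encrypt, adversary) for _ in range(trials))

if __name__ == "__main__":
    print("leaky scheme:", wins(leaky_enc), "/ 400")
    print("plain scheme:", wins(enc), "/ 400")
```

The same adversary guesses correctly in every game against `leaky_enc` but only about half the time against `enc`, which is why security under key-dependent queries has to be stated and proved separately from ordinary chosen-plaintext security.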

## Key words

Key-dependent message, Cyclic-security, Randomized encoding, Garbled circuits

## Notes

### Acknowledgement

We thank Iftach Haitner, Yuval Ishai, and the anonymous referees for their helpful comments.

## References

- [1] M. Abadi, P. Rogaway, Reconciling two views of cryptography (the computational soundness of formal encryption). *J. Cryptol.* **20**(3), 395 (2007)
- [2] T. Acar, M. Belenkiy, M. Bellare, D. Cash, Cryptographic agility and its relation to circular encryption, in *Advances in Cryptology—EUROCRYPT 2010* (2010), pp. 403–422
- [3] P. Adão, G. Bana, J. Herzog, A. Scedrov, Soundness and completeness of formal encryption: the cases of key cycles and partial information leakage. *J. Comput. Secur.* **17**(5), 737–797 (2009)
- [4] B. Applebaum, Y. Ishai, E. Kushilevitz, Computationally private randomizing polynomials and their applications. *J. Comput. Complex.* **15**(2), 115–162 (2006)
- [5] B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(\mathrm{NC}^0\). *SIAM J. Comput.* **36**(4), 845–888 (2006)
- [6] B. Applebaum, D. Cash, C. Peikert, A. Sahai, Fast cryptographic primitives and circular-secure encryption based on hard learning problems, in *Advances in Cryptology—CRYPTO 2009* (2009), pp. 595–618
- [7] M. Backes, B. Pfitzmann, A. Scedrov, Key-dependent message security under active attacks—BRSIM/UC-soundness of symbolic encryption with key cycles, in *Proceedings of 20th IEEE Computer Security Foundation Symposium (CSF)* (2007)
- [8] M. Backes, M. Dürmuth, D. Unruh, OAEP is secure under key-dependent messages, in *Advances in Cryptology—ASIACRYPT 2008* (2008), pp. 506–523
- [9] B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in *Advances in Cryptology—EUROCRYPT 2010* (2010), pp. 423–444
- [10] A. Beimel, A. Gál, On arithmetic branching programs. *J. Comput. Syst. Sci.* **59**(2), 195–220 (1999)
- [11] J. Black, P. Rogaway, T. Shrimpton, Encryption-scheme security in the presence of key-dependent messages, in *SAC 2002: 9th Annual International Workshop on Selected Areas in Cryptography* (2002), pp. 62–75
- [12] D. Boneh, S. Halevi, M. Hamburg, R. Ostrovsky, Circular-secure encryption from decision Diffie–Hellman, in *Advances in Cryptology—CRYPTO 2008* (2008), pp. 108–125
- [13] Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back), in *Advances in Cryptology—CRYPTO 2010* (2010), pp. 1–20
- [14] Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in *52nd Annual Symposium on Foundations of Computer Science (FOCS)* (2011), pp. 97–106
- [15] Z. Brakerski, S. Goldwasser, Y. Kalai, Circular-secure encryption beyond affine functions, in *TCC 2011: 8th Theory of Cryptography Conference* (2011)
- [16] J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in *Advances in Cryptology—EUROCRYPT 2001* (2001), pp. 93–118
- [17] J. Camenisch, N. Chandran, V. Shoup, A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks, in *Advances in Cryptology—EUROCRYPT 2009* (2009), pp. 351–368
- [18] R. Cramer, S. Fehr, Y. Ishai, E. Kushilevitz, Efficient multi-party computation over rings, in *Advances in Cryptology—EUROCRYPT 2003* (2003), pp. 596–613
- [19] D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography (extended abstract), in *23rd Annual ACM Symposium on Theory of Computing (STOC)* (1991), pp. 542–552
- [20] S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts, *Commun. Assoc. Comput. Mach.* **28** (1985)
- [21] C. Gentry, Fully homomorphic encryption using ideal lattices, in *41st Annual ACM Symposium on Theory of Computing (STOC)* (2009), pp. 169–178
- [22] C. Gentry, S. Halevi, Fully homomorphic encryption without squashing using depth-3 arithmetic circuits, in *52nd Annual Symposium on Foundations of Computer Science (FOCS)* (2011), pp. 107–109
- [23] Y. Gertner, S. Kannan, T. Malkin, O. Reingold, M. Viswanathan, The relationship between public key encryption and oblivious transfer, in *41st Annual Symposium on Foundations of Computer Science (FOCS)* (2000)
- [24] O. Goldreich, *Foundations of Cryptography: Basic Tools* (Cambridge University Press, Cambridge, 2001)
- [25] O. Goldreich, *Foundations of Cryptography: Basic Applications* (Cambridge University Press, Cambridge, 2004)
- [26] S. Goldwasser, S. Micali, Probabilistic encryption. *J. Comput. Syst. Sci.* **28**(2), 270–299 (1984)
- [27] I. Haitner, T. Holenstein, On the (im)possibility of key dependent encryption, in *TCC 2009: 6th Theory of Cryptography Conference* (2009), pp. 202–219
- [28] S. Halevi, H. Krawczyk, Security under key-dependent inputs, in *ACM CCS 07: 14th Conference on Computer and Communications Security* (2007), pp. 466–475
- [29] D. Hofheinz, D. Unruh, Towards key-dependent message security in the standard model, in *Advances in Cryptology—EUROCRYPT 2008* (2008), pp. 108–126
- [30] R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in *Advances in Cryptology—CRYPTO’88* (1988), pp. 8–26
- [31] Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in *41st Annual Symposium on Foundations of Computer Science (FOCS)* (2000), pp. 294–304
- [32] Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in *ICALP 2002: 29th International Colloquium on Automata, Languages and Programming* (2002), pp. 244–256
- [33] M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in *22nd Annual ACM Symposium on Theory of Computing (STOC)* (1990), pp. 427–437
- [34] M. Rabin, Digitalized signatures and public key functions as intractable as factoring. Tech. Rep. 212, LCS, MIT, 1979
- [35] C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in *Advances in Cryptology—CRYPTO’91* (1991), pp. 433–444
- [36] V. Vaikuntanathan, Computing blind folded: new developments in fully homomorphic encryption, in *52nd Annual Symposium on Foundations of Computer Science (FOCS)* (2011), pp. 5–16
- [37] A.C. Yao, How to generate and exchange secrets, in *27th Annual Symposium on Foundations of Computer Science (FOCS)* (1986), pp. 162–167