Journal of Cryptology, Volume 27, Issue 3, pp 429–451

Key-Dependent Message Security: Generic Amplification and Completeness

  • Benny Applebaum


Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret-key sk. Namely, the scheme should remain secure even when messages of the form f(sk) are encrypted, where f is taken from some function class \(\mathcal{F}\). A KDM amplification procedure takes an encryption scheme which satisfies \(\mathcal{F}\)-KDM security, and boosts it into a \(\mathcal{G}\)-KDM secure scheme, where the function class \(\mathcal{G}\) should be richer than \(\mathcal{F}\). It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010) that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties.

In this work, we prove the first generic KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (a.k.a. projections) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of most known KDM constructions, including ones that could not be amplified before.

Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under a strong notion of KDM security, the existence of fully homomorphic encryption that allows encrypting the secret key (i.e., “cyclic-secure”) is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adapting Gentry’s bootstrapping technique (STOC 2009) to the KDM setting.
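The KDM game and the projection class described in the abstract can be made concrete; the following is an added illustration, not code from the paper. The toy HMAC-based stream scheme, its deliberately contrived variant `enc_contrived`, and all function names are assumptions constructed here: the variant behaves like the base scheme under ordinary chosen-plaintext queries yet loses KDM security against projections.

```python
import hashlib, hmac, os

KEY_BITS = 128  # toy parameter, constructed for this example

def keystream(key, nonce, n):
    # PRF keystream: HMAC-SHA256(key, nonce || counter), truncated to n bytes
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, msg):
    nonce = os.urandom(16)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))

def dec(key, ct):
    return xor(ct[16:], keystream(key, ct[:16], len(ct) - 16))

def enc_contrived(key, msg):
    # Same as enc on every message except msg == key, which a CPA attacker
    # (who does not know key) submits only with negligible probability.
    return bytes(16) + key if msg == key else enc(key, msg)

def project(proj, key):
    # proj holds one (key_bit_index, flip) pair per output bit (a projection)
    bits = [((key[i // 8] >> (7 - i % 8)) & 1) ^ flip for i, flip in proj]
    return bytes(int("".join(map(str, bits[j:j + 8])), 2) for j in range(0, len(bits), 8))

IDENTITY = [(i, 0) for i in range(KEY_BITS)]  # every output bit copies a key bit
FLIP_ALL = [(i, 1) for i in range(KEY_BITS)]  # every output bit flips a key bit

def kdm_oracle(encrypt, key, b):
    # b = 1: encrypt f(sk); b = 0: encrypt an all-zero string of the same length
    def query(proj):
        m = project(proj, key)
        return encrypt(key, m if b else bytes(len(m)))
    return query

def adversary(query):
    # Output 1 ("real") iff the payload of Enc(IDENTITY(sk)) decrypts a second
    # KDM ciphertext, Enc(FLIP_ALL(sk)), to its own bitwise complement.
    guess = query(IDENTITY)[16:]
    return int(dec(guess, query(FLIP_ALL)) == project(FLIP_ALL, guess))

def play(encrypt, b):
    # One run of the game with a fresh random key; returns the adversary's guess
    return adversary(kdm_oracle(encrypt, os.urandom(KEY_BITS // 8), b))
```

Against `enc_contrived` the adversary's guess equals `b` in both modes, while against `enc` it outputs 0 regardless of `b` and so gains nothing.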

Key words

Key-dependent message, Cyclic-security, Randomized encoding, Garbled circuits



We thank Iftach Haitner, Yuval Ishai, and the anonymous referees for their helpful comments.


  1. M. Abadi, P. Rogaway, Reconciling two views of cryptography (the computational soundness of formal encryption). J. Cryptol. 20(3), 395 (2007)
  2. T. Acar, M. Belenkiy, M. Bellare, D. Cash, Cryptographic agility and its relation to circular encryption, in Advances in Cryptology—EUROCRYPT 2010 (2010), pp. 403–422
  3. P. Adão, G. Bana, J. Herzog, A. Scedrov, Soundness and completeness of formal encryption: the cases of key cycles and partial information leakage. J. Comput. Secur. 17(5), 737–797 (2009)
  4. B. Applebaum, Y. Ishai, E. Kushilevitz, Computationally private randomizing polynomials and their applications. J. Comput. Complex. 15(2), 115–162 (2006)
  5. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in NC0. SIAM J. Comput. 36(4), 845–888 (2006)
  6. B. Applebaum, D. Cash, C. Peikert, A. Sahai, Fast cryptographic primitives and circular-secure encryption based on hard learning problems, in Advances in Cryptology—CRYPTO 2009 (2009), pp. 595–618
  7. M. Backes, B. Pfitzmann, A. Scedrov, Key-dependent message security under active attacks—BRSIM/UC-soundness of symbolic encryption with key cycles, in Proceedings of 20th IEEE Computer Security Foundation Symposium (CSF) (2007)
  8. M. Backes, M. Dürmuth, D. Unruh, OAEP is secure under key-dependent messages, in Advances in Cryptology—ASIACRYPT 2008 (2008), pp. 506–523
  9. B. Barak, I. Haitner, D. Hofheinz, Y. Ishai, Bounded key-dependent message security, in Advances in Cryptology—EUROCRYPT 2010 (2010), pp. 423–444
  10. A. Beimel, A. Gál, On arithmetic branching programs. J. Comput. Syst. Sci. 59(2), 195–220 (1999)
  11. J. Black, P. Rogaway, T. Shrimpton, Encryption-scheme security in the presence of key-dependent messages, in SAC 2002: 9th Annual International Workshop on Selected Areas in Cryptography (2002), pp. 62–75
  12. D. Boneh, S. Halevi, M. Hamburg, R. Ostrovsky, Circular-secure encryption from decision Diffie–Hellman, in Advances in Cryptology—CRYPTO 2008 (2008), pp. 108–125
  13. Z. Brakerski, S. Goldwasser, Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back), in Advances in Cryptology—CRYPTO 2010 (2010), pp. 1–20
  14. Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, in 52nd Annual Symposium on Foundations of Computer Science (FOCS) (2011), pp. 97–106
  15. Z. Brakerski, S. Goldwasser, Y. Kalai, Circular-secure encryption beyond affine functions, in TCC 2011: 8th Theory of Cryptography Conference (2011)
  16. J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in Advances in Cryptology—EUROCRYPT 2001 (2001), pp. 93–118
  17. J. Camenisch, N. Chandran, V. Shoup, A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks, in Advances in Cryptology—EUROCRYPT 2009 (2009), pp. 351–368
  18. R. Cramer, S. Fehr, Y. Ishai, E. Kushilevitz, Efficient multi-party computation over rings, in Advances in Cryptology—EUROCRYPT 2003 (2003), pp. 596–613
  19. D. Dolev, C. Dwork, M. Naor, Non-malleable cryptography (extended abstract), in 23rd Annual ACM Symposium on Theory of Computing (STOC) (1991), pp. 542–552
  20. S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts. Commun. Assoc. Comput. Mach. 28 (1985)
  21. C. Gentry, Fully homomorphic encryption using ideal lattices, in 41st Annual ACM Symposium on Theory of Computing (STOC) (2009), pp. 169–178
  22. C. Gentry, S. Halevi, Fully homomorphic encryption without squashing using depth-3 arithmetic circuits, in 52nd Annual Symposium on Foundations of Computer Science (FOCS) (2011), pp. 107–109
  23. Y. Gertner, S. Kannan, T. Malkin, O. Reingold, M. Viswanathan, The relationship between public key encryption and oblivious transfer, in 41st Annual Symposium on Foundations of Computer Science (FOCS) (2000)
  24. O. Goldreich, Foundations of Cryptography: Basic Tools (Cambridge University Press, Cambridge, 2001)
  25. O. Goldreich, Foundations of Cryptography: Basic Applications (Cambridge University Press, Cambridge, 2004)
  26. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
  27. I. Haitner, T. Holenstein, On the (im)possibility of key dependent encryption, in TCC 2009: 6th Theory of Cryptography Conference (2009), pp. 202–219
  28. S. Halevi, H. Krawczyk, Security under key-dependent inputs, in ACM CCS 07: 14th Conference on Computer and Communications Security (2007), pp. 466–475
  29. D. Hofheinz, D. Unruh, Towards key-dependent message security in the standard model, in Advances in Cryptology—EUROCRYPT 2008 (2008), pp. 108–126
  30. R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in Advances in Cryptology—CRYPTO’88 (1988), pp. 8–26
  31. Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in 41st Annual Symposium on Foundations of Computer Science (FOCS) (2000), pp. 294–304
  32. Y. Ishai, E. Kushilevitz, Perfect constant-round secure computation via perfect randomizing polynomials, in ICALP 2002: 29th International Colloquium on Automata, Languages and Programming (2002), pp. 244–256
  33. M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in 22nd Annual ACM Symposium on Theory of Computing (STOC) (1990), pp. 427–437
  34. M. Rabin, Digitalized signatures and public key functions as intractable as factoring. Tech. Rep. 212, LCS, MIT, 1979
  35. C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology—CRYPTO’91 (1991), pp. 433–444
  36. V. Vaikuntanathan, Computing blind folded: new developments in fully homomorphic encryption, in 52nd Annual Symposium on Foundations of Computer Science (FOCS) (2011), pp. 5–16
  37. A.C. Yao, How to generate and exchange secrets, in 27th Annual Symposium on Foundations of Computer Science (FOCS) (1986), pp. 162–167

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. School of Electrical Engineering, Tel-Aviv University, Tel Aviv, Israel
