Deterministic Public-Key Encryption for Adaptively-Chosen Plaintext Distributions



Bellare, Boldyreva, and O’Neill (CRYPTO ’07) initiated the study of deterministic public-key encryption as an alternative in scenarios where randomized encryption has inherent drawbacks. The resulting line of research has so far guaranteed security only for adversarially chosen-plaintext distributions that are independent of the public key used by the scheme. In most scenarios, however, it is typically not realistic to assume that adversaries do not take the public key into account when attacking a scheme. We show that it is possible to guarantee meaningful security even for plaintext distributions that depend on the public key. We extend the previously proposed notions of security, allowing adversaries to adaptively choose plaintext distributions after seeing the public key, in an interactive manner. The only restrictions we make are that: (1) plaintext distributions are unpredictable (as is essential in deterministic public-key encryption), and (2) the number of plaintext distributions from which each adversary is allowed to adaptively choose is upper bounded by \(2^{p}\), where p can be any predetermined polynomial in the security parameter and plaintext length. For example, with \(p = 0\) we capture plaintext distributions that are independent of the public key, and with \(p = O(s \log s)\) we capture, in particular, all plaintext distributions that are samplable by circuits of size s. Within our framework we present both constructions in the random oracle model based on any public-key encryption scheme, and constructions in the standard model based on lossy trapdoor functions (thus, based on a variety of number-theoretic assumptions). Previously known constructions heavily relied on the independence between the plaintext distributions and the public key for the purposes of randomness extraction. In our setting, however, randomness extraction becomes significantly more challenging once the plaintext distributions and the public key are no longer independent. Our approach is inspired by research on randomness extraction from seed-dependent distributions. Underlying our approach is a new generalization of a method for such randomness extraction, originally introduced by Trevisan and Vadhan (FOCS ’00) and Dodis (Ph.D. Thesis, MIT, ’00).


Public-key encryption Deterministic encryption Randomness extraction 



We thank David Xiao and Damien Vergnaud for a discussion regarding the parameters stated in Theorem 7.1, and the anonymous referees for their many useful comments.


  1. 1.
    D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in Advances in Cryptology—CRYPTO ’04, 2004, pp. 443–459Google Scholar
  2. 2.
    M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, S. Yilek, Hedged public-key encryption: how to protect against bad randomness, in Advances in Cryptology—ASIACRYPT ’09, 2009, pp. 232–249Google Scholar
  3. 3.
    M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in Advances in Cryptology—CRYPTO ’07, 2007, pp. 535–552Google Scholar
  4. 4.
    M. Bellare, M. Fischlin, A. O’Neill, T. Ristenpart, Deterministic encryption: definitional equivalences and constructions without random oracles, in Advances in Cryptology—CRYPTO ’08, 2008, pp. 360–378Google Scholar
  5. 5.
    A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in Advances in Cryptology—CRYPTO ’08, 2008, pp. 335–359Google Scholar
  6. 6.
    M. Bellare, J. Rompel, Randomness-efficient oblivious sampling, in Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, 1994, pp. 276–287Google Scholar
  7. 7.
    Z. Brakerski, G. Segev, Better security for deterministic public-key encryption: the auxiliary-input setting, in Advances in Cryptology—CRYPTO ’11, 2011, pp. 543–560Google Scholar
  8. 8.
    E. Boyle, G. Segev, D. Wichs, Fully leakage-resilient signatures, in Advances in Cryptology—EUROCRYPT ’11, 2011, pp 89–108Google Scholar
  9. 9.
    D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in Advances in Cryptology—EUROCRYPT ’10, 2010, pp. 523–552Google Scholar
  10. 10.
    Y. Dodis, Exposure-Resilient Cryptography. PhD thesis, MIT, 2000Google Scholar
  11. 11.
    Y. Dodis, A. Smith, Correcting errors without leaking partial information, in Proceedings of the 37th Annual ACM Symposium on Theory of Computing, 2005, pp. 654–663Google Scholar
  12. 12.
    Y. Dodis, A. Smith, Entropic security and the encryption of high entropy messages, In Proceedings of the 2nd Theory of Cryptography Conference, 2005, pp. 556–577Google Scholar
  13. 13.
    D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions. J. Cryptol. 26(1), 39–74 (2013)MathSciNetCrossRefMATHGoogle Scholar
  14. 14.
    B. Fuller, A. O’Neill, L. Reyzin, A unified approach to deterministic encryption: New constructions and a connection to computational entropy, In Proceedings of the 9th Theory of Cryptography Conference, 2012, pp. 582–599Google Scholar
  15. 15.
    S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefMATHGoogle Scholar
  16. 16.
    E. Kaplan, M. Naor, O. Reingold, Derandomized constructions of \(k\)-wise (almost) independent permutations. Algorithmica 55(1), 113–133 (2009)MathSciNetCrossRefMATHGoogle Scholar
  17. 17.
    E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in Advances in Cryptology—CRYPTO ’10, 2010, pp. 295–313Google Scholar
  18. 18.
    I. Mironov, O. Pandey, O. Reingold, G. Segev, Incremental deterministic public-key encryption, in Advances in Cryptology—EUROCRYPT ’12, 2012, pp. 628–644Google Scholar
  19. 19.
    C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)MathSciNetCrossRefMATHGoogle Scholar
  20. 20.
    J. Rompel, Techniques for computing with low-independence randomness. PhD thesis, Massachusetts Institute of Technology, 1990Google Scholar
  21. 21.
    A. Russell, H. Wang, How to fool an unbounded adversary with a short key. IEEE Trans. Inf. Theory 52(3), 1130–1140 (2006)MathSciNetCrossRefMATHGoogle Scholar
  22. 22.
    L. Trevisan, S.P. Vadhan, Extracting randomness from samplable distributions, in Proceedings of the 41st Annual IEEE Symposium on Foundations of Computer Science, 2000, pp. 32–42Google Scholar
  23. 23.
    S. Vadhan, Pseudorandomness (draft survey)., 2012
  24. 24.
    B. Waters, Efficient identity-based encryption without random oracles, in Advances in Cryptology—EUROCRYPT ’05, 2005, pp. 114–127Google Scholar
  25. 25.
    H. Wee, Dual projective hashing and its applications—lossy trapdoor functions and more, in Advances in Cryptology—EUROCRYPT ’12, 2012, pp. 246–262Google Scholar
  26. 26.
    D. Wichs, Barriers in cryptography with weak, correlated and leaky sources, in Proceedings of the 4th Innovations in Theoretical Computer Science Conference, 2013Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.GoogleMountain ViewUSA
  2. 2.School of Computer Science and EngineeringHebrew University of JerusalemJerusalemIsrael
  3. 3.Center for Research on Computation and Society, School of Engineering and Applied SciencesHarvard UniversityCambridgeUSA

Personalised recommendations