# Reproducible Circularly Secure Bit Encryption: Applications and Realizations

## Abstract

We give generic constructions of several fundamental cryptographic primitives based on a new encryption primitive that combines *circular security* for bit encryption with the so-called *reproducibility property* (Bellare et al. in Public key cryptography—PKC 2003, vol. 2567, pp. 85–99, Springer, 2003). At the heart of our constructions is a novel technique which gives a way of de-randomizing reproducible public-key bit encryption schemes and also a way of reducing one-wayness conditions of a constructed trapdoor function family (TDF) to circular security of the base scheme. The main primitives that we build from our encryption primitive include *k-wise one-way* TDFs (Rosen and Segev in SIAM J Comput 39(7):3058–3088, 2010), chosen-ciphertext-attack-secure encryption and deterministic encryption. Our results demonstrate a new set of applications of circularly secure encryption beyond fully homomorphic encryption and symbolic soundness. Finally, we show the plausibility of our assumptions by showing that the decisional Diffie–Hellman-based circularly secure scheme of Boneh et al. (Advances in cryptology—CRYPTO 2008, vol. 5157, Springer, 2008) and the subgroup indistinguishability-based scheme of Brakerski and Goldwasser (Advances in cryptology—CRYPTO 2010, vol. 6223, pp. 1–20, Springer, 2010) are both reproducible.

## Keywords

- Circular security
- Correlated-input security
- Trapdoor functions
- (Non-)shielding CCA construction
- Deterministic encryption

## Notes

### Acknowledgements

We would like to thank Venkatesh Srinivasan for comments on an earlier version of this paper. We are also grateful to the anonymous reviewers for their comments that improved the presentation of this paper.
