On the (Im)Possibility of Key Dependent Encryption

  • Iftach Haitner
  • Thomas Holenstein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5444)


We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results that hold both in the private and in the public key settings:

  • Let \(\mathcal{H}\) be the family of poly(n)-wise independent hash-functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent messages to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for \(h \in \mathcal{H}\).

  • There exists no reduction from an encryption scheme secure against key-dependent messages to, essentially, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for an arbitraryg, as long as the reduction’s proof of security treats both the adversary and the function g as black boxes.


Key-dependent input Black-box separations One-way functions 


  1. [AR02]
    Abadi, M., Rogaway, P.: Reconciling two views of cryptography (the computational soundness of formal encryption). JoC 15(2), 103–127 (2002)MATHMathSciNetGoogle Scholar
  2. [Bar01]
    Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  3. [BHHO08]
    Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision diffie-hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)Google Scholar
  4. [BRS02]
    Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. [CL01]
    Camenisch, J.L., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 93. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. [CW79]
    Carter, J.L., Wegman, M.N.: Universal classes of hash functions. JCSS 18(2), 143–154 (1979)MATHMathSciNetGoogle Scholar
  7. [DOP05]
    Dodis, Y., Oliveira, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005)Google Scholar
  8. [DY83]
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)MATHCrossRefMathSciNetGoogle Scholar
  9. [GGKT05]
    Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. S. J. on Comp. 35(1), 217–246 (2005)MATHCrossRefMathSciNetGoogle Scholar
  10. [GKM+00]
    Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: FOCS 2000 (2000)Google Scholar
  11. [GT00]
    Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS 2000 (2000)Google Scholar
  12. [HHRS07]
    Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments. In: FOCS 2007 (2007)Google Scholar
  13. [HH08]
    Haitner, I., Holenstein, T.: On the (Im) Possibility of Key Dependent Encryption (full version), http://eprint.iacr.org/2008/164
  14. [HK05]
    Horvitz, O., Katz, J.: Bounds on the efficiency of “black-box” commitment schemes. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 128–139. Springer, Heidelberg (2005)Google Scholar
  15. [HK07]
    Halevi, S., Krawczyk, H.: Security under key-dependent inputs. In: 14th ACM CCS (2007)Google Scholar
  16. [Hof08]
    Hofheinz, D.: Possibility and impossibility results for selective decommitments. Technical Report 2008/168, eprint.iacr.org (April 2008)Google Scholar
  17. [HU08]
    Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 108–126. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. [IJK07]
    Impagliazzo, R., Jaiswal, R., Kabanets, V.: Chernoff-type direct product theorems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 500–516. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. [IR89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC 1989 (1989)Google Scholar
  20. [KST99]
    Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash functions. In: FOCS 1999 (1999)Google Scholar
  21. [RTV04]
    Reingold, O., Trevisan, L., Vadhan, S.P.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)Google Scholar
  22. [Rud88]
    Rudich, S.: Limits on the Provable Consequences of One-Way Functions. PhD thesis, U.C. Berkeley (1988)Google Scholar
  23. [Sim98]
    Simon, D.R.: Findings collisions on a one-way street: Can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  24. [Wee07]
    Wee, H.M.: One-way permutations, interactive hashing and statistically hiding commitments. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 419–433. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Iftach Haitner
    • 1
  • Thomas Holenstein
    • 2
  1. 1.Microsoft Research 
  2. 2.Department of Computer SciencePrinceton University 

Personalised recommendations