Black-Box Circular-Secure Encryption beyond Affine Functions

  • Zvika Brakerski
  • Shafi Goldwasser
  • Yael Tauman Kalai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6597)


We show how to achieve public-key encryption schemes that can securely encrypt nonlinear functions of their own secret key. Specifically, we show that for any constant d ∈ ℕ, there exists a public-key encryption scheme that can securely encrypt any function f of its own secret key, assuming f can be expressed as a polynomial of total degree d. Such a scheme is said to be key-dependent message (KDM) secure w.r.t. degree-d polynomials. We also show that for any constants c,e, there exists a public-key encryption scheme that is KDM secure w.r.t. all Turing machines with description size clogλ and running time λ e , where λ is the security parameter. The security of such public-key schemes can be based either on the standard decision Diffie-Hellman (DDH) assumption or on the learning with errors (LWE) assumption (with certain parameters settings).

In the case of functions that can be expressed as degree-d polynomials, we show that the resulting schemes are also secure with respect to key cycles of any length. Specifically, for any polynomial number n of key pairs, our schemes can securely encrypt a degree-d polynomial whose variables are the collection of coordinates of all n secret keys. Prior to this work, it was not known how to achieve this for nonlinear functions.

Our key idea is a general transformation that amplifies KDM security. The transformation takes an encryption scheme that is KDM secure w.r.t. some functions even when the secret keys are weak (i.e. chosen from an arbitrary distribution with entropy k), and outputs a scheme that is KDM secure w.r.t. a richer class of functions. The resulting scheme may no longer be secure with weak keys. Thus, in some sense, this transformation converts security with weak keys into amplified KDM security.


  1. 1.
    Adão, P., Bana, G., Herzog, J., Scedrov, A.: Soundness of formal encryption in the presence of key-cycles. In: di Vimercati, S.D.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 374–396. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold [25], pp. 474–495Google Scholar
  3. 3.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi [18], pp. 595–618Google Scholar
  4. 4.
    Backes, M., Dürmuth, M., Unruh, D.: OAEP is secure under key-dependent messages. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 506–523. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Backes, M., Pfitzmann, B., Scedrov, A.: Key-dependent message security under active attacks - brsim/uc-soundness of symbolic encryption with key cycles. In: CSF, pp. 112–124. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  6. 6.
    Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision diffie-hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)Google Scholar
  9. 9.
    Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability - (or: Quadratic residuosity strikes back). In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010)Google Scholar
  10. 10.
    Brakerski, Z., Goldwasser, S., Kalai, Y.: Black-box circular-secure encryption beyond affine functions (full version of this paper). Cryptology ePrint Archive, Report 2009/485 (2009),
  11. 11.
    Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Camenisch, J.L., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Canetti, R., Tauman Kalai, Y., Varia, M., Wichs, D.: On symmetric encryption and point obfuscation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 52–71. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  15. 15.
    Goldreich, O.: Foundations of Cryptography - Basic Applications. Cambridge University Press, Cambridge (2004)Google Scholar
  16. 16.
    Goldwasser, S., Kalai, Y., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption (2009) (manuscript) Google Scholar
  17. 17.
    Haitner, I., Holenstein, T.: On the (im)possibility of key dependent encryption. In: Reingold [25], pp. 202–219Google Scholar
  18. 18.
    Halevi, S. (ed.): CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)MATHGoogle Scholar
  19. 19.
    Halevi, S., Krawczyk, H.: Security under key-dependent inputs. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM Conference on Computer and Communications Security, pp. 466–475. ACM, New York (2007)Google Scholar
  20. 20.
    Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 108–126. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Laud, P., Corin, R.: Sound computational interpretation of formal encryption with composed keys. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 55–66. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi [18], pp. 18–35Google Scholar
  23. 23.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Mitzenmacher, M. (ed.) STOC, pp. 333–342. ACM, New York (2009)CrossRefGoogle Scholar
  24. 24.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) STOC, pp. 84–93. ACM, New York (2005)Google Scholar
  25. 25.
    Reingold, O. (ed.): TCC 2009. LNCS, vol. 5444. Springer, Heidelberg (2009)MATHGoogle Scholar
  26. 26.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)CrossRefMATHMathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Zvika Brakerski
    • 1
  • Shafi Goldwasser
    • 1
    • 2
  • Yael Tauman Kalai
    • 3
  1. 1.Weizmann Institute of ScienceIsrael
  2. 2.MITUSA
  3. 3.Microsoft ResearchUSA

Personalised recommendations