On Generic Constructions of Circularly-Secure, Leakage-Resilient Public-Key Encryption Schemes
Abstract
We propose generic constructions of public-key encryption schemes, satisfying key-dependent message (KDM) security for projections and different forms of key-leakage resilience, from CPA-secure private-key encryption schemes with two main abstract properties: (1) a form of (additive) homomorphism with respect to both plaintexts and randomness, and (2) reproducibility, providing a means for reusing encryption randomness across independent secret keys. More precisely, our construction transforms a private-key scheme with the stated properties (and one more mild condition) into a public-key one, providing:

KDM-projection security, an extension of circular security, where the adversary may also ask for encryptions of negated secret key bits;

a \((1-o(1))\) resilience rate in the bounded-memory leakage model of Akavia et al. (TCC 2009); and

auxiliary-input security against subexponentially-hard functions.
We introduce homomorphic weak pseudorandom functions, a homomorphic version of the weak PRFs proposed by Naor and Reingold (FOCS ’95), and use them to realize our base encryption scheme. We in turn obtain homomorphic weak PRFs from homomorphic hash-proof systems (HHPS). We also show how the base encryption scheme may be realized using subgroup indistinguishability (implied, in particular, by quadratic residuosity (QR) and decisional composite residuosity (DCR)). As corollaries of our results, we obtain (1) the first multiple-key projection-secure bit-encryption scheme (as well as the first scheme with a \((1-o(1))\) resilience rate) based solely on the HHPS assumption, and (2) a unifying approach explaining the results of Boneh et al. (CRYPTO ’08) and Brakerski and Goldwasser (CRYPTO ’10). Finally, by observing that Applebaum’s KDM amplification method (EUROCRYPT ’11) preserves both types of leakage resilience, we obtain schemes providing at the same time high leakage resilience and KDM security against any fixed polynomial-sized circuit family.
Keywords
Encryption Scheme; Randomness Space; Projection Security; Subgroup Indistinguishability; Resilience Rate
1 Introduction
A central goal in cryptography is to build a variety of cryptographic primitives with a high degree of versatility from assumptions that are as general as possible. Encryption in particular has been defined, starting with the seminal paper of Goldwasser and Micali [23], with respect to successively stronger models of security. However, standard notions of encryption security (i.e., CPA and different forms of CCA security [17, 23, 36, 38]) fall short in certain applications, in particular, where the adversary may obtain some side information about the internal secret parameters (e.g., the secret key) of the scheme. This leakage of side information may occur due to some unforeseen attacks on the scheme (side-channel attacks), or more fundamentally, when encryption is used as a primitive in a complex protocol which may inherently expose inside information. These observations have led to the definition and realization of stronger notions of encryption security, such as security against different forms of leakage [1, 2, 9, 14, 15, 19, 25, 32, 35], and key-dependent message (KDM) security [3, 4, 5, 7, 8, 9, 10, 27, 31]. Our goal is to construct schemes realizing these security properties from general assumptions. Our results concern a basic model of leakage, known as the bounded-leakage model [1], and a basic model of KDM security, known as projection security (which is slightly stronger than circular security). We will also consider a model of auxiliary-input security [14, 15]. We first provide some background on these models and then describe our results.
For all definitions below (unless otherwise stated) we assume we are encrypting the secret key (or functions thereof) bit-by-bit, i.e., the scheme is either bit encryption, or there is a mapping from bits to two fixed plaintext messages.
KDM Security. KDM security is defined with respect to a function family F: informally, an encryption scheme (G, E, Dec) is F-KDM\(^{(1)}\) secure if no adversary can distinguish between two oracles, where the first one, on input \(f \in F\), returns \(E_{pk}(f(sk))\) (for a random (pk, sk) chosen at the beginning), and the second one, regardless of the input, returns an encryption of a fixed message. A basic form of KDM\(^{(1)}\) security is 1-circular security, allowing the adversary to obtain encryptions of any bit of the secret key. Another basic notion is projection security, which also allows the adversary to obtain encryptions of negations of secret key bits. KDM\(^{(1)}\) security generalizes naturally to the case of multiple pairs of keys, giving rise to the notion of F-KDM\(^{(n)}\) security, where in a system with the pairs of keys \((pk_1, sk_1), \ldots , (pk_n, sk_n)\) a chosen function \(f \in F\) comes with an index j, and as a result \(f(sk_1, \ldots , sk_n)\) is encrypted under \(pk_j\). For example, n-projection security allows the adversary to see encryptions of any bit of any secret key or its negation under (possibly) any other public key.
KDM security was originally defined by Black et al. [7], who built a fully-KDM-secure scheme (i.e., KDM security with respect to all functions) in the random oracle model. In [8] Boneh et al. gave the first construction in the standard model, based on the DDH assumption, of a public-key scheme that was proved KDM\(^{(n)}\) secure with respect to affine functions. This positive result led to a series of subsequent works, focusing on building affine-KDM\(^{(n)}\) security under alternate specific assumptions (i.e., LPN/LWE [4], and QR/DCR and more generally subgroup indistinguishability (SG) assumptions [9]), and on developing KDM-amplification methods for transforming schemes with basic forms of KDM security into schemes with more sophisticated forms of KDM security [3, 5, 10]. These amplification methods in turn employ techniques such as garbled circuits [5], randomized encoding of functions [3] and entropic-KDM security [10] to enable KDM transformations. Most relevant to our work are the results of Applebaum [3], showing that, informally speaking, projection security is sufficient to obtain KDM security with respect to any fixed circuit family whose size is poly-bounded. Thus, a fundamental question regarding KDM security is to study general assumptions sufficient for realizing projection security, which is one of the main goals of our paper.
It turns out that realizing even 1-circular security for bit encryption is considerably more difficult than the case where the secret-key space is a subset of the plaintext space (so one can encrypt the whole key at once). In the latter case, through simple modifications to the encryption algorithm, one can make any CPA-secure scheme 1-circularly secure. Currently, the only constructions that provide bitwise 1-circular security are those of [4, 8, 10], which are based on specific assumptions. Also, it was shown in [41] that the implication that “any CPA-secure bit encryption scheme is also 1-circularly secure” is not provable using reductions that use both the adversary and the scheme in a black-box way.^{1} Moreover, under widely-believed assumptions, there exist CPA-secure bit-encryption schemes that are not 1-circularly secure [30, 41].
Leakage Resilience. Akavia et al. [1] introduce the notion of encryption security against bounded memory leakage, wherein an adversary (after seeing the public key) may obtain arbitrary information about the secret key, of the form f(sk) for adaptively chosen f, as long as the total number of bits leaked does not exceed an a priori fixed quantity, \(\ell \). (We refer to the fraction \(\ell /|sk|\) as the resilience rate.) They showed that Regev’s scheme [39] and the identity-based encryption scheme of [20], both under the LWE assumption, provide resilience rate \(O(1/\mathrm{polylog}(|sk|))\). Naor and Segev [35] showed how to obtain encryption schemes resilient to high leakage lengths (but with low resilience rates) from any hash-proof system [13] and how to obtain schemes with \((1-o(1))\)-resilience rates from d-linear assumptions; moreover, they showed that the circularly-secure scheme of [8] provides a \((1-o(1))\) resilience rate. Brakerski and Goldwasser [9], under the subgroup indistinguishability assumption, implied in turn by the QR and DCR assumptions, showed how to obtain encryption schemes that are affine-KDM secure, with a \((1-o(1))\) resilience rate.
Auxiliary-Input Security. In the auxiliary-input model [14, 15] the adversary is given some side information of the form h(pk, sk), and the goal is to guarantee security as long as recovering sk from h(pk, sk) is sufficiently computationally hard. For public-key encryption, Dodis et al. [14] build schemes based on LWE and DDH (where their DDH-based scheme is a variant of [8]) secure against subexponentially-hard-to-invert functions. Brakerski and Goldwasser [9] present schemes with the same level of auxiliary-input security under the subgroup indistinguishability assumption.
1.1 Our Results (Assumptions and Constructions)
As pointed out earlier, the only constructions of circularly-secure/projection-secure bit encryption (even 1-circular security) are based on specific assumptions [4, 8, 9]. Moreover, the schemes of [8, 9], referred to as BHHO and BG henceforth, besides KDM security, also provide security against different forms of leakage (as shown in [9, 14, 35]). Therefore, a natural question is whether there exist more general constructions that encompass all these specific constructions.
We will try to answer this question by building leakage-resilient, projection-secure encryption schemes from CPA-secure private-key schemes with some special properties, which we now informally describe. Then we will use this private-key encryption abstraction as a stepping stone toward obtaining our results under other primitives.
The first property is a generalized version of additive homomorphism, where homomorphism is required to hold also with respect to randomness (let Hom denote the associated function). The second property is what Bellare et al. [6] call reproducibility, requiring that given a message \(m_2\), secret key \(sk_2\) and ciphertext \(c = E_{sk_1}(m_1; r)\), where \(sk_1\), \(m_1\) and r are unknown, one can efficiently obtain \(E_{sk_2}(m_2; r)\), i.e., there is a way to efficiently transfer the randomness from one encryption to another, provided the secret key for the second encryption is known.^{2} We denote this efficient computation by \(Rep(c, m_2,sk_2)\). Note that if an encryption algorithm reveals its randomness in the clear, then reproducibility is trivially satisfied; e.g., the standard way of building CPA-secure private-key encryption from a pseudorandom function family F, defining encryption as \(E_{sk}(m) = (r , F_{sk}(r) \oplus m)\), provides reproducibility. In fact, we will later use this idea to obtain our encryption primitive, based on the existence of homomorphic weak pseudorandom functions. Note that for homomorphism, we are assuming that the message and randomness spaces form groups. For technical reasons, we will also require the following property: from any encryption \(E_{sk}(b ;r)\), for unknown sk, b, r, one can obtain \(E_{sk}(1;0)\), i.e., the encryption of bit 1 under key sk based on the identity element of the randomness group.^{3} We see this as a form of degenerate homomorphism.
We introduce a construction C (formalized in Sect. 3 and sketched in Subsect. 1.4) that transforms a private-key scheme with the stated properties into a public-key one, and show the following result.
Theorem (Informal). Assume that \(\mathcal {E} = (G, E, Dec, Hom, Rep)\) is a CPA-secure private-key, bit-encryption scheme that is degenerate additively homomorphic and reproducible. Then the constructed scheme \(\mathcal {E}' = C(\mathcal {E})\) is a public-key bit-encryption scheme that satisfies the following properties.

For any integer n, by appropriately choosing the system parameters, \(\mathcal {E}'\) is n-projection secure. (Formalized in Theorem 2)

By appropriately choosing the system parameters, \(\mathcal {E}'\) provides a \((1-o(1))\)-leakage resilience rate. (Formalized in Theorem 3)

\(\mathcal {E}'\) provides auxiliary-input leakage resilience against subexponentially-hard functions. (Formalized in Theorem 6 and Remark 1)
We will also discuss generalizations of the above construction to the case where the base scheme is not bit-encryption.
1.2 Realizations
From Homomorphic Weak Pseudorandom Functions. Pseudorandom function families (PRFs) provide a convenient way of realizing reproducible CPA-secure private-key encryption via the standard PRF-based encryption construction. Towards providing homomorphism for a PRF-based scheme, we call a function family homomorphic if both the domain and range of the underlying functions form groups, and each function acts as a homomorphism. A standard PRF cannot, however, be homomorphic, since with high probability a truly random function will not be homomorphic and an adversary with the power to (even) non-adaptively query a function oracle may easily exploit this fact. To prevent this type of attack, we work with weak PRFs, defined by Naor and Reingold [34], which allow an adversary to see values of the function only on a sequence of random inputs. Formally, \(f_k\) is weakly pseudorandom if no adversary can distinguish between \((d_1, f_k(d_1)), \ldots , (d_p , f_k(d_p))\) and \((d_1, r_1), \ldots , (d_p , r_p)\), where all \(d_i\)’s and \(r_i\)’s are chosen independently at random. As we see next, not only is the notion of homomorphic weak PRFs meaningful, it is naturally realizable under specific assumptions. We also note that the standard construction of private-key encryption from a PRF, when applied to homomorphic weak PRFs, results in a scheme that satisfies the properties we need from our base encryption primitive (Lemma 4).
For a DDH-hard group \(\mathbb {G}\) with \(o = |\mathbb {G}|\), define \(F = \{f_k :\mathbb {G} \rightarrow \mathbb {G} \}_{k \in \mathbb {Z}_o}\) by \(f_k(g) = g^{k}\). This function family was introduced and proved to be weakly pseudorandom by Naor, Pinkas and Reingold [33]; the proof of weak pseudorandomness uses standard techniques related to the random-self-reducibility of DDH. The fact that \(f_k\) is homomorphic is clear. Interestingly, by plugging this PRF into our general construction, we obtain a scheme which is a close variant of the BHHO scheme. We also give a realization of homomorphic weak PRFs under homomorphic hash-proof systems (HHPS) [13]: here the PRF is simply the family of hash functions on valid points (Theorem 4). A corollary of our results is the following.
Corollary. Under the HHPS assumption and for any integer n, there exists a public-key encryption scheme that provides, at the same time, n-projection security and a \((1-o(1))\)-leakage resilience rate.
To the best of our knowledge, our results give the first HHPS-based encryption scheme that provides (even individually) n-projection security and a \((1-o(1))\)-leakage resilience rate. (See Subsect. 1.4 for a comparison of our results with those of the recent work of [42].) Naor and Segev [35] show how to construct schemes with high tolerated leakage lengths (but low rates of leakage resilience) from any hash-proof system, and also how to obtain schemes with \((1-o(1))\) leakage-resilience rates from k-linear assumptions. Our results can be thought of as complementing those of [35], by saying that if we add homomorphism to an HPS, we obtain schemes with high resilience rates. Hazay et al. [26] show how to obtain schemes withstanding high leakage lengths from any CPA-secure public-key encryption (which is the minimal assumption). Their construction, however, produces a scheme with low leakage-resilience rates, and does not imply our leakage resilience result based on HHPS.
From Subgroup Indistinguishability. We show how to instantiate our encryption primitive under the subgroup indistinguishability (SG) assumption [9], of which QR and DCR are special cases (Lemma 5). Our current formulation of homomorphic weak PRFs does not seem to be realizable under the SG assumption. It is, however, possible to formulate a more relaxed version of such PRFs, one that is still sufficient for realizing our encryption assumptions and is also realizable under the SG assumption. We choose not to pursue this direction since there is already an easy way to realize our encryption primitive under the SG assumption.
1.3 KDM Amplification and Leakage Resilience
We prove that Applebaum’s KDM amplification method [3] for obtaining KDM security for any fixed family of bounded circuits from projection security also preserves both types of leakage resilience (Theorem 9). We were not, however, able to show this for the KDM amplification methods of [5, 10]. Applebaum’s transformation has the key property that it only modifies the encryption and decryption algorithms of the base scheme, by applying randomized encoding and decoding, which are fixed mappings constructed based on the target function family, inside the encryption and decryption algorithms. This property facilitates reducing the leakage resilience and auxiliary-input security of the constructed scheme to the same requirements (i.e., with the same parameters) on the base scheme. As a corollary, for any fixed bounded function family F and any integer n, assuming the existence of private-key schemes with the stated properties, we obtain schemes that at the same time provide (1) F-KDM\(^{(n)}\) security, (2) a \((1-o(1))\)-leakage resilience rate, and (3) auxiliary-input security against subexponentially-hard functions (Corollary 1).
1.4 Construction Technique and Further Discussion
Construction and Proof Techniques. We now give a sketch of the construction, C, and proof techniques. Fix \(\mathcal {E} = (G , E , D, Rep, Hom)\) to be a private-key bit-encryption scheme that provides reproducibility and the generalized homomorphism condition. The latter, using additive notation, states that \(Hom(E_{sk}(b_1; r_1) , E_{sk}(b_2 ; r_2)) = E_{sk}(b_1+b_2 ; r_1 + r_2)\). (Note that because of our additive notation our message space is \(\mathbb {Z}_2\), and 0 is the identity element of the randomness space.)
Some notes are in order. Firstly, under \(G'\), the secret key of the old scheme, sk, is used only to compute the encryptions needed to form \(\mathbf {pk}\). Roughly, the fact that \(\mathbf {s}\) is independent of sk underlies the circular security of \(\mathcal {E}'\). Secondly, \(E'\) has the somewhat unusual property that it calls G, with the returned values comprising all the randomness used in encryption.
KDM Security. A main idea used in the proof of 1-circular security (for simplicity) is that if one possesses \(\mathbf {s}\), then the encryption of a bit b may be equivalently computed as \(\mathbf {c} = (c_1, \ldots , c_l , Hom(c_{i_1}, \ldots , c_{i_w}, c') )\), where \(sk' \leftarrow G(1^{\lambda })\), \(c_j \leftarrow E_{sk'}(0)\) for \(1 \le j \le l\), \((i_1, \ldots , i_w)\) are the indices of nonzero bits of \(\mathbf {s}\) and \(c' = E_{sk'}(b ; 0)\) (i.e., \(c'\) is the encryption of b where the randomness value is fixed to the group identity 0). Now we consider an intermediate hybrid, \(W_1\), in which to encrypt the h-th bit of \(\mathbf {s}\), we return \((c_1, \ldots , c_l , Hom(c_{i_1}, \ldots , c_{i_w}, c') )\), where now \(c_h\) is an encryption of 1, but every other \(c_j\) is an encryption of 0 (and \(c'\) is an encryption of \(\mathbf {s}_h\) under the identity randomness). We will show that \(W_1\) provides a view computationally indistinguishable from the real view, \(W_0\); the main idea is that any distinguisher between \(W_0\) and \(W_1\) can be reduced to an adversary \(\mathcal {A}\) that wins in a special vector-encryption game (performed under \(\mathcal {E}\)), in which \(\mathcal {A}\) may adaptively issue fixed-length vectors of bits (of a certain form), and in response to each vector query \(\mathbf {v}\), either \(\mathbf {v}\) or the all-zero vector (depending on the challenge bit) is component-wise encrypted under a fresh secret key, but by reusing randomness across each fixed component of the vectors (that is, the i-th component of each vector is always encrypted under a fixed random \(r_i\)). In Lemma 3 we show any \(\mathcal {A}\) has a negligible advantage under this game, and use this to prove the indistinguishability of \(W_0\) and \(W_1\). (It turns out this last step also requires us to use degenerate homomorphism to compute \(E_{sk'}(1;0)\) obliviously to \(sk'\).)
Having proved the indistinguishability of \(W_0\) and \(W_1\), we notice that under \(W_1\) the reply to “encrypt the h-th bit of \(\mathbf {s}\)” is indeed formed as \((E_{sk'}(0 ; r_1) , \ldots , E_{sk'}(0 ; r_{h-1}), E_{sk'}(1 ; r_h), E_{sk'}(0 ; r_{h+1}), \ldots , E_{sk'}(0 ; r_l) , E_{sk}(0 ; \mathbf {s} \cdot \mathbf {r}) )\), and in particular is independent of \(\mathbf {s}\) beyond \(\mathbf {s} \cdot \mathbf {r} \), which makes the rest of the proof follow smoothly using ideas described for the CPA case.
The described techniques might be called simulated KDM encryptions, originally introduced in [8], used also in subsequent works [4, 9], which show how to simulate KDM responses under public information. The main challenge in our setting is how to enable such properties under our general assumptions.
Final Remarks. Instantiating the above construction using homomorphic weak PRFs provides an improvement in efficiency, matching the same level of efficiency as [8] if the base PRF (in turn) is instantiated under the corresponding assumption. Technically, in this case, it would suffice to define the public key to be \((d_1, \ldots , d_l , \mathbf {s} \cdot (d_1, \ldots , d_l))\), i.e., instead of putting the whole ciphertext in each component, we only give the underlying randomness, which would have been given out by the ciphertext itself in the clear. Also, to encrypt m under \(\mathbf {pk} = (d_1, \ldots ,d_l , d_{l+1})\), we simply output \((F_{sk}(d_1), \ldots , F_{sk}(d_l), F_{sk}(d_{l+1})+m)\), where sk is a fresh PRF key.
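The objects described above, as one runnable toy that is an added example and not the paper's own code: the DDH-based homomorphic weak PRF \(f_k(g) = g^k\) of Naor, Pinkas and Reingold, the PRF-based private-key scheme with its Hom and Rep maps and the degenerate-homomorphism property, the PRF-only public-key instantiation just sketched (\(\mathbf {pk} = (d_1, \ldots , d_l , \mathbf {s} \cdot (d_1, \ldots , d_l))\)), and the simulated way of computing a ciphertext from the KDM proof sketch. The group is the order-1019 subgroup of \(\mathbb {Z}_{2039}^*\), constructed here for illustration and far too small to be secure; it is written multiplicatively, so the paper's identity randomness 0 is the element 1 and \(\mathbf {s} \cdot (d_1, \ldots , d_l)\) is a product of powers; the function names (weak_prf, base_enc, hom, rep, degenerate, pk_keygen, pk_enc, pk_dec, pk_enc_simulated) are my own.

```python
import secrets

# Constructed toy parameters (far too small to be secure): the order-q subgroup of
# Z_p^* for the safe prime p = 2q + 1; g = 4 is a quadratic residue, so it generates
# that subgroup.  The paper writes groups additively with identity 0; this group is
# multiplicative, so its identity is 1 and "s . (g_1, ..., g_p)" is a product of powers.
P, Q, G = 2039, 1019, 4


def weak_prf(k, d):
    """Naor-Pinkas-Reingold weak PRF f_k(d) = d^k; a group homomorphism in d."""
    return pow(d, k, P)


def rand_elem():
    """Uniform subgroup element, used as a random PRF input d."""
    return pow(G, secrets.randbelow(Q), P)


def dot(s, vec):
    """The paper's s . vec for a bit vector s: product of vec[j] over j with s_j = 1."""
    out = 1
    for bit, g in zip(s, vec):
        if bit:
            out = out * g % P
    return out


# Base private-key scheme: E_sk(m; r) = (r, f_sk(r) * m), m a subgroup element.
def base_keygen():
    return secrets.randbelow(Q)


def base_enc(sk, m, r=None):
    r = rand_elem() if r is None else r
    return (r, weak_prf(sk, r) * m % P)


def base_dec(sk, c):
    r, y = c
    return y * pow(weak_prf(sk, r), -1, P) % P


def hom(c1, c2):
    """Hom(E_sk(m1; r1), E_sk(m2; r2)) = E_sk(m1*m2; r1*r2), computed without sk."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def rep(c, m2, sk2):
    """Rep(c, m2, sk2): r is in the clear in c, so E_{sk2}(m2; r) is immediate."""
    return base_enc(sk2, m2, r=c[0])


def degenerate(c):
    """E_sk(g; identity randomness) is (1, g) for every sk since f_sk(1) = 1, so it
    is obtained obliviously to sk and to the content of c (degenerate homomorphism)."""
    return (1, G)


# Public-key bit encryption from the weak PRF, as sketched under "Final Remarks":
# pk = (d_1, ..., d_l, s . d), sk = s; bit b is mapped to the group element g^b.
def pk_keygen(l):
    s = [secrets.randbelow(2) for _ in range(l)]
    d = [rand_elem() for _ in range(l)]
    return d + [dot(s, d)], s


def pk_enc(pk, b, sk_fresh=None):
    sk_fresh = base_keygen() if sk_fresh is None else sk_fresh  # fresh PRF key per ciphertext
    out = [weak_prf(sk_fresh, d) for d in pk]
    out[-1] = out[-1] * pow(G, b, P) % P
    return out


def pk_dec(s, c):
    # prod_j f_sk'(d_j)^{s_j} = f_sk'(s . d) = f_sk'(d_{l+1}) by homomorphism of f,
    # so s alone recovers the mask hiding g^b in the last component.
    mask = dot(s, c[:-1])
    m = c[-1] * pow(mask, -1, P) % P
    assert m in (1, G), "not an encryption of a bit"
    return 0 if m == 1 else 1


def pk_enc_simulated(pk, s, b, sk_fresh):
    """The alternative computation from the KDM proof sketch: base encryptions c_j of
    the identity under randomness d_j, folded with Hom over the nonzero indices of s
    together with c' = E_sk'(g^b; identity randomness).  Same output as pk_enc."""
    cs = [base_enc(sk_fresh, 1, r=d) for d in pk[:-1]]
    acc = base_enc(sk_fresh, pow(G, b, P), r=1)   # c' with randomness fixed to the identity
    for bit, c in zip(s, cs):
        if bit:
            acc = hom(acc, c)
    return [c[1] for c in cs] + [acc[1]]           # the PRF instantiation keeps only the f values
```

Decryption works because \(\prod_j f_{sk'}(d_j)^{\mathbf {s}_j} = f_{sk'}(\mathbf {s} \cdot \mathbf {d}) = f_{sk'}(d_{l+1})\), so the holder of \(\mathbf {s}\) recovers the mask on the last component from the first l components without ever learning the fresh PRF key; the base secret keys thus never enter the constructed secret key. pk_enc_simulated checks the claim from the KDM sketch that the same ciphertext can be assembled from encryptions of the identity under randomness \(d_j\), folded with Hom over the indices of the nonzero bits of \(\mathbf {s}\), which is the step that lets the proof simulate KDM responses.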
While our results enable us to explain those of [8, 9, 35], regarding KDM security and leakage resilience of the BHHO and BG schemes, they suffer from the same limitations as those of [9], in that, in order to achieve KDM\(^{(n)}\) security, we must choose the parameters of our constructed scheme based on n. Boneh et al. [8] get around this dependency by using the random self-reducibility of DDH and strong key-homomorphism properties of DDH-based schemes. Similar dependencies for (even specific) non-DDH-based assumptions occur in other settings as well, e.g., [11]. We leave it as an open problem to resolve this dependency. We should also mention that the BHHO and BG schemes were proved affine-KDM secure; under the current assumptions, we were not able to extend our results to the affine-KDM setting. Finally, we note that just the fact that we can build a CPA-secure (as opposed to KDM-secure) public-key scheme from our private-key assumptions is not unheard of, since even weaker forms of homomorphism are known to be sufficient to bridge this gap [40].
Comparison with [42]. Concurrently with our work, Wee [42] recently showed that the original HHPS-based encryption scheme of Cramer and Shoup [13] provides F-KDM\(^{(1)}\) security, where F is a function class defined based on the underlying hash functions. (Specifically, following the notation in Subsect. 6.2, \(F = \{f_{\mathsf {c}, \mathsf {k}} :\mathsf {SK} \mapsto \mathsf {K}\}\), where \(f_{\mathsf {c}, \mathsf {k}}(sk) = \mathsf {\Lambda _{sk}(c)}+\mathsf {k}\).) We note that the basic KDM setting of [42] is different from ours in that we are concerned with KDM security with respect to bit-projections of the secret key. Nevertheless, by instantiating that framework under specific DDH/SG-based HHPSs, [42] obtains schemes that are close variants of BHHO and BG. Moreover, the results of [42] also explain the bit-affine security of BHHO and BG, while our results only explain the projection security. On the other hand, we obtain HHPS-based schemes that are n-projection secure, while the results of [42] do not seem to extend to the multiple-key setting (as noted there). Moreover, by using an encryption-based primitive as our base assumption, we are able to obtain generic constructions under homomorphic weak PRFs, which is a weaker abstraction than HHPS, as we show.
Other Related Work. Choi and Wee [12] show how to construct lossy trapdoor functions from homomorphic reproducible encryption by abstracting the matrix-based construction of Peikert and Waters [37]. This shows one more application of homomorphic weak PRFs as a general primitive. We mention, however, that the main difference between our constructions and those of [12, 37] is that in [12, 37] the trapdoor key of the constructed schemes consists of secret keys produced under the base scheme, while in our setting, the main challenge (and novelty) is to come up with a construction whose encryption function still somehow calls that of the base scheme (in order to inherit its security), but in such a way that the secret keys of the base scheme are not included in the constructed secret key.
2 Definitions
2.1 Standard Notation and Definitions
For a finite set S we use \(x \leftarrow S\) to denote sampling x uniformly at random from S and denote by \(U_S\) or U(S) the uniform distribution on S. If D is a distribution then \(x \leftarrow D\) denotes choosing x according to D. We denote the support set of a distribution D by Sup(D), and write \(x \in D\) to indicate \(x \in Sup(D)\). The notions of computational indistinguishability and statistical indistinguishability are standard. We use \(\equiv ^c\) to refer to computational indistinguishability, \(\equiv ^s\) to statistical indistinguishability and \(\equiv \) to identity of two distributions. We use the term PPT in this paper in the standard sense. We will often omit the adjective PPT/efficient when discussing functions – by default we assume all such functions are efficient.
We denote the length of \(x \in \{0,1\}^{*}\) by \(|x|\) and the i-th bit of x, for \(1 \le i \le |x|\), by \(x_i\). We denote the n-th Cartesian power of a set S by \(S^n\). We call \(f : \mathbb {N} \rightarrow \mathbb {R}\) negligible if \(f(\lambda ) < 1/P(\lambda )\) for any polynomial P and sufficiently large \(\lambda \).
All groups are assumed to admit efficient group operations, and to be commutative, but not necessarily cyclic, unless otherwise indicated.
2.2 Syntax of Encryption Schemes
We first start with some notation. We use \(A(a_1, a_2, \ldots ; r)\) to denote the deterministic output of randomized function A on inputs \(a_1, a_2, \ldots \) and randomness r, and use \(x \leftarrow A(a_1, a_2, \ldots )\) to denote the distribution formed by first choosing r uniformly at random and then outputting \(A(a_1, a_2, \ldots ; r)\).
We assume that all cryptographic primitives (encryption, PRFs, etc.) discussed in this paper, besides their usual algorithms, have a parameter-generation algorithm that produces public parameters (e.g., a group) used by all other algorithms. In situations where we talk about generating many keys it should be understood that all keys are sampled under the same public parameters, which were generated randomly at the beginning. We now give the syntax of encryption schemes.
A public-key encryption scheme \(\mathcal {E}\) is given by algorithms (Param, G, E, Dec), all taking as input a security parameter \(1^{\lambda }\) (which we make explicit for Param and G and implicit for the other algorithms). Param takes input \(1^{\lambda }\) and outputs a public parameter, par. The key-generation algorithm takes \(1^{\lambda }\) and par and outputs public/secret keys, \((pk , sk) \leftarrow G(1^{\lambda } , par)\). The encryption algorithm E takes a public key pk, a plaintext \(m \in \mathcal {M}_{\lambda }\) (where \(\mathcal {M}_{\lambda }\) is the plaintext space) and randomness \(r \in \mathcal {R}_{\lambda }\) (where \(\mathcal {R}_{\lambda }\) is the randomness space), and deterministically produces the ciphertext \(c = E_{pk}(m ; r)\). Finally, the decryption algorithm takes a secret key sk and a ciphertext c, and deterministically outputs \(m = Dec_{sk}(c)\). For correctness, we require, for every \(par \in Param(1^{\lambda })\), \((pk , sk) \in G(1^{\lambda }, par)\), every m and \(c \in E_{pk}(m)\), that \(Dec_{sk}(c) = m\). We typically use \(\mathcal {PK}_{\lambda }\) and \(\mathcal {SK}_{\lambda }\) to refer to the public-key and secret-key spaces. Formally, \((\mathcal {PK}_{\lambda } , \mathcal {SK}_{\lambda }) = Sup(G(1^{\lambda }))\). We make the inclusion of Param implicit henceforth.
2.3 KeyDependentMessage Security
In this paper we consider encryption schemes whose generated secret keys are always bit-strings, but whose plaintext space may or may not be the single-bit space, e.g., it may be a group. For the latter case, in order to make the notion of bitwise encryption of the secret key meaningful, we assume that a fixed mapping (\(\{ 0 ,1\} \rightarrow \mathcal {M}_{\lambda }\)) is already in place. In the following, when we say \(E_{pk}(b)\), where b is a bit, if E is a bit encryption algorithm, then we are encrypting the actual bit b, and otherwise we are encrypting the element that b is mapped to. We now proceed to describe the notion of KDM\(^{(n)}\) security for an arbitrary encryption scheme \(\mathcal {E} = ( G, E , Dec)\) (bit encryption or otherwise).
Assume that \(F = \{ F_{\lambda }\}_{\lambda \in \mathbb {N}}\) is an ensemble of sets of functions, where for each \(f \in F_{\lambda } \), it holds that \(f : \mathcal {SK}_{\lambda }^n \rightarrow \{0,1\}\).

If \(b = 0\), the challenger returns \(E_{pk_i}(f(sk_1, \ldots , sk_n))\) in response to (i, f) and \(E_{pk_i}(m)\) in response to (i, m); and

If \(b = 1\), the challenger returns \(E_{pk_i}(0)\).
We say that \(\mathcal {E}\) is F-KDM\(^{(n)}\)-secure if for any \(\mathcal {A}\) in the above game, it holds that \(Adv^{F\text {-KDM}^{(n)}}(\mathcal {A}) = negl\).
Assume \(\mathcal {SK}_{\lambda } = \{0,1\}^{l(\lambda )}\) and let \(l = l(\lambda )\). For \(1 \le i \le n \) and \(1 \le j \le l\), define \(Sel_{i,j} :\mathcal {SK}_{\lambda }^n \mapsto \{0,1\}\) to be the function that on input \((sk_1, \ldots , sk_n)\) returns the j-th bit of \(sk_i\). Similarly, define \(NSel_{i,j}\) to be the function that on input \((sk_1, \ldots , sk_n)\) returns the negation of the j-th bit of \(sk_i\). Finally, define \(S_\lambda = \{ Sel_{i,j} :1 \le i \le n , 1 \le j \le l\}\) and \(\hat{S}_\lambda = \{ {NSel_{i,j}} :1 \le i \le n , 1 \le j \le l \}\). We now give the following definitions.

We call \(\mathcal {E}\) n-circularly secure if \(\mathcal {E}\) is F-KDM\(^{(n)}\) secure, where \(F_{\lambda }=S_{\lambda }\).

We call \(\mathcal {E}\) n-projection secure if \(\mathcal {E}\) is F-KDM\(^{(n)}\) secure for \(F_{\lambda } = S_\lambda \cup \hat{S}_\lambda \).
2.4 Leakage Resilience
We define the notion of leakage resilience. For \(\pounds = \pounds (\lambda )\), we say that the publickey encryption scheme \(\mathcal {E} = (G , E , Dec)\) is \(\pounds \)length leakage resilient if, for any adversary \(\mathcal {A}\), the \(\pounds \)leakageadvantage of \(\mathcal {A}\), \(Adv^{\pounds \text {}leak}(\mathcal {A})\), defined via the following game, is negligible.

Setup: The challenger generates \((pk , sk) \leftarrow G(1^{\lambda })\) and gives pk to \(\mathcal {A}\).

Leakage queries: \(\mathcal {A}\) sends function \(f : \mathcal {SK}_{\lambda } \rightarrow \{ 0 ,1\}^*\) to the challenger, where \(f(sk) \le \pounds \), and receives, in response, f(sk).

Challenge: \(\mathcal {A}\) submits \((m_0 , m_1) \in \mathcal {M}_{\lambda }^2\), and the challenger, samples \(b \leftarrow \{ 0 , 1\}\), and returns \(E_{pk}(m_b)\) to \(\mathcal {A}\). Finally, \(\mathcal {A}\) returns an output bit \(b'\).
We define \( Adv^{\pounds \text {-}leak}(\mathcal {A}) = \left| \Pr [ b' = 1 \mid b = 0 ] - \Pr [b' = 1 \mid b = 1 ] \right| .\) We say that \(\mathcal {E}\) is r-rate leakage resilient (or has resilience rate r) if \(\mathcal {E}\) is \(r \cdot \log |\mathcal {SK}_{\lambda }|\)-length leakage resilient.
Finally, we note that restricting \(\mathcal {A}\) in the above game to a single leakage query is without loss of generality. In particular, the security definition does not become stronger if \(\mathcal {A}\) is allowed to adaptively make multiple leakage queries, provided that the total length of the bits leaked is bounded by \(\pounds (\lambda )\). The proof of this fact is straightforward; see [1].
2.5 Properties of the Base Scheme
We give the definitions of the main properties that we need from the base private-key encryption scheme.
Definition 1
Definition 2
Henceforth, when discussing encryption schemes, we will use “homomorphic” as shorthand for “PR-additively homomorphic.”
3 Construction
We first fix some notation. Throughout this section we will be working with additive notation for groups, with 0 denoting the identity element. For \(\mathbf {g} = (g_1 , \ldots , g_p) \in \mathbb {G}^p\) and \( \mathbf {b} = (b_1, \ldots , b_p) \in \{0 , 1 \}^p\) we define \(\mathbf {b} \cdot \mathbf {g} = b_1 \cdot g_1 + \ldots + b_p \cdot g_p \in \mathbb {G}\), where \(0 \cdot g = 0\) and, for \(n \in \mathbb {N}\), \(n \cdot g = g + (n-1) \cdot g\).
We present a generic construction that transforms a reproducible, homomorphic private-key encryption scheme into a public-key bit-encryption scheme. This always produces a bit-encryption scheme, even if the base scheme is not one. In the full version we show how to adjust the construction to maintain the plaintext space, at the cost of additional syntactic assumptions (which are satisfied by our specific instantiations).
For simplicity, we present (and prove the security of) the bit-encryption construction for the case where the base scheme is also a bit-encryption scheme.
Let \(\mathcal {E} = (G, E, Dec , Hom , Rep)\) be a CPA-secure private-key bit-encryption scheme providing reproducibility (with the associated function Rep) and homomorphism (with the associated function Hom). Recall that for homomorphism, both the message space, \(\{0,1\}\), and the randomness space, \(\mathcal {R}_{\lambda }\), form groups, which implies the plaintext group is just \(\mathbb {Z}_2\). We now present the construction.
Construction 1
(Single bit encryption): Let \(\mathcal {E} = (G, E, Dec , Hom , Rep) \) be as above and let \(l = l(\lambda )\) be a value that we instantiate later.

Key generation \(G'\): Choose the secret key as \(\mathbf {s} \leftarrow \{ 0 , 1 \}^l\) and the public key as \(\left( E_{sk}(0 ; r_1), \ldots , E_{sk}(0 ; r_l) , E_{sk}(0 ; \mathbf {s} \cdot \mathbf {r}) \right) \), where \(sk \leftarrow G(1^{\lambda })\), \(r_1, \ldots , r_l \leftarrow \mathcal {R}_{\lambda }\) and \(\mathbf {r}= (r_1, \ldots , r_l) \).

Encryption \(E'\): To encrypt bit b under public key \((c_1, \ldots , c_l , c_{l+1})\), do the following: choose \(sk' \leftarrow G(1^{\lambda })\) and return \((c'_1, \ldots , c'_l , c'_{l+1})\), where \(c'_i = Rep (c_i , 0 , sk')\), for \(1 \le i \le l\), and \(c'_{l+1} = Rep (c_{l+1} , b , sk' )\).

Decryption \(Dec'\): To decrypt \(( c'_1, \ldots , c'_l , c'_{l+1})\) under secret key \(\mathbf {s}\), letting \((i_{1} , \ldots , i_{w})\) be the indices of nonzero bits of \(\mathbf {s}\), output 0 if \(c'_{l+1} = Hom \left( c'_{i_1} , \ldots , c'_{i_w} \right) \), and 1 otherwise.
The completeness of the scheme follows immediately. A few comments are in order. First, the encryption algorithm of the constructed scheme uses that of the base scheme, reusing the randomness values of the ciphertexts given in the public key. Second, the constructed decryption function does not need any secret key of the base scheme (e.g., sk) for its computation. Roughly, this is why proving circular security for the constructed scheme should not be much harder than proving CPA security. In our security proofs, we will rely on the fact that we may use the homomorphism properties of the base primitive to form public keys and encryptions in alternate, equivalent ways, as described below.
Proposition 1
1. The public key may be computed as \((c_1, \ldots , c_l , c_{l+1})\), where \(c_i \leftarrow E_{sk}(0 )\), for \(1 \le i \le l\), and \(c_{l+1} = Hom \left( c_{i_1} , \ldots , c_{i_w} \right) \), where \((i_1, \ldots , i_w)\) are the indices of nonzero bits of \(\mathbf {s}\).
2. Let \(\mathbf {s}\), \(sk'\) and \(c'_1, \ldots , c'_{l}\) be as in the definition of encryption in Construction 1. Then, \(c'_{l+1}\) may be computed as \(c'_{l+1} = Hom(c_{i_1}, \ldots , c_{i_w} , E_{sk'}(b ; 0) ),\) where \((i_1, \ldots , i_w)\) are the indices of nonzero bits of \(\mathbf {s}\).
4 Proof of Projection Security
In this section we give the proof of projection security of our constructed scheme. This section is organized as follows. In Subsect. 4.1 we review some facts related to entropy which are needed by our proofs. In Subsect. 4.2 we introduce an intermediate lemma that will be used in the proofs of our main theorems. Finally, in Subsect. 4.3 we give the proof of projection security.
4.1 Information-Theoretic Tools
Lemma 1
[16]. For any (X, Y, Z) it holds that \({\tilde{H}}_{\infty }(X \mid Y, Z) \ge {\tilde{H}}_{\infty }(X \mid Z) - \log |Sup(Y)|\).
Lemma 2
4.2 A Useful Lemma
We begin by introducing a game that will be used in proving our main results. Intuitively, the following experiment corresponds to a vector-encryption game, in which an adversary may interactively issue vectors of bits (of certain forms) to be encrypted, and each vector is component-wise encrypted under a fresh secret key while reusing randomness across each fixed component of the vectors.
The Randomness-Sharing (RS) Game. Let (G, E, Dec) be a private-key bit-encryption scheme. As some notation, for \(l \in \mathbb {N}\), we let \(\mathbf {e}_i^l \), for \(1 \le i \le l\), be the vector of size l which has 1 in the i-th position and 0 everywhere else, and \(\mathbf {e'}_i^l \), for \(1 \le i \le l\), be the vector of size l which has 1 in both its i-th position and its last position, and 0 everywhere else. We let \(\mathbf {0}^l\) be the all-0 vector of size l. Finally, for \(\mathbf {b} = (b_1, \ldots , b_l)\) and \(\mathbf {r} = (r_1, \ldots , r_l)\), we define \(E_{sk } (\mathbf {b} ; \mathbf {r}) = (E_{sk}(b_1; r_1), \ldots , E_{sk}(b_l ; r_l))\).
The game is parameterized over \(l = l({\lambda })\) and is played as follows.
Lemma 3
Assume \(\mathcal {E} = (G , E, Dec , Rep)\) is a CPA-secure private-key bit-encryption scheme that provides reproducibility. For any polynomial function \(l(\cdot )\), any adversary \(\mathcal {A}\) in the l-RS game has a negligible advantage.
Proof
Assume that \(\mathcal {A}'\) can distinguish between \(W_i\) and \(W_{i+1}\) with a non-negligible advantage. Noting that \(W_i\) and \(W_{i+1}\) only differ in the way that the answer to the i-th query is made, and that each query vector can take at most \(2 l+1\) different values, we guess the i-th query vector (that is going to be issued by \(\mathcal {A}'\)), call the LOR-CPA oracle, which is parameterized over an unknown secret key, on the guessed vector to receive \(\mathbf {c} = (c_1, \ldots , c_l)\), and start simulating \(\mathcal {A}'\) as follows: in response to the j-th query, \(\mathbf {q}_j\), for \(1 \le j < i\), we generate \(sk_j \leftarrow G(1^{\lambda })\) and return \(Rep(\mathbf {c} , \mathbf {q}_j , sk_j)\); in response to the i-th query we return \(\mathbf {c}\) (if our guess for \(\mathbf {q}_i\) was incorrect, we stop and return a random bit); and in response to the w-th query, \(\mathbf {q}_w\), for \( w > i\), we generate \(sk_w \leftarrow G(1^{\lambda })\) and return \(Rep(\mathbf {c} , \mathbf {0}^l , sk_w)\). Now it is easy to see that, if our guess for the i-th query was correct, depending on whether the CPA-challenge bit was zero or one, the resulting experiment matches exactly either \(W_i\) or \(W_{i+1}\). This completes the proof. \(\square \)
4.3 Proof of Projection Security
We first give the proof of 1-projection security of our scheme, building on techniques from [9], which in turn generalize the DDH-based techniques of [8].
Theorem 1
Let \(\mathcal {E} = (G , E , Dec , Hom, Rep )\) be a CPA-secure private-key bit-encryption scheme providing degenerate homomorphism and reproducibility. Then, by taking \(l = l({\lambda })= \omega (\log \lambda ) + \log \left( | \mathcal {R}_{\lambda } | \right) \), the scheme built in Construction 1 is 1-projection secure.
Proof

enc-secret(i): encrypt the i-th bit of the secret key; and

enc-secret(\(\bar{i}\)): encrypt the negation of the i-th bit of the secret key.
We introduce a series of hybrid games and show that no adversary can distinguish between any two adjacent games. The first game corresponds to the real-encryption circular-security game, while the last game is the one where we always encrypt 0. Letting \(x_i\) be the adversary’s output in Game i, we write Game \(i \equiv ^G\) Game j to indicate \(\left| \Pr [x_i = 1] - \Pr [x_j = 1] \right| = negl\). In all these games, whenever we write, say, \(sk' \leftarrow G(1^{\lambda })\) we mean that \(sk'\) is chosen freshly, so we may keep using the same variable \(sk'\) inside each game whenever we are producing a new key. Let \(\mathcal {R} = \mathcal {R}_{\lambda }\) for the following discussion. Also, recall the notation \(E_{sk}(\mathbf {b}; \mathbf {r})\) introduced in Subsect. 4.2. Below we write \(\mathbf {e}_i\) as shorthand for \(\mathbf {e}_i^l\).
\(\underline{\text{Game-0: Real Encryption.}}\) This game provides the adversary with a view that is identical to that under the projection security game in which the challenge bit is zero. The identical view is produced by using the algorithm Hom to produce the public key and to reply to encryption queries (see Proposition 1).
The adversary is given \((c_1, \ldots , c_l, Hom(c_{i_1}, \ldots , c_{i_w})) \) as the public key, where \((c_1, \ldots , c_l) = E_{sk}(\mathbf {0}^l ; \mathbf {r})\) and \(sk \leftarrow G(1^{\lambda })\).
In response to enc-secret(i) we return \((c'_1, \ldots , c'_l , Hom(c'_{i_1}, \ldots , c'_{i_w}, E_{sk'}(\mathbf {s}_i; 0)))\), where \((c'_1, \ldots , c'_l) = E_{sk'}(\mathbf {0}^l ; \mathbf {r})\) and \(sk' \leftarrow G(1^{\lambda })\). Again we emphasize that \(sk'\) is chosen freshly for each query.
In response to enc-secret(\(\bar{i}\)) we return \((c''_1, \ldots , c''_l , Hom(c''_{i_1}, \ldots , c''_{i_w}, E_{sk''}(\bar{\mathbf {s}_i} ; 0)))\), where \((c''_1, \ldots , c''_l) = E_{sk''}(\mathbf {0}^l ; \mathbf {r})\) and \(sk'' \leftarrow G(1^{\lambda })\).

The adversary is given \((c_1, \ldots , c_l, Hom(c_{i_1}, \ldots , c_{i_w})) \) as the public key, where \((c_1, \ldots , c_l) = E_{sk}(\mathbf {0}^l ; \mathbf {r})\), for \(sk \leftarrow G(1^{\lambda })\).

In response to enc-secret(i) we return \((c'_1, \ldots , c'_l , Hom(c'_{i_1}, \ldots , c'_{i_w}, E_{sk'}(\mathbf {s}_i; 0)))\), where \((c'_1, \ldots , c'_l) = E_{sk'}(\mathbf {e}_i ; \mathbf {r})\) and \(sk' \leftarrow G(1^{\lambda })\).

In response to enc-secret(\(\bar{i}\)) we return \((c''_1, \ldots , c''_l , Hom(c''_{i_1}, \ldots , c''_{i_w}, E_{sk''}(\bar{\mathbf {s}_i}; 0)))\), where \((c''_1, \ldots , c''_l) = E_{sk''}(\mathbf {e}_i; \mathbf {r})\) and \(sk'' \leftarrow G(1^{\lambda })\).
We claim that the difference between Game-0 and Game-1 can be simulated through the l-RS game. The reason is that if we know \(\mathbf {s}\), then we can compute \(Hom(c'_{i_1}, \ldots , c'_{i_w}, E_{sk'}(\mathbf {s}_i; 0))\) from \((c'_1, \ldots , c'_l)\) even if we do not have \(sk'\): note that here we are using the degenerate condition of the homomorphism property. A similar argument holds with respect to \(c\) and \(c''\). Moreover, for every \(1 \le j \le l\), the ciphertexts \(c_j\), \(c'_j\) and \(c''_j\) were formed under the same randomness. Thus, we can reduce any distinguisher between Game-0 and Game-1 to an l-RS game adversary \(\mathcal {A}\) as follows: \(\mathcal {A}\) samples \(\mathbf {s} \leftarrow \{0,1\}^l\) and lets \((i_1, \ldots , i_w)\) be the indices of nonzero bits of \(\mathbf {s}\); it calls its RS-oracle on \(\mathbf {0}^l\) to receive \((c_1, \ldots , c_l)\) and then returns \((c_1, \ldots , c_l, Hom(c_{i_1}, \ldots , c_{i_w}) )\) as the public key; it responds to enc-secret(i) by first calling its oracle on \(\mathbf {e}_i\) to get \((c'_1, \ldots , c'_l)\) and then returning \((c'_1, \ldots , c'_l , Hom(c'_{i_1}, \ldots , c'_{i_w}, E_{sk'}(\mathbf {s}_i; 0)))\); it responds to enc-secret(\(\bar{i}\)) in a similar way. Thus, by Lemma 3 we obtain that Game-0 \(\equiv ^G\) Game-1.
\(\underline{\text{Game-2}}\): This game proceeds exactly as Game-1, except that we now sample \(r_{l+1}\) independently of all other \(r_i\)’s. Namely, we sample \((r_1, \ldots , r_l , r_{l+1}) \leftarrow \mathcal {R}^{l+1}\) and run the game by forming the public key and the responses to the adversary’s queries exactly as in Eq. 1. Notice that the entire game can be simulated by knowing only \((r_1, \ldots , r_l, r_{l+1})\): we generate the public key and answer enc-secret queries by sampling \(sk, sk'\) and \(sk''\) on our own and forming the outputs as spelled out by Eq. 1. (Here we are exploiting the fact that the bits of \(\mathbf {s}\) never appear as a plaintext under E in Eq. 1.) Thus, since \(l = \omega (\log \lambda ) + \log \left( | \mathcal {R} | \right) \) and the inner product is a family of universal hash functions, by Lemma 2 (indeed by the Leftover Hash Lemma, which is a special case of Lemma 2) we obtain that the statistical distance between \((\mathbf {r}, \mathbf {s} \cdot \mathbf {r})\) and a tuple chosen uniformly at random from \(\mathcal {R}_{\lambda }^{l+1}\) is at most \(\sqrt{ 1 /2^{\omega (\log \lambda )}} = negl(\lambda )\), and thus Game-1 \(\equiv ^G\) Game-2.
We give the statement of n-projection security below, and give the proof in the full version [24].
Theorem 2
Let \(\mathcal {E} = (G , E , Dec, Hom, Rep )\) be a CPA-secure private-key bit-encryption scheme providing degenerate homomorphism and reproducibility. For any constant \(c > 1\), by taking \(l = n \log \left( | \mathcal {R}_{\lambda } | \right) + \omega (\log \lambda ) \), the scheme built in Construction 1 is n-projection secure.
5 Proof of Leakage Resilience
The following theorem shows the leakage resilience property of our scheme.
Theorem 3
Let \(\mathcal {E} = (G , E , Dec, Hom, Rep )\) be a CPA-secure private-key bit-encryption scheme providing degenerate homomorphism and reproducibility. Then, the scheme built in Construction 1 is \((l - \log | \mathcal {R}_{\lambda }| - u )\)-length leakage resilient, for any \(u \in \omega (\log \lambda )\). Moreover, by taking \(l = \omega (\log |\mathcal {R}_{\lambda }| + u )\), the constructed scheme achieves a \( (1 - o(1))\) resilience rate.
Proof
\(\underline{\text{Game-0}}\): In this game we reply to the adversary’s queries exactly as in the actual leakage game, where the challenge bit is b. Thus, at the end of the game, the view of the adversary is \((c_1, \ldots , c_l, c_{l+1} , f(\mathbf {s}) , c'_1, \ldots , c'_l , c'_{l+1})\), produced as follows: \(\mathbf {s} \leftarrow \{0,1\}^l\), \(\mathbf {r} = (r_1, \ldots , r_l) \leftarrow \mathcal {R}_{\lambda }^l\), \(r_{l+1} = \mathbf {s} \cdot \mathbf {r} \), \(sk \leftarrow G(1^{\lambda })\), \(sk' \leftarrow G(1^{\lambda })\), \(c_i = E_{sk}(0; r_i)\), for \(1 \le i \le l+1\), \(c'_j = E_{sk'}(0; r_j)\), for \(1 \le j \le l\), and \(c'_{l+1} = E_{sk'}(b ; r_{l+1})\).

form the public key as \((c_1, \ldots , c_l, c''_{l+1})\), where \(sk \leftarrow G(1^{\lambda })\), \(c_i = E_{sk}(0; r_i)\), for \(1 \le i \le l\), and \(c''_{l+1} = Hom(c_{h_1} , \ldots , c_{h_w})\);

reply to the leakage query f with \(f(\mathbf {s})\);
return \((c'_1, \ldots , c'_l , c'''_{l+1})\) as the challenge ciphertext, where \(\mathbf {b} = (b_1, \ldots , b_l) \leftarrow \{0,1\}^l\), \(sk' \leftarrow G(1^{\lambda })\), \(c'_j = E_{sk'}(b_j; r_j)\), for \(1 \le j \le l\), and \(c'''_{l+1} = Hom(c'_{h_1} , \ldots , c'_{h_w} , E_{sk'}(b; 0))\).
6 Realizations
We show how to realize our base encryption primitive under various number-theoretic assumptions. In Subsect. 6.1 we formulate an abstraction, called homomorphic weak pseudorandom functions, and use it to realize our encryption primitive. Then in Subsect. 6.2 we give realizations of such pseudorandom functions using homomorphic hash-proof systems. Finally, in Subsect. 6.3 we show how to realize our encryption primitive under subgroup indistinguishability.
6.1 Realizations from Homomorphic Weak PRFs
We introduce the notion of homomorphic weak pseudorandom functions (PRFs), which is a homomorphic version of the notion of weak PRFs, introduced by Naor and Reingold [34].
Let \(K = \{ K_{\lambda }\}_{\lambda \in \mathbb {N}}\), \(D = \{ D_{\lambda } \}_{\lambda \in \mathbb {N}}\) and \(R = \{ R_{\lambda }\}_{\lambda \in \mathbb {N}}\) be ensembles of sets. For each security parameter \(\lambda \) and each \(k \in K_{\lambda }\) we have an associated function \(f_k : D_{\lambda } \rightarrow R_{\lambda }\). We let \(F_{\lambda } = \{ f_k \mid k \in K_{\lambda } \}\) and \(F = \{ F_{\lambda }\}_{\lambda \in \mathbb {N}}\). The following is the definition of weak pseudorandomness for a function family.
Definition 3
Note that a PRF in the standard sense is trivially a weak PRF.
Let F be as above. We call F homomorphic if for every \(\lambda \in \mathbb {N}\), both \(D_{\lambda }\) and \(R_{\lambda }\) are groups, and for every \(k \in K_{\lambda }\), the function \(f_k \) is a homomorphism from \(D_{\lambda }\) to \(R_{\lambda }\).
Now we show that the standard method of constructing CPA-secure private-key encryption from a PRF, when applied to a homomorphic weak PRF, results in the kind of encryption primitive we need.
Lemma 4
Assuming the existence of a homomorphic weak pseudorandom function family, there exists a CPA-secure private-key encryption scheme which is degenerately homomorphic and reproducible.
Proof
Let F be a homomorphic weak PRF with the associated set parameters given above (i.e., \(K_{\lambda }\), etc.). Construct \(\mathcal {E} = (G , E , Dec)\), with plaintext space \(R_{\lambda }\) and randomness space \(D_{\lambda }\), as follows: \(G(1^{\lambda })\) returns \(k \leftarrow K_{\lambda }\); \(E_{k}(p_1 ; d_1) \) returns \((d_1 , f_k(d_1)+p_1)\); and \(Dec_{k}(d, r)\) returns \(r - f_k(d)\). CPA-security, homomorphism and reproducibility of \(\mathcal {E}\) are clear. Finally, note that since \(f_k(0) = 0\), we have \(E_{k}(p ; 0) = (0 , p)\), which verifies the degenerate case of homomorphism. \(\square \)
6.2 Homomorphic Hash-Proof Systems to Homomorphic Weak PRFs
We first review the notion of a homomorphic hash-proof system (HHPS), originally defined in [13]. Then we realize homomorphic weak PRFs using an HHPS.
The efficient private evaluation algorithm \(\mathsf {Priv}\) takes as input \(\mathsf {sk} \in \mathsf {SK}\) and \(\mathsf {c} \in \mathsf {C}\), and deterministically computes \(\mathsf {Priv}_{\mathsf {sk}}(\mathsf {c}) = \mathsf {\Lambda }( \mathsf {sk} , \mathsf {c})\). The efficient public evaluation algorithm \(\mathsf {Pub}\) takes as input \(\mathsf {pk} = \mathsf {\mu }(\mathsf {sk})\), \(\mathsf {c} \in \mathsf {C}_v\) and a witness \(\mathsf {w_c}\) for \(\mathsf {c}\), and deterministically computes \( \mathsf {Pub}_{\mathsf {pk}} ( \mathsf {c} , \mathsf {w_c}) = \mathsf {\Lambda }( \mathsf {sk} , \mathsf {c}) \). Finally, we require \(\mathsf {HHPS}\) to satisfy the following properties.
Smoothness: It holds that \(\varDelta \left[ \left( \mathsf {pk} , \mathsf {Priv}_{\mathsf {sk}}(\mathsf {c}) , \mathsf {c} \right) , \left( \mathsf {pk} , \mathsf {k} , \mathsf {c} \right) \right] = negl(\lambda ),\) where \(\mathsf {c} \leftarrow \mathsf {C} \setminus \mathsf {C}_v\), \(\mathsf {k} \leftarrow \mathsf {K}\), \(\mathsf {sk} \leftarrow \mathsf {SK}\) and \(\mathsf {pk} = \mu (\mathsf {sk})\).
Theorem 4
Assuming the existence of an HHPS, there exists a homomorphic weak PRF.
Proof
6.3 Realization Under Subgroup Indistinguishability Assumptions
For the sake of clarity, in this section we give an instantiation of our encryption primitive based only on the quadratic residuosity assumption, which is a special case of the subgroup indistinguishability (SG) assumption. We leave the general SG-based instantiation to the full version [24].
We first start by reviewing the quadratic residuosity assumption. For an RSA number N (i.e., \(N = p q\), where p and q are distinct odd primes) we use \(\mathcal {QR}_N\) to denote the subset of \(\mathbb {Z}^*_{N}\) consisting of quadratic residues modulo N, and let \(\mathcal {J}_N\) denote the set of elements in \(\mathbb {Z}^*_{N}\) with Jacobi symbol one. Finally, we define \(\mathcal {QNR}_N = \mathcal {J}_N \setminus \mathcal {QR}_N \).
Assume that \(\mathsf {RSAGen} (1^{\lambda })\) is a PPT algorithm that on input \(1^{\lambda }\) generates a Blum integer N, i.e., \(N = p q\) with p and q being distinct primes satisfying \(p, q \equiv 3 \pmod {4}\). We stress here that we do not need \(\mathsf {RSAGen} (1^{\lambda })\) to output the factorization of N as well. We say that the quadratic residuosity (QR) problem is hard under \(\mathsf {RSAGen}\) if \(\{N , U (\mathcal {QR}_N ) \}_{\lambda \in \mathbb {N}}\) is computationally indistinguishable from \(\{ N , U ( \mathcal {QNR}_N ) \}_{\lambda \in \mathbb {N}}\), where N is generated according to \(\mathsf {RSAGen}(1^{\lambda })\).
Theorem 5
Assuming the quadratic residuosity assumption holds for \(\mathsf {RSAGen}\), there exists a CPA-secure private-key bit-encryption scheme that is both reproducible and homomorphic.
Proof

\(G(1^{\lambda })\): Choose the secret key as \(x \leftarrow \mathbb {Z}_{N^2}\);

\(E_{x}(b ; g)\): return \((g , (-1)^b g^{x})\);

\(Dec_{x}(g_1 , g_2)\): return \(b \in \{0,1\}\) if \(g_2 = (-1)^b g_1^x\).
We first verify the syntactic properties required of the scheme. Notice that given an encryption \((g , (-1)^b g^{x_1}) \) (of an arbitrary bit b) under \(x_1\), we can efficiently obtain the encryption of an arbitrary bit \(b_1\) under the same randomness, g, relative to a secret key \(x_2\) by simply outputting \((g , (-1)^{b_1} g^{x_2} )\). This verifies the reproducibility property. As for homomorphism, from \((g_1 , (-1)^{b_1} g_1^{x}) \) and \((g_{2} , (-1)^{b_2} g_2^{x}) \), we can easily derive \((g_1 g_2 , (-1)^{b_1+b_2} (g_1 g_2)^x)\), which is the encryption of \(b_1+b_2\) under randomness \(g_1 g_2\) (relative to the same unknown secret key x). Note that as the randomness group here is multiplicative, we will denote the identity element by 1. We then have that \(E_{x}(b; 1) = (1, (-1)^b)\), independently of x. This verifies the degenerate case of homomorphism.
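The following added example (not code from the paper) runs Construction 1 of Sect. 3 end to end on top of the QR-based base scheme just described, and checks both equalities of Proposition 1 that the security proofs rely on. It assumes a fixed, tiny Blum integer N (toy only, no security), that the randomness space is \(\mathcal{QR}_N\) with the multiplicative reading of \(\mathbf{s} \cdot \mathbf{r}\) as the product of the \(r_i\) with \(s_i = 1\), and that Rep and Hom are the component-wise operations of the text.

```python
"""Toy run of Construction 1 over the QR-based base scheme (Sect. 6.3).

Added example, not the paper's code.  Assumptions: a fixed toy Blum integer
N (insecure size; real use needs a ~2048-bit N), randomness drawn from QR_N,
s.r read multiplicatively as prod_{s_i = 1} r_i, and Rep/Hom as the
component-wise operations described in the text.
"""
import math
import random

# Constructed toy Blum integer: both primes are 3 mod 4.  Far too small for security.
P, Q = 1019, 1031
N = P * Q


def make_rng(seed):
    """Seeded PRNG so a run is reproducible (toy only; use os.urandom in practice)."""
    return random.Random(seed)


def sample_qr(rng):
    """Uniform element of QR_N, obtained by squaring a random unit mod N."""
    while True:
        a = rng.randrange(2, N)
        if math.gcd(a, N) == 1:
            return a * a % N


# ---- base private-key bit-encryption scheme (Sect. 6.3) ----
def base_gen(rng):
    """G(1^lambda): secret key x <- Z_{N^2}."""
    return rng.randrange(N * N)


def base_enc(x, b, g):
    """E_x(b; g) = (g, (-1)^b * g^x mod N)."""
    return (g, (-1) ** b * pow(g, x, N) % N)


def base_dec(x, ct):
    """Dec_x(g1, g2): the bit b with g2 = (-1)^b * g1^x mod N."""
    g1, g2 = ct
    h = pow(g1, x, N)
    if g2 == h:
        return 0
    if g2 == (-h) % N:
        return 1
    raise ValueError("malformed ciphertext")


def rep(ct, b, x_new):
    """Rep(c, b, x_new): encrypt b under x_new reusing the randomness g carried by c."""
    return base_enc(x_new, b, ct[0])


def hom(*cts):
    """Hom: component-wise product mod N.  The empty product is the identity (1, 1);
    E_x(b; 1) = (1, (-1)^b) is the degenerate case the proofs use."""
    g, h = 1, 1
    for g_i, h_i in cts:
        g, h = g * g_i % N, h * h_i % N
    return (g, h)


# ---- Construction 1 (Sect. 3) on top of the base scheme ----
def nonzero_indices(s):
    return [i for i, s_i in enumerate(s) if s_i]


def pk_gen(l, rng, s=None):
    """G': secret key s in {0,1}^l (optionally fixed, e.g. all-zero for the edge case);
    public key (E_x(0; r_1), ..., E_x(0; r_l), E_x(0; s.r))."""
    if s is None:
        s = [rng.randrange(2) for _ in range(l)]
    x = base_gen(rng)
    r = [sample_qr(rng) for _ in range(l)]
    s_dot_r = 1                       # multiplicative s.r = prod_{s_i = 1} r_i
    for i in nonzero_indices(s):
        s_dot_r = s_dot_r * r[i] % N
    pk = [base_enc(x, 0, r_i) for r_i in r] + [base_enc(x, 0, s_dot_r)]
    return pk, s


def pk_enc_with_key(pk, b, x_new):
    """E' with the fresh base key x_new made explicit (needed to check Prop. 1, item 2)."""
    *head, last = pk
    return [rep(c, 0, x_new) for c in head] + [rep(last, b, x_new)]


def pk_enc(pk, b, rng):
    """E': sample a fresh base key and reuse the randomness of the public key."""
    return pk_enc_with_key(pk, b, base_gen(rng))


def pk_dec(s, ct):
    """Dec': 0 iff the last component equals Hom over the positions where s_i = 1.
    No base-scheme secret key is needed, as the text points out."""
    return 0 if ct[-1] == hom(*(ct[i] for i in nonzero_indices(s))) else 1


def proposition1_holds(pk, s, ct, b, x_new):
    """Both alternative ways of forming pk and c'_{l+1} given in Proposition 1."""
    idx = nonzero_indices(s)
    item1 = pk[-1] == hom(*(pk[i] for i in idx))
    item2 = ct[-1] == hom(*(ct[i] for i in idx), base_enc(x_new, b, 1))
    return item1 and item2


if __name__ == "__main__":
    rng = make_rng(1)
    pk, s = pk_gen(16, rng)
    for b in (0, 1):
        x_new = base_gen(rng)
        ct = pk_enc_with_key(pk, b, x_new)
        print(b, pk_dec(s, ct), proposition1_holds(pk, s, ct, b, x_new))
```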
7 Extensions
In this section we discuss some extensions and complementary results. In Subsect. 7.1 we show that our constructed scheme provides auxiliary-input security. In Subsect. 7.2 we show that an existing KDM-amplification construction preserves leakage resilience.
7.1 Auxiliary-Input Security
We first give the definitions related to auxiliary-input security.
Background. Let \(\mathcal {E} = (G, E, Dec)\) be an encryption scheme with public-key, secret-key and message spaces, respectively, \(\mathcal {PK}_{\lambda }\), \(\mathcal {SK}_{\lambda }\) and \(\mathcal {M}_{\lambda }\). Throughout this section we use f to refer to a function with domain \((\mathcal {PK}_{\lambda } , \mathcal {SK}_{\lambda } )\) and range \(\mathcal {SK}_{\lambda }\). We follow the notation of [9]. For \(\mathcal {E} = (G, E , Dec)\) we define f weak inversion and f strong inversion as follows. We say that f is \(\epsilon \)-strongly-uninvertible under \(\mathcal {E}\) if for any adversary \(\mathcal {A}\), the probability that \(\mathcal {A}\) outputs sk when given (f(pk , sk) , pk) is at most \(\epsilon (\lambda )\), where the probability is taken over \(\mathcal {A}\)’s random coins and \((pk ,sk) \leftarrow G(1^{\lambda })\). Also, we say that f is \(\epsilon \)-weakly-uninvertible under \(\mathcal {E}\) if for any adversary \(\mathcal {A}\), the probability that \(\mathcal {A}\) outputs sk when given f(pk, sk) is at most \(\epsilon (\lambda )\), where the probability is taken over \(\mathcal {A}\)’s random coins and \((pk ,sk) \leftarrow G(1^{\lambda })\). Let \(Aux_{\epsilon }^{st}\) be the class of all \(\epsilon \)-strongly-uninvertible functions and \(Aux_{\epsilon }^{wk}\) be the class of all \(\epsilon \)-weakly-uninvertible functions. Note that \(Aux_{\epsilon }^{st} \subseteq Aux_{\epsilon }^{wk}\).
We now show that the encryption scheme produced by Construction 1 provides auxiliary-input security. We first consider weak-auxiliary-input security and then discuss the extension to the strong-auxiliary case.
Theorem 6
Let \(\mathcal {E} = (G , E , Dec, Hom, Rep )\) be a CPA-secure private-key bit-encryption scheme providing degenerate homomorphism and reproducibility. Let \(\mathcal {E}'\) be the scheme constructed from \(\mathcal {E}\) using Construction 1. For any poly-bounded \(l = l(\lambda )\) and negligible function \(\epsilon = \epsilon (\lambda )\), it holds that \(\mathcal {E}'\) is \(\epsilon \)-weakly-auxiliary-input secure.\(^{6}\)
The proof of Theorem 6 follows similarly to that of Theorem 3, except for one step, where we replace real-randomness extraction with pseudorandomness extraction. We first give the following theorem, due to Goldreich and Levin [22], where we follow the presentation of [14], adapted to the binary field.
Theorem 7
We now give the proof of Theorem 6, using ideas from [14].
Proof
By the assumption of the theorem, we know that it is \(\epsilon \)-hard to recover \(\mathbf {s}\) from \((PK , f(PK , \mathbf {s}) )\). Now Eq. 14 follows from Theorem 7, by defining the randomized function \(h(\mathbf {s}) = ( PK , f( PK , \mathbf {s}))\), where all the variables are sampled as above. Formally, if there is an adversary that can distinguish between the distributions in Eq. 14 with a non-negligible probability, then there exists an adversary that, with a non-negligible probability, recovers \(\mathbf {s}\) from \(h(\mathbf {s}) = ( PK , f( PK , \mathbf {s}))\), which contradicts the first sentence of this paragraph.
Remark 1
As in previous work [9, 14] we can prove strong auxiliary-input security for \(\mathcal {E}'\) with respect to subexponentially-hard functions by working with a modification of Construction 1, letting \((c_1, \ldots , c_l) = (E_{sk}(0; r_1), \ldots , E_{sk}(0; r_l))\) be the public parameters of the scheme, and letting the public key be computed, under secret key \(\mathbf {s}\), as \(Hom(c_{i_1}, \ldots , c_{i_w})\), where \(( i_1, \ldots , i_w )\) are the indices of nonzero bits of \(\mathbf {s}\). Now since a public key under the new scheme has at most \(l' = |\mathcal {R}_{\lambda }|\) different values, we can obtain \(\frac{\epsilon }{l'}\)-strong auxiliary-input security from \(\epsilon \)-weak-auxiliary-input security. This last step follows since, for any scheme with \(l'\) different public keys, if recovering sk from f(pk, sk) is \(\epsilon /l'\)-hard (i.e., succeeds with probability at most \(\epsilon /l'\)), then recovering sk from (f(pk, sk) , pk) is \(\epsilon \)-hard. Finally, we mention that the proof of multiple-key circular security (Theorem 2) extends to the setting above, which contains public parameters.
7.2 KDM Amplification
We show that Applebaum’s KDM-amplification method [3], which, informally speaking, shows that projection security is sufficient for obtaining “rich-KDM” security, preserves both types of leakage resilience. For simplicity, we focus on the case of bit encryption and 1-KDM security.
As notation, we identify an efficiently computable function \(f = \{f_{\lambda } :\{0,1\}^{l(\lambda )} \mapsto \{0 , 1\}\}_{\lambda \in \mathbb {N}}\) with an ensemble of circuits \(\{c_{\lambda } \}_{\lambda \in \mathbb {N}}\), and say that f has size \(p = p(\lambda ) \) if, for any \(\lambda \), the circuit \(c_{\lambda }\) has size at most p. We say an ensemble of sets of functions \(F = \{F_{\lambda } \}_{\lambda \in \mathbb {N}}\) is p-bounded if for every \(\lambda \) and every \(f \in F_{\lambda }\), f has size p. The following theorem is a special case of the results of [3].
Theorem 8
[3]. Assume that \(F = \{F_{\lambda } \}_{\lambda }\) is a fixed p-bounded ensemble of sets of functions and \(\mathcal {E} = (G , E , Dec)\) is a 1-projection-secure public-key encryption scheme. The scheme \(\mathcal {E}' = (G , E', D')\), constructed below, is F-KDM\(^{(1)}\)-secure: \(E'_{pk}(b) = E_{pk}(Sim(b))\) and \(D'_{sk}(C) = Rec(D_{sk}(C))\). Here Sim is a randomized function and Rec is a deterministic function, both of which are constructed based on F, through the procedure of randomized encoding of functions. The details of Sim and Rec are not important for our analysis, but we refer the reader to [3] for further details.
Theorem 9
Let \(\mathcal {E}\) and \(\mathcal {E}'\) be as in Theorem 8. Then, assuming that \(\mathcal {E}\) is r-rate leakage resilient (resp., \(\epsilon \)-auxiliary-input secure), \(\mathcal {E}'\) is r-rate leakage resilient (resp., \(\epsilon \)-auxiliary-input secure).
Proof
This follows by noting that the constructed scheme \(\mathcal {E}'\) has the same key generation algorithm as \(\mathcal {E}\). We consider the leakage resilience case; the proof for the auxiliary-input case is entirely the same. Assume \(\mathcal {A}'\) wins against the \(\ell \)-length leakage resilience of \(\mathcal {E}'\); we build \(\mathcal {A}\) that breaks the \(\ell \)-length leakage resilience of \(\mathcal {E}\) by simulating \(\mathcal {A}'\) as follows: \(\mathcal {A}\) runs \(\mathcal {A}'(pk)\), where pk is the public key that \(\mathcal {A}\) receives; when \(\mathcal {A}'\) submits the leakage query f, \(\mathcal {A}\) makes the same query to its oracle and gives f(sk) to \(\mathcal {A}'\); finally, when \(\mathcal {A}'\) submits \((b_0, b_1)\), \(\mathcal {A}\) submits \((Sim(b_0), Sim(b_1))\) to its oracle and gives the returned ciphertext to \(\mathcal {A}'\). Thus, \(\mathcal {A}\) achieves the same advantage as \(\mathcal {A}'\) does, and the proof is complete. \(\square \)
We now obtain the following corollary, by combining Theorems 2, 3, 6 and 9.
Corollary 1
Assuming the existence of a CPA-secure private-key scheme with reproducibility and degenerate homomorphism, for any poly p and any fixed p-bounded function family F, there exists a scheme \(\mathcal {E}'\) which (at the same time) (1) is F-KDM secure, (2) achieves a \((1 - o(1))\) resilience rate, and (3) is auxiliary-input secure against subexponentially-hard functions.
Footnotes
1. Note that this is different from asking whether CPA-secure bit encryption implies the existence of circularly-secure bit encryption.
2. Both these conditions were used implicitly by Peikert and Waters as the main building blocks for their construction of lossy-trapdoor functions [37].
3. The actual assumption we need is substantially weaker. However, we leave it this way for the sake of readability. In fact, under all concrete schemes we present, \(E_{sk}(m; 0)\) depends only on m and is independent of sk.
4. The domain and the key spaces may themselves come with an associated distribution, but we leave this point implicit for simplicity.
5. We remark that in many settings the homomorphism of \(\mathsf {C}_v\) is implied by that of \(\mathsf {C}\), especially in the standard setting, where the set of valid ciphertexts is defined as those for which the value of \(\mathsf {\Lambda } (\mathsf {sk} , \cdot )\), for any \(\mathsf {sk}\), is determined solely by the ciphertext itself and \( \mathsf {\mu }(\mathsf {sk})\). However, we put it as a separate condition just to be as general as possible.
6. In order for the statement to be useful, it should hold that \(\frac{1}{2^l} \le \epsilon \), because otherwise the statement is vacuously true, as \(Aux_{\epsilon }^{st} = Aux_{\epsilon }^{wk} = \emptyset \).
Acknowledgments
We would like to thank Josh Benaloh and Dan Boneh for helpful discussions.
References
1. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)
2. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert [21], pp. 113–134
3. Applebaum, B.: Key-dependent message security: generic amplification and completeness. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 527–546. Springer, Heidelberg (2011)
4. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)
5. Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert [21], pp. 423–444
6. Bellare, M., Boldyreva, A., Staddon, J.: Randomness re-use in multi-recipient encryption schemes. In: PKC 2003, pp. 85–99 (2003)
7. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2002)
8. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)
9. Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010)
10. Brakerski, Z., Goldwasser, S., Kalai, Y.T.: Black-box circular-secure encryption beyond affine functions. In: Ishai [28], pp. 201–218
11. Brakerski, Z., Segev, G.: Better security for deterministic public-key encryption: the auxiliary-input setting. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 543–560. Springer, Heidelberg (2011)
12. Choi, S.G., Wee, H.: Lossy trapdoor functions from homomorphic reproducible encryption. Inf. Process. Lett. 112(20), 794–798 (2012)
13. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)
14. Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010)
15. Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: STOC 2009, pp. 621–630 (2009)
16. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
17. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: STOC 1991, pp. 542–552 (1991)
18. Dwork, C. (ed.): Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 17–20 May 2008. ACM (2008)
19. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS 2008, pp. 293–302 (2008)
20. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork [18], pp. 197–206
21. Gilbert, H. (ed.): EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010)
22. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Johnson, D.S. (ed.) Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, USA, 14–17 May 1989, pp. 25–32. ACM (1989)
23. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
24. Hajiabadi, M., Kapron, B.M., Srinivasan, V.: On generic constructions of circularly-secure, leakage-resilient public-key encryption schemes. IACR Cryptology ePrint Archive 2015, p. 741 (2015)
25. Halevi, S., Lin, H.: After-the-fact leakage in public-key encryption. In: Ishai [28], pp. 107–124
26. Hazay, C., López-Alt, A., Wee, H., Wichs, D.: Leakage-resilient cryptography from minimal assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 160–176. Springer, Heidelberg (2013)
27. Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 108–126. Springer, Heidelberg (2008)
28. Ishai, Y. (ed.): TCC 2011. LNCS, vol. 6597. Springer, Heidelberg (2011)
29. Kiltz, E., Pietrzak, K., Stam, M., Yung, M.: A new randomness extraction paradigm for hybrid encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 590–609. Springer, Heidelberg (2009)
30. Koppula, V., Ramchen, K., Waters, B.: Separations in circular security for arbitrary length key cycles. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 378–400. Springer, Heidelberg (2015)
31. Malkin, T., Teranishi, I., Yung, M.: Efficient circuit-size independent public key encryption with KDM security. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 507–526. Springer, Heidelberg (2011)
32. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)
33. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudorandom functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999)
34. Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of pseudorandom functions. J. Comput. Syst. Sci. 58(2) (1999)
35. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012)
36. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990, pp. 427–437 (1990)
37. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork [18], pp. 187–196
38. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
39. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93 (2005)
40. Rothblum, R.: Homomorphic encryption: from private-key to public-key. In: Ishai [28], pp. 219–234
41. Rothblum, R.D.: On the circular security of bit-encryption. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 579–598. Springer, Heidelberg (2013)
42. Wee, H.: KDM-security via homomorphic smooth projective hashing. IACR Cryptology ePrint Archive 2015, p. 721 (2015)