A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy

Fuller, Benjamin; O’Neill, Adam; Reyzin, Leonid

doi:10.1007/s00145-013-9174-5

Cited by 24 publications

(14 citation statements)

References 62 publications

(174 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This simple transformation meets the strongest notion of security that has been proposed for deterministic encryption (that is, PRIV security) in the ROM if the underlying encryption scheme is IND-CPA secure. Standard-model constructions, on the other hand, achieve weaker levels of security, e.g., security against block sources [10,22] or q-bounded adversaries [38,29]. To this end, we ask if any hash function can be used to instantiate the random oracle within the EwH transform.…”

Section: Overview Of Bfmmentioning

confidence: 99%

Random-Oracle Uninstantiability from Indistinguishability Obfuscation

Brzuska

Farshim

Mittelbach

2015

Theory of Cryptography

View full text Add to dashboard Cite

Assuming the existence of indistinguishability obfuscation (iO), we show that a number of prominent transformations in the randomoracle model are uninstantiable in the standard model. We start by showing that the Encrypt-with-Hash transform of Bellare, Boldyreva and O'Neill (CRYPTO 2007) for converting randomized public-key encryption schemes to deterministic ones is not instantiable in the standard model. To this end, we build on the recent work of Brzuska, Farshim and Mittelbach (CRYPTO 2014) and rely on the existence of iO for Turing machines or for circuits to derive two flavors of uninstantiability. The techniques that we use to establish this result are flexible and lend themselves to a number of other transformations such as the classical Fujisaki-Okamoto transform (CRYPTO 1998) and transformations akin to those by Bellare and Keelveedhi (CRYPTO 2011) and Douceur et al. (ICDCS 2002) for obtaining KDM-secure encryption and de-duplication schemes respectively. Our results call for a re-assessment of scheme design in the random-oracle model and highlight the need for new transforms that do not suffer from iO-based attacks.

show abstract

Section: Overview Of Bfmmentioning

confidence: 99%

Random-Oracle Uninstantiability from Indistinguishability Obfuscation

Brzuska

Farshim

Mittelbach

2015

Theory of Cryptography

View full text Add to dashboard Cite

show abstract

“…The notion of public-key deterministic encryption was introduced by Bellare, Boldyreva, and O'Neill [2], and then further studied by Bellare, Fischlin, O'Neill, and Ristenpart [4], Boldyreva, Fehr, and O'Neill [8], Brakerski and Segev [10], Wee [26], and Fuller, O'Neill and Reyzin [18]. Bellare et al [2] proved their constructions in the random oracle model; subsequent papers demonstrated schemes secure in the standard model based on trapdoor permutations [4] and lossy trapdoor functions [8].…”

Section: Related Workmentioning

confidence: 99%

“…Brakerski and Segev [10] and Wee [26] address the question of security of public-key deterministic encryption in the presence of auxiliary input. Fuller et al [18] presented a construction based on any trapdoor function that admits a large number of simultaneous hardcore bits, and a construction that is secure for a bounded number of possibly related plaintexts.…”

Section: Related Workmentioning

confidence: 99%

Incremental Deterministic Public-Key Encryption

Mironov

Pandey

Reingold

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Motivated by applications in large storage systems, we initiate the study of incremental deterministic public-key encryption. Deterministic public-key encryption, introduced by Bellare, Boldyreva, and O'Neill (CRYPTO '07), provides a realistic alternative to randomized public-key encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful notion of security for low-entropy plaintexts distributions, and Bellare et al. demonstrated that a strong notion of security can in fact be realized for relatively high-entropy plaintext distributions. In order to achieve a meaningful level of security, a deterministic encryption algorithm should be typically used for encrypting rather long plaintexts for ensuring a sufficient amount of entropy. This requirement may be at odds with efficiency constraints, such as communication complexity and computation complexity in the presence of small updates. Thus, a highly desirable property of deterministic encryption algorithms is incrementality: small changes in the plaintext translate into small changes in the corresponding ciphertext. We present a framework for modeling the incrementality of deterministic public-key encryption. Within our framework we propose two schemes, which we prove to enjoy an optimal tradeoff between their security and incrementality up to small polylogarithmic factors. Our first scheme is a generic method which can be based on any deterministic public-key encryption scheme, and in particular, can be instantiated with any semantically-secure (randomized) public-key encryption scheme in the random oracle model. Our second scheme is based on the Decisional Diffie-Hellman assumption in the standard model. The approach underpinning our schemes is inspired by the fundamental "sample-then-extract" technique due to Nisan and Zuckerman (JCSS '96) and refined by Vadhan (J. Cryptology '04), and by the closely related notion of "locally-computable extractors" due to Vadhan. Most notably, whereas Vadhan used such extractors to construct private-key encryption schemes in the bounded-storage model, we show that techniques along these lines can also be used to construct incremental public-key encryption schemes.

show abstract

“…Deterministic Encryption. Deterministic public-key encryption (where the encryption algorihtm is deterministic) was introduced by Bellare, Boldyreva and O'Neil [3], with additional constructions given in [7,4,11] and in concurrent works [19,26]. Deterministic encryption has a number of practical applications, such as efficient search on encrypted data and securing legacy protocols.…”

Section: Lossy Trapdoor Functions Lossy Trapdoor Functions (Tdf)mentioning

confidence: 99%

Dual Projective Hashing and Its Applications — Lossy Trapdoor Functions and More

Wee

2012

Advances in Cryptology – EUROCRYPT 2012

View full text Add to dashboard Cite

We introduce the notion of dual projective hashing. This is similar to Cramer-Shoup projective hashing, except that instead of smoothness, which stipulates that the output of the hash function looks random on NO instances, we require invertibility, which stipulates that the output of the hash function on NO instances uniquely determine the hashing key, and moreover, that there is a trapdoor which allows us to efficiently recover the hashing key.-We show a simple construction of lossy trapdoor functions via dual projective hashing. Our construction encompasses almost all known constructions of lossy trapdoor functions, as given in the works of Peikert and Waters (STOC '08) and Freeman et al. (PKC '10).-We also provide a simple construction of deterministic encryption schemes secure with respect to hard-to-invert auxiliary input, under an additional assumption about the projection map. Our construction clarifies and encompasses all of the constructions given in the recent work of Brakerski and Segev (Crypto '11). In addition, we obtain a new deterministic encryption scheme based on LWE. Supported by NSF CAREER Award CNS-0953626.

show abstract

A Unified Approach to Deterministic Encryption: New Constructions and a Connection to Computational Entropy

Cited by 24 publications

References 62 publications

Random-Oracle Uninstantiability from Indistinguishability Obfuscation

Random-Oracle Uninstantiability from Indistinguishability Obfuscation

Incremental Deterministic Public-Key Encryption

Dual Projective Hashing and Its Applications — Lossy Trapdoor Functions and More

Contact Info

Product

Resources

About