Bounded Key-Dependent Message Security

Barak, Boaz; Haitner, Iftach; Hofheinz, Dennis; Ishai, Yuval

doi:10.1007/978-3-642-13190-5_22

Cited by 107 publications

(113 citation statements)

References 28 publications

(64 reference statements)

Supporting

Mentioning

112

Contrasting

Order By: Relevance

“…Specifically, our construction is based on (i) a two-move semi-honest oblivious transfer (OT) protocol with receiver adaptive security, in combination with (ii) a projective garbling scheme leaking only the circuit size [Yao86,BHR12], and (iii) multiple-message, receiver-non-committing public-key encryption (which is a stronger version of single-message receiver-non-committing encryption introduced in [JL00]). Next, we first recall the high-level idea of [Gen09b,GHV10,BHHI10], and then explain how to upgrade the building blocks to achieve our goal.…”

Section: Feasibility Resultsmentioning

confidence: 99%

Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption

Katz

Thiruvengadam

Zhou

2013

Public-Key Cryptography – PKC 2013

View full text Add to dashboard Cite

Fully homomorphic encryption (FHE) is a form of public-key encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications.Adaptive security for public-key encryption schemes is an important security notion that was proposed by Canetti et al. over 15 years ago. It is intended to ensure security when encryption is used within an interactive protocol, and parties may be adaptively corrupted by an adversary during the course of the protocol execution. Due to the extensive applications of FHE to protocol design, it is natural to understand whether adaptively secure FHE is achievable.In this paper we show two contrasting results in this direction. First, we show that adaptive security is impossible for FHE satisfying the (standard) compactness requirement. On the other hand, we show a construction of adaptively secure FHE that is not compact, but which does achieve circuit privacy.

show abstract

Section: Feasibility Resultsmentioning

confidence: 99%

Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption

Katz

Thiruvengadam

Zhou

2013

Public-Key Cryptography – PKC 2013

View full text Add to dashboard Cite

show abstract

“…In fact, this gap can be further expanded as follows. First, we can achieve length-dependent KDM security [10], which means that the target family G can be taken to be the family of all polynomial-size circuits whose size grows with their input and output lengths via a fixed polynomial rate (e.g., the circuit size is quadratic in the input and output lengths). This family is very powerful and it was shown to be rich enough for most known applications of KDM security [10] 2 .…”

Section: Our Resultsmentioning

confidence: 99%

“…(These details required some effort in previous works. See the appendices in [14,10,13].) This, together with the simple proof of our main theorem, allows to simplify the proofs of [10,13] for the existence of lengthdependent KDM secure encryption scheme under the Decisional Diffie-Hellman (DDH) assumption [12], the Learning With Errors assumptions (LWE) [5], and the Quadratic Residuosity (QR) assumption [13].…”

Section: Our Resultsmentioning

confidence: 99%

“…First, we consider the case of simulatable KDM security [10], in which it should be possible to simulate an encryption of f (sk) given only the corresponding public-key in a way that remains indistinguishable even to someone who knows the secret-key.…”

Section: Our Resultsmentioning

confidence: 99%

“…In [10], it was shown that if an encryption scheme is both simulatable circularsecure and fully-homomorphic then it is also simulatable fully-KDM secure. We show that the other direction holds as well, and so the two notions are equivalent.…”

Section: On Full Kdm Securitymentioning

confidence: 99%

See 2 more Smart Citations

Key-Dependent Message Security: Generic Amplification and Completeness

Applebaum

2011

Advances in Cryptology – EUROCRYPT 2011

View full text Add to dashboard Cite

Abstract. Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret-key sk. Namely, the scheme should remain secure even when messages of the form f (sk) are encrypted, where f is taken from some function class F. A KDM amplification procedure takes an encryption scheme which satisfies F-KDM security and boost it into a G-KDM secure scheme, where the function class G should be richer than F. It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010), that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties.In this work, we prove the first generic KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (aka projections) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial-time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple-keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of all known KDM constructions, including ones that could not be amplified before.Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under strong notion of KDM security, the existence of cyclic-secure fullyhomomorphic encryption is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adopting Gentry's bootstrapping technique (STOC 2009) to the KDM setting.

show abstract

Public‐Key Encryption and Security Notions

Attrapadung

Matsuda

2022

Asymmetric Cryptography

View full text Add to dashboard Cite

Bounded Key-Dependent Message Security

Cited by 107 publications

References 28 publications

Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption

Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption

Key-Dependent Message Security: Generic Amplification and Completeness

Public‐Key Encryption and Security Notions

Contact Info

Product

Resources

About