Reproducible Circularly Secure Bit Encryption: Applications and Realizations

Mohammad Hajiabadi, Bruce M. Kapron
2016 Journal of Cryptology  
We give generic constructions of several fundamental cryptographic primitives based on a new encryption primitive that combines circular security for bit encryption with the so-called reproducibility property (Bellare et al. PKC 2003). At the heart of our constructions is a novel technique which gives a way of de-randomizing reproducible public-key bit-encryption schemes and also a way of reducing one-wayness conditions of a constructed trapdoor-function family (TDF) to circular security of the
more » ... base scheme. The main primitives that we build from our encryption primitive include k-wise oneway TDFs ( Rosen and Segev TCC 2009), CCA2-secure encryption and deterministic encryption. Our results demonstrate a new set of applications of circularly-secure encryption beyond fully-homomorphic encryption and symbolic soundness. Finally, we show the plausibility of our assumptions by showing that the DDH-based circularly-secure scheme of Boneh et al. (Crypto 2008) and the subgroup indistinguishability based scheme of Brakerski and Goldwasser (Crypto 2010) are both reproducible. 2. We show how to extract many hardcore bits for our constructed TDFs, and by applying the results of [36] we obtain a blackbox (BB) construction of CCA2-secure encryption from our assumptions. Our CCA2 construction is non-shielding in the sense of [23] . We partially justify this fact by showing wrt a weaker encryption primitive than ours, a non-shielding BB CCA2 construction is possible, while a shielding CCA2 construction is BB impossible. 3. By slightly extending our base primitive, we show how to obtain deterministic encryption schemes secure under block-source inputs, as defined by [10]. 4. We realize our base encryption primitive by showing the circularly-secure schemes of [12,13] are reproducible. In what follows, we provide some background, give a more detailed exposition of our results and describe our constructions and proof techniques. First of all, we assume the following notation and conventions throughout the introduction. Unless otherwise stated, an encryption scheme is bit encryption with randomness space {0, 1} ρ and secret-key space {0, 1} l , where l = l(n) and ρ = ρ(n); by E pk (m), for m ∈ {0, 1} * , we mean bitwise encryption of m.
doi:10.1007/s00145-016-9246-4 fatcat:pq6mkmii6rg63jesjem6nvtp7y