Toward Fine-Grained Blackbox Separations Between Semantic and Circular-Security Notions

We address the problems of whether t-circular-secure encryption can be based on (t − 1)-circular-secure encryption or on semantic (CPA) security, if t = 1. While for t = 1 a folklore construction, based on CPA-secure encryption, can be used to build a 1-circular-secure encryption with the same secret-key and message space, no such constructions are known for the bit-encryption case, which is of particular importance in fully homomorphic encryption. Also, for t ≥ 2, all constructions of t-circular-secure encryption (bitwise or otherwise) are based on specific assumptions. We make progress toward these problems by ruling out all fully blackbox constructions of – 1-seed circular-secure public-key bit encryption from CPA-secure public-key encryption; – t-seed circular-secure public-key encryption from (t−1)-seed circular secure public-key encryption, for any t ≥ 2. Informally, seed-circular security is a variant of circular security in which the seed of the key-generation algorithm, rather than the secret key itself, is encrypted. We also show how to extend our first result to rule out a large and non-trivial class of constructions of 1-circular-secure bit encryption, which we dub key-isolating constructions. Our separation model follows that of Gertner, Malkin and Reingold (FOCS’01), which is a weaker separation model than that of Impagliazzo and Rudich.