Obfuscation ⇒ ( IND - CPA Security 6 ⇒ Circular Security )
نویسندگان
چکیده
Circular security is an important notion for public-key encryption schemes and is needed by several cryptographic protocols. In circular security the adversary is given an extra “hint” consisting of a cycle of encryption of secret keys i.e., (Epk1(sk2), . . . , Epkn(sk1)). A natural question is whether every IND-CPA encryption scheme is also circular secure. It is trivial to see that this is not the case when n = 1. In 2010 a separation for n = 2 was shown by [ABBC10,GH10] under standard assumptions in bilinear groups. In this paper we finally settle the question showing that for every n there exist an IND-CPA secure scheme which is not n-circular secure. Our result relies on the recent progress in cryptographic obfuscation.
منابع مشابه
Separating IND-CPA and Circular Security for Unbounded Length Key Cycles
A public key encryption scheme is said to be n-circular secure if no PPT adversary can distinguish between encryptions of an n length key cycle and n encryptions of zero. One interesting question is whether circular security comes for free from IND-CPA security. Recent works have addressed this question, showing that for all integers n, there exists an IND-CPA scheme that is not n-circular secu...
متن کاملObfuscation ⇒ (IND-CPA Security !⇒ Circular Security)
Circular security is an important notion for public-key encryption schemes and is needed by several cryptographic protocols. In circular security the adversary is given an extra “hint” consisting of a cycle of encryption of secret keys i.e., (Epk1(sk2), . . . , Epkn(sk1)). A natural question is whether every IND-CPA encryption scheme is also circular secure. It is trivial to see that this is no...
متن کاملSeparations in Circular Security for Arbitrary Length Key Cycles
While standard notions of security suffice to protect any message supplied by an adversary, in some situations stronger notions of security are required. One such notion is n-circular security, where ciphertexts Enc(pk1, sk2), Enc(pk2, sk3), . . . , Enc(pkn, sk1) should be indistinguishable from encryptions of zero. In this work we prove the following results for n-circular security, based upon...
متن کاملCircular Security Counterexamples for Arbitrary Length Cycles from LWE
We describe a public key encryption that is IND-CPA secure under the Learning with Errors (LWE) assumption, but that is not circular secure for arbitrary length cycles. Previous separation results for cycle length greater than 2 require the use of indistinguishability obfuscation, which is not currently realizable under standard assumptions.
متن کاملCircular Security Separations for Arbitrary Length Cycles from LWE
We describe a public key encryption that is IND-CPA secure under the Learning with Errors (LWE) assumption, but that is not circular secure for arbitrary length cycles. Previous separation results for cycle length greater than 2 require the use of indistinguishability obfuscation, which is not currently realizable under standard assumptions.
متن کامل