Randomness-dependent message security

Eleanor Birrell*, Kai Min Chung, Rafael Pass, Sidharth Telang

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

11 Scopus citations

Abstract

Traditional definitions of the security of encryption schemes assume that the messages encrypted are chosen independently of the randomness used by the encryption scheme. Recent works, implicitly by Myers and Shelat (FOCS'09) and Bellare et al (AsiaCrypt'09), and explicitly by Hemmenway and Ostrovsky (ECCC'10), consider randomness-dependent message (RDM) security of encryption schemes, where the message to be encrypted may be selected as a function-referred to as the RDM function-of the randomness used to encrypt this particular message, or other messages, but in a circular way. We carry out a systematic study of this notion. Our main results demonstrate the following: Full RDM security-where the RDM function may be an arbitrary polynomial-size circuit-is not possible. Any secure encryption scheme can be slightly modified, by just performing some pre-processing to the randomness, to satisfy bounded-RDM security, where the RDM function is restricted to be a circuit of a priori bounded polynomial size. The scheme, however, requires the randomness r needed to encrypt a message m to be slightly longer than the length of m (i.e., |r| > |m| + ω(logk), where k is the security parameter). We present a black-box provability barrier to compilations of arbitrary public-key encryption into RDM-secure ones using just pre-processing of the randomness, whenever |m| > |r| + ω(logk). On the other hand, under the DDH assumption, we demonstrate the existence of bounded-RDM secure schemes that can encrypt arbitrarily "long" messages using "short" randomness. We finally note that the existence of public-key encryption schemes imply the existence of a fully RDM-secure encryption scheme in an "ultra-weak" Random-Oracle Model-where the security reduction need not "program" the oracle, or see the queries made by the adversary to the oracle; combined with our impossibility result, this yields the first example of a cryptographic task that has a secure implementation in such a weak Random-Oracle Model, but does not have a secure implementation without random oracles.

Original languageEnglish
Title of host publicationTheory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings
Pages700-720
Number of pages21
DOIs
StatePublished - 2013
Externally publishedYes
Event10th Theory of Cryptography Conference, TCC 2013 - Tokyo, Japan
Duration: 3 Mar 20136 Mar 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7785 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference10th Theory of Cryptography Conference, TCC 2013
Country/TerritoryJapan
CityTokyo
Period3/03/136/03/13

Fingerprint

Dive into the research topics of 'Randomness-dependent message security'. Together they form a unique fingerprint.

Cite this