TY - GEN
T1 - Randomness-dependent message security
AU - Birrell, Eleanor
AU - Chung, Kai Min
AU - Pass, Rafael
AU - Telang, Sidharth
PY - 2013
Y1 - 2013
N2 - Traditional definitions of the security of encryption schemes assume that the messages encrypted are chosen independently of the randomness used by the encryption scheme. Recent works, implicitly by Myers and Shelat (FOCS'09) and Bellare et al. (AsiaCrypt'09), and explicitly by Hemenway and Ostrovsky (ECCC'10), consider randomness-dependent message (RDM) security of encryption schemes, where the message to be encrypted may be selected as a function (referred to as the RDM function) of the randomness used to encrypt this particular message, or other messages, but in a circular way. We carry out a systematic study of this notion. Our main results demonstrate the following: Full RDM security, where the RDM function may be an arbitrary polynomial-size circuit, is not possible. Any secure encryption scheme can be slightly modified, by just performing some pre-processing to the randomness, to satisfy bounded-RDM security, where the RDM function is restricted to be a circuit of a priori bounded polynomial size. The scheme, however, requires the randomness r needed to encrypt a message m to be slightly longer than the length of m (i.e., |r| > |m| + ω(log k), where k is the security parameter). We present a black-box provability barrier to compilations of arbitrary public-key encryption into RDM-secure ones using just pre-processing of the randomness, whenever |m| > |r| + ω(log k). On the other hand, under the DDH assumption, we demonstrate the existence of bounded-RDM secure schemes that can encrypt arbitrarily "long" messages using "short" randomness.
We finally note that the existence of public-key encryption schemes implies the existence of a fully RDM-secure encryption scheme in an "ultra-weak" Random-Oracle Model, where the security reduction need not "program" the oracle or see the queries made by the adversary to the oracle; combined with our impossibility result, this yields the first example of a cryptographic task that has a secure implementation in such a weak Random-Oracle Model, but does not have a secure implementation without random oracles.
UR - http://www.scopus.com/inward/record.url?scp=84873967790&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-36594-2_39
DO - 10.1007/978-3-642-36594-2_39
AN - SCOPUS:84873967790
SN - 9783642365935
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 700
EP - 720
BT - Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings
T2 - 10th Theory of Cryptography Conference, TCC 2013
Y2 - 3 March 2013 through 6 March 2013
ER -