Separations in Circular Security for Arbitrary Length Key Cycles. Venkata Koppula, Kim Ramchen, Brent Waters




Circular Security

Choose pk, sk. Encrypt using pk.
Choose pk', sk'. Encrypt using pk'.

Circular Security

pk, pk'
Enc(pk, sk'), Enc(pk', sk)
Optimistic: Enc(pk, sk'), Enc(pk', sk) ≈ Enc(pk, 0), Enc(pk', 0)
Does not learn sk/sk'

n-circular Security [CL01]

pk_1, ..., pk_n
Enc(pk_1, sk_2), Enc(pk_2, sk_3), ..., Enc(pk_n, sk_1)

n-circular Security [CL01]

Challenger: Choose bit b. Choose n key pairs (pk_i, sk_i). y_i = Enc(pk_i, 0) or Enc(pk_i, sk_{i+1}).
Challenger to Adversary: (pk_1, ..., pk_n, y_1, ..., y_n)
Adversary to Challenger: b

Applications of n-circular Security

Disk Encryption Utilities
Anonymous Credential System - Camenisch & Lysyanskaya [CL01]
Bootstrapping HE - Gentry [G09]

n-Circular Secure Schemes

Boneh, Hamburg, Halevi & Ostrovsky: DDH based construction [BHHO08]
Applebaum, Cash, Peikert & Sahai: LWE based construction [ACPS09]
Extending Functionalities - [BG10, BHHI10, BGK11, App11, MTY11, BV11, AP12]

Is circular security implied by semantic security?

Circular Security - Negative Results

n=1
Folklore: Any IND-CPA secure encryption scheme can be transformed into one that is IND-CPA secure, but not 1-circular secure.

Circular Security - Negative Results

n=2
Acar, Belenkiy, Bellare & Cash [ABBC10]: Semantic Security circular security
Cash, Green & Hohenberger [CGH12]: Semantic Security weak circular security
Bilinear Groups

Is circular security implied by semantic security for n>2?

Our Results

Theorem 1: (iO + PRGs) (Semantic Security n-circular Security).
Theorem 2: (iO + PRGs) (Semantic Security n-circular Security for bit encryption).
Theorem 3: (IND-CPA secure, n-circular insecure scheme) (IND-CPA secure scheme where cycle results in key recovery)

Circular Security

pk, pk'
Enc(pk, sk'), Enc(pk', sk)
Optimistic: Enc(pk, sk'), Enc(pk', sk) ≈ Enc(pk, 0), Enc(pk', 0)
Does not learn sk/sk'
Theorem 1
Theorem 1 & 3

Our Results

Theorem 1: (iO + PRGs) (Semantic Security n-circular Security). This talk!

Code Obfuscation

Goal: Make programs maximally unintelligible.
Diagram: P, Obfuscator, P
Virtual Black Box Obfuscator
Having obfuscated code
Having black box access to code
[BGIRSVY01]

Code Obfuscation

Goal: Make programs maximally unintelligible.
Indistinguishability Obfuscator
C_0, C_1 functionally identical circuits.
iO(C_0) iO(C_1)
[BGIRSVY01] negative result does not apply for iO.
[GGHRSW13] gave a candidate construction for iO.

Transform IND-CPA scheme E to n-circular insecure scheme E'.
Prove E' is IND-CPA secure
Using VBB obfuscation
Modify E' to use Indistinguishability Obfuscation

IND-CPA Scheme E

Setup -> pk, sk
Enc(pk, m) -> ct
Dec(sk, ct) -> m

Scheme E'

Setup -> pk, sk
Enc'(pk, m) -> ct, aux
Dec(sk, ct) -> m
Helps detect cycles, but shouldn't break IND-CPA!

Scheme E'

Setup -> pk, sk
Enc'(pk, m) -> ct, iO(P)
Dec(sk, ct) -> m
Helps detect cycles, but shouldn't break IND-CPA!

Program P

Constants: m, pk
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i=2 to n: sk_{i+1} = Dec(sk_i, ct_i).
3. Check sk_{n+1} is secret key for pk. If yes, output 1.

E' is n-circular insecure

pk_1, Enc'(pk_1, sk_2) = (ct_1*, iO(P_1))
pk_2, Enc'(pk_2, sk_3) = (ct_2*, iO(P_2))
...
pk_n, Enc'(pk_n, sk_1) = (ct_n*, iO(P_n))
P_1 is Program P with constants m = sk_2, pk = pk_1, run on inputs ct_1*, ..., ct_n*.

E' is n-circular insecure

pk_1, Enc'(pk_1, 0) = (ct_1*, iO(P_1))
pk_2, Enc'(pk_2, 0) = (ct_2*, iO(P_2))
...
pk_n, Enc'(pk_n, 0) = (ct_n*, iO(P_n))
P_1 is Program P with constants m = 0, pk = pk_1, run on inputs ct_1*, ..., ct_n*.
Fails w.h.p.

Is E' IND-CPA secure?

Assuming iO is a virtual black box obfuscator?
Assuming iO is indistinguishability obfuscator??

Scheme E

Setup -> (sk, r), (pk, t=PRG(r))
Enc'(pk, m) -> ct, iO(P')
Dec(sk, ct) -> m

Program P'

Constants: m, pk, t (t = PRG(r))
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i=2 to n: (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i).
3. Check sk_{n+1} is secret key for pk. Check PRG(r_{n+1}) = t. If yes, output 1.

Proving E n-circular insecure: Same as E
Proving E IND-CPA secure: Follows from iO + PRG security

Theorem 1: Assuming iO + PRGs exist, there exists a scheme E that is IND-CPA secure but not n-circular secure.
Related concurrent work: [MO13] showed a different construction using VBB obfuscation.
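Added example, not from the talk or its authors: a runnable toy of the PRG-tagged scheme and its cycle-detecting program, showing why a key cycle is distinguishable from encryptions of 0. Assumptions: hashed ElGamal over a toy modulus stands in for the base scheme E, SHA-256 stands in for the PRG, and a plain Python closure stands in for iO (it hides nothing, so this illustrates only the n-circular insecurity direction, not IND-CPA security); all function names are hypothetical.

```python
import hashlib
import secrets

P_MOD = 2**127 - 1   # toy prime modulus (assumption); far too small for real use
G = 3

def H(x: int) -> bytes:
    """Hash a group element to a 32-byte pad."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def prg(r: bytes) -> bytes:
    """Stand-in for the PRG: 16-byte seed r -> 32-byte tag t."""
    return hashlib.sha256(b"prg" + r).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- base scheme E: hashed ElGamal on 32-byte messages ---
def e_setup():
    sk = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, sk, P_MOD), sk

def e_enc(pk: int, m: bytes):
    k = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, k, P_MOD), xor(m, H(pow(pk, k, P_MOD)))

def e_dec(sk: int, ct) -> bytes:
    c1, c2 = ct
    return xor(c2, H(pow(c1, sk, P_MOD)))

# --- modified scheme: secret key (sk, r), public key (pk, t = PRG(r)) ---
def setup():
    pk, sk = e_setup()
    r = secrets.token_bytes(16)
    return (pk, prg(r)), (sk, r)

def encode_key(secret) -> bytes:
    sk, r = secret
    return sk.to_bytes(16, "big") + r

def decode_key(m: bytes):
    return int.from_bytes(m[:16], "big"), m[16:]

def make_program(m: bytes, pk: int, t: bytes):
    """The cycle-detecting program with constants m, pk, t.
    The real construction publishes an obfuscation of this; here it is in the clear."""
    def program(cts) -> int:
        sk, r = decode_key(m)                    # step 1: sk_2 = m
        for ct in cts[1:]:                       # step 2: i = 2..n
            sk, r = decode_key(e_dec(sk, ct))    # (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i)
        # step 3: sk_{n+1} must match pk and PRG(r_{n+1}) must equal t
        return 1 if pow(G, sk, P_MOD) == pk and prg(r) == t else 0
    return program

def enc(public, m: bytes):
    pk, t = public
    return e_enc(pk, m), make_program(m, pk, t)

def dec(secret, ciphertext) -> bytes:
    return e_dec(secret[0], ciphertext[0])

def cycle_game(n: int, b: int):
    """Challenger: b=1 gives the key cycle Enc(pk_i, sk_{i+1}), b=0 gives Enc(pk_i, 0)."""
    keys = [setup() for _ in range(n)]
    msgs = [encode_key(keys[(i + 1) % n][1]) if b else bytes(32) for i in range(n)]
    ys = [enc(keys[i][0], msgs[i]) for i in range(n)]
    return [pub for pub, _ in keys], ys

def distinguisher(ys) -> int:
    """Adversary: run the first ciphertext's program on all base ciphertexts."""
    cts = [ct for ct, _ in ys]
    return ys[0][1](cts)

if __name__ == "__main__":
    for b in (0, 1):
        _, ys = cycle_game(4, b)
        print("b =", b, "-> guess", distinguisher(ys))
```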

Conclusions and Open Problems

IND-CPA security does not imply n-circular security.
Our solution uses indistinguishability obfuscation.
Can we get these counterexamples from weaker assumptions? From multilinear maps?
Rothblum's counterexample [R13] for bit encryption comes close.

Thank you! Questions?

IND-CPA Adversary

public key = (pk, t=PRG(r))
Enc'(m, pk) = (ct, iO(P'))
Program P'
Constants: m, t
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i=2 to n: (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i).
3. Check PRG(r_{n+1}) = t. If yes, output 1.

PRG

public key = (pk, t : random)
Enc'(m, pk) = (ct, iO(P'))
Program P'
Constants: m, t
Inputs: ct_1, ..., ct_n
1. sk_2 = m.
2. For i=2 to n: (sk_{i+1}, r_{i+1}) = Dec(sk_i, ct_i).
3. Check PRG(r_{n+1}) = t. If yes, output 1. Fails w.h.p.

iO

public key = (pk, t : random)
Enc'(m, pk) = (ct, iO(P'))
Program P'
Constants: m, t
Inputs: ct_1, ..., ct_n
1. Output.