Toward fine-grained blackbox separations between semantic and circular-security notions

Abstract

We address the problems of whether t-circular-secure encryption can be based on (t − 1)-circular-secure encryption or on semantic (CPA) security, if t = 1. While for t = 1 a folklore construction, based on CPA-secure encryption, can be used to build a 1-circular-secure encryption with the same secret-key and message space, no such constructions are known for the bit-encryption case, which is of particular importance in fully-homomorphic encryption. Also, all constructions of t-circular encryption (bitwise or otherwise) are based on specific assumptions. We make progress toward these problems by ruling out all fully blackbox constructions of – 1-seed-circular-secure bit encryption from CPA-secure encryption; – t-seed-circular-secure encryption from (t − 1)-seed-circular secure encryption, for any t > 1. Informally, seed-circular security is a variant of the circular security notion in which the seed of the key-generation algorithm, instead of the secret key, is encrypted. We also show how to extend our first result to rule out a large and non-trivial class of constructions of 1-circular-secure bit encryption, which we dub key-isolating constructions. Our separations follow the model of Gertner, Malkin and Reingold (FOCS’01), which is a weaker separation model than that of Impagliazzo and Rudich.