How Secure is Deterministic Encryption?

This paper presents three curious findings about deterministic public-key encryption (D-PKE) that further our understanding of its security, in particular because of the contrast with standard, randomized public-key encryption (R-PKE): • It would appear to be a triviality, for any primitive, that security in the standard model implies security in the random-oracle model, and it is certainly true, and easily proven, for R-PKE. For D-PKE it is not clear and depends on details of the definition. In particular we can show it in the non-uniform case but not in the uniform case. • The power of selective-opening attacks (SOA) comes from an adversary’s ability, upon corrupting a sender, to learn not just the message but also the coins used for encryption. For R-PKE, security is achievable. For D-PKE, where there are no coins, one’s first impression may be that SOAs are vacuous and security should be easily achievable. We show instead that SOA-security is impossible, meaning no D-PKE scheme can achieve it. • For R-PKE, single-user security implies multi-user security, but we show that there are D-PKE schemes secure for a single user and insecure with two users. 1 Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. Email: [email protected]. URL: http://www.cs.ucsd.edu/users/mihir. Supported in part by NSF grants CNS-1228890 and CNS-1116800. 2 Institute of Theoretical Informatics, Karlsruhe Institute of Technology, Am Fasanengarten 5, Geb. 50.34 76131 Karlsruhe, Germany. Email: [email protected]. URL: https://crypto.iti.kit.edu/?id=dowsley. 3 Work done while at UCSD, supported in part by NSF grants CNS-1228890 and CNS-1116800. Email: [email protected]. URL: http://www.cs.ucsd.edu/users/skeelvee.