Separating Selective Opening Security from Standard Security, Assuming Indistinguishability Obfuscation
摘要
Assuming the hardness of LWE and the existence of indistinguishability obfuscation (IO), we construct a public-key encryption scheme that is IND-CCA secure but fails to satisfy even a weak notion of indistinguishability security with respect to selective opening attacks. Prior to our work, such a separation was known only from stronger assumptions such as differing inputs obfuscation (Hofheinz, Rao, and Wichs, TCC 2016). Central to our separation is a new hash family, which may be of independent interest. Specifically, for any \(S(\lambda ) = \lambda ^{O(1)}\) , any \(n(\lambda ) = \lambda ^{O(1)}\) , and any \(m(\lambda ) = \lambda ^{\varTheta (1)}\) , we construct a hash family mapping \(n(\lambda )\) bits to \(m(\lambda )\) bits that is somewhere statistically correlation intractable (SS-CI) for all relations \(R_\lambda \subseteq \{0,1\}^{n(\lambda )} \times \{0,1\}^{m(\lambda )}\) that are enumerable by circuits of size \(S(\lambda )\) . We give two constructions of such a hash family. Our first construction uses IO, and generically “boosts” any hash family that is SS-CI for the smaller class of functions that are computable by circuits of size \(S(\lambda )\) . This weaker hash variant can be constructed based solely on LWE (Peikert and Shiehian, CRYPTO 2019). Our second construction is based on the existence of a circular secure FHE scheme, and follows the construction of Canetti et al. (STOC 2019).