2

Under which conditions is it secure to publish an encryption of the secret key $s$ under itself in terms of an $RLWE_s(s)$ ciphertext? Because for some schemes this is (repeatedly) used in bootstrapping or key switching, it seems to be secure (or at least it is assumed to be so).

On the other hand, if multiple encryptions $RLWE_{s_i}(s_k)$ are published it seems to be critical that there is no ``cycle'', i.e., it is insecure to publish $RLWE_{s_1}(s_2), RLWE_{s_2}(s_3), \dots, RLWE_{s_k}(s_1)$ as indicated by https://eprint.iacr.org/2016/110.pdf

However, it is secure if the published encryptions are ``cycle-free''? Based on the example above, is it safe to publish $$ RLWE_{s_1}(s_2), RLWE_{s_2}(s_3), \dots, RLWE_{s_{k-1}}(s_k)? $$ How about all under the same key $$ RLWE_{s_1}(s_2), RLWE_{s_1}(s_3), \dots, RLWE_{s_1}(s_k)? $$

opag
  • 63
  • 3

1 Answers1

2

Some schemes, like ACPS, are proven to be circular secure, i.e., they can encrypt sk under sk itself. But most of schemes just assume cicular security.

Also, notice that if the scheme is homomorphic, then assuming that you can publish Enc_sk(sk) implies you can publish Enc_sk(f(sk)) for all the functions the scheme can evaluate, so, you can construct the key-switching and bootstrapping keys with a standard circular security assumption.

Finally, notice that the paper you cited shows that there exists schemes that are not (k-cycle) circular secure. It does not mean that any scheme is circular insecure (actually, it is hard to construct schemes such insecure schemes. You can find some discussion about this here).

Hilder Vitor Lima Pereira
  • 6,484
  • 21
  • 40