Score:2

Security of RLWE encryptions of secret keys

us flag

Under which conditions is it secure to publish an encryption of the secret key $s$ under itself in terms of an $RLWE_s(s)$ ciphertext? Because for some schemes this is (repeatedly) used in bootstrapping or key switching, it seems to be secure (or at least it is assumed to be so).

On the other hand, if multiple encryptions $RLWE_{s_i}(s_k)$ are published it seems to be critical that there is no ``cycle'', i.e., it is insecure to publish $RLWE_{s_1}(s_2), RLWE_{s_2}(s_3), \dots, RLWE_{s_k}(s_1)$ as indicated by https://eprint.iacr.org/2016/110.pdf

However, it is secure if the published encryptions are ``cycle-free''? Based on the example above, is it safe to publish $$ RLWE_{s_1}(s_2), RLWE_{s_2}(s_3), \dots, RLWE_{s_{k-1}}(s_k)? $$ How about all under the same key $$ RLWE_{s_1}(s_2), RLWE_{s_1}(s_3), \dots, RLWE_{s_1}(s_k)? $$

Score:2
us flag

Some schemes, like ACPS, are proven to be circular secure, i.e., they can encrypt sk under sk itself. But most of schemes just assume cicular security.

Also, notice that if the scheme is homomorphic, then assuming that you can publish Enc_sk(sk) implies you can publish Enc_sk(f(sk)) for all the functions the scheme can evaluate, so, you can construct the key-switching and bootstrapping keys with a standard circular security assumption.

Finally, notice that the paper you cited shows that there exists schemes that are not (k-cycle) circular secure. It does not mean that any scheme is circular insecure (actually, it is hard to construct schemes such insecure schemes. You can find some discussion about this here).

I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.