Circular Security

IND-WCIRC-CPAⁿ

A natural extension to IND-CPA for a cycle of $n$ pairs $(sk_i, pk_i)$ is the following.

An encryption scheme $\Pi := (\Gen, \Enc, \Dec)$ is IND-WCIRC-CPA$^n$ secure if for all PPT adversaries $A:=(A_1, A_2)$, $\Game_{\Pi, A, n}^{\CPA}( \lambda, 0) \approx_c \Game^{\CPA}_{\Pi, A, n}(\lambda, 1)$, where the game is defined as:

\[\begin{aligned} &&& \underline{\Game_{\Pi, A, n}^{\CPA}( \lambda, b)}: \\ & \\ &1. && (pk_i, sk_i) \samples \Gen(1^\lambda), \forall i \in [n] \\ &2. && y_i:= \Enc(pk_i, sk_{(i \; mod \; n) + 1}), \forall i \in [n] \\ &3. && (j, m_0, m_1, z) \samples A_1(pk, y) \\ &4. && c \samples \Enc(pk_j, m_b) \\ &5. && b' \samples A_2(c, z) \end{aligned}\]

IND-CIRC-CPAⁿ

In this scenario, instead, we do not allow the attacker to choose:

an index $j$
a pair $(m_0, m_1)$,

and we do not publish the cycle of encryptions $y$; instead, the challenger gives either $y$ or a cycle of encryptions of $0^{|sk_i|}$. The goal is now to distinguish between these two distributions.

References

David Cash, Matthew Green, Susan Hohenberger. New Definitions and Separations for Circular Security. 2012

NEXTIND-CPA Security

IND-WCIRC-CPAn

IND-CIRC-CPAn

References

IND-WCIRC-CPAⁿ

IND-CIRC-CPAⁿ