Separations in circular security for arbitrary length key cycles, revisited

The circular security of public key encryptions has been drawn great attentions in recent years. The relationship of notions between circular securities and standard ones such as chosen plaintext security (CPA-security) and chosen ciphertext security (CCA-security) deserve to be clarified. For any integer n>0 and n2, whether the notions of n-circular securities can be implied by that of their standard correspondences, such as CPA or CCA security in public key setting, has largely remained open. Koppula, Ramchen, and Waters in TCC'15 recently made a separation in CPA case by proposing a CPA secure scheme that is not n-circular secure based on the recent candidate constructions of indistinguishable obfuscation. In this work, we consider the CCA case. In particular, inspired by the indistinguishable-obfuscation-based construction of Koppula et al., we obtain the following results: We make a separation between the n-circular CCA security and CCA security for anyn>0. Specifically, we propose a hybrid encryption scheme that achieves the CCA security but fails even in the n-circular CPA security. Hence, that makes a separation between the CCA security and the n-circular CCA security (and even the n-circular CPA security). By revising the previous construction, we also present a CCA secure (hybrid encryption) scheme, which allows an adversary to recover all secret keys when obtaining an encrypted key cycle. Hence, that implies that: if a key cycle arises in a system, then a passive adversary might be able to recover all secret keys even if CCA-secure encryptions are used. The results in this work, together with that of Koppula et al., confirm that notions of circular securities are stronger than their standard correspondences. Copyright (C) 2016 John Wiley & Sons, Ltd.