Randomness-Dependent message security

Traditional definitions of the security of encryption schemes assume that the messages encrypted are chosen independently of the randomness used by the encryption scheme. Recent works, implicitly by Myers and Shelat (FOCS'09) and Bellare et al (AsiaCrypt'09), and explicitly by Hemmenway and Ostrovsky (ECCC'10), consider randomness-dependent message (RDM) security of encryption schemes, where the message to be encrypted may be selected as a function—referred to as the RDM function—of the randomness used to encrypt this particular message, or other messages, but in a circular way. We carry out a systematic study of this notion. Our main results demonstrate the following: · Full RDM security—where the RDM function may be an arbitrary polynomial-size circuit—is not possible. · Any secure encryption scheme can be slightly modified, by just performing some pre-processing to the randomness, to satisfy bounded-RDM security, where the RDM function is restricted to be a circuit of a priori bounded polynomial size. The scheme, however, requires the randomness r needed to encrypt a message m to be slightly longer than the length of m (i.e., |r||m|+ω(logk), where k is the security parameter). · We present a black-box provability barrier to compilations of arbitrary public-key encryption into RDM-secure ones using just pre-processing of the randomness, whenever |m||r|+ω(logk). On the other hand, under the DDH assumption, we demonstrate the existence of bounded-RDM secure schemes that can encrypt arbitrarily 'long' messages using 'short' randomness. We finally note that the existence of public-key encryption schemes imply the existence of a fully RDM-secure encryption scheme in an 'ultra-weak' Random-Oracle Model—where the security reduction need not 'program' the oracle, or see the queries made by the adversary to the oracle; combined with our impossibility result, this yields the first example of a cryptographic task that has a secure implementation in such a weak Random-Oracle Model, but does not have a secure implementation without random oracles.