Nonce-Based Cryptography: Retaining Security when Randomness Fails.

We take nonce-based cryptography beyond symmetric encryption, developing it as a broad and practical way to mitigate damage caused by failures in randomness, whether inadvertent bugs or malicious subversion. We focus on definitions and constructions for nonce-based public-key encryption and briefly treat nonce-based signatures. We introduce and construct hedged extractors as a general tool in this domain. Our nonce-based PKE scheme guarantees that if the adversary wants to violate IND-CCA security then it must do both of the following: 1 fully compromise the RNG 2 penetrate the sender system to exfiltrate a seed used by the sender.