Impossibility of Strong KDM Security with Auxiliary Input.

We show that a strong notion of KDM security cannot be obtained by any encryption scheme in the auxiliary input setting, assuming Learning With Errors (LWE) and one-way permutations. The notion of security we deal with guarantees that for any (possibly inefficient) function f, it is computationally hard to distinguish between an encryption of \(\mathbf {0}\) and an encryption of \(f(\mathsf {pk}, z)\), where \(\mathsf {pk} \) is the public key and z is the auxiliary input. Furthermore, we show that this holds even when restricted to bounded-length auxiliary input where z is much shorter than \(\mathsf {pk} \) under the additional assumption that (non-leveled) fully homomorphic encryption exists.