(1) It would appear to be a triviality, for any primitive, that security in the standard model implies security in the random-oracle model, and it is certainly true, and easily proven, for R-PKE. For D-PKE it is not clear and depends on details of the definition. In particular we can show it in the non-uniform case but not in the uniform case.
(2) The power of selective-opening attacks (SOA) comes from an adversary's ability, upon corrupting a sender, to learn not just the message but also the coins used for encryption. For R-PKE, security is achievable. For D-PKE, where there are no coins, one's first impression may be that SOAs are vacuous and security should be easily achievable. We show instead that SOA-security is impossible, meaning no D-PKE scheme can achieve it.
(3) For R-PKE, single-user security implies multi-user security, but we show that there are D-PKE schemes secure for a single user and insecure with two users.
Category / Keywords: public-key cryptography / Deterministic public-key encryption, random-oracle model, selective-opening attack Original Publication (with major differences): IACR-PKC-2015 Date: received 27 May 2014, last revised 11 Feb 2015 Contact author: mihir at eng ucsd edu Available format(s): PDF | BibTeX Citation Version: 20150212:013733 (All versions of this report) Short URL: ia.cr/2014/376 Discussion forum: Show discussion | Start new discussion