Paper 2017/123

Separating IND-CPA and Circular Security for Unbounded Length Key Cycles

Rishab Goyal, Venkata Koppula, and Brent Waters


A public key encryption scheme is said to be n-circular secure if no PPT adversary can distinguish between encryptions of an n length key cycle and n encryptions of zero. One interesting question is whether circular security comes for free from IND-CPA security. Recent works have addressed this question, showing that for all integers n, there exists an IND-CPA scheme that is not n-circular secure. However, this leaves open the possibility that for every IND-CPA cryptosystem, there exists a cycle length l, dependent on the cryptosystem (and the security parameter) such that the scheme is l-circular secure. If this is true, then this would directly lead to many applications, in particular, it would give us a fully homomorphic encryption scheme via Gentry’s bootstrapping. In this work, we show that is not true. Assuming indistinguishability obfuscation and leveled homomorphic encryption, we construct an IND-CPA scheme such that for all cycle lengths l, the scheme is not l-circular secure.

Available format(s)
Publication info
Published by the IACR in PKC 2017
Circular Security
Contact author(s)
rgoyal @ cs utexas edu
2017-02-16: received
Short URL
Creative Commons Attribution


      author = {Rishab Goyal and Venkata Koppula and Brent Waters},
      title = {Separating IND-CPA and Circular Security for Unbounded Length Key Cycles},
      howpublished = {Cryptology ePrint Archive, Paper 2017/123},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.