Chosen-ciphertext security via correlated products

Alon Rosen*, Gil Segev

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

27 Scopus citations


We initiate the study of one-wayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (X1, ⋯, xk) so that the function (F(X1), ⋯, f(xk)) is one-way. The main motivation of this study is the construction of public-key encryption schemes that are secure against chosen-ciphertext attacks (CCAs). We show that any collection of injective trapdoor functions that is secure under a very natural correlated product can be used to construct a CCA-secure public-key encryption scheme. The construction is simple, black-box, and admits a direct proof of security. It can be viewed as a simplification of the seminal work of Dolev, Dwork, and Naor [SIAM J. Comput., 30 (2000), pp. 391-437], while relying on a seemingly incomparable assumption. We provide evidence that security under correlated products is achievable by demonstrating that lossy trapdoor functions [Peikert and Waters, Proceedings of the 40th Annual ACM Symposium on Theory of Computing, 2008, pp. 187-196] yield injective trapdoor functions that are secure under the above-mentioned correlated product. Although we currently base security under correlated products on existing constructions of lossy trapdoor functions, we argue that the former notion is potentially weaker as a general assumption. Specifically, there is no fully black-box construction of lossy trapdoor functions from trapdoor functions that are secure under correlated products.

Original languageAmerican English
Pages (from-to)3058-3088
Number of pages31
JournalSIAM Journal on Computing
Issue number7
StatePublished - 2010
Externally publishedYes


  • Chosen-ciphertext attacks
  • Public-key encryption
  • Trapdoor functions


Dive into the research topics of 'Chosen-ciphertext security via correlated products'. Together they form a unique fingerprint.

Cite this