2

Let $G$ be a secure PRG and let $s$ be a private key. We can define $\mathrm{Enc}(s,m) = G(s)\oplus m$. As long as we know only one encrypted message this scheme is secure, since $G(s)\oplus m \sim r\oplus m \sim r$, where $r$ is a random string. I have several questions:

  • If we know two encrypted messages $G(s)\oplus m_{1}$ and $G(s)\oplus m_{2}$, then clearly we know $m_{1}\oplus m_{2}$. Does it follow that this scheme is not secure when used twice (in terms of computational indistinguishability)? We do leak $m_{1}\oplus m_{2}$, but how much information do we get?
  • Is there a way to construct a scheme such that it is secure for one and two messages, but fails to be secure for three messages?
giochi
  • 131
  • 2

1 Answer

3

Here is a symmetric-key encryption scheme that is secure for $t$ encryptions but not $t+1$. Suppose $\textsf{Enc}$ is a CPA-secure symmetric encryption scheme with $\lambda$-bit secret keys. We will use $\textsf{Enc}$ to construct the following scheme $\textsf{Enc}^*$:

  • The key is a vector $\langle K_0, K_1, \ldots, K_t\rangle$ where each $K_i \in \{0,1\}^\lambda$. (These can all be derived from a single, short key using a PRG, if you prefer.)
  • To encrypt a plaintext $M$:
    • Sample $R \gets \{0,1\}^\lambda$
    • Compute $U = K_0 + K_1 \cdot R + K_2 \cdot R^2 + \cdots + K_t \cdot R^t$. In other words, treat the key vector as coefficients of a degree-$t$ polynomial, and evaluate that polynomial at point $R$ (in the finite field of $2^\lambda$ elements).
    • Output ciphertext $(R, U, \textsf{Enc}(K_0, M))$.

Each $(R,U)$ is a secret share in a threshold-$t$ Shamir secret sharing scheme, and $K_0$ (used as the key for $\textsf{Enc}$) is the corresponding secret. So, given only $t$ shares, nothing is leaked about $K_0$, and the scheme inherits the CPA security of $\textsf{Enc}$. But given any $t+1$ shares (with overwhelming probability, avoiding a collision in the $R$ values), we can reconstruct $K_0$ and security is lost.

Mikero
  • 14,908
  • 2
  • 35
  • 58
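The construction in the answer above, as an added worked example (not the answerer's code): the key vector is a polynomial over a finite field, each ciphertext carries one Shamir share $(R, U)$, and Lagrange interpolation at $x = 0$ recovers $K_0$ once $t+1$ shares with distinct $R$ are available. Assumptions: a toy $\lambda = 8$ so the field is GF($2^8$) with the AES reduction polynomial, and a hash-keystream cipher named `inner` standing in for the CPA-secure $\textsf{Enc}$.

```python
import os
import hashlib

# Assumed toy parameter: lambda = 8, i.e. GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
POLY = 0x11B

def gf_mul(a, b):  # multiply two field elements, reducing on each shift
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (POLY if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a):  # a^(2^8 - 2) == a^-1 for a != 0 (square-and-multiply)
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def poly_eval(coeffs, r):  # K_0 + K_1*r + ... + K_t*r^t by Horner's rule
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, r) ^ c
    return acc

def inner(k0, nonce, data):  # stand-in for Enc/Dec: SHA-256 keystream xor (data <= 32 bytes)
    stream = hashlib.sha256(bytes([k0]) + nonce).digest()
    return bytes(x ^ y for x, y in zip(data, stream))

def encrypt_star(key, m):  # Enc*: output (R, U, Enc(K_0, M)) with R a fresh share point
    r, nonce = os.urandom(1)[0], os.urandom(16)
    return r, poly_eval(key, r), (nonce, inner(key[0], nonce, m))

def recover_k0(ciphertexts, t):  # security check: interpolate t+1 shares (R, U) at x = 0
    shares = list({r: u for r, u, _ in ciphertexts}.items())  # drop colliding R values
    if len(shares) < t + 1:
        return None  # t or fewer distinct shares: K_0 is information-theoretically hidden
    k0 = 0
    for xi, yi in shares[:t + 1]:
        num = den = 1
        for xj, _ in shares[:t + 1]:
            if xj != xi:  # in characteristic 2, (0 - xj) = xj and (xi - xj) = xi ^ xj
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
        k0 ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return k0
```

With $t = 2$, `recover_k0` returns `None` for two ciphertexts and the true $K_0$ for three with distinct $R$, after which every `inner` body decrypts.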