International Association
for Cryptologic Research

We put forward the concept of "forgetful encryption". A forgetful public-key encryption scheme guarantees that (a limited amount of) information that is leaked through the encryption process does not reveal the whole message. This notion is related to, but different from leakage-resilient encryption (where leakage on the decryption key is considered) and big-key encryption (which is defined for secret-key encryption). Forgetful encryption is useful, e.g., in settings in which a cloud server encrypts data stored for a client, using that client’s public key. In that setting, a limited form of leakage on the encryption process may occur accidentally, through security breaches, or through targeted attacks. In this work, we define the notion of forgetful encryption using the simulation paradigm, and provide a number of instantiations from mild computational assumptions. In the random oracle model, we provide a generic instantiation from “lossy key encapsulation mechanisms”, an existing paradigm that allows for efficient instantiations in the group, RSA, and lattice settings. In the standard model, we provide a somewhat less efficient construction (that can also be instantiated under standard assumptions) from a mild variant of (sender-)deniable encryption.