
© The Author(s) 2019. Published by Oxford University Press on behalf of The British Computer Society.

All rights reserved. For permissions, please e-mail: journals.permissions@oup.com


doi:10.1093/comjnl/bxy144

Continuous Leakage-Resilient Identity-Based Encryption with Tight Security

Downloaded from https://academic.oup.com/comjnl/advance-article-abstract/doi/10.1093/comjnl/bxy144/5288324 by Iowa State University user on 15 January 2019
YANWEI ZHOU 1,2,3, BO YANG 1,2,3,*, HONGXIA HOU 1,3, LINA ZHANG 1,3, TAO WANG 1,3 AND MINGXIAO HU 4

1 School of Computer Science, Shaanxi Normal University, Xi'an 710119, China
2 State Key Laboratory of Cryptology, PO Box 5159, Beijing 100878, China
3 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
4 College of Mathematics, Physics and Electronic Information Engineering, Wenzhou University, Wenzhou 325035, China
* Corresponding author: byang@snnu.edu.cn

In practical deployments, an adversary can break the security of a cryptographic scheme through various leakage attacks (e.g. side-channel attacks, cold-boot attacks), including continuous leakage attacks. A practical cryptographic scheme must therefore maintain its claimed security in the continuous leakage setting. However, previous constructions of leakage-resilient identity-based encryption (IBE) tolerate only a bounded amount of leakage and cannot resist continuous leakage attacks. To achieve stronger security, this paper presents a new method for building a continuous leakage-resilient IBE scheme with tight security; the scheme's security is proved in the standard model under a stronger security assumption whose parameter depends on the number of queries made by the adversary. In addition, our proposal has several advantages over previous such constructions, e.g. shorter public parameters, higher communication efficiency and tight security.

Keywords: continuous leakage resilience; identity-based encryption; tight security

Received 4 April 2018; revised 18 December 2018; editorial decision 19 December 2018
Handling editor: Chris Mitchell

1. INTRODUCTION

In the traditional security models, such as security against chosen-plaintext attacks (CPA) and chosen-ciphertext attacks (CCA), an efficient adversary sees only the specified inputs and outputs of a cryptographic scheme and has no other means of accessing its internal secret information (e.g. the private key). In other words, these are idealized models: leakage of the internal secret state is not considered. In the real world, an adversary can learn a certain amount of information about the internal secret state through various leakage attacks, e.g. side-channel attacks and cold-boot attacks. Hence traditional schemes, whose security is proved in an idealized setting, may fail to maintain their claimed security in the leakage setting. To improve practicability, many leakage-resilient cryptographic schemes have been constructed in the past few years, including leakage-resilient public-key encryption (PKE) [1, 2], leakage-resilient identity-based encryption (IBE) [3–5], leakage-resilient certificate-based encryption (CBE) [6–8], leakage-resilient signcryption [9] and leakage-resilient certificateless public-key encryption (CL-PKE) [10, 11]. Leakage-resilient cryptography has thus produced many primitives that can be proven secure even against adversaries who obtain limited additional information about the private key or other internal secret state. However, in practice an adversary can mount continuous leakage attacks, so a scheme with continuous leakage resilience is more practical. In summary, (continuous) leakage resilience is a powerful tool that lets us analyze the security of such constructions, and we believe it is an important property of cryptographic primitives. In this paper we therefore study continuous leakage resilience for IBE and design a concrete continuous leakage-resilient IBE scheme in the standard model.

SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS


THE COMPUTER JOURNAL, 2019
2 Y. ZHOU et al.

1.1. Leakage model

In recent years, the bounded-leakage model has received much attention [1–4, 6]. In this model, an adversary can learn arbitrary information about the private key, as long as the total number of bits leaked is bounded by some parameter $\lambda$, called the leakage parameter. We formalize this security notion by giving the adversary access to a leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$ (formally defined in Section 3.2) that she can repeatedly and adaptively query; each query consists of an efficiently computable leakage function $f_i(\cdot)$, and the oracle responds with the 'leakage information' $f_i(SK_{id})$ computed on the private key $SK_{id}$, where the total number of bits leaked on the same private key is bounded by $\lambda$.

In the continuous leakage model, the entire lifetime of the cryptosystem is partitioned into periods; at the end of each period the internal secret state is updated, and fresh randomness is pushed into it by this additional update operation. From the adversary's point of view the updated secret state is then uniformly random, even if a certain amount of additional information about the previous state was captured. Thus, in this model the adversary may obtain bounded leakage from the entire internal secret state during each time period, as in the bounded-leakage model, but the total leakage over the lifetime of the scheme is unbounded. The main advantage of the continuous leakage model is that continuous leakage attacks can be reduced to the simpler single-round bounded leakage-resilience property. Because continuous leakage resilience is closer to real life, several constructions have captured it in their security analysis, such as the continuous leakage-resilient PKE schemes [12–14], key exchange protocol [15], signature scheme [16], CBE scheme [17], CL-PKE scheme [18], IBE scheme [19] and attribute-based encryption (ABE) scheme [20].

1.2. Prior constructions

In EUROCRYPT 2010, to resist leakage attacks on IBE, Alwen et al. [21] generalized hash proof systems to the identity-based setting, calling the result an identity-based hash proof system (IB-HPS), and showed how to construct leakage-resilient IBE generically from an IB-HPS. They gave three instantiations based on the IBE schemes of Boneh et al. [22], Gentry [23] and Gentry et al. [24], respectively. In CCS 2010, building on the results of Alwen et al. [21], Chow et al. [25] constructed three new leakage-resilient IBE schemes from the IBE schemes of Boneh et al. [26], Lewko et al. [27] and Waters [28]; the first of these was proved secure only in the selective-identity model. In EUROCRYPT 2012, Yuen et al. [29] proposed a new leakage-resilient IBE scheme in the auxiliary input model, which tolerates a more general form of leakage. In addition, Li et al. [3] presented a provably secure IBE scheme resilient to post-challenge continuous auxiliary input leakage. In TCC 2011, Lewko et al. [30] showed that leakage resilience can be obtained quite naturally within the dual system encryption methodology. Sun et al. [31] designed the first leakage-resilient wicked IBE scheme over composite-order groups, with a security proof via the dual system encryption technique. Recently, Li et al. [20] developed a leakage-resilient identity-based broadcast encryption scheme based on dual system encryption. Furthermore, a continuous leakage-resilient IBE scheme was created by Zhou et al. [19]. However, our analysis shows that the above IBE schemes [3, 19–21, 25, 29–31] with (continuous) leakage resilience have the following deficiencies:

(1) The constructions [3, 20, 21, 25, 29–31] were only proved CPA secure. Because security against adaptive chosen-ciphertext attacks is a strong and very useful notion for IBE, Li et al. [4] applied a hash proof technique to the existing CCA-secure variant of Gentry's IBE scheme [23] to construct a new leakage-resilient IBE scheme, and Sun et al. [5] presented a new leakage-resilient IBE scheme using Gentry's method [23] that also achieves CCA security. However, these CCA-secure constructions [4, 5] achieve only bounded leakage resilience and cannot keep their security in the continuous leakage setting.

(2) The constructions [20, 29–31] built from the dual system encryption technique are less practical, because their security is proved under subgroup decisional assumptions over composite-order bilinear groups; moreover, only CPA security is obtained over these groups.

(3) Although the constructions [29, 30] achieve continuous leakage resilience, they obtain only CPA security. To obtain continuous leakage-resilient CCA security, Zhou et al. [19] created a novel continuous leakage-resilient IBE scheme; however, its CCA security is proved only in the selective-identity model.

To sum up, in the identity-based setting some continuous leakage-resilient IBE schemes [29, 30] achieve only CPA


security, and the CCA security of the continuous leakage-resilient IBE scheme proposed in [19] is proved only in the selective-identity model. Therefore, the literature contains no practical IBE scheme with CCA security that accounts for continuous leakage attacks. To obtain better performance, we focus on constructing a practical CCA-secure continuous leakage-resilient IBE scheme with a tight security reduction; the CCA security is proved in the standard model.

1.3. Our contributions

Prior constructions of (continuous) leakage-resilient IBE [3, 21, 25, 29–31] either tolerate only bounded leakage or achieve only CPA security, and only selective-identity CCA security was obtained in [19]. To solve these problems, our work shows how to construct a CCA-secure IBE scheme with continuous leakage resilience. Concretely, we first put forward a basic continuous leakage-resilient IBE scheme $\Pi$ with CPA security in the standard model under the truncated augmented bilinear Diffie–Hellman exponent ($q$-TABDHE) assumption. We then develop a novel continuous leakage-resilient IBE scheme $\Pi'$ whose CCA security is proved with the same method as for $\Pi$. Compared with the (continuous) leakage-resilient IBE schemes [4, 5, 19], our proposal enjoys better performance, e.g. higher communication efficiency, shorter public parameters and tight security.

2. PRELIMINARIES

2.1. Notations

Let $\kappa \in \mathbb{N}$ denote the security parameter. If $S$ is a string, $|S|$ denotes its length; if $S$ is a set, $|S|$ denotes its size and $s \leftarrow_R S$ denotes picking an element $s$ uniformly at random from $S$. We write $y \leftarrow \mathcal{A}(x)$ for running $\mathcal{A}$ on input $x$ and assigning the result to $y$. We use $\mathrm{negl}(\kappa)$ to denote the set of all functions that are negligible in the security parameter $\kappa$.

2.2. Bilinear groups

Let $\mathcal{G}(1^\kappa)$ be a probabilistic polynomial-time (PPT) group generation algorithm that takes as input a security parameter $\kappa$ and outputs a tuple $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$ such that: (i) $G$ and $G_T$ are two (multiplicative) cyclic groups of prime order $p$; (ii) $g$ is a generator of $G$; (iii) $e: G \times G \to G_T$ is an efficiently computable bilinear pairing with the following properties:

(1) Bilinear: $e(u^a, v^b) = e(u, v)^{ab}$ for all $a, b \in \mathbb{Z}_p^*$ and $u, v \in G$;
(2) Non-degenerate: $e(g, g) \neq 1_{G_T}$, where $1_{G_T}$ is the identity element of $G_T$;
(3) Computable: $e(u, v)$ can be computed efficiently for all $u, v \in G$.

2.3. Security assumption

The security of our constructions is based on a complexity assumption known as the decisional augmented bilinear Diffie–Hellman exponent (decisional ABDHE) assumption. The $q$-ABDHE problem is as follows: given a vector of $2q + 2$ elements
$$\bigl(g',\; g'^{(\alpha^{q+2})},\; g,\; g^{\alpha},\; \ldots,\; g^{(\alpha^{q})},\; g^{(\alpha^{q+2})},\; \ldots,\; g^{(\alpha^{2q})}\bigr) \in G^{2q+2}$$
as input, output $e(g, g')^{\alpha^{q+1}} \in G_T$. We write $g_i$ and $g'_i$ for $g^{(\alpha^i)}$ and $g'^{(\alpha^i)}$. The decisional version of truncated $q$-ABDHE (in which the terms $g_{q+2}, \ldots, g_{2q}$ are omitted) is defined as follows. Let $\Gamma_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\Gamma_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$. The advantage of an adversary $\mathcal{A}$ in solving the $q$-ABDHE problem is defined as
$$\mathrm{Adv}^{q\text{-ABDHE}}_{\mathcal{A}}(\kappa) = \bigl|\Pr[\mathcal{A}(\Gamma_1) = 1] - \Pr[\mathcal{A}(\Gamma_0) = 1]\bigr|,$$
where the probability is over the random choice of the generators $g, g'$ in $G$, the random choice of $\alpha$ in $\mathbb{Z}_p^*$, the random choice of $T_0 \leftarrow_R G_T$, and the random bits consumed by $\mathcal{A}$.

The $q$-ABDHE assumption is captured by the following distinguishing game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. The challenger $\mathcal{C}$ runs $\mathbb{G} \leftarrow \mathcal{G}(1^\kappa)$ and gives $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$ to the adversary $\mathcal{A}$.

Challenge stage. $\mathcal{C}$ does the following:

(1) Chooses $g, g' \leftarrow_R G$ and $\alpha \leftarrow_R \mathbb{Z}_p^*$, and computes $g_i = g^{(\alpha^i)}$ for $i = 1, 2, \ldots, q$ and $g'_{q+2} = g'^{(\alpha^{q+2})}$.
(2) Sets $\Gamma_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\Gamma_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$.
(3) Sends the challenge tuple $\Gamma_v$ to $\mathcal{A}$, where $v \leftarrow_R \{0, 1\}$.

Output. $\mathcal{A}$ outputs a bit $v' \in \{0, 1\}$ as its guess of the random bit $v$ chosen by $\mathcal{C}$. If $v' = v$, then $\mathcal{A}$ wins the game, i.e. $\mathcal{A}$ distinguishes a $q$-ABDHE tuple from a random tuple.

DEFINITION 2.1 ($q$-ABDHE). We say that the $q$-ABDHE assumption holds if for all PPT adversaries $\mathcal{A}$ we have $\mathrm{Adv}^{q\text{-ABDHE}}_{\mathcal{A}}(\kappa) \leq \mathrm{negl}(\kappa)$.


2.4. Randomness extractor

The basic notions of universal hash functions, min-entropy $H_\infty(A)$, statistical distance $SD(A, B)$ and average conditional min-entropy $\tilde{H}_\infty(A \mid C)$ are omitted here; the reader may refer to [1, 2, 32] for details. By the definition of $\tilde{H}_\infty(A \mid C)$, for any PPT adversary $\mathcal{A}$ we have
$$\Pr[\mathcal{A}(C) = A] = \mathbb{E}_{c}\bigl[\Pr[\mathcal{A}(c) = A]\bigr] \leq \mathbb{E}_{c}\bigl[2^{-H_\infty(A \mid C = c)}\bigr] = 2^{-\tilde{H}_\infty(A \mid C)},$$
where $\mathbb{E}_c$ denotes the expectation over $C$.

LEMMA 2.1 ([32]). Let $X$, $Y$ and $Z$ be random variables. If $Y$ has at most $2^\lambda$ possible values, then
$$\tilde{H}_\infty(X \mid (Y, Z)) \geq \tilde{H}_\infty(X \mid Z) - \lambda.$$

DEFINITION 2.2 (Randomness extractor). An efficiently computable function $\mathrm{Ext}: \{0, 1\}^{l_n} \times \{0, 1\}^{l_t} \to \{0, 1\}^{l_m}$ is an average-case $(k, \epsilon)$-strong randomness extractor if for all pairs of random variables $(X, Y)$ such that $X \in \{0, 1\}^{l_n}$ and $\tilde{H}_\infty(X \mid Y) \geq k$, we have $SD((\mathrm{Ext}(X, S), S, Y), (U_m, S, Y)) \leq \epsilon$, where $S \leftarrow_R \{0, 1\}^{l_t}$ and $U_m \leftarrow_R \{0, 1\}^{l_m}$.

DEFINITION 2.3 (Universal hash function). A family $\mathcal{H} = \{H_i: \mathcal{X} \to \mathcal{Y}\}_{i \in \mathcal{I}}$ is universal if for all distinct $x_1 \neq x_2 \in \mathcal{X}$ we have $\Pr_{i \leftarrow_R \mathcal{I}}[H_i(x_1) = H_i(x_2)] \leq 1/|\mathcal{Y}|$.

EXAMPLE 1 ([2]). The family of functions $\{H_{k_1, \ldots, k_l}: \mathbb{Z}_p^{l+1} \to \mathbb{Z}_p\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, l}$ is universal, where $H_{k_1, \ldots, k_l}(x_0, x_1, \ldots, x_l) = x_0 + k_1 x_1 + \cdots + k_l x_l$. All operations are in the prime field $\mathbb{Z}_p$.

EXAMPLE 2 ([2]). Let $G$ be a multiplicative group of prime order $p$ and $g \in G$, $g \neq 1$. The family of functions $\{H_{k_1, \ldots, k_l}: G^{l+1} \to G\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, l}$ is universal, where $H_{k_1, \ldots, k_l}(g_0, g_1, \ldots, g_l) = g_0\, g_1^{k_1} \cdots g_l^{k_l}$.

LEMMA 2.2 (Leftover hash lemma [32]). Let $\mathcal{H} = \{H_S: \mathcal{X} \to \mathcal{Y}\}_{S \in \mathcal{S}}$ be a family of universal hash functions and let $U_{\mathcal{Y}}$ be the uniform distribution over $\mathcal{Y}$. For a random variable $X$ over $\mathcal{X}$ and any random variable $C$, it holds that
$$SD\bigl((H_S(X), S), (U_{\mathcal{Y}}, S)\bigr) \leq \tfrac{1}{2}\sqrt{2^{-H_\infty(X)}\,|\mathcal{Y}|};$$
$$SD\bigl((H_S(X), S, C), (U_{\mathcal{Y}}, S, C)\bigr) \leq \tfrac{1}{2}\sqrt{2^{-\tilde{H}_\infty(X \mid C)}\,|\mathcal{Y}|}.$$

LEMMA 2.3 (Generalized leftover hash lemma [32]). Let $X$, $Y$ be random variables such that $X \in \{0, 1\}^{l_n}$ and $\tilde{H}_\infty(X \mid Y) \geq k$. Let $\mathcal{H}$ be a family of universal hash functions from $\{0, 1\}^{l_n}$ to $\{0, 1\}^{l_m}$. Then, for $S \leftarrow_R \mathcal{H}$ and $U_m \leftarrow_R \{0, 1\}^{l_m}$,
$$SD\bigl((Y, S, H_S(X)), (Y, S, U_m)\bigr) \leq \epsilon \quad \text{as long as } l_m \leq k - 2\log(1/\epsilon).$$

By Lemmas 2.2 and 2.3, for an index $i \leftarrow_R \mathcal{I}$ the universal hash function $H_i: \mathcal{X} \to \mathcal{Y}$ can be employed as an average-case strong randomness extractor.

3. IDENTITY-BASED ENCRYPTION

3.1. Definition

Similar to previous works [4, 5, 25, 33], an IBE scheme consists of four algorithms, Setup, KeyGen, Enc and Dec, described as follows:

• $(\mathrm{Params}, S_{msk}) \leftarrow \mathrm{Setup}(1^\kappa)$. The setup algorithm takes as input a security parameter $\kappa$ and outputs the public parameters $\mathrm{Params}$ and the master secret key $S_{msk}$, where $\mathrm{Params}$ is a common input of the following algorithms.
• $SK_{id} \leftarrow \mathrm{KeyGen}(S_{msk}, id)$. The key generation algorithm takes $S_{msk}$ and an identity $id \in \mathcal{ID}$ (where $\mathcal{ID}$ denotes the identity space) as input and generates the private key $SK_{id}$ for the identity $id$.
• $c \leftarrow \mathrm{Enc}(id, M)$. On input a message $M \in \mathcal{M}$ (where $\mathcal{M}$ denotes the message space) and an identity $id$, the encryption algorithm Enc outputs the corresponding ciphertext $c$.
• $M/\bot \leftarrow \mathrm{Dec}(SK_{id}, c)$. The recipient with identity $id$ decrypts the ciphertext $c$ by running the decryption algorithm Dec on $c$ and her private key $SK_{id}$, which outputs the corresponding message $M$ or the special symbol $\bot$.

In the continuous leakage setting, an additional key update algorithm is used to push fresh randomness into the private key:

• $SK'_{id} \leftarrow \mathrm{Update}(SK_{id}, \mathrm{String})$. The key update algorithm takes a private key $SK_{id}$ and the corresponding parameter $\mathrm{String}$ as input and generates a new private key $SK'_{id}$ for the identity $id$. Moreover, for any adversary, $SD(SK_{id}, SK'_{id}) \leq \mathrm{negl}(\kappa)$, i.e. the old and new keys are statistically indistinguishable as distributions.
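The universal hash of Example 1 and the bounds of Lemma 2.2, run at toy size as an added example (not part of the paper): $p$, $l$ and the two leakage functions are my own choices, and the group is small enough that every input and key is enumerated exactly with Fractions, so the collision bound of Definition 2.3 and the statistical-distance bound of the leftover hash lemma are checked rather than assumed.

```python
"""The universal hash family of Example 1 and the leftover hash lemma
(Lemma 2.2) at toy size.  Added example, not from the paper: p and l are
small enough to enumerate every input and key exactly with Fractions, so
the collision bound of Definition 2.3 and the statistical-distance bound
are checked rather than assumed.  The leakage functions are my own."""
import itertools
import math
from fractions import Fraction


def universal_hash(keys, x, p):
    """H_{k_1..k_l}(x_0, ..., x_l) = x_0 + sum_i k_i * x_i  (mod p)."""
    assert len(x) == len(keys) + 1
    return (x[0] + sum(k * xi for k, xi in zip(keys, x[1:]))) % p


def max_collision_probability(p, l):
    """max over distinct x1 != x2 of Pr_k[H_k(x1) == H_k(x2)], computed
    exactly; Definition 2.3 needs this <= 1/|Y| = 1/p."""
    inputs = list(itertools.product(range(p), repeat=l + 1))
    keyspace = list(itertools.product(range(p), repeat=l))
    worst = Fraction(0)
    for x1, x2 in itertools.combinations(inputs, 2):
        hits = sum(1 for k in keyspace
                   if universal_hash(k, x1, p) == universal_hash(k, x2, p))
        worst = max(worst, Fraction(hits, len(keyspace)))
    return worst


def extractor_distance(p, l, leak):
    """Exact SD((H_S(X), S, C), (U, S, C)) for X uniform on Z_p^{l+1}, S a
    uniform key and C = leak(X), plus the Lemma 2.2 bound
    (1/2) * sqrt(2^{-H~_inf(X|C)} * |Y|).  Returns (sd, bound)."""
    inputs = list(itertools.product(range(p), repeat=l + 1))
    keyspace = list(itertools.product(range(p), repeat=l))
    n, kk = len(inputs), len(keyspace)
    joint = {}                     # (y, s, c) -> probability, real distribution
    leak_prob = {}                 # c -> Pr[C = c]
    for x in inputs:
        c = leak(x)
        leak_prob[c] = leak_prob.get(c, Fraction(0)) + Fraction(1, n)
        for s in keyspace:
            key = (universal_hash(s, x, p), s, c)
            joint[key] = joint.get(key, Fraction(0)) + Fraction(1, n * kk)
    # ideal distribution: y uniform on Z_p and independent of (S, C)
    sd = Fraction(0)
    for y in range(p):
        for s in keyspace:
            for c, pc in leak_prob.items():
                ideal = Fraction(1, p * kk) * pc
                sd += abs(joint.get((y, s, c), Fraction(0)) - ideal)
    sd /= 2
    # H~_inf(X|C) = -log2 sum_c max_x Pr[X = x, C = c]; X is uniform, so the
    # best guess for each observed value c has probability exactly 1/n
    h_tilde = -math.log2(len(leak_prob) / n)
    bound = 0.5 * math.sqrt(2 ** (-h_tilde) * p)
    return sd, bound


def leak_first_coordinate(x):
    """Leakage function revealing all of x_0 (log2 p bits)."""
    return x[0]


def leak_last_coordinate(x):
    """Leakage function revealing all of x_l; x_0 still masks the output."""
    return x[-1]


if __name__ == "__main__":
    print("max collision probability, p=5, l=1:", max_collision_probability(5, 1))
    for leak in (leak_first_coordinate, leak_last_coordinate):
        sd, bound = extractor_distance(5, 1, leak)
        print(f"{leak.__name__}: SD = {sd}, LHL bound = {bound:.3f}")
```

Leaking $x_0$ costs the same number of bits as leaking $x_l$, and both leave the same average min-entropy, but only the first makes the hash output detectably non-uniform (when the key is zero the output is just $x_0$); the point of Lemma 2.2 is that the bound holds for either leakage function without knowing which one the adversary chose.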


3.2. Leakage oracle

We model the adversary's leakage attacks on the private key $SK_{id}$ by giving the adversary access to a leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$, which the adversary can query to gain leakage information about $SK_{id}$.

DEFINITION 3.1 (Leakage oracle). A leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$ is parameterized by a private key $SK_{id}$, a leakage parameter $\lambda$ and a security parameter $\kappa$. A query to the leakage oracle consists of an efficiently computable leakage function $f_i: \{0, 1\}^* \to \{0, 1\}^{l_i}$. The oracle checks whether the sum of $l_i$ over all queries received so far exceeds the leakage parameter $\lambda$, and ignores the query if this is the case. Otherwise, it computes $f_i(SK_{id})$ for at most polynomially many steps and, if the computation completes, responds with the output; otherwise it responds with the dummy value $\bot$.

Without loss of generality, we may assume that the adversary accesses the leakage oracle only once and obtains at most $\lambda$ bits of leakage.

3.3. Security model with (continuous) leakage resilience

In the (continuous) leakage setting, we require that the security of the IBE scheme remains intact even if the adversary obtains some additional information about a user's private key.

Following previous works [4, 5, 25], our (continuous) leakage-resilient security definition for IBE allows leakage attacks only against the private keys of the various identities, not against the master secret key. As noted in [1, 4, 5, 25], we allow the adversary to make leakage queries only before seeing the challenge ciphertext. This restriction is necessary: otherwise the adversary could submit a leakage function that decrypts the challenge ciphertext with the private key and leaks the first bit of the message, and so easily win the distinguishing game.

For an IBE scheme $\Pi = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ with identity space $\mathcal{ID}$ and message space $\mathcal{M}$, the notion of leakage-resilient chosen-ciphertext attack (LR-CCA) security is defined by the following game between an adversary $\mathcal{A}$ and a simulator $\mathcal{S}$, under a security parameter $\kappa$ and a leakage parameter $\lambda$:

Setup. $\mathcal{S}$ runs $(\mathrm{Params}, S_{msk}) \leftarrow \mathrm{Setup}(1^\kappa)$ and sends $\mathrm{Params}$ to $\mathcal{A}$, keeping $S_{msk}$ secret.

Test stage 1. In this stage, $\mathcal{A}$ can make the following three kinds of queries, adaptively, i.e. each query may depend on the answers to the previous queries. In the leakage and decryption queries, the corresponding private key is obtained by running the key generation algorithm.

(1) Key generation queries. On input an identity $id \in \mathcal{ID}$, $\mathcal{S}$ runs $SK_{id} \leftarrow \mathrm{KeyGen}(S_{msk}, id)$ and replies with the private key $SK_{id}$.
(2) Leakage queries. On input an identity $id$ and an efficiently computable leakage function $f_i: \{0, 1\}^* \to \{0, 1\}^{l_i}$, $\mathcal{S}$ returns the leakage information $f_i(SK_{id})$ on the private key $SK_{id}$ via the leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$, where $SK_{id} \leftarrow \mathrm{KeyGen}(S_{msk}, id)$. The total length of leakage on the same private key $SK_{id}$ must not exceed the leakage parameter, i.e. $\sum_{i=1}^{j} |f_i(SK_{id})| \leq \lambda$; otherwise the invalid answer $\bot$ is returned.
(3) Decryption queries. On input a ciphertext $C$ and an identity $id$, $\mathcal{S}$ decrypts $C$ using the private key $SK_{id}$ of identity $id$ and sends the result $M/\bot = \mathrm{Dec}(SK_{id}, C)$ to $\mathcal{A}$, where $SK_{id} \leftarrow \mathrm{KeyGen}(S_{msk}, id)$.

Challenge. Once $\mathcal{A}$ decides that Test stage 1 is over, it outputs two equal-length messages $M_0, M_1 \in \mathcal{M}$ and a challenge identity $id^* \in \mathcal{ID}$ that never appeared in a key generation query and appeared in leakage queries with at most $\lambda$ bits of leakage. $\mathcal{S}$ chooses a bit $b \leftarrow_R \{0, 1\}$, computes $C^*_b \leftarrow \mathrm{Enc}(id^*, M_b)$ and sends $C^*_b$ to $\mathcal{A}$ as the challenge ciphertext.

Test stage 2. This stage is similar to Test stage 1, except that neither key generation queries on $id^*$ nor decryption queries on $(C^*_b, id^*)$ are allowed. Also, as mentioned above, no leakage query is allowed in this stage.

Output. Finally, $\mathcal{A}$ outputs $b' \in \{0, 1\}$ as its guess of the random bit $b$ picked by $\mathcal{S}$. We say that $\mathcal{A}$ wins if $b' = b$.

The advantage of $\mathcal{A}$ in attacking the IBE scheme is defined as
$$\mathrm{Adv}^{LR\text{-}CCA}_{\Pi,\mathcal{A}}(\kappa, \lambda) = \Bigl|\Pr[\mathcal{A} \text{ wins}] - \tfrac{1}{2}\Bigr|.$$

Leakage-resilient CCA (LR-CCA) security is defined as follows.

DEFINITION 3.2 (LR-CCA security). An IBE scheme $\Pi$ is secure against adaptive a posteriori leakage-resilient chosen-ciphertext attacks if for any PPT adversary $\mathcal{A}$ the advantage $\mathrm{Adv}^{LR\text{-}CCA}_{\Pi,\mathcal{A}}(\kappa, \lambda)$ in the above game is negligible, where the total amount of leakage on the same private key is bounded by the leakage parameter $\lambda$.

In FOCS 2010, Dodis et al. [12] showed that a cryptographic scheme with bounded leakage resilience can resist continuous leakage attacks if it allows users to refresh their private keys using only fresh local randomness while the public parameters and the functionality remain unchanged. Accordingly, continuous leakage-resilient CCA (CLR-CCA) security is defined as follows.

DEFINITION 3.3 (CLR-CCA security). An IBE scheme $\Pi$ with a key update algorithm is secure against adaptive a posteriori continuous leakage-resilient chosen-ciphertext attacks if for any


PPT adversary $\mathcal{A}$ the advantage $\mathrm{Adv}^{LR\text{-}CCA}_{\Pi,\mathcal{A}}(\kappa, \lambda)$ in the above game is negligible, where in each round of leakage attacks (i.e. between two consecutive key updates) the total amount of leakage on the same private key is bounded by $\lambda$.

Note that in the (continuous) leakage-resilient CPA security model the adversary cannot submit decryption queries. Owing to space limitations, the corresponding descriptions are omitted.

In particular, in this paper we prove only the bounded leakage-resilient CPA/CCA security of our proposals; continuous leakage resilience is then obtained naturally by running the update algorithm, since continuous leakage resilience reduces to the single-round bounded leakage-resilience property once an additional key update algorithm is performed.

4. CONTINUOUS LEAKAGE-RESILIENT IBE SCHEME WITH CPA SECURITY

A CPA-secure IBE scheme $\Pi = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Update}, \mathrm{Enc}, \mathrm{Dec})$ in the continuous leakage model is constructed as follows.

4.1. Concrete construction

Setup. The setup algorithm $(\mathrm{Params}, S_{msk}) \leftarrow \mathrm{Setup}(1^\kappa)$ works as follows:

(1) Run the group sampling algorithm $\mathcal{G}(1^\kappa)$ to obtain $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$.
(2) Let $\mathrm{Ext}: G_T \times \{0, 1\}^{l_t} \to \{0, 1\}^{l_m}$ be an average-case $(\log p - \lambda, \epsilon)$-strong randomness extractor, where $\lambda$ is the leakage parameter and $\epsilon$ is negligible.
(3) Choose $\alpha \leftarrow_R \mathbb{Z}_p^*$ and $h \leftarrow_R G$, and compute $g_1 = g^\alpha$.
(4) Let the master secret key be $S_{msk} = \alpha$, and set the public parameters $\mathrm{Params} = \langle \mathbb{G}, g_1, h, \mathrm{Ext} \rangle$ as the common input of the following algorithms. Let the identity space be $\mathcal{ID} = \mathbb{Z}_p^*$ and the message space be $\mathcal{M} = \{0, 1\}^{l_m}$. Identities may also be bit strings of arbitrary length, mapped into $\mathbb{Z}_p^*$ by a collision-resistant hash function $H: \{0, 1\}^* \to \mathbb{Z}_p^*$.

Key generation. The key generation algorithm $(SK_{id}, tk_{id}) \leftarrow \mathrm{KeyGen}(id, S_{msk})$ works as follows:

(1) Choose $t \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1} = (h g^{-t})^{1/(\alpha - id)}$ and $sk_{id,2} = t$.
(2) Output the private key $SK_{id} = (sk_{id,1}, sk_{id,2})$ associated with the identity $id$. In addition, return the update key $tk_{id} = g^{1/(\alpha - id)}$, which is used in the key update algorithm.

We stress that if $\alpha = id$, the key generation algorithm aborts. Moreover, the update key is used only in the key update algorithm, and leakage on it is not modelled: the adversary cannot perform leakage queries on the master secret key or on the update key.

Key update. The key update algorithm $SK^{j}_{id} \leftarrow \mathrm{Update}(SK^{j-1}_{id}, tk_{id})$ works as follows:

(1) Choose $t_j \leftarrow_R \mathbb{Z}_p^*$, and compute $sk^{j}_{id,1} = sk^{j-1}_{id,1} \cdot tk_{id}^{-t_j}$ and $sk^{j}_{id,2} = sk^{j-1}_{id,2} + t_j$. Hence, for any update index $j$, $sk^{j}_{id,1} = \bigl(h\, g^{-(t + \sum_{i=1}^{j} t_i)}\bigr)^{1/(\alpha - id)}$ and $sk^{j}_{id,2} = t + \sum_{i=1}^{j} t_i$, i.e. $SK^{j}_{id}$ is a valid private key for $id$ with randomness $t + \sum_{i=1}^{j} t_i$.
(2) Output the new private key $SK^{j}_{id} = (sk^{j}_{id,1}, sk^{j}_{id,2})$ associated with the identity $id$. For any adversary, $SD(SK^{j}_{id}, SK^{j-1}_{id}) \leq \mathrm{negl}(\kappa)$, since $t_j$ is uniformly random and independent of the adversary's view.

Encryption. The encryption algorithm $C \leftarrow \mathrm{Enc}(id, M)$ works as follows:

(1) Choose $r \leftarrow_R \mathbb{Z}_p^*$ and a randomness seed $S \leftarrow_R \{0, 1\}^{l_t}$, and compute $c_1 = g_1^{r}\, g^{-r \cdot id}$, $c_2 = e(g, g)^r$ and $c_3 = \mathrm{Ext}(e(g, h)^r, S) \oplus M$.
(2) Output the ciphertext $C = (c_1, c_2, c_3, S)$ of $M$.

Note that encryption requires no pairing computation once $e(g, g)$ and $e(g, h)$ have been precomputed. Alternatively, $e(g, g)$ and $e(g, h)$ can be included in the public parameters, in which case $h$ can be dropped.

Decryption. The decryption algorithm $M \leftarrow \mathrm{Dec}(SK_{id}, C)$ works as follows:

(1) Compute $w = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}}$.
(2) Output $M = \mathrm{Ext}(w, S) \oplus c_3$ as the plaintext of $C$.

Correctness. The following equation shows that decryption is consistent with encryption:
$$w = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}} = e\bigl(g_1^{r} g^{-r \cdot id}, (h g^{-t})^{1/(\alpha - id)}\bigr) \cdot e(g, g)^{rt} = e(g^r, h)\; e(g^r, g^{-t})\; e(g, g)^{rt} = e(g, h)^r.$$

4.2. Proof of security

By the result of Dodis et al. [12], a continuous leakage-resilient IBE scheme can be obtained from an IBE scheme $\Pi = (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ with bounded leakage resilience by running an additional key update algorithm Update.
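Before turning to the proof, the construction of Section 4.1 together with the leakage oracle of Definition 3.1 and the per-period budget of Definition 3.3, as an added executable model that is not the authors' code. The bilinear group is simulated in the exponent (an element $g^a$ of $G$ is stored as $a \bmod p$, an element $e(g,g)^b$ of $G_T$ as $b \bmod p$, and $e(g^a, g^b)$ is $ab \bmod p$), which is enough to exercise the KeyGen/Update/Enc/Dec algebra, the correctness equation and the budget accounting; the prime, the identities, the leakage budget and the toy stand-in for Ext are assumptions of the example, and nothing here is secure.

```python
"""Toy executable model of the Section 4.1 scheme and of the leakage oracle
of Definition 3.1.  Added example, not the authors' code.  The bilinear
group is simulated in the exponent: an element g^a of G is stored as
a mod p, an element e(g,g)^b of G_T as b mod p, and e(g^a, g^b) = ab mod p.
That is enough to exercise the KeyGen/Update/Enc/Dec algebra and the
per-period leakage budget, but nothing here is secure: the prime is tiny
and Ext is a toy hash stand-in, both assumptions of this example."""
import secrets

P = 2**31 - 1              # toy prime group order (assumption)
LM = 16                    # message length l_m in bits (assumption)
MASK = (1 << LM) - 1


def rand_zp_star():
    return 1 + secrets.randbelow(P - 1)


def inv(x):
    return pow(x % P, -1, P)


def pairing(a, b):
    """e(g^a, g^b) = e(g,g)^(ab)."""
    return a * b % P


def ext(w, seed):
    """Toy stand-in for Ext(w, S): a universal-hash-style map Z_p -> {0,1}^LM."""
    s0, s1 = seed
    return ((s0 + s1 * w) % P) & MASK


def setup():
    alpha, eta = rand_zp_star(), rand_zp_star()       # S_msk = alpha, h = g^eta
    params = {"g": 1, "g1": alpha, "h": eta}           # exponents of g
    return params, alpha


def keygen(params, msk, ident):
    """SK_id = ((h g^-t)^{1/(alpha-id)}, t) and tk_id = g^{1/(alpha-id)}."""
    if msk == ident:
        raise ValueError("KeyGen aborts: id == alpha")
    t = rand_zp_star()
    tk = inv(msk - ident)
    return ((params["h"] - t) * tk % P, t), tk


def update(sk, tk):
    """sk1 <- sk1 * tk^{-t_j}, sk2 <- sk2 + t_j: same identity, fresh t."""
    sk1, sk2 = sk
    tj = rand_zp_star()
    return ((sk1 - tj * tk) % P, (sk2 + tj) % P)


def encrypt(params, ident, msg):
    r = rand_zp_star()
    seed = (secrets.randbelow(P), secrets.randbelow(P))
    c1 = r * (params["g1"] - ident) % P                # g1^r * g^{-r*id}
    c2 = pairing(params["g"], params["g"]) * r % P     # e(g,g)^r
    c3 = ext(pairing(params["g"], params["h"]) * r % P, seed) ^ msg
    return c1, c2, c3, seed


def shared_value(sk, ct):
    """w = e(c1, sk1) * c2^{sk2}; equals e(g,h)^r only for the right identity."""
    sk1, sk2 = sk
    c1, c2, _, _ = ct
    return (pairing(c1, sk1) + c2 * sk2) % P


def decrypt(sk, ct):
    return ext(shared_value(sk, ct), ct[3]) ^ ct[2]


class LeakageOracle:
    """O^{lambda,kappa}_{SK_id}: answers f(SK_id) while the bit budget lasts.
    A query that would exceed lambda is ignored (None), never trimmed."""

    def __init__(self, sk, budget_bits):
        self.sk, self.budget, self.used = sk, budget_bits, 0

    def query(self, f, out_bits):
        if self.used + out_bits > self.budget:
            return None
        self.used += out_bits
        return f(self.sk) & ((1 << out_bits) - 1)


def demo(ident=4242, msg=0xBEEF, budget=8):
    params, msk = setup()
    sk, tk = keygen(params, msk, ident)
    ct = encrypt(params, ident, msg)
    ok_dec = decrypt(sk, ct) == msg
    sk_next = update(sk, tk)                       # new period, same identity
    ok_updated = sk_next != sk and decrypt(sk_next, ct) == msg
    other, _ = keygen(params, msk, ident + 1)
    ok_other = shared_value(other, ct) != shared_value(sk, ct)
    # one period: 6 + 4 bits would exceed lambda = 8, so the second query is ignored
    oracle = LeakageOracle(sk, budget)
    first = oracle.query(lambda k: k[1], 6)
    second = oracle.query(lambda k: k[1] >> 6, 4)
    # after Update a fresh oracle on the new key starts with a full budget
    fresh = LeakageOracle(sk_next, budget).query(lambda k: k[1], budget)
    return ok_dec, ok_updated, ok_other, first is not None, second is None, fresh is not None


if __name__ == "__main__":
    print(demo())          # (True, True, True, True, True, True)
```

The model makes two points of the construction visible: an updated key decrypts ciphertexts produced before the update (the update changes only the randomness $t$), and the oracle rejects a query that would overrun $\lambda$ outright rather than truncating it, which is the behaviour Definition 3.1 prescribes.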


proof the bounded leakage-resilient property of our construc- and returns the corresponding answers fi (SKid ) by
tion, and the continuous leakage resilience is naturally using the private key SKid , where fi : {0, 1}* 
achieve by performing key update operation. {0, 1 }li is an efficient computable leakage function

Downloaded from https://academic.oup.com/comjnl/advance-article-abstract/doi/10.1093/comjnl/bxy144/5288324 by Iowa State University user on 15 January 2019


THEOREM 4.1. Under the $q$-ABDHE assumption (where $q = q_k + 1$, and any adversary submits at most $q_k$ private key generation queries), for any leakage parameter $l \le 2\log p - l_m - \omega(\log\kappa)$, our construction $\Pi$ is a continuous leakage-resilient IBE scheme with CPA security.

Proof. The simulator $\mathcal{S}$ takes as input a random truncated decision $q$-ABDHE challenge
$$\mathcal{T}_v = (g', g'_{q+2}, g, g_1, g_2, \ldots, g_q, T_v),$$
where $g, g' \leftarrow_R \mathbb{G}$, $g_i = g^{(a^i)}$ and $g'_i = g'^{(a^i)}$ for an unknown $a \in \mathbb{Z}_p^*$, and $T_v$ is either $e(g_{q+1}, g')$ or a random element of $\mathbb{G}_T$. That is, in the beginning, $\mathcal{S}$ receives a challenge tuple from the challenger $\mathcal{C}$ of the $q$-ABDHE problem.

$\mathcal{S}$ simulates the leakage-resilient CPA security game for the adversary $\mathcal{A}$ as follows:

Setup. $\mathcal{S}$ generates a random polynomial $f(z) \in \mathbb{Z}_p[z]$ of degree $q$, and sets $h = g^{f(a)}$. It sends the public parameter $Params = (g, g_1 = g^a, h = g^{f(a)}, \mathrm{Ext})$ to $\mathcal{A}$, where $\mathrm{Ext} : \mathbb{G} \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ is an average case strong randomness extractor. Let $\mathcal{ID} = \mathbb{Z}_p^*$ be the identity space and $\mathcal{M} = \{0,1\}^{l_m}$ be the message space. The master secret key is implicitly set as $S_{msk} = a$.

Notice that, since $a$ is chosen uniformly at random, $h$ and $g_1$ are uniformly random, and this system public parameter has a distribution identical to that in the actual construction. In other words, $a$ is chosen by the challenger $\mathcal{C}$ from $\mathbb{Z}_p^*$, and $a$ is uniformly random from the simulator $\mathcal{S}$'s view.

Test stage 1. In this stage, the following two kinds of queries are adaptively submitted by $\mathcal{A}$, and each query may depend on the previous queries as well as the corresponding responses.

(1) Key generation queries. For the key generation query of any identity $id \in \mathcal{ID}$, if $id = a$, $\mathcal{S}$ uses $a$ to solve truncated decision $q$-ABDHE immediately; otherwise, let $F_{id}(z)$ denote the $(q-1)$-degree polynomial $\frac{f(z) - f(id)}{z - id}$. $\mathcal{S}$ outputs the corresponding private key $SK_{id} = (g^{F_{id}(a)}, f(id))$. This is a valid private key for the identity $id$, since
$$g^{F_{id}(a)} = g^{\frac{f(a) - f(id)}{a - id}} = \big(g^{f(a)} g^{-f(id)}\big)^{\frac{1}{a - id}} = \big(h\, g^{-f(id)}\big)^{\frac{1}{a - id}}.$$

(2) Leakage queries. For the leakage query of any identity $id \in \mathcal{ID}$, $\mathcal{S}$ operates the leakage oracle $\mathcal{O}^{l,\kappa}_{SK_{id}}(\cdot)$ … submitted by the adversary $\mathcal{A}$, and the private key $SK_{id}$ can be created with the same method as in the key generation queries. In the process of leakage queries, the total length of all the $f_i(SK_{id})$ returned from the leakage oracle $\mathcal{O}^{l,\kappa}_{SK_{id}}(\cdot)$ on the same private key $SK_{id}$ must be less than the leakage parameter $l$. Otherwise, an invalid answer $\perp$ will be output.

Challenge stage. In this stage, $\mathcal{A}$ will submit a challenge identity $id^* \in \mathcal{ID}$ and two equal-length challenge messages $M_0, M_1 \in \mathcal{M}$ to $\mathcal{S}$, where $id^*$ never appeared in a key generation query and appeared in the leakage queries with at most $l$ bits of leakage. If $id^* = a$, $\mathcal{S}$ uses $a$ to solve truncated decision $q$-ABDHE immediately. Otherwise, $\mathcal{S}$ computes $SK_{id^*} = (sk_{id^*,1}, sk_{id^*,2})$ as in the simulation of private key queries for $id^*$, and does the following operations:

(1) Let $F'_{id^*}(z) = \frac{f'(z) - f'(id^*)}{z - id^*}$ be a polynomial of degree $q+1$, where $f'(z) = z^{q+2}$. Furthermore, let $F'_{id^*,i}$ be the coefficient of $z^i$ in $F'_{id^*}(z)$.

(2) Choose $b \leftarrow_R \{0,1\}$, and compute
$$c_1^* = (g')^{f'(a) - f'(id^*)}, \qquad c_2^* = T_v \cdot e\Big(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\Big), \qquad c_3^* = \mathrm{Ext}\big(e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}},\, S^*\big) \oplus M_b,$$
where $S^* \leftarrow_R \{0,1\}^{l_t}$. That is, $\mathcal{S}$ computes the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ from $(g, g_1, g_2, \ldots, g_q)$, without knowledge of $a$.

(3) Send $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ to the adversary $\mathcal{A}$ as the challenge ciphertext.

We have to stress that, in the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$, the elements $c_1^*$ and $c_2^*$ can be written as follows:
$$c_1^* = (g')^{f'(a) - f'(id^*)} = g^{(\log_g g')\, F'_{id^*}(a)\,(a - id^*)} = \big(g_1 g^{-id^*}\big)^{(\log_g g')\, F'_{id^*}(a)},$$
$$\begin{aligned} c_2^* &= T_v \cdot e\Big(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\Big) = e\Big(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\Big) \cdot e\big(g^{a^{q+1}}, g'\big) \\ &= e\Big(g^{\log_g g'}, g^{\sum_{i=0}^{q} F'_{id^*,i}\, a^i + a^{q+1}}\Big) = e\Big(g^{\log_g g'}, g^{\sum_{i=0}^{q+1} F'_{id^*,i}\, a^i}\Big) = e\big(g^{\log_g g'}, g\big)^{F'_{id^*}(a)}. \end{aligned}$$
For ease of exposition we let $r = (\log_g g')\, F'_{id^*}(a)$. Notice that $a$ and $g'$ are chosen by the challenger $\mathcal{C}$ from $\mathbb{Z}_p^*$ and $\mathbb{G}$,
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS


THE COMPUTER JOURNAL, 2019
8 Y. ZHOU et al.

respectively, i.e. $a \leftarrow_R \mathbb{Z}_p^*$ and $g' \leftarrow_R \mathbb{G}$. Thus, for any adversary, $a$ and $\log_g g'$ are uniformly random, where $g$ is a generator of the group $\mathbb{G}$. In other words, the random values $a$ and $g'$ were sent to the simulator $\mathcal{S}$ by the challenger $\mathcal{C}$ through the public parameters of the $q$-ABDHE problem. However, no adversary can learn $a$ or $g'$. Hence, in the view of any adversary, $(\log_g g')\, F'_{id^*}(a)$ is uniformly random.

Now, we consider the following two cases:

(1) If $T_v = e(g_{q+1}, g')$, then $c_1^* = g_1^r g^{-r \cdot id^*}$, $c_2^* = e(g,g)^r$ and $c_3^* = \mathrm{Ext}(e(g,h)^r, S^*) \oplus M_b$, since
$$c_1^* = \big(g_1 g^{-id^*}\big)^{(\log_g g')\, F'_{id^*}(a)} = \big(g_1 g^{-id^*}\big)^r = g_1^r g^{-r \cdot id^*}; \qquad c_2^* = e(g,g)^{(\log_g g')\, F'_{id^*}(a)} = e(g,g)^r.$$
Based on the correctness of our construction $\Pi$, we have
$$\begin{aligned} e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} &= e\Big(g_1^r g^{-r \cdot id^*}, \big(h\, g^{-f(id^*)}\big)^{\frac{1}{a - id^*}}\Big) \cdot e(g,g)^{r f(id^*)} \\ &= e(g^r, h) \cdot e\big(g^r, g^{-f(id^*)}\big) \cdot e(g,g)^{r f(id^*)} = e(g,h)^r. \end{aligned}$$
Thus, the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ is a valid encryption ciphertext for $id^*$ and $M_b$ under randomness $r = (\log_g g')\, F'_{id^*}(a)$. Since $a$ and $\log_g g'$ are uniformly random, $r$ is uniformly random, and so $C_b^*$ is a valid, appropriately distributed challenge ciphertext.

(2) If $T_v \leftarrow_R \mathbb{G}_T$, then $(c_1^*, c_2^*)$ is a uniformly random and independent element of $\mathbb{G} \times \mathbb{G}_T$. In this case, the inequality $c_2^* \ne e(c_1^*, g)^{\frac{1}{a - id^*}}$ holds with probability $1 - \frac{1}{p}$. When this inequality holds, the value of
$$e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} = e\Big(c_1^*, \big(h\, g^{-f(id^*)}\big)^{\frac{1}{a - id^*}}\Big) \cdot (c_2^*)^{f(id^*)}$$
is uniformly random and independent from $\mathcal{A}$'s view, since $f(id^*)$ is uniformly random and independent from $\mathcal{A}$'s view. Thus, $c_3^*$ is uniformly random and independent, and $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ can impart no information regarding the bit $b$.

Test stage 2. In this stage, the simulator $\mathcal{S}$ calculates the complete private key of any identity (except the challenge identity $id^*$) as it did in Test stage 1. Furthermore, the leakage queries for any identity are omitted.

Output. Eventually, $\mathcal{A}$ outputs a guess $b'$ of the random value $b$ picked by $\mathcal{S}$.

It is easy to see that the simulation is perfect, and $C_b^*$ is a valid encryption ciphertext of the message $M_b$ if $T_v = e(g_{q+1}, g')$. On the other hand, if $T_v \leftarrow_R \mathbb{G}_T$, then $C_b^*$ is a uniformly random message in $\mathcal{A}$'s view, and gives no information about the random value $b$ picked by $\mathcal{S}$, except with probability $\frac{1}{p}$.

Assuming that no queried identity equals $a$, we obtain that
$$\Big|\Pr[\mathcal{S}(\mathcal{T}_0) = 1] - \frac{1}{2}\Big| \le \frac{1}{p},$$
where $T_0 \leftarrow_R \mathbb{G}_T$. However, we have that
$$\Big|\Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \frac{1}{2}\Big| \ge \mathrm{Adv}^{LR\text{-}CPA}_{\mathcal{A},\Pi}(\kappa),$$
where $T_1 = e(g_{q+1}, g')$.

Then, we can obtain that if there exists an adversary $\mathcal{A}$ who can break the leakage-resilient CPA security of our construction $\Pi$ with a non-negligible advantage $\mathrm{Adv}^{LR\text{-}CPA}_{\mathcal{A},\Pi}(\kappa)$, then we can build a simulator $\mathcal{S}$ who can break the security of the $q$-ABDHE assumption with an obvious advantage
$$\mathrm{Adv}^{q\text{-}ABDHE}_{\mathcal{S}}(\kappa) = \Big|\Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \Pr[\mathcal{S}(\mathcal{T}_0) = 1]\Big| \ge \mathrm{Adv}^{LR\text{-}CPA}_{\mathcal{A},\Pi}(\kappa) - \frac{1}{p}.$$
That is, we prove that the advantage of $\mathcal{S}$ in breaking the decisional version of the truncated $q$-ABDHE assumption is negligibly close to the advantage of $\mathcal{A}$ in the leakage-resilient CPA security game.

In the continuous leakage setting, the adversary cannot obtain any information on $SK_{id^*}$ from the public parameter $Params$, the challenge plaintexts $M_0, M_1$, and the challenge identity $id^*$. Besides the knowledge above, the adversary also obtains at most $l$ bits of leakage $\mathrm{Leak}$ on the private key $SK_{id^*}$. By Lemma 2.1, we can obtain
$$\tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2} \mid C_b^*, \mathrm{Leak}) = \tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2} \mid \mathrm{Leak}) \ge 2\log p - l,$$
where $sk_{id^*,1} \leftarrow_R \mathbb{G}$ and $sk_{id^*,2} \leftarrow_R \mathbb{Z}_p^*$.

In practice, given the public parameters $Params$, challenge identity $id^*$, challenge plaintexts $M_0, M_1$, challenge ciphertext $C_b^*$, and $l$ bits of leakage on the private key $SK_{id^*}$, the average min-entropy of the variable $e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}$ is at least $2\log p - l$. In addition, $\mathrm{Ext} : \mathbb{G} \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ is an average case $(\log p - l, \epsilon)$ strong randomness extractor. Therefore, the average min-entropy of $e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}$ satisfies the requirement of the randomness extractor $\mathrm{Ext} : \mathbb{G} \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$.

By the generalized leftover hash lemma (Lemma 2.3), we have $l_m \le 2\log p - l - 2\log\frac{1}{\epsilon}$. Taking into account that $\epsilon$ is negligible in the security parameter $\kappa$, i.e. $2\log\frac{1}{\epsilon} = \omega(\log\kappa)$, we thus have $l \le 2\log p - l_m - \omega(\log\kappa)$.

To sum up, based on the randomness of the key update algorithm, we have that, for any leakage parameter $l \le 2\log p - l_m - \omega(\log\kappa)$, our construction $\Pi$ is a continuous leakage-resilient CPA secure IBE scheme. □

5. CONTINUOUS LEAKAGE-RESILIENT IBE SCHEME WITH CCA SECURITY

In our construction $\Pi$, we only achieve continuous leakage-resilient CPA security. In this section, to improve the security level of the continuous leakage-resilient IBE scheme, we will develop a continuous leakage-resilient CCA secure IBE scheme $\Pi' = (\mathrm{Setup}', \mathrm{KeyGen}', \mathrm{Update}', \mathrm{Enc}', \mathrm{Dec}')$ in the standard model. Similarly, in our new scheme, the adversary is only allowed to make leakage queries on the private key of an identity, but not on the master secret key or the update key.

5.1. Concrete construction

Setup. The setup algorithm $(Params, S_{msk}) \leftarrow \mathrm{Setup}'(1^\kappa)$ is described as follows:

(1) Run the algorithm $\mathcal{G}(1^\kappa)$ to obtain the bilinear group description $(p, \mathbb{G}, \mathbb{G}_T, e(\cdot,\cdot), g)$.

(2) Choose $a \leftarrow_R \mathbb{Z}_p^*$ and $h_1, h_2 \leftarrow_R \mathbb{G}$, and then compute $g_1 = g^a$.

(3) Let the master secret key be $S_{msk} = a$, and set the public parameters $Params = \langle (p, \mathbb{G}, \mathbb{G}_T, e, g), h_1, h_2, g_1, H \rangle$ as the common input of the following algorithms, where $H : \mathbb{G} \times \mathbb{G}_T \times \mathbb{G}_T \times \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ is a one-way cryptographic hash function. In addition, let the identity space be $\mathcal{ID} = \mathbb{Z}_p^*$ and the message space be $\mathcal{M} = \mathbb{G}_T$.

Key generation. The key generation algorithm $(SK_{id}, tk_{id}) \leftarrow \mathrm{KeyGen}'(id, S_{msk})$ is described as follows:

– Choose $t_1, t_2 \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1} = (h_1 g^{-t_1})^{\frac{1}{a - id}}$, $sk_{id,2} = t_1$, $sk_{id,3} = (h_2 g^{-t_2})^{\frac{1}{a - id}}$ and $sk_{id,4} = t_2$.
– Output the private key $SK_{id} = (sk_{id,1}, sk_{id,2}, sk_{id,3}, sk_{id,4})$ associated with the identity $id$. In addition, return an update key $tk_{id} = g^{\frac{1}{a - id}}$, which is used in the key update algorithm.

We stress that, if $a = id$, then the key generation algorithm aborts.

Key update. The key update algorithm $SK_{id}^{j} \leftarrow \mathrm{Update}'(SK_{id}^{j-1}, tk_{id})$ is described as follows:

(1) Choose $a_j, b_j \leftarrow_R \mathbb{Z}_p^*$, and compute
$$sk^{j}_{id,1} = sk^{j-1}_{id,1} \cdot tk_{id}^{-a_j}, \quad sk^{j}_{id,2} = sk^{j-1}_{id,2} + a_j, \quad sk^{j}_{id,3} = sk^{j-1}_{id,3} \cdot tk_{id}^{-b_j}, \quad sk^{j}_{id,4} = sk^{j-1}_{id,4} + b_j.$$
Then, for any update index $j \in \mathbb{Z}_p^*$, we have
$$sk^{j}_{id,1} = \Big(h_1 g^{-(t_1 + \sum_{i=1}^{j} a_i)}\Big)^{\frac{1}{a - id}}, \quad sk^{j}_{id,2} = t_1 + \sum_{i=1}^{j} a_i, \quad sk^{j}_{id,3} = \Big(h_2 g^{-(t_2 + \sum_{i=1}^{j} b_i)}\Big)^{\frac{1}{a - id}}, \quad sk^{j}_{id,4} = t_2 + \sum_{i=1}^{j} b_i.$$

(2) Output the new private key $SK_{id}^{j} = (sk^{j}_{id,1}, sk^{j}_{id,2}, sk^{j}_{id,3}, sk^{j}_{id,4})$ associated with the identity $id$. Also, for any adversary, we have $SD(SK_{id}^{j}, SK_{id}^{j-1}) \le \mathrm{negl}(\kappa)$, since $a_j$ and $b_j$ are uniformly random and independent from the adversary's view.

Encryption. The encryption algorithm $C \leftarrow \mathrm{Enc}'(id, M)$ is described as follows:

(1) Choose $r \leftarrow_R \mathbb{Z}_p^*$, and compute $c_1 = g_1^r g^{-r \cdot id}$, $c_2 = e(g,g)^r$.

(2) Choose $s \leftarrow_R \mathbb{Z}_p^*$, and compute $c_3 = e(g,h_1)^{rs} \cdot e(g,h_2)^r \cdot M$.

(3) Compute $c_4 = e(g,h_1)^r \cdot e(g,h_2)^{r\beta}$, where $\beta = H(c_1, c_2, c_3, s)$.

(4) Set $C = (c_1, c_2, c_3, c_4, s)$ as the ciphertext of $M$, and output the ciphertext $C$.

Notice that, in this construction, the randomness extraction is implemented by a special universal hash function $H_s(x, y) = x y^s$ as an average-case strong extractor, where $s \in \mathbb{Z}_p^*$, $x = e(g,h_2)^r$ and $y = e(g,h_1)^r$. Similarly, the element $c_4$ in $C = (c_1, c_2, c_3, c_4, s)$ is created by a universal hash function $H_\beta(y, x) = y x^\beta$, where $\beta \in \mathbb{Z}_p^*$.
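The scheme $\Pi'$ above (Setup', KeyGen', Update', Enc'), together with Dec' as given in the decryption algorithm that follows, carried through as an added example; this is my code, not the paper's. Assumptions: the bilinear group is replaced by a toy map over $\mathbb{Z}_p$ in which both groups are additive, so every equation of the construction can be checked with integers (it provides no security); SHA-256 stands in for the unspecified hash $H$; the prime `P` and all class, function and variable names are mine.

```python
import hashlib
import random

P = 2305843009213693951  # constructed toy parameter: the Mersenne prime 2^61 - 1 as group order p


class ToyPairing:
    """Insecure stand-in for (p, G, G_T, e, g), used only to check the scheme's algebra.
    Both groups are (Z_p, +): g^x is stored as x, the group operation is addition,
    A^k is k*A, and e(g^x, g^y) = e(g,g)^{xy} is x*y mod p (discrete logs are trivial)."""
    def __init__(self, p=P, rng=None):
        self.p = p
        self.rng = rng if rng is not None else random.SystemRandom()
        self.g = 1  # generator g = g^1
    def rand_zp_star(self): return self.rng.randrange(1, self.p)  # uniform in Z_p^*
    def g_pow(self, x): return x % self.p                        # g^x
    def mul(self, A, B): return (A + B) % self.p                 # A * B in G or G_T
    def pow(self, A, k): return (A * k) % self.p                 # A^k, k may be negative
    def inv(self, A): return (-A) % self.p                       # A^{-1}
    def e(self, A, B): return (A * B) % self.p                   # pairing G x G -> G_T


def hash_beta(p, c1, c2, c3, s):
    """H: G x G_T x G_T x Z_p^* -> Z_p^*.  The paper asks only for a one-way hash and
    fixes no concrete function; SHA-256 over the encoded tuple is my assumption."""
    data = b"|".join(str(v).encode() for v in (c1, c2, c3, s))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (p - 1) + 1


class CLRIBE:
    """Scheme Pi' of Section 5.1: Setup', KeyGen', Update', Enc', Dec'."""
    def __init__(self, grp):
        self.G = grp

    def setup(self):
        G = self.G
        self.a = G.rand_zp_star()                              # master secret key S_msk = a
        self.h1, self.h2 = G.rand_zp_star(), G.rand_zp_star()  # h1, h2 <- G
        self.g1 = G.g_pow(self.a)                              # g1 = g^a

    def keygen(self, ident):
        """Returns (SK_id, tk_id) with SK_id = (sk1, t1, sk3, t2) and tk_id = g^{1/(a-id)}."""
        G, a = self.G, self.a
        if ident % G.p == a:
            raise ValueError("a = id: key generation aborts")
        inv_a_id = pow((a - ident) % G.p, -1, G.p)  # 1/(a - id) mod p
        t1, t2 = G.rand_zp_star(), G.rand_zp_star()
        sk1 = G.pow(G.mul(self.h1, G.inv(G.g_pow(t1))), inv_a_id)  # (h1 g^{-t1})^{1/(a-id)}
        sk3 = G.pow(G.mul(self.h2, G.inv(G.g_pow(t2))), inv_a_id)  # (h2 g^{-t2})^{1/(a-id)}
        return (sk1, t1, sk3, t2), G.pow(G.g, inv_a_id)

    def update(self, sk, tk):
        """Update' with fresh a_j, b_j: (sk1 tk^{-a_j}, sk2 + a_j, sk3 tk^{-b_j}, sk4 + b_j)."""
        G = self.G
        aj, bj = G.rand_zp_star(), G.rand_zp_star()
        sk1, sk2, sk3, sk4 = sk
        return (G.mul(sk1, G.pow(tk, -aj)), (sk2 + aj) % G.p,
                G.mul(sk3, G.pow(tk, -bj)), (sk4 + bj) % G.p)

    def encrypt(self, ident, msg):
        G = self.G
        r, s = G.rand_zp_star(), G.rand_zp_star()
        c1 = G.mul(G.pow(self.g1, r), G.pow(G.g, -r * ident))    # g1^r g^{-r id}
        c2 = G.pow(G.e(G.g, G.g), r)                             # e(g, g)^r
        egh1_r = G.pow(G.e(G.g, self.h1), r)                     # e(g, h1)^r
        egh2_r = G.pow(G.e(G.g, self.h2), r)                     # e(g, h2)^r
        c3 = G.mul(G.mul(G.pow(egh1_r, s), egh2_r), msg % G.p)  # e(g,h1)^{rs} e(g,h2)^r M
        beta = hash_beta(G.p, c1, c2, c3, s)
        c4 = G.mul(egh1_r, G.pow(egh2_r, beta))                  # e(g,h1)^r e(g,h2)^{r beta}
        return (c1, c2, c3, c4, s)

    def decrypt(self, sk, ct):
        G = self.G
        sk1, sk2, sk3, sk4 = sk
        c1, c2, c3, c4, s = ct
        w1 = G.mul(G.e(c1, sk1), G.pow(c2, sk2))  # = e(g, h1)^r by the correctness equations
        w2 = G.mul(G.e(c1, sk3), G.pow(c2, sk4))  # = e(g, h2)^r
        beta = hash_beta(G.p, c1, c2, c3, s)
        if c4 != G.mul(w1, G.pow(w2, beta)):      # CCA check: c4 = w1 w2^beta
            return None                           # stands for the rejection symbol
        return G.mul(G.inv(G.mul(G.pow(w1, s), w2)), c3)  # M = (w1^s w2)^{-1} c3


def run_demo(seed=7, ident=12345, msg=987654321, updates=3):
    """Encrypt once; decrypt with the original key and after several updates; check the
    closed form of sk1^j given in Section 5.1; confirm that a modified c3 is rejected.
    Returns (all_decryptions_correct, tampered_rejected, sk1_matches_closed_form)."""
    ibe = CLRIBE(ToyPairing(rng=random.Random(seed)))
    ibe.setup()
    sk, tk = ibe.keygen(ident)
    ct = ibe.encrypt(ident, msg)
    ok = ibe.decrypt(sk, ct) == msg
    for _ in range(updates):
        sk = ibe.update(sk, tk)
        ok = ok and ibe.decrypt(sk, ct) == msg
    G = ibe.G
    # Closed form: sk1^j = (h1 g^{-(t1 + sum a_i)})^{1/(a-id)}, where sk2^j = t1 + sum a_i.
    inv_a_id = pow((ibe.a - ident) % G.p, -1, G.p)
    closed_form = G.pow(G.mul(ibe.h1, G.inv(G.g_pow(sk[1]))), inv_a_id)
    tampered = ct[:2] + ((ct[2] + 1) % G.p,) + ct[3:]  # shift c3 by a non-identity G_T element
    return ok, ibe.decrypt(sk, tampered) is None, sk[0] == closed_form  # (True, True, True)
```

The check on `c4` is what turns the CPA scheme of Section 4 into the CCA scheme: a ciphertext whose `c3` has been altered fails the universal-hash consistency test and is rejected before any plaintext is released.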

Decryption. The decryption algorithm $M \leftarrow \mathrm{Dec}'(SK_{id}, C)$ is described as follows:

(1) Compute $w_1 = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}}$ and $w_2 = e(c_1, sk_{id,3}) \cdot c_2^{sk_{id,4}}$.

(2) If $c_4 = w_1 w_2^{\beta}$, where $\beta = H(c_1, c_2, c_3, s)$, then output $M = (w_1^{s} w_2)^{-1} c_3$ as the plaintext of $C$; otherwise, return the symbol $\perp$.

Correctness. From the following equations, it is easy to see that the decryption algorithm is consistent with the encryption algorithm.
$$w_1 = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}} = e\Big(g_1^r g^{-r \cdot id}, (h_1 g^{-t_1})^{\frac{1}{a - id}}\Big) \cdot e(g,g)^{r t_1} = e(g^r, h_1) \cdot e(g^r, g^{-t_1}) \cdot e(g,g)^{r t_1} = e(g,h_1)^r.$$
$$w_2 = e(c_1, sk_{id,3}) \cdot c_2^{sk_{id,4}} = e\Big(g_1^r g^{-r \cdot id}, (h_2 g^{-t_2})^{\frac{1}{a - id}}\Big) \cdot e(g,g)^{r t_2} = e(g^r, h_2) \cdot e(g^r, g^{-t_2}) \cdot e(g,g)^{r t_2} = e(g,h_2)^r.$$
In addition, for the updated private key $SK_{id}^{j} = (sk^{j}_{id,1}, sk^{j}_{id,2}, sk^{j}_{id,3}, sk^{j}_{id,4})$, we have
$$w_1 = e(c_1, sk^{j}_{id,1}) \cdot c_2^{sk^{j}_{id,2}} = e\Big(g_1^r g^{-r \cdot id}, \big(h_1 g^{-(t_1 + \sum_{i=1}^{j} a_i)}\big)^{\frac{1}{a - id}}\Big) \cdot e(g,g)^{r (t_1 + \sum_{i=1}^{j} a_i)} = e(g,h_1)^r.$$
$$w_2 = e(c_1, sk^{j}_{id,3}) \cdot c_2^{sk^{j}_{id,4}} = e\Big(g_1^r g^{-r \cdot id}, \big(h_2 g^{-(t_2 + \sum_{i=1}^{j} b_i)}\big)^{\frac{1}{a - id}}\Big) \cdot e(g,g)^{r (t_2 + \sum_{i=1}^{j} b_i)} = e(g,h_2)^r.$$

5.2. Proof of security

Similarly, in this section we only prove the bounded leakage-resilient CCA security of our proposal $\Pi'$; the continuous leakage-resilient CCA security is naturally achieved by performing the key update operation.

THEOREM 5.1. Under the $q$-ABDHE assumption (where $q = q_k + 1$, and any adversary submits at most $q_k$ private key generation queries), for any leakage parameter $l \le 3\log p - \omega(\log\kappa)$, our construction $\Pi'$ is a continuous leakage-resilient IBE scheme with CCA security.

Proof. The simulator $\mathcal{S}$ takes as input a random truncated decision $q$-ABDHE challenge
$$\mathcal{T}_v = (g', g'_{q+2}, g, g_1, g_2, \ldots, g_q, T_v),$$
where $g_i = g^{(a^i)}$ and $g'_i = g'^{(a^i)}$ for an unknown $a \in \mathbb{Z}_p^*$, and $T_v$ is either $e(g_{q+1}, g')$ or a random element of $\mathbb{G}_T$. That is, in the beginning, $\mathcal{S}$ receives a challenge tuple from the challenger $\mathcal{C}$ of the $q$-ABDHE problem.

$\mathcal{S}$ simulates the leakage-resilient CCA security game for the adversary $\mathcal{A}$ as follows:

Setup. To set up the system environment of our IBE scheme $\Pi'$, $\mathcal{S}$ does the following operations:

(1) Generates two random polynomials $f_1(z), f_2(z) \in \mathbb{Z}_p[z]$ of degree $q$, and sets $h_1 = g^{f_1(a)}$ and $h_2 = g^{f_2(a)}$.

(2) Sends the public parameter $Params = (g, g_1 = g^a, h_1 = g^{f_1(a)}, h_2 = g^{f_2(a)}, H)$ to $\mathcal{A}$, where $H : \mathbb{G} \times \mathbb{G}_T \times \mathbb{G}_T \times \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ is a one-way cryptographic hash function.

Let $\mathcal{ID} = \mathbb{Z}_p^*$ be the identity space and $\mathcal{M} = \mathbb{G}_T$ be the message space. The master secret key is implicitly set as $S_{msk} = a$.

Notice that, since $a$ is chosen uniformly at random, $h_1$, $h_2$ and $g_1$ are uniformly random, and this system public parameter has a distribution identical to that in the actual construction.

Test stage 1. In this stage, the following three kinds of queries are adaptively submitted by $\mathcal{A}$, and each query may depend on the previous queries as well as the corresponding responses.

(1) Key generation queries. For the key generation query of any identity $id \in \mathcal{ID}$, if $id = a$, $\mathcal{S}$ uses $a$ to solve truncated decision $q$-ABDHE immediately; otherwise, let $F^{1}_{id}(z), F^{2}_{id}(z)$ denote the two $(q-1)$-degree polynomials $\frac{f_1(z) - f_1(id)}{z - id}$ and $\frac{f_2(z) - f_2(id)}{z - id}$. $\mathcal{S}$ outputs the corresponding private key $SK_{id} = (g^{F^{1}_{id}(a)}, f_1(id), g^{F^{2}_{id}(a)}, f_2(id))$. This is a valid private key for the identity $id$, since
$$g^{F^{1}_{id}(a)} = g^{\frac{f_1(a) - f_1(id)}{a - id}} = \big(g^{f_1(a)} g^{-f_1(id)}\big)^{\frac{1}{a - id}} = \big(h_1 g^{-f_1(id)}\big)^{\frac{1}{a - id}},$$
$$g^{F^{2}_{id}(a)} = g^{\frac{f_2(a) - f_2(id)}{a - id}} = \big(g^{f_2(a)} g^{-f_2(id)}\big)^{\frac{1}{a - id}} = \big(h_2 g^{-f_2(id)}\big)^{\frac{1}{a - id}}.$$

(2) Leakage queries. For the leakage query of any identity $id \in \mathcal{ID}$, $\mathcal{S}$ operates the leakage oracle $\mathcal{O}^{l,\kappa}_{SK_{id}}(\cdot)$ and returns the corresponding answers $f_i(SK_{id})$ by using the private key $SK_{id}$, where $f_i : \{0,1\}^* \to \{0,1\}^{l_i}$ is an efficiently computable leakage function submitted by the adversary $\mathcal{A}$. In the process of leakage queries, the total length of all the $f_i(SK_{id})$ returned from the leakage oracle $\mathcal{O}^{l,\kappa}_{SK_{id}}(\cdot)$ on the same private key $SK_{id}$ must be less than the leakage parameter $l$. Otherwise, an invalid answer $\perp$ will be output. Notice that, in the leakage query, the corresponding private key $SK_{id}$ of an identity $id$ is created with the same method as in the key generation query.

(3) Decryption queries. When the adversary $\mathcal{A}$ makes a decryption query for the ciphertext $C$ and an identity $id$, $\mathcal{S}$ returns the corresponding answer $\mathrm{Dec}'(C, SK_{id})$ to $\mathcal{A}$, where the private key $SK_{id}$ can be created with the same method as in the key generation queries. That is, for a decryption query on the tuple $(C, id)$, the simulator $\mathcal{S}$ can output the corresponding result $M/\perp$ by running the decryption algorithm $\mathrm{Dec}'(\cdot)$, i.e. $M/\perp = \mathrm{Dec}'(C, SK_{id})$.

Challenge stage. In this stage, $\mathcal{A}$ will submit a challenge identity $id^* \in \mathcal{ID}$ and two equal-length challenge messages $M_0, M_1 \in \mathcal{M}$ to $\mathcal{S}$, where $id^*$ never appeared in a key generation query and appeared in the leakage queries with at most $l$ bits of leakage. If $id^* = a$, $\mathcal{S}$ uses $a$ to solve truncated decision $q$-ABDHE immediately. Otherwise, $\mathcal{S}$ computes $SK_{id^*} = (sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4})$ as in the simulation of private key queries for $id^*$, and does the following operations:

(1) Let $F'_{id^*}(z) = \frac{f'(z) - f'(id^*)}{z - id^*}$ be a polynomial of degree $q+1$, where $f'(z) = z^{q+2}$. Furthermore, let $F'_{id^*,i}$ be the coefficient of $z^i$ in $F'_{id^*}(z)$.

(2) Choose $b \leftarrow_R \{0,1\}$, and compute
$$c_1^* = (g')^{f'(a) - f'(id^*)}, \qquad c_2^* = T_v \cdot e\Big(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\Big),$$
$$c_3^* = \big(e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}\big)^{s^*} \cdot e(c_1^*, sk_{id^*,3}) \cdot (c_2^*)^{sk_{id^*,4}} \cdot M_b,$$
$$c_4^* = e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} \cdot \big(e(c_1^*, sk_{id^*,3}) \cdot (c_2^*)^{sk_{id^*,4}}\big)^{\beta^*},$$
where $s^* \leftarrow_R \mathbb{Z}_p^*$ and $\beta^* = H(c_1^*, c_2^*, c_3^*, s^*)$. That is, $\mathcal{S}$ computes the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ from $(g, g_1, g_2, \ldots, g_q)$, without knowledge of $a$.

(3) Send $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ to the adversary $\mathcal{A}$ as the challenge ciphertext.

Now, let $r = (\log_g g')\, F'_{id^*}(a)$, and consider the following two cases:

(1) If $T_v = e(g_{q+1}, g')$, then $c_1^* = g_1^r g^{-r \cdot id^*}$, $c_2^* = e(g,g)^r$, $c_3^* = e(g,h_1)^{r s^*} e(g,h_2)^r M_b$ and $c_4^* = e(g,h_1)^r e(g,h_2)^{r \beta^*}$, since
$$c_1^* = (g')^{f'(a) - f'(id^*)} = g_1^r g^{-r \cdot id^*}; \qquad c_2^* = T_v \cdot e\Big(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\Big) = e(g,g)^{(\log_g g')\, F'_{id^*}(a)} = e(g,g)^r.$$
In addition, based on the correctness of our construction $\Pi'$, the following equations are valid:
$$e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} = e(g,h_1)^r; \qquad e(c_1^*, sk_{id^*,3}) \cdot (c_2^*)^{sk_{id^*,4}} = e(g,h_2)^r.$$
Thus, the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ is a valid encryption ciphertext for $id^*$ and $M_b$ under randomness $r = (\log_g g')\, F'_{id^*}(a)$. Similarly, $r$ is uniformly random and independent from the adversary's view.

(2) If $T_v \leftarrow_R \mathbb{G}_T$, then $(c_1^*, c_2^*)$ is a uniformly random and independent element of $\mathbb{G} \times \mathbb{G}_T$. Based on Theorem 4.1, we obtain that $c_3^*$ and $c_4^*$ are uniformly random and independent; thus, $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ can impart no information regarding the bit $b$.

Test stage 2. In this stage, $\mathcal{A}$ may continue to make decryption oracle queries, and these are answered as before. Notice that, in this stage, $\mathcal{A}$ may not query the decryption oracle on the challenge ciphertext itself, and cannot make a key generation query for the challenge identity. In addition, the leakage queries for any identity are omitted.

We stress that, for a decryption query on the challenge identity $id^*$ and any ciphertext $C' \ne C_b^*$, $\mathcal{S}$ can return the corresponding result $M'/\perp$ by performing the decryption algorithm $\mathrm{Dec}'$ with the private key $SK_{id^*}$, i.e. $M'/\perp = \mathrm{Dec}'(SK_{id^*}, C')$, where $SK_{id^*}$ can be generated through the same method as in the key generation query.

Output. Eventually, $\mathcal{A}$ outputs a guess $b'$ of the random value $b$ picked by $\mathcal{S}$.

It is easy to see that the simulation is perfect, and $C_b^*$ is a valid encryption ciphertext of the message $M_b$ if $T_v = e(g_{q+1}, g')$. On the other hand, if $T_v \leftarrow_R \mathbb{G}_T$, then $C_b^*$ is a uniformly random message in $\mathcal{A}$'s view, and gives no information about the random value $b$ picked by $\mathcal{S}$.

According to Theorem 4.1, we can obtain that if there exists an adversary $\mathcal{A}$ who can break the leakage-resilient CCA security of our construction $\Pi'$ with a non-negligible advantage $\mathrm{Adv}^{LR\text{-}CCA}_{\mathcal{A},\Pi'}(\kappa)$, then we can build a simulator $\mathcal{S}$ who can break the security of the $q$-ABDHE assumption with an obvious advantage
$$\mathrm{Adv}^{q\text{-}ABDHE}_{\mathcal{S}}(\kappa) = \Big|\Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \Pr[\mathcal{S}(\mathcal{T}_0) = 1]\Big| \ge \mathrm{Adv}^{LR\text{-}CCA}_{\mathcal{A},\Pi'}(\kappa) - \frac{1}{p}.$$

By Theorem 4.1, we can obtain
$$\tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4} \mid C_b^*, \mathrm{Leak}) = \tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4} \mid \mathrm{Leak}) \ge 4\log p - l,$$
where, for the adversary $\mathcal{A}$, $sk_{id^*,1} \leftarrow_R \mathbb{G}$, $sk_{id^*,2} \leftarrow_R \mathbb{Z}_p^*$, $sk_{id^*,3} \leftarrow_R \mathbb{G}$ and $sk_{id^*,4} \leftarrow_R \mathbb{Z}_p^*$.

Because the randomness extraction is performed by a special universal hash function, by the generalized leftover hash lemma (Lemma 2.3) we have $\log p \le 4\log p - l - 2\log\frac{1}{\epsilon}$, where $\epsilon$ is negligible in the security parameter $\kappa$, i.e. $2\log\frac{1}{\epsilon} = \omega(\log\kappa)$; thus, we have $l \le 3\log p - \omega(\log\kappa)$.

As discussed above, based on the randomness of the key update algorithm, we have that, for any leakage parameter $l \le 3\log p - \omega(\log\kappa)$, our construction $\Pi'$ is a continuous leakage-resilient CCA secure IBE scheme. □

5.3. Comparisons

In this part, we give two comparisons of our construction with the previous works [4, 5] in basic performance and computation efficiency. The basic performance is determined by the private key length (SKLen), ciphertext length (Len), leakage model (Model), security and the upper bound of the bit-size of allowed leakage ($l$), which are listed in Table 1. The computation efficiency is determined by the computational costs of the algorithms KeyGen, Enc and Dec, which are listed in Table 2. For presentation simplicity, we will call the (continuous) leakage-resilient IBE schemes proposed in [4, 5, 19] 'LR-IBE-Li', 'LR-IBE-Sun' and 'CLR-IBE-Zhou', respectively.

Performance analysis. Table 1 shows that, among the previous constructions [4, 5, 19], LR-IBE-Li and LR-IBE-Sun only achieve bounded leakage resilience, and the continuous leakage-resilient security of CLR-IBE-Zhou is proved in the selective identity security model. However, our constructions can not only resist continuous leakage attacks but also achieve adaptive security. Also, in our new proposal $\Pi'$, the upper bound of permitted leakage reaches $3\log p - \omega(\log\kappa)$. We stress that the computational assumption of our schemes looks worse than that of CLR-IBE-Zhou; however, our proposal achieves continuous leakage resilience in the standard model, while CLR-IBE-Zhou obtains it in the selective identity model.

Efficiency analysis. Table 2 summarizes the computational costs of the above-mentioned schemes. When evaluating the computation efficiency, the hash function and XOR operations are ignored. From Table 2, we obtain that our proposal $\Pi$ has computational efficiency comparable to the other schemes [4, 5, 19], while our construction offers better performance than these schemes [4, 5, 19] in other respects, e.g. shorter public parameters, tight security, etc.
TABLE 1. Comparison of basic parameters with previous works.

LR-IBE-Li: SKLen $2|\mathbb{G}| + 2|p|$; Len $|\mathbb{G}| + 2|\mathbb{G}_T| + l_m + l_t$; Assumption $q$-ABDHE; Model BLM; $l = \log p - l_m - \omega(\log\kappa)$; Security CCA.
LR-IBE-Sun: SKLen $3|\mathbb{G}| + 3|p|$; Len $2|\mathbb{G}| + 2|\mathbb{G}_T| + |p|$; Assumption $q$-ABDHE; Model BLM; $l = \log p - \omega(\log\kappa)$; Security CCA.
CLR-IBE-Zhou: SKLen $2|\mathbb{G}| + 2|p|$; Len $2|\mathbb{G}| + 2|\mathbb{G}_T| + |p|$; Assumption DBDH; Model CLM; $l = 2\log p - \omega(\log\kappa)$; Security CCA.
Our Scheme $\Pi$: SKLen $|\mathbb{G}| + |p|$; Len $|\mathbb{G}| + |\mathbb{G}_T| + l_m + l_t$; Assumption $q$-ABDHE; Model CLM; $l = 2\log p - l_m - \omega(\log\kappa)$; Security CPA.
Our Scheme $\Pi'$: SKLen $2|\mathbb{G}| + 2|p|$; Len $|\mathbb{G}| + 3|\mathbb{G}_T| + |p|$; Assumption $q$-ABDHE; Model CLM; $l = 3\log p - \omega(\log\kappa)$; Security CCA.

Let $l_t$ be the length of the randomness seed, $l_m$ the length of the message and $|p|$ the length of an element in $\mathbb{Z}_p^*$. Let $|\mathbb{G}|$, $|\mathbb{G}_T|$ be the length of an element in the groups $\mathbb{G}$ and $\mathbb{G}_T$, respectively. Let BLM be the bounded leakage model, and CLM the continuous leakage model.

TABLE 2. Comparison of computation efficiency with previous works.

LR-IBE-Li: KeyGen $4E_s$; Enc $E_s + 2E_d + E_e + E_{Ext}$; Dec $2E_d + 2E_e + E_{Ext}$.
LR-IBE-Sun: KeyGen $6E_s$; Enc $1E_s + 3E_d + 3E_e$; Dec $2E_s + 2E_d + 2E_e$.
CLR-IBE-Zhou: KeyGen $2E_s + 2E_s$; Enc $2E_s + 2E_d$; Dec $2E_d + 4E_e$.
Our Scheme $\Pi$: KeyGen $1E_d$; Enc $2E_s + 2E_d + 1E_{Ext}$; Dec $1E_s + 1E_e + 1E_{Ext}$.
Our Scheme $\Pi'$: KeyGen $2E_d$; Enc $1E_s + 3E_d$; Dec $2E_e + 4E_d$.

Let $E_{Ext}$ be the cost of the randomness extractor operation, $E_s$ the cost of a single exponentiation, $E_d$ the cost of a double exponentiation and $E_e$ the cost of a pairing operation, where $E_e > E_d > E_s$.

6. CONCLUSION

In real life, an adversary can break the security of cryptographic primitives through continuous leakage attacks. Because the previous constructions [3, 20, 29, 30] only achieve continuous leakage-resilient CPA security, we design a novel construction of a continuous leakage-resilient CCA secure IBE scheme based on a non-static security assumption in the standard model. Compared with the previous constructions, our continuous leakage-resilient IBE scheme has better performance, e.g. shorter public parameters, tight security, etc.

In this paper, leakage on the master secret key is omitted. However, in actual applications, some leakage of the master secret key can be obtained by the adversary; thus, an IBE scheme with CCA security that can resist continuous leakage attacks on the master secret key is very practical. Therefore, in the next research stage, the continuous leakage resilience of the master secret key will be considered. Furthermore, a new construction of a continuous leakage-resilient IBE scheme will be researched in the standard model based on a classic static security assumption.

FUNDING

This work is supported by the National Key R&D Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (61802242, 61572303, 61772326, 61802241, 61872087, 61702259), the Natural Science Basic Research Plan in Shaanxi Province of China (2018JQ6088), the National Cryptography Development Foundation during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03), the Fundamental Research Funds for the Central Universities (GK201803064) and the Natural Science Foundation of Zhejiang Province of China (LY14F020032).

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers for their helpful comments.

REFERENCES

[1] Naor, M. and Segev, G. (2009) Public-key Cryptosystems Resilient to Key Leakage. Advances in Cryptology—CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2009, Proceedings, pp. 18–35.
[2] Liu, S., Weng, J. and Zhao, Y. (2013) Efficient Public Key Cryptosystem Resilient to Key Leakage Chosen Ciphertext Attacks. CT-RSA 2013, San Francisco, CA, USA, February 25–March 1, 2013, pp. 84–100.
[3] Li, J., Guo, Y., Yu, Q., Lu, Y. and Zhang, Y. (2016) Provably secure identity-based encryption resilient to post-challenge continuous auxiliary input leakage. Secur. Commun. Netw., 9, 1016–1024.
[4] Li, J., Teng, M., Zhang, Y. and Yu, Q. (2016) A leakage-resilient CCA-secure identity-based encryption scheme. Comput. J., 59, 1066–1075.
[5] Sun, S., Gu, D. and Liu, S. (2013) Efficient Leakage-Resilient Identity-Based Encryption with CCA Security. 6th Int. Conf. Pairing-Based Cryptography—Pairing 2013, Beijing, China, November 22–24, 2013, Revised Selected Papers, pp. 149–167.
[6] Yu, Q., Li, J. and Zhang, Y. (2015) Leakage-resilient certificate-based encryption. Secur. Commun. Netw., 8, 3346–3355.
[7] Yu, Q., Li, J., Zhang, Y., Wu, W., Huang, X. and Xiang, Y. (2016) Certificate-based encryption resilient to key leakage. J. Syst. Softw., 116, 101–112.
[8] Guo, Y., Li, J., Lu, Y., Zhang, Y. and Zhang, F. (2018) Provably secure certificate-based encryption with leakage resilience. Theor. Comput. Sci., 711, 1–10.
[9] Zhou, Y., Yang, B. and Zhang, W. (2016) Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing. Discrete Appl. Math., 204, 185–202.
[10] Zhou, Y. and Yang, B. (2018) Leakage-resilient CCA2-secure certificateless public-key encryption scheme without bilinear pairing. Inf. Process. Lett., 130, 16–24.
[11] Zhou, Y., Yang, B., Cheng, H. and Wang, Q. (2018) A leakage-resilient certificateless public key encryption scheme with CCA2 security. Front. Inf. Technol. Electron. Eng., 19, 481–493.
[12] Dodis, Y., Haralambiev, K., López-Alt, A. and Wichs, D. (2010) Cryptography Against Continuous Memory Attacks. 51st Annual IEEE Symp. Foundations of Computer Science, FOCS 2010, October 23–26, 2010, Las Vegas, NV, USA, pp. 511–520.
[13] Goldwasser, S. and Rothblum, G.N. (2010) Securing Computation Against Continuous Leakage. Advances in Cryptology—CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2010, pp. 59–79.
[14] Zhou, Y., Yang, B., Zhang, W. and Mu, Y. (2016) CCA2 secure public-key encryption scheme tolerating continual leakage attacks. Secur. Commun. Netw., 9, 4505–4519.
[15] Alawatugoda, J., Boyd, C. and Stebila, D. (2014) Continuous After-the-Fact Leakage-Resilient Key Exchange. Information Security and Privacy—19th Australasian Conference, ACISP 2014, Wollongong, NSW, Australia, July 7–9, 2014, pp. 258–273.
[16] Wang, Y. and Tanaka, K. (2015) Generic Transformation to Strongly Existentially Unforgeable Signature Schemes with Continuous Leakage Resiliency. Information Security and Privacy—20th Australasian Conference, ACISP 2015, Brisbane, QLD, Australia, June 29–July 1, 2015, pp. 213–229.
[17] Li, J., Guo, Y., Yu, Q., Lu, Y., Zhang, Y. and Zhang, F. (2016) Continuous leakage-resilient certificate-based encryption. Inf. Sci., 355–356, 1–14.

[18] Zhou, Y. and Yang, B. (2017) Continuous leakage-resilient certificateless public key encryption with CCA security. Knowl. Based Syst., 136, 27–36.
[19] Zhou, Y., Yang, B. and Mu, Y. (2018) Continuous leakage-resilient identity-based encryption without random oracles. Comput. J., 61, 586–600.
[20] Li, J., Yu, Q., Zhang, Y. and Shen, J. (2019) Key-policy attribute-based encryption against continual auxiliary input leakage. Inf. Sci., 470, 175–188.
[21] Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S. and Wichs, D. (2010) Public-key encryption in the bounded-retrieval model. Advances in Cryptology—EUROCRYPT 2010, 29th Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Monaco/French Riviera, May 30–June 3, 2010, pp. 113–134.
[22] Boneh, D., Gentry, C. and Hamburg, M. (2007) Space-Efficient Identity Based Encryption Without Pairings. 48th Annual IEEE Symp. Foundations of Computer Science (FOCS 2007), October 20–23, 2007, Providence, RI, USA, Proceedings, pp. 647–657.
[23] Gentry, C. (2006) Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, pp. 445–464.
[24] Gentry, C., Peikert, C. and Vaikuntanathan, V. (2008) Trapdoors for Hard Lattices and New Cryptographic Constructions. Proc. 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008, pp. 197–206.
[25] Chow, S.S.M., Dodis, Y., Rouselakis, Y. and Waters, B. (2010) Practical Leakage-Resilient Identity-Based Encryption from Simple Assumptions. Proc. 17th ACM Conf. Computer and Communications Security, CCS 2010, Chicago, IL, USA, October 4–8, 2010, pp. 152–161.
[26] Boneh, D. and Boyen, X. (2004) Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
[27] Boneh, D. and Boyen, X. (2004) Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
[28] Waters, B. (2005) Efficient Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2005, 24th Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, pp. 114–127.
[29] Yuen, T.H., Chow, S.S.M., Zhang, Y. and Yiu, S. (2012) Identity-Based Encryption Resilient to Continual Auxiliary Leakage. Advances in Cryptology—EUROCRYPT 2012, 31st Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15–19, 2012, Proceedings, pp. 117–134.
[30] Lewko, A.B., Rouselakis, Y. and Waters, B. (2011) Achieving Leakage Resilience Through Dual System Encryption. Theory of Cryptography—8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA, March 28–30, 2011, Proceedings, pp. 70–88.
[31] Sun, S., Gu, D. and Huang, Z. (2015) Fully secure wicked identity-based encryption against key leakage attacks. Comput. J., 58, 2520–2536.
[32] Dodis, Y., Reyzin, L. and Smith, A.D. (2004) Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings, pp. 523–540.
[33] Shamir, A. (1984) Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology, Proc. CRYPTO'84, Santa Barbara, CA, USA, August 19–22, 1984, Proceedings, pp. 47–53.
