In actual applications, an adversary can break the security of a cryptographic scheme through various leakage attacks (e.g. side-channel attacks, cold-boot attacks, etc.), including continuous leakage attacks. That is, a practical cryptographic scheme must maintain its claimed security in the continuous leakage setting. However, the previous constructions of leakage-resilient identity-based encryption (IBE) schemes could only tolerate a bounded amount of leakage, and cannot resist continuous leakage attacks. In order to achieve better security, a novel method to build a continuous leakage-resilient IBE scheme with tight security is presented in this paper, and the scheme's security is proved, in the standard model, under a stronger security assumption whose strength depends on the number of queries made by the adversary (the truncated augmented bilinear Diffie–Hellman exponent assumption). In addition, our proposal has several advantages over previous such constructions, e.g. shorter public parameters, higher communication efficiency, tight security, etc.
Received 4 April 2018; revised 18 December 2018; editorial decision 19 December 2018
Handling editor: Chris Mitchell
1. INTRODUCTION

In the traditional security models, such as chosen-plaintext attacks (CPA), chosen-ciphertext attacks (CCA), etc., an efficient adversary can only see the designated inputs and outputs of a cryptographic scheme, and has no other way to access the internal secret information (e.g. the private key). In other words, these models are idealized security models, in which leakage of internal secret states is not considered. In the real world, an adversary can learn a certain amount of leakage information about the internal secrets through various leakage attacks, e.g. side-channel attacks, cold-boot attacks, etc. That is, traditional cryptographic schemes whose security is proved in an idealized setting may not be able to maintain their claimed security in the leakage setting. To further improve practicability, leakage-resilient cryptographic schemes have been constructed by many researchers in the past few years, including the leakage-resilient public-key encryption (PKE) scheme [1, 2], the leakage-resilient identity-based encryption (IBE) scheme [3–5], the leakage-resilient certificate-based encryption (CBE) scheme [6–8], the leakage-resilient signcryption scheme [9], the leakage-resilient certificateless public-key encryption (CL-PKE) scheme [10, 11], etc. Thus, leakage-resilient cryptography has led to constructions of many cryptographic primitives which can be proven secure even against adversaries who can obtain limited additional information about the private key or other internal secret states. However, an adversary can mount continuous leakage attacks in an actual application, and a cryptographic scheme with continuous leakage resilience is therefore more practical. In summary, (continuous) leakage resilience provides a powerful tool, allowing us to analyze the security of such constructions, and we believe that (continuous) leakage resilience is an interesting property of cryptographic primitives. Thus, in this paper, we study the continuous leakage resilience of IBE schemes, and design a concrete construction of a continuous leakage-resilient IBE scheme in the standard model.
1.1. Leakage model

In recent years, the bounded-leakage model has received much attention [1–4, 6]. In this model, an adversary can learn [...]

[...] leakage-resilient IBE schemes, which were constructed from Boneh et al.'s IBE scheme [26], Lewko et al.'s IBE scheme [27] and Waters's IBE scheme [28]. Also, the first construction [...]

[...] security, and the CCA security of the continuous leakage-resilient IBE scheme proposed in [19] is proved in the selective-identity security model, and can only achieve selective [...]

[...] leakage-resilient IBE scheme $\Pi$ with CPA security, in the standard model, under the truncated augmented bilinear Diffie–Hellman exponent ($q$-TABDHE) assumption. After that, we develop a novel construction of a continuous leakage-resilient IBE scheme $\Pi'$, and the CCA security of $\Pi'$ can be proved with the same method as for $\Pi$. Compared with the (continuous) leakage-resilient IBE schemes of [4, 5, 19], our proposal enjoys better performance, e.g. higher communication efficiency, shorter public parameters, tight security, etc.

2. PRELIMINARIES

2.1. Notations

Let $k \in \mathbb{N}$ denote the security parameter. If $S$ is a string, then $|S|$ denotes its length, while if $S$ is a set then $|S|$ denotes its size and $s \leftarrow_R S$ denotes the operation of picking an element $s$ uniformly at random from $S$. We denote by $y \leftarrow \mathcal{A}(x)$ the operation of running $\mathcal{A}$ with input $x$ and assigning $y$ as the result. We use $negl(k)$ to denote the set of all functions that are negligible in the security parameter $k$.

2.2. Bilinear groups

Let $\mathcal{G}(1^k)$ be a probabilistic polynomial time (PPT) group generation algorithm that takes as input a security parameter $k$ and outputs a tuple $(p, G, G_T, e(\cdot,\cdot), g)$ such that: (i) $G$ and $G_T$ are two (multiplicative) cyclic groups of prime order $p$; (ii) $g$ is a generator of $G$; (iii) $e: G \times G \to G_T$ is an efficiently computable bilinear pairing with the following properties:
(1) Bilinearity: $e(u^a, v^b) = e(u, v)^{ab}$ for all $a, b \in \mathbb{Z}_p^*$ and $u, v \in G$;
(2) Non-degeneracy: $e(g, g) \neq 1_{G_T}$, where $1_{G_T}$ is the identity element of $G_T$.

[...] The decisional version of truncated $q$-ABDHE is defined as follows. Let $\mathcal{T}_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\mathcal{T}_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$; then the advantage of an adversary $\mathcal{A}$ in solving the $q$-ABDHE problem is defined as
$$Adv^{q\text{-}ABDHE}_{\mathcal{A}}(k) = \left|\Pr[\mathcal{A}(\mathcal{T}_1) = 1] - \Pr[\mathcal{A}(\mathcal{T}_0) = 1]\right|,$$
where the probability is over the random choice of the generators $g, g'$ in $G$, the random choice of $a$ in $\mathbb{Z}_p^*$, the random choice of $T_0 \leftarrow_R G_T$, and the random bits consumed by $\mathcal{A}$.

The $q$-ABDHE assumption is captured in the following distinguishability game performed by a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup. The challenger $\mathcal{C}$ runs $(p, G, G_T, e(\cdot,\cdot), g) \leftarrow \mathcal{G}(1^k)$ and gives $(p, G, G_T, e(\cdot,\cdot), g)$ to the adversary $\mathcal{A}$.

Challenge stage. $\mathcal{C}$ does the following operations:
(1) Computes $g_i = g^{(a^i)}$ and $g'_i = g'^{(a^i)}$, where $g, g' \leftarrow_R G$, $i = 1, 2, \ldots, q+2$ (so that $g_{q+1}$ and $g'_{q+2}$ are available) and $a \leftarrow_R \mathbb{Z}_p^*$.
(2) Sets $\mathcal{T}_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\mathcal{T}_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$.
(3) Sends the challenge tuple $\mathcal{T}_v$ to $\mathcal{A}$, where $v \leftarrow_R \{0, 1\}$.

Output. $\mathcal{A}$ outputs a bit $v' \in \{0, 1\}$ as its guess of the random bit $v$ chosen by the challenger $\mathcal{C}$. If $v' = v$, then $\mathcal{A}$ wins the game; that is, the adversary $\mathcal{A}$ can distinguish a $q$-ABDHE tuple from a random tuple.

DEFINITION 2.1 ($q$-ABDHE). We say that the $q$-ABDHE assumption holds if for all PPT adversaries $\mathcal{A}$ we have $Adv^{q\text{-}ABDHE}_{\mathcal{A}}(k) \le negl(k)$.
2.4. Randomness extractor

The basic notions such as universal hash, min-entropy $H_\infty(A)$, statistical distance $SD(A, B)$ and average conditional min-entropy $\tilde{H}_\infty(\cdot \mid \cdot)$ [...]

LEMMA 2.3 (Generalized leftover hash lemma [32]). Let $X, Y$ be random variables such that $X \leftarrow_R \{0, 1\}^{l_n}$ and $\tilde{H}_\infty(X \mid Y) \ge k$. Let $\mathcal{H}$ be a family of universal hash functions from $\{0, 1\}^{l_n}$ to $\{0, 1\}^{l_m}$. Then, for $S \leftarrow_R \mathcal{H}$ and [...]

[...] prove the bounded leakage-resilient property of our construction, and the continuous leakage resilience is naturally achieved by performing the key update operation.

[...] and returns the corresponding answers $f_i(SK_{id})$ by using the private key $SK_{id}$, where $f_i: \{0, 1\}^* \to \{0, 1\}^{l_i}$ is an efficiently computable leakage function [...]

[...] $g_1$ are uniformly random and this system public parameter has a distribution identical to that in the actual construction. In other words, $a$ is chosen by the challenger from $\mathbb{Z}_p^*$, and $a$ is uniformly random from the simulator $\mathcal{B}$'s view.

[...] $c_3^* = \mathrm{Ext}\!\left(e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}, S^*\right) \oplus M_b$, where $S^* \leftarrow_R \{0, 1\}^{l_t}$. That is, $\mathcal{B}$ computes the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ from $(g, g_1, g_2, \ldots, g_q)$ without knowledge of $a$.
Test stage 1. In this stage, the following two kinds of queries are adaptively submitted by $\mathcal{A}$, and each query may depend on the previous queries as well as the corresponding responses.

(1) Key generation queries. For a key generation query on any identity $id \in \mathcal{ID}$, if $id = a$, then $\mathcal{B}$ uses $a$ to solve the truncated decisional $q$-ABDHE problem immediately; otherwise, let $F_{id}(z)$ denote the $(q-1)$-degree polynomial $\frac{f(z) - f(id)}{z - id}$. $\mathcal{B}$ outputs the corresponding private key $SK_{id} = (g^{F_{id}(a)}, f(id))$. This is a valid private key for the identity $id$, since
$$g^{F_{id}(a)} = g^{\frac{f(a) - f(id)}{a - id}} = \left(g^{f(a)} g^{-f(id)}\right)^{\frac{1}{a - id}} = \left(h\, g^{-f(id)}\right)^{\frac{1}{a - id}}.$$
Note that $\mathcal{B}$ can compute $g^{F_{id}(a)}$ from $g, g_1, \ldots, g_q$ alone, since $F_{id}$ has degree $q-1$.

(2) Leakage queries. For a leakage query on any identity $id \in \mathcal{ID}$, $\mathcal{B}$ operates the leakage oracle $\mathcal{O}^{l,k}_{SK_{id}}(\cdot)$ [...]

[...] (3) Send $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ to the adversary $\mathcal{A}$ as the challenge ciphertext.

We have to stress that, in the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$, the elements $c_1^*$ and $c_2^*$ can be written as follows (with $F'_{id^*,i}$ the coefficients of the polynomial $F'_{id^*}(z)$, whose leading coefficient $F'_{id^*,q+1}$ is 1):
$$c_1^* = (g')^{f'(a) - f'(id^*)} = g^{(\log_g g')\, F'_{id^*}(a)\,(a - id^*)} = \left(g_1 g^{-id^*}\right)^{(\log_g g')\, F'_{id^*}(a)},$$
and, when $T_v = e(g_{q+1}, g')$,
$$\begin{aligned}
c_2^* &= T_v \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\right) = e\!\left(g^{a^{q+1}}, g'\right) \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\, a^i}\right) \\
&= e\!\left(g^{\log_g g'}, g^{\sum_{i=0}^{q} F'_{id^*,i}\, a^i + a^{q+1}}\right) = e\!\left(g^{\log_g g'}, g^{\sum_{i=0}^{q+1} F'_{id^*,i}\, a^i}\right) \\
&= e\!\left(g^{\log_g g'}, g^{F'_{id^*}(a)}\right) = e\!\left(g^{(\log_g g')\, F'_{id^*}(a)}, g\right).
\end{aligned}$$
For ease of exposition we let $r = (\log_g g')\, F'_{id^*}(a)$, so that $c_1^* = (g_1 g^{-id^*})^{r}$ and $c_2^* = e(g, g)^{r}$, exactly as produced by the encryption algorithm. Notice that $a$ and $g'$ are chosen by the challenger from $\mathbb{Z}_p^*$ and $G$, respectively, i.e. $a \leftarrow_R \mathbb{Z}_p^*$ and $g' \leftarrow_R G$. Thus, for any adversary, $a$ and $\log_g g'$ are uniformly random, where $g$ is a generator of the group $G$. In other words, the random values $a$ and $g'$ were sent to the simulator $\mathcal{B}$ by the challenger $\mathcal{C}$ [...]

[...] It is easy to see that the simulation is perfect, and $C_b^*$ is a valid encryption of the message $M_b$ if $T_v = e(g_{q+1}, g')$. On the other hand, if $T_v \leftarrow_R G_T$, then $C_b^*$ is uniformly random in $\mathcal{A}$'s view and gives no [...]
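The key-generation simulation above, and the $q$-ABDHE instance of Section 2 it relies on, can be checked concretely. The following Python is an added example written for this page, not code from the paper. It builds a toy $q$-ABDHE instance in the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $q = 2p + 1$ and $p = 1019$ (toy sizes, chosen for readability), lets the simulator derive $g^{F_{id}(a)}$ from $g, g_1, \ldots, g_q$ by synthetic division of $(f(z) - f(id))/(z - id)$ without knowing $a$, and compares it with the real key $(h\, g^{-f(id)})^{1/(a - id)}$ computed with $a$. It also checks the $c_1^*$ identity $(g')^{f'(a) - f'(id^*)} = (g_1 g^{-id^*})^{r}$ with $f'(z) = z^{q+2}$. There is no pairing in this group, so $c_2^*$ is not modelled; the polynomial $f$, the identities and the seeds are assumptions made for the demo.

```python
"""Gentry-style simulator for the key-generation queries in the proof sketch above.

Everything lives in the order-p subgroup of Z_q^* (q = 2p + 1), which has no pairing, so
only the parts of the simulation that live in G are exercised: the q-ABDHE instance
(g, g_1..g_q, g', g'_{q+2}), the simulated key g^{F_id(a)}, and the element c_1^*.
The parameters are toy-sized and chosen for readability, not security.
"""
import random

P = 1019            # group order p (prime)
Q = 2 * P + 1       # field modulus q = 2p + 1 (also prime), so Z_q^* has a subgroup of order p


def poly_eval(coeffs, z):
    """Evaluate sum_i coeffs[i] * z^i mod p (coefficients in Z_p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % P
    return acc


def quotient_by_linear(coeffs, root):
    """Coefficients of (f(z) - f(root)) / (z - root) by synthetic division.

    f(z) - f(root) vanishes at z = root, so the division is exact and the quotient has
    degree deg(f) - 1.  This is F_id(z) = (f(z) - f(id)) / (z - id) from the proof.
    """
    deg = len(coeffs) - 1
    out = [0] * deg
    carry = 0
    for i in range(deg, 0, -1):
        carry = (carry * root + coeffs[i]) % P
        out[i - 1] = carry
    return out


def abdhe_instance(rng, q_param):
    """Challenger side: a <-R Z_p^*, g, g' <-R G; publish (g, g_1..g_q, g', g'_{q+2}).

    Returns the public instance and, separately, the secret a (used only for checking).
    """
    a = rng.randrange(1, P)
    g = pow(rng.randrange(2, Q - 1), 2, Q)            # squaring lands in the order-p subgroup
    g_prime = pow(rng.randrange(2, Q - 1), 2, Q)
    g_pows = [pow(g, pow(a, i, P), Q) for i in range(q_param + 1)]   # g_i = g^{a^i}, i = 0..q
    g_prime_q2 = pow(g_prime, pow(a, q_param + 2, P), Q)              # g'_{q+2}
    return {"g": g, "g_pows": g_pows, "g_prime": g_prime, "g_prime_q2": g_prime_q2}, a


def simulate_private_key(inst, f_coeffs, ident):
    """Simulator side: SK_id = (g^{F_id(a)}, f(id)) from g_1..g_q, without a.

    f is the simulator's own random degree-q polynomial (h = g^{f(a)}).  F_id has degree
    q-1, so each factor g^{F_id,i * a^i} is just g_i^{F_id,i}.
    """
    F = quotient_by_linear(f_coeffs, ident)
    sk1 = 1
    for i, coef in enumerate(F):
        sk1 = sk1 * pow(inst["g_pows"][i], coef, Q) % Q
    return sk1, poly_eval(f_coeffs, ident)


def real_private_key(inst, f_coeffs, ident, a):
    """Reference value (h g^{-f(id)})^{1/(a-id)}, computable only with the secret a."""
    h = pow(inst["g"], poly_eval(f_coeffs, a), Q)                 # h = g^{f(a)}
    base = h * pow(inst["g"], P - poly_eval(f_coeffs, ident), Q) % Q
    inv = pow((a - ident) % P, -1, P)                             # 1/(a - id) in Z_p
    return pow(base, inv, Q)


def simulated_c1(inst, ident_star, q_param):
    """c_1^* = (g')^{f'(a) - f'(id*)} with f'(z) = z^{q+2}, from g'_{q+2} and g' only."""
    return inst["g_prime_q2"] * pow(inst["g_prime"], P - pow(ident_star, q_param + 2, P), Q) % Q


def check_simulation(seed=1, q_param=6, ident=17, ident_star=42):
    """True if the simulated key and c_1^* equal what the real scheme would produce."""
    rng = random.Random(seed)
    inst, a = abdhe_instance(rng, q_param)
    if a in (ident, ident_star):
        # Proof's special case: a queried identity equals a, so the simulator learns a and
        # answers the q-ABDHE challenge directly; nothing is left to simulate (prob. ~2/p).
        return True
    f_coeffs = [rng.randrange(P) for _ in range(q_param + 1)]     # random degree-q f
    sim_sk1, _ = simulate_private_key(inst, f_coeffs, ident)
    key_ok = sim_sk1 == real_private_key(inst, f_coeffs, ident, a)

    # c_1^* must equal (g_1 g^{-id*})^r with r = (log_g g') F'_{id*}(a); verifying this
    # needs a and log_g g', which only the checker (not the simulator) has.
    Fp = quotient_by_linear([0] * (q_param + 2) + [1], ident_star)   # F'_{id*}, degree q+1
    log_g_gp = next(x for x in range(P) if pow(inst["g"], x, Q) == inst["g_prime"])
    r = log_g_gp * poly_eval(Fp, a) % P
    expected_c1 = pow(inst["g_pows"][1] * pow(inst["g"], P - ident_star, Q) % Q, r, Q)
    c1_ok = simulated_c1(inst, ident_star, q_param) == expected_c1
    return key_ok and c1_ok
```

The brute-force discrete log in `check_simulation` exists only because the group is tiny; it plays no role in the simulator itself, which touches nothing but the published powers. Raising `q_param` shows the cost of the assumption growing with the number of key queries the simulator must answer.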
[...] $2 \log \frac{1}{\epsilon} = \omega(\log k)$; thus, we have $l \le 2 \log p - l_m - \omega(\log k)$.

To sum up, based on the randomness of the key update [...]

5.1. Concrete construction

Setup. The setup algorithm $(Params, S_{msk}) \leftarrow Setup'(1^k)$ is described as follows:
(1) Run the algorithm $\mathcal{G}(1^k)$ to obtain $(p, G, G_T, e(\cdot,\cdot), g)$.
(2) Choose $a \leftarrow_R \mathbb{Z}_p^*$ and $h_1, h_2 \leftarrow_R G$, and then compute $g_1 = g^{a}$.
(3) Let the master secret key be $S_{msk} = a$, and set the public parameters $Params = \langle (p, G, G_T, e(\cdot,\cdot), g), h_1, h_2, g_1, H \rangle$ as the common input of the following algorithms, where $H: G \times G_T \times G_T \times \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ is a one-way cryptographic hash function. In addition, let the identity space be $\mathcal{ID} = \mathbb{Z}_p^*$ and the message space be $\mathcal{M} = G_T$.

Key generation. The key generation algorithm $(SK_{id}, tk_{id}) \leftarrow KeyGen'(id, S_{msk})$ is described as follows:
– Choose $t_1, t_2 \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1} = (h_1 g^{-t_1})^{\frac{1}{a - id}}$, $sk_{id,2} = t_1$, $sk_{id,3} = (h_2 g^{-t_2})^{\frac{1}{a - id}}$ and $sk_{id,4} = t_2$.
– Output the private key $SK_{id} = (sk_{id,1}, sk_{id,2}, sk_{id,3}, sk_{id,4})$ associated with the identity $id$. In addition, return the update key $tk_{id} = g^{\frac{1}{a - id}}$, which is used in the key update algorithm.
We stress that, if $a = id$, then the key generation algorithm aborts.

Key update. The key update algorithm $SK_{id}^{j} \leftarrow Update'(SK_{id}^{j-1}, tk_{id})$ is described as follows:
(1) Choose $a_j, b_j \leftarrow_R \mathbb{Z}_p^*$, and compute [...]
(2) Output the new private key $SK_{id}^{j} = (sk_{id,1}^{j}, sk_{id,2}^{j}, sk_{id,3}^{j}, sk_{id,4}^{j})$ associated with the identity $id$. Also, for any adversary, we have $SD(SK_{id}^{j}, SK_{id}^{j-1}) \le negl(k)$, since $a_j$ and $b_j$ are uniformly random and independent from the adversary's view.

Encryption. The encryption algorithm $C \leftarrow Enc'(id, M)$ is described as follows:
(1) Choose $r \leftarrow_R \mathbb{Z}_p^*$, and compute $c_1 = g_1^{r} g^{-r \cdot id}$ and $c_2 = e(g, g)^{r}$.
(2) Choose $s \leftarrow_R \mathbb{Z}_p^*$, and compute $c_3 = e(g, h_1)^{rs}\, e(g, h_2)^{r}\, M$.
(3) Compute $c_4 = e(g, h_1)^{r}\, e(g, h_2)^{r\beta}$, where $\beta = H(c_1, c_2, c_3, s)$.
(4) Set $C = (c_1, c_2, c_3, c_4, s)$ as the ciphertext of $M$, and output the ciphertext $C$.

Notice that, in this construction, the randomness extraction is implemented by the special universal hash function $H_s(x, y) = x y^{s}$, used as an average-case strong extractor, where $s \in \mathbb{Z}_p^*$, $x = e(g, h_2)^{r}$ and $y = e(g, h_1)^{r}$. Similarly, the element $c_4$ in $C = (c_1, c_2, c_3, c_4, s)$ is created by the universal hash function $H_\beta(y, x) = y x^{\beta}$, where $\beta \in \mathbb{Z}_p^*$.
Decryption. The decryption algorithm $M \leftarrow Dec'(SK_{id}, C)$ is described as follows: [...]

[...] using the private key $SK_{id}$, where $f_i: \{0, 1\}^* \to \{0, 1\}^{l_i}$ is an efficiently computable leakage function submitted by the adversary $\mathcal{A}$. In the process of leakage queries, the total length of $f_i(SK_{id})$ which all [...]

[...] $\mathcal{T}_v = (g', g'_{q+2}, g, g_1, g_2, \ldots, g_q, T_v)$, where $g_i = g^{(a^i)}$ and $g'_i = g'^{(a^i)}$ for an unknown $a \in \mathbb{Z}_p^*$, and [...]

(1) If $T_v = e(g_{q+1}, g')$, then $c_1^* = g_1^{r} g^{-r \cdot id^*}$, $c_2^* = e(g, g)^{r}$, $c_3^* = e(g, h_1)^{r s^*} e(g, h_2)^{r} M_b$ and $c_4^* = e(g, h_1)^{r} e(g, h_2)^{r \beta^*}$, since [...]
$$Adv^{q\text{-}ABDHE}_{\mathcal{A}}(k) = \left|\Pr[\mathcal{A}(\mathcal{T}_1) = 1] - \Pr[\mathcal{A}(\mathcal{T}_0) = 1]\right| \ge Adv^{LR\text{-}CCA}_{\mathcal{A},\Pi'}(k) - \frac{1}{p}.$$

[...] computation efficiency. The basic performance is determined by the private key length (SKLen), the ciphertext length (Len), the leakage model (Model), the security notion and the upper bound on the bit-size of allowed leakage ($l$), which are listed in Table 1. The [...]
Table 1. Comparison with previous (continuous) leakage-resilient IBE schemes.

Scheme          SKLen          Len                          Assumption   Model   Leakage bound l               Security
LR-IBE-Li       2|G| + 2|p|    |G| + 2|G_T| + l_m + l_t     q-ABDHE      BLM     log p - l_m - ω(log k)        CCA
LR-IBE-Sun      3|G| + 3|p|    2|G| + 2|G_T| + |p|          q-ABDHE      BLM     log p - ω(log k)              CCA
CLR-IBE-Zhou    2|G| + 2|p|    2|G| + 2|G_T| + |p|          DBDH         CLM     2 log p - ω(log k)            CCA
Our scheme Π    |G| + |p|      |G| + |G_T| + l_m + l_t      q-ABDHE      CLM     2 log p - l_m - ω(log k)      CPA
Our scheme Π′   2|G| + 2|p|    |G| + 3|G_T| + |p|           q-ABDHE      CLM     3 log p - ω(log k)            CCA

Let $l_t$ be the length of the randomness seed, $l_m$ the length of the message and $|p|$ the length of an element of $\mathbb{Z}_p^*$. Let $|G|$ and $|G_T|$ be the length of an element of the group $G$ and $G_T$, respectively. BLM denotes the bounded leakage model and CLM the continuous leakage model.
6. CONCLUSION

In real life, an adversary can break the security of cryptographic primitives through continuous leakage attacks. Because [...]

[3] Li, J., Guo, Y., Yu, Q., Lu, Y. and Zhang, Y. (2016) Provably secure identity-based encryption resilient to post-challenge continuous auxiliary input leakage. Secur. Commun. Netw., 9, 1016–1024.

[18] Zhou, Y. and Yang, B. (2017) Continuous leakage-resilient certificateless public key encryption with CCA security. Knowl. Based Syst., 136, 27–36.

[...] in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.