CCA-Secure Leakage-Resilient Identity-Based Key-Encapsulation from Simple (Not \(\mathtt {q}\)-type) Assumptions

Abstract

In this paper, we propose a new leakage-resilient identity-based encryption (IBE) scheme that is secure against chosen-ciphertext attacks (CCA) in the bounded memory leakage model. It is the first CCA-secure leakage-resilient IBE scheme which does not depend on \(\mathtt {q}\)-type assumptions. More precisely, it is secure under the DLIN assumption for symmetric bilinear groups and under the XDLIN assumption for asymmetric bilinear groups, respectively.

A Proof of Lemmas

To complete the proof of Theorem 1, we prove Lemmas 4, 6, 7, and 8.

Lemma 4

We introduce a lemma before proving Lemma 4.

Lemma 5

([19, Claim 6.7]). Let \(0< \rho < 1\) be a real. For a sequence of identities \(\mathbf {id}\in (\mathcal {ID})^{Q+1}\), and \(\mathcal {ABORT}\) be the event that the challenger aborts with added rules in \(\text {Game}_{2}\). For any fixed \(\mathbf {id}\),

$$ \eta _\mathrm {low}\left( 1-\rho \right) \le \Pr [\lnot \mathcal {ABORT}] \le \eta _\mathrm {low}\left( 1+\rho \right) . $$

Proof

(of Lemma 4). For a sequence of identities \(\mathbf {id}\in (\mathcal {ID})^{Q+1}\), we define \(\mathcal {Q}(\mathbf {id})\) as the event that \(\mathsf {A}\) uses the last entry in \(\mathbf {id}\) as the challenge and makes key generation queries and decapsulation queries for the remaining identities. Then, we have \(\sum _{\mathbf {id}\in (\mathcal {ID})^{Q+1}}\Pr [\mathcal {Q}(\mathbf {id})] = 1\). Let \(\delta (\mathbf {id}) = \Pr [\lnot \mathcal {ABORT}]\), and \(\delta _\mathrm {low}\) and \(\delta _\mathrm {up}\) be reals such that \(\delta _\mathrm {low}\le \delta (\mathbf {id}) \le \delta _\mathrm {up}\). Then, we have

The last inequality above follows from Lemma 3, since we have

and

From Lemma 5, we have \(\delta _\mathrm {up}- \delta _\mathrm {low}\le \eta _\mathrm {low}\rho /2\). Therefore, defining , we obtain

   \(\square \)

Lemma 6

For any PPT algorithm \(\mathsf {A}\), there exists a PPT algorithm \(\mathsf {D}\) such that

(17)

Proof

Let be an XDLIN instance, where

$$\begin{aligned} \mathbf {A}&= \begin{pmatrix} a_1 &{} 0 &{} 1 \\ 0 &{} a_2 &{} 1 \end{pmatrix}, \\ \mathbf {y}&= \mathbf {A}^\top \mathbf {r}^*\text { or random}. \end{aligned}$$

Then, we build a PPT algorithm \(\mathsf {D}\) with input \((\left[ \mathbf {A} \right] _1,\left[ \mathbf {A} \right] _2,\left[ \mathbf {y} \right] _1)\) that simulates the IND-ID-lrCCA game with \(\mathsf {A}\) as follows.

• Setup phase: \(\mathsf {D}\) generates \(\mathrm { pp }= \left( \left[ \mathbf {A} \right] _1,\left[ \mathbf {B}_0 \right] _1,\left[ \mathbf {B}_1 \right] _1,\ldots ,\left[ \mathbf {B}_m \right] _1,\left[ \mathbf {D} \right] _1\right) \) as same as the challenger, except that \(\mathsf {D}\) computes

  $$\begin{aligned} \left[ \mathbf {B}_0 \right] _1&= \left[ \mathbf {A} \mathbf {R}_0 + \mathbf {I}_2 \right] _1, \\ \left[ \mathbf {B}_i \right] _1&= \left[ \mathbf {A} \mathbf {R}_i + h_i \mathbf {I}_2 \right] _1 \text { for } i = 1,\ldots ,m, \\ \left[ \mathbf {D} \right] _1&= \left[ \mathbf {A} \mathbf {E} \right] _1. \end{aligned}$$

  Finally \(\mathsf {D}\) sends \(\mathrm { pp }\) to \(\mathsf {A}\).

• Query phase: \(\mathsf {D}\) answers for each query from \(\mathsf {A}\) as follows.

  • Key Generation query \(\mathrm { id }\). Assume that \(\beta _h(\mathrm { id }) \ne 0\). \(\mathsf {D}\) chooses at random, computes such that \(\left[ \beta _h(\mathrm { id }) \mathbf {S}'' \right] _2 = \left[ -\mathbf {A}\mathbf {S}' + \mathbf {A}\mathbf {E} \right] _2\), sets

    $$ \left[ \mathbf {S}_\mathrm { id } \right] _2 = \left[ \begin{pmatrix} \mathbf {S}' - \mathbf {R}_\mathrm { id }\mathbf {S}'' \\ \mathbf {S}' \end{pmatrix} \right] _2, $$

    and returns \(\mathrm { sk }_\mathrm { id }= \left[ \mathbf {S}_\mathrm { id } \right] _2\) to \(\mathsf {A}\).

  • Leakage query \((\mathrm { id }, f)\) and decapsulation query \((\mathrm { id }, \mathrm { ct })\). If \(\beta _h(\mathrm { id }) \ne 0\), then \(\mathsf {D}\) can generate \(\mathrm { sk }_\mathrm { id }\) as above. Furthermore, even in that case that \(\beta _h(\mathrm { id }) = 0\) (i.e., \(\mathrm { id }=\mathrm { id }^*\)), \(\mathsf {D}\) can generate \(\mathrm { sk }_\mathrm { id }\) by computing \(\mathbf {S}_\mathrm { id }\) such that . Thus, \(\mathsf {D}\) can answer \(f(\mathrm { sk }_\mathrm { id })\) and \(\mathsf {Decap}(\mathrm { sk }_\mathrm { id }, \mathrm { ct })\) for any identity.

• Challenge phase: \(\mathsf {D}\) generates the challenge \((\mathrm { ct }^*,K_b^*) = \left( (\left[ \mathbf {c}^* \right] _1,\left[ k_a \right] _T,\mathrm { sd }),K_b^*\right) \) as same as the challenger, except that \(\mathsf {D}\) computes

  $$ \left[ \mathbf {c}^* \right] _1 = \left[ \begin{pmatrix} \mathbf {y} \\ \mathbf {R}_{\mathrm { id }^*}^\top \mathbf {y} \end{pmatrix} \right] _1 $$

  instead of \(\left[ \mathbf {c}^* \right] _1 = \left[ \mathbf {F}_{\mathrm { id }^*}^\top \mathbf {r} \right] _1\). Then, \(\mathsf {D}\) returns \((\mathrm { ct }^*,K_b^*)\) to \(\mathsf {A}\).

Finally, \(\mathsf {D}\) outputs \(\gamma = [b = b']\) where is the output of \(\mathsf {A}\).

We will show that the distribution of \((\mathrm { ct }^*, K_b^*)\) is the same as the challenge in \(\text {Game}_{4}\) if \(\mathbf {y} = \mathbf {A}^\top \mathbf {r}^*\), while if \(\mathbf {y}\) is a random it is the same as that in \(\text {Game}_{5}\) with overwhelming probability. First suppose that \(\mathbf {y} = \mathbf {A}^\top \mathbf {r}^*\). In this case,

showing that \((\mathrm { ct }^*, K_b^*)\) is the challenge in \(\text {Game}_{4}\). Next suppose that \(\mathbf {y}\) is random in . It suffices to prove that is also random in even given \(\mathbf {A}\), , and \(\mathbf {y}\). It is easy to see that

$$\begin{aligned} \begin{pmatrix} \mathbf {U} \\ \mathbf {z}^\top \end{pmatrix} = \underbrace{\begin{pmatrix} \mathbf {A} \\ \mathbf {y}^\top \end{pmatrix}}_\mathbf {V}\mathbf {R}_{\mathrm { id }^*}. \end{aligned}$$

Therefore, \(\mathbf {z}\) is random because \(\mathbf {V}\) is of full rank with probability \(1-1/q\). Hence, \(\left[ \mathbf {c}^* \right] _1\) is random as expected.

Thus, \(\text {Game}_{4}\) and \(\text {Game}_{5}\) are indistinguishable under the XDLIN assumption, so that we have Eq. (17).    \(\square \)

Lemma 7

(18)

Proof

We assume that all decapsulation queries are made after the challenge phase, but a similar (but slight simpler) argument can be used if \(\mathsf {A}\) makes queries before the challenge phase. Suppose that \((\mathrm { id }^*,\mathrm { ct }= (\left[ \mathbf {c} \right] _1,\left[ t \right] _T,\mathrm { sd }))\) is the first decapsulation query such that \(\mathrm { id }= \mathrm { id }^*\) and the condition at line 13 in Fig. 1 is evaluated. Let , where . Then, we have

where \(k_a\) is computed at line 11 in Fig. 1. From the supposition, we can assume that \(\alpha \ne \alpha ^*\), \(\mathbf {c}^*\) is chosen uniformly at random, and \(\left[ \mathbf {c} \right] _1\) is invalid for \(\mathrm { id }^*\). Hence, the matrix \(\mathbf {M}\) is of full rank with probability at least \(1-1/q\), that implies that the distribution of \(k_a\) is random and independent from \(\mathbf {D}\) and \(k_a^*\). In addition to \(\mathbf {D}\) and \(k_a^*\), \(\mathsf {A}\) knows at most \(\ell \) bit leakage and n bit challenge session key \(K_b^*\) that is probable to provide information on the value of \(k_a\) to \(\mathsf {A}\). Let \(K_a\), F, and I denote random variables induced by \(k_a\), , and \(({\mathbf D}, k_a^*)\), respectively. Given \(k_a\), , and \(({\mathbf D}, k_a^*)\) that \(\mathsf {A}\) knows, we have

$$ \tilde{H}_\infty (K_a \mid F, I) \ge \tilde{H}_\infty (K_a \mid I) - (\ell + n) = \log _2{q} - \ell - n $$

from Lemma 1 and the above discussion. Thus, for any \(k_a\), we have \(\Pr [K_a=k_a] \le 2^{\ell +n}/q\). Therefore, in the first evaluation of line 11, the condition \(t=k_a\) is satisfied with probability at most \({2^{\ell +n}}/{q}\). Now assuming \(t=k_a\) is not satisfied, the number of possible \(k_a\) decreases one. So, in the i-th evaluation of line 11, the probability that \(t=k_a\) holds is at most \(2^{\ell +n}/(q-i+1)\), in the case that \(t=k_a\) is not satisfied in all previous evaluations. From the above discussion, we have

From Eq. (2), we obtain Eq. (18).    \(\square \)

Lemma 8

(19)

Proof

In \(\text {Game}_{9}\), the challenger returns \(\bot \) to \(\mathsf {A}\) at line 13 in Fig. 1. Hence, \(\mathsf {A}\) does not learn any information on \(k_s^*\) via the decapsulation oracle, since \(\mathsf {A}\) can only get decapsulation results of valid ciphertexts. Now, \(\mathsf {A}\) knows \(\mathbf {D}\), \(k_a^*\), and as information about \(k_s^*\). Then, we show that the min-entropy of \(k_s^*\) is at least \(\log _2{q} - \ell \) with probability at least \(1-1/q\).

First, we have

$$\begin{aligned} k_s^*= {\mathbf {c}^*}^\top \mathbf {s}_1^*, \end{aligned}$$

and then

The matrix \(\mathbf {N}\) is of full rank with probability at least \(1-1/q\), since \(\alpha ^*\ne 0\) and \(\left[ \mathbf {c}^* \right] _1\) is uniformly at random. Then, the distribution of \(k_s^*\) is random and independent from \(\mathbf {D}\) and \(k_a^*\). In addition to \(\mathbf {D}\) and \(k_a^*\), \(\mathsf {A}\) knows at most \(\ell \) bit leakage that is probable to provide information on the value of \(k_s^*\) to \(\mathsf {A}\). Let \(K_a\), D, and F denote random variables induced by \(k_s^*\), \((\mathbf {D},k_a^*)\), and respectively. Given \(k_s^*\), \((\mathbf {D},k_a^*)\), and that \(\mathsf {A}\) knows, we have

$$\begin{aligned} \tilde{H}_\infty (K_s^*\mid D,F)&\ge \tilde{H}_\infty (K_s^*\mid D)- \ell = \log _2{q} - \ell \end{aligned}$$

from Lemma 1 and the discussion when ignoring . Hence \(\mathsf {Ext}(K_s^*, \mathrm { sd }^*)\) is statistically indistinguishable from an n bits random string because \(\mathsf {Ext}\) is a \((\log _2{q} - \ell )\)-randomness extractor. Therefore, we have Eq. (19).    \(\square \)