1 Introduction

We study the tampering attack security (equivalently, the related-key attack security) of public-key cryptosystems. A tampering attack allows an adversary to modify the secret of a target cryptographic device and observe the effect of the change at the output. For instance, a tampering attack on the IND-CCA game of a public-key encryption (PKE) scheme lets the adversary tamper with the secret key and observe the output of the decryption oracle run with the tampered secret.

Theoretical treatment of tampering attacks was first considered independently by Gennaro et al. [23] and Bellare and Kohno [6]. The former treated arbitrary (efficiently computable) tampering functions, whereas the latter considered a restricted class of tampering functions.

Since allowing all tampering functions is very challenging, Gennaro et al. [23] make a strong compromise: a trusted third party may publish its verification key (of a secure digital signature scheme) as part of the public parameters, which the adversary is not allowed to modify, and each user may obtain a signature on their secret issued by the trusted third party. We call this model the on-line model (called the algorithmic tamper-proof security model in [23]). On the other hand, Bellare and Kohno [6] assume no trusted party. However, the subsequent works [4, 5, 7, 22, 28, 33, 35] allow a trusted party to play a minimal role: it generates a public parameter and, once it has done so, does nothing else. The adversary is not allowed to modify the public parameter. We call this model the common reference string (CRS) model.

Gennaro et al. [23] pointed out that it is impossible to realize chosen-ciphertext attack (CCA) secure PKE and digital signature schemes resilient to all tampering functions even in the on-line model. Therefore, they allowed a cryptosystem to self-destruct, meaning that when it detects tampering, the cryptographic device can erase all internal data, so that the adversary cannot obtain anything more from the device.

Other known ways to bypass the impossibility result are (1) to use a key-updating mechanism, i.e., to allow a device to update its inner secret with fresh randomness [26], and (2) to allow the adversary only a bounded number of tampering queries (the bounded tampering model) [14].

Tampering is further classified into persistent or non-persistent (following [25]). In persistent tampering attacks, each tampering is applied to the current version of the secret, which has been overwritten by the previous tampering function, i.e., when an adversary queries \((\phi _1,x_1)\) and \((\phi _2,x_2)\) to device \(G({{s}},\cdot )\) in this order, it receives \(G(\phi _1({s}),x_1)\) and \(G(\phi _2(\phi _1({s})),x_2)\), where \(\phi _1,\phi _2\) are tampering functions and \(x_1,x_2\) are inputs to device G. In non-persistent tampering attacks, tampering is always applied to the original secret, i.e., the adversary receives \(G(\phi _1({s}),x_1)\) and \(G(\phi _2({s}),x_2)\) when submitting the above queries. We stress that for PKE and digital signature schemes without a key-update mechanism, non-persistent tampering is stronger than persistent tampering, because an adversary that breaks a cryptosystem by a persistent tampering attack also breaks the same system by a non-persistent tampering attack (it composes the tampering functions itself). It is not clear whether a similar relation holds for a cryptosystem with a key-updating mechanism.

In this paper we focus on the common reference string (CRS) model (as mentioned above), where we assume a public parameter is generated by a trusted third party and assume that an adversary is not allowed to modify it. This setting is common in many prior works, e.g., [4, 5, 7, 14, 22, 26, 28, 33, 35].

At CRYPTO 2011, Kalai, Kanukurthi, and Sahai [26] considered the continual tampering and leakage (CTL) model, assuming that tampering is persistent and that PKE and digital signature schemes are allowed to have a key-update algorithm, which updates a secret key with fresh (non-tampered) randomness between periods of tampering and leakage. This security model is considered in the CRS model. Their PKE scheme encrypts one-bit messages, is based on [10], and is only chosen-plaintext attack (CPA) secure. Therefore, in their CTL security model, the adversary is not allowed to access the decryption oracle, which means that it cannot observe the effect of tampering at the output of the decryption oracle. Instead, it can observe the effect of tampering at the output of the leakage oracle. We note that this tampering attack is not trivially implied by a leakage attack, because the tampered secret \(\phi (sk)\) is updated and the adversary can observe partial information on the updated secret, say \(L(\mathsf {Update}(\phi (sk)))\), from the leakage oracle. Their digital signature scheme (with a key-update mechanism) is constructed from their CTL secure PKE scheme with simulation-sound non-interactive zero-knowledge proofs, which is inefficient. They also considered a digital signature scheme without a key-update mechanism in the so-called continuous tampering and bounded leakage (CTBL) model. The digital signature scheme may self-destruct (otherwise, it is impossible to prove the security). They claim that it is secure against persistent tampering attacks in the CTBL model. Recall that, if a digital signature scheme does not have a key-update mechanism, non-persistent tampering is stronger than persistent tampering. We later prove that if a digital signature scheme does not have a key-updating mechanism, it cannot be resilient to continuous non-persistent tampering (even if it can self-destruct).

At ASIACRYPT 2013, Damgård, Faust, Mukherjee, and Venturi [14] proposed the bounded leakage and tampering (BLT) model. This setting allows a bounded number of non-persistent tampering queries, as well as bounded memory leakage, in the CRS model, where the PKE scheme has neither a self-destruction nor a key-update mechanism. In the BLT model for PKE, in addition to having access to a bounded memory leakage oracle, the adversary is allowed to submit a bounded number of “pre-challenge” tampering queries \((\phi ,\mathsf {CT})\) to the decryption oracle and receive \(\mathbf {D}(\phi (sk),\mathsf {CT})\). It may also access the decryption oracle with the original secret key both in the pre-challenge and post-challenge stages, as in the normal IND-CCA game. They presented a generic construction of an IND-CCA BLT secure PKE scheme from an IND-CPA BLT secure PKE scheme with tSE NIZK proofs [15]. The BHHO PKE scheme [9] is an instance of an IND-CPA BLT secure PKE scheme. Using the technique of [2], they also consider a variant of the floppy model [2], called the \(\iota \)-Floppy model, where each user has an individual secret y different from the secret key sk and is allowed to execute an invisible key update, i.e., to update the secret key sk using the (non-tampered) secret y with (non-tampered) fresh randomness.

1.1 Our Results

We study continuous tampering with arbitrary functions against PKE and digital signature schemes, in the presence of bounded or continuous memory leakage. Due to the impossibility result, we allow PKE and digital signature schemes to have either a self-destruction or a key-updating mechanism. There is no \(\textsc {IND}\)-\(\textsc {CCA}\) PKE scheme resilient to post-challenge tampering with arbitrary functions [14]. Indeed, one can break any PKE scheme by observing the output of the decryption oracle after tampering with the following efficiently computable function:

$$\begin{aligned} \phi (sk) = {\left\{ \begin{array}{ll} sk &{} \text {if } \mathbf {D}(sk,\mathsf {CT}^*) = m_0, \text { where } \mathsf {CT}^* \text { is a challenge ciphertext.} \\ \bot &{} \text {otherwise}. \end{array}\right. } \end{aligned}$$

This attack is unavoidable even with self-destruction, key-updating, and bounded persistent/non-persistent tampering in the on-line model (i.e., in the model with the strongest trust assumption): the adversary learns the challenge bit from whether the device still answers at all. Therefore, we allow tampering queries against a PKE scheme only in the pre-challenge stage.
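The following is an added worked example (written for this page, not code from the paper) that runs the post-challenge tampering function \(\phi \) above against a toy ElGamal-style PKE over a small prime-order group. The group parameters, the message pair, and the self-destructing decryption device are constructed for illustration; the scheme is only a stand-in for "any PKE", since the attack never uses its internals.

```python
"""Post-challenge tampering attack from Sect. 1.1 against a toy PKE.

Added example, not from the paper.  Toy parameters (constructed):
p = 1019 = 2*509 + 1, q = 509, and g = 4 generates the order-q subgroup.
"""
import random

P = 1019
Q = 509
G = 4


def keygen(rng):
    sk = rng.randrange(1, Q)
    pk = pow(G, sk, P)
    return pk, sk


def encrypt(rng, pk, m):
    """ElGamal-style encryption of a subgroup element m."""
    r = rng.randrange(1, Q)
    return (pow(G, r, P), (m * pow(pk, r, P)) % P)


def decrypt(sk, ct):
    """Returns the plaintext, or None (bottom) if the key has been erased."""
    if sk is None:
        return None
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c2 * c1^{-sk}


class Device:
    """Decryption oracle RKDec with self-destruction: the first bottom erases sk."""

    def __init__(self, sk):
        self.sk = sk

    def rkdec(self, phi, ct):
        if self.sk is None:          # already self-destructed
            return None
        m = decrypt(phi(self.sk), ct)   # non-persistent: phi applied to the stored sk
        if m is None:
            self.sk = None           # self-destruct on an invalid (here: erased) key
        return m


def attack(rng, pk, device, m0, ct_star):
    """phi(sk) = sk if D(sk, CT*) = m0, else bottom; any probe ciphertext reveals b."""

    def phi(sk):
        return sk if decrypt(sk, ct_star) == m0 else None

    probe = encrypt(rng, pk, 1)      # a fresh, honestly formed ciphertext, never equal to CT*
    reply = device.rkdec(phi, probe)
    return 0 if reply is not None else 1


def run_game(seed, b):
    """One IND-CCA game with challenge bit b; returns the adversary's guess."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    device = Device(sk)
    m0, m1 = pow(3, 2, P), pow(5, 2, P)       # two distinct subgroup elements
    ct_star = encrypt(rng, pk, m1 if b else m0)
    return attack(rng, pk, device, m0, ct_star)
```

Whether the device self-destructs or merely returns \(\bot \), the adversary's guess equals the challenge bit in every run; this is exactly why tampering queries are restricted to the pre-challenge stage below.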

We present the first chosen-ciphertext secure PKE schemes secure against continuous (pre-challenge) tampering of arbitrary functions. At the same time, our proposals tolerate bounded or continuous memory leakage of arbitrary functions. Interestingly, by putting some parameters in the common reference string and providing a self-destructive mechanism to the decryption algorithm, Qin and Liu’s PKE scheme [31] is \(\textsc {CTBL}{\text {-}}\textsc {CCA}\) secure, meaning that it is \(\textsc {IND}\)-\(\textsc {CCA}\) secure resilient to continuous tampering and bounded memory leakage. We also propose the first \(\textsc {CTL}\)-\(\textsc {CCA}\) secure PKE scheme, meaning that it is \(\textsc {IND}\)-\(\textsc {CCA}\) secure resilient to continuous tampering and continual memory leakage. To the best of our knowledge, this is the first \(\textsc {IND}\)-\(\textsc {CCA}\) secure PKE scheme resilient to continuous memory leakage without using zero-knowledge, regardless of tampering.

Our security definitions basically model a non-persistent tampering attack, but it is straightforward to modify it to a persistent one. We show that any PKE scheme without a key-update mechanism that is \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure against non-persistent tampering attacks is still \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure against persistent tampering attacks. So is our \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure PKE scheme. However, it is not clear that when a PKE scheme has a key-update mechanism, the similar relation holds.

We show that it is impossible to construct a secure digital signature scheme resilient to (continuous) non-persistent tampering even if it has a self-destruction mechanism. If the key-update mechanism may run only when tampering is detected, any digital signature scheme with a key-update mechanism is insecure as well.

Comparison Among Continuous Tampering Models. Table 1 classifies security models related to our continuous tampering model. Here \({\mathsf {b}}{\text {-}}{\mathsf {tamp}}\) indicates bounded tampering and \({\mathsf {c}}{\text {-}}{\mathsf {tamp}}\) indicates continuous tampering. Similarly, \({\mathsf {b}}{\text {-}}{\mathsf {leak}}\) indicates bounded memory leakage and \({\mathsf {c}}{\text {-}}{\mathsf {leak}}\) indicates continuous memory leakage. \(\mathsf {persist}\) indicates persistent tampering and \(\mathsf {n}{\text {-}}\mathsf {persist}\) indicates non-persistent tampering. per./n-per. indicates that the result in that row holds against both persistent and non-persistent tampering. \({\mathsf {c}}{\text {-}}{\mathsf {tamp}}^{-}\) indicates the case of the KKS signature scheme [26], where the adversary is allowed to submit a bounded number of tampering queries within each time period, although the number of tampering queries overall is unbounded. Our results are given in the gray rows of Table 1. Our CTL model imposes a more severe condition in that the scheme is allowed to update secret keys only when it can detect tampering.

Table 1. Comparison: continuous tampering models and results

1.2 Other Related Work

Considering a restricted class of tampering functions, we briefly mention two lines of works.

One research stream derives from Bellare and Kohno [6], who study tampering (or equivalently related-key) resilient security for specific primitives, such as pseudo-random function (PRF) families, PKE, and identity-based encryption (IBE) schemes. By restricting the tampering functions, post-challenge tampering queries can be handled in PKE. Currently, it is known that there is an IBE scheme (and hence, via the usual conversion, a PKE scheme) resilient to polynomial functions [7] (in the CRS model). Qin et al. [33] recently claimed a broader class, but the claim is not correct [22] (indeed, there is a counterexample [3]). Recently, Fujisaki and Xagawa proposed an IBE scheme resilient to a class of invertible functions [22]. In the above works, non-persistent tampering is considered, and the primitives have neither self-destruction nor key-update mechanisms.

The other line of work comes from algebraic manipulation detection (AMD) codes [11, 12] and non-malleable codes (NMC) [19], which can detect tampering by a certain class of functions. Dziembowski, Pietrzak, and Wichs [19] presented NMC and its application to tamper-resilient security. In their model, a PKE scheme allows both self-destruction and key-update mechanisms. An adversary accesses the target device G with a tampering query \((\phi ,x)\) with \(\phi \in \Phi \). If the decoding fails, i.e., \(\mathsf {Dec}(\phi (\mathsf {Enc}(s)))=\bot \), then G self-destructs. Otherwise, it returns G(s, x) and updates \(\mathsf {Enc}(s)\). Faust, Mukherjee, Nielsen, and Venturi [21] considered continuous NMC and applied it to tamper and leakage resilient security (in the split-state model). Recently, Jafargholi and Wichs [25] presented NMCs for a bounded number of tampering functions drawn from any subset of a very broad class. However, since the adversary must choose the subset before seeing the parameters of the code, this result is not effective against the continuous tampering attacks considered in this paper.

Independent Work. Independently of us, Faonio and Venturi [20] have recently shown (see footnote 1) that the digital signature scheme proposed by Dodis et al. [16] and the Qin-Liu PKE scheme [31] are secure in the bounded leakage and tampering (BLT) model [14], where a bounded number of non-persistent tampering queries and bounded memory leakage are allowed in the CRS model. Since we have proved that there is no digital signature scheme resilient to continuous non-persistent tampering even if self-destruction is allowed, it is reasonable that the digital signature scheme is proven secure only against bounded tampering. As for the PKE case, in which the Qin-Liu PKE scheme is proven BLT-CCA secure, their proof analysis is somewhat close to ours, in the sense that it does not use the leakage oracle in a black-box way to simulate the effect of tampering (unlike [14]).

2 Preliminaries

For \(n \in \mathbb {N}\) (the set of natural numbers), [n] denotes the set \(\{1,\ldots ,n\}\). We let \({\mathsf {negl}}(\kappa )\) denote an unspecified function \(f(\kappa )\) such that \(f(\kappa ) ={\kappa }^{-\omega (1)}=2^{-\omega (1)\log \kappa }\), and say that such a function is negligible in \(\kappa \). We write PPT and DPT algorithms to denote probabilistic polynomial-time and deterministic polynomial-time algorithms, respectively. For a PPT algorithm A, we write \(y \leftarrow A(x)\) to denote the experiment of running A on input x, picking inner coins r uniformly from an appropriate domain, and assigning the result of this experiment to the variable y, i.e., \(y=A(x;r)\). Let \(X=\{X_{\kappa }\}_{\kappa \in \mathbb {N}}\) and \(Y=\{Y_{\kappa }\}_{\kappa \in \mathbb {N}}\) be probability ensembles such that each \(X_{\kappa }\) and \(Y_{\kappa }\) are random variables ranging over \(\{0,1\}^{\kappa }\). The (statistical) distance between \(X_{\kappa }\) and \(Y_{\kappa }\) is \(\mathsf {Dist}(X_{\kappa }:Y_{\kappa }) \triangleq \frac{1}{2} \sum _{s \in \{0,1\}^{\kappa }} |\Pr [X_{\kappa }=s] - \Pr [Y_{\kappa }=s]|\). We say that two probability ensembles, X and Y, are statistically indistinguishable (in \(\kappa \)), denoted \(X \mathop {\approx }\limits ^{\mathrm s}Y\), if \(\mathsf {Dist}(X_{\kappa }:Y_{\kappa })\) \(={\mathsf {negl}}(\kappa )\). We write \(X \equiv Y\) if X and Y are identically distributed. We say that X and Y are computationally indistinguishable (in \(\kappa \)), denoted \(X \mathop {\approx }\limits ^{\mathrm c}Y\), if for every non-uniform PPT D (with output in \(\{0,1\}\)), \(\{D(1^{\kappa },X_{\kappa })\}_{\kappa \in \mathbb {N}}\) \(\mathop {\approx }\limits ^{\mathrm s}\) \(\{D(1^{\kappa },Y_{\kappa })\}_{\kappa \in \mathbb {N}}\).

2.1 Entropy and Extractor

The min-entropy of a random variable X is defined as \({\mathsf {H}}_{\infty }(X) = - \log {(\max _{x}\Pr [X=x])}\). We say that a function \(\mathsf {Ext}: \{0,1\}^{\ell _s}\times \{0,1\}^{n} \rightarrow \{0,1\}^{m}\) is a \((k, \epsilon )\)-strong extractor if for any random variable X such that \(X \in \{0,1\}^n\) and \({\mathsf {H}}_{\infty }(X)>k\), it holds that \(\mathsf {Dist}((S,\mathsf {Ext}(S,X)),(S,U_m)) \le \epsilon \), where S is uniform over \(\{0,1\}^{\ell _s}\). Let \({\mathcal {H}}= \{H\}\) be a family of hash functions \(H: \{0,1\}^n\rightarrow \{0,1\}^{m}\). \({\mathcal {H}}\) is called a family of universal hash functions if for all \(x_1,x_2 \in \{0,1\}^n\) with \(x_1\ne x_2\), \(\Pr _{H\leftarrow {\mathcal {H}}}[H(x_1)=H(x_2)] =2^{-m}\). Then the Leftover Hash Lemma (LHL) states the following.

Lemma 1

(Leftover Hash Lemma). Assume that the family \({\mathcal {H}}\) of functions \(H: \{0,1\}^n \rightarrow \{0,1\}^{m}\) is a family of universal hash functions. Then for any random variable X such that \(X\in \{0,1\}^n\) and \({\mathsf {H}}_{\infty }(X)>m\),

$$\begin{aligned} \mathsf {Dist}((H,H(X)),(H,U_{m})) \le \frac{1}{2}\sqrt{2^{-({\mathsf {H}}_{\infty }(X)-m)}}, \end{aligned}$$

where H is a random variable uniformly chosen over \({\mathcal {H}}\) and \(U_{m}\) is a random variable uniformly chosen over \(\{0,1\}^{m}\).

Therefore, for any k, the family \({\mathcal {H}}\) is a \((k,2^{-((k-m)/2+1)})\)-strong extractor (with the description of H as the seed): for every X with \({\mathsf {H}}_{\infty }(X)>k\), the bound above gives \(\mathsf {Dist}((H,H(X)),(H,U_m)) \le \frac{1}{2}\cdot 2^{-(k-m)/2}\).
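As an added worked check of the two definitions above and of Lemma 1 (example code written for this page, not from the paper), the block below takes the family \(H_M(x)=Mx\) over GF(2), which is exactly universal, with toy dimensions \(n=4\) and \(m=2\), enumerates every matrix M, and computes the collision probability and the statistical distance \(\mathsf {Dist}((H,H(X)),(H,U_m))\) exactly (no sampling) for a constructed source X that is uniform over 8 of the 16 inputs, so \({\mathsf {H}}_{\infty }(X)=3\). The source, the dimensions and the function names are assumptions of the example.

```python
"""Brute-force check of universality and of the Leftover Hash Lemma (Lemma 1).

Added example, not from the paper.  Family: H_M(x) = M x over GF(2), where M
is an m x n bit matrix; n = 4, m = 2 are toy sizes so every key can be listed.
"""
from itertools import product
from math import log2, sqrt

N_BITS, M_BITS = 4, 2

# Constructed source: uniform over 8 of the 16 inputs, i.e. H_inf(X) = 3 bits.
SAMPLE_SOURCE = {x: 1 / 8 for x in (1, 2, 4, 7, 8, 11, 13, 14)}


def parity(v):
    return bin(v).count("1") & 1


def hash_gf2(matrix_rows, x):
    """H_M(x) = M x over GF(2); matrix_rows[i] is row i of M as an n-bit integer."""
    y = 0
    for i, row in enumerate(matrix_rows):
        y |= parity(row & x) << i
    return y


# Every m x n matrix, i.e. the whole family; 2^(m*n) = 256 keys.
ALL_MATRICES = list(product(range(1 << N_BITS), repeat=M_BITS))


def collision_probability(x1, x2):
    """Pr_{H <- family}[H(x1) = H(x2)], computed over all keys."""
    hits = sum(hash_gf2(M, x1) == hash_gf2(M, x2) for M in ALL_MATRICES)
    return hits / len(ALL_MATRICES)


def min_entropy(dist):
    return -log2(max(dist.values()))


def extractor_distance(dist):
    """Exact Dist((H, H(X)), (H, U_m)) for a source X given as {x: Pr[X = x]}."""
    p_key = 1 / len(ALL_MATRICES)
    total = 0.0
    for M in ALL_MATRICES:
        image = {}
        for x, px in dist.items():
            y = hash_gf2(M, x)
            image[y] = image.get(y, 0.0) + px
        for y in range(1 << M_BITS):
            total += abs(p_key * image.get(y, 0.0) - p_key / (1 << M_BITS))
    return total / 2


def lhl_bound(dist):
    """Right-hand side of Lemma 1: (1/2) * sqrt(2^{-(H_inf(X) - m)})."""
    return 0.5 * sqrt(2 ** -(min_entropy(dist) - M_BITS))


def run_demo():
    """Returns (collision probability of two distinct inputs, exact distance, LHL bound)."""
    return (collision_probability(3, 12),
            extractor_distance(SAMPLE_SOURCE),
            lhl_bound(SAMPLE_SOURCE))
```

For distinct inputs the collision probability is exactly \(2^{-m}=1/4\) (each row of M kills the nonzero difference \(x_1\oplus x_2\) with probability 1/2, independently), and the exact distance stays below the Lemma 1 bound \(\frac{1}{2}\sqrt{2^{-(3-2)}}\approx 0.354\); changing the source to one with fewer support points shows the bound loosening as \({\mathsf {H}}_{\infty }(X)-m\) shrinks.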

We use the notion of the average conditional min-entropy defined by Dodis et al. [18] and its “chain rule". Define the average conditional min-entropy of random variable X given random variable Y as

Lemma 2

(“Chain Rule” for Average Min-Entropy [18]). When a random variable Z takes at most \(2^{r}\) possible values (i.e., \(\# \mathsf {Supp}(Z)\le 2^r\)) and X, Y are random variables, then

$$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(X|(Y,Z))\ge \widetilde{\mathsf {H}}_{\infty }((X,Y)|Z)-r \ge \widetilde{\mathsf {H}}_{\infty }(X|Z)-r. \end{aligned}$$

In particular,

$$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(X|Z)\ge {\mathsf {H}}_{\infty }(X,Z)-r \ge {\mathsf {H}}_{\infty }(X)-r. \end{aligned}$$

Dodis et al. [18] proved that any strong extractor is an average-case strong extractor for an appropriate setting of the parameters. As a special case, they showed that any family of universal hash functions is an average-case strong extractor, via the following generalized version of the leftover hash lemma:

Lemma 3

(Generalized Leftover Hash Lemma [18]). Assume that the family \({\mathcal {H}}\) of functions \(H: \{0,1\}^n \rightarrow \{0,1\}^{m}\) is a family of universal hash functions. Then for any random variables, X and Z,

$$\begin{aligned} \mathsf {Dist}((H,H(X),Z),(H,U_{m},Z)) \le \frac{1}{2}\sqrt{2^{-(\widetilde{\mathsf {H}}_{\infty }(X|Z)-m)}}, \end{aligned}$$

where H is a random variable uniformly chosen over \({\mathcal {H}}\) and \(U_{m}\) is a random variable uniformly chosen over \(\{0,1\}^{m}\).

2.2 Hash Proof Systems

We recall the notion of the hash proof systems introduced by Cramer and Shoup [13]. Let \(\mathcal{C},\mathcal{K},\mathcal{SK}\), and \(\mathcal{PK}\) be efficiently samplable sets and let \(\mathcal{V}\) be a subset in \(\mathcal{C}\). Let \(\Lambda _{sk}:\mathcal{C}\rightarrow \mathcal{K}\) be a hash function indexed by \(sk \in \mathcal{SK}\). A hash function family \(\Lambda : \mathcal{SK}\times \mathcal{C}\rightarrow \mathcal{K}\) is projective if there is a projection \(\mu :\mathcal{SK}\rightarrow \mathcal{PK}\) such that \(\mu (sk) \in \mathcal{PK}\) defines the action of \(\Lambda _{sk}\) over subset \(\mathcal{V}\). That is to say, for every \(C \in \mathcal{V}\), \(K=\Lambda _{sk}(C)\) is uniquely determined by \(\mu (sk)\) and C. \(\Lambda \) is called \(\gamma \)-entropic [27] if for all \(pk \in \mathcal{PK}\), \(C\in \mathcal{C}\backslash \mathcal{V}\), and all \(K \in \mathcal{K}\),

$$\begin{aligned} \Pr [K=\Lambda _{sk}(C) |(pk,C)] \le 2^{-\gamma }, \end{aligned}$$

where the probability is taken over \(sk \mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{SK}\) with \(pk=\mu (sk)\). We note that this \(\Lambda \) is originally called \(2^{-\gamma }\)-\(\text {universal}_1\) in [13]. By definition, we note that \({\mathsf {H}}_{\infty }(\Lambda _{sk}(C)|(pk,C))\ge \gamma \) for all \(pk \in \mathcal{PK}\) and \(C\in \mathcal{C}\backslash \mathcal{V}\).

\(\Lambda \) is called \(\epsilon \)-smooth [13] if \(\mathsf {Dist}((pk,C,\Lambda _{sk}(C)),(pk,C,K)) \le \epsilon \), where \(sk \mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{SK}\), \(K \mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{K}\) and \(C\mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{C}\backslash \mathcal{V}\) are chosen at random and \(pk=\mu (sk)\).

A hash proof system \(\mathsf {HPS}\) \(=(\mathsf {HPS.param}\), \(\mathsf {HPS.pub}\), \(\mathsf {HPS.priv})\) consists of three algorithms such that \(\mathsf {HPS.param}\) takes \(1^{\kappa }\) and outputs an instance \({\mathsf {params}}\) \(=({\mathsf {group}},\Lambda ,\mathcal{C},\mathcal{V},{\mathcal{SK}},\mathcal{PK},\mu )\), where \(\mathsf {group}\) contains some additional structural parameters and \(\Lambda \) is a projective hash function family associated with \((\mathcal{C},\mathcal{V}\),\({\mathcal{SK}}\), \(\mathcal{PK}\), \(\mu )\) as defined above. The deterministic public evaluation algorithm \(\mathsf {HPS.pub}\) takes as input \(pk=\mu (sk)\), \(C \in \mathcal{V}\) and a witness w for \(C\in \mathcal{V}\), and returns \(\Lambda _{sk}(C)\). The deterministic private evaluation algorithm \(\mathsf {HPS.priv}\) takes \(sk \in \mathcal{SK}\) and \(C \in \mathcal{C}\) and returns \(\Lambda _{sk}(C)\), without taking a witness w for C (if one exists). A hash proof system \(\mathsf {HPS}\) as above is said to have a hard subset membership problem if a random element \(C\in \mathcal{C}\) and a random element \(C'\in \mathcal{C}\backslash \mathcal{V}\) are computationally indistinguishable, that is, \(\{C\,|\,C\mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{C}\}_{\kappa \in \mathbb {N}} \mathop {\approx }\limits ^{\mathrm c}\{C'\,|\,C'\mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{C}\backslash \mathcal{V}\}_{\kappa \in \mathbb {N}}\).

2.3 All-But-One Injective Functions

We recall all-but-one injective functions (ABO) [32], which is a simple variant of all-but-one injective trap-door functions [30].

A collection of \((n,\ell _{\mathsf {lf}})\)-all-but-one injective functions with branch collection \(\mathcal {B}=\{B_{\kappa }\}_{\kappa \in \mathbb {N}}\) is given by a tuple of PPT algorithms \(\mathsf {ABO}=(\mathsf {ABO.gen},\mathsf {ABO.eval})\) with the following properties:

  • \(\mathsf {ABO.gen}\) is a PPT algorithm that takes \(1^{\kappa }\) and any branch \(b^*\in B_{\kappa }\), and outputs a function index \(i_{\mathsf {abo}}\) and domain \(\mathcal {X}\) with \(2^{n}\) elements.

  • \(\mathsf {ABO.eval}\) is a DPT algorithm that takes \(i_{\mathsf {abo}}\), b, and \(x \in \mathcal {X}\), and computes \(y= \mathsf {ABO.eval}(i_{\mathsf {abo}},b,x)\).

We require that the \((n,\ell _{\mathsf {lf}})\)-all-but-one injective functions given by \(\mathsf {ABO}\) satisfy the following properties:

  1. For any \(b\ne b^* \in B_{\kappa }\), \(\mathsf {ABO.eval}(i_{\mathsf {abo}},b,\cdot )\) computes an injective function over the domain \(\mathcal {X}\).

  2. The number of elements in the image of \(\mathsf {ABO.eval}(i_{\mathsf {abo}},b^*,\cdot )\) over the domain \(\mathcal {X}\) is at most \(2^{\ell _{\mathsf {lf}}}\).

  3. For any \(b, b^* \in B_{\kappa }\), \(\{\mathsf {ABO.gen}(1^{\kappa },b)\}_{\kappa \in \mathbb {N}} \mathop {\approx }\limits ^{\mathrm c}\{\mathsf {ABO.gen}(1^{\kappa },b^*)\}_{\kappa \in \mathbb {N}}\).

We note that ABO functions can be efficiently constructed under the DDH assumption and the DCR assumption (see Appendix B).

3 Continuous Tampering and Bounded Leakage Resilient CCA (\(\textsc {CTBL}\)-\(\textsc {CCA}\)) Secure Public-Key Encryption

A public-key encryption (PKE) scheme consists of the following four algorithms \(\Pi = (\mathsf {Setup},\mathbf {K},\mathbf {E},\mathbf {D})\): The setup algorithm \(\mathsf {Setup}\) is a PPT algorithm that takes \(1^\kappa \) and outputs a public parameter \(\rho \). The key-generation algorithm \(\mathbf {K}\) is a PPT algorithm that takes \(\rho \) and outputs a pair of public and secret keys, (pk, sk). The encryption algorithm \(\mathbf {E}\) is a PPT algorithm that takes the public parameter \(\rho \), the public key pk and a message \(m \in \mathcal {M}\), and produces a ciphertext \(\mathsf {ct}\leftarrow \mathbf {E}_{\rho }(pk,m)\); here \(\mathcal {M}\) is uniquely determined by pk. The decryption algorithm \({\mathbf {D}}\) is a DPT algorithm that takes \(\rho \), sk and a purported ciphertext \(\mathsf {ct}\), and returns a message \(m= \mathbf {D}_{\rho }(sk,\mathsf {ct})\) (or \(\bot \)). We require for correctness that for every sufficiently large \(\kappa \in \mathbb {N}\), it always holds that \(\mathbf {D}_{\rho }(sk,\mathbf {E}_{\rho }(pk,m))=m\), for every \(\rho \in \mathsf {Setup}(1^{\kappa })\), every (pk, sk) generated by \(\mathbf {K}(\rho )\), and every \(m \in \mathcal {M}\).

We say that PKE \(\Pi \) is self-destructive if the decryption algorithm can erase all inner states including sk when it receives an invalid ciphertext \(\mathsf {ct}\). We assume that the public parameter \(\rho \) is system-wide, i.e., fixed beforehand and independent of all users, and that only the public and secret keys are subject to tampering attacks. This model is justified in an environment where the common public parameter can be hardwired into the algorithm code and stored on tamper-proof hardware, or distributed via a public channel where tampering is infeasible or can be easily detected.

CTBL-CCA Security. For PKE \(\Pi \) and an adversary \(A=(A_1,A_2)\), we define the experiment \(\mathsf {Expt}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa )\) as in Fig. 1. A may adaptively submit (unbounded) polynomially many queries \((\phi ,\mathsf {ct})\) to the oracle \(\mathsf {RKDec}\) (see footnote 2), where \(\phi \) must belong to \(\Phi _1\) in the pre-challenge stage and to \(\Phi _2\) in the post-challenge stage. A may also adaptively submit (unbounded) polynomially many queries L to the oracle \(\mathsf {Leak}\), before seeing the challenge ciphertext \(\mathsf {ct}^*\); the total amount of leakage on \(\mathsf {sk}\) must be bounded by \(\lambda \) bits. We note that if \(\Pi \) is self-destructive, \(\mathsf {RKDec}\) does not answer any further query (or simply returns \(\bot \)) once it has received an invalid ciphertext, i.e., one with \(\mathbf {D}_{\rho }(\phi (\mathsf {sk}),\mathsf {ct})=\bot \). We define the advantage of A against \(\Pi \) with respect to \((\Phi _1,\Phi _2,\lambda )\) as

$$\begin{aligned} \mathsf {Adv}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa )\triangleq | \,2\Pr [\mathsf {Expt}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa )=1] - 1 \,|. \end{aligned}$$

We say that \(\Pi \) is \((\Phi _1,\Phi _2,\lambda )\)-\(\textsc {CTBL}{\text {-}}\textsc {CCA}\) secure if \(\mathsf {Adv}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa )=\mathsf {negl}(\kappa )\) for every PPT A.

Fig. 1. The experiment of the \(\textsc {CTBL}{\text {-}}\textsc {CCA}\) game. [Figure not reproduced.]

We say that \(\Pi \) is \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure if it is \((\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )\)-\(\textsc {CTBL}\)-\(\textsc {CCA}\) secure, where \(\Phi _{\mathsf {all}}\) is the class of all efficiently computable functions and \(\mathfrak {id}\) denotes the identity function.

Remark 1

This security definition models non-persistent tampering. The persistent tampering version of \(\textsc {CTBL}\)-\(\textsc {CCA}\) security is defined in the same way, except that \(\mathsf {RKDec}\) overwrites its stored key with \(\phi (\mathsf {sk})\) on each query.

We now state the following fact.

Theorem 1

Suppose a PKE scheme \(\Pi \) without a key-update mechanism (as defined in Sect. 5) is CTBL-CCA secure against non-persistent tampering attacks. Then, \(\Pi \) is also CTBL-CCA secure against persistent tampering attacks.

Proof

For a PKE scheme without a key-update mechanism, persistent tampering queries

$$\begin{aligned} (\phi _1,\mathsf {ct}_1),(\phi _2,\mathsf {ct}_2),\ldots ,(\phi _{\ell },\mathsf {ct}_{\ell }) \end{aligned}$$

can be simulated by the non-persistent tampering queries

$$\begin{aligned} (\phi _1,\mathsf {ct}_1),(\phi _2\circ \phi _1,\mathsf {ct}_2),\ldots ,(\phi _{\ell }\circ \dots \circ \phi _1,\mathsf {ct}_{\ell }). \end{aligned}$$

Leakage functions in the persistent tampering attack are likewise simulated as \(L'=L\circ \phi _{\ell }\circ \dots \circ \phi _{1}\), where \(\phi _1,\ldots ,\phi _{\ell }\) denote all persistent tampering functions submitted before the leakage function L. The simulation is perfect because the device never changes its key on its own, so the persistent state after \(\ell \) queries is exactly \(\phi _{\ell }\circ \dots \circ \phi _{1}(\mathsf {sk})\). Hence, if \(\Pi \) is \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure against non-persistent tampering attacks, then it is \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure against persistent tampering attacks.    \(\blacksquare \)
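The following added example (written for this page, not from the paper) runs the simulation of this proof, and of the remark on persistent versus non-persistent tampering in Sect. 1, against a toy device \(G(s,x)=s\cdot x \bmod p\): a simulator answers persistent-style tampering and leakage queries using only a non-persistent device by composing the tampering functions, and the two transcripts agree. It also shows why the argument needs the absence of a key-update mechanism: once the device refreshes its secret with randomness the simulator never sees, the composed functions no longer reproduce the device's state. The device, the tampering functions, the inputs and the update rule are all constructed for illustration.

```python
"""Persistent tampering simulated by non-persistent queries (proof of Theorem 1).

Added example, not from the paper.  Toy device: G(s, x) = s * x mod P with
P = 1009 (constructed); the key update used in the caveat adds fresh randomness.
"""
from functools import reduce
import random

P = 1009


def G(s, x):
    return (s * x) % P


class PersistentDevice:
    """Each tampering overwrites the stored secret; optionally runs a key update."""

    def __init__(self, s, update=None):
        self.s = s
        self.update = update

    def query(self, phi, x):
        self.s = phi(self.s)
        out = G(self.s, x)
        if self.update is not None:
            self.s = self.update(self.s)    # fresh randomness the adversary never sees
        return out

    def leak(self, L):
        return L(self.s)


class NonPersistentDevice:
    """Every tampering is applied to the original secret."""

    def __init__(self, s):
        self.s = s

    def query(self, phi, x):
        return G(phi(self.s), x)

    def leak(self, L):
        return L(self.s)


def compose(fs):
    """phi_l o ... o phi_1 (phi_1 is applied first)."""
    return lambda s: reduce(lambda acc, f: f(acc), fs, s)


class Simulator:
    """Answers persistent-style queries given only a non-persistent device."""

    def __init__(self, np_device):
        self.dev = np_device
        self.history = []

    def query(self, phi, x):
        self.history.append(phi)
        return self.dev.query(compose(self.history), x)

    def leak(self, L):
        composed = compose(self.history)
        return self.dev.leak(lambda s: L(composed(s)))   # L' = L o phi_l o ... o phi_1


# Constructed adversary queries: three tampering functions, three inputs, one leak.
TAMPERINGS = [lambda s: (s + 1) % P, lambda s: (3 * s) % P, lambda s: s ^ 0x55]
INPUTS = [17, 42, 99]


def transcript(device):
    out = [device.query(phi, x) for phi, x in zip(TAMPERINGS, INPUTS)]
    out.append(device.leak(lambda s: s & 0xF))   # 4-bit leakage of the current secret
    return out


def run_demo(secret=123, seed=1):
    """Returns (persistent transcript, simulated transcript, transcript with key update)."""
    persistent = transcript(PersistentDevice(secret))
    simulated = transcript(Simulator(NonPersistentDevice(secret)))
    rng = random.Random(seed)
    updating = PersistentDevice(secret, update=lambda s: (s + rng.randrange(1, P)) % P)
    return persistent, simulated, transcript(updating)
```

The first two transcripts are identical for every choice of secret and queries. With the key update enabled, the first answer still matches (no update has happened yet), but from the second query on the device's state is \(\phi _2(\mathsf {Update}(\phi _1(s)))\) rather than \(\phi _2(\phi _1(s))\), which is what the remark after Theorem 1 is about.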

4 The \(\textsc {CTBL}\)-\(\textsc {CCA}\) Secure PKE Scheme

Let \(\mathsf {HPS}=(\mathsf {HPS.param},\mathsf {HPS.pub},\mathsf {HPS.priv})\) be a hash proof system (described in Sect. 2.2). Let \(\mathsf {ABO}=(\mathsf {ABO.gen},\mathsf {ABO.eval})\) be a collection of all-but-one injective (ABO) functions (described in Sect. 2.3). Let \(\mathsf {TCH}\) be a target collision resistant hash family. Let \({\mathcal {H}}\) \(=\{H \,|\,H:\{0,1\}^n \rightarrow \{0,1\}^{\ell _m}\}\) be a family of universal hash functions with \(n=\log |\mathcal{K}|\), where elements of \(\mathcal{K}\) are identified with n-bit strings. Let \(\mathsf {OTSig}=(\mathsf {otKGen},\mathsf {otSign},\mathsf {otVrfy})\) be a strong one-time signature scheme. We assume that \(\mathsf {otKGen}\) never outputs the verification key \(\mathsf {vk}=0\).

At ASIACRYPT 2013, Qin and Liu [31] proposed a new framework for constructing an \(\textsc {IND}\)-\(\textsc {CCA}\) secure PKE scheme resilient to bounded memory leakage. Consider a PKE scheme based on a hash proof system, where an encryption of m is \(CT=(C,H,e)\) with \(C\leftarrow \mathcal{V}\) sampled together with its witness w, \(H\leftarrow {\mathcal {H}}\), and \(e=m\oplus H(\mathsf {HPS.pub}(PK,C,w))\), whereas decryption computes \(m=e \oplus H(\mathsf {HPS.priv}(SK,C))\). Naor and Segev [29] proved that such a PKE scheme is IND-CPA secure resilient to bounded memory leakage. Qin and Liu transformed it into an IND-CCA secure scheme resilient to bounded memory leakage by using a one-time lossy filter. We describe a slight modification of the Qin-Liu PKE scheme in Fig. 2. The differences are that (1) our construction divides the original key generation algorithm into the \(\mathsf {Setup}\) algorithm and the key generation algorithm and puts \(\rho \) in the common reference string, and (2) it replaces the one-time lossy filter with a combination of a strong one-time signature scheme and an ABO injective function. (Here (2) is not essential; it is just our preference to use an ABO injective function. Any one-time lossy filter suffices for our purpose.)
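The following added example (written for this page, not code from the paper) instantiates the projective hash function family of Sect. 2.2 with the Cramer-Shoup DDH-based hash proof system over a toy prime-order group and builds on it the hash-proof-system based encryption \(CT=(C,H,e)\) described in the paragraph above (the IND-CPA base scheme of Naor and Segev, not the full Fig. 2 scheme: no ABO function and no one-time signature). The group parameters, the multiplicative stand-in for the universal hash H, and the secret \(\log _{g_1} g_2\) used only to exhibit a second key with the same projection are assumptions of the example.

```python
"""DDH hash proof system (Cramer-Shoup) and HPS-based encryption CT = (C, H, e).

Added example, not from the paper.  Toy parameters (constructed):
p = 1019 = 2*509 + 1, q = 509, g1 = 4 generates the order-q subgroup, and
g2 = g1^123.  The discrete log 123 is known to the demo only so that it can
exhibit two secret keys with the same projection; the scheme never uses it.
"""
import random

P, Q = 1019, 509
G1 = 4
LOG_G2 = 123
G2 = pow(G1, LOG_G2, P)
L_M = 8                    # message length in bits
MASK = (1 << L_M) - 1


def hps_mu(sk):
    """Projection mu(sk) = g1^x1 * g2^x2 for sk = (x1, x2)."""
    x1, x2 = sk
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P


def hps_keygen(rng):
    sk = (rng.randrange(Q), rng.randrange(Q))
    return hps_mu(sk), sk


def sample_valid(rng):
    """C in V = {(g1^w, g2^w)} together with its witness w."""
    w = rng.randrange(1, Q)
    return (pow(G1, w, P), pow(G2, w, P)), w


def sample_invalid(rng):
    """C in C \\ V: (g1^w, g2^w') with w != w' mod q."""
    w = rng.randrange(1, Q)
    w2 = (w + rng.randrange(1, Q)) % Q
    return (pow(G1, w, P), pow(G2, w2, P))


def hps_pub(pk, C, w):
    """HPS.pub: Lambda_sk(C) from pk and the witness, as pk^w."""
    return pow(pk, w, P)


def hps_priv(sk, C):
    """HPS.priv: Lambda_sk(C) = c1^x1 * c2^x2, no witness needed."""
    c1, c2 = C
    return (pow(c1, sk[0], P) * pow(c2, sk[1], P)) % P


def equivalent_sk(sk, t):
    """Another sk with the same mu(sk): (x1 + t*log g2, x2 - t)."""
    return ((sk[0] + LOG_G2 * t) % Q, (sk[1] - t) % Q)


def uhash(a, K):
    """Stand-in for the universal hash H_a: multiply by a random a and keep L_M bits."""
    return ((a * K) % P) & MASK


def encrypt(rng, pk, m):
    C, w = sample_valid(rng)
    a = rng.randrange(1, P)
    return (C, a, m ^ uhash(a, hps_pub(pk, C, w)))      # e = m xor H(HPS.pub(pk, C, w))


def decrypt(sk, ct):
    C, a, e = ct
    return e ^ uhash(a, hps_priv(sk, C))                 # m = e xor H(HPS.priv(sk, C))


def run_demo(seed=7):
    """Checks the projective property, the entropy off V, and correctness."""
    rng = random.Random(seed)
    pk, sk = hps_keygen(rng)
    sk2 = equivalent_sk(sk, 5)
    C_good, w = sample_valid(rng)
    C_bad = sample_invalid(rng)
    m = 0xA5
    return {
        "projective": hps_pub(pk, C_good, w) == hps_priv(sk, C_good),
        "same_pk": hps_mu(sk2) == pk,
        "agree_on_V": hps_priv(sk2, C_good) == hps_priv(sk, C_good),
        "differ_off_V": hps_priv(sk2, C_bad) != hps_priv(sk, C_bad),
        "correct": decrypt(sk, encrypt(rng, pk, m)) == m,
    }
```

The two keys \(sk\) and \(sk'\) share the projection pk, agree on every \(C\in \mathcal{V}\) (which is what makes \(\mathsf {HPS.pub}\) well defined), and disagree on \(C\notin \mathcal{V}\): \(\Lambda _{sk'}(C)=\Lambda _{sk}(C)\cdot g_2^{t(w-w')}\). Since the adversary's view fixes only pk, the value \(\Lambda _{sk}(C^*)\) on an invalid \(C^*\) retains entropy, which is the \(\gamma \)-entropic property the proof of Theorem 2 relies on.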

We then have the following theorem.

Theorem 2

Let \(\mathsf {HPS}\) be a \(\gamma \)-entropic hash proof system. Let \(\mathsf {ABO}\) be \((n,\ell _{\mathsf {lf}})\)-all-but-one injective function where \(n= \log |\mathcal{K}|\). We assume the PKE scheme in Fig. 2 is self-destructive. Then, it is \((\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )\)-\(CTBL\text {-}CCA\) secure, as long as \(\lambda (\kappa ) \le \gamma -\ell _{\mathsf {lf}}-\ell _{m} -2\eta - \log (1/{\epsilon })\) where \(\eta (\kappa )=\omega (\log \kappa )\) and \(\epsilon =2^{-\omega (\log \kappa )}\), and for any PPT adversary A with at most Q queries to \(\mathsf {RKDec}\) oracle, \(\mathsf {Adv}_{\Pi ,A,(\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa ) \le \)

$$\begin{aligned} 2\epsilon _{\mathsf {tcr}} + 2\epsilon _{\mathsf {otsig}} + 4 \epsilon _{\mathsf {lossy}} +4 \epsilon _{\mathsf {SD}} +2^{-\eta +2} + Q\cdot 2^{-(\gamma -\eta -\lambda -\ell _{\mathsf {lf}}-\ell _{m}-1)} + 2\epsilon , \end{aligned}$$

where \(\epsilon _{\mathsf {otsig}}\), \(\epsilon _{\mathsf {lossy}}\), and \(\epsilon _{\mathsf {SD}}\) denote some negligible functions such that \(\mathsf {Adv}^{\mathsf {ot}}_{\mathsf {OTSig},B}(\kappa )\) \(\le \epsilon _{\mathsf {otsig}}\), \(\mathsf {Adv}^{\mathsf {lossy}}_{\mathsf {ABO},B'}(\kappa )\) \(\le \epsilon _{\mathsf {lossy}}\), and \(\mathsf {Adv}^{\mathsf {SD}}_{\mathsf {HPS},D}(\kappa )\) \(\le \epsilon _{\mathsf {SD}}\) for any PPT adversaries, B, \(B'\) and D, respectively.

Proof Idea. Qin-Liu PKE scheme is leakage resilient. So, it is tempting to use the leakage oracle in the black box way to simulate the \(\mathsf {RKDec}\) oracle (as in [14]). However, the strategy does not work for continual tampering, because Qin-Liu PKE scheme is just bounded leakage resilient. In addition, even simulating the reply of a single tampering query seems to exceed the leakage bound. So, we need to analyze the exact leakage from tampering.

Fig. 2. The \(\textsc {CTBL}{\text {-}}\textsc {CCA}\) secure PKE scheme based on Qin and Liu’s PKE

Let \(\mathsf {CT}^*=(C^*,e^*,H^*,\mathsf {vk}^*,\pi ^*,\sigma ^*)\) be the challenge ciphertext and \(b^*\) be the challenge bit. Let \(K^*=\Lambda _{SK}(C^*)\) and \(e^*=m_{b^*}\oplus H^*(K^*)\). In an early hybrid game of the proof, we set \(C^* \not \in \mathcal{V}\) and set \(\mathsf {T}(\mathsf {vk}^*)\) as a lossy branch, as expected. Since \(A(\mathsf {T}(\mathsf {vk}^*),\cdot )\) is lossy now, SK (and hence \(K^*\)) has large enough entropy after given \(\mathsf {CT}^*\). In the pre-challenge stage, we take care of how much entropy on \(K^*\) is preserved while answering leakage and tampering queries.

We first observe that when a tampering query \((\phi ,\mathsf {CT})\), where \(\mathsf {CT}\) \(=(C,e,H,\mathsf {vk},\pi ,\sigma )\), is rejected by the decryption oracle, the leaked information on \(K^*\) is at most \(\log (1/p)\)-bit where \(p=\Pr [\mathbf {D}(\phi (SK),\mathsf {CT})=\bot ]\). This comes from the following simple lemma.

Lemma 4

For any random variables, X and Z, \({\mathsf {H}}_{\infty }(X|Z=z) \ge {\mathsf {H}}_{\infty }(X ) -\log \Bigl ( \frac{1}{\Pr [Z=z]} \Bigr )\).

Proof

For any \(z \in Z\),

$$\begin{aligned} -\log \Bigl ( \max _x \Bigl ( \Pr [X=x|Z=z] \Bigr ) \Bigr )&=-\log \Biggl ( \max _x \Biggl ( \frac{\Pr [X=x\wedge Z=z]}{\Pr [Z=z]} \Biggr ) \Biggr ) \nonumber \\&\ge -\log \Bigl ( \max _x \Bigl ( \Pr [X=x] \Bigr ) \Bigr ) -\log \Bigl ( \frac{1}{\Pr [Z=z]} \Bigr ). \end{aligned}$$

   \(\blacksquare \)

By the lemma above, we have

$$\begin{aligned} {\mathsf {H}}_{\infty }(K^*|\mathbf {D}(\phi (SK),\mathsf {CT})=\bot ) \ge {\mathsf {H}}_{\infty }(K^*) -\log (1/p). \end{aligned}$$
(1)

Next, we observe the case that the tampering query \((\phi ,\mathsf {CT})\) is accepted by the decryption oracle. Since the decryption oracle returns \(\mathbf {D}(\phi (SK),\mathsf {CT})\), it would apparently reveal more information on \(K^*\) than the fact that \(\mathsf {CT}\) is a valid ciphertext with respect to \(\phi (SK)\). However, this is not the case. Indeed, when submitting \((\phi ,\mathsf {CT})\), the adversary has already fixed \(\mathbf {D}(\phi (SK),\mathsf {CT})\). In other words, we have

$$\begin{aligned} {\mathsf {H}}_{\mathsf {sh}}\Bigl ( \mathbf {D}(\phi (SK),\mathsf {CT})\quad | \quad (\mathbf {D}(\phi (SK),\mathsf {CT}) \ne \bot ), (\phi ,\mathsf {CT}), PK \Bigr )=0, \end{aligned}$$
(2)

where \({\mathsf {H}}_{\mathsf {sh}}(X)\) denotes the Shannon entropy of random variable X (i.e., ). This comes from the fact that \(A(\mathsf {T}(\mathsf {vk}),\cdot )\) is injective and \(\pi =A(\mathsf {T}(\mathsf {vk}),\Lambda _{\phi (SK)}(C))\) is fixed by \(\mathsf {CT}\). Therefore, we have

$$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(K^*|\mathbf {D}(\phi (SK),\mathsf {CT}),(\mathbf {D}(\phi (SK),\mathsf {CT}) \ne \bot )) \ge {\mathsf {H}}_{\infty }(K^*)- \log (1/{p'}), \end{aligned}$$
(3)

where \(p'=\Pr [\mathbf {D}(\phi (SK),\mathsf {CT}) \ne \bot ]\). Hence, the leaked information on \(K^*\) in the “accepted” case is also at most \(\log (1/p')\). By definition, \(p+p'=1\).

We note that if the adversary submits a tampering query \((\phi ,\mathsf {CT})\) with \(p \le 2^{-\eta }=\mathsf {negl}(\kappa )\) and the unlikely event that \(\mathbf {D}(\phi (SK),\mathsf {CT}) = \bot \) really occurs, the leakage on \(K^*\) is \(\log (1/p)\) \(\ge \eta =\omega (\log \kappa )\) bits. The event occurs only with a negligible probability \(2^{-\eta }\). If instead the event occurs with probability more than \(2^{-\eta }\), the leakage on \(K^*\) is less than \(\eta \) bits. So, we can say that when \(\mathbf {D}(\phi (SK),\mathsf {CT}) = \bot \) occurs, the leakage on \(K^*\) is bounded by \(\eta \) bits except with a negligible probability \(2^{-\eta }\). By definition (self-destruction), the event \(\mathbf {D}(\phi (SK),\mathsf {CT}) = \bot \) can occur only once. The case with \(p' \le 2^{-\eta }=\mathsf {negl}(\kappa )\) is covered by the next analysis.

Since the decryption algorithm self-destructs when it rejects a ciphertext, the adversary’s best strategy is to submit a sequence of tampering queries with \(p'=\textsf {non}\text {-}\textsf {negl}\) so that the decryption algorithm accepts as long a prefix of the sequence as possible. Even with this strategy, however, the leakage on \(K^*\) is bounded by \(\eta \) bits except with probability \(2^{-\eta }\).
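The entropy accounting above can be checked exactly on a toy secret. The following Python example is an addition to this page, not code from the paper: it takes SK uniform over a small set, sets \(K^*\) to a function of SK, and models a tampering query by a predicate that says whether decryption under the tampered key rejects. It computes \({\mathsf {H}}_{\infty }(K^*\,|\,\text {reject})\) by brute force and compares it with the Lemma 4 bound \({\mathsf {H}}_{\infty }(K^*)-\log (1/p)\), and it follows a run of accepted queries up to self-destruction, where the only information released is that the prefix was accepted (the event the \(\eta \)-challenging argument bounds). The key function and the query predicates are constructed for illustration only.

```python
import math
from collections import Counter
from fractions import Fraction


def min_entropy_bits(dist):
    """H_inf of a distribution given as {outcome: probability} (exact Fractions)."""
    return -math.log2(max(dist.values()))


def key_distribution(secrets, key_fn, weights):
    """Distribution of K = key_fn(SK) when SK takes value secrets[i] with weights[i]."""
    dist = Counter()
    for sk, w in zip(secrets, weights):
        dist[key_fn(sk)] += w
    return dist


def leakage_on_reject(n_secrets, key_fn, rejects):
    """Lemma 4 applied to one rejected tampering query (the event D(phi(SK), CT) = bot).

    SK is uniform over range(n_secrets), K* = key_fn(SK), and rejects(sk) is True
    when decryption of the adversary's query under the tampered key returns bot.
    Returns (H_inf(K*), H_inf(K* | reject), p, H_inf(K*) - log(1/p)).
    """
    secrets = list(range(n_secrets))
    uniform = [Fraction(1, n_secrets)] * n_secrets
    h_k = min_entropy_bits(key_distribution(secrets, key_fn, uniform))
    p = sum(w for sk, w in zip(secrets, uniform) if rejects(sk))
    if p == 0:
        raise ValueError("the query never rejects, so there is no reject event to condition on")
    conditioned = [w / p if rejects(sk) else Fraction(0) for sk, w in zip(secrets, uniform)]
    h_cond = min_entropy_bits(key_distribution(secrets, key_fn, conditioned))
    return h_k, h_cond, float(p), h_k - math.log2(1 / p)


def accepted_prefix_leakage(n_secrets, key_fn, queries):
    """Leakage through a run of accepted tampering queries before self-destruction.

    queries[i](sk) is True when the i-th query is rejected under the tampered key.
    Because the decryptor self-destructs at the first rejection, after i accepted
    queries the adversary has learned exactly the event "the prefix was accepted",
    so Lemma 4 bounds the loss by log(1 / Pr[prefix accepted]).  Returns, for each
    prefix length, (Pr[prefix accepted], H_inf(K* | prefix accepted)).
    """
    secrets = list(range(n_secrets))
    alive = [Fraction(1, n_secrets)] * n_secrets   # probability mass still consistent
    trace = []
    for rejects in queries:
        alive = [Fraction(0) if rejects(sk) else w for sk, w in zip(secrets, alive)]
        p_accept = sum(alive)
        if p_accept == 0:                          # the run is certainly rejected here
            trace.append((0.0, None))
            break
        cond = [w / p_accept for w in alive]
        trace.append((float(p_accept),
                      min_entropy_bits(key_distribution(secrets, key_fn, cond))))
    return trace


if __name__ == "__main__":
    # Constructed toy: 4-bit SK, K* = its top three bits, a query that rejects when SK < 4.
    print(leakage_on_reject(16, lambda sk: sk >> 1, lambda sk: sk < 4))
    print(accepted_prefix_leakage(16, lambda sk: sk >> 1,
                                  [lambda sk: sk >= 8, lambda sk: sk & 1, lambda sk: sk >= 4]))
```

With the toy parameters the first query has \(p=1/4\) and the conditioned min-entropy equals the Lemma 4 bound exactly; a query that rejects on only two secrets (\(p=1/8\)) leaks less than the bound allows, since the bound is worst case over all ways the rejected secrets can map to keys.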

We now consider a post-challenge (tampering) query, \((\mathfrak {id},\mathsf {CT})\), i.e., a normal decryption query, where \(\mathsf {CT}=(C,e,H,\mathsf {vk},\pi ,\sigma )\). In the post-challenge stage, we are interested in how to prevent \(H^*(K^*)\) from revealing any partial information. Even one bit leakage would possibly break the system. To achieve the goal, we need to reject any invalid ciphertext. The probability relies on the entropy of \(K=\Lambda _{SK}(C)\) (where \(C\not \in \mathcal{V}\)). Since the underlying hash proof system is \(\gamma \)-entropic, we can see that the remaining entropy of K is at least \(\gamma -\lambda -\eta -\ell _{\mathsf {lf}} -\ell _m\) (with an overwhelming probability). Here, \(\lambda \) is the leakage amount via leakage oracle in the pre-challenge stage, \(2^{\ell _{\mathsf {lf}}}\) denotes the number of possible elements of \(\pi ^*\), where \(A(\mathsf {T}(\mathsf {vk}^*),\cdot )\) is lossy, and \(\ell _m\) is the bit length of \(H^*(K^*)\). Then, the probability that we cannot reject an invalid ciphertext is at most \(2^{-(\gamma -\lambda -\eta -\ell _{\mathsf {lf}}-\ell _m)}\).

To summarize all the above, (a) just after the pre-challenge stage, the remaining entropy of \(K^*\) is at least \({\mathsf {H}}_{\infty }(K^*) -\lambda -(\eta +1)\) with an overwhelming probability. By applying an appropriate universal hash \(H^*\), we obtain \(H^*(K^*)\) that is statistically close to a true uniform \(\ell _m\)-bit string. So, \(\mathsf {CT}^*\) conceals message \(m_{b^*}\) in the statistical sense. (b) In the post-challenge stage, \(H^*(K^*)\) reveals no information with an overwhelming probability \(1-Q \cdot 2^{-(\gamma -\lambda -\eta -\ell _{\mathsf {lf}}-\ell _m)}\), where Q is the total number of decryption queries in the post-challenge stage. Like this, the proposal is proven \(\textsc {CTBL}{\text {-}}\textsc {CCA}\) secure.

Proof of Theorem 2. Here we provide the formal proof of Theorem 2 by using the standard game-hopping strategy. We denote by \(S_i\) the event that adversary A wins in Game i.

  • Game 0: This game is the original \(\textsc {CTBL}{\text {-}}\textsc {CCA}\) game, where \(\mathsf {CT}^*=\) \((C^*,e^*,\) \(H^*,\mathsf {vk}^*,\pi ^*,\sigma ^*)\) denotes the challenge ciphertext. By definition, \(\Pr [S_0]=\Pr [\beta =\beta ^*]\) and \(\mathsf {Adv}_{\Pi ,A,(\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa ) = |2\Pr [S_0]-1|\).

  • Game 1: This game is identical to Game 0, except that when we produce the challenge ciphertext \(\mathsf {CT}^*\), we instead compute \(K^*=\mathsf {HPS.priv}(sk,C^*)\). The change is just conceptual and hence it holds that \(\Pr [S_0]=\Pr [S_1]\).

  • Game 2: This game is identical to Game 1, except that A is regarded as having lost when it submits a tampering query \((\phi ,\mathsf {CT})\) such that \(\mathsf {T}(\mathsf {vk})=\mathsf {T}(\mathsf {vk}^*)\) but \(\sigma \) is still a valid signature on \((C,e,H,\mathsf {vk},\pi )\), where \(\mathsf {CT}=(C,e,H,\mathsf {vk},\pi ,\sigma )\) (\(\ne \mathsf {CT}^*\)). This happens only when \(\mathsf {T}(\mathsf {vk})=\mathsf {T}(\mathsf {vk}^*)\) with \(\mathsf {vk}\ne \mathsf {vk}^*\) or when A forges a signature with respect to \(\mathsf {vk}^*\). So, we have \(\Pr [S_1] -\Pr [S_2] \le \epsilon _{\mathsf {tcr}}+\epsilon _{\mathsf {otsig}}\).

  • Game 3: This game is identical to Game 2, except that we produce \(\rho \) and \(\mathsf {CT}^*\) as follows: before step 3 of \(\mathsf {Setup}\), we run \((\mathsf {vk}^*,\mathsf {otsk}^*)\leftarrow \mathsf {otKGen}(1^{\kappa })\) and set \(b^*=\mathsf {T}(\mathsf {vk}^*)\). The subsequent steps are unchanged. We produce the challenge ciphertext \(\mathsf {CT}^*\) as in Game 2, except that we use the pair \((\mathsf {vk}^*,\mathsf {otsk}^*)\) generated in the set-up phase. The probabilities of the events \(S_2\) and \(S_3\) are close because of the indistinguishability between injective and lossy branches. Indeed, we have \(\Pr [S_2] -\Pr [S_3] \le 2 \epsilon _{\mathsf {lossy}}\).

  • Game 4: This game is identical to Game 3, except that when producing \(\mathsf {CT}^*\), we instead pick \(C^* \mathop {\leftarrow }\limits ^{\scriptscriptstyle \mathsf{U}}\mathcal{C}\backslash \mathcal{V}\). We then have \(\Pr [S_3] -\Pr [S_4] \le 2 \epsilon _{\mathsf {SD}}\).

  • Game 5: This game is identical to the previous game, except that A is regarded as having lost when it submits a tampering query \((\phi ,\mathsf {CT})\) with \(p \le 2^{-\eta }\), where \(p=\Pr [\mathbf {D}(\phi (SK),\mathsf {CT})= \bot ]\), and the (unlikely) event that \(\mathbf {D}(\phi (SK),\mathsf {CT})= \bot \) really occurs. We then have \(\Pr [S_4] -\Pr [S_5] \le 2^{-\eta }\). Without loss of generality, we can assume that A does not make a tampering query with \(p> 2^{-\eta }\) in the subsequent games.

  • Game 6: We say that a sequence of tampering queries made by A is \(\eta \)-challenging if there is a prefix of the sequence such that the decryption oracle accepts the prefix with probability \(\le 2^{-\eta }\). Let \(\mathrm {RDview}\) be a random variable of the transcript between adversary A and oracle \(\mathsf {RKDec}\) in the pre-challenge stage and let

    $$\begin{aligned} \mathrm {rdv}=\{ (\phi _1,\mathsf {CT}_1,m_1),\ldots ,(\phi _{q'},\mathsf {CT}_{q'},m_{q'})\} \text { where } q' \le Q. \end{aligned}$$

    be a transcript. If \(\mathrm {rdv}\) is \(\eta \)-challenging, there is the minimum \(q_{\min } \le q'\) such that

    $$\begin{aligned} \Pr [\mathrm {RDview}=\mathrm {rdv}] \le \Pr \Bigl [ \wedge _{i=1}^{q_{\min }}\Bigl ( \mathbf {D}({\phi _i(SK)},\mathsf {CT}_i)\ne \bot \Bigr ) \Bigr ] \le 2^{-\eta }. \end{aligned}$$

    Game 6 is identical to the previous game except that \(\mathsf {RKDec}\) “self-destructs” at the \((q_{\min }+1)\)-th tampering query of an \(\eta \)-challenging \(\mathrm {rdv}\), even if \(\mathsf {RKDec}\) accepts the \((q_{\min }+1)\)-th tampering query. (If it rejects an earlier tampering query, it self-destructs at that query.) This experiment is just conceptual and is not required to be executed in polynomial time. We have \(\Pr [S_5] -\Pr [S_6] \le 2^{-\eta }\), because the prefix is accepted with probability at most \(2^{-\eta }\).

  • Game 7: In this game, for every post-challenge (decryption) query \((\mathfrak {id},\mathsf {CT})\) of A, we return \(\bot \) if \(C\in \mathcal{C}\backslash \mathcal{V}\). This experiment is just conceptual and is not required to be executed in polynomial time. We evaluate the min-entropy of \(K=\Lambda _{SK}(C)\) derived from the post-challenge tampering query. Let \(\mathrm {Lview}\) be the random variable of the transcript between adversary A and oracle \(\mathsf {Leak}\) in the pre-challenge stage. When the first post-challenge decryption query is made, by the “chain rule” of the average min-entropy,

    $$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(K|(\mathrm {RDview},\mathrm {Lview},\pi ^*,H^*(K^*))) \ge \widetilde{\mathsf {H}}_{\infty }(K|\mathrm {RDview}) -\lambda -\ell _{\mathsf {lf}}-\ell _m, \end{aligned}$$

    where \(2^{\ell _{\mathsf {lf}}}\) denotes the number of elements in the image of the “lossy” function \(\pi ^*=A(\mathsf {T}(\mathsf {vk}^*),\cdot )\), and \(\ell _m\) is the length of \(H^*(K^*)\). By Lemma 4, we have

    $$\begin{aligned} {\mathsf {H}}_{\infty }(K|\mathrm {RDview}=\mathrm {rdv}) \ge {\mathsf {H}}_{\infty }(K) - \log \Bigl ( \frac{1}{\Pr [\mathrm {RDview}=\mathrm {rdv}]} \Bigr ) \ge {\mathsf {H}}_{\infty }(K) - \eta . \end{aligned}$$

    The second inequality comes from \(\Pr [\mathrm {RDview}=\mathrm {rdv}] \ge 2^{-\eta }\), because if \(\mathrm {rdv}\) is \(\eta \)-challenging, the adversary cannot make a post-challenge decryption query. Therefore, for \(C\in \mathcal{C}\backslash \mathcal{V}\),

    because \(\Lambda \) is \(\gamma \)-entropic. Therefore,

    $$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(K|(\mathrm {RDview},\mathrm {Lview},\pi ^*,H(K^*))) \ge \gamma - \eta -\lambda -\ell _{\mathsf {lf}}-\ell _m. \end{aligned}$$

    Since \(\mathsf {T}(\mathsf {vk}^*)\ne \mathsf {T}(\mathsf {vk})\),

    $$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(\pi |(\mathrm {RDview},\mathrm {Lview},\pi ^*,H(K^*))) = \widetilde{\mathsf {H}}_{\infty }(K|(\mathrm {RDview},\mathrm {Lview},\pi ^*,H(K^*))), \end{aligned}$$

    where \(\pi =A_{\mathsf {T}(\mathsf {vk}^*)}(\mathsf {T}(\mathsf {vk}),K)\) (injective). This means that \(\mathsf {RKDec}\) accepts \(\mathsf {CT}\) with \(C \in \mathcal{C}\backslash \mathcal{V}\) only with probability \(2^{-(\gamma - \eta -\lambda -\ell _{\mathsf {lf}}-\ell _m)}\). Assuming that A submits Q queries to \(\mathsf {RKDec}\) in total, the probability that \(\mathsf {RKDec}\) accepts at least one \(\mathsf {CT}\) with \(C \in \mathcal{C}\backslash \mathcal{V}\) is bounded by \(Q\cdot 2^{-(\gamma - \eta -\lambda -\ell _{\mathsf {lf}}-\ell _m)}\). Hence, we have

    $$\begin{aligned} \Pr [S_6] -\Pr [S_7] \le Q\cdot 2^{-(\gamma - \eta -\lambda -\ell _{\mathsf {lf}}-\ell _m)}. \end{aligned}$$

  • Game 8: This is the last game. This game is identical to the previous game except that we replace \(H^*(K^*)\) with a uniformly random string from \(\{0,1\}^{\ell _m}\). Then it is clear that \(\Pr [S_8]=\frac{1}{2}\) because the view of A is independent of \(\beta ^*\). We now show that the advantages in Game 7 and Game 8 are statistically close. Let \(\mathrm {Reject}\) be the event that \(\mathbf {D}(\phi (SK),\mathsf {CT})= \bot \) in the pre-challenge stage. We note that \(\Pr [\mathrm {Reject}] > 2^{-\eta }\), due to Game 5. In this game, by definition, all post-challenge queries of “invalid” ciphertexts are rejected. So, the average min-entropy of \(K^*\) even after all post-challenge queries are made is equivalent to the average min-entropy of \(K^*\) conditioned on the possible events that appear in the pre-challenge stage. That is,

    $$\begin{aligned} \widetilde{\mathsf {H}}_{\infty }(K^*|(\mathrm {RDview},\mathrm {Reject},\mathrm {Lview},\pi ^*)) \ge \widetilde{\mathsf {H}}_{\infty }(K^*|\mathrm {RDview},\mathrm {Reject}) -\lambda -\ell _{\mathsf {lf}} \\ \ge \gamma -2 \eta -\lambda -\ell _{\mathsf {lf}}. \end{aligned}$$

    Remember that \(\lambda \le \gamma -2\eta -\ell _{\mathsf {lf}}-\ell _m -\log (1/{\epsilon })\) and \(H^*\) is independent of the view of the post-challenge decryption. By the generalized left-over hash lemma, \(H^*(K^*)\) is \(\epsilon \)-close to the uniform distribution on \(\{0,1\}^{\ell _m}\). We then have \(\Pr [S_7] -\Pr [S_8] \le \epsilon \).

By summing up the above inequalities, we have

$$\begin{aligned} \Pr [S_0] \le \frac{1}{2} + \epsilon _{\mathsf {tcr}} +\epsilon _{\mathsf {otsig}} +2 \epsilon _{\mathsf {lossy}} + 2\epsilon _{\mathsf {SD}} +2^{-\eta +1} + Q\cdot 2^{-(\gamma -\eta -\lambda -\ell _{\mathsf {lf}}-\ell _{m})} +\epsilon , \end{aligned}$$

and conclude the proof of the theorem, with \(\mathsf {Adv}_{\Pi ,A,(\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )}^{\mathsf {ctbl}{\text {-}}\mathsf {cca}}(\kappa )= 2\Pr [S_0]-1\).    \(\blacksquare \)

An Instantiation of CTBL-CCA Secure PKE with \(\mathbf{1-o(1)}\) Leakage Rate. We remark that even if we start with a hash proof system resilient to \(1-o(1)\) leakage rate, we cannot obtain a \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure PKE scheme with \(1-o(1)\) leakage rate in general. To obtain an optimal leakage rate, we require \(\frac{\gamma }{|SK|} =1-o(1)\) for a \(\gamma \)-entropic hash proof system. The cryptosystems of Boneh et al. [9] and Naor-Segev [29] do not satisfy the condition, although they are IND-CPA secure resilient to \(1-o(1)\) leakage rate.

Let \(n=pq\) be a composite number of distinct odd primes, p and q, and \(1\le d < p,q\) be a positive integer. It is known that \({\mathbb {Z}}^{\times }_{n^{d+1}}\cong {\mathbb {Z}}_{n^{d}}\times ({\mathbb {Z}}/n{\mathbb {Z}})^{\times }\) and any element in \({\mathbb {Z}}^{\times }_{n^{d+1}}\) is uniquely represented as \((1+n)^{\delta }\gamma ^{{n^{d}}} \pmod {{n^{d+1}}}\) for some \(\delta \in {\mathbb {Z}}_{n^{d}}\) and \(\gamma \in ({\mathbb {Z}}/n{\mathbb {Z}})^{\times }\). For \(\delta \in {\mathbb {Z}}_{n^{d}}\), we write \(\mathbf {E}^{\mathsf{dj}}(\delta )\) to denote the subset of \({\mathbb {Z}}^{\times }_{n^{d+1}}\) such that \(\mathbf {E}^{\mathsf{dj}}(\delta )=\{(1+n)^{\delta }{\gamma }^{{n^{d}}} \,| \, \gamma \in ({\mathbb {Z}}/n{\mathbb {Z}})^{\times }\}\). It is well known that for any two distinct \(\delta ,\delta '\in {\mathbb {Z}}_{n^{d}}\), it is computationally hard to distinguish a random element in \(\mathbf {E}^{\mathsf{dj}}(\delta )\) from a random element in \(\mathbf {E}^{\mathsf{dj}}(\delta ')\) as long as the decisional composite residuosity (DCR) assumption holds true. Let \(\mathcal{C}={\mathbb {Z}}^{\times }_{n^{d+1}}\) and \(\mathcal{V}=\mathbf {E}^{\mathsf{dj}}(0)\). Let \(\mathcal{SK}=\{0,1,\ldots , {{n^{d+1}}}\} \subset \mathbb {Z}\). Let \(g\in \mathcal{V}\) and \(\mathcal{PK}=\{\mu (sk) \,| \,\mu (sk)=g^{sk} \pmod {{n^{d+1}}} \text { where } sk \in \mathcal{SK}\}\) (\(=\mathbf {E}^{\mathsf{dj}}(0)\)). For \(C \in \mathcal{C}\), define \(\Lambda _{sk}(C) = C^{sk} \pmod {{n^{d+1}}}\). Then, \(\Lambda :\mathcal{SK}\times \mathcal{C}\rightarrow \mathcal{V}\) is projective and \(d \log (n)\)-entropic and a hash proof system \(\mathsf {HPS}\) is constructed on \(\Lambda \). In addition, \(\frac{\text {leakage bound}}{\text {the length of secret-key}} = \frac{d\log (n)-\omega (\log (\kappa ))}{(d+1)\log (n)}\) \(=1-o(1)\).
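As an added worked example (not code from the paper), the following Python snippet instantiates the DCR-based hash proof system above with toy primes \(p=11\), \(q=13\) and \(d=1\), so that all arithmetic is in \({\mathbb {Z}}^{\times }_{n^{2}}\) with \(n=143\). It checks the projective property (\(\mathsf {HPS.pub}\) and \(\mathsf {HPS.priv}\) agree on \(C\in \mathcal{V}=\mathbf {E}^{\mathsf{dj}}(0)\)) and then, by enumerating every \(sk\) with \(\mu (sk)=pk\), counts how many distinct values \(\Lambda _{sk}(C)\) can take: one for \(C\in \mathcal{V}\), and \(n=143=2^{d\log (n)}\) for \(C\notin \mathcal{V}\), which is the \(d\log (n)\)-entropic property the text relies on. The parameter sizes and the chosen \(sk\), witness and \(\gamma \) values are constructed for illustration; real parameters are far larger.

```python
import math

# Toy parameters, constructed for illustration only (a real instantiation uses
# primes of cryptographic size): p = 11, q = 13, n = 143, d = 1, modulus n^2.
P, Q, D = 11, 13, 1
N = P * Q
MOD = N ** (D + 1)          # all arithmetic is in Z^*_{n^{d+1}}
ND = N ** D                 # the exponent n^d of the E^dj(delta) representation


def dj_element(delta, gamma):
    """(1+n)^delta * gamma^{n^d} mod n^{d+1}; delta = 0 gives an element of V = E^dj(0)."""
    if math.gcd(gamma, N) != 1:
        raise ValueError("gamma must be a unit mod n")
    return pow(1 + N, delta, MOD) * pow(gamma, ND, MOD) % MOD


def hps_keygen(g, sk):
    """Projection mu(sk) = g^sk mod n^{d+1}; sk ranges over {0, ..., n^{d+1}} as in the text."""
    return pow(g, sk, MOD)


def hps_pub(pk, w):
    """HPS.pub: evaluate on C = g^w from the public key and the witness w."""
    return pow(pk, w, MOD)


def hps_priv(sk, C):
    """HPS.priv: Lambda_sk(C) = C^sk, which needs no witness and works for any C."""
    return pow(C, sk, MOD)


def consistent_hash_values(g, pk, C):
    """Set of values Lambda_sk(C) over every sk in {0, ..., n^{d+1}} with mu(sk) = pk.

    A single value for C in V (projective property).  For C outside V many values
    remain possible: their number measures the entropy left in Lambda_sk(C) once
    pk is known, which is what the d log(n)-entropic property promises.
    """
    return {hps_priv(sk, C) for sk in range(MOD + 1) if hps_keygen(g, sk) == pk}


def demo():
    """Return (#values for valid C, #values for invalid C, entropy bits for invalid C)."""
    g = dj_element(0, 2)              # element of V; 2 has order 60 mod 143, so g does too
    sk = 12345                        # constructed secret key
    pk = hps_keygen(g, sk)
    w = 777                           # constructed witness
    c_valid = pow(g, w, MOD)          # C = g^w lies in V
    if hps_pub(pk, w) != hps_priv(sk, c_valid):
        raise AssertionError("projective property violated")
    c_invalid = dj_element(1, 3)      # delta = 1, so C is outside V
    n_valid = len(consistent_hash_values(g, pk, c_valid))
    n_invalid = len(consistent_hash_values(g, pk, c_invalid))
    return n_valid, n_invalid, math.log2(n_invalid)


if __name__ == "__main__":
    print(demo())   # (1, 143, 7.159...)
```

The enumeration is feasible only because the modulus is tiny; the point is that for an invalid \(C\) the public key pins down \(sk\) only modulo the order of \(g\), and the \((1+n)^{\delta \cdot sk}\) component of \(\Lambda _{sk}(C)\) still varies over all \(n\) residues of \(sk \bmod n\), giving \(\log (n)\) bits of min-entropy per level \(d\).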

Corollary 1

By applying the DCR-based hash proof system above and the DCR based instantiation of ABO injective function in Appendix B to the PKE scheme in Fig. 2, it becomes a \(\textsc {CTBL}\)-\(\textsc {CCA}\) secure PKE scheme with \(1-o(1)\) bounded memory leakage rate under the DCR assumption.

5 Continuous Tampering and Leakage Resilient CCA (\(\textsc {CTL}\)-\(\textsc {CCA}\)) Secure Public-Key Encryption

We say that PKE has a key-update mechanism if there is a PPT algorithm \(\mathsf {Update}\) that takes \(\rho \) and sk and returns an “updated” secret key \(sk'=\mathsf {Update}_{\rho }(sk)\). We assume that the key-updating mechanism \(\mathsf {Update}\) can be activated only when the decryption algorithm rejects a ciphertext. Therefore, one cannot update one's secret key unless the decryption algorithm has detected tampering. We require for \(\Pi =(\mathsf {Setup},\mathsf {Update},\mathbf {K},\mathbf {E},\mathbf {D})\) that for every sufficiently large \(\kappa \in \mathbb {N}\) and every \(I\in \mathbb {N}\), it always holds that \(\mathbf {D}_{\rho }(sk_i,\mathbf {E}_{\rho }(pk,m))=m\), for every \(\rho \in \mathsf {Setup}(1^{\kappa })\), every \((pk,sk_0)\) \(\in \mathbf {K}(\rho )\), every \(sk_i\in \mathsf {Update}_{\rho }(sk_{i-1})\) for \(i \in [I]\), and every \(m \in \mathcal {M}\).

CTL-CCA Security. For PKE with a key-update mechanism \(\Pi '=\) \((\mathsf {Setup},\mathsf {Update},\) \(\mathbf {K},\mathbf {E},\mathbf {D})\) and an adversary \(A=(A_1,A_2)\), we define the experiment \(\mathsf {Expt}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctl}{\text {-}}\mathsf {cca}}(\kappa )\) as in Fig. 3. A may adaptively submit (unbounded) polynomially many queries \((\phi ,\mathsf {ct})\) to oracle \(\mathsf {RKDec}\), where \(\phi \in \Phi _i\) when the query is made by \(A_i\). We remark that the secret key sk is updated using (non-tampered) fresh randomness only when the decryption algorithm rejects a ciphertext. A may also adaptively submit (unbounded) polynomially many queries L to oracle \(\mathsf {Leak}\), before seeing the challenge ciphertext \(\mathsf {ct}^*\). The total amount of leakage on \(\mathsf {sk}\) must be bounded by \(\lambda \) bits within each period between two activations of the key-update mechanism. We define the advantage of A against \(\Pi '\) with respect to \((\Phi _1,\Phi _2)\) as

$$\begin{aligned} \mathsf {Adv}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctl}{\text {-}}\mathsf {cca}}(\kappa )\triangleq | \,2\Pr [\mathsf {Expt}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctl}{\text {-}}\mathsf {cca}}(\kappa )=1] - 1 \,|. \end{aligned}$$

We say that \(\Pi \) is \((\Phi _1,\Phi _2,\lambda )\)-\(\textsc {CTL}{\text {-}}\textsc {CCA}\) secure if \(\mathsf {Adv}_{\Pi ,A,(\Phi _1,\Phi _2,\lambda )}^{\mathsf {ctl}{\text {-}}\mathsf {cca}}(\kappa )=\mathsf {negl}(\kappa )\) for every PPT A.

Fig. 3. The experiment of the \(\textsc {CTL}{\text {-}}\textsc {CCA}\) game.

We say that \(\Pi \) is simply \(\textsc {CTL}\)-\(\textsc {CCA}\) secure if it is \((\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )\)-\(\textsc {CTL}\)-\(\textsc {CCA}\) secure, where \(\Phi _{\mathsf {all}}\) denotes the class of all efficiently computable functions and \(\mathfrak {id}\) denotes the identity function.

Remark 2

This security definition models non-persistent tampering. However, it is obvious that the persistent tampering version of \(\textsc {CTL}\)-\(\textsc {CCA}\) security can be similarly defined.

6 Random Subspace Lemmas

The following random subspace lemma is provided by Agrawal et al. [2], but we improve the bound using the analysis in Lemma A.1 given by Brakerski et al. [10].

Lemma 5

Let \(2\le d<t\le n\) and \(\lambda < (d-1)\log (q)\). Let \(\mathcal{W} \subset {\mathbb {F}}_{q}^n\) be an arbitrary vector subspace in \({\mathbb {F}}_{q}^n\) of dimension t. Let \(L:\{0,1\}^*\rightarrow \{0,1\}^{\lambda }\) be an arbitrary function. Then, we have

$$\begin{aligned} \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L(\mathbf {A}{\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{u}}) \Bigr ) \Biggr ) \le \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } , \end{aligned}$$

where \(\mathbf {A}:=({\varvec{a}}_{\varvec{1}},\ldots ,{\varvec{a}}_{\varvec{d}})\) \(\leftarrow \mathcal{W}^d\) (seen as an \(n\times d\) matrix), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), and \({\varvec{u}} \leftarrow \mathcal{W}\).

If \(\mathbf {A} \leftarrow {\mathbb {F}}_{q}^{n\times d}\) and \({\varvec{u}} \leftarrow {\mathbb {F}}_{q}^{n}\), then it is equivalent to Lemma A.1 given by Brakerski et al. [10]. The proof is given in the full version.

The following is an affine version of Lemma 5.

Lemma 6

Let \(2\le d<t \le n\) and \(\lambda < (d-1)\log (q)\). Let \({\varvec{x}} \in {\mathbb {F}}_{q}^{n}\) be an arbitrary vector. Let \(\mathcal{W} \subset {\mathbb {F}}_{q}^n\) be an arbitrary vector subspace in \({\mathbb {F}}_{q}^n\) of dimension t. Let \(L:\{0,1\}^*\rightarrow \{0,1\}^{\lambda }\) be an arbitrary function. Then, we have

$$\begin{aligned} \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L({\varvec{x}}+\mathbf {A} {\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{x}}+{\varvec{u}}) \Bigr ) \Biggr ) \le \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } , \end{aligned}$$

where \(\mathbf {A}:=({\varvec{a}}_{\varvec{1}},\ldots ,{\varvec{a}}_{\varvec{d}})\) \(\leftarrow \mathcal{W}^d\) (seen as an \(n\times d\) matrix), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), and \({\varvec{u}} \leftarrow \mathcal{W}\).

Proof

Let \(\mathbf {W} \in {\mathbb {F}}_{q}^{n\times t}\) be a matrix whose column vectors span \(\mathcal{W}\), i.e., \(\mathcal{W}=\mathsf {span}(\mathbf {W})\). Now, we have

$$\begin{aligned}&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L({\varvec{x}}+\mathbf {A} {\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{x}}+{\varvec{u}}) \Bigr ) \Biggr ) \\ =&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {WR_a}, L({\varvec{x}}+\mathbf {WR_a}{\varvec{v}}) \Bigr ),\Bigl ( \mathbf {WR_a}, L({\varvec{x}}+\mathbf {W}{\varvec{r}}_{\varvec{u}}) \Bigr ) \Biggr ) \quad (\text {where } \mathbf {A}=\mathbf {WR_a}, \, {\varvec{u}}=\mathbf {W}{\varvec{r}}_{\varvec{u}} )\\ =&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {WR_a}, L'(\mathbf {R_a}{\varvec{v}}) \Bigr ),\Bigl ( \mathbf {WR_a}, L'({\varvec{r}}_{\varvec{u}}) \Bigr ) \Biggr ) \quad (\text {where } L'({\varvec{y}}):= L({\varvec{x}}+\mathbf {W}{\varvec{y}}) )\\ \le&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {R_a}, L'(\mathbf {R_a}{\varvec{v}}) \Bigr ),\Bigl ( \mathbf {R_a}, L'({\varvec{r}}_{\varvec{u}}) \Bigr ) \Biggr ) \le \sqrt{ \frac{2^{\lambda } }{q^{d-1}}}, \end{aligned}$$

where \(\mathbf {R_a} \leftarrow {\mathbb {F}}_{q}^{t\times d}\), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), and \({\varvec{r}}_{\varvec{u}} \leftarrow {\mathbb {F}}_{q}^{t}\).

We further provide the following lemma.

Lemma 7

Let \(2\le d\le t'<t\le n\) and \(\lambda < (d-1)\log (q)\). Let \(\mathcal{W} \subset {\mathbb {F}}_{q}^n\) be an arbitrary vector subspace in \({\mathbb {F}}_{q}^n\) of dimension t. Let \(L:\{0,1\}^*\rightarrow \{0,1\}^{\lambda }\) be an arbitrary function. Then, we have

$$\begin{aligned} \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L(\mathbf {A}{\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{u}}) \Bigr ) \Biggr ) \le \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } +\sqrt{ \frac{2^{\lambda } }{q^{t'-1} } }, \end{aligned}$$

where \(\mathcal{W'}\) is a random vector subspace in \(\mathcal{W}\) of dimension \(t'\) (independent of function L), \(\mathbf {A}:=({\varvec{a}}_{\varvec{1}},\ldots ,{\varvec{a}}_{\varvec{d}})\) \(\leftarrow \mathcal{W'}^d\) (seen as an \(n\times d\) matrix), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), and \({\varvec{u}} \leftarrow \mathcal{W}\).

Proof

Let \(\mathbf {W} \in {\mathbb {F}}_{q}^{n\times t}\) be a matrix whose column vectors span \(\mathcal{W}\), i.e., \(\mathcal{W}=\mathsf {span}(\mathbf {W})\). Similarly, let \(\mathbf {W'} \in {\mathbb {F}}_{q}^{n\times t'}\) be a matrix whose column vectors span \(\mathcal{W'}\), i.e., \(\mathcal{W'}=\mathsf {span}(\mathbf {W'})\). Then, we have

$$\begin{aligned}&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L(\mathbf {A} {\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{u}}) \Bigr ) \Biggr ) \\ \le&\, \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L(\mathbf {A} {\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{u'}}) \Bigr ) \Biggr ) + \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A},L({\varvec{u'}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{u}}) \Bigr ) \Biggr ) \quad (\text {where } {\varvec{u'}} =\mathbf {W'}{\varvec{r'}}_{\varvec{u}}) \\ \le&\, \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } + \mathsf {Dist}\Biggl ( L({\varvec{u'}}),L({\varvec{u}}) \Biggr ) \quad (\text {where } {\varvec{u}}=\mathbf {W}{\varvec{r}}_{\varvec{u}} )\\ =&\, \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } + \mathsf {Dist}\Bigl ( L'(\mathbf {R'}{\varvec{r'}}_{\varvec{{u}}}), L'({\varvec{r}}_{\varvec{u}}) \Bigr ) \quad (\text {where } \mathbf {W'}=\mathbf {W}\mathbf {R'}, \, L'({\varvec{y}}):= L(\mathbf {W}{\varvec{y}}) )\\ \le&\, \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } + \sqrt{ \frac{2^{\lambda } }{q^{t'-1}}}, \end{aligned}$$

where \(\mathbf {R'} \leftarrow {\mathbb {F}}_{q}^{t\times t'}\), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), \({\varvec{r'}}_{\varvec{u}} \leftarrow {\mathbb {F}}_{q}^{t'}\), and \({\varvec{r}}_{\varvec{u}} \leftarrow {\mathbb {F}}_{q}^{t}\).    \(\blacksquare \)

Corollary 2

Let \(2\le d\le t'<t \le n\) and \(\lambda < (d-1)\log (q)\). Let \({\varvec{x}} \in {\mathbb {F}}_{q}^{n}\) be an arbitrary vector. Let \(\mathcal{W} \subset {\mathbb {F}}_{q}^n\) be an arbitrary vector subspace in \({\mathbb {F}}_{q}^n\) of dimension t. Let \(L:\{0,1\}^*\rightarrow \{0,1\}^{\lambda }\) be an arbitrary function. Then, we have

$$\begin{aligned} \mathsf {Dist}\Biggl ( \Bigl ( \mathbf {A}, L({\varvec{x}}+\mathbf {A} {\varvec{v}}) \Bigr ),\Bigl ( \mathbf {A}, L({\varvec{x}}+{\varvec{u}}) \Bigr ) \Biggr ) \le \sqrt{ \frac{2^{\lambda } }{q^{d-1} } } +\sqrt{ \frac{2^{\lambda } }{q^{t'-1} } }, \end{aligned}$$

where \(\mathcal{W'}\) is a random vector subspace in \(\mathcal{W}\) of dimension \(t'\) (independent of function L), \(\mathbf {A}:=({\varvec{a}}_{\varvec{1}},\ldots ,{\varvec{a}}_{\varvec{d}}) \leftarrow \mathcal{W'}^d\) (seen as an \(n\times d\) matrix), \({\varvec{v}} \leftarrow {\mathbb {F}}_{q}^{d}\), and \({\varvec{u}} \leftarrow \mathcal{W}\).

7 The \(\textsc {CTL}\)-\(\textsc {CCA}\) Secure PKE Scheme

In this section, we present a \(\textsc {CTL}\)-\(\textsc {CCA}\)-secure PKE scheme. We first provide the intuition behind our construction.

Our starting point is the hash proof system based PKE scheme proposed by Agrawal et al. [2], which is IND-CPA secure resilient to continuous memory leakage in the so-called Floppy model, where a decryptor additionally owns a secret \(\varvec{\alpha }\) to refresh its secret key sk using fresh randomness. The Floppy model assumes that the secret \(\varvec{\alpha }\) is not leaked. The Agrawal et al. scheme is as follows: \(pk= (g,g^{\varvec{\alpha }},f)\) is a public key and \(sk={\varvec{s}}\) is the corresponding secret-key such that \(f=g^{<\varvec{\alpha },{\varvec{s}}>}\), where g is a generator of a cyclic group G of prime order q, \(\varvec{\alpha },{\varvec{s}} \in ({\mathbb {Z}}/q{\mathbb {Z}})^{n}\). In addition, the decryptor owns \(\varvec{\alpha }\) as the key-update key. The encryption of message \(m\in G\) under pk is \(\mathsf {ct}=(g^{{\varvec{c}}},e)=(g^{r\varvec{\alpha }},m\cdot f^r)\), while the decryption is computed as \(e \cdot (g^{<{\varvec{c}},sk>})^{-1}\). The secret key sk is refreshed between each two time periods as \(sk:=sk +\varvec{\beta }\) where \(\varvec{\beta }\leftarrow \ker (\varvec{\alpha })\) is chosen using the secret \(\varvec{\alpha }\). Here, \(f=g^{<\varvec{\alpha },{\varvec{s}}>}=g^{<\varvec{\alpha },{\varvec{s}}+\varvec{\beta }>}\), because \(<\varvec{\alpha },\varvec{\beta }>=0\).

We first convert this scheme to an IND-CPA secure PKE scheme that is resilient to continuous memory leakage in the model of Brakerski et al. [10], where the key-update is executed without additional secret \(\varvec{\alpha }\). To do so, we pick up \(\ell \) independent vectors, \({\varvec{v}}_{\varvec{1}},\ldots ,{\varvec{v}}_{\varvec{\ell }} \in \ker (\varvec{\alpha })\), where \(\ell < n-1=\dim (\ker (\varvec{\alpha }))\), and publish \(\tilde{g}^{\mathbf {V}}\) where \({\mathbf {V}}=({\varvec{v}}_{\varvec{1}},\ldots ,{\varvec{v}}_{\varvec{\ell }})\) \(\in ({\mathbb {Z}}/q{\mathbb {Z}})^{n\times \ell }\) is \(n\times \ell \) matrix with \({\varvec{v}}_{\varvec{i}}\) as i-th column. Here we assume asymmetric pairing groups \((e,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\) where \(g,\tilde{g}\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. We then set \(pk=(g,\tilde{g},g^{\varvec{\alpha }},\tilde{g}^{\mathbf {V}},Y)\) and \(sk=g^{{\varvec{s}}}\) such that \(Y=e(g,\tilde{g})^{<\varvec{\alpha },{\varvec{s}}>}\). Here, the encryption of message \(m\in \mathbb {G}_T\) under pk is \(\mathsf {ct}=(g^{{\varvec{c}}},e)=(g^{r\varvec{\alpha }},m \cdot Y^r)\), while the decryption is computed as \(e \cdot K^{-1}\), where \(K=e(g^{{\varvec{c}}},sk)=e(g,\tilde{g})^{<{\varvec{c}},{\varvec{s}}>}\). The secret key sk is refreshed between each two time periods as \(sk:=sk \cdot \tilde{g}^{\varvec{\beta }}\) where \(\varvec{\beta }\leftarrow \mathsf {span}(\mathbf {V}) \subset \ker (\varvec{\alpha })\). We note that random \(\tilde{g}^{\varvec{\beta }}=\tilde{g}^{\mathbf {V}{\varvec{r'}}}\) can be computed using public \(\tilde{g}^{\mathbf {V}}\) with random vector \({\varvec{r'}} \in {\mathbb {F}}_{q}^{\ell }\). This construction is an IND-CPA secure PKE scheme resilient to continuous memory leakage in the sense of [10] under the extended matrix d-linear assumption (on \(\mathbb {G}_1\)), which is implied by the SXDH assumption. 
We provide the formal description of the scheme as well as the security proof in Appendix C.
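As an added illustration, not code from the paper or from Agrawal et al., the following Python models the scheme of the two paragraphs above over a prime-order subgroup of \(\mathbb {Z}_p^*\) instead of pairing groups: encryption and decryption, the Floppy-model refresh that needs the secret \(\varvec{\alpha }\), and the refresh from a kernel basis \(\mathbf {V}\) that needs no secret. Since the pairing variant only moves the same exponent arithmetic into \(\mathbb {G}_2\) and \(\mathbb {G}_T\), the kernel-basis refresh is shown on the exponents. The toy group (p = 2039, q = 1019, g = 4), the choice n = 4 and \(\ell = 2\) (the parameters the paper later uses for its leakage rate), and all function names are this example's own constructions; the parameters are far too small to be secure and the arithmetic is not constant time.

```python
"""Toy model of the Agrawal et al. hash-proof-system PKE described above and
its two key-refresh rules. Added example: constructed toy parameters, a
prime-order subgroup of Z_p^* instead of pairing groups, no security claims."""
import secrets

# Constructed toy group: q = 1019 and p = 2q + 1 = 2039 are prime, and g = 4
# generates the order-q subgroup of Z_p^*. Real instantiations use ~256-bit q.
P, Q, G = 2039, 1019, 4


def inner(u, v):
    """Inner product <u, v> over Z/qZ."""
    return sum(a * b for a, b in zip(u, v)) % Q


def keygen(n):
    """pk = (g^alpha, f) with f = g^<alpha, s>; sk = s; alpha is the update key."""
    alpha = [secrets.randbelow(Q) for _ in range(n)]
    alpha[-1] = 1 + secrets.randbelow(Q - 1)     # pivot coordinate must be nonzero
    s = [secrets.randbelow(Q) for _ in range(n)]
    pk = {"g_alpha": [pow(G, a, P) for a in alpha], "f": pow(G, inner(alpha, s), P)}
    return pk, s, alpha


def encrypt(pk, m):
    """ct = (g^{r alpha}, m * f^r) for fresh r; m is an element of the subgroup."""
    r = 1 + secrets.randbelow(Q - 1)
    c = [pow(ga, r, P) for ga in pk["g_alpha"]]
    return c, m * pow(pk["f"], r, P) % P


def decrypt(sk, ct):
    """m = e * (g^<c, s>)^{-1}; g^<c, s> = prod_i c_i^{s_i} = g^{r <alpha, s>} = f^r."""
    c, e = ct
    k = 1
    for ci, si in zip(c, sk):
        k = k * pow(ci, si, P) % P
    return e * pow(k, -1, P) % P


def kernel_sample(alpha):
    """Uniform beta in ker(alpha): free coordinates random, last one solved for."""
    beta = [secrets.randbelow(Q) for _ in range(len(alpha) - 1)]
    beta.append(-inner(alpha[:-1], beta) * pow(alpha[-1], -1, Q) % Q)
    return beta


def refresh_floppy(sk, alpha):
    """Floppy model: sk := sk + beta, beta <- ker(alpha); needs the secret alpha."""
    return [(a + b) % Q for a, b in zip(sk, kernel_sample(alpha))]


def kernel_basis(alpha, ell):
    """ell independent columns v_i = e_i - (alpha_i / alpha_n) e_n of ker(alpha).
    The text requires 2 <= ell < n - 1, so a part of ker(alpha) stays hidden."""
    n = len(alpha)
    assert 2 <= ell < n - 1
    inv = pow(alpha[-1], -1, Q)
    cols = []
    for i in range(ell):
        v = [0] * n
        v[i] = 1
        v[-1] = -alpha[i] * inv % Q
        cols.append(v)
    return cols


def refresh_public(sk, V):
    """Converted scheme: sk := sk + V r' with r' <- (Z/qZ)^ell. Only V is used, so
    the update runs without alpha; in the pairing scheme the same step is
    sk * g~^{V r'} computed from the published g~^V."""
    rp = [secrets.randbelow(Q) for _ in V]
    beta = [sum(v[j] * r for v, r in zip(V, rp)) % Q for j in range(len(sk))]
    return [(a + b) % Q for a, b in zip(sk, beta)]


def demo(n=4, ell=2):
    """n = 4, ell = 2 is the parameter choice the text uses for its 1/4 - o(1) rate."""
    pk, sk, alpha = keygen(n)
    m = pow(G, 42, P)                            # constructed message in the subgroup
    ct = encrypt(pk, m)                          # encrypted before any refresh
    sk1 = refresh_floppy(sk, alpha)
    sk2 = refresh_public(sk1, kernel_basis(alpha, ell))
    return {
        "dec_ok": decrypt(sk, ct) == m,
        "dec_after_floppy": decrypt(sk1, ct) == m,
        "dec_after_public": decrypt(sk2, ct) == m,
        "pk_unchanged": pow(G, inner(alpha, sk2), P) == pk["f"],
    }
```

The point to take from `demo` is that a ciphertext produced before any refresh still decrypts under both refreshed keys, and that \(g^{<\varvec{\alpha },sk>}\) never changes, which is exactly what lets the refreshed key remain a valid secret key for the unchanged public key. `refresh_public` touches neither \(\varvec{\alpha }\) nor the full kernel, only the \(\ell \) published directions, which is what the conversion to the model of [10] relies on.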

The proposed PKE scheme (as described in Appendix C) is based on a hash proof system in which the hash value \(K=\mathsf {HPS.pub}(Y,g^{r\varvec{\alpha } },r) =\mathsf {HPS.priv}(g^{r\varvec{\alpha }},sk)=e(g,\tilde{g})^{r<\varvec{\alpha },{\varvec{s}}>}=Y^r\) can be computed either publicly from the witness r or privately from sk. We then filter the hash key K with the one-time lossy filter technique [31] and finally obtain our \(\textsc {CTL}\)-\(\textsc {CCA}\) secure construction.

Before presenting the full-fledged scheme in Fig. 4, we recall the pairing setting and the assumption on which it relies.

Asymmetric Pairing. Let \(\mathsf {GroupG}\) be a PPT algorithm that on input a security parameter \(1^{\kappa }\) outputs a bilinear pairing \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,q,g,\tilde{g})\) such that \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) are cyclic groups of prime order q, \(g,\tilde{g}\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and the map \(e:\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) satisfies the following properties:

  • (Bilinear:) for any \(u \in \mathbb {G}_1\), \(h \in \mathbb {G}_2\), and any \(a,b \in \mathbb {Z}_q\), \(e(u^a,h^b) = e(u,h)^{ab}\),

  • (Non-degenerate:) \(e(g,\tilde{g})\) has order q in \(\mathbb {G}_T\), and

  • (Efficiently computable:) \(e(\cdot ,\cdot )\) is efficiently computable.

Symmetric External Diffie-Hellman (SXDH) Assumption. The symmetric external DH assumption (SXDH) (on \(\mathsf {GroupG}\)) is that the DDH problem is hard in both groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\). In particular, the assumption implies that there is no efficiently computable (non-trivial) homomorphism between \(\mathbb {G}_1\) and \(\mathbb {G}_2\) in either direction: given such a map \(\psi \), a DDH instance \((\tilde{g},\tilde{g}^a,\tilde{g}^b,\tilde{g}^c)\) in \(\mathbb {G}_2\) could be decided by checking \(e(\psi (\tilde{g}^a),\tilde{g}^b)=e(\psi (\tilde{g}),\tilde{g}^c)\), and symmetrically for \(\mathbb {G}_1\).

We now present our \(\textsc {CTL}\)-\(\textsc {CCA}\) secure PKE scheme in Fig. 4.

Fig. 4. Our \(\textsc {CTL}\)-\(\textsc {CCA}\) secure PKE scheme (the figure itself is not reproduced here).

Theorem 3

The PKE scheme in Fig. 4 is \((\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )\)-\(CTL\text {-}CCA\) secure, as long as \(\lambda (\kappa ) < \log (q) -\ell _{\mathsf {lf}}-\ell _{m} -\eta - \omega (\log \kappa )\) with \(\eta (\kappa )=\omega (\log \kappa )\), and for any PPT adversary A with at most Q queries to \(\mathsf {RKDec}\) oracle, \(\mathsf {Adv}_{\Pi ,A,(\Phi _{\mathsf {all}},\{\mathfrak {id}\},\lambda )}^{\mathsf {ctl}{\text {-}}\mathsf {cca}}(\kappa ) \le \)

$$\begin{aligned} 2\epsilon _{\mathsf {tcr}} + 2\epsilon _{\mathsf {otsig}} + 4 \epsilon _{\mathsf {lossy}} + 4\epsilon _{\textsf {ex}} +2^{-\eta +2} + Q\cdot 2^{-(\log (q)-\eta -\lambda -\ell _{\mathsf {lf}}-\ell _{m}-1)} \\ + 2Q\cdot \sqrt{\frac{2^{\lambda }}{q^{\ell -1}}} + 2Q\cdot \sqrt{\frac{2^{\lambda }}{q^{n-1}}} +\sqrt{\frac{2^{\lambda } }{q^{n-1}}}, \end{aligned}$$

Here \(\epsilon _{\mathsf {tcr}}\) bounds the target-collision-resistance advantage against the hash function used in the scheme, and \(\epsilon _{\mathsf {otsig}}\), \(\epsilon _{\mathsf {lossy}}\), and \(\epsilon _{\mathsf {ex}}\) denote negligible functions such that \(\mathsf {Adv}^{\mathsf {ot}}_{\mathsf {OTSig},B}(\kappa ) \le \epsilon _{\mathsf {otsig}}\), \(\mathsf {Adv}^{\mathsf {lossy}}_{\mathsf {ABO},B'}(\kappa ) \le \epsilon _{\mathsf {lossy}}\), and \(\mathsf {Adv}^{\mathsf {ex}}_{D}(\kappa ) \le \epsilon _{\mathsf {ex}}\) for any PPT adversaries B, \(B'\) and D, respectively.

Due to the space limitation, the proof is given in the full version.

An Instantiation of CTL-CCA Secure PKE with \(\frac{1}{4}-o(1)\) Leakage Rate. We remark that the underlying hash proof system is \(\log (q)\)-entropic, while \(|sk|=n\log (q)\), so the leakage rate \(\lambda /|sk|\) is at most about \(1/n\). By construction we require \(2\le \ell < n-1\), so the smallest admissible dimension is \(n=4\) with \(\ell =2\); with these parameters the resulting \(\textsc {CTL}\)-\(\textsc {CCA}\) secure PKE scheme has leakage rate \(\frac{1}{4}-o(1)\), the \(o(1)\) term accounting for the \(\ell _{\mathsf {lf}}+\ell _{m}+\eta +\omega (\log \kappa )\) bits lost in the bound of Theorem 3.

8 Impossibility of Non-Persistent Tampering Resilient Signatures

We show that there is no secure digital signature scheme resilient to non-persistent tampering attacks if the scheme has no key-updating mechanism (see Appendix D for the definition). This does not contradict [26] (in which a tampering-resilient digital signature scheme is claimed), because the persistent tampering attack is weaker than the non-persistent one: a persistent adversary overwrites the key and afterwards only sees signatures under the overwritten key, whereas a non-persistent adversary gets a fresh look at the original sk in every query. To prove our claim, we consider the following adversary. The adversary runs the key-generation algorithm \(\mathsf {Gen}\) twice and obtains two legitimate pairs of verification and signing keys, \((vk_0,sk_0)\) and \((vk_1,sk_1)\). Then it defines the family of functions \(\{\phi _{(sk_0,sk_1)}^i\}\) by

$$\begin{aligned} \phi ^{i}_{(sk_0,sk_1)}(sk) = {\left\{ \begin{array}{ll} sk_0 &{} \text {if the }i\text {-th bit of }sk \text { is } 0, \\ sk_1 &{} \text {otherwise}. \end{array}\right. } \end{aligned}$$

For \(i=1,\ldots , |sk|\), the adversary submits \((\phi _{(sk_0,sk_1)}^i,m)\) to the signing oracle and receives \(\sigma _i\). Because the tampering is non-persistent, every query is evaluated on the original sk, so \(\sigma _i\) is a signature under \(sk_{b_i}\), where \(b_i\) is the i-th bit of sk. The adversary then finds, for every i, the bit \(b_i\) such that \(\mathsf {Vrfy}(vk_{b_i},m,\sigma _i)=1\), and thereby retrieves the entire secret key sk. Since \(vk_0\) and \(vk_1\) are independently generated honest keys, a signature produced with \(sk_0\) verifies under \(vk_1\) (or vice versa) only with negligible probability, as it would otherwise be a forgery against the other key; hence each \(b_i\) is determined uniquely. This attack is unavoidable because both \(sk_0\) and \(sk_1\) are real secret keys: the signing algorithm runs on a perfectly valid key, so it cannot detect the tampering and cannot self-destruct.
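As an added simulation, not part of the paper, the following Python runs the adversary just described against a signing device that applies a tampering function to its key before each signature. The signature scheme is a toy Schnorr over a constructed prime-order subgroup (p = 2039, q = 1019, g = 4) standing in for any scheme with a Gen/Sign/Vrfy interface, since the attack uses nothing but that interface; the Device class, its persistent flag and all other names are this example's own. The persistent variant shows why that model is weaker: after a single query the device's key is already one of the attacker's own keys.

```python
"""Simulation of the Section 8 key-extraction attack. Added example with a
constructed toy Schnorr signature; the attack itself uses only Gen/Sign/Vrfy
and the tampered signing oracle, so it applies to any signature scheme."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4          # constructed toy group: p = 2q + 1, g of order q
KEY_BITS = Q.bit_length()        # number of bits of sk the attacker extracts


def gen():
    """(vk, sk) = (g^x, x): an honest key pair."""
    x = secrets.randbelow(Q)
    return pow(G, x, P), x


def _challenge(R, m):
    digest = hashlib.sha256(f"{R}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def sign(sk, m):
    """Schnorr: (R, z) = (g^k, k + H(R, m) * sk). Runs on whatever key it is
    handed; a legitimate-looking key gives it nothing to detect."""
    k = secrets.randbelow(Q)
    R = pow(G, k, P)
    return R, (k + _challenge(R, m) * sk) % Q


def vrfy(vk, m, sig):
    R, z = sig
    return pow(G, z, P) == R * pow(vk, _challenge(R, m), P) % P


class Device:
    """Holds sk and answers queries (phi, m) with Sign(phi(sk), m).
    persistent=False restores sk after every query (non-persistent tampering);
    persistent=True keeps phi(sk) as the new key (the weaker, persistent model)."""

    def __init__(self, sk, persistent=False):
        self._sk = sk
        self.persistent = persistent

    def rk_sign(self, phi, m):
        tampered = phi(self._sk)
        if self.persistent:
            self._sk = tampered
        return sign(tampered, m)

    def current_key(self):
        """Instrumentation for the demonstration only; a real attacker cannot call this."""
        return self._sk


def tamper(sk0, sk1, i):
    """phi^i_{(sk0, sk1)}: sk0 if the i-th bit of sk is 0, else sk1."""
    return lambda sk: sk1 if (sk >> i) & 1 else sk0


def recover_key(device, m="any message"):
    """The Section 8 adversary: two honest key pairs, one query per key bit."""
    vk0, sk0 = gen()
    vk1, sk1 = gen()
    while sk1 == sk0:                # the two legitimate keys must differ
        vk1, sk1 = gen()
    recovered = 0
    for i in range(KEY_BITS):
        while True:
            sig = device.rk_sign(tamper(sk0, sk1, i), m)
            ok0, ok1 = vrfy(vk0, m, sig), vrfy(vk1, m, sig)
            if ok0 != ok1:           # exactly one key explains the signature
                break
            # Both verify only if the challenge is 0 mod q, which is plausible
            # with a 10-bit q; with real parameters it would be a forgery.
            # The non-persistent oracle lets us simply ask again.
        recovered |= int(ok1) << i
    return recovered


def persistent_leaks_nothing_more(sk, m="any message"):
    """Persistent model: after the first query the device key is one of the
    attacker's own keys, so every later answer could have been computed by
    the attacker alone and reveals nothing further about sk."""
    device = Device(sk, persistent=True)
    _, sk0 = gen()
    _, sk1 = gen()
    device.rk_sign(tamper(sk0, sk1, 0), m)
    return device.current_key() in (sk0, sk1)


if __name__ == "__main__":
    vk, sk = gen()
    print("sk =", sk, "recovered =", recover_key(Device(sk)))
    print("persistent query leaks nothing more:", persistent_leaks_nothing_more(sk))
```

`recover_key` needs exactly \(|sk|\) signing queries in the non-persistent model (plus the occasional repeat caused by the tiny toy modulus), and nothing in `sign` could have refused: the key it was handed is a genuine output of `gen`.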

If the key-updating algorithm is allowed to run only when tampering is detected (which is the case in our definition), then there is no secure digital signature scheme resilient to non-persistent tampering attacks even if it has both self-destruct and key-updating mechanisms (see Appendix D for the definitions): the attack above never triggers detection, so neither mechanism is ever invoked and the bit-by-bit extraction goes through unchanged.