Abstract
We construct identity-based encryption and inner product encryption schemes under the decision linear assumption. Their private user keys are leakage-resilient in several scenarios. In particular,
- In the bounded memory leakage model (Akavia et al., TCC, vol. 5444, pp. 474–495, 2009), our basic schemes reach the maximum-possible leakage rate \(1-o(1)\).
- In the continual memory leakage model (Brakerski et al., Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage, 2010; Dodis et al., Cryptography against continuous memory attacks, 2010), variants of the above schemes enjoy leakage rate at least \(\frac{1}{2} -o(1)\). Among the results, we improve upon the work of Brakerski et al. by presenting adaptively secure IBE schemes.
In addition, we prove that our IBE schemes are anonymous under the DLIN assumption, so that ciphertexts leak no information on the corresponding identities. Similarly, attributes in IPE are proved to be computationally hidden in the corresponding ciphertexts.
Notes
J. A. Akinyele. Personal communication, 2013.
References
Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008).
Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: Gilbert H (ed.) Advances in Cryptology—EUROCRYPT 2010, Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110, pp. 553–572. Springer, Berlin (2010).
Agrawal S., Dodis Y., Vaikuntanathan V., Wichs D.: On continual leakage of discrete log representations. Cryptology ePrint Archive, Report 2012/367. http://eprint.iacr.org/. Accepted to Asiacrypt 2013 (2012).
Agrawal S., Freeman D.M., Vaikuntanathan V.: Functional encryption for inner product predicates from learning with errors. Cryptology ePrint Archive, Report 2011/410. http://eprint.iacr.org/. Accepted to Asiacrypt 2011 (2011).
Akavia A., Goldwasser S., Vaikuntanathan V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold O. (ed.) TCC. Lecture Notes in Computer Science, vol. 5444, pp. 474–495. Springer, New York (2009).
Akinyele J.A., Garman C., Miers I., Pagano M.W., Rushanan M., Green M., Rubin A.D.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013).
Alwen J., Dodis Y., Wichs D.: Survey: leakage resilience and the bounded retrieval model. In: Kurosawa K. (ed.) ICITS. Lecture Notes in Computer Science, vol. 5973, pp. 1–18. Springer, New York (2009).
Alwen J., Dodis Y., Naor M., Segev G., Walfish S., Wichs D.: Public-key encryption in the bounded-retrieval model. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110, pp. 113–134. Springer, New York (2010).
Boneh D., Boyen X., Shacham H.: Short group signatures. In: Franklin M.K. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 3152, pp. 41–55. Springer, New York (2004).
Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004).
Boneh D., Raghunathan A., Segev G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti R., Garay J.A. (ed.) CRYPTO (2). Lecture Notes in Computer Science, vol. 8043, pp. 461–478. Springer, New York (2013).
Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) TCC. Lecture Notes in Computer Science, vol. 4392, pp. 535–554. Springer, New York (2007).
Brakerski Z., Kalai Y.T., Katz J., Vaikuntanathan V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: Trevisan L. (ed.) 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010, 23–26 Oct 2010, Las Vegas, Nevada, USA, pp. 501–510. IEEE Computer Society. http://eprint.iacr.org/2010/278 (2010).
Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110, pp. 523–552. Springer, New York (2010).
Chow S.S.M., Dodis Y., Rouselakis Y., Waters B.: Practical leakage-resilient identity-based encryption from simple assumptions. In Al-Shaer E., Keromytis A.D., Shmatikov V. (ed.) ACM Conference on Computer and Communications Security, pp. 152–161. ACM, New York (2010).
Damgård I., Faust S., Mukherjee P., Venturi D.: Bounded tamper resilience: how to go beyond the algebraic barrier. In Sako K., Sarkar P. (eds.) Advances in Cryptology—ASIACRYPT 2013. Proceedings of the 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, 1–5 Dec 2013, Part II. Lecture Notes in Computer Science, vol. 8270, pp. 140–160. Springer, New York (2013).
Dodis Y., Goldwasser S., Kalai Y.T., Peikert C., Vaikuntanathan V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio D. (ed.) TCC. Lecture Notes in Computer Science, vol. 5978, pp. 361–381. Springer, New York (2010).
Dodis Y., Haralambiev K., López-Alt A., Wichs D.: Cryptography against continuous memory attacks. In: Trevisan L. (ed.) 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010, 23–26 Oct 2010, Las Vegas, Nevada, USA, pp. 511–520. IEEE Computer Society (2010).
Dodis Y., Lewko A. B., Waters B., Wichs D.: Storing secrets on continually leaky devices. In: Ostrovsky R. (ed.) FOCS, pp. 688–697. IEEE (2011).
Halderman J.A., Schoen S.D., Heninger N., Clarkson W., Paul W., Calandrino J.A., Feldman A.J., Appelbaum J., Felten E.W.: Lest we remember: cold boot attacks on encryption keys. In: van Oorschot P.C. (ed.) USENIX Security Symposium, pp. 45–60. USENIX Association (2008).
Hofheinz D., Kiltz E.: Programmable hash functions and their applications. J. Cryptol. 25(3), 484–527 (2012).
Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart N.P. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 4965, pp. 146–162. Springer, Berlin (2008).
Kocher P.C., Jaffe J., Jun B.: Differential power analysis. In: Wiener M.J. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 1666, pp. 388–397. Springer, New York (1999).
Kurosawa K., Phong L.T.: Leakage resilient IBE and IPE under the DLIN assumption. In: Jacobson Jr. M.J., Locasto, M.E., Mohassel P., Safavi-Naini R. (eds.) ACNS. Lecture Notes in Computer Science, vol. 7954, pp. 487–501. Springer, New York (2013).
Lewko A.B., Lewko M., Waters B.: How to leak on key updates. In: Fortnow L., Vadhan S.P. (eds.) STOC, pp. 725–734. ACM, New York (2011).
Lewko A.B., Okamoto T., Sahai A., Takashima K., Waters B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, 30 May–3 June 2010. Lecture Notes in Computer Science, vol. 6110, pp. 62–91. Springer, New York (2010).
Lewko A.B., Rouselakis Y., Waters B.: Achieving leakage resilience through dual system encryption. In: TCC, pp. 70–88 (2011).
Li J., Guo Y., Yu Q., Lu Y., Zhang Y.: Provably secure identity-based encryption resilient to post-challenge continuous auxiliary inputs leakage. Secur. Commun. Netw. 9(10), 1016–1024 (2016).
Li J., Guo Y., Yu Q., Lu Y., Zhang Y., Zhang F.: Continuous leakage-resilient certificate-based encryption. Inf. Sci. 355–356, 1–14 (2016).
Li J., Teng M., Zhang Y., Yu Q.: A leakage-resilient CCA-secure identity-based encryption scheme. Comput. J. 59(7), 1066–1075 (2016).
Micali S., Reyzin L.: Physically observable cryptography (extended abstract). In: Naor M. (ed.) TCC. Lecture Notes in Computer Science, vol. 2951, pp. 278–296. Springer, New York (2004).
Naor M., Segev G.: Public-key cryptosystems resilient to key leakage. In: Halevi S. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 5677, pp. 18–35. Springer, New York. http://research.microsoft.com/en-us/um/people/gilse/papers/KeyLeakage (2009).
Okamoto T., Takashima K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin T. (ed.) CRYPTO. Lecture Notes in Computer Science, vol. 6223, pp. 191–208. Springer, New York (2010).
Quisquater J.-J., Samyde D.: Electromagnetic analysis (EMA): measures and counter-measures for smart cards. In: Attali I., Jensen T.P. (eds.) E-smart. Lecture Notes in Computer Science, vol. 2140, pp. 200–210. Springer, New York (2001).
Shamir A.: Identity-based cryptosystems and signature schemes. In: CRYPTO, pp. 47–53 (1984).
Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) EUROCRYPT. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, New York (2005).
Yu Q., Li J., Zhang Y.: Leakage-resilient certificate-based encryption. Secur. Commun. Netw. 8, 3346–3355 (2015).
Yu Q., Li J., Zhang Y., Wu W., Huang X., Xiang Y.: Certificate-based encryption resilient to key leakage. J. Syst. Softw. 116, 101–112 (2016).
Yuen T.H., Chow S.S.M., Zhang Y., Yiu S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT. Lecture Notes in Computer Science, vol. 7237, pp. 117–134. Springer, New York (2012).
Acknowledgements
We thank the anonymous reviewers for their comments.
Additional information
Communicated by C. Mitchell.
A preliminary version of this paper was presented at the 11th International Conference on Applied Cryptography and Network Security (ACNS ’13) [24].
Appendices
Appendix 1: Computing \(g^\mathbf {v}\)
We are given \(\mathbf {F}\in \mathbb {Z}_q^{2\times 2\ell }\) and \(g^\mathbf {D}\in \mathbb {G}^{2\times 1}\), and want to compute \(g^\mathbf {v}\in \mathbb {G}^{2\ell \times 1}\) where \(\mathbf {F}\mathbf {v}= \mathbf {D}\), without knowing \(\mathbf {D}\) itself. With all but negligible probability, \(\mathbf {F}\) as generated in our scheme has rank 2, so (after permuting columns if necessary) we can write \(\mathbf {F}= \left[ \mathbf {F}_a \big | \mathbf {F}_b\right] \) with \(\mathbf {F}_a\in \mathbb {Z}_q^{2\times 2}\) invertible. Multiplying the linear equation \(\mathbf {F}\mathbf {v}=\mathbf {D}\) by \(\mathbf {F}_2 = \mathbf {F}_a^{-1}\) gives \(\left[ \mathbf {I}_2 \big | \mathbf {F}_1\right] \mathbf {v}=\mathbf {F}_2\mathbf {D}\), where \(\mathbf {I}_2\) is the \(2\times 2\) identity matrix and \(\mathbf {F}_1 = \mathbf {F}_a^{-1}\mathbf {F}_b\in \mathbb {Z}_q^{2\times (2\ell -2)}\), \(\mathbf {F}_2\in \mathbb {Z}_q^{2\times 2}\) depend only on \(\mathbf {F}\). Now let \(\mathbf {w}=(\mathbf {v}[1], \mathbf {v}[2])^T\) and \(\mathbf {w}^{\prime }= (\mathbf {v}[3], \dots , \mathbf {v}[2\ell ])^T\); then \(\mathbf {w}+ \mathbf {F}_1 \mathbf {w}^{\prime }=\mathbf {F}_2 \mathbf {D},\) so that \(\mathbf {w}^{\prime }\) can be chosen freely and \(\mathbf {w}= \mathbf {F}_2 \mathbf {D}- \mathbf {F}_1 \mathbf {w}^{\prime }\). Since \(\mathbf {w}\) is a known linear function of \(\mathbf {D}\) and \(g^\mathbf {D}\) is given, we can compute \(g^\mathbf {w}\) in the exponent, namely \(g^{\mathbf {w}[i]} = \prod _{j=1}^{2} \big (g^{\mathbf {D}[j]}\big )^{\mathbf {F}_2[i,j]} \cdot g^{-(\mathbf {F}_1 \mathbf {w}^{\prime })[i]}\) for \(i=1,2\), and hence \(g^\mathbf {v}\) as well.
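The computation above, carried out as an added example (not code from the paper) in a toy group: the order-\(q\) subgroup of \(\mathbb {Z}_p^*\) with \(p = 2q+1\), \(q = 1019\) and generator \(g = 4\), which stands in for the pairing group \(\mathbb {G}\) and is far too small for any security. The function names `sample_F`, `solve_in_exponent` and `check_in_exponent` are this example's own; \(\mathbf {F}\) is sampled so that its first two columns are invertible, which is the case the appendix reduces to. The final check verifies \(\mathbf {F}\mathbf {v}=\mathbf {D}\) using only \(g^{\mathbf {v}}\) and \(g^{\mathbf {D}}\), the test a key holder can run without ever seeing \(\mathbf {D}\).

```python
# Added example (not from the paper): Appendix 1 carried out in a toy group.
# G = order-Q subgroup of Z_P^*, P = 2Q + 1 (toy safe prime, not a pairing
# group); g = 4 generates it.  Parameters are far too small for any security.
import random

Q = 1019            # prime group order
P = 2 * Q + 1       # 2039, prime
G = 4               # 4 = 2^2 is a square and 4 != 1, so it has order Q


def inv2x2(m):
    """Inverse of a 2x2 matrix over Z_Q; ValueError if singular."""
    (a, b), (c, d) = m
    det = (a * d - b * c) % Q
    if det == 0:
        raise ValueError("singular matrix mod Q")
    di = pow(det, -1, Q)
    return [[d * di % Q, -b * di % Q], [-c * di % Q, a * di % Q]]


def sample_F(ell, rng):
    """Random F in Z_Q^{2 x 2ell} whose first two columns are invertible
    (the rank-2 case Appendix 1 conditions on; another column pair would
    do after a permutation)."""
    while True:
        F = [[rng.randrange(Q) for _ in range(2 * ell)] for _ in range(2)]
        try:
            inv2x2([row[:2] for row in F])
            return F
        except ValueError:
            continue


def solve_in_exponent(F, gD, rng):
    """Given F in the clear and gD = [g^D[0], g^D[1]], return g^v with F v = D,
    never learning D.  Write F = [F_a | F_b]; F_2 = F_a^{-1}, F_1 = F_a^{-1} F_b,
    v = (w, w') with w' free and w = F_2 D - F_1 w'.  Everything involving D
    is a known linear map, so it is evaluated in the exponent."""
    n = len(F[0])
    F2 = inv2x2([row[:2] for row in F])
    Fb = [row[2:] for row in F]
    F1 = [[sum(F2[i][k] * Fb[k][j] for k in range(2)) % Q
           for j in range(n - 2)] for i in range(2)]
    w_prime = [rng.randrange(Q) for _ in range(n - 2)]   # free part, random
    g_w = []
    for i in range(2):
        acc = 1
        for j in range(2):                        # g^{(F_2 D)[i]} from g^D
            acc = acc * pow(gD[j], F2[i][j], P) % P
        s = sum(F1[i][j] * w_prime[j] for j in range(n - 2)) % Q
        acc = acc * pow(G, (-s) % Q, P) % P       # times g^{-(F_1 w')[i]}
        g_w.append(acc)
    return g_w + [pow(G, x, P) for x in w_prime]


def check_in_exponent(F, gD, gv):
    """Verify F v = D from g^v and g^D only: prod_j (g^v[j])^F[i][j] == g^D[i]."""
    for i in range(2):
        acc = 1
        for j, gvj in enumerate(gv):
            acc = acc * pow(gvj, F[i][j], P) % P
        if acc != gD[i] % P:
            return False
    return True


if __name__ == "__main__":
    rng = random.Random(2017)
    F = sample_F(4, rng)                           # 2 x 8
    D = [rng.randrange(Q) for _ in range(2)]       # known only to the issuer
    gD = [pow(G, d, P) for d in D]
    gv = solve_in_exponent(F, gD, rng)
    print("F v = D holds in the exponent:", check_in_exponent(F, gD, gv))
```

Because \(\mathbf {w}^{\prime }\) is sampled fresh on every call, repeated calls on the same \(g^{\mathbf {D}}\) return different \(g^{\mathbf {v}}\) that all satisfy the check; this is exactly the freedom that the leakage-resilience arguments rely on.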
Appendix 2: Public key encryption scheme \({\mathcal {L}\ell }\) in [13]
1.1 Description
Fix an integer parameter \(\ell \ge 7\). In key generation, take random matrices \(\mathbf {A}\in \mathbb {Z}_q^{2\times \ell }\) and \(\mathbf {Y}\in \mathbb {Z}_q^{\ell \times 2}\) such that \(\mathbf {A}\mathbf {Y}= \mathbf {0}\). The public key is \(pk = g^{\mathbf {A}}\) and the secret key is \(sk = g^{\mathbf {Y}}\). To update the secret key, take a random \(\mathbf {R}\in \mathbb {Z}_q^{2\times 2}\) (invertible with all but negligible probability) and set \(sk^{\prime } = g^{\mathbf {Y}\mathbf {R}}\); note that \(\mathbf {A}(\mathbf {Y}\mathbf {R}) = \mathbf {0}\) still holds. The message space is a single bit. The encryption of bit 1 is \(g^\mathbf{u}\) for a random vector \(\mathbf{u}\in \mathbb {Z}_q^{\ell }\); the encryption of bit 0 is \(g^{\mathbf{r}\mathbf {A}}\) for a random vector \(\mathbf{r} \in \mathbb {Z}_q^{1\times 2}\). To decrypt a ciphertext \(g^\mathbf{c}\) with secret key \(g^{\mathbf {Y}}\), apply the pairing \({\hat{e}}\) componentwise, computing \(\prod _{i}{\hat{e}}(g^{\mathbf{c}[i]}, g^{\mathbf {Y}[i,j]})\) for \(j=1,2\), to obtain \({\hat{e}}(g,g)^{\mathbf{c}\mathbf {Y}}\). If the result equals \({\hat{e}}(g,g)^{\mathbf {0}}\), return 0, otherwise return 1 as the message. Correctness follows since an encryption of 0 gives \(\mathbf{c}\mathbf {Y}= \mathbf{r}\mathbf {A}\mathbf {Y}= \mathbf {0}\), whereas for an encryption of 1 the vector \(\mathbf{u}\mathbf {Y}\) is nonzero except with negligible probability.
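The scheme as an added example (not the code of [13] nor of this paper), run in a stand-in for the pairing group: a group element \(g^x\) is represented by \(x\in \mathbb {Z}_q\), and the pairing \({\hat{e}}(g^a,g^b)={\hat{e}}(g,g)^{ab}\) by the product \(ab \bmod q\). Discrete logarithms are trivial in this model, so it has no security whatsoever; it only exercises the scheme's linear algebra: that \(\mathbf {A}\mathbf {Y}=\mathbf {0}\) survives a key update, that encryptions of 0 always decrypt correctly and encryptions of 1 do so except with probability about \(1/q^2\), and that a singular update matrix \(\mathbf {R}\) destroys correctness. Building \(\mathbf {A}\) as \(\mathbf {M}\left[ \mathbf {I}_2 \big | \mathbf {A}_b\right] \) with \(\mathbf {M}\) invertible (so that the kernel of \(\mathbf {A}\) has the explicit form \(\{(-\mathbf {A}_b\mathbf {t}, \mathbf {t})\}\)) and the function names are this example's own choices.

```python
# Added example (not from [13] or this paper): the one-bit scheme of Appendix 2
# in a stand-in "pairing group".  g^x is represented by x in Z_Q (additive
# notation) and e(g^a, g^b) = e(g,g)^{ab} by a*b mod Q.  Discrete logs are
# trivial here, so there is NO security; only the scheme's algebra is shown.
import random

Q = 1019   # toy prime group order


def matmul(A, B):
    """Matrix product over Z_Q (matrices as lists of rows)."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]


def det2(M):
    return (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % Q


def keygen(ell, rng):
    """pk = g^A, sk = g^Y with A in Z_Q^{2 x ell} of rank 2, Y in Z_Q^{ell x 2}
    and A Y = 0.  A = M [I_2 | A_b] with M invertible, so
    ker(A) = {(-A_b t, t) : t in Z_Q^{ell-2}}; Y's columns are two random
    kernel vectors."""
    if ell < 7:
        raise ValueError("Appendix 2 fixes ell >= 7")
    Ab = [[rng.randrange(Q) for _ in range(ell - 2)] for _ in range(2)]
    while True:
        M = [[rng.randrange(Q) for _ in range(2)] for _ in range(2)]
        if det2(M):
            break
    A = matmul(M, [[1, 0] + Ab[0], [0, 1] + Ab[1]])
    cols = []
    for _ in range(2):
        t = [rng.randrange(Q) for _ in range(ell - 2)]
        head = [(-sum(Ab[i][j] * t[j] for j in range(ell - 2))) % Q
                for i in range(2)]
        cols.append(head + t)
    Y = [[cols[0][i], cols[1][i]] for i in range(ell)]
    return A, Y


def update(Y, rng):
    """sk' = g^{Y R} for random R in Z_Q^{2x2}; R is resampled until it is
    invertible, since a singular R makes the new key misdecrypt (see test)."""
    while True:
        R = [[rng.randrange(Q) for _ in range(2)] for _ in range(2)]
        if det2(R):
            return matmul(Y, R)


def encrypt(A, bit, rng):
    """bit 1 -> g^u for random u in Z_Q^ell; bit 0 -> g^{r A}, r in Z_Q^{1x2}."""
    ell = len(A[0])
    if bit:
        return [rng.randrange(Q) for _ in range(ell)]
    r = [[rng.randrange(Q) for _ in range(2)]]
    return matmul(r, A)[0]


def decrypt(Y, c):
    """e(g,g)^{c Y} via the stand-in pairing; the zero vector means bit 0.
    Enc(0) = rA gives c Y = r (A Y) = 0 always; Enc(1) = u gives the random
    vector u Y, which is zero only with probability about 1/Q^2."""
    cY = matmul([c], Y)[0]
    return 0 if cY == [0, 0] else 1


if __name__ == "__main__":
    rng = random.Random(13)
    A, Y = keygen(8, rng)
    Y2 = update(Y, rng)
    for b in (0, 1):
        c = encrypt(A, b, rng)
        print("bit", b, "-> old key:", decrypt(Y, c), "updated key:", decrypt(Y2, c))
```

The invertibility check in `update` is the practitioner's caveat: with \(\mathbf {R} = \mathbf {0}\) the updated key is \(g^{\mathbf {0}}\) and every ciphertext decrypts to 0, so an implementation must not accept an arbitrary \(\mathbf {R}\) from an untrusted source.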
1.2 Security in CML model
Under the DLIN assumption, for \(\ell \ge 7\) and for all constants \(\gamma , c>0\), the above public key encryption scheme is secure in the CML model with update and memory leakage rates
Cite this article
Kurosawa, K., Phong, L.T. Anonymous and leakage resilient IBE and IPE. Des. Codes Cryptogr. 85, 273–298 (2017). https://doi.org/10.1007/s10623-016-0303-7