Certificate-based encryption resilient to key leakage

https://doi.org/10.1016/j.jss.2015.05.066

Highlights

  • We put forward the formal definition and security model of LR-CBE.

  • We present the first certificate-based encryption scheme with leakage resilience.

  • The security of the scheme is reduced to composite order bilinear group assumption.

  • The relative leakage rate of the key is close to 1/3.

Abstract

Certificate-based encryption (CBE) is an important class of public key encryption, but the existing schemes are secure only under the premise that the decryption key (or private key) and the master secret key are kept absolutely secret. In practice, many side channel attacks and cold boot attacks can leak secret information from a cryptographic system. In this case the security of the system is destroyed, so a new model called leakage-resilient (LR) cryptography was introduced to address this problem. While some leakage-resilient traditional public key encryption and identity-based encryption schemes have been constructed, as far as we know, there is no leakage-resilient scheme in certificate-based cryptosystems. This paper puts forward the first certificate-based encryption scheme that resists not only decryption key leakage but also master secret key leakage. Based on the composite order bilinear group assumption, the security of the scheme is proved using dual system encryption. The relative leakage rate of the key is close to 1/3.

Introduction

In order to solve the certificate management problem in traditional public key cryptosystems and the key escrow problem in identity-based cryptosystems, Gentry (2003) proposed a new cryptographic paradigm called certificate-based encryption. Since then, many concrete schemes (Li et al., 2010, 2012a, 2012b, 2012c, Li et al., 2013, Lu and Li, 2010, 2012) have been constructed under the assumption that the decryption key and master secret key are absolutely confidential.

But that is not always the case: side channel attacks (Halderman et al., 2009, Dodis and Pietrzak, 2010, Brumley and Boneh, 2005, Gandolfi et al., 2001, Chen et al., 2013) have been found in the real world. Through such attacks, the adversary can obtain information by observing execution timing, energy consumption, etc. This results in leakage of secret information, including information about the vital master secret key and decryption key. Side channel attacks thus give adversaries an advantage in obtaining secret information, so the security of previous cryptographic schemes is compromised under these circumstances. A new model must be constructed to capture such attacks.

In order to guarantee the security of cryptographic systems under such circumstances, we usually define an attack model that limits the attacker's behavior. If the attacker satisfies the constraints, the corresponding cryptosystems are regarded as secure in that model. Leakage-resilient cryptography is the model that captures side channel attacks, and it has become a research hotspot in recent years.

For identity-based cryptosystems and traditional public key cryptosystems, some leakage-resilient schemes have been constructed. For certificate-based cryptosystems, as far as we know, no leakage-resilient scheme has been presented. This paper puts forward the first certificate-based encryption scheme resilient to master secret key leakage and decryption key leakage.

In 2004, Micali and Reyzin (2004) proposed the “only computation leaks information” model: computation is divided into many steps, and only the part of the secret state which is accessed (i.e. active) in a step can leak in that step; the part that is not accessed (i.e. inactive) does not leak. Under this model, the leakage-resilient stream cipher (Pietrzak, 2009, Dziembowski and Pietrzak, 2008) and leakage-resilient signature (Faust et al., 2010) were constructed. Although the “only computation leaks information” model describes a large class of leakage attacks, it has a shortcoming: it does not capture the setting where the inactive part in memory also leaks information (for example, the cold boot attack (Halderman et al., 2009)). To solve this problem, the work (Akavia et al., 2009) introduced the “bounded leakage” model, which is stronger than the “only computation leaks information” model because leakage of the inactive part is also considered. Under the “bounded leakage” model, leakage-resilient encryption and signature schemes (Chow et al., 2010, Naor and Segev, 2012, Katz and Vaikuntanathan, 2009) were constructed. The construction of leakage-resilient identity-based schemes has attracted more attention, and some results have been given in the works (Alwen et al., 2009, Chen et al., 2011, Luo et al., 2010).

By constructing a hash proof system, the work (Naor and Segev, 2012) gave a leakage-resilient encryption scheme which can resist leakage of l/4 bits of information about the private key (l is the bit length of the private key). The work (Alwen et al., 2010) extended the method of Naor and Segev (2012) to construct an identity-based hash proof system and further to put forward leakage-resilient identity-based encryption (LR-IBE) in the bounded retrieval model. To improve leakage resilience, the work (Lewko et al., 2011) introduced dual system encryption to this setting.

Similar to the traditional security model of CBE, we consider two types of adversaries. The first type of adversary, A1, is a malicious user who is allowed to replace the public key but does not know the master secret key. The second type of adversary, A2, is a dishonest certificate authority (CA) who holds the master secret key for generating certificates but is not allowed to replace the public key. Inspired by the leakage-resilient certificateless encryption (CLE) of Xiong et al. (2013) and the certificate-based encryption of Wu et al. (2012), we propose the formal definition and security model of leakage-resilient certificate-based encryption (LR-CBE) and further present the first leakage-resilient certificate-based encryption scheme in the “bounded leakage” model. The security of the scheme is proved using the dual system encryption technique. The leakage bound amounts to 1/3 if n is large enough. Performance comparison shows that the encryption operation of our scheme is faster than that of the schemes given in Gentry (2003). However, the decryption cost grows linearly with the vector size n. To make the scheme more efficient, we can take n = 2, in which case decryption needs 4 pairings, which is acceptable in practical applications.

In the security proof we use the dual system encryption technique proposed in Waters (2009), which can be used to improve the security of cryptographic systems. In dual system encryption, decryption keys and ciphertexts each have two forms: normal and semi-functional (SF). Normal decryption keys can decrypt both normal and semi-functional ciphertexts, whereas semi-functional decryption keys can correctly decrypt only normal ciphertexts. In the real security game, all decryption keys and ciphertexts are normal. The security proof is a hybrid argument in which the ciphertext is first changed to semi-functional and then the keys are changed to semi-functional one by one. For each pair of consecutive games we prove that the attacker cannot detect the difference between them with non-negligible advantage. In the final game only semi-functional decryption keys and ciphertexts need to be produced, so the attacker cannot decrypt correctly. This allows us to prove security.

In Section 2, we give some preliminaries that will be used. The formal definition and security model of LR-CBE are given in Section 3. In Section 4, the concrete construction of LR-CBE is put forward. The security proof of the proposed scheme is given in Section 5. The leakage bound is analyzed in Section 6. Comparisons with other schemes are given in Section 7. Section 8 concludes the paper.

Section snippets

Several basic conceptions

Definition 1

Bilinear Map

Let G and G_T be multiplicative cyclic groups of order q and P be a generator of G. A bilinear map e: G × G → G_T has the following three properties:

  • (1) Bilinearity: for P, Q ∈ G and a, b ∈ Z*, e(P^a, Q^b) = e(P, Q)^{ab}.

  • (2) Non-degeneracy: e(P, P) ≠ 1.

  • (3) Computability: there is an efficient algorithm to compute e(P, Q) ∈ G_T.

Definition 2

NIZK Proof System

Let R be a binary relation in a language L. For (x, w) ∈ R, x is called the statement and w is called the witness. A non-interactive zero-knowledge (NIZK) proof

Formal definition of LR-CBE

Inspired by the works (Lewko et al., 2011, Xiong et al., 2013), we put forward the formal definition of LR-CBE, which is resilient to master secret key leakage and decryption key leakage. We will use a hash function H̄ : ID × PK → ID, where ID is the identity space and PK is the public key space. The purpose of the hash function is to maintain security when a CLE is converted to a CBE (refer to Wu et al., 2012). Our LR-CBE scheme is composed of the following seven algorithms.

Setup: Setup(1ϑ

Construction of our LR-CBE

We first give the NIZK proof system (Gen, Prf, Ver) that will be employed in our scheme. It is an NIZK proof system for the language L = {β : Y^β = Z}, where β ∈ Z_N and Y, Z ∈ G_T. H̄ : ID × PK → ID is a hash function, where ID is the identity space and PK is the public key space. The hash function is used to maintain security when a CLE is converted to a CBE (refer to Wu et al., 2012). Suppose that any identity is an element of Z_N. Our LR-CBE consists of the following seven
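As an added illustration of the NIZK component (Definition 2 above and the proof system (Gen, Prf, Ver) used in this construction), and not code from the paper: a Schnorr proof of knowledge of the exponent β in Y^β = Z, made non-interactive with the Fiat-Shamir transform and exposed through the same Gen/Prf/Ver interface. The paper's proof system works with Y, Z in the target group G_T of a composite-order pairing; this example assumes instead a prime-order subgroup of Z_p^* for a safe prime p (found by a deterministic search inside Gen) so that it runs without a pairing library. The helper names (_is_prime, _in_group, _challenge, demo) and the hash domain-separation string are this example's own choices.

```python
# Added example (not the paper's code): Fiat-Shamir NIZK for L = {beta : Y^beta = Z}
# over a prime-order subgroup of Z_p^* (assumption made here instead of the
# paper's target group G_T), with the paper's Gen / Prf / Ver interface.
import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; the fixed witness set is exact below 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in small:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def Gen(bits: int = 62) -> dict:
    """Common reference string: a safe prime p = 2q + 1 found by deterministic
    upward search from 2^(bits-1), plus a generator of the order-q subgroup.
    62-bit toy size so the example runs instantly; not a deployment parameter."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    # 4 = 2^2 is a quadratic residue and != 1, so its order is exactly q.
    return {"p": 2 * q + 1, "q": q, "g": 4}


def _in_group(crs: dict, x: int) -> bool:
    """Membership test for the order-q subgroup (rejects 0, p, small-order junk)."""
    return 0 < x < crs["p"] and pow(x, crs["q"], crs["p"]) == 1


def _challenge(crs: dict, Y: int, Z: int, T: int) -> int:
    """Fiat-Shamir challenge: hash of group, statement and commitment, mod q."""
    h = hashlib.sha256()
    for v in ("LR-CBE-NIZK-example", crs["p"], crs["q"], crs["g"], Y, Z, T):
        h.update(str(v).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % crs["q"]


def Prf(crs: dict, stmt: tuple, beta: int) -> tuple:
    """Prove knowledge of beta with Y^beta = Z. Returns the proof (T, s)."""
    p, q = crs["p"], crs["q"]
    Y, Z = stmt
    if pow(Y, beta, p) != Z:
        raise ValueError("witness does not satisfy the statement")
    r = secrets.randbelow(q - 1) + 1      # fresh randomness for every proof
    T = pow(Y, r, p)                      # commitment
    c = _challenge(crs, Y, Z, T)
    s = (r + c * beta) % q                # response; beta is hidden by r
    return (T, s)


def Ver(crs: dict, stmt: tuple, proof: tuple) -> bool:
    """Accept iff Y^s == T * Z^c (mod p) and every element is in the subgroup."""
    p = crs["p"]
    Y, Z = stmt
    T, s = proof
    if not (_in_group(crs, Y) and _in_group(crs, Z) and _in_group(crs, T)):
        return False
    if not 0 <= s < crs["q"]:
        return False
    c = _challenge(crs, Y, Z, T)
    return pow(Y, s, p) == (T * pow(Z, c, p)) % p


def demo() -> tuple:
    """Honest proof verifies; the same proof fails for a different Z and for a
    tampered response. Returns (honest_ok, wrong_statement_ok, tampered_ok)."""
    crs = Gen()
    p, q, g = crs["p"], crs["q"], crs["g"]
    Y = pow(g, secrets.randbelow(q - 1) + 1, p)   # any subgroup element as base
    beta = secrets.randbelow(q - 1) + 1           # the secret exponent (witness)
    Z = pow(Y, beta, p)
    proof = Prf(crs, (Y, Z), beta)
    T, s = proof
    wrong_Z = (Z * g) % p                         # in the subgroup, but Y^beta != wrong_Z
    return (Ver(crs, (Y, Z), proof),
            Ver(crs, (Y, wrong_Z), proof),
            Ver(crs, (Y, Z), (T, (s + 1) % q)))


if __name__ == "__main__":
    print(demo())
```

The subgroup-membership checks in Ver are the part most often skipped in hand-rolled implementations; without them a prover can submit elements of small order and the verification equation loses its meaning. The challenge binds the full statement (Y, Z), which is why a proof produced for Z does not verify for any other Z'.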

Security proof

Inspired by dual system encryption method (Lewko et al., 2011, Waters, 2009, Lewko and Waters, 2010), we use semi-functional ciphertexts and keys in our proof. In order to accomplish our proof, we give dual system construction of our LR-CBE.

Leakage bound

Our scheme is resilient to λ_msk bits of leakage of the master secret key and λ_dk bits of leakage of the decryption key. λ_msk and λ_dk have the same maximum value (n − 2c − 1)λ, where n ≥ 2 is an integer and c is a fixed positive constant. The leakage bound depends on the size of the subgroup G_{p2}. The value of n can be varied.

In our system N = p1 p2 p3, where p1, p2, p3 are λ-bit primes. The size of the master secret key is (n + 3)(λ + λ + λ) = 3(n + 3)λ bits. Similarly, the size of the decryption key is 3(n + 2)λ bits. The leakage
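Worked out here as an added illustration (not text from the paper): reading the maximum leakage as (n − 2c − 1)λ and taking the key sizes 3(n + 3)λ and 3(n + 2)λ from this section, the relative leakage rates are

\[
\frac{\lambda_{msk}}{|msk|} = \frac{(n-2c-1)\lambda}{3(n+3)\lambda} = \frac{n-2c-1}{3(n+3)}, \qquad
\frac{\lambda_{dk}}{|dk|} = \frac{(n-2c-1)\lambda}{3(n+2)\lambda} = \frac{n-2c-1}{3(n+2)},
\]

and since c does not depend on n, both ratios tend to 1/3 as n grows. This is the sense in which the leakage rate is "close to 1/3" for large n; the n = 2 instantiation mentioned in the introduction trades part of this rate (its master-key rate is (1 − 2c)/15) for a decryption that needs only 4 pairings.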

Comparisons

We compare our scheme with the schemes in Gentry (2003) and Li et al. (2012). There are two CBE schemes in Gentry (2003), BasicCBE and FullCBE, neither of which has leakage resilience. The major contribution of Li et al. (2012) is a key encapsulation mechanism which can be used to construct CBE. The key encapsulation mechanism has no leakage resilience either. Our scheme is a practical and secure scheme with leakage resilience. Denote the hash operation by H and the pairing computation by P.

Conclusion

Formal definitions and security models for LR-CBE are given in this paper. We present a leakage-resilient certificate-based encryption scheme in which leakage about the decryption key and the master secret key is considered. The security of the scheme is reduced to the composite order bilinear groups assumption. To the best of our knowledge, this is the first LR-CBE resilient to master secret key leakage. Our scheme has good leakage resilience. The leakage rate is close to 1/3 if we adjust n

Acknowledgments

We would like to thank anonymous referees for their helpful comments and suggestions to improve our paper. This research is supported by the National Natural Science Foundation of China (61272542, 61472083, 61402110, 61170298), the Fundamental Research Funds for the Central Universities (2013B07014), the Funding of Jiangsu Innovation Program for Graduate Education (KYZZ_0139) and the Natural Science Foundation of the Jiangsu Higher Education Institutions of China (14KJD520006), Fok Ying Tung


References (34)

  • Chen, Y. et al. A new leakage-resilient IBE scheme in the relative leakage model

  • Chow, S.M. et al. Practical leakage-resilient identity-based encryption from simple assumptions. CCS (2010)

  • Dodis, Y. et al. Leakage-resilient pseudorandom functions and side-channel attacks on Feistel networks

  • Dziembowski, S. et al. Leakage-resilient cryptography. FOCS (2008)

  • Faust, S. et al. Leakage-resilient signatures

  • Gandolfi, K. et al. Electromagnetic analysis: concrete results

  • Gentry, C. Certificate-based encryption and the certificate revocation problem


Qihong Yu received his B.S. degree in mathematics from the Xuzhou Normal University, Xuzhou, China in 2001. He received his M.S. degree in computer science from the Yangzhou University, Yangzhou, China in 2006. He is currently a lecturer and pursuing the Ph.D. degree in the College of Computer and Information, Hohai University, Nanjing, China. His research interests include cryptography and network security. He has published over 10 research papers in refereed international conferences and journals.

Jiguo Li received his B.S. degree in mathematics from Heilongjiang University, Harbin, China in 1996, M.S. degree in mathematics and Ph.D. degree in computer science from Harbin Institute of Technology, Harbin, China in 2000 and 2003, respectively. During 2006.9–2007.3, he was a visiting scholar at the Centre for Computer and Information Security Research, School of Computer Science & Software Engineering, University of Wollongong, Australia. During 2013.2–2014.1, he was a visiting scholar at the Institute for Cyber Security in the University of Texas at San Antonio. He is currently a Professor with the College of Computer and Information, Hohai University, Nanjing, China. His research interests include cryptography and information security, cloud computing, wireless security and trusted computing, etc. He has published over 100 research papers in refereed international conferences and journals. His work has been cited more than 1200 times at Google Scholar. He has served as program committee member in over 20 international conferences and served as a reviewer for over 50 international journals and conferences.

Yichen Zhang received her B.S. degree in computer science from the Qiqihar University, Qiqihar, China in 1995. She is currently a lecturer and pursuing the Ph.D. degree in the College of Computer and Information, Hohai University, Nanjing, China. Her research interests include cryptography and network security. She has published over 30 research papers in refereed international conferences and journals.

Wei Wu received her Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia. She is currently an Associate Professor at the School of Mathematics and Computer Science, Fujian Normal University, China. Her research interests include applied cryptography and network security. She has published over 20 research papers in refereed international conferences and journals.

Xinyi Huang received his Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia. He is currently a Professor at the School of Mathematics and Computer Science, Fujian Normal University, China, and the Co-Director of Fujian Provincial Key Laboratory of Network Security and Cryptology. His research interests include applied cryptography and network security. He has published over 100 research papers in refereed international conferences and journals. His work has been cited more than 1700 times at Google Scholar (H-Index: 23). He is an associate editor of IEEE Transactions on Dependable and Secure Computing, is on the Editorial Board of the International Journal of Information Security (IJIS, Springer) and has served as the program/general chair or program committee member in over 70 international conferences.

Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is currently a full professor at the School of Information Technology, Deakin University. He is the Director of the Network Security and Computing Lab (NSCLab) and the Associate Head of School (Industry Engagement). His research interests include network and system security, distributed systems, and networking. He is the Chief Investigator of several projects in network and system security, funded by the Australian Research Council (ARC). He has published more than 150 research papers in many international journals and conferences. Two of his papers were selected as the featured articles in the April 2009 and the July 2013 issues of IEEE Transactions on Parallel and Distributed Systems. He has published two books, Software Similarity and Classification (Springer) and Dynamic and Advanced Data Mining for Progressing Technological Development (IGI-Global). He has served as the Program/General Chair for many international conferences. He serves as the Associate Editor of IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, Security and Communication Networks (Wiley), and the Editor of the Journal of Network and Computer Applications. He is the Coordinator, Asia for the IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Senior Member of the IEEE.
