RESEARCH ARTICLE
Provably secure identity-based encryption resilient to
post-challenge continuous auxiliary input leakage
Jiguo Li*, Yuyan Guo, Qihong Yu, Yang Lu and Yichen Zhang
College of Computer and Information, Hohai University, 211000 Nanjing, China
ABSTRACT
The situation of post-challenge continuous auxiliary input leakage has not been considered in the cryptographic schemes of the previous literature. We present a semantic-security model with post-challenge continuous auxiliary inputs for identity-based encryption. In this model, the adversary is permitted to obtain some information about the private keys constantly, and to query more information after seeing the challenge ciphertext, through side-channel attacks. Furthermore, we present an identity-based encryption scheme resilient to leakage under composite order groups. Our scheme is secure against post-challenge continuous auxiliary input, adaptive chosen-identity, and adaptive chosen-plaintext attacks under three static assumptions in the standard model. Compared with existing identity-based encryption schemes in terms of security properties and performance, our scheme is practical. Copyright © 2015 John Wiley & Sons, Ltd.
KEYWORDS
post-challenge; continuous auxiliary inputs; leakage resilient; composite order group
*Correspondence: Jiguo Li, College of Computer and Information, Hohai University, 211000 Nanjing, China. E-mail: [email protected]
1. INTRODUCTION
To address the certificate management problem, Shamir put forward the notion of identity-based encryption (IBE) [1] in 1984, where the public key of a user is derived from the identity and the corresponding private key is computed by a private key generator (PKG). Boneh and Franklin [2] put forward the first efficient and secure IBE scheme in 2001. Canetti et al. [3] constructed an IBE scheme that is chosen-identity secure in the standard model. In addition, Gentry [4] presented a more efficient IBE system that possesses full security in the same model. Boneh et al. [5] came up with a hierarchical IBE scheme with constant size ciphertext, which is chosen-identity secure in the standard model. To achieve full security, Lewko and Waters [6] combined the scheme of [5] with dual system encryption to present a hierarchical IBE scheme with short ciphertexts.
Traditionally, cryptography is proved secure in an ideal model. Regrettably, most cryptographic schemes are not able to withstand side-channel attacks in real life. The security models frequently mentioned for side-channel attacks are the relative-leakage model [7–12], the bounded-retrieval model (BRM) [13–16], the auxiliary inputs model [17, 18], the continuous leakage-resilient model [19–25], and the post-challenge leakage model [26, 27]. In the relative-leakage model, the overall length of allowed leakage is bounded by the size of the private key, which is not long enough. To overcome this problem of the relative-leakage model, the BRM was proposed. This model is a generalization of the relative-leakage model that allows the size of the private key to be more flexible. The auxiliary input model, which is slightly stronger than the relative-leakage model, is also taken into account. In this model, the restriction on the private key leakage bound is further relaxed, and the leakage functions are only required to be one-way. Unfortunately, the common fault of the three models above is that the private key remains the same over the lifetime of the cryptographic scheme. Hence, the schemes based on these three models are unable to resist continuous leakage attacks. The continuous leakage-resilient model was put forward against attacks where an adversary continues to obtain a bounded amount of secret internal state information per invocation of the cryptographic primitive. The previous models are described as pre-challenge leakage models, where the adversary learns leakage before knowing the challenge ciphertext. To consider leakage after the challenge ciphertext is known, the post-challenge leakage model was given by Halevi and Lin [26].
Many leakage-resilient IBE schemes have been constructed. Chow et al. [28] provided several IBE systems resilient to leakage in the standard model. Luo et al. [10] gave a leakage-resilient IBE system based on a hash proof system. Li and Zhang [11] devised a leakage-resilient IBE scheme and proved its security in the random oracle model. Then, Galindo et al. [29] provided a master-key leakage-resilient IBE scheme against master-key leakage attacks. These previous IBE schemes are based on the relative-leakage model. Unfortunately, the size of the allowed private key leakage is limited in these schemes [10, 11, 28, 29]. To address this issue, Brakerski et al. [30] constructed some secure IBE systems based on the continuous leakage-resilient model. Based on the same security model, Lewko et al. [19] employed dual system encryption to provide IBE, hierarchical IBE, and attribute-based encryption schemes. Yuen et al. [22] devised an IBE system that is resilient to continuous auxiliary input leakage. Yuen et al. [27] defined a post-challenge auxiliary input model and provided an IBE scheme with post-challenge auxiliary inputs.
Published online 18 December 2015 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1396
1.1. Motivations and contributions
We find that the post-challenge continuous auxiliary input model has not yet been proposed for IBE schemes. In fact, some previous IBE schemes, which were constructed in the ideal setting, may be insecure when adversaries are permitted to learn some information about users' private keys constantly, and to query more information after seeing the challenge ciphertext, through side-channel attacks. Thus, it is meaningful to construct a secure leakage-resilient IBE scheme in the post-challenge continuous auxiliary inputs model.
Inspired by [22, 27], we present a formal definition of the post-challenge continuous auxiliary input model for IBE, in which the ability of the adversary is enhanced. In this model, the adversary is able to obtain some leakage of the updated private keys and of the random value of the encryptor, and to gain more information after knowing the challenge ciphertext. Moreover, we design a leakage-resilient IBE scheme based on [6] in the post-challenge continuous auxiliary inputs model. A hard-to-invert strong extractor [27] is used to ensure the security of the random value in the encryption process and to resist post-challenge leakage. A user of our leakage-resilient IBE scheme is allowed to constantly update the private key to resist continuous leakage attacks. Furthermore, a modified Goldreich–Levin theorem [27] is applied to our IBE scheme, which is secure against auxiliary inputs. Finally, we prove the security of the scheme by the dual system encryption technique [6]. We compare our scheme with the schemes [19, 22] on security properties and performance, and show the operation timing using the Java pairing-based cryptography library version 2.0.0 [31].
1.2. Paper organization
The rest of the paper is organized as follows. In Section 2, we review some preliminaries that are used in this paper. In Section 3, we propose a formal definition and a post-challenge continuous auxiliary inputs security model of IBE. We propose a leakage-resilient IBE scheme in Section 4. We prove that our scheme is secure in Section 5. Comparisons of security properties, efficiency and operation timing are given in Section 6. Lastly, the conclusion is given in Section 7.
2. PRELIMINARIES
We introduce some basic notions used in our paper.
2.1. Definitions
Definition 1. (Bilinear map) Let $G$ and $G_T$ be two multiplicative cyclic groups with the same prime order $p$. $g$ is a generator of $G$. $e$ is a bilinear map if $e: G \times G \to G_T$ has the following properties:
• Bilinear: $e(g^a, g^b) = e(g, g)^{ab}$ for $a, b \in \mathbb{Z}_p$.
• Non-degenerate: $e(g, g) \neq 1 \in G_T$.
• Computable: the map $e$ is efficiently computable.
The security of our IBE scheme is based on the following complexity assumptions.
Definition 2. (Composite order bilinear groups) [32] A group generator takes a security parameter $1^\lambda$ ($\lambda \in \mathbb{N}$) as input and generates a tuple $(N = p_1 p_2 p_3, G, G_T, e)$ where $p_1, p_2$ and $p_3$ are distinct primes, $G$ and $G_T$ are two cyclic groups of order $N$, and $e: G \times G \to G_T$ is a bilinear map. Let $G_{p_1}, G_{p_2}, G_{p_3}$ be the subgroups of order $p_1, p_2$ and $p_3$ in $G$, respectively. We have that $e(v, \tilde v)$ is the identity element of $G_T$, where $v \in G_{p_i}$, $\tilde v \in G_{p_j}$, $i, j \in \{1, 2, 3\}$ and $i \neq j$. To see this, let $v \in G_{p_1}$ and $\tilde v \in G_{p_2}$. $g$ is a generator of $G$; $G_{p_3}$ is generated by $g^{p_1 p_2}$, $G_{p_1}$ is generated by $g^{p_2 p_3}$, and $G_{p_2}$ is generated by $g^{p_1 p_3}$. For $v = (g^{p_2 p_3})^{\mu_1}$ and $\tilde v = (g^{p_1 p_3})^{\mu_2}$ where $\mu_1, \mu_2 \in \mathbb{Z}_N$, we have
$$e(v, \tilde v) = e(g^{p_2 p_3 \mu_1}, g^{p_1 p_3 \mu_2}) = e(g^{\mu_1}, g^{p_3 \mu_2})^{p_1 p_2 p_3} = 1.$$
This is the orthogonality property of $G_{p_1}$, $G_{p_2}$, and $G_{p_3}$.
Assumption 1. (Subgroup decision problem for $G_{p_1}$ and $G_{p_1 p_2}$) [28] Let $G_{p_1 p_2}$ be the subgroup of order $p_1 p_2$ in $G$. Given $D_1 = (N, G, G_T, e, g_1, g_2, g_3)$, $g_1 \in_R G_{p_1}$, $g_2 \in_R G_{p_2}$, $g_3 \in_R G_{p_3}$, $T_0 = g_1^a \in G_{p_1}$ and $T_1 = g_1^a g_2^b \in G_{p_1 p_2}$ where $a, b \in_R \mathbb{Z}_N$. The advantage of an algorithm $A$ in distinguishing $T_0$ and $T_1$ is
$$Adv^1_A(1^\lambda) = \left|\Pr[A(D_1, T_0) = 0] - \Pr[A(D_1, T_1) = 0]\right|.$$
Assumption 2. (Subgroup decision problem for $G$ and $G_{p_1 p_3}$) [28] Let $G_{p_1 p_3}$ be the subgroup of order $p_1 p_3$ in $G$. Given $D_2 = (N, G, G_T, e, g_1, g_2, g_3, g_1^{x_1} g_2, g_2^{x_2} g_3^{x_3})$, $g_1 \in_R G_{p_1}$, $g_2 \in_R G_{p_2}$, $g_3 \in_R G_{p_3}$, $T_0 = g_1^a g_3^c \in G_{p_1 p_3}$ and $T_1 = g_1^a g_2^b g_3^c \in G_{p_1 p_2 p_3}$ where $x_1, x_2, x_3, a, b, c \in_R \mathbb{Z}_N$. The advantage of an algorithm $A$ in distinguishing $T_0$ and $T_1$ is
$$Adv^2_A(1^\lambda) = \left|\Pr[A(D_2, T_0) = 0] - \Pr[A(D_2, T_1) = 0]\right|.$$
Assumption 3. (Subgroup decisional bilinear Diffie–Hellman problem) [28] Given $D_3 = (N, G, G_T, e, g_1, g_2, g_3, g_1^{\alpha} g_2, g_1^{s} g_2^{x_2}, g_2^{y_2})$, $g_1 \in_R G_{p_1}$, $g_2 \in_R G_{p_2}$, $g_3 \in_R G_{p_3}$, $T_0 = e(g_1, g_1)^{\alpha s} \in G_T$, and $T_1 \in_R G_T$ where $\alpha, s, x_2, y_2 \in_R \mathbb{Z}_N$. The advantage of an algorithm $A$ in distinguishing $T_0$ and $T_1$ is
$$Adv^3_A(1^\lambda) = \left|\Pr[A(D_3, T_0) = 0] - \Pr[A(D_3, T_1) = 0]\right|.$$
Definition 3. For any polynomial time algorithm $A$, Assumption $i$ holds if $Adv^i_A(1^\lambda)$ is a negligible function of $\lambda$, where $i = 1, 2, 3$. Readers are referred to [28] for details.
3. THE FORMAL DEFINITION AND SECURITY MODEL FOR IBE
3.1. The formal definition of IBE
An IBE scheme is a five-tuple of algorithms ($Setup$, $KeyGen$, $Enc$, $Dec$, and $UpdateSK$). We add an $UpdateSK$ algorithm to update the private key; the size of the updated private key remains the same.
• $Setup(1^\lambda)$: On input a security parameter $1^\lambda$ ($\lambda \in \mathbb{N}$), this algorithm generates a master public key $mpk$ and a master secret key $msk$.
• $KeyGen(msk, ID)$: On input $mpk$, $msk$, and an identity $ID$, this algorithm outputs a private key $sk_{ID}$.
• $Enc(mpk, ID, M)$: Given $mpk$, $ID$, and a message $M$, this algorithm returns the corresponding ciphertext $c$.
• $Dec(sk_{ID}, c)$: On input $sk_{ID}$ and $c$, this algorithm outputs $M$, or $\bot$ if $c$ is an invalid ciphertext.
• $UpdateSK(sk_{ID}, mpk)$: On input $sk_{ID}$ and $mpk$, this algorithm outputs an updated private key $\widetilde{sk}_{ID}$ where $|sk_{ID}| = |\widetilde{sk}_{ID}|$.
3.2. Security model for IBE
Following the security models in [22, 27], we present a formal definition of the post-challenge continuous auxiliary input model for IBE. Let $\Sigma$ be an IBE scheme. The security of $\Sigma$ against post-challenge continuous auxiliary input, adaptively chosen-identity, and adaptively chosen plaintext attacks is defined through the following game pCAI-ID-CPA. Let $F_1$ and $F_2$ be two families of polynomial time computable leakage functions. The adversary $A$ gives $F_1$ and $F_2$ to the challenger $C$. Then, $C$ creates a list $L_{sk}$ to store tuples of the form $(ID, sk_{ID})$ and a list $L_{\widetilde{sk}}$ to store tuples of the form $(\widetilde{sk}_{ID^*}, r_{sk})$; both lists are empty at the initialization of the game.
Setup. $C$ first runs the algorithm $Setup(1^\lambda)$, then returns $mpk$ to $A$.
Phase 1. The following oracles are queried by $A$ adaptively.
• Private-key oracle: On input $ID \neq ID^*$, $C$ searches for the latest tuple $(ID, sk_{ID})$ in the list $L_{sk}$. If it does not exist, $C$ runs the $KeyGen(ID, mpk, msk)$ algorithm, generates a private key $sk_{ID}$, and adds $(ID, sk_{ID})$ to $L_{sk}$. $C$ then returns $sk_{ID}$.
• Pre-challenge leakage oracle: On input $ID$ and functions $f_i \in F_1$ where $i \in \mathbb{N}$, $C$ returns $f_i(L_{sk}, msk, sk_{ID}, mpk, ID)$ to $A$.
Challenge identity. $A$ sends the challenge identity $ID^*$ to $C$. $C$ runs the $KeyGen(ID^*, mpk, msk)$ algorithm to generate $sk_{ID^*}$.
Phase 2. The following oracles are queried by $A$ adaptively:
• Private-key oracle: The same as in Phase 1.
• Pre-challenge leakage oracle: On input functions $f_i \in F_1$ where $i \in \mathbb{N}$, $C$ returns $f_i(L_{sk}, msk, sk_{ID^*}, mpk, ID^*)$ to $A$.
• UpdateSK oracle: $C$ runs the $UpdateSK(sk_{ID^*}, mpk)$ algorithm to generate $\widetilde{sk}_{ID^*}$. Let $r_{sk}$ be the random value used in the $UpdateSK$ algorithm. $C$ then adds the tuple $(\widetilde{sk}_{ID^*}, r_{sk})$ to $L_{\widetilde{sk}}$.
Challenge phase. $A$ submits $M_0$ and $M_1$ of the same size to $C$. $C$ randomly picks $\rho \in \{0, 1\}$ and a value $r \in \{0, 1\}^*$ for encryption. It then returns $c^* = Enc(params, mpk, M_\rho, ID^*, r)$ to $A$.
Phase 3. The following oracles are queried by $A$ adaptively:
• Private-key oracle: The same as in Phase 1.
• Post-challenge leakage oracle: On input functions $\tilde f_{i'} \in F_2$ where $i' \in \mathbb{N}$, $C$ returns $\tilde f_{i'}(r)$ to $A$, where $r \in \{0, 1\}^*$ is the random value used for encryption.
• UpdateSK oracle: $C$ runs the $UpdateSK(sk_{ID^*}, mpk)$ algorithm to generate $\widetilde{sk}_{ID^*}$. Let $r_{sk}$ be the random value used in the $UpdateSK$ algorithm. $C$ then adds the tuple $(\widetilde{sk}_{ID^*}, r_{sk})$ to $L_{\widetilde{sk}}$.
Guess. $A$ returns a guess $\rho' \in \{0, 1\}$. $A$ wins this game if $\rho' = \rho$.
The advantage of $A$ against the IBE scheme $\Sigma$ is
$$Adv^{pCAI\text{-}ID\text{-}CPA}_A(\Sigma) = \left|2\Pr[\rho = \rho'] - 1\right|.$$
Auxiliary functions. We give two families $(F_1, F_2)$ for the leakage oracles (please refer to [14, 27] for details). $F_1$ and $F_2$ are respectively taken to be the one-way function families $H_{IDOW}(\varepsilon_1)$ and $H_{OW}(\varepsilon_2)$ defined below.
Let $S^*$ denote the set of valid user private keys for $ID^*$. Let $S$ denote the set of user private keys that are queried in the private-key oracle, where $S^* \cap S = \emptyset$. Let $H_{IDOW}(\varepsilon_1)$ be the family of functions $f_i: \{0, 1\}^* \to \{0, 1\}^*$, where $0 < \varepsilon_1 < 1$, $i \in [1, q]$, and $q \in \mathbb{N}$, such that given $(mpk, S, ID^*, f_i(L_{sk}, msk, sk_{ID^*}, mpk, ID^*))$, no probabilistic polynomial time (PPT) algorithm can recover $sk_{ID^*}$ with probability at least $\varepsilon_1$. Hence, we have $\{f_i\}_{i \in [1, q]} \subseteq H_{IDOW}(\varepsilon_1)$. Let $H_{OW}(\varepsilon_2)$ be the family of functions $\tilde f_{i'}: \{0, 1\}^{|r|} \to \{0, 1\}^*$, where $r \in \{0, 1\}^*$ is the random value for encryption, $0 < \varepsilon_2 < 1$, $i' \in [1, q']$, and $q' \in \mathbb{N}$, such that given $\tilde f_{i'}(r)$, no PPT algorithm can recover $r$ with probability at least $\varepsilon_2$. Hence, we have $\{\tilde f_{i'}\}_{i' \in [1, q']} \subseteq H_{OW}(\varepsilon_2)$.
Definition 4. The IBE scheme is pCAI-ID-CPA secure in the post-challenge continuous auxiliary input model with respect to the families $(H_{IDOW}(\varepsilon_1), H_{OW}(\varepsilon_2))$ if the advantage of any PPT adversary $A$ in the above game is negligible.
3.3. Strong extractor with hard-to-invert auxiliary inputs
Definition 5. ($(\varepsilon_2, \tilde\varepsilon)$-strong extractor with auxiliary inputs) Let $Ext: \{0, 1\}^l \times \{0, 1\}^{\tilde l} \to \{0, 1\}^{\tilde n}$, where $l, \tilde l, \tilde n \in \mathbb{N}$. $Ext$ is an $(\varepsilon_2, \tilde\varepsilon)$-strong extractor with auxiliary inputs if, for every PPT adversary $A$, we have
$$\left|\Pr[A(x, \tilde f_{i'}(r), Ext(x, r)) = 1] - \Pr[A(x, \tilde f_{i'}(r), u) = 1]\right| < \tilde\varepsilon,$$
where $0 < \varepsilon_2, \tilde\varepsilon < 1$, $x \in_R \{0, 1\}^l$, $r \in_R \{0, 1\}^{\tilde l}$, $\tilde f_{i'} \in_R H_{OW}(\varepsilon_2)$, $u \in_R \{0, 1\}^{\tilde n}$, and $i' \in [1, q']$.
Note that this strong extractor is $2\tilde\varepsilon$-hard-to-invert. We have the following lemma from [27], which is used to prove the security of our IBE scheme.
Lemma 1. Let $x \in \{0, 1\}^l$ be a random value. Given $(x, f(r), Ext(x, r))$ where $r \in \{0, 1\}^{\tilde l}$, $f \in H_{OW}(\varepsilon_2)$, and an $(\varepsilon_2, \tilde\varepsilon)$-strong extractor $Ext(x, r)$ with auxiliary inputs, no PPT adversary $A$ can compute $r$ with probability at least $2\tilde\varepsilon$.
We use the following modified Goldreich–Levin theorem from [27] to obtain security for our IBE scheme against auxiliary input functions $f$.
Theorem 1. Let $q$ be a prime, and let $H$ be an arbitrary subset of $GF(q)$. Let $f: H^m \to \{0, 1\}^*$ be a randomized function. $s$ is chosen randomly from $H^m$; $r$ is chosen randomly from $GF(q)^m$; $u$ is chosen randomly from $GF(q)$; and $y = f(s)$. If there is a distinguisher $D$ that runs in time $t$ such that
$$\left|\Pr[D(r, y, \langle r, s\rangle) = 1] - \Pr[D(r, y, u) = 1]\right| = \tilde\varepsilon,$$
then there is an inverter $A$ that runs in time $t' = t \cdot poly(m, |H|, 1/\tilde\varepsilon)$ such that $\Pr[A(y) = s] \geq \tilde\varepsilon^3 / (512\, m\, q^2)$, where $poly()$ is a polynomial function and $\langle r, s\rangle$ is the inner product of $r$ and $s$.
4. OUR IBE SCHEME
Based on [6], we present a new leakage-resilient IBE scheme under the post-challenge continuous auxiliary input model. We use composite order groups to construct this scheme. The master secret key of the scheme is split into $n$ pieces. Our scheme consists of the following five algorithms:
$Setup(1^\lambda)$: Let $G$ and $G_T$ be two cyclic groups of order $N = p_1 p_2 p_3$ where $p_1, p_2$ and $p_3$ are distinct primes. Let $G_{p_1}, G_{p_2}$ and $G_{p_3}$ be the subgroups of order $p_1, p_2$, and $p_3$ in $G$, respectively. $g_1$ and $g_3$ are generators of $G_{p_1}$ and $G_{p_3}$, respectively. Given a security parameter $1^\lambda$, the setup algorithm selects a bilinear map $e: G \times G \to G_T$, $\alpha_1, \cdots, \alpha_n \in \mathbb{Z}_N$, $u, h \in G_{p_1}$, $x \in \{0, 1\}^l$, and an $(\varepsilon_2, \tilde\varepsilon)$-strong extractor $Ext: \{0, 1\}^l \times \{0, 1\}^{\tilde l} \to \{0, 1\}^{\tilde n}$ where $l, \tilde l, n, \tilde n \in \mathbb{N}$. We assume that $\varepsilon_2, \tilde\varepsilon$ are negligible values. Then $mpk = \{N, G, G_T, e, g_1, u, h, g_3, \{e(g_1, g_1)^{\alpha_i}\}_{i \in [1, n]}, x\}$ and $msk = \{\alpha_i\}_{i \in [1, n]}$.
$KeyGen(msk, ID)$: The PKG randomly chooses $s_i \in \mathbb{Z}_N$ and $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$. It returns the private key $sk_{ID} = \{sk_{1,i}, sk_{2,i}\}_{i \in [1, n]}$ where $sk_{1,i} = g_1^{s_i} v_{3,i}$ and $sk_{2,i} = g_1^{\alpha_i} (u^{ID} h)^{s_i} \sigma_{3,i}$. The PKG sends $sk_{ID}$ to the user over a secure channel.
$Enc(mpk, ID, M)$: The sender randomly picks $r_i \in \{0, 1\}^{\tilde l}$ where $i \in [1, n]$, then computes $\delta_i = Ext(x, r_i)$ and the ciphertext $c = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ where $c_1 = M \prod_{i=1}^n e(g_1, g_1)^{\alpha_i \delta_i}$, $c_{2,i} = (u^{ID} h)^{\delta_i}$, and $c_{3,i} = g_1^{\delta_i}$.
$Dec(sk_{ID}, c)$: Given a ciphertext $c = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ and a private key $sk_{ID} = \{sk_{1,i}, sk_{2,i}\}_{i \in [1, n]}$, the receiver computes
$$M = c_1 \cdot \frac{\prod_{i=1}^n e(sk_{1,i}, c_{2,i})}{\prod_{i=1}^n e(sk_{2,i}, c_{3,i})}.$$
$UpdateSK(sk_{ID}, mpk)$: Given $sk_{ID} = \{sk_{1,i}, sk_{2,i}\}_{i \in [1, n]}$, the private key update algorithm randomly chooses $\tilde s_i \in \mathbb{Z}_N$ and $\tilde v_{3,i}, \tilde\sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$. It outputs a new private key $\widetilde{sk}_{ID} = \{\widetilde{sk}_{1,i}, \widetilde{sk}_{2,i}\}_{i \in [1, n]}$ where $\widetilde{sk}_{1,i} = sk_{1,i}\, g_1^{\tilde s_i} \tilde v_{3,i}$ and $\widetilde{sk}_{2,i} = sk_{2,i}\, (u^{ID} h)^{\tilde s_i} \tilde\sigma_{3,i}$.
The correctness of decryption is easy to check from the following equations:
$$\begin{aligned}
c_1 \cdot \frac{\prod_{i=1}^n e(sk_{1,i}, c_{2,i})}{\prod_{i=1}^n e(sk_{2,i}, c_{3,i})}
&= M \prod_{i=1}^n e(g_1, g_1)^{\alpha_i \delta_i} \cdot \frac{\prod_{i=1}^n e(g_1^{s_i} v_{3,i}, (u^{ID} h)^{\delta_i})}{\prod_{i=1}^n e(g_1^{\alpha_i} (u^{ID} h)^{s_i} \sigma_{3,i}, g_1^{\delta_i})} \\
&= M \prod_{i=1}^n e(g_1, g_1)^{\alpha_i \delta_i} \cdot \frac{\prod_{i=1}^n e(g_1^{s_i}, (u^{ID} h)^{\delta_i})\, e(v_{3,i}, (u^{ID} h)^{\delta_i})}{\prod_{i=1}^n e(g_1^{\alpha_i}, g_1^{\delta_i})\, e((u^{ID} h)^{s_i}, g_1^{\delta_i})\, e(\sigma_{3,i}, g_1^{\delta_i})} \\
&= M \prod_{i=1}^n e(g_1, g_1)^{\alpha_i \delta_i} \cdot \frac{\prod_{i=1}^n e(g_1^{s_i}, (u^{ID} h)^{\delta_i})}{\prod_{i=1}^n e(g_1^{\alpha_i}, g_1^{\delta_i})\, e((u^{ID} h)^{\delta_i}, g_1^{s_i})} \\
&= M.
\end{aligned}$$
Note that (1) $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ and $(u^{ID} h)^{\delta_i}, g_1^{\delta_i} \in G_{p_1}$, so $e(v_{3,i}, (u^{ID} h)^{\delta_i})$ and $e(\sigma_{3,i}, g_1^{\delta_i})$ are the identity element of $G_T$ by the orthogonality of $G_{p_1}$ and $G_{p_3}$. (2) We do not use the subgroup $G_{p_2}$ in the scheme above, but we apply it in the following proof with the dual system encryption technique.
5. SECURITY ANALYSIS
Now, we prove that our IBE scheme is secure. First, two semi-functional (SF) structures (SF private key and SF ciphertext) are defined. The SF structures are just like the normal forms of the scheme, but are combined with generators of $G_{p_2}$. They are only used in our proof. Let $g_2$ and $\tilde g_2$ be generators of $G_{p_2}$.
SF private key. An SF private key $sk'_{ID} = \{sk'_{1,i}, sk'_{2,i}\}_{i \in [1, n]}$ is generated by $sk'_{1,i} = sk_{1,i}\, g_2^{\gamma_i}$ and $sk'_{2,i} = sk_{2,i}\, \tilde g_2^{z_i}$, where $\gamma_1, \cdots, \gamma_n, z_1, \cdots, z_n \in \mathbb{Z}_N$ and $sk_{ID} = \{sk_{1,i}, sk_{2,i}\}_{i \in [1, n]}$ is a normal private key.
SF ciphertext. An SF ciphertext $c' = \{c'_1, c'_{2,i}, c'_{3,i}\}_{i \in [1, n]}$ is given by $c'_1 = c_1$, $c'_{2,i} = c_{2,i}\, \tilde g_2^{\varphi_i}$ and $c'_{3,i} = c_{3,i}\, \tilde g_2^{\phi_i}$, where $\varphi_1, \cdots, \varphi_n, \phi_1, \cdots, \phi_n \in \mathbb{Z}_N$ and $c = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ is a normal ciphertext.
It is worth noting that an SF private key is able to decrypt a normal ciphertext, and a normal private key is also able to decrypt an SF ciphertext. However, if an SF private key is used to decrypt an SF ciphertext, the message is blinded by $e(g_2, \tilde g_2)^{\sum_{i=1}^n z_i \phi_i - \sum_{i=1}^n \gamma_i \varphi_i}$. If $\sum_{i=1}^n z_i \phi_i = \sum_{i=1}^n \gamma_i \varphi_i$, decryption still succeeds, and we call the corresponding private key a nominally SF private key.
Theorem 2. If Assumptions 1, 2, and 3 hold, our IBE scheme is pCAI-ID-CPA secure.
Proof. We prove the security by a sequence of games as follows:
$Game_{real}$. $Game_{real}$ denotes the game pCAI-ID-CPA.
$Game_{restrained}$. $Game_{restrained}$ is similar to $Game_{real}$ with the constraint that the adversary is forbidden to query a private key on an identity $ID$ with $ID = ID^* \bmod p_2$. The restriction of $Game_{restrained}$ remains in effect in the following games.
$Game_\kappa$. Let $q = q_{sk} + q_l + q_{\widetilde{sk}}$, where $q_{sk}$, $q_l$, and $q_{\widetilde{sk}}$ are the numbers of private key queries, leakage queries and private key update queries, respectively, and $\kappa \in [0, q]$. This game is similar to $Game_{restrained}$ except that the ciphertext given to the adversary is SF, the first $\kappa$ private keys are SF, and the other private keys are normal.
For the first $\kappa$ queries, we have the following:
• If the adversary $A$ makes private key queries, the challenger $C$ returns an SF private key $sk'_{ID}$.
• If the adversary $A$ makes pre-challenge leakage queries, $C$ returns $f_i(L_{sk}, msk, sk'_{ID^*}, mpk, ID^*)$.
• If the adversary $A$ makes post-challenge leakage queries, $C$ returns $\tilde f_{i'}(r)$.
• If the adversary $A$ makes private key update queries, $C$ adds the tuple $(\widetilde{sk}_{ID^*}, r_{sk})$ to $L_{\widetilde{sk}}$, where $\widetilde{sk}_{ID^*}$ is an updated SF private key.
Note that the ciphertext is SF and all of the private keys are normal in $Game_0$, while all the private keys and the ciphertext are SF in $Game_q$.
$Game_{last}$. It is the same as $Game_q$, except that the ciphertext is an SF ciphertext for a random message, which is not the challenge message.
We will prove that the above games are indistinguishable as follows.
Lemma 2. If there exists an adversary $A$ satisfying $|Adv^{Game_{real}}_A(\Sigma) - Adv^{Game_{restrained}}_A(\Sigma)| \geq \varepsilon$, then there is an algorithm $B$ with non-negligible advantage in breaking Assumption 2.
Proof. Given $D_2 = (N, G, G_T, e, g_1, g_2, g_3, g_1^{x_1} g_2, g_2^{x_2} g_3^{x_3})$ and $T$ ($T = g_1^a g_3^c$ or $T = g_1^a g_2^b g_3^c$), where $x_1, x_2, x_3, a, b, c \in_R \mathbb{Z}_N$, $B$ interacts with $A$ as follows:
Setup. $B$ randomly chooses $\chi, \eta \in \mathbb{Z}_N$, $x \in \{0, 1\}^l$, and $\alpha_i \in \mathbb{Z}_N$ where $i \in [1, n]$, computes $u = g_1^{\chi}$ and $h = g_1^{\eta}$, then outputs $mpk = \{N, G, G_T, e, g_1, u, h, g_3, \{e(g_1, g_1)^{\alpha_i}\}_{i \in [1, n]}, x\}$ to $A$. The master secret key is $msk = \{\alpha_i\}_{i \in [1, n]}$. $B$ owns $msk$; therefore, $B$ can answer all the queries from $A$.
According to the hypothesis of Lemma 2, the probability that $A$ queries $ID$ and $ID^*$ with $ID \neq ID^* \bmod N$ but $p_2$ dividing $(ID - ID^*)$ is $\varepsilon$. This means that $B$ can obtain a nontrivial factor of $N$ by computing $\gcd(ID - ID^*, N)$. Let $P = N / \gcd(ID - ID^*, N)$. The following cases occur with probability $\varepsilon$: (1) $P = p_1$ or $P = p_1 p_3$; (2) $P = p_3$. In case (1), $B$ checks whether $e((g_1^{x_1} g_2)^P, T) = 1$: if $T = g_1^a g_3^c$ then $e((g_1^{x_1} g_2)^P, T) = 1$; otherwise $T = g_1^a g_2^b g_3^c$. In case (2), $B$ checks whether $e((g_2^{x_2} g_3^{x_3})^P, T) = 1$: if $T = g_1^a g_3^c$ then $e((g_2^{x_2} g_3^{x_3})^P, T) = 1$; otherwise $T = g_1^a g_2^b g_3^c$. □
Lemma 3. If there exists an adversary $A$ satisfying $|Adv^{Game_{restrained}}_A(\Sigma) - Adv^{Game_0}_A(\Sigma)| \geq \varepsilon$, then there is an algorithm $B$ with advantage $\varepsilon$ in breaking Assumption 1.
Proof. On input $D_1 = (N, G, G_T, e, g_1, g_2, g_3)$ and $T$ ($T = g_1^a$ or $T = g_1^a g_2^b$), $B$ interacts with $A$ as follows:
Setup. $B$ randomly chooses $\chi, \eta \in \mathbb{Z}_N$, $x \in \{0, 1\}^l$, and $\alpha_i \in \mathbb{Z}_N$ where $i \in [1, n]$, computes $u = g_1^{\chi}$ and $h = g_1^{\eta}$, then returns $mpk = \{N, G, G_T, e, g_1, u, h, g_3, \{e(g_1, g_1)^{\alpha_i}\}_{i \in [1, n]}, x\}$ to $A$. The master secret key is $msk = \{\alpha_i\}_{i \in [1, n]}$.
Phase 1. $B$ owns $msk$; therefore, $B$ can answer the private-key oracle and pre-challenge leakage oracle queries made by $A$.
Challenge identity. $A$ sends the challenge identity $ID^*$ to $B$.
Phase 2. $B$ can answer the private-key oracle, pre-challenge leakage oracle, and UpdateSK oracle queries made by $A$.
Challenge phase. $A$ sends $M_0$ and $M_1$ of the same length to $B$. $B$ randomly picks $\rho \in \{0, 1\}$ and encrypts $M_\rho$. It then outputs the challenge ciphertext $c^* = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ to $A$, where $c_1 = M_\rho \prod_{i=1}^n e(T, g_1)^{\alpha_i}$, $c_{2,i} = T^{\chi ID^* + \eta}$, and $c_{3,i} = T$.
Phase 3. $B$ can answer the private-key oracle, post-challenge leakage oracle and UpdateSK oracle queries made by $A$.
If $T = g_1^a g_2^b$, $c^*$ is an SF ciphertext with $\varphi_i = b(\chi ID^* + \eta)$ and $\phi_i = b$. Since $b \in \mathbb{Z}_N$, $\phi_i$ modulo $p_2$ is properly distributed. The factor $(\chi ID^* + \eta)$ modulo $p_2$ is not related to $\chi$ and $\eta$ modulo $p_1$, so it is also properly distributed. Hence, $B$ simulates $Game_0$ properly for $A$.
If $T = g_1^a$, $c^*$ is normal. Hence, $B$ simulates $Game_{restrained}$ properly for $A$.
In conclusion, if $A$ distinguishes $Game_{restrained}$ and $Game_0$ with non-negligible advantage $\varepsilon$, $B$ can break Assumption 1 with non-negligible advantage $\varepsilon$. □
Lemma 4. If there exists an adversary $A$ satisfying $|Adv^{Game_{\kappa-1}}_A(\Sigma) - Adv^{Game_\kappa}_A(\Sigma)| \geq \varepsilon$, then there is an algorithm $B$ with advantage $\varepsilon$ in breaking Assumption 2.
Proof. Given $D_2 = (N, G, G_T, e, g_1, g_2, g_3, g_1^{x_1} g_2, g_2^{x_2} g_3^{x_3})$ and $T$ ($T = g_1^a g_3^c$ or $T = g_1^a g_2^b g_3^c$), $B$ interacts with $A$ as follows:
Setup. $B$ randomly chooses $\chi, \eta \in \mathbb{Z}_N$, $x \in \{0, 1\}^l$, and $\alpha_i \in \mathbb{Z}_N$ where $i \in [1, n]$, computes $u = g_1^{\chi}$ and $h = g_1^{\eta}$, then returns $mpk = \{N, G, G_T, e, g_1, u, h, g_3, \{e(g_1, g_1)^{\alpha_i}\}_{i \in [1, n]}, x\}$ to $A$.
Phase 1. $B$ can answer the $j$-th private-key oracle query and the pre-challenge leakage oracle queries made by $A$, where $j \in \mathbb{N}$. If $j < \kappa$ where $\kappa \in [0, q]$, $B$ randomly chooses $s_i \in \mathbb{Z}_N$ and $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$, and $\gamma'_1, \cdots, \gamma'_n, z'_1, \cdots, z'_n \in \mathbb{Z}_N$, then it generates an SF private key $sk'_{ID} = \{sk'_{1,i}, sk'_{2,i}\}_{i \in [1, n]}$: $sk'_{1,i} = g_1^{s_i} (g_2^{x_2} g_3^{x_3})^{\gamma'_i} v_{3,i}$ and $sk'_{2,i} = g_1^{\alpha_i} (u^{ID} h)^{s_i} (g_2^{x_2} g_3^{x_3})^{z'_i} \sigma_{3,i}$. The SF parameters are $\gamma_i = x_2 \gamma'_i$ and $z_i = x_2 z'_i$, so $sk'_{ID}$ is properly distributed. If $j > \kappa$, $B$ randomly chooses $s_i \in \mathbb{Z}_N$ and $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$, then it generates a normal key $sk_{ID} = \{sk_{1,i}, sk_{2,i}\}_{i \in [1, n]}$: $sk_{1,i} = g_1^{s_i} v_{3,i}$ and $sk_{2,i} = g_1^{\alpha_i} (u^{ID} h)^{s_i} \sigma_{3,i}$.
If $j = \kappa$, $B$ randomly chooses $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$, then it sets $sk_{1,i} = T v_{3,i}$ and $sk_{2,i} = g_1^{\alpha_i} T^{\chi ID + \eta} \sigma_{3,i}$. If $T = g_1^a g_3^c$, $B$ constructs a normal private key properly. If $T = g_1^a g_2^b g_3^c$, $B$ constructs an SF private key.
Challenge identity. $A$ sends the challenge identity $ID^*$ to $B$.
Phase 2. $B$ can answer the private-key oracle, pre-challenge leakage oracle, and UpdateSK oracle queries made by $A$.
Challenge phase. $A$ sends $M_0$ and $M_1$ of the same size to $B$. $B$ randomly picks $\rho \in \{0, 1\}$ and encrypts $M_\rho$. It then outputs an SF challenge ciphertext $c^* = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ to $A$, where $c_1 = M_\rho \prod_{i=1}^n e(g_1^{x_1} g_2, g_1)^{\alpha_i}$, $c_{2,i} = (g_1^{x_1} g_2)^{\chi ID^* + \eta}$, and $c_{3,i} = g_1^{x_1} g_2$.
The SF ciphertext parameters are $\delta_i = x_1$, $\phi_i = 1$, and $\varphi_i = \chi ID^* + \eta$. Obviously, $\delta_i$ is randomly distributed. From the view of the adversary $A$, $\phi_i$ is randomly distributed, and $\varphi_i$ is randomly distributed except in the following two cases:
(1) The challenge private key is SF, that is, it depends on $\chi$ modulo $p_2$ and $\eta$ modulo $p_2$;
(2) $ID = ID^* \bmod p_2$ (this case is not possible, because it is excluded in $Game_{restrained}$).
For case (1), if $A$ chooses the private key of $ID^*$ to challenge, then $B$ only produces a nominally SF private key, where $\sum_{i=1}^n z_i \phi_i = \sum_{i=1}^n \gamma_i \varphi_i$. Therefore, the challenge ciphertext is randomly distributed from the view of $A$.
Phase 3. $B$ can answer the private-key oracle, post-challenge leakage oracle, and UpdateSK oracle queries made by $A$.
If $T = g_1^a g_3^c$, $B$ simulates $Game_{\kappa-1}$ correctly. If $T = g_1^a g_2^b g_3^c$, $B$ simulates $Game_\kappa$ correctly.
In conclusion, if $A$ distinguishes $Game_{\kappa-1}$ and $Game_\kappa$ with non-negligible advantage $\varepsilon$, $B$ can break Assumption 2 with non-negligible advantage $\varepsilon$. □
Lemma 5. If there exists an adversary $A$ satisfying $|Adv^{Game_q}_A(\Sigma) - Adv^{Game_{last}}_A(\Sigma)| \geq \varepsilon$, we can find an algorithm
Proof. Given $D_3 = (N, G, G_T, e, g_1, g_2, g_3, g_1^{\alpha} g_2, g_1^{s} g_2^{x_2}, g_2^{y_2})$ where $\alpha, s, x_2, y_2 \in_R \mathbb{Z}_N$, and $T$ ($T = e(g_1, g_1)^{\alpha s}$ or $T \in_R G_T$), $B$ interacts with $A$ as follows:
Setup. $B$ randomly chooses $\chi, \eta \in \mathbb{Z}_N$ and $x \in \{0, 1\}^l$, computes $u = g_1^{\chi}$ and $h = g_1^{\eta}$, and generates $mpk = \{N, G, G_T, e, g_1, u, h, g_3, \{\omega_i = e(g_1^{\alpha} g_2, g_1)\}_{i \in [1, n]}, x\}$ using the assumption input $g_1^{\alpha} g_2$. It then sends $mpk$ to $A$. It is worth noting that $B$ does not know $\alpha$.
Phase 1. $B$ can answer the private-key oracle and pre-challenge leakage oracle queries made by $A$. $B$ generates an SF private key using $g_1^{\alpha} g_2$. $B$ randomly chooses $s_i \in \mathbb{Z}_N$, $v_{3,i}, \sigma_{3,i} \in G_{p_3}$ where $i \in [1, n]$, and $\gamma'_1, \cdots, \gamma'_n, z'_1, \cdots, z'_n \in \mathbb{Z}_N$, then it generates an SF private key $sk'_{ID} = \{sk'_{1,i}, sk'_{2,i}\}_{i \in [1, n]}$: $sk'_{1,i} = (g_1^{s_i} g_2^{x_2})^{\gamma'_i} v_{3,i}$ and $sk'_{2,i} = (g_1^{\alpha} g_2)(u^{ID} h)^{s_i} (g_2^{x_2})^{z'_i} \sigma_{3,i}$. The SF parameters are $\gamma_i = 1 + \gamma'_i$ and $z_i = z'_i$, so $sk'_{ID}$ is properly distributed.
Challenge identity. $A$ sends the challenge identity $ID^*$ to $B$.
Phase 2. $B$ can answer the private-key oracle, pre-challenge leakage oracle, and UpdateSK oracle queries made by $A$.
Challenge phase. $A$ sends $M_0$ and $M_1$ of the same length to $B$. $B$ randomly chooses $\rho \in \{0, 1\}$ and encrypts $M_\rho$. It then outputs an SF challenge ciphertext $c^* = \{c_1, c_{2,i}, c_{3,i}\}_{i \in [1, n]}$ to $A$, where $c_1 = M_\rho \prod_{i=1}^n T$, $c_{2,i} = (g_1^{s} g_2^{x_2})^{\chi ID^* + \eta}$, and $c_{3,i} = g_1^{s} g_2^{x_2}$.
Phase 3. $B$ can answer the private-key oracle, post-challenge leakage oracle, and UpdateSK oracle queries made by $A$.
If $T = e(g_1, g_1)^{\alpha s}$, $c^*$ is the SF ciphertext for the message $M_\rho$, and $B$ simulates $Game_q$ properly for $A$.
If $T \in_R G_T$, $c^*$ is the SF ciphertext for a random message, and $B$ simulates $Game_{last}$ properly for $A$.
In conclusion, if $A$ distinguishes $Game_q$ and $Game_{last}$ with non-negligible advantage $\varepsilon$, $B$ is able to break Assumption 3 with non-negligible advantage $\varepsilon$. □
If Assumptions 1, 2, and 3 hold, then by combining Lemmas 2, 3, 4, and 5, $Game_{real}$ is indistinguishable from $Game_{last}$. Therefore, $A$ has no advantage in breaking our IBE scheme, and the scheme is pCAI-ID-CPA secure. □
6. EFFICIENCY COMPARISON
We compare the schemes [19, 22] with our scheme on security properties and performance. We denote exponentiation in $G$ by $exp$, a pairing operation by $p$, exponentiation in $G_T$ by $exp_T$, and the product of elements in $G$ by $mul_G$. Note that $G_{p_1}$ and $G_{p_3}$ are subgroups of the cyclic group $G$ and $n$ is an integer. The details are listed in Tables 1 and 2. From Table 1, only our scheme possesses all three security properties of continuous, auxiliary input, and post-challenge leakage. From Table 2, the master secret key of our scheme is the smallest. The encryption and decryption costs of our scheme are close to those of scheme [22].
We implement the exponentiation operation $exp$ in $G$, the pairing operation $p$, the exponentiation operation $exp_T$ in $G_T$, and the product operation of elements in $G$ and $G_T$ on a Windows system with an Intel(R) Core(TM) i5 CPU at 3.20 GHz and 8.00 GB RAM (Santa Clara, CA, USA). In this process, the Java pairing-based cryptography library version 2.0.0 [31] is used; it is a port of the pairing-based cryptography library [33] written in C. To approximate real operation, we run the algorithms 10 times for the exponentiation $exp$ in $G$, 100 times for the product operation $mul_G$ of elements in $G$, 10 times for the pairing operation $p$, 100 times for the exponentiation $exp_T$ in $G_T$, and 100,000 times for the product operation of elements in $G_T$, and calculate the average values. We find that the average operation time for the product of elements in $G_T$ is 0.0011 ms; hence, we ignore this value. The results are shown in Table 3. The algorithms are coded in Java. Table 4 gives a clearer comparison between our scheme and the related schemes [19, 22] according to the data in Table 3. We ignore the strong extractor operations in all compared schemes because they are much more efficient than the other operations.
Table 4 shows that our scheme is similar to scheme [22] in efficiency. However, our scheme resists post-challenge leakage while scheme [22] does not. Scheme [19] is more efficient than ours and scheme [22], but it is not resilient to auxiliary input leakage and post-challenge leakage.
Table I. Security properties comparison.
Scheme | Model | Hard problem | Continuous leakage | Auxiliary inputs leakage | Post-challenge leakage
Ours | Standard | Three static assumptions in composite order bilinear groups | √ | √ | √
[22] | Standard | Three static assumptions in composite order bilinear groups | √ | √ | ×
[19] | Standard | Three static assumptions in composite order bilinear groups | √ | × | ×
7. CONCLUSIONS
In this article, we formalize the definition and the security model of IBE under post-challenge continuous auxiliary input leakage. Furthermore, we construct an IBE scheme and prove that it is secure against post-challenge continuous auxiliary input leakage attacks under three static assumptions. Efficiency analysis and comparison are also given. Compared with the previously proposed schemes on security properties and performance, our scheme is feasible. However, leakage of the master key and leakage in the setup phase are not allowed in our scheme. Our future work is to construct IBE schemes that are able to resist leakage of the master key and leakage in the setup phase. Moreover, we can build IBE schemes under a variety of assumptions, such as the decisional bilinear Diffie–Hellman assumption, the computational Diffie–Hellman assumption, and lattice-based assumptions. We will also consider the definition, security model, and construction of leakage-resilient identity-based signature and signcryption.
ACKNOWLEDGEMENTS
This research is supported by the National Natural Science Foundation of China (61272542), the Fundamental Research Funds for the Central Universities (2013B07014), the Priority Academic Program Development of Jiangsu Higher Education Institutions, the Natural Science Foundation of the Jiangsu Higher Education Institutions of China (14KJD520006), and the Funding of Jiangsu Innovation Program for Graduate Education (KYZZ_0139).
REFERENCES
1. Shamir A. Identity-based cryptosystems and signature schemes. Advances in Cryptology – CRYPTO 1984, Lecture Notes in Computer Science, 1984; 196: 47–53.
2. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. Advances in Cryptology – CRYPTO 2001, Lecture Notes in Computer Science, 2001; 2139: 213–229.
3. Canetti R, Halevi S, Katz J. A forward-secure public-key encryption scheme. Advances in Cryptology – EUROCRYPT 2003, Lecture Notes in Computer Science, 2003; 2656: 255–271.
4. Gentry C. Practical identity-based encryption without random oracles. Advances in Cryptology – EUROCRYPT 2006, Lecture Notes in Computer Science, 2006; 4004: 445–464.
5. Boneh D, Boyen X, Goh EJ. Hierarchical identity based encryption with constant size ciphertext. Advances in Cryptology – EUROCRYPT 2005, Lecture Notes in Computer Science, 2005; 3494: 440–456.
6. Lewko A, Waters B. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In Proceedings of the 7th Theory of Cryptography Conference (TCC 2010), Lecture Notes in Computer Science, 2010; 5978: 455–479.
7. Micali S, Reyzin L. Physically observable cryptography. In Proceedings of the First Theory of Cryptography Conference (TCC 2004), Lecture Notes in Computer Science, 2004; 2951: 278–296.
8. Halderman JA, Schoen SD, Heninger N, et al. Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM 2009; 52(5): 91–98.
9. Akavia A, Goldwasser S, Vaikuntanathan V. Simultaneous hardcore bits and cryptography against memory attacks. In Proceedings of the 6th Theory of Cryptography Conference (TCC 2009), Lecture Notes in Computer Science, 2009; 5444: 474–495.
Table II. Performance comparison.
Ours: ciphertext size |G_T|; master secret key size |ℤ_N|; master public key size |G_T|; private key size |G_{p1} G_{p3}|; encryption cost n exp_T + (2n+1) exp + mul_G; decryption cost 2n p.
[22]: ciphertext size |G_T|; master secret key size |G_{p1} G_{p3}|; master public key size |G_T|; private key size |G_{p1} G_{p3}|; encryption cost n exp_T + (2n+1) exp + mul_G; decryption cost 2n p.
[19]: ciphertext size |G_T|; master secret key size |G_{p1} G_{p3}|; master public key size |G_T|; private key size |G_{p1} G_{p3}|; encryption cost (n+3) exp + mul_G; decryption cost (n+2) p.
Table III. Operation timing.
Operations | Operation timing (ms)
exp | 10.9
mulG | 0.16
p | 7.8
expT | 0.15
Table IV. Efficiency comparison.
Scheme | Encryption operation timing | Decryption operation timing
Ours | 21.95n + 11.06 | 15.6n
[22] | 21.95n + 11.06 | 15.6n
[19] | 10.9n + 32.86 | 7.8n + 15.6
10. Luo X, Qian P, Zhu Y, et al. Leakage-resilient identity-based encryption scheme. In Proceedings of the Networked Computing and Advanced Information Management (NCM 2010), 2010; 324–329.
11. Li S, Zhang F. Leakage-resilient identity-based encryption scheme. International Journal of Grid and Utility Computing 2013; 4(2): 187–196.
12. Xiong H, Yuen TH, Zhang C, et al. Leakage-resilient certificateless public key encryption. In Proceedings of the First ACM Workshop on Asia Public-Key Cryptography, 2013; 13–22.
13. Naor M, Segev G. Public-key cryptosystems resilient to key leakage. Advances in Cryptology – CRYPTO 2009, Lecture Notes in Computer Science, 2009; 5677: 18–35.
14. Alwen J, Dodis Y, Wichs D. Leakage-resilient public-key cryptography in the bounded-retrieval model. Advances in Cryptology – CRYPTO 2009, Lecture Notes in Computer Science, 2009; 5677: 36–54.
15. Alwen J, Dodis Y, Naor M, et al. Public-key encryption in the bounded-retrieval model. Advances in Cryptology – EUROCRYPT 2010, Lecture Notes in Computer Science, 2010; 6110: 113–134.
16. Liu S, Weng J, Zhao Y. Efficient public key cryptosystem resilient to key leakage chosen ciphertext attacks. In Topics in Cryptology – CT-RSA 2013, Lecture Notes in Computer Science, 2013; 7779: 84–100.
17. Dodis Y, Goldwasser S, Kalai YT, et al. Public-key encryption schemes with auxiliary inputs. In Proceedings of the 7th Theory of Cryptography Conference (TCC 2010), Lecture Notes in Computer Science, 2010; 5978: 361–381.
18. Yang G, Mu Y, Susilo W, et al. Leakage resilient authenticated key exchange secure in the auxiliary input model. In Information Security Practice and Experience, Lecture Notes in Computer Science, 2013; 7863: 204–217.
19. Lewko A, Rouselakis Y, Waters B. Achieving leakage resilience through dual system encryption. In Proceedings of the 8th Theory of Cryptography Conference (TCC 2011), Lecture Notes in Computer Science, 2011; 6597: 70–88.
20. Boyle E, Goldwasser S, Jain A, Kalai YT. Multiparty computation secure against continual memory leakage. In Proceedings of the 44th Annual ACM Symposium on Theory of Computing, 2012; 1235–1254.
21. Akavia A, Goldwasser S, Hazay C. Distributed public key schemes secure against continual leakage. In Proceedings of the 2012 ACM Symposium on Principles of Distributed Computing, 2012; 155–164.
22. Yuen TH, Chow SSM, Zhang Y, Yiu SM. Identity-based encryption resilient to continual auxiliary leakage. Advances in Cryptology – EUROCRYPT 2012, Lecture Notes in Computer Science, 2012; 7237: 117–134.
23. Ananth P, Goyal V, Pandey O. Interactive proofs under continual memory leakage. Advances in Cryptology – CRYPTO 2014, Lecture Notes in Computer Science, 2014; 8617: 164–182.
24. Agrawal S, Dodis Y, Vaikuntanathan V, et al. On continual leakage of discrete log representations. Advances in Cryptology – ASIACRYPT 2013, Lecture Notes in Computer Science, 2013; 8270: 401–420.
25. Alawatugoda J, Boyd C, Stebila D. Continuous after-the-fact leakage-resilient key exchange. In Information Security and Privacy, Lecture Notes in Computer Science, 2014; 8544: 258–273.
26. Halevi S, Lin H. After-the-fact leakage in public-key encryption. In Theory of Cryptography, Lecture Notes in Computer Science, 2011; 6597: 107–124.
27. Yuen TH, Zhang Y, Yiu SM, et al. Identity-based encryption with post-challenge auxiliary inputs for secure cloud applications and sensor networks. In Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014), Lecture Notes in Computer Science, 2014; 8712: 130–147.
28. Chow SSM, Dodis Y, Rouselakis Y, et al. Practical leakage-resilient identity-based encryption from simple assumptions. In Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010; 152–161.
29. Galindo D, Herranz J, Villar J. Identity-based encryption with master key-dependent message security and leakage-resilience. In Proceedings of the 17th European Symposium on Research in Computer Security (ESORICS 2012), Lecture Notes in Computer Science, 2012; 7459: 627–642.
30. Brakerski Z, Kalai YT, Katz J, et al. Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (FOCS 2010), 2010; 501–510.
31. Caro AD. Java pairing-based cryptography library. http://libeccio.dia.unisa.it/projects/jpbc/, 2012.
32. Boneh D, Goh E, Nissim K. Evaluating 2-DNF formulas on ciphertexts. In Proceedings of the Second Theory of Cryptography Conference (TCC 2005), Lecture Notes in Computer Science, 2005; 3378: 325–341.
33. Lynn B. PBC (Pairing-based cryptography) library. http://crypto.stanford.edu/pbc/, 2012.