CCA-Secure Leakage-Resilient Identity-Based Key-Encapsulation from Simple (Not \(\mathtt {q}\)-type) Assumptions

Abstract

In this paper, we propose a new leakage-resilient identity-based encryption (IBE) scheme that is secure against chosen-ciphertext attacks (CCA) in the bounded memory leakage model. It is the first CCA-secure leakage-resilient IBE scheme which does not depend on \(\mathtt {q}\)-type assumptions. More precisely, it is secure under the DLIN assumption for symmetric bilinear groups and under the XDLIN assumption for asymmetric bilinear groups, respectively.

1 Introduction

1.1 Background

Most of the encryption schemes known so far have been proven secure by assuming that the secret key is completely hidden. However, in the real world, a partial information of the secret key may leak by side-channel attacks [6, 14, 20] or a cold-boot attack [15]. In recent years, extensive research effort has been invested in providing encryption schemes which are provably secure even in this setting. Such schemes are said to be leakage-resilient.

Akavia et al. [2] introduced the bounded memory leakage model in which a bounded amount of information of the secret key is leaked to the adversary. Naor and Segev [26] showed how to construct leakage-resilient public-key encryption schemes from hash proof systems (HPS) in this model. (Other constructions were given by [4, 18, 22].) Qin et al. [28] showed a generic method to construct a CCA-secure leakage-resilient encryption scheme from any tag-based strongly universal\(_2\) HPS.

Regarding identity-based encryption (IBE) schemes, CPA-secure leakage-resilient IBE schemes were shown by Akavia et al. [2], Alwen et al. [3] and Chow et al. [8]. Furthermore, the scheme of Kurosawa and Phong [21] achieves the leakage rate \(1-o(1)\) under the DLIN assumption, where the leakage rate is defined as

$$ \frac{\text {size of leakage}}{\text {size of secret key}}. $$

On the other hand, CCA-secure leakage-resilient IBE schemes were shown by Alwen et al. [3], Sun et al. [30] and Li et al. [24]. Unfortunately, all these CCA-secure leakage-resilient IBE schemes rely on \(\mathtt {q}\)-type assumptions. Due to the Cheon attack [7], it is better to avoid such assumptions.

1.2 Our Contribution

In this paper, we propose the first CCA-secure leakage-resilient IBE scheme which does not depend on \(\mathtt {q}\)-type assumptions. More precisely, it is secure under the DLIN assumption for symmetric bilinear groups and under the XDLIN assumption for asymmetric bilinear groups. (See Sect. 2.1 for the types of bilinear groups.)

In fact, we construct a CCA-secure leakage-resilient IB-KEM. A CCA-secure leakage-resilient IBE scheme is obtained by combining our IB-KEM with any CCA-secure symmetric-key encryption scheme (which does not need to be leakage-resilient).

Our IB-KEM scheme is obtained by applying the technique of Qin et al. [28] to the CPA-secure leakage-resilient IBE scheme of Kurosawa and Phong [21]. Hereby, we can achieve the leakage rate 1/10. Our scheme will be able to generalize to k-linear assumption.

Table 1 shows a comparison of CCA-secure leakage-resilient IBE schemes.

Table 1. Comparison of CCA-secure leakage-resilient IBE schemes

1.3 Various Models for Leakage-Resilient

Several researchers consider some variants of leakage models to capture practical issues. We summarize some leakage models below.

Micali and Reyzin [25] considered the “only computation leak information” model to deal with physical observation via side-channel attacks. However, this model could not capture key leakage attacks, such as a cold-boot attack. To capture key leakage attacks, Akavia et al. [2] proposed the bounded memory leakage model, in which an adversary can get partial information on secret keys. Brakerski et al. [5] and Dodis et al. [9] presented a new model called continual memory leakage model, which allows leakage on the private key in many periods of time. In this model, the secret key is updated over time and the total leakage over the lifetime of the system is unbounded. Dodis et al. [10] invented the auxiliary input model, in which the entire secret could be leaked information-theoretically, provided that it is computationally infeasible to compute the secret.

All these leakage models only consider leakage occurring before the challenge ciphertext is given to the adversary. In response to this, Halevi and Lin [16] proposed the after-the-fact leakage model, in which an adversary can obtain leaked information after seeing the challenge ciphertext.

1.4 Organization

The rest of the paper is organized as follows. Section 2 introduces notations, some building blocks, and computational assumptions. Section 3 describes the definition of IB-KEM and the leakage-resilient CCA-security. We present the concrete construction of our CCA-secure leakage-resilient IB-KEM scheme in Sect. 4 and its security proof in Sect. 5. Finally, the conclusion of this paper is given in Sect. 6.

2 Preliminaries

2.1 Notations

We introduce some notations used in this paper. Let denote the security parameter. We say that a function is negligible in if it is smaller than all polynomial fractions for a sufficiently large . For a finite set \(\mathcal {S}\), we use to denote the process of sampling an element s from \(\mathcal {S}\) uniformly at random and let denote its cardinality.

Let \(\mathsf {GGen}\) be a probabilistic polynomial time (PPT) algorithm that on input the security parameter returns a description of pairing groups, where , , are cyclic groups of a prime order q, \(g_1\) and \(g_2\) are generators of and , respectively, and is an efficiently computable (non-degenerated) bilinear map. Define , which is a generator of .

We refer to [31] for a description of types of bilinear groups. There are three types of bilinear groups according to whether efficient isomorphisms exist or not between and [13]. In type 1, both the isomorphism \(\psi :\) and its inverse \(\psi ^{-1}:\) are efficiently computable, i.e., it can be regarded as . In type 2, the isomorphism is efficiently computable but its inverse is not. In type 3, there are no efficient isomorphisms between and . Type 1 pairing groups are called symmetric, and type 2 and 3 pairing groups are called asymmetric. We assume type 3 pairing groups in our scheme, but our scheme also works in type 1 and 2 setting under appropriate computational assumptions.

We use implicit representation of group elements as introduced in [12]. For and we define as the implicit representation of a in . Similarly, for a matrix

we define

as the implicit representation of \(\mathbf {A}\) in . Note that it is easy to compute \(\left[ \mathbf {A}\mathbf {B} \right] _s\) given \(\left( \left[ \mathbf {A} \right] _s,\mathbf {B}\right) \) or \(\left( \mathbf {A},\left[ \mathbf {B} \right] _s\right) \) with appropriate dimensions. We define that can be efficiently computed given \(\left[ \mathbf {A} \right] _1\) and \(\left[ \mathbf {B} \right] _2\).

2.2 External Decisional Linear Assumption

We assume the following property.

Definition 1

(External Decisional Linear Assumption: XDLIN [1]). Let . We say that the XDLIN assumption holds relative to \(\mathsf {GGen}\) in group if for any PPT adversary \(\mathsf {D}\), the following is negligible in :

where , , , and

This assumption is a variant of the standard decisional linear (DLIN) assumption [27] for asymmetric pairing groups. The XDLIN assumption is equivalent to the DLIN assumption in the generic group model.

2.3 Statistical Distance, Min-Entropy and Randomness Extractor

The statistical distance between random variables X, Y over a finite domain is defined by

The min-entropy of X is defined by

Furthermore, average min-entropy of X conditioned on Y is defined by

as defined in [11], which also proved the following lemma.

Lemma 1

([11, Lemma 2.2]). Let \(\ell \) be a positive integer. Let X, Y and Z be random variables. If Y has at most \(2^\ell \) possible values, then

$$ \tilde{H}_\infty (X \mid Y, Z) \ge \tilde{H}_\infty (X, Y \mid Z) - \ell \ge \tilde{H}_\infty (X \mid Z) - \ell . $$

One of main tools in our construction is a randomness extractor [11].

Definition 2

(Randomness Extractor). Let n be a positive integer, and \(\phi > n, \epsilon _\mathsf {Ext}\) be positive reals, and \(\mathcal {D}, \mathcal {S}\) be finite sets. A function is called a \((\phi , \epsilon _\mathsf {Ext})\)-randomness extractor if for all pairs of random variables (X, I) such that X is a random variable over \(\mathcal {D}\) satisfying \(\tilde{H}_\infty (X \mid I) \ge \phi \),

$$ \Delta \left( (\mathsf {Ext}(X,S),S,I),(R,S,I)\right) \le \epsilon _\mathsf {Ext}$$

holds, where S is uniform over \(\mathcal {S}\) and R is uniform over .

2.4 Hash Functions

Let be a hash function, where \(\mathcal {D} = \mathcal {D}(\lambda )\) and \(\mathcal {R} = \mathcal {R}(\lambda )\) are sets. We require the following property of hash functions for our scheme.

Definition 3

(Target Collision Resistance). We say a hash function is target collision resistant if for any PPT adversary \(\mathsf {A}\),

is negligible in .

2.5 Useful Facts

Here, we introduce useful facts used in our security proof. We use the following lemmas to prove adaptive identity security of our scheme.

Lemma 2

(Programmable hash function [17, Theorem 7]). Let m, Q be integers. We choose as follows: (1) set \(J = Q^2\), (2) sample for \(i = 1,\ldots ,m\) and \(j = 1,\ldots ,J\), (3) set \(h_i = \sum _{j=1}^{J}u_{i,j}\). For \(h = (h_1,\ldots ,h_m)\), we define

where . Then, for any distinct , we have

$$ \Pr \left[ \bigwedge _{j=1}^{Q}(\beta _h(\mathrm { id }_j) \ne 0) \wedge \left( \beta _h(\mathrm { id }^*) = 0\right) \right] \ge \varTheta {\frac{1}{\sqrt{m}Q}}, $$

where the probability is taken over the choice of h.

Lemma 3

([32, Lemma 5]). Let be reals such that

Furthermore, let be reals such that \(0 < \delta _\mathrm {low}\le \delta _i \le \delta _\mathrm {up}\) for \(i = 1,\ldots ,l\). Then, we have

3 Identity-Based Key-Encapsulation Mechanism

In this section, we introduce the syntax, the correctness property, and the security notion for IB-KEM.

Syntax. An IB-KEM scheme consists of four PPT algorithms.

• . The setup algorithm takes as input the security parameter , outputs a public parameter \(\mathrm { pp }\) and a master key \(\mathrm { mk }\). We assume that \(\mathrm { pp }\) implicitly defines an identity space \(\mathcal {ID}\), a session key space \(\mathcal {K}\), and a secret key space \(\mathcal {SK}\).

• . The key generation algorithm takes as input the master key \(\mathrm { mk }\) and an identity \(\mathrm { id }\in \mathcal {ID}\), outputs a secret key \(\mathrm { sk }_\mathrm { id }\) for the \(\mathrm { id }\).

• \(\mathsf {Encap}(\mathrm { pp },\mathrm { id }) \rightarrow (\mathrm { ct },K)\). The encapsulation algorithm takes as input the public parameter \(\mathrm { pp }\) and an \(\mathrm { id }\in \mathcal {ID}\), outputs a session key \(K \in \mathcal {K}\) together with a ciphertext \(\mathrm { ct }\) with respect to identity \(\mathrm { id }\).

• \(\mathsf {Decap}(\mathrm { sk }_\mathrm { id },\mathrm { ct }) \rightarrow K\) or \(\bot \). The decapsulation algorithm takes as input a secret key \(\mathrm { sk }_\mathrm { id }\) and a ciphertext \(\mathrm { ct }\), outputs a decapsulated key \(K \in \mathcal {K}\) or the rejection symbol \(\bot \).

Correctness. We require correctness of decapsulation: that is for all , all pairs \((\mathrm { pp },\mathrm { mk })\) generated by , all identities \(\mathrm { id }\in \mathcal {ID}\), and all \((\mathrm { ct },K) \leftarrow \mathsf {Encap}(\mathrm { pp },\mathrm { id })\), .

Security. In this paper, we consider the IB-KEM variant of CCA-security for leakage-resilient IBE in the bounded memory leakage model [3]. Let \(\varPi \) be an IB-KEM scheme. We consider the IND-ID-lrCCA game between a challenger and an adversary \(\mathsf {A}\) as follows.

• Setup phase: The challenger runs \(\mathsf {Setup}\) to generate \((\mathrm { pp }, \mathrm { mk })\), and sends \(\mathrm { pp }\) to \(\mathsf {A}\).

• Query phase 1: The adversary \(\mathsf {A}\) makes queries of the following types:

  • Key generation query \(\mathrm { id }\in \mathcal {ID}\). The challenger computes and returns the secret key to \(\mathsf {A}\).

  • Leakage query \((\mathrm { id },f)\), where is an efficiently computable function. The challenger returns \(f(\mathrm { sk }_\mathrm { id })\) to \(\mathsf {A}\).

  • Decapsulation query \((\mathrm { id },\mathrm { ct })\). The challenger returns \(\mathsf {Decap}(\mathrm { sk }_\mathrm { id },\mathrm { ct })\) to \(\mathsf {A}\).

• Challenge phase: \(\mathsf {A}\) sends the challenge identity \(\mathrm { id }^*\in \mathcal {ID}\) to the challenger. It must be that he has never queried \(\mathrm { id }^*\) as a key generation query. The challenger chooses a bit . The challenger runs \(\mathsf {Encap}(\mathrm { pp },\mathrm { id }^*)\) to generate \((\mathrm { ct }^*, K_0^*)\), and chooses a random session key . Then, he sends \((\mathrm { ct }^*, K_b^*)\) to \(\mathsf {A}\).

• Query phase 2: \(\mathsf {A}\) makes queries of the following types:

  • Key generation query \(\mathrm { id }\in \mathcal {ID}\), where it must be that \(\mathrm { id }\ne \mathrm { id }^*\).

  • Decapsulation query \((\mathrm { id },\mathrm { ct })\), where it must be that \((\mathrm { id }, \mathrm { ct }) \ne (\mathrm { id }^*, \mathrm { ct }^*)\).

• Guess phase: Finally \(\mathsf {A}\) outputs a guess .

Note that, in query phase 1 and 2 the challenger computes \(\mathrm { sk }_\mathrm { id }\) the first time that \(\mathrm { id }\) is queried in a key generation, leakage, or decryption query, and responds to all future queries on the same \(\mathrm { id }\) with the same \(\mathrm { sk }_\mathrm { id }\).

Definition 4

(IND-ID-lrCCA security). An IB-KEM scheme \(\varPi \) is \(\ell \)-IND-ID-lrCCA (indistiguishability against adaptive identity leakage-resilient chosen-ciphertext attack) secure if for any PPT adversary \(\mathsf {A}\) that makes at most \(\ell \) leakage queries, the advantage

is negligible in .

Remark: Challenge-Dependent Leakage. In the security definition, the adversary is not allowed to obtain the leakage \(f(\mathrm { sk }_\mathrm { id })\) after the challenge phase. We note that this restriction is indeed necessary: the adversary can encode the decapsulation algorithm for the challenge ciphertext \(\mathrm { ct }^*\) and the challenge identity \(\mathrm { id }^*\).

4 Construction

In this section, we propose a new CCA-secure leakage-resilient IB-KEM scheme.

Let , n be the bit-length of a session key (i.e., ), m be the bit-length of an identity (i.e., ), \(\ell < \log _2{q}\) be any positive integer, be a target collision resistant hash function, be a \((\log _2{q}-\ell ,\epsilon _\mathsf {Ext})\)-randomness extractor. We assume that m is independent of , \(\epsilon _\mathsf {Ext}\) is negligible in .

Our scheme is described as follows.

• : Choose and uniformly at random and set

  

  Output \(\mathrm { pp }= (\left[ \mathbf {A} \right] _1,\left[ \mathbf {B}_0 \right] _1,\left[ \mathbf {B}_1 \right] _1,\ldots ,\left[ \mathbf {B}_m \right] _1,\left[ \mathbf {D} \right] _1)\) and \(\mathrm { mk }= (a_1,a_2,\mathbf {B}_0,\mathbf {B}_1,\ldots ,\mathbf {B}_m,\mathbf {D})\).

  For an identity , let

  

• : Compute a random matrix such that

  $$\begin{aligned} \mathbf {F}_\mathrm { id }\mathbf {S}_\mathrm { id }= \mathbf {D} \end{aligned}$$

  (1)

  as follows. Let

  

  Choose at random, compute

  

  and set

  $$ \mathbf {S}_{\mathrm { id }} = \begin{pmatrix} \mathbf {S}'' \\ \mathbf {S}' \end{pmatrix}. $$

  Output \(\mathrm { sk }_\mathrm { id }= \left[ \mathbf {S}_\mathrm { id } \right] _2\) as a secret key for the \(\mathrm { id }\).

• \(\mathsf {Encap}(\mathrm { pp },\mathrm { id })\): Choose and at random, compute

  

  Output \(\mathrm { ct }= (\left[ \mathbf {c} \right] _1,\left[ k_a \right] _T,\mathrm { sd })\) and \(K = \mathsf {Ext}(\left[ k_s \right] _T,\mathrm { sd })\).

• \(\mathsf {Decap}(\mathrm { sk }_\mathrm { id },\mathrm { ct })\): On input \(\mathrm { sk }_{\mathrm { id }} = \left[ \mathbf {S}_\mathrm { id } \right] _2\) and \(\mathrm { ct }= (\left[ \mathbf {c} \right] _1,\left[ t \right] _T,\mathrm { sd })\), compute

  

  Output \(\mathsf {Ext}(\left[ k_s \right] _T,\mathrm { sd })\) if \(\left[ t \right] _T = \left[ k_a \right] _T\), otherwise \(\bot \).

Correctness. Let \(\mathrm { sk }_\mathrm { id }= \left[ \mathbf {S}_\mathrm { id } \right] _2\), \(\mathrm { ct }= (\left[ \mathbf {c} \right] _1,\left[ t \right] _T,\mathrm { sd })\), and . If \(\mathbf {c} = \mathbf {F}^\top _\mathrm { id }\mathbf {r}\) and \(t = \mathbf {r}^\top \mathbf {D} \left( {\begin{matrix} 1 \\ \alpha \end{matrix}}\right) \) then

$$\begin{aligned} k_a = \mathbf {c}^\top \mathbf {S}_\mathrm { id }\left( {\begin{matrix} 1 \\ \alpha \end{matrix}}\right) = \mathbf {r}^\top \mathbf {F}_\mathrm { id }\mathbf {S}_\mathrm { id }\left( {\begin{matrix} 1 \\ \alpha \end{matrix}}\right) = \mathbf {r}^\top \mathbf {D} \left( {\begin{matrix} 1 \\ \alpha \end{matrix}}\right) = t \end{aligned}$$

in the \(\mathsf {Decap}\) procedure, and it is similar to \(k_s\). Therefore, our IB-KEM scheme \(\varPi \) satisfies correctness.

5 Security

In this section, we prove the IND-ID-lrCCA security of our scheme.

Theorem 1

Under the XDLIN assumption relative to \(\mathsf {GGen}\) in group , our scheme \(\varPi \) is \(\ell \)-IND-ID-lrCCA secure for any positive integer \(\ell \) satisfying

$$\begin{aligned} \ell \le \log _2{q} - n - \eta , \end{aligned}$$

(2)

where is a positive integer such that \(2^{-\eta }\) is negligible in .

In particular, given an efficient adversary \(\mathsf {A}\) breaking the \(\ell \)-IND-ID-lrCCA secure of \(\varPi \) with advantage , we can construct an adversary \(\mathsf {D}\) breaking the XDLIN assumption with advantage such that

holds for such , where and are the number of key generation queries and decapsulation queries made by \(\mathsf {A}\), respectively.

Remark

Our scheme works also on type 1 or 2 bilinear groups.

Proof

Let \(\mathsf {A}\) be an efficient adversary on the IND-ID-lrCCA security of \(\varPi \). Namely, for infinitely many . We will consider a sequence of games, \(\text {Game}_{0},\ldots ,\text {Game}_{9}\) performed by a challenger and \(\mathsf {A}\). At the end of each game, the challenger outputs a bit , which will be described below.

Let \(W_i\) be the event such that \(\gamma = 1\) in \(\text {Game}_i\).

• Game\(_{0}\): This game is the IND-ID-lrCCA game. At the end of the game, the challenger outputs \(\gamma = 1\) if \(b' = b\), otherwise \(\gamma = 0\), where \(b'\) is \(\mathsf {A}\)’s guessing bit of b. Thus,

  

  (3)

  The challenge is \((\mathrm { ct }^*,K_b^*)\) where \(\mathrm { ct }^*= (\left[ \mathbf {c}^* \right] _1,\left[ k_a^* \right] _T,\mathrm { sd }^*)\). We denote by \(\mathbf {r}^*,\alpha ^*,k_s^*\) the corresponding intermediate values. The session key \(K_b^*\) is \(\mathsf {Ext}(\left[ k_s^* \right] _T,\mathrm { sd }^*)\) or random over , depending on the bit b.

• Game\(_{1}\) : This game is the same as \(\text {Game}_{0}\) except that the challenger changes the generation of the public parameter \(\mathrm { pp }\) and the ciphertext \(\mathrm { ct }^*\) as follows.

  • In the setup phase, choose uniformly at random. Set , sample for \(i = 1,\ldots ,m\) and \(j = 1,\ldots ,J\), and set . The public parameter is defined as

    $$\begin{aligned} \mathbf {B}_0&= \mathbf {A} \mathbf {R}_0 + \mathbf {I}_2, \\ \mathbf {B}_i&= \mathbf {A} \mathbf {R}_i + h_i \mathbf {I}_2 \text { for } i=1,\ldots ,m, \\ \mathbf {D}&= \mathbf {A} \mathbf {E}. \end{aligned}$$

    Output \(\mathrm { pp }= (\left[ \mathbf {A} \right] _1,\left[ \mathbf {B}_0 \right] _1,\left[ \mathbf {B}_1 \right] _1,\ldots ,\left[ \mathbf {B}_m \right] _1,\left[ \mathbf {D} \right] _1)\). The challenger holds \(\left( a_1,a_2,\mathbf {R}_0,\mathbf {R}_1,\ldots ,\mathbf {R}_m,\mathbf {E}\right) \) as a master key in this game.

    In \(\text {Game}_{1}\), the \(\mathbf {F}_\mathrm { id }\) for can be written by

    

    where \(\mathbf {R}_\mathrm { id }= \mathbf {R}_0 + \sum _{i = 1}^{m} \mathrm { id }[i] \mathbf {R}_i\) and \(\beta _h(\mathrm { id }) = 1 + \sum _{i = 1}^{m} \mathrm { id }[i] h_i\).

  • In the challenge phase, the challenger computes \(\left[ k_a^* \right] _T\) and \(\left[ k_s^* \right] _T\) as follows:

    $$\begin{aligned} \left[ k_a^* \right] _T&= \left[ {\mathbf {c}^*}^\top \right] _1 \circ \left[ \mathbf {S}^*\left( {\begin{matrix} 1 \\ \alpha ^*\end{matrix}}\right) \right] _2, \\ \left[ k_s^* \right] _T&= \left[ {\mathbf {c}^*}^\top \right] _1 \circ \left[ \mathbf {S}^*\left( {\begin{matrix} 1 \\ 0 \end{matrix}}\right) \right] _2, \end{aligned}$$

    where \(\left[ \mathbf {S}^* \right] _2\) is the secret key for the \(\mathrm { id }^*\).

  Note that this change does not affect the distributions of the public parameter \(\mathrm { pp }\) and the challenge \((\mathrm { ct }^*,K_b^*)\). Therefore, we have

  $$\begin{aligned} \Pr [W_{0}] = \Pr [W_{1}]. \end{aligned}$$

  (4)

• Game\(_{2}\): Let \(\mathrm { id }^*\) be the challenge identity and \(\mathrm { id }_1,\ldots ,\mathrm { id }_Q\) be identities that \(\mathsf {A}\) queries in the key generation query and the decapsulation query, where . Define the event

  $$\begin{aligned} \mathcal {FORCEDABORT}: \bigvee _{i=1}^{Q}(\beta _h(\mathrm { id }_i) = 0) \vee \left( \beta _h(\mathrm { id }^*) \ne 0\right) , \end{aligned}$$

  and

  

  for \(\mathbf {id}_\mathsf {A}= (\mathrm { id }_1,\ldots ,\mathrm { id }_Q,\mathrm { id }^*)\), where the probability is taken over the choice of h. By Lemma 2, this probability has a minimum value greater than 0. Let \(\eta _\mathrm {low}\) be the minimum value of \(\eta (\mathbf {id}_\mathsf {A})\).

  In the guess phase, \(\mathsf {A}\) outputs its guess for b. The challenger checks the event \(\mathcal {FORCEDABORT}\) occurs for \(\mathbf {id}_\mathsf {A}\). If yes, the challenger aborts the game and outputs a fresh random bit . Otherwise, the challenger first estimates the probability \(\eta (\mathbf {id}_\mathsf {A})\) by sampling \((h_1,\ldots ,h_m)\) sufficiently large amount of times. Let \(\eta '(\mathbf {id}_\mathsf {A})\) be the estimation of \(\eta (\mathbf {id}_\mathsf {A})\). Depending on the estimate \(\eta '(\mathbf {id}_\mathsf {A})\) the challenger decides \(\gamma \) as follows:

  • Case \(\eta '(\mathbf {id}_\mathsf {A}) \le \eta _\mathrm {low}\): The challenger outputs \(\gamma = [b=b']\).

  • Case \(\eta '(\mathbf {id}_\mathsf {A}) > \eta _\mathrm {low}\): With probability \(\eta _\mathrm {low}/\eta '(\mathbf {id}_\mathsf {A})\) the challenger outputs \(\gamma = [b=b']\). With probability \(1-\eta _\mathrm {low}/\eta '(\mathbf {id}_\mathsf {A})\) the challenger aborts the game and outputs a fresh random bit .

  Lemma 4 in Appendix will show that

  

  From Lemma 2, we have

  

  (5)

• Game\(_{3}\): In \(\text {Game}_{3}\), we make the following changes to the experiment. When \(\mathsf {A}\) queries an identity \(\mathrm { id }\) to the key generation oracle, the challenger checks whether \(\beta _h(\mathrm { id }) = 0\). If so, the challenger immediately aborts and returns a fresh random bit \(\gamma \). When \(\mathsf {A}\) outputs \(\mathrm { id }^*\) as a challenge identity, if \(\beta _h(\mathrm { id }^*) \ne 0\) the challenger immediately aborts and returns a fresh random bit \(\gamma \). Clearly, the above changes do not affect \(\mathsf {A}\)’s environment if \(\mathcal {FORCED}\mathcal {ABORT}\) dose not occur. Then, we have

  $$\begin{aligned} \Pr [W_{2}] = \Pr [W_{3}]. \end{aligned}$$

  (6)

• Game\(_{4}\): This game is the same as \(\text {Game}_{3}\) except that the challenger changes the generation of the secret key \(\mathrm { sk }_\mathrm { id }= \left[ \mathbf {S}_\mathrm { id } \right] _2\) for \(\mathrm { id }\) as follows.

  • Case \(\beta _h(\mathrm { id }) \ne 0\): The challenger chooses , computes satisfying

    $$\begin{aligned} \beta _h(\mathrm { id }) \mathbf {W}' = -\mathbf {A}\mathbf {W} + \mathbf {A}\mathbf {E}, \end{aligned}$$

    (7)

    and sets

    $$ \mathbf {S}_\mathrm { id }= \begin{pmatrix} \mathbf {W} - \mathbf {R}_\mathrm { id }\mathbf {W}' \\ \mathbf {W}' \end{pmatrix}. $$

    This \(\mathbf {S}_\mathrm { id }\) satisfies Eq. (1) because

    

    Further, the above \(\mathbf {S}_\mathrm { id }\) has the same distribution as the secret key generated by , because 6 elements are chosen at random and the remaining are determined uniquely by Eq. (7).

  • Case \(\beta _h(\mathrm { id }) = 0\): The challenger computes such that

    

    (8)

    as follows. The challenger computes where , and sets

    $$ \mathbf {S}_{\mathrm { id }} = \begin{pmatrix} \mathbf {S}'' \\ \mathbf {S}' \end{pmatrix}. $$

    It is easy to see that \(\left[ \mathbf {S}_\mathrm { id } \right] _2\) is the correct secret key for \(\mathrm { id }\) by multiplying \(\mathbf {A}\) from the left to both hand sides of Eq. (8).

    We show that the above \(\mathbf {S}_\mathrm { id }\) has the same distribution of the original as seen from \(\mathsf {A}\). Now, \(\mathbf {S}'\) is chosen randomly. Hence, we need to show that 2 elements in \(\mathbf {S}''\) e.g. \(\mathbf {e} \mathbf {S}''\) are also random where . It suffices to prove is random even given \(\mathbf {A}\) and \(\mathbf {D} = \mathbf {A}\mathbf {E}\), since \(\mathbf {e} \mathbf {S}''= \mathbf {e} \mathbf {E} - \mathbf {e} \mathbf {R}_\mathrm { id }\mathbf {S}'\). It is easy to see that

    $$\begin{aligned} \begin{pmatrix} \mathbf {D} \\ \mathbf {u} \end{pmatrix} = \underbrace{\begin{pmatrix} \mathbf {A} \\ \mathbf {e} \end{pmatrix}}_{\mathbf {A}'} \mathbf {E}. \end{aligned}$$

    (9)

    Because \(\mathbf {A}'\) is of full rank, the distribution of \(\mathbf {u}\) is random and independent from \(\mathbf {D}\) that \(\mathsf {A}\) knows. Hence, \(\mathbf {e} \mathbf {S}''\) is also random as seen from \(\mathsf {A}\).

  Note that this change dose not affect the distribution of the secret key \(\mathrm { sk }_\mathrm { id }\) for \(\mathrm { id }\). Therefore, we have

  $$\begin{aligned} \Pr [W_{3}] = \Pr [W_{4}]. \end{aligned}$$

  (10)

• Game\(_{5}\): This game is the same as \(\text {Game}_{4}\) except that \(\left[ \mathbf {c}^* \right] _1\) in the challenge is randomly chosen from . Furthermore, the challenger chooses , , and computes at the beginning of the game. As we will show in Lemma 6, we have that there exists a PPT adversary \(\mathsf {D}\) such that

  

  (11)

  The decapsulation oracle in this game is depicted in Fig. 1. We define that a ciphertext \(\left[ \mathbf {c} \right] _1\) is valid for \(\mathrm { id }\) if there exists such that \(\left[ \mathbf {c} \right] _1 = \left[ \mathbf {F}^\top _\mathrm { id }\mathbf {r} \right] _1\). With \(\mathrm { pp }\) and \(\mathrm { mk }\), we can efficiently check whether \(\left[ \mathbf {c} \right] _1 = \left[ (c_1,c_2,c_3,c_4,c_5)^\top \right] _1\) is valid for \(\mathrm { id }\) by simply verifying

  $$ \left[ (c_3,c_4,c_5) \right] _1 = \left[ (c_1,c_2) \begin{pmatrix} a_1^{-1} &{} 0 \\ 0 &{} a_2^{-1} \end{pmatrix}\mathbf {F}'_{\mathrm { id }} \right] _1. $$

  Fig. 1.

  

  Decapsulation oracle in \(\text {Game}_{5}\)

• Game\(_{6}\): In this game, at line 6 in Fig. 1, the challenger returns \(\bot \). Then we have

  

  Therefore, we obtain

  

  (12)

• Game\(_{7}\): In this game, at line 13 in Fig. 1, the challenger returns \(\bot \). As we will show in Lemma 7, we have

  

  (13)

• Game\(_{8}\): In this game, at line 8 in Fig. 1, the challenger returns \(\bot \). \((\left[ \mathbf {c} \right] _1,\mathrm { sd }) = (\left[ \mathbf {c}^* \right] _1,\mathrm { sd }^*)\) holds with probability before the challenge phase, since \(\mathsf {A}\) knows nothing about \((\mathbf {c}^*,\mathrm { sd }^*)\) chosen randomly. On the other hand, after the challenge phase \((\mathrm { id }^*,\mathrm { ct }^*= (\left[ \mathbf {c}^* \right] _1,\left[ k_a^* \right] _T,\mathrm { sd }^*))\) was already announced to \(\mathsf {A}\), any adversarial decapsulation query \((\mathrm { id }^*,(\left[ \mathbf {c}^* \right] _1,\left[ k_a \right] _T,\mathrm { sd }^*))\) with \(\left[ t \right] _T=\left[ k_a \right] _T\) is equal to \((\mathrm { id }^*,\mathrm { ct }^*)\). Hence, such adversarial decapsulation query is forbidden by the restriction of \(\mathrm {IND\text {-}ID\text {-}lrCCA}\) game. Thus we have

  

  (14)

• Game\(_{9}\): In this game, \(K_0^*\) is chosen at random from instead of using \(\mathsf {Ext}(\left[ k_s^* \right] _T, \mathrm { sd }^*)\). As we will show in Lemma 8, we have

  

  (15)

  In \(\text {Game}_{9}\), \(\mathsf {A}\) does not get any information about bit b because both \(K_0^*\) and \(K_1^*\) are random. Hence, we have

  $$\begin{aligned} \Pr [W_{9}] = \frac{1}{2}. \end{aligned}$$

  (16)

From Eqs. (3)–(6) and (10)–(16), we have shown that given an adversary \(\mathsf {A}\) with advantage \(\epsilon _\mathsf {A}\), there exists an adversary \(\mathsf {D}\) with such that

Therefore, we have

The right side of the above inequality is non-negligible, since \(\epsilon _\mathsf {A}\) and are non-negligible in , other terms are negligible in . Hence, this contradicts the XDLIN assumption. This completes the proof of Theorem 1.    \(\square \)

6 Conclusion

In this paper, we proposed the first CCA-secure leakage-resilient IB-KEM scheme which does not depend on \(\mathtt {q}\)-type assumptions. More precisely, it is secure under the DLIN assumption for symmetric bilinear groups and under the XDLIN assumption for asymmetric bilinear groups. A CCA-secure leakage-resilient IBE scheme is obtained by combining our IB-KEM with any CCA-secure symmetric-key encryption scheme (which does not need to be leakage-resilient). However, the leakage rate of our scheme is smaller than previous works [3, 24, 30].

A Proof of Lemmas

To complete the proof of Theorem 1, we prove Lemmas 4, 6, 7, and 8.

Lemma 4

We introduce a lemma before proving Lemma 4.

Lemma 5

([19, Claim 6.7]). Let \(0< \rho < 1\) be a real. For a sequence of identities \(\mathbf {id}\in (\mathcal {ID})^{Q+1}\), and \(\mathcal {ABORT}\) be the event that the challenger aborts with added rules in \(\text {Game}_{2}\). For any fixed \(\mathbf {id}\),

$$ \eta _\mathrm {low}\left( 1-\rho \right) \le \Pr [\lnot \mathcal {ABORT}] \le \eta _\mathrm {low}\left( 1+\rho \right) . $$

Proof

(of Lemma 4). For a sequence of identities \(\mathbf {id}\in (\mathcal {ID})^{Q+1}\), we define \(\mathcal {Q}(\mathbf {id})\) as the event that \(\mathsf {A}\) uses the last entry in \(\mathbf {id}\) as the challenge and makes key generation queries and decapsulation queries for the remaining identities. Then, we have \(\sum _{\mathbf {id}\in (\mathcal {ID})^{Q+1}}\Pr [\mathcal {Q}(\mathbf {id})] = 1\). Let \(\delta (\mathbf {id}) = \Pr [\lnot \mathcal {ABORT}]\), and \(\delta _\mathrm {low}\) and \(\delta _\mathrm {up}\) be reals such that \(\delta _\mathrm {low}\le \delta (\mathbf {id}) \le \delta _\mathrm {up}\). Then, we have

The last inequality above follows from Lemma 3, since we have

and

From Lemma 5, we have \(\delta _\mathrm {up}- \delta _\mathrm {low}\le \eta _\mathrm {low}\rho /2\). Therefore, defining , we obtain

   \(\square \)

Lemma 6

For any PPT algorithm \(\mathsf {A}\), there exists a PPT algorithm \(\mathsf {D}\) such that

(17)

Proof

Let be an XDLIN instance, where

$$\begin{aligned} \mathbf {A}&= \begin{pmatrix} a_1 &{} 0 &{} 1 \\ 0 &{} a_2 &{} 1 \end{pmatrix}, \\ \mathbf {y}&= \mathbf {A}^\top \mathbf {r}^*\text { or random}. \end{aligned}$$

Then, we build a PPT algorithm \(\mathsf {D}\) with input \((\left[ \mathbf {A} \right] _1,\left[ \mathbf {A} \right] _2,\left[ \mathbf {y} \right] _1)\) that simulates the IND-ID-lrCCA game with \(\mathsf {A}\) as follows.

• Setup phase: \(\mathsf {D}\) generates \(\mathrm { pp }= \left( \left[ \mathbf {A} \right] _1,\left[ \mathbf {B}_0 \right] _1,\left[ \mathbf {B}_1 \right] _1,\ldots ,\left[ \mathbf {B}_m \right] _1,\left[ \mathbf {D} \right] _1\right) \) as same as the challenger, except that \(\mathsf {D}\) computes

  $$\begin{aligned} \left[ \mathbf {B}_0 \right] _1&= \left[ \mathbf {A} \mathbf {R}_0 + \mathbf {I}_2 \right] _1, \\ \left[ \mathbf {B}_i \right] _1&= \left[ \mathbf {A} \mathbf {R}_i + h_i \mathbf {I}_2 \right] _1 \text { for } i = 1,\ldots ,m, \\ \left[ \mathbf {D} \right] _1&= \left[ \mathbf {A} \mathbf {E} \right] _1. \end{aligned}$$

  Finally \(\mathsf {D}\) sends \(\mathrm { pp }\) to \(\mathsf {A}\).

• Query phase: \(\mathsf {D}\) answers for each query from \(\mathsf {A}\) as follows.

  • Key Generation query \(\mathrm { id }\). Assume that \(\beta _h(\mathrm { id }) \ne 0\). \(\mathsf {D}\) chooses at random, computes such that \(\left[ \beta _h(\mathrm { id }) \mathbf {S}'' \right] _2 = \left[ -\mathbf {A}\mathbf {S}' + \mathbf {A}\mathbf {E} \right] _2\), sets

    $$ \left[ \mathbf {S}_\mathrm { id } \right] _2 = \left[ \begin{pmatrix} \mathbf {S}' - \mathbf {R}_\mathrm { id }\mathbf {S}'' \\ \mathbf {S}' \end{pmatrix} \right] _2, $$

    and returns \(\mathrm { sk }_\mathrm { id }= \left[ \mathbf {S}_\mathrm { id } \right] _2\) to \(\mathsf {A}\).

  • Leakage query \((\mathrm { id }, f)\) and decapsulation query \((\mathrm { id }, \mathrm { ct })\). If \(\beta _h(\mathrm { id }) \ne 0\), then \(\mathsf {D}\) can generate \(\mathrm { sk }_\mathrm { id }\) as above. Furthermore, even in that case that \(\beta _h(\mathrm { id }) = 0\) (i.e., \(\mathrm { id }=\mathrm { id }^*\)), \(\mathsf {D}\) can generate \(\mathrm { sk }_\mathrm { id }\) by computing \(\mathbf {S}_\mathrm { id }\) such that . Thus, \(\mathsf {D}\) can answer \(f(\mathrm { sk }_\mathrm { id })\) and \(\mathsf {Decap}(\mathrm { sk }_\mathrm { id }, \mathrm { ct })\) for any identity.

• Challenge phase: \(\mathsf {D}\) generates the challenge \((\mathrm { ct }^*,K_b^*) = \left( (\left[ \mathbf {c}^* \right] _1,\left[ k_a \right] _T,\mathrm { sd }),K_b^*\right) \) as same as the challenger, except that \(\mathsf {D}\) computes

  $$ \left[ \mathbf {c}^* \right] _1 = \left[ \begin{pmatrix} \mathbf {y} \\ \mathbf {R}_{\mathrm { id }^*}^\top \mathbf {y} \end{pmatrix} \right] _1 $$

  instead of \(\left[ \mathbf {c}^* \right] _1 = \left[ \mathbf {F}_{\mathrm { id }^*}^\top \mathbf {r} \right] _1\). Then, \(\mathsf {D}\) returns \((\mathrm { ct }^*,K_b^*)\) to \(\mathsf {A}\).

Finally, \(\mathsf {D}\) outputs \(\gamma = [b = b']\) where is the output of \(\mathsf {A}\).

We will show that the distribution of \((\mathrm { ct }^*, K_b^*)\) is the same as the challenge in \(\text {Game}_{4}\) if \(\mathbf {y} = \mathbf {A}^\top \mathbf {r}^*\), while if \(\mathbf {y}\) is a random it is the same as that in \(\text {Game}_{5}\) with overwhelming probability. First suppose that \(\mathbf {y} = \mathbf {A}^\top \mathbf {r}^*\). In this case,

showing that \((\mathrm { ct }^*, K_b^*)\) is the challenge in \(\text {Game}_{4}\). Next suppose that \(\mathbf {y}\) is random in . It suffices to prove that is also random in even given \(\mathbf {A}\), , and \(\mathbf {y}\). It is easy to see that

$$\begin{aligned} \begin{pmatrix} \mathbf {U} \\ \mathbf {z}^\top \end{pmatrix} = \underbrace{\begin{pmatrix} \mathbf {A} \\ \mathbf {y}^\top \end{pmatrix}}_\mathbf {V}\mathbf {R}_{\mathrm { id }^*}. \end{aligned}$$

Therefore, \(\mathbf {z}\) is random because \(\mathbf {V}\) is of full rank with probability \(1-1/q\). Hence, \(\left[ \mathbf {c}^* \right] _1\) is random as expected.

Thus, \(\text {Game}_{4}\) and \(\text {Game}_{5}\) are indistinguishable under the XDLIN assumption, so that we have Eq. (17).    \(\square \)

Lemma 7

(18)

Proof

We assume that all decapsulation queries are made after the challenge phase, but a similar (but slight simpler) argument can be used if \(\mathsf {A}\) makes queries before the challenge phase. Suppose that \((\mathrm { id }^*,\mathrm { ct }= (\left[ \mathbf {c} \right] _1,\left[ t \right] _T,\mathrm { sd }))\) is the first decapsulation query such that \(\mathrm { id }= \mathrm { id }^*\) and the condition at line 13 in Fig. 1 is evaluated. Let , where . Then, we have

where \(k_a\) is computed at line 11 in Fig. 1. From the supposition, we can assume that \(\alpha \ne \alpha ^*\), \(\mathbf {c}^*\) is chosen uniformly at random, and \(\left[ \mathbf {c} \right] _1\) is invalid for \(\mathrm { id }^*\). Hence, the matrix \(\mathbf {M}\) is of full rank with probability at least \(1-1/q\), that implies that the distribution of \(k_a\) is random and independent from \(\mathbf {D}\) and \(k_a^*\). In addition to \(\mathbf {D}\) and \(k_a^*\), \(\mathsf {A}\) knows at most \(\ell \) bit leakage and n bit challenge session key \(K_b^*\) that is probable to provide information on the value of \(k_a\) to \(\mathsf {A}\). Let \(K_a\), F, and I denote random variables induced by \(k_a\), , and \(({\mathbf D}, k_a^*)\), respectively. Given \(k_a\), , and \(({\mathbf D}, k_a^*)\) that \(\mathsf {A}\) knows, we have

$$ \tilde{H}_\infty (K_a \mid F, I) \ge \tilde{H}_\infty (K_a \mid I) - (\ell + n) = \log _2{q} - \ell - n $$

from Lemma 1 and the above discussion. Thus, for any \(k_a\), we have \(\Pr [K_a=k_a] \le 2^{\ell +n}/q\). Therefore, in the first evaluation of line 11, the condition \(t=k_a\) is satisfied with probability at most \({2^{\ell +n}}/{q}\). Now assuming \(t=k_a\) is not satisfied, the number of possible \(k_a\) decreases one. So, in the i-th evaluation of line 11, the probability that \(t=k_a\) holds is at most \(2^{\ell +n}/(q-i+1)\), in the case that \(t=k_a\) is not satisfied in all previous evaluations. From the above discussion, we have

From Eq. (2), we obtain Eq. (18).    \(\square \)

Lemma 8

(19)

Proof

In \(\text {Game}_{9}\), the challenger returns \(\bot \) to \(\mathsf {A}\) at line 13 in Fig. 1. Hence, \(\mathsf {A}\) does not learn any information on \(k_s^*\) via the decapsulation oracle, since \(\mathsf {A}\) can only get decapsulation results of valid ciphertexts. Now, \(\mathsf {A}\) knows \(\mathbf {D}\), \(k_a^*\), and as information about \(k_s^*\). Then, we show that the min-entropy of \(k_s^*\) is at least \(\log _2{q} - \ell \) with probability at least \(1-1/q\).

First, we have

$$\begin{aligned} k_s^*= {\mathbf {c}^*}^\top \mathbf {s}_1^*, \end{aligned}$$

and then

The matrix \(\mathbf {N}\) is of full rank with probability at least \(1-1/q\), since \(\alpha ^*\ne 0\) and \(\left[ \mathbf {c}^* \right] _1\) is uniformly at random. Then, the distribution of \(k_s^*\) is random and independent from \(\mathbf {D}\) and \(k_a^*\). In addition to \(\mathbf {D}\) and \(k_a^*\), \(\mathsf {A}\) knows at most \(\ell \) bit leakage that is probable to provide information on the value of \(k_s^*\) to \(\mathsf {A}\). Let \(K_a\), D, and F denote random variables induced by \(k_s^*\), \((\mathbf {D},k_a^*)\), and respectively. Given \(k_s^*\), \((\mathbf {D},k_a^*)\), and that \(\mathsf {A}\) knows, we have

$$\begin{aligned} \tilde{H}_\infty (K_s^*\mid D,F)&\ge \tilde{H}_\infty (K_s^*\mid D)- \ell = \log _2{q} - \ell \end{aligned}$$

from Lemma 1 and the discussion when ignoring . Hence \(\mathsf {Ext}(K_s^*, \mathrm { sd }^*)\) is statistically indistinguishable from an n bits random string because \(\mathsf {Ext}\) is a \((\log _2{q} - \ell )\)-randomness extractor. Therefore, we have Eq. (19).    \(\square \)