Leakage-Resilient $$\mathsf {IBE}$$ / $$\mathsf {ABE}$$ with Optimal Leakage Rates from Lattices

Lai, Qiqi; Liu, Feng-Hao; Wang, Zhedong

doi:10.1007/978-3-030-97131-1_8

Qiqi Lai^11,12,
Feng-Hao Liu¹³ &
Zhedong Wang¹⁴

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13178))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

991 Accesses

Abstract

We derive the first adaptively secure $\mathsf {IBE}$ and $\mathsf {ABE}$ for t-CNF, and selectively secure $\mathsf {ABE}$ for general circuits from lattices, with $1-o(1)$ leakage rates, in the both relative leakage model and bounded retrieval model ($\mathsf {BRM}$).

To achieve this, we first identify a new fine-grained security notion for $\mathsf {ABE}$ – partially adaptive/selective security, and instantiate this notion from $\mathsf {LWE}$. Then, by using this notion, we design a new key compressing mechanism for identity-based/attributed-based weak hash proof system ($\mathsf {IB}$/$\mathsf {AB}$-$\mathsf {wHPS}$) for various policy classes, achieving (1) succinct secret keys and (2) adaptive/selective security matching the existing non-leakage resilient lattice-based designs. Using the existing connection between weak hash proof system and leakage resilient encryption, the succinct-key $\mathsf {IB}$/$\mathsf {AB}$-$\mathsf {wHPS}$ can yield the desired leakage resilient $\mathsf {IBE}$/$\mathsf {ABE}$ schemes with the optimal leakage rates in the relative leakage model. Finally, by further improving the prior analysis of the compatible locally computable extractors, we can achieve the optimal leakage rates in the $\mathsf {BRM}$.

Access provided by Autonomous University of Puebla. Download conference paper PDF

Private Circuits: A Modular Approach

Optimally Secure Tweakable Blockciphers

Adaptively Secure Laconic Function Evaluation for $$\mathsf {NC}^1$$

1 Introduction

Leakage-resilient cryptography aims to create crypto systems that maintain security even when partial information of the secret key is leaked. This line of studies is motivated by both theoretic curiosities and perhaps more importantly, real-world scenarios, where some secure crypto systems might be completely broken if some partial key leakage is given to the attackers. One famous example is the side-channel attacks where the adversary can obtain leakage from measuring some physical behavior of an implementation, e.g., [1, 27]. Another source of leakage comes from imperfect erasure where the attacker can obtain partial information before the content is completely erased, e.g., the cold boot attacks [23]. On the other hand, leakage resilience can be used to achieve security for other more complicated systems. For example, in the design of non-malleable codes, the work [17, 26, 31] leveraged leakage resilience to prove non-malleability. Therefore, leakage resilience has been an active research subject for the community, e.g., [4,5,6, 8, 16, 25, 33], to name a few.

Main Goal. As motivated above, we aim to determine how to derive encryption schemes with better leakage rates, stronger security, and more expressive access control functionalities. More specifically, our goal is to construct leakage resilient encryption schemes in both the relative leakage model and the bounded retrieval model ($\mathsf {BRM}$) with (1) optimal leakage rates, i.e., $1-o(1)$, (2) post-quantum security and (3) more fine-grained access control, i.e., $\mathsf {IBE}$ and $\mathsf {ABE} $ for various classes of policy functions.

The Leakage Models. Various leakage models have been studied in the literature, capturing information leaked to the adversary. This work focuses on a simple yet general model called the bounded-leakage model (also known as the memory leakage model), allowing the attacker to learn arbitrary information about the secret key $\mathsf {sk} $, as long as the number of leaked bits is bounded by some parameter $\ell $. This model has drawn a lot of attentions (e.g., [4, 5, 25, 33]) for its elegance and simplicity, and can be used as a building block towards more sophisticated and realistic models, such as the continual leakage model [9, 14] (see [25]). Thus, understanding this model is not only of theoretic interests but also a necessary step towards realizing security for broader physical attacks.

The bounded leakage model would require $\ell < |\mathsf {sk} |$, as otherwise, the attacker can trivially obtain the whole secret key, and thus no meaningful security can be attained. To further characterize this requirement, there are two important models studied in the literature that treat the relation between $\ell $ and $\mathsf {sk} $ in a different way: (1) relative leakage model, and (2) bounded retrieval model ($\mathsf {BRM}$).

In the former, the secret key and public-key are chosen in the same way as a standard crypto system (not necessary leakage resilient), and then the leakage parameter $\ell $ would be determined. The latter model generalizes the former by considering $\ell $ as an independent parameter whose growth (essentially) only goes with $|\mathsf {sk} |$, but would barely affect the other parameters, such as the public-key size, encryption running time, and ciphertext size. Basically, both models can scale up $\ell $ to allow an arbitrarily long leakage. But their difference is that the former would require to scale up the security parameter and thus all the other parameters, while the latter would only scale up the secret-key size and keep the other parameters essentially the same. Thus, constructions in the $\mathsf {BRM}$ is more desirable yet more challenging.

Leakage rate, i.e., the ratio $\ell / |\mathsf {sk} |$, is an important measure of efficiency for crypto systems in these two models. Particularly, rate $1-o(1)$ is the best we can hope for – in order to tolerate $\ell $ bits of leakage, the system only needs to scale $|\mathsf {sk} | $ slightly larger than $\ell $, optimizing the security/efficiency tradeoff.

Current State of the Arts and Challenges. We first notice that for the pre-quantum settings, leakage resilience can be achieved via the beautiful framework – dual system encryption, even for $\mathsf {IBE}$/$\mathsf {ABE} $ and with optimal leakage rates, e.g., [28]. However, current instantiations of the dual system encryption are all group-based [11, 20, 28, 29, 41, 42], and thus cannot defend against quantum algorithms. It is an interesting yet extremely challenging open question how to instantiate a dual system from a post-quantum candidate, such as $\mathsf {LWE}$ or $\mathsf {LPN}$.

For post-quantum leakage resilient encryption schemes, we notice that there are some limitations of the current techniques in achieving the optimal leakage rate beyond the basic $\mathsf {PKE}$. In prior work, there have been constructed $\mathsf {LWE}$/$\mathsf {LPN}$-based $\mathsf {PKE}$ schemes with leakage rates $1-o(1)$, e.g., [10, 13], but their ideas do not generalize to more advanced settings, such as $\mathsf {IBE}$ and $\mathsf {ABE}$. In a subsequent work, Hazay et al. [25] proposed a unified framework, showing that (1) $\mathsf {PKE}$ implies leakage resilient $\mathsf {PKE}$ in the relative leakage model, and (2) $\mathsf {IBE}$ implies leakage resilient $\mathsf {PKE}$/$\mathsf {IBE}$ in the $\mathsf {BRM}$. Moreover, the leakage resilient $\mathsf {IBE}$ achieves the same level of adaptive/selective security as that of the underlying $\mathsf {IBE}$. Their idea can be generalized to construct leakage resilient $\mathsf {ABE}$, but this approach inherently yields a very low leakage rate (i.e., $1/O(\lambda )$).

A recent work [35] somewhat mitigated this issue by improving the leakage rates, yet at the cost of weaker security guarantees for the post-quantum instantiations. Particularly, they construct $\mathsf {LWE}$-based leakage resilient $\mathsf {IBE}$ schemes in both the relative leakage model and the $\mathsf {BRM} $, achieving $1-o(1)$ leakage rate in the former and $1-O(1)$ (for any arbitrarily small constant) in the latter. Their improvement relies on a novel key-compression mechanism that shortens the secret key length required in the framework of Hazay et al. [25]. Due to some technical limitation in the mechanism, their $\mathsf {IBE}$ scheme however, can only achieve the selective security. From these works [25, 35], we see a tradeoff between security and leakage rate, i.e., either we have an adaptively secure $\mathsf {IBE}$ with a low leakage rate, or a selectively secure $\mathsf {IBE}$ with a higher leakage rate.

Main Question. In this work, we aim to further determine whether the tradeoff between (selective/adaptive) security and leakage rates as above is inherent. Particularly, we ask the following:

Can we achieve the optimal leakage rate ($1-o(1)$) for $\mathsf {IBE}$ (and $\mathsf {ABE}$ ) in both relative and bounded retrieval models with security matching existing non-leakage resilient $\mathsf {IBE}$ ( $\mathsf {ABE}$ ), under $\mathsf {LWE}$ ?

1.1 Our Contributions

In this work, we give positive answers in many settings of the main question. Our central idea is a refinement of the framework of [25, 35] by designing a new key compression mechanism from $\mathsf {ABE}$ with succinct keys. Below we describe our contributions in more details.

As a warm-up, we propose a new leakage model for $\mathsf {ABE}$ that incorporates parameters $\ell $ and $\omega $, where $\ell $ is the number of bits allowed to leak per key and $\omega $ is the number of keys the adversary can leak. We note that for $\mathsf {PKE}$ and $\mathsf {IBE}$, there is only one possible secret key corresponding to the challenge $\mathsf {id}$. In this case, it is without loss of generality to just consider $\omega =1$. However, for the $\mathsf {ABE}$ setting, there could be many possible secret keys corresponding to the challenge attribute, so specifying $\omega $ is natural and necessary in the leakage model. We call a scheme $(\ell ,\omega )$-leakage resilient if the scheme can tolerate leakage on $\omega $ keys, each within $\ell $ bits.
Next, we design improved instantiations of attribute-based weak hash proof system ($\mathsf {AB\text {-}wHPS}$), which generalizes (identity-based) weak hash proof system [5, 25] by associating each ciphertext with an attribute and each secret key with a policy function. Particularly, we construct lattice-based $\mathsf {AB\text {-}wHPS}$ from $\mathsf {ABE} $ for various function classes, achieving two important new features: (1) succinct secret keys, i.e., the secret key length is $|f| + o(|f|)$ where f is the policy function, and (2) security matching currently the best known lattice-based $\mathsf {ABE}$ schemes (not necessarily leakage resilient). More specifically, we construct adaptively secure $\mathsf {AB\text {-}wHPS}$ for the class of comparison functions (which is the $\mathsf {IB\text {-}wHPS}$) and the class t-$\mathsf {CNF} ^*$^{Footnote 1}, and selectively secure $\mathsf {AB\text {-}wHPS}$ for general circuits.
By using $\mathsf {AB\text {-}wHPS}$ for class $\mathcal {F}$ with succinct keys, we are able to construct $(\ell ,1)$-leakage resilient $\mathsf {ABE}$ for $\mathcal {F}$, with leakage rate $\ell /|\mathsf {sk} | = (1-o(1))$ in the relative leakage model.

We view $\mathsf {AB\text {-}wHPS}$ with succinct key as an improved key compression mechanism from prior works [25, 35] in the following two aspects: (1) $\mathsf {AB\text {-}wHPS}$ has better expressibility of policy function (the prior work [35] can only express the comparison function), and (2) we can derive adaptively secure $\mathsf {AB\text {-}wHPS}$ with succinct keys for classes which we have adaptively secure (non-leakage resilient) $\mathsf {ABE}$. Prior to our work, for lattice-based schemes, we only had either a selectively secure $\mathsf {IB\text {-}wHPS}$ with succinct secret keys [35] or an adaptively secure $\mathsf {IB\text {-}wHPS}$ with non-succinct keys [25].
From our $\mathsf {AB\text {-}wHPS}$, we can further derive $(\ell ,1)$-leakage resilient $\mathsf {ABE}$ in the $\mathsf {BRM}$, via an amplification and a connection with locally computable extractors as pointed out by [25]. However, prior compatible locally computable extractors [5] can only achieve $1-O(1)$ leakage rate for an arbitrarily small constant. To achieve $1-o(1)$ leakage rate, we improve the prior analysis [5] by refining their proof technique via the framework of Vadhan [40].
Finally, we present a bootstrapping mechanism that generalizes our prior $(\ell ,1)$-leakage resilient $\mathsf {ABE}$ schemes to $(\ell , \omega )$-leakage resilient schemes for any bounded polynomial $\omega $, in both relative leakage model and bounded retrieval model. The resulting leakage rate is still optimal (i.e., $1-o(1)$) against block leakage functions, a slightly more restricted class.

1.2 Overview of Our Techniques

Our central insight is a new key-compression mechanism for the framework in [25]. To illustrate our new idea, we first briefly review the prior framework [25] and point out the barrier of their leakage rates. Then we will describe our new ideas for the improvement.

(Weak) Hash Proof System. A hash proof system can be described as a key encapsulation mechanism that consists of four algorithms $(\mathsf {Setup}, \mathsf {Encap}, {\mathsf {Encap}}^{*}, \mathsf {Decap})$: (1) $\mathsf {Setup}$ outputs a key pair $(\mathsf {pk},\mathsf {sk})$, (2) $\mathsf {Encap}(\mathsf {pk})$ outputs a pair $(\mathsf {CT},k)$ where k is a key encapsulated in a “valid” ciphertext $\mathsf {CT} $, (3) $\mathsf {Encap}^{*}(\mathsf {pk})$ outputs an “invalid” ciphertext $\mathsf {CT} ^{*}$, and (4) $\mathsf {Decap}(\mathsf {sk},\mathsf {CT})$ outputs a key $k'$. A (weak) hash proof system requires the following:

Correctness. For a valid ciphertext $\mathsf {CT} $, $\mathsf {Decap}$ always outputs the encapsulated key $k'=k$, i.e., $\mathsf {Decap}(\mathsf {sk}, \mathsf {CT}) = k$, where $(\mathsf {CT},k)\xleftarrow {\$} \mathsf {Encap}(\mathsf {pk})$.
Ciphertext Indistinguishability. Valid ciphertexts and invalid ciphertexts are computationally indistinguishable, even given the secret key. This condition is essential for achieving leakage resilience [5, 33].
Universality. The decapsulation of an invalid ciphertext has information entropy, even for unbounded adversaries. Here, the randomness of invalid decapsulation comes from randomness in generating secret keys. A weak $\mathsf {HPS}$ ($\mathsf {wHPS}$) only requires this property to hold for a random invalid ciphertext, i.e. $\mathsf {CT} ^{*}\xleftarrow {\$} \mathsf {Encap}^{*}(\mathsf {pk})$, while a full-fledged $\mathsf {HPS}$ requires this to hold for any invalid ciphertext.

As noted in prior work [5], a $\mathsf {wHPS}$ already suffices to achieve leakage resilience, though it is not sufficient for the $\mathsf {CCA2}$ security, for which the $\mathsf {HPS}$ was originally intended to design [12]. Roughly speaking, the leakage resilient scheme derived from $\mathsf {wHPS}$ [5, 25, 33] can tolerate $\ell \approx | k | - \lambda $ bits of leakage, i.e., the length of encapsulated key minus security parameter, and thus the leakage rate of the derived encryption scheme would be $\ell /|\mathsf {wHPS}.\mathsf {sk} | \approx \frac{| k | - \lambda }{|\mathsf {wHPS}.\mathsf {sk} |} $.

Moreover, the idea can be generalized to $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ where an additional $\mathsf {id} $ or attribute $\boldsymbol{x}$ is associated with the ciphertext, and $\mathsf {id} $ or a policy function f is associated with the secret key. In the same way [25], $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ suffice to derive leakage resilient $\mathsf {IBE}$ and $\mathsf {ABE} $.

wHPS from Any PKE and Generalizations [25]. While there were several instantiations of $\mathsf {wHPS}$ from specific assumptions [5, 33], Hazay et al. [25] showed somewhat surprisingly, any $\mathsf {PKE}$ implies $\mathsf {wHPS}$. Their construction [25] can be thought as the following two steps: (1) construct a basic $\mathsf {wHPS}$ that only outputs 1 bit (or $\log \lambda $-bits), (2) amplify the output of the $\mathsf {wHPS}$ via parallel repetition. As pointed out in the work [25], parallel repetition might not amplify $\mathsf {HPS}$ in general, yet it does for $\mathsf {wHPS}$ as required in the application of leakage resilience.

The basic $\mathsf {wHPS}$ is simple: given any $\mathsf {PKE}= (\mathsf {Enc},\mathsf {Dec})$, the $\mathsf {wHPS}.\mathsf {pk} $ consists of two public keys $\mathsf {pk} _{0},\mathsf {pk} _{1}$ from $\mathsf {PKE}$, and $\mathsf {wHPS}.\mathsf {sk} $ is $(b,\mathsf {sk} _{b})$ for a random bit b where $\mathsf {sk} _{b}$ corresponds to $\mathsf {pk} _{b}$. The $\mathsf {Encap}$ algorithm outputs a valid ciphertext $\mathsf {CT} =(\mathsf {Enc}_{\mathsf {pk} _{0}}(k), \mathsf {Enc}_{\mathsf {pk} _{1}}(k) )$ to encapsulate a uniformly random key $k\in \{0,1\}$. The $\mathsf {Encap}^{*}$ algorithm outputs an invalid ciphertext $\mathsf {CT} ^{*}=(\mathsf {Enc}_{\mathsf {pk} _{0}}(k), \mathsf {Enc}_{\mathsf {pk} _{1}}(1-k) )$ for a uniformly random bit k. With a parallel repetition of n times, i.e., $ \mathsf {wHPS}_\Vert .\mathsf {pk}:= \{\mathsf {pk} _{i,0}, \mathsf {pk} _{i,1}\}_{i\in [n]}$ and $\mathsf {wHPS}_\Vert .\mathsf {sk}:= \{(i,b_{i}), \mathsf {sk} _{i,b_{i}}\}_{i\in [n]}$, we can get a $\mathsf {wHPS}_\Vert $ with $|k| =n$ for an arbitrarily large $n \gg \lambda $, and thus a leakage resilient encryption that tolerates $\ell = n - \lambda \approx n - o(|\mathsf {wHPS}_\Vert .\mathsf {sk} |)$.

Naturally, this elegant approach can be generalized to construct $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ for class $\mathcal {F}$ from any $\mathsf {IBE}$ and $\mathsf {ABE} $ for $\mathcal {F}$, and the (adaptive/selective) security of the $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ matches the underlying $\mathsf {IBE}$ and $\mathsf {ABE} $. Therefore, this framework provides a powerful way to design leakage resilient $\mathsf {IBE}$ and $\mathsf {ABE} $ from any $\mathsf {IBE}$ and $\mathsf {ABE} $ that can tolerate an arbitrarily large leakage $\ell $.

Technical Challenges from Prior Work. This technique of [25] achieves almost everything one would desire, except for the leakage rate. The main reason comes from the secret key size of $\mathsf {wHPS}_\Vert $, which is also scaled up by the parallel repetition, resulting in a low leakage rate as $ \frac{\ell }{|\mathsf {wHPS}_\Vert .\mathsf {sk} |} = \frac{n - o(|\mathsf {wHPS}_\Vert .\mathsf {sk} |)}{|\mathsf {wHPS}_\Vert .\mathsf {sk} |} \approx \frac{n - o(n|\mathsf {PKE}.\mathsf {sk} |) }{ n |\mathsf {PKE}.\mathsf {sk} |}\approx \frac{1}{|\mathsf {PKE}.\mathsf {sk} |}$. To further improve the rate, it suffices to decrease $|\mathsf {wHPS}.\mathsf {sk} |$ as observed by [35]. In particular, if we can shrink the secret key size of the $\mathsf {wHPS}$ to roughly $|\mathsf {wHPS}_\Vert .\mathsf {sk} | \approx n + |\mathsf {PKE}.\mathsf {sk} |$, then the leakage rate would be $\frac{n - o(|\mathsf {wHPS}_\Vert .\mathsf {sk} |)}{|\mathsf {wHPS}_\Vert .\mathsf {sk} |} \approx \frac{n - o(n + |\mathsf {PKE}.\mathsf {sk} |)}{n+ |\mathsf {PKE}.\mathsf {sk} |} \approx 1 - o(1)$, for sufficiently large n. Therefore, now the goal becomes to design a compact form of $\mathsf {wHPS}_\Vert .\mathsf {sk} $ that can encode n possible keys in a succinct way.

The work [35] achieved this goal and the more general $\mathsf {IB\text {-}wHPS}$ by proposing a novel key compression mechanism from a new primitive called multi-$\mathsf {IBE}$. Then they instantiated the required multi-$\mathsf {IBE}$ from inner-product encryption ($\mathsf {IPE}$) [3, 11, 42] with succinct keys. However, for lattice-based $\mathsf {IPE}$ schemes [3], only the selective security can be achieved under currently known techniques. Thus, the work [35] can only derive selectively secure leakage resilient $\mathsf {IBE}$ from lattices.

At this point, we summarize two limitations from the prior key compression mechanism [35]: (1) the approach is tied to $\mathsf {IBE}$/$\mathsf {IB\text {-}HPS}$, and it is unclear whether we can further generalize the technique for further expressive policies, i.e., $\mathsf {ABE}$; (2) the lattice-based instantiations are only selectively secure under currently known techniques. Below we show our new ideas to break these limitations.

Our New Key Compression Mechanism. We first present a new key compression mechanism that can be generalized to more expressive policy functions, i.e., $\mathsf {ABE}$. To illustrate our core insight, we first describe how to use the technique of key-policy ($\mathsf {KP}$)-$\mathsf {ABE}$ to encode $\mathsf {wHPS}_\Vert .\mathsf {sk} $ succinctly. The idea can be naturally generalized to compress $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$. To facilitate further discussions, we first recall the concept of $\mathsf {KP}$-$\mathsf {ABE}$.

In a $\mathsf {KP}$-$\mathsf {ABE}$ scheme, a secret key is associated with a policy function $f:\{0,1\}^{*}\rightarrow \{0,1\}$, and a ciphertext is associated with an attribute $\boldsymbol{x}$. The secret key can decrypt and recover the encrypted message if and only if $f(\boldsymbol{x})=1$.

Now we explain our key compression mechanism. Let us describe the format of a valid ciphertext of $\mathsf {wHPS}_\Vert $ as ${\mathsf {CT}} := \Big \{\mathsf {Enc}_{\mathsf {pk} _{i,0}} (k_{i}), \mathsf {Enc}_{\mathsf {pk} _{i,1}}(k_{i}) \Big \}_{i\in [n]}$, and a secret key is of the form $\{(i,b_{i}), \mathsf {sk} _{i,b_{i}}\}_{i\in [n]}$. From another angle looking at the ciphertext, we can view the indices (i, b)’s as attributes in an $\mathsf {ABE}$, i.e. ${\mathsf {CT}} := \left\{ \mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (i,0), k_{i}), \mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (i,1), k_{i}) \right\} _{i\in [n]}$. Then we can use a single $\mathsf {ABE}$ secret key to encode the set of keys $\{(i,b_{i}), \mathsf {sk} _{i,b_{i}}\}_{i\in [n]}$ as follows. Let $\boldsymbol{b} = (b_{1},b_{2},\dots , b_{n})\in \{0,1\}^{n}$ be a binary vector, and define the following policy function $g_{\boldsymbol{b}}(i,z) = 1$ iff $b_{i} = z$ for each $i\in [n]$. In this way, only this set of attributes $\{(i,b_{i})\}_{i\in [n]}$ satisfies the policy function $g_{\boldsymbol{b}}$, so the $\mathsf {ABE}$ decryption algorithm with $\mathsf {sk} _{g_{\boldsymbol{b}}}$ can successfully recover the encrypted messages from $\{\mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (i,b_{i}), k_{i})\}_{i\in [n]}$. The other part of the ciphertext, i.e., $\{\mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (i,1-b_{i}), k_{i})\}_{i\in [n]}$ is hidden by the security of the $\mathsf {ABE} $. This approach can be naturally extended to the setting of $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ by adding an additional string $\boldsymbol{x}\in \{0,1\}^*$ (either an $\mathsf {ID}$ or general attribute) to the existing attributes as above, resulting in ciphertexts of the form ${\mathsf {CT}} := \left\{ \mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (\boldsymbol{x}, i,0), k_{i}), \mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk}, (\boldsymbol{x}, i,1), k_{i}) \right\} _{i\in [n]}$. It is not hard to check these designs satisfy the requirements of ($\mathsf {IB}$/$\mathsf {AB}$)-$\mathsf {wHPS}$.

Here we can conclude: (1) $\mathsf {sk} _{g_{\boldsymbol{b}}}$ is functionally equivalent to the set of secret keys $\{(i,b_{i}), \mathsf {sk} _{i,b_{i}}\}_{i\in [n]}$, and (2) as long as $\mathsf {sk} _{g_{\boldsymbol{b}}}$ has a succinct representation, i.e., $|\mathsf {sk} _{g_{\boldsymbol{b}}}|$ only depends on the depth but not the size of the function $g_{\boldsymbol{b}}$ when $g_{\boldsymbol{b}}$ is given, we can achieve the optimal leakage rate. We can instantiate the desired $\mathsf {ABE}$ by the lattice-based schemes [7, 22], and consequently derive a $\mathsf {PKE}$/$\mathsf {IBE}$/$\mathsf {ABE}$ with the optimal rate in the relative leakage model.

Adaptive Security for Various Function Classes. A careful reader may already observe that the underlying $\mathsf {ABE}$ schemes of [7, 22] do not achieve adaptive security, and neither do the $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ as constructed above. Moreover, it seems that lattice-based $\mathsf {ABE}$ that supports the computation $g_{\boldsymbol{b} }(\cdot )$ with succinct keys (e.g., general circuits [7, 22]) can only achieve selective security. Thus, existing techniques plus the above approach do not suffice for our goal on adaptive security.

To overcome the limitation, we further observe that our constructions of $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ above actually do not require the full adaptive security of the whole attribute $(\boldsymbol{x}, (i,b))$ from the underlying $\mathsf {ABE} $. We only need the selective security over the second part (i, b), as this part is generated by the honest key generation algorithm, instead of being challenged by the adversary.

With this insight, we define a more fine-grained security notion that considers partially adaptive/selective security over partitioned attributes $(\boldsymbol{x}, (i,b))$. Intuitively, if the underlying $\mathsf {ABE}$ is adaptively (or selectively) secure over $\boldsymbol{x}$ and selective secure over (i, b), then we can prove the $\mathsf {AB\text {-}wHPS}$ is adaptively (resp. selectively) secure. Furthermore we instantiate the required partially adaptive-selective $\mathsf {ABE}$ for various function classes. As a result, we obtain an adaptively secure $\mathsf {IB\text {-}wHPS}$ and $\mathsf {AB\text {-}wHPS}$ for t-$\mathsf {CNF} ^*$, and selectively secure $\mathsf {AB\text {-}wHPS}$ for general circuits. This matches the function classes for which we know how to construct adaptively secure $\mathsf {ABE} $ without leakage.

Application. Our $\mathsf {AB\text {-}wHPS}$ with succinct keys immediately yields a $(\ell ,1)$-leakage resilient $\mathsf {ABE} $ with leakage rate $1-o(1)$ in the relative leakage model, followed from the framework [25]. More specifically, by using our adaptively secure $\mathsf {AB\text {-}wHPS}$ for the comparison function (i.e., $\mathsf {IB\text {-}wHPS}$) and the t-$\mathsf {CNF} ^*$ functions, we get leakage resilient and adaptively secure $\mathsf {ABE} $ for these classes with optimal leakage rates. Additionally, we can have selectively secure leakage resilient $\mathsf {ABE} $ for general circuits, with leakage rate $1-o(1)$.

Extension I. As pointed out by [25], we can further derive $(\ell ,1)$-leakage resilient $\mathsf {ABE}$ in the $\mathsf {BRM}$ from $\mathsf {AB\text {-}wHPS}$, via an amplification and a connection with locally computable extractors [40]. However, the analysis from prior compatible locally computable extractors only yields $1-O(1)$ rate for the leakage resilient encryption scheme. It was left as an interesting open question by [35] how to improve the analysis of the extractor. We solve this open question by improving the analysis of the sampler [5] required by the general construction of Vadhan [40]. With our improved analysis, we are able to achieve $1-o(1)$ leakage rate in the $\mathsf {BRM} $.

Extension II. Finally, we show how to derive $(\ell ,\omega )$-leakage resilient $\mathsf {ABE}$ with the optimal leakage rate in the block leakage setting for both relative model and $\mathsf {BRM} $, for any bounded polynomial $\omega $. Inspired by the work [21], we derive a new bootstrapping mechanism by connecting secret sharing with our $\mathsf {AB\text {-}wHPS}$. We leave it as an interesting open question how to achieve leakage resilient $\mathsf {ABE} $ even for an unbounded polynomial $\omega $.

1.3 Other Related Work

$\mathsf {AB\text {-}wHPS}$ has been studied to construct leakage resilient $\mathsf {ABE} $ schemes in [43, 44]. Particularly, in [43], the authors focus on $\mathsf {AB\text {-}wHPS}$ supporting linear secret sharing schemes as the policy function class, from the pre-quantum decisional bilinear Diffie-Hellman assumption. The work in [44] constructed an $\mathsf {AB\text {-}wHPS}$ from a post-quantum, i.e., $\mathsf {LWE}$, assumption. However, the constructions only achieve selective security for linear secret sharing schemes. And both of these related work only consider security in the relative leakage model. Compared with the prior works, our design/analysis approach is more modular, supporting broader function classes and/or stronger (adaptive) security.

2 Preliminaries

We use several standard mathematical notations, whose detailed descriptions are deferred to the full version of this paper, due to space limit.

2.1 Attribute-Based Encryption (ABE)

Definition 2.1

(ABE [37]). An attribute-based encryption ($\mathsf {ABE}$) scheme for a function class $\mathcal {F}_{\lambda }=\left\{ f:\mathcal {X} _{\lambda }\rightarrow \{0,1\} \right\} $ consists of four algorithms

$\mathsf {ABE}.\{\mathsf {Setup},\mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec}\}$ as follows.

Setup. $\mathsf {ABE.Setup}$ $(1^{\lambda })$ takes a security parameter $\lambda $ as input, and generates a pair of master public key and master secret key $(\mathsf {mpk},\mathsf {msk})$, where $\mathsf {mpk}$ contains the attribute space $\mathcal {X} _\lambda $, message space $\mathcal {M}$ and ciphertext space $\mathcal {CT} $.
Key generation. $\mathsf {ABE.KeyGen} (f,\mathsf {msk})$ takes as input a function $f\in \mathcal {F}_{\lambda }$ and the master secret key $\mathsf {msk}$, and generates a secret key $(f,\mathsf {sk} _{f})$. Without loss of generality, we think the secret key contains two parts, the function description f, and an extra $\mathsf {sk} _f$. The secret key is succinct if $|\mathsf {sk} _f| = o(|f|)$. When the context is clear, we often omit the description of f.
Encryption. $\mathsf {ABE.Enc}$ $(\mathsf {mpk},\boldsymbol{x},\mu )$ takes as input the master public key $\mathsf {mpk} $, an attribute $\boldsymbol{x}\in \mathcal {X} _\lambda $ and a message $\mu \in \mathcal {M}$, and outputs a ciphertext $\mathsf {ct} \in \mathcal {CT} $.
Decryption. $\mathsf {ABE.Dec}$ $(\mathsf {sk} _{f},\mathsf {ct})$ takes as input a secret key $\mathsf {sk} _{f}$ and a ciphertext c, and outputs $\mu \in \mathcal {M}$ if $f(\boldsymbol{x})=1$ and $\bot $ if $f(\boldsymbol{x})=0$, where $\boldsymbol{x}$ is the corresponding attribute used to generate $\mathsf {ct} $.

Correctness. We require that for all $f\in \mathcal {F}$, $\boldsymbol{x}\in \mathcal {X} _\lambda $, $\mu \in \mathcal {M}$, for correctly generated $(\mathsf {mpk},\mathsf {msk})\xleftarrow {\$}\mathsf {ABE}.\mathsf {Setup}(1^{\lambda })$, $\mathsf {sk} _f\xleftarrow {\$}\mathsf {ABE}.\mathsf {KeyGen} (\mathsf {msk},f)$ and $\mathsf {ct} \xleftarrow {\$}\mathsf {ABE}.\mathsf {Enc}(\mathsf {mpk},\boldsymbol{x},\mu )$, it holds that

if $f(\boldsymbol{x})=1$, $\Pr \left[ \mathsf {ABE}.\mathsf {Dec}(\mathsf {sk} _f,\mathsf {ct})=\mu \right] \ge 1-\mathsf {negl} (\lambda ).$
if $f(\boldsymbol{x})=0$, $\Pr \left[ \mathsf {ABE}.\mathsf {Dec}(\mathsf {sk} _f,\mathsf {ct})=\bot \right] \ge 1-\mathsf {negl} (\lambda ).$

Leakage Resilience in the Relative Leakage Model

Next, we give the formal definition of leakage-resilient key-policy $\mathsf {ABE}$.

Definition 2.2

(Leakage-Resilient ABE). A leakage-resilient $\mathsf {ABE} $ with attribute space $\mathcal {X} _\lambda $ for a class of functions $\mathcal {F}_{\lambda }=\{f:\mathcal {X} _{\lambda }\rightarrow \{0,1\} \}$ in the relative leakage model consists of four algorithms $\mathsf {ABE}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$, which are parameterized by a security parameter $\lambda $ and leakage parameters $\ell , \omega $. In particular, $(\ell ,\omega )$-leakage-resilient security can be defined by the following experiment.

We define the advantage of $\mathcal {A}$ in the above experiment^{Footnote 2} to be

$$\begin{aligned} \mathbf {Adv}_{\mathsf {ABE},\mathcal {A}}^{\mathsf{LR}}(\lambda ,\ell ,\omega )=\left| \Pr [b=b^\prime ]-1/2\right| . \end{aligned}$$

The scheme is $(\ell ,\omega )$-leakage resilient if for any $\textsc {ppt} $ adversary $\mathcal {A} $, we have

$\mathbf {Adv}_{\mathsf {ABE},\mathcal {A}}^{\mathsf{LR}}(\lambda ,\ell ,\omega )\le \mathsf {negl} (\lambda )$, and the leakage rate of this $\mathsf {ABE}$ is $\frac{\ell }{|\mathsf {sk} |}$.

Furthermore, the scheme is abbreviated as $\ell $-leakage resilient if $\omega =1$ in the above experiment.

Remark 2.3

We use the parameter $\omega $ to denote the number of different challenge keys that can be conducted leakage queries. For $\mathsf {PKE}$ and $\mathsf {IBE}$, we have $\omega =1$ as for these two settings, there is a unique challenge key corresponding to the challenge attribute. For the more general $\mathsf {ABE} $, there might be many different “1”-keys corresponding to the challenge attribute. Thus, this parameter $\omega $ would be an important specification for the leakage resilient $\mathsf {ABE}$.

Remark 2.4

In our security model, the adversary can obtain leakage on $\omega $ secret keys adaptively one after another. The secret keys would then form a block-source under the leakage.^{Footnote 3} We note that it is possible to generalize the model where the leakage function takes inputs all the $\omega $ secret keys. In this work, we focus mainly on the block-source setting, as it already captures many useful scenarios.

Leakage Resilience in the BRM.

Below, we generalize to the setting of $\mathsf {ABE}$ the definition of leakage-resilience in the $\mathsf {BRM}$ by Alwen et al. [5].

Definition 2.5

(ABE in the BRM). An $\mathsf {ABE} $ for attribute space $\mathcal {X} _{\lambda }$ and policy function class $\mathcal {F}:=\{\mathcal {X} _{\lambda }\rightarrow \{0,1\}\}$ is $(\ell ,\omega )$-leakage resilient in the $\mathsf {BRM}$ if its master public-key size, ciphertext size, encryption time and decryption time (and the number of secret-key bits used by decryption) are independent of the leakage-bound $\ell $. Besides, in the leakage resilient experiment, the adversary is allowed to conduct key leakage attacks on $\omega $ secret keys corresponding to the challenge attribute. More formally, there exist polynomials $\mathsf mpksize, ctsize, encT, decT$, such that, for any polynomial $\ell $ and any $(\mathsf {mpk},\mathsf {msk})\xleftarrow {\$}\mathsf {ABE.Setup}(1^{\lambda },1^{\ell (\lambda )})$, $\boldsymbol{x}\in \mathcal {X} _\lambda $, $\mu \in \mathcal {M}$, $\mathsf {ct} \xleftarrow {\$}\mathsf {ABE.Enc}(\mathsf {mpk},\boldsymbol{x},\mu )$, the scheme satisfies:

1.
Master public-key size is $|\mathsf {mpk} |\le O(\mathsf{mpksize(\lambda )})$, ciphertext size is $|\mathsf {ct} |\!\le \! O(\mathsf{ctsize}(\lambda ,|\mu |) )$.
2.
Run-time of $\mathsf {ABE.Enc}(\mu ,\mathsf {pk})$ is bounded by $O(\mathsf{encT}(\lambda ,|\mu |))$.
3.
Run-time of $\mathsf {ABE.Dec}(\mathsf {ct},\mathsf {sk} _f)$ and the number of bits of $\mathsf {sk} _f$ used in this decryption bounded by $O(\mathsf decT(\lambda ,|\mu |))$, where $\mathsf {sk} _f\xleftarrow {\$}\mathsf {ABE.KeyGen} (\mathsf {msk},f)$ with $f\in \mathcal {F}$ such that $f(\boldsymbol{x})=1$. Here we assume that the secret key $\mathsf {sk} _f$ is stored in a random access memory (RAM), and the decryption algorithm $\mathsf {ABE.Dec}(\mathsf {ct},\cdot )$ only needs to read partial bits of $\mathsf {sk} _f$ to decrypt.

The leakage rate of this scheme is defined as $\frac{\ell }{|\mathsf {sk} _f|}$. Furthermore, the scheme is abbreviated as $\ell $-leakage resilient if the parameter $\omega =1$ in the experiment.

Policy Function Classes. This work considers three function classes: (1) ID comparison functions, (2) t-$\mathsf {CNF} ^*$ formulas, and (3) general circuits. (1) and (3) are clear from the literature. We elaborate on (2). First we present the definition of the function class t-$\mathsf {CNF} $.

Definition 2.6

(t-CNF [38]). A t-$\mathsf {CNF} $ policy $f:\{0,1\}^{\ell }\rightarrow \{0,1\}$ is a set of classes $f=\{(T_{i},f_{i})\}_{i}$, where for all $i, T_{i}\subseteq [\ell ], |T_{i}|=t$ and $f_{i}:\{0,1\}^{t}\rightarrow \{0,1\}$. For all $x\in \{0,1\}^{\ell }$ the value of f(x) is computed as $f(x)=\bigwedge _{i}f_{i}(x_{T_i})$, where $x_{T}$ is the length-t bit-string consisting of the bits of x in the indices T. A function class $\mathcal {F}$ is t-$\mathsf {CNF} $ if it consists only of t-$\mathsf {CNF} $ policies for some fixed $\ell \in \mathbb {N}$ and a constant $t\le \ell $. If $\mathcal {F}$ is a t-$\mathsf {CNF} $ class, we say that t is the $\mathsf {CNF} $ locality of $\mathcal {F}$.

In this paper, we use the “dual” form of $t\text {-}\mathsf {CNF} $, called t-$\mathsf {CNF} ^*$. The use of the dual version is because the prior work [38] worked on the ciphertext-policy ABE for t-$\mathsf {CNF} $, and this work presents the result in the key-policy setting.

Definition 2.7

(t-CNF$^{\boldsymbol{*}}$). For any $x\in \{0,1\}^{\ell }$ (the domain of t-$\mathsf {CNF} $), let $U_{x}(\cdot )$ denote the function for which x is hardwired into $U_{x}(\cdot )$, and $U_{x}(\cdot )$ takes $f\in t$-$\mathsf {CNF} $ as input and outputs $U_{x}(f)$ such that $U_{x}(f)=f(x)$. $U_{x}(\cdot )$ is uniquely determined by x. We denote the function class $\{U_{x}(\cdot )\}$ as $t\text {-}\mathsf {CNF} ^{*}$.

2.2 Entropy and Extractors

Definition 2.8

(Min-Entropy). The min-entropy of a random variable X, denoted as $H_{\infty }(X)$ is defined as $H_\infty (x)=-\log \left( \max \limits _{x_0\in X} \Pr [x=x_0]\right) $.

Definition 2.9

(Average-Conditional Min-Entropy [15]). The average-

conditional min-entropy of a random variable X conditioned on a correlated variable Z, denoted as $H_{\infty }(X|Z)$ is defined as

$$\begin{aligned} H_{\infty }(X|Z)\!=\!-\log \left( \mathbb {E}_{z\leftarrow Z}[\max \limits _{x}\mathsf {Pr}[X=x|Z=z]]\right) \!=\!-\log \left( \mathbb {E}_{z\leftarrow Z}[2^{H_{\infty }[X|Z=z]}]\right) . \end{aligned}$$

This notion of conditional min-entropy measures the best guess for X by an adversary that may observe an average-case correlated variable Z.

Lemma 2.10

([15]). Let $X\!,\!Y\!,\!Z$ be arbitrarily correlated random variables where the support of Y has at most $2^{\ell }$ elements. Then $H_{\infty }(X|(Y,Z))\ge H_{\infty }(X|Z)-\ell $. In particular, $H_{\infty }(X|Y)\ge H_{\infty }(X)-\ell $.

We also give the definition of randomness extractors [34], which is somewhat stronger than the average-case strong extractor [15].

Definition 2.11

(Randomness Extractor). An efficient function $\mathsf {Ext}:\mathcal {X}\times \mathcal {S}\rightarrow \mathcal {Y}$ is a $(v,\varepsilon {})$-extractor if for all (correlated) random variable X, Z such that the support of X is $\mathcal {X}$ and $H_{\infty }(X|Z)\ge v$, we have $\varDelta ((Z,S,\mathsf {Ext} (X;S)),(Z,S,Y))$ $ \le \varepsilon {}$, where S (also called the seed) and Y are distributed uniformly and independently over their domains $\mathcal {S,Y}$ respectively.

Theorem 2.12

([15]). Let $\mathcal {H}=\{h_{s}:\mathcal {X}\rightarrow \mathcal {Y}\}_{s\in \mathcal {S}}$ be a universal family of hash functions meaning that for all $x=x^{\prime }\in \mathcal {X}$ we have $\mathsf {Pr}_{s\leftarrow \mathcal {S}}[h_{s}(x)=h_{s}(x^{\prime })]\le \frac{1}{|\mathcal {Y}|}$. Then $\mathsf {Ext} (x,s)\overset{def}{=}h_{s}(x)$, is a $(v,\varepsilon {})$-extractor for any parameter $v\ge \log |\mathcal {Y}|+2\log (1/\varepsilon {})$.

3 Attribute-Based Weak Hash Proof Systems

In this section, we first present a generalization of the weak hash proof system called attribute-based weak hash proof system ($\mathsf {AB\text {-}wHPS}$). This notion associates attributes and policy functions to the system following the spirit of attribute-based encryption. Next, we show how to construct $\mathsf {AB\text {-}wHPS}$ from $\mathsf {ABE} $ that achieves the property of succinct keys, which is the key to leakage resilience with the optimal rate. With a new fine-grained approach, we are able to achieve $\mathsf {AB\text {-}wHPS}$ with selective security for general circuits, adaptive security of identity comparison functions (i.e., identity-based $\mathsf {wHPS}$), and adaptive security for t-$\mathsf {CNF} ^*$ functions^{Footnote 4}, from lattices. This would imply lattice-based leakage resilient, adaptively secure $\mathsf {PKE}$, $\mathsf {IBE}$, $\mathsf {ABE} $ for t-$\mathsf {CNF} ^*$, and selectively secure $\mathsf {ABE} $ for general circuits, all with the optimal rate, matching the best known non-leakage resilient selectively/adaptively secure constructions.

3.1 Formal Definition of Attribute-Based $\mathsf {wHPS}$

We first present the formal definition of an $\mathsf {AB\text {-}wHPS}$.

Definition 3.1

(AB-wHPS). An attribute-based weak hash proof system

($\mathsf {AB\text {-}wHPS}$) for an attribute space $\mathcal {X} _\lambda =\{0,1\}^*$ and a class of functions $\mathcal {F}_{\lambda }=\{f:\mathcal {X} _{\lambda }\rightarrow \{0,1\}\}$ consists of five algorithms $\mathsf {AB\text {-}wHPS}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encap},$ $\mathsf {Encap}^*,\mathsf {Decap}\}$:

Setup. $\mathsf {AB\text {-}wHPS.Setup}$ $(1^{\lambda })$ takes a security parameter $\lambda $ as input, and generates a pair of master public key and master secret key $(\mathsf {mpk},\mathsf {msk})$. The attribute space $\mathcal {X} _\lambda $ and the encapsulated key space $\mathcal {K}$ are determined by $\mathsf {mpk} $.
Key generation. $\mathsf {AB\text {-}wHPS.KeyGen}$ $(f,\mathsf {msk})$ takes as input a function $f\in \mathcal {F}_{\lambda }$ and the master secret key $\mathsf {msk}$, and generates a secret key $(f,\mathsf {sk} _{f})$. Without loss of generality, we think the secret key contains two parts, the function description f, and an extra $\mathsf {sk} _f$. The secret key is succinct if $|\mathsf {sk} _f| = o(|f|)$. When the context is clear, we often omit the description of f.
Valid encapsulation. $\mathsf {AB\text {-}wHPS.Encap}$ $(\mathsf {mpk},\boldsymbol{x})$ takes as input the master public key $\mathsf {mpk} $ and an attribute $\boldsymbol{x}\in \mathcal {X} _\lambda $, and outputs a valid ciphertext $\mathsf {CT} $ and its corresponding encapsulated key $k\in \mathcal {K}$.
Invalid encapsulation. $\mathsf {AB\text {-}wHPS.Encap}$ $^*$ $(\mathsf {mpk},\boldsymbol{x})$ takes as input the master public key $\mathsf {mpk} $ and $\boldsymbol{x}\in \mathcal {X} _\lambda $, and outputs an invalid ciphertext $\mathsf {CT} ^*$.
Decapsulation. $\mathsf {AB\text {-}wHPS.Decap}$ $(\mathsf {sk} _{f},\mathsf {CT})$ takes as input a secret key $\mathsf {sk} _f$ and a ciphertext $\mathsf {CT} $, and deterministically outputs $k\in \mathcal {K}$ if $f(\boldsymbol{x})=1$ and $\bot $ if $f(\boldsymbol{x})=0$, where $\boldsymbol{x}$ is the corresponding attribute used to generate $\mathsf {CT} $.

Furthermore, an $\mathsf {AB\text {-}wHPS}$ needs to satisfy three properties: correctness, ciphertext indistinguishability, and universality.

Correctness. For $(\mathsf {mpk},\mathsf {msk})\xleftarrow {\$}\mathsf {AB\text {-}wHPS.Setup}(\lambda )$, any $\boldsymbol{x}\in \mathcal {X} _\lambda $ and any $f\in \mathcal {F}_{\lambda }$ such that $f(\boldsymbol{x})=1$, we have

$$\begin{aligned} \begin{aligned} \Pr \Big [k=k^\prime \Big |&\mathsf {sk} _f\xleftarrow {\$}\mathsf {AB\text {-}wHPS.KeyGen} (f,\mathsf {msk}),\\&(\mathsf {CT},k)\xleftarrow {\$}\mathsf {AB\text {-}wHPS}.\mathsf {Encap}(\mathsf {mpk},\boldsymbol{x}),k^\prime =\mathsf {AB\text {-}wHPS}.\mathsf {Decap}(\mathsf {sk} _f,c)\Big ]=1. \end{aligned} \end{aligned}$$

Ciphertext Indistinguishability. For any challenge attribute $\boldsymbol{x}^*$, valid/in-valid ciphertexts output by $\mathsf {AB\text {-}wHPS}.$ $\mathsf {Encap}(\mathsf {mpk},\boldsymbol{x}^*)$ and $\mathsf {AB\text {-}wHPS.Encap}^*(\mathsf {mpk},$ $\boldsymbol{x}^*)$ are indistinguishable, even given one secret “1-key” $\mathsf {sk} _{f}$ such that $f(\boldsymbol{x}^{*})=1$ and perhaps many “0-keys” $\mathsf {sk} _{f'}$ such that $f'(\boldsymbol{x}^{*})=0$. More formally, this indistinguishability is always described by the experiment between an adversary $\mathcal {A}$ and a challenger $\mathcal {C}$ in Table 1.

Table 1. X

Full size table

We define the advantage of $\mathcal {A}$ in the above game to be $\mathbf {Adv}_{\varPi ,\mathcal {A},\mathcal {F}_{\lambda }}^{\mathsf {AB\text {-}wHPS}}(\lambda )=\left| \Pr [\mathcal {A} ~wins]-1/2\right| .$ The indistinguishability means that $\mathbf {Adv}_{\varPi ,\mathcal {A},\mathcal {F}_{\lambda }}^{\mathsf {AB\text {-}wHPS}}(\lambda )\le \mathsf {negl} (\lambda )$.

Remark 3.2

In this definition, we require ciphertext indistinguishability to hold even given a single $\mathsf {sk} _{f}$ such that $f(\boldsymbol{x}^{*})=1$. This suffices to achieve leakage resilient $\mathsf {PKE}$, $\mathsf {IBE}$, and $(\ell ,1)$-leakage resilient $\mathsf {ABE} $ directly, and $(\ell , \omega )$-leakage resilient $\mathsf {ABE} $ for any bounded-polynomial $\omega $ via a bootstrapping procedure (ref. Sect. 6), where $\ell \approx (1-o(1)) |\mathsf {sk} _f|$.

Universality. We need one additional information theoretic property, requiring that for any adversary with public parameters, the decapsulation of an invalid ciphertext has information entropy. We define this property in as follow.

Definition 3.3

(Universal AB-wHPS). We say that an $\mathsf {AB\text {-}wHPS}$ is $(l,\bar{w})$-universal, if for any attribute $\boldsymbol{x}\in \mathcal {X} _\lambda $, $(\mathsf {mpk},\mathsf {msk})\xleftarrow {\$}\mathsf {AB\text {-}wHPS.Setup}(1^{\lambda })$, and $\mathsf {CT} ^*\xleftarrow {\$} \mathsf {AB\text {-}wHPS}.\mathsf {Encap}^{*}(\mathsf {mpk},\boldsymbol{x})$, it holds

$$H_\infty (\mathsf {AB\text {-}wHPS}.\mathsf {Decap}(\mathsf {CT} ^*,\mathsf {sk} _f)|\mathsf {mpk},\mathsf {msk},\mathsf {CT} ^*,\boldsymbol{x})\ge \bar{w},$$

where $\mathsf {sk} _f=\mathsf {AB\text {-}wHPS.KeyGen} (f,\mathsf {msk})$ with $f(\boldsymbol{x})=1$, and l is the bit-length of the decapsulated value from $\mathsf {AB\text {-}wHPS}.\mathsf {Decap}(\mathsf {CT} ^*,\mathsf {sk})$.

3.2 Fine-Grained Security Notions and General Construction of $\mathsf {AB\text {-}wHPS}$from $\mathsf {ABE}$

In this section, we present how to construct $\mathsf {AB\text {-}wHPS}$ from $\mathsf {ABE} $. To achieve adaptive security for several subclasses of policy functions, we present a more fine-grained approach as follows. We first define a notion called partially selective/adaptive security over partitioned attributes. Next we show for a specific class $\mathcal {G} $, if an $\mathsf {ABE} $ is $(\mathsf {X},\mathsf {sel})$-secure for class $\mathcal {F}\wedge _{\Vert } \mathcal {G} $ for $\mathsf {X} \in \{\mathsf {sel},\mathsf {ada} \}$, then we can construct an $\mathsf {X} $-secure $\mathsf {AB\text {-}wHPS}$ for $\mathcal {F}$. Moreover, suppose the underlying $\mathsf {ABE} $ has succinct keys, so does the $\mathsf {AB\text {-}wHPS}$. In the next section, we show instantiations of $(\mathsf {ada},\mathsf {sel})$-secure $\mathsf {ABE} $ for various function classes. Below we elaborate on the notations and the new security definition.

Definition 3.4

Let $\mathcal {F}_{1} = \{f_{1}: \mathcal {X} _{1} \rightarrow \{0,1\}\}$ and $\mathcal {F}_{2} = \{f_{2}: \mathcal {X} _{2} \rightarrow \{0,1\}\}$ be two function classes. We define the operator $\wedge _{\Vert }$ over two function classes as follow: $\mathcal {F}:= \mathcal {F}_{1} \wedge _{\Vert } \mathcal {F}_{2}$ is a function class that consists of function maps $\mathcal {X} _{1} \times \mathcal {X} _{2} \rightarrow \{0,1\}$, where each function $f _{f_{1},f_{2}}\in \mathcal {F}$ is indexed by two functions $f_{1}\in \mathcal {F}_{1}$ and $f_{2} \in \mathcal {F}_{2}$ such that on input $\boldsymbol{x} = (\boldsymbol{x}_{1}, \boldsymbol{x}_{2} ) \in \mathcal {X} _{1} \times \mathcal {X} _{2}$, $f_{f_{1},f_{2}} (\boldsymbol{x}) = f_{1}(\boldsymbol{x}_{1}) \wedge f_{2}(\boldsymbol{x}_{2})$.

Using this composed function class in Definition 3.4, we can naturally consider any combination of selective/adaptive security for $\mathsf {ABE} $ as follows.

Definition 3.5

(Partial Selective/Adaptive Security). For any $\mathsf {ABE}$ with the attribute space $\mathcal {X} _1\times \mathcal {X} _2$ for the policy function class $\mathcal {F}:= \mathcal {F}_{1} \wedge _{\Vert } \mathcal {F}_{2}$ defined as in Definition 3.4, we define partial selective/adaptive security as follows:

$\mathsf {ada}$-$\mathsf {sel}$ security: For any challenge attribute $\boldsymbol{x}^*=(\boldsymbol{x}_1^*,\boldsymbol{x}_2^*)\in \mathcal {X} _1\times \mathcal {X} _2$, $\boldsymbol{x}_1^*$ is chosen adaptively but $\boldsymbol{x}_2^*$ is chosen selectively in the corresponding indistinguishability experiment.
$\mathsf {sel}$-$\mathsf {ada}$ security: For any challenge attribute $\boldsymbol{x}^*=(\boldsymbol{x}_1^*,\boldsymbol{x}_2^*)\in \mathcal {X} _1\times \mathcal {X} _2$, $\boldsymbol{x}_1^*$ is chosen selectively and $\boldsymbol{x}_2^*$ is chosen adaptively in the corresponding indistinguishability experiment.

This notion also captures the standard selective (or adaptive) security as $\mathsf {sel}$-$\mathsf {sel}$ (or $\mathsf {ada}$-$\mathsf {ada}$) security, where both parts of the challenge attribute are chosen selectively (or adaptively).

Remark 3.6

In this work, we need a slightly weaker version of the partial selective/adaptive security from $\mathsf {ABE} $ – the adversary is only allowed to query one key (f, g) such that $f(x_1^*)=1$ and $g(x_2^*)=0$. The other keys are of the form $(f',g')$ such that $f'(x_1^*) = 0$. Therefore, throughout this work we will use this slightly weaker version by default.

Remark 3.7

In the same way, we can define the partial selective/adaptive ciphertext indistinguishability for $\mathsf {AB\text {-}wHPS}$.

Remark 3.8

This definition can be defined recursively. For example, the first part $\mathcal {F}_1$ can also consists of two parts, i.e., $\mathcal {F}_1=\mathcal {F}_{1,1} \wedge _{\Vert } \mathcal {F}_{1,2}$. In this case, we can consider $(\mathsf {X} \text {-}\mathsf {Y})\text {-}\mathsf {Z} $ security for any combination of $\mathsf {X},\mathsf {Y},\mathsf {Z} \in \{\mathsf {sel},\mathsf {ada} \}$.

To construct our desired $\mathsf {AB\text {-}wHPS}$ for $\mathcal {F}$, we need an $\mathsf {ABE} $ for $\mathcal {F}\wedge _\Vert \mathcal {G} $ for this specific $\mathcal {G} $ as we describe below.

Definition 3.9

Let $m=m(\lambda )$ and $n=n(\lambda )$ be two integer parameters, and we define a function class $\mathcal {G} =\{g:[n]\times [m]\rightarrow \{0,1\}\}$ as follows. Each function $g_{\boldsymbol{y}}\in \mathcal {G} $ is indexed by a vector $\boldsymbol{y}=(y_1,\ldots ,y_{n})^{\top }\in [m]^n$, and $g_{\boldsymbol{y}}(x_1,x_2)=1$ if and only if $x_2=y_{x_{1}}$.

Remark 3.10

The class $\mathcal {G} $ can be captured by boolean circuits with input length $\log n + \log m$, and depth within $O(\log (n+m))$, i.e., $ \bigvee _{i\in [n]} (i {\mathop {=}\limits ^{?}}x_1)\wedge (y_i {\mathop {=}\limits ^{?}} x_2)$.

Given this particular class $\mathcal {G} $ (with parameters m, n) defined in Definition 3.9 and a class $\mathcal {F}$, we show how to use $\mathsf {ABE}$ for $\mathcal {F}\wedge _{\Vert } \mathcal {G} $ to construct $\mathsf {AB\text {-}wHPS}$ for $\mathcal {F}$. For different classes $\mathcal {F}$’s, the $\mathsf {AB\text {-}wHPS}$ can be used to further derive leakage resilient $\mathsf {PKE}$, $\mathsf {IBE}$, and $\mathsf {ABE}$.

Construction 3.11

(AB-wHPS from ABE). Let $\varPi _{\mathsf {ABE}}=\mathsf {ABE}.\{\mathsf {Setup},$ $\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ be an $\mathsf {ABE}$ scheme with attribute-space $\bar{\mathcal {X}}_{\lambda }=\mathcal {X} _{\lambda }\times \mathcal {X} _{\lambda }^{\prime }=\{0,1\}^*\times \{[n]\times [m]\}$, message-space $\mathcal {M}=\mathbb {Z}_m$ and ciphertext space $\mathcal {CT} $ for the policy-function class $\mathcal {F}\wedge _{\Vert } \mathcal {G} $ for the class $\mathcal {G} $ as in Definition 3.9 with parameters m, n. Then, an $\mathsf {AB\text {-}wHPS}$ $\varPi _{\mathsf {AB\text {-}wHPS}}$ with attribute space $\mathcal {X} _\lambda =\{0,1\}^*$ and the encapsulated-key-space $\mathcal {K}=\mathbb {Z}_m^n$ for the policy-function class $\mathcal {F}=\{f:\{0,1\}^*\rightarrow \{0,1\}\}$ can be constructed as follows:

$\mathsf {AB\text {-}wHPS.Setup}$ $(1^\lambda )$: Given the security parameter $\lambda $ as input, the algorithm runs $\mathsf {ABE.Setup}$ to generate $(\mathsf {mpk} ^{\mathsf {ABE}},\mathsf {msk} ^{\mathsf {ABE}})\xleftarrow {\$} \mathsf {ABE.Setup}(1^\lambda )$, and outputs $\mathsf {mpk}:= \mathsf {mpk} ^{\mathsf {ABE}}$ and $\mathsf {msk}:=\mathsf {msk} ^{\mathsf {ABE}}$.
$\mathsf {AB\text {-}wHPS.KeyGen} (\mathsf {msk},f)$: Given a master secret-key $\mathsf {msk}:=\mathsf {msk} ^{\mathsf {ABE}}$ and a function $f\in \mathcal {F}$ as input, the algorithm first chooses a random vector $\boldsymbol{y}\xleftarrow {\$} [m]^n$, and sets $\hat{f} := {\hat{f}}_{f,g_{\boldsymbol{y}}} \in \mathcal {F}\wedge _{\Vert } \mathcal {G} $. Then the algorithm runs $\mathsf {ABE.KeyGen} $ to generate $\mathsf {sk} _{{\hat{f}} }^{\mathsf {ABE}}\xleftarrow {\$} \mathsf {ABE.KeyGen} (\mathsf {msk} ^{\mathsf {ABE}},{\hat{f}} )$, and outputs $\mathsf {sk} _{f} :=(\hat{f},\mathsf {sk} _{{\hat{f}} }^{\mathsf {ABE}})$ as the secret key for f. Note that the description of $\hat{f}$ can be expressed as $(f, \boldsymbol{y})$
$\mathsf {AB\text {-}wHPS.Encap}$ $(\mathsf {mpk},\boldsymbol{x})$: Given a master public-key $\mathsf {mpk}$ and an attribute $\boldsymbol{x}\in \{0,1\}^*$ as input, the algorithm first samples a random vector $\boldsymbol{k}=(k_1,\ldots ,k_{n})^{\top }\in \mathbb {Z}_m^n$, and then runs $\mathsf {ABE.Enc}$ mn times with attributes $\boldsymbol{x}_{i,j}=(\boldsymbol{x},i,j)\in \{0,1\}^*\times [n]\times [m]$ to set
$$ \small {\mathsf {CT}}:=\{\mathsf {ct} _{i,j}\xleftarrow {\$} \mathsf {ABE.Enc}(\mathsf {mpk},\boldsymbol{x}_{i,j},k_i)\}_{(i,j)\in [n]\times [m]}\in \mathcal {CT} ^{n\times m}, \text{ i.e., } $$

$$\begin{aligned} {\mathsf {CT}}:=\begin{bmatrix} \mathsf {ABE.Enc}(\boldsymbol{x}_{1,1},k_1)&{}\ldots &{}\mathsf {ABE.Enc}(\boldsymbol{x}_{1,j},k_1)&{}\ldots &{}\mathsf {ABE.Enc}(\boldsymbol{x}_{1,m},k_1)\\ \vdots &{}\ddots &{}\vdots &{}\ddots &{}\vdots \\ \mathsf {ABE.Enc}(\boldsymbol{x}_{n,1},k_n)&{}\ldots &{}\mathsf {ABE.Enc}(\boldsymbol{x}_{n,j},k_n)&{}\ldots &{}\mathsf {ABE.Enc}(\boldsymbol{x}_{n,m},k_n)\\ \end{bmatrix}. \end{aligned}$$
Finally, the algorithm outputs $({\mathsf {CT}},\boldsymbol{k})$.
$\mathsf {AB\text {-}wHPS.Encap}$ $^{*}(\mathsf {mpk}, \boldsymbol{x})$: Given a master public-key $\mathsf {mpk}$ and an attribute $\boldsymbol{x}\in \{0,1\}^*$ as input, the algorithm first samples a random vector $\boldsymbol{k}=(k_1,\ldots ,k_{n})^{\top }\in \mathbb {Z}_m^n$, and then runs $\mathsf {ABE.Enc}$ mn times with attributes $\boldsymbol{x}_{i,j}=(\boldsymbol{x},i,j)$ to set
$$ \small {\mathsf {CT}}^{*}:=\{\mathsf {ct} _{i,j}^{*}\xleftarrow {\$} \mathsf {ABE.Enc}(\mathsf {mpk},\boldsymbol{x}_{i,j},k_i+j)\}_{(i,j)\in [n]\times [m]}\in \mathcal {CT} ^{n\times m}, \text{ i.e., } $$

$$\begin{aligned} {\mathsf {CT}}^*:\!=\!\begin{bmatrix} \mathsf {ABE.Enc}(\boldsymbol{x}_{1,1},k_1\!+\!1)&{}\!\ldots \!&{}\mathsf {ABE.Enc}(\boldsymbol{x}_{1,j},k_1\!+\!j)&{}\!\ldots \!&{}\mathsf {ABE.Enc}(\boldsymbol{x}_{1,m},k_1\!+\!m)\\ \vdots &{}\!\ddots \!&{}\vdots &{}\!\ddots \!&{}\vdots \\ \mathsf {ABE.Enc}(\boldsymbol{x}_{n,1},k_n\!+\!1)&{}\!\ldots \!&{}\mathsf {ABE.Enc}(\boldsymbol{x}_{n,j},k_n\!+\!j)&{}\!\ldots \!&{}\mathsf {ABE.Enc}(\boldsymbol{x}_{n,m},k_n\!+\!m)\\ \end{bmatrix}\!,\! \end{aligned}$$
where the addition $k_i+j$ is performed over $\mathbb {Z}_m$. The algorithm outputs ${\mathsf {CT}}^{*}$.
$\mathsf {AB\text {-}wHPS.Decap}$ $(\mathsf {sk} _{f},{\mathsf {CT}})$: Given a secret key $\mathsf {sk} _{f}:=(\boldsymbol{y},\mathsf {sk} _{\hat{f}}^{\mathsf {ABE}})$ and ${\mathsf {CT}}:=$ $\{\mathsf {ct} _{i,j} \}_{(i,j)\in [n]\times [m]}$ as input, the algorithm runs $\mathsf {ABE.Dec}$ to compute $k_i=\mathsf {ABE.Dec}(\mathsf {sk} ^{\mathsf {ABE}}_{\hat{f}}, \mathsf {ct} _{i,y_i})$ for all $i\in [n]$, and then outputs ${\boldsymbol{k}}=(k_1,\ldots ,k_{n})^{\top }$, if $\hat{f}(\boldsymbol{x},i,y_i) = f(\boldsymbol{x}) \wedge g_{\boldsymbol{y}} (i, y_{i}) = 1$ for all $i\in [n]$, and $\bot $ otherwise.

Intuitively, our attribute design (the class $\mathcal {G} $) allows the secret key to open one ciphertext per row while keeps the others secret. For the valid encapsulation, all ciphertexts in a row encrypts the same element, while for the invalid encapsulation, they encrypt different elements. As the secret key can only open one per row, an adversary cannot distinguish a valid from an invalid encapsulation, even given the secret key.

Our $\mathsf {AB\text {-}wHPS}$ secret key would be of length $|\hat{f}_{f,g_{\boldsymbol{y}}}|+s({\hat{f}}_{f,g_{\boldsymbol{y}}})=|\boldsymbol{y}| + |f| +s({\hat{f}}_{f,g_{\boldsymbol{y}}})=n\log m+|f|+s({\hat{f}}_{f,g_{\boldsymbol{y}}})$, where $s(\cdot )$ is the key-size function (of the extra part, excluding the function description) of the underlying $\mathsf {ABE} $. If the underlying $\mathsf {ABE} $ has succinct keys, i.e., $s(f) = o(|f|)$, then our $\mathsf {AB\text {-}wHPS}$ secret would have size $n\log m + |f| +s({\hat{f}}_{f,g_{\boldsymbol{y}}}) = n\log m + |f| + o(n\log m + |f|)$. By setting sufficiently large n, m, we can achieve $\mathsf {ABE} $ with the optimal leakage rate, ref. Sect. 4.

Next we present the following theorem. Due to space limit, we defer the full proof to the full version, due to space limit.

Theorem 3.12

(AB-wHPS from ABE). Suppose $\varPi _{\mathsf {ABE}}\!$ is a secure $\mathsf {ABE} \!$ scheme with attribute space $\bar{\mathcal {X}}_{\lambda }=\mathcal {X} _{\lambda }\times \mathcal {X} _{\lambda }^\prime =\{0,1\}^*\times \{[n]\times [m]\}$ for the function class $\mathcal {F}\wedge _{\Vert } \mathcal {G} $, where $\mathcal {G} $ is the class as in Definition 3.9 with parameters m, n, then the construction $\varPi _{\mathsf {AB\text {-}wHPS}}$ described above is an $(n\log m,n\log m)$-universal $\mathsf {AB\text {-}wHPS}$ with the attribute space $\mathcal {X} _\lambda $ and the encapsulated-key-space $\mathcal {K}=\mathbb {Z}_m^n$, for the function class $\mathcal {F}$. Furthermore,

if the $\mathsf {ABE}$ is $\mathsf {X} \text {-}\mathsf {sel} $ secure for $\mathsf {X} \in \{\mathsf {sel},\mathsf {ada} \}$, then the $\mathsf {AB\text {-}wHPS}$ is $\mathsf {X} $ secure;
if the key-size (of the extra part, excluding the function description) of the $\mathsf {ABE}$ scheme for policy function f is s(f), then the key size of the $\mathsf {AB\text {-}wHPS}$ for f is $n\log m+ |f|+s({\hat{f}}_{f,g_{\boldsymbol{y}}} ) $, where $s(\cdot )$ is the key-size function (of the extra part, excluding the function description) of the underlying $\mathsf {ABE} $.

3.3 Instantiations of $\mathsf {AB\text {-}wHPS}$from Lattices

Now we show how to instantiate the required underlying $\mathsf {ABE} $. By combining the work [7] with [2] or [38], we get $\mathsf {ABE} $ for the following three classes.

Theorem 3.13

Assuming $\mathsf {LWE}$, then there exist:

1.
$\mathsf {ada} $-$\mathsf {sel} $-secure $\mathsf {ABE}$ for $\mathcal {I} \wedge _\Vert \mathcal {G} $, where $\mathcal {I} $ is the comparison function ($\mathsf {IBE}$).
2.
$\mathsf {ada} $-$\mathsf {sel} $-secure $\mathsf {ABE}$ for $t\text {-}\mathsf {CNF} ^* \wedge _\Vert \mathcal {G} $, where t-$\mathsf {CNF} ^*$ is the dual of the t conjunctive normal form formula. (Ref. Sect. 2.1.)
3.
$\mathsf {sel} $-$\mathsf {sel} $ secure $\mathsf {ABE}$ for $\mathcal {F}\wedge _\Vert \mathcal {G} $, where $\mathcal {F}$ is the general boolean circuits.

In all three cases, the size of the secret keys (excluding the function description) depends only on the depth of the circuit but not the size.

We present the constructions in full version for completeness. As a direct corollary of this theorem, we obtain the following $\mathsf {AB\text {-}wHPS}$ from lattices.

Corollary 3.14

Assuming $\mathsf {LWE}$, there exists $\mathsf {AB\text {-}wHPS}$ that is

1.
adaptively secure for the comparison functions;
2.
adaptively secure for t-$\mathsf {CNF} ^*$ functions.
3.
selectively secure for general circuits.

Moreover, the secret key size (excluding the function description) of the $\mathsf {AB\text {-}wHPS}$ only depends on the depth of the function, but not the size.

4 Optimal-Rate Leakage-Resilient Encryption Schemes in the Relative Leakage Model

Prior work (e.g., Naor and Segev [33], Alwen et al. [5], and Hazay et al. [25]) showed how to construct leakage resilient $\mathsf {PKE}$/$\mathsf {IBE}$ from $\mathsf {wHPS}$/$\mathsf {IB\text {-}wHPS}$ in the relative model. The construction can be generalized to construct leakage resilient $\mathsf {ABE} $ from $\mathsf {AB\text {-}wHPS}$ in the same spirit. To further achieve the optimal leakage rate, we observe that all we need is an $\mathsf {AB\text {-}wHPS}$ with succinct keys (which do not depend on the function size). This is what we construct in Sect. 3.2, i.e., Construction 3.11, Theorem 3.12, $\mathsf {AB\text {-}wHPS}$ and the underlying $\mathsf {ABE} $ instantiations in Corollary 3.14.

Construction 4.1

Let $\varPi =$ $\mathsf {AB\text {-}wHPS}$ $.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encap},\mathsf {Encap}^*,\mathsf {Decap}\}$

be a $(\log |\mathcal {K}|,\log |\mathcal {K}|)$-universal $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-space $\mathcal {K}$ and attribute space $\mathcal {X} =\{0,1\}^{*}$ for a class of policy functions $\mathcal {F}=\{f:\{0,1\}^{*}\rightarrow \{0,1\}\}$. Let $\mathsf {Ext}:\mathcal {K}\times \mathcal {S}\rightarrow \mathcal {M}$ be a $(\log |\mathcal {K}|-\ell ,\varepsilon {})$-extractor, where three sets $\mathcal {K},\mathcal {S},\mathcal {M}$ are efficient ensembles, $\ell =\ell (\lambda )$ is some parameter and $\varepsilon {}=\varepsilon {}(\lambda )=\mathsf {negl} (\lambda )$ is negligible. Furthermore, assume that $\mathcal {M}$ is an additive group. Then, a leakage-resilient $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ with message space $\mathcal {M}$ and policy function class $\mathcal {F}$ can be constructed as follows:

$\varPi _{\mathcal {F}}.\mathsf {Setup}(1^\lambda )$: The algorithm runs $(\mathsf {mpk} ^{\varPi }, \mathsf {msk} ^{\varPi }) \xleftarrow {\$} \varPi .\mathsf {Setup}(1^{\lambda })$, and outputs $\mathsf {mpk}:= \mathsf {mpk} ^{\varPi } $, and $\mathsf {msk}:= \mathsf {msk} ^{\varPi }$.
$\varPi _{\mathcal {F}}.\mathsf {KeyGen}(\mathsf {msk},f)$: Given a master secret-key $\mathsf {msk} $ and a function $f\in \mathcal {F}$ as input, the algorithm runs $\mathsf {AB\text {-}wHPS.KeyGen}$ to generate and output $(f,\mathsf {sk} _f^\varPi )$, where $\mathsf {sk} _{f}:=\mathsf {sk} ^{\varPi }_{f}\xleftarrow {\$} \mathsf {AB\text {-}wHPS.KeyGen} (\mathsf {msk},f)$.
$\varPi _{\mathcal {F}}.\mathsf {Enc}(\mathsf {mpk},\boldsymbol{x},\mu )$: Given a master public-key $\mathsf {mpk} $, an attribute $\boldsymbol{x}\in \mathcal {X} =\{0,1\}^{*}$, and a message $\mu \in \mathcal {M}$ as input, the algorithm runs $\mathsf {AB\text {-}wHPS.Encap}$ to generate $({\mathsf {CT}}^\prime ,k)\leftarrow $ $\mathsf {AB\text {-}wHPS.Encap}$ $(\mathsf {mpk},\boldsymbol{x})$, and then samples $s\xleftarrow {\$}\mathcal {S}$. Furthermore, the algorithm computes and outputs
$${\mathsf {ct}}=(s,{\mathsf {ct}}_0,{\mathsf {ct}}_1)=(s,{\mathsf {CT}}^\prime ,\mu +\mathsf {Ext} (k,s)).$$
$\varPi _{\mathcal {F}}.\mathsf {Dec}(\mathsf {sk} _{f},{\mathsf {ct}})$: Given a ciphertext ${\mathsf {ct}}=(s,{\mathsf {ct}}_0,{\mathsf {ct}}_1)$ and a secret key $\mathsf {sk} _f$ as input, the algorithm runs $\mathsf {AB\text {-}wHPS.Decap}$ to generate $k=\mathsf {AB\text {-}wHPS.Decap}(\mathsf {sk} _f,{\mathsf {ct}}_0)$, and then output $\mu ={\mathsf {ct}}_1-\mathsf {Ext} (k,s).$

Our construction achieves a leakage resilient $\mathsf {ABE}$, and can be re-calibrated into a leakage resilient $\mathsf {PKE}$/$\mathsf {IBE}$. We summarize the results in the following theorem, and defer the full proof to the full version, due to space limit.

Theorem 4.2

Assume $\varPi $ is a selectively (or adaptively, resp.) secure $(\log |\mathcal {K}|,$

$\log |\mathcal {K}|)$-universal $\mathsf {AB\text {-}wHPS}$ for the policy function class $\mathcal {F}$, and $\mathsf {Ext}:\mathcal {K}\times \mathcal {S}\rightarrow \mathcal {M}$ be a $(\log |\mathcal {K}|-\ell ,\mathsf {negl} (\lambda ) )$-extractor. Then the above $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ for $\mathcal {F}$ is a selectively (or adaptively, resp.) $\ell (\lambda )$-leakage resilient attribute-based encryption scheme for the policy function class $\mathcal {F}$ in the relative-leakage model. Particularly, $\varPi _{\mathcal {F}}$ is aslo

an $\ell (\lambda )$-leakage-resilient $\mathsf {PKE}$ in the relative-leakage model, if $\mathcal {F}$ contains only a single function that always outputs 1.
an $\ell (\lambda )$-leakage-resilient $\mathsf {IBE}$ in the relative-leakage model, if $\mathcal {F}$ contains the following comparison functions, i.e., each function $f_{\boldsymbol{y}}\in \mathcal {F}$ is indexed by a vector $\boldsymbol{y}$, and $f_{\boldsymbol{y}}(\boldsymbol{x})=1$ if and only if $\boldsymbol{y}=\boldsymbol{x}$.

Combining Theorem 3.12 and Theorem 4.2, we obtain the following results. Assume there exists a $\mathsf {sel}$-$\mathsf {sel}$ (or $\mathsf {ada}$-$\mathsf {sel}$) secure $\mathsf {ABE}$ scheme with the message space $\mathbb {Z}_{m}$ for the function class $\mathcal {F}\wedge _{\Vert } \mathcal {G} $, where $\mathcal {G} $ is the class as in Definition 3.9 with parameters m, n, and the key-length (of the extra part, excluding the function description of f) of this underlying $\mathsf {ABE}$ scheme for policy function f is s(f). Then the allowed leakage length of the above leakage resilient $\mathsf {ABE} $ (or $\mathsf {IBE}$ or $\mathsf {PKE}$) scheme $\varPi _{\mathcal {F}}$ for the function class $\mathcal {F}$ is $\ell =(n\log m-2\lambda )$ and the key-length of $\varPi _{\mathcal {F}}$ for f is $|\mathsf {sk} _f|=n\log m +|f|+ s({\hat{f}}_{f,g_{\boldsymbol{y}}} )$.

Furthermore, if the secret key size $s({\hat{f}}_{f,g_{\boldsymbol{y}}} )$ is succinct, i.e., $s({\hat{f}}_{f,g_{\boldsymbol{y}}} ) = o(| {\hat{f}}_{f,g_{\boldsymbol{y}}} |) = o(n\log m + |f|)$, then we can set sufficiently large n, m such that $n\log m = \omega (|f|)$. Consequently, the leakage rate of this scheme $\varPi _\mathcal {F}$ is $\frac{n\log m-2\lambda }{n\log m +|f|+ s({\hat{f}}_{f,g_{\boldsymbol{y}}} ) }=\frac{1-\frac{2\lambda }{n\log m}}{1 + \frac{s({\hat{f}}_{f,g_{\boldsymbol{y}}} )+|f| }{n\log m}}\approx 1-o(1)$, achieving the desired optimal leakage rate.

Finally, by combining Corollary 3.14 and Theorem 4.2, we obtain the following Corollary.

Corollary 4.3

Assuming $\mathsf {LWE}$, for all polynomial $S = \mathsf {poly}(\lambda )$, there exist $1-o(1)$ leakage resilient $\mathsf {ABE} $ schemes in the relative leakage model, which are

1.
adaptively secure for the comparison functions;
2.
adaptively secure for t-$\mathsf {CNF} ^*$ functions of size up to S;
3.
selectively secure for general circuits of size up to S.

Remark 4.4

We note that our ABE schemes are leakage resilient even if the policy function goes beyond the size bound S. The leakage rate would still be $1-o(1)$ for a slightly restricted class that leaks $ n\log m - 2\lambda $ on the part $\boldsymbol{y}$, the whole description of f, and the extra part of $\mathsf {sk} ^\varPi _f$ (excluding the function description) of the underlying $\mathsf {AB\text {-}wHPS}$. This is more restrictive than functions that leak $n\log m - 2\lambda + |f| $ from the whole secret key.

5 Extension I: Optimal-Rate Leakage-Resilient Encryption Schemes in the BRM

In this section, we present how to use $\mathsf {AB\text {-}wHPS}$ to construct optimal-rate leakage resilient $\mathsf {ABE}$ in the $\mathsf {BRM}$. We follow the structure of [5, 25] by first amplifying the hash proof system and then combining it with a locally computable extractor [40]. In particular, we first amplify $\mathsf {AB\text {-}wHPS}$ through parallel repetition and random sampling in Sect. 5.1. Then, in Sect. 5.2, we generalize the notion of locally computable extractor by Vadhan [40] into one with larger alphabets, and show that a refined analysis of this tool can be used to derive $1-o(1)$ leakage rate in the $\mathsf {BRM}$, improving the prior analysis [5, 35] that can only achieve a constant leakage rate. Finally in Sect. 5.3, we present the overall construction of our leakage resilient $\mathsf {ABE} $ in the $\mathsf {BRM}$ with the optimal leakage rate.

5.1 Amplification of AB-wHPS

Definition 5.1

Let $n^\prime $ be a positive integer, and $\mathcal {H} =\{h:[n^\prime ]\rightarrow \{0,1\}\}$ be a function class where each function $h_y\in \mathcal {H} $ is indexed by a value $y\in [n^\prime ]$, and $h_y(x)=1$ if and only if $x=y$.

Construction 52

(Construction of Amplified AB-wHPS.). Let $\varPi =\mathsf {AB\text {-}wHPS}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encap},\mathsf {Encap}^*,\mathsf {Decap}\}$ be an $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-space $\mathcal {K}$ and attribute space $\mathcal {X} =\{0,1\}^*\times [n^\prime ]$ for a class of functions $\mathcal {F}\wedge _{\Vert } \mathcal {H} $, and let $t\le n^\prime $ be a positive integer. Then a new $\mathsf {AB\text {-}wHPS}$ $\varPi ^{n',t}_{\Vert }$ with attribute space $\{0,1\}^*$ and the encapsulated-key-space $\mathcal {K}^{t}$ for the function class $\mathcal {F}$ can be constructed.

$\varPi ^{n',t}_{\Vert }.\mathsf {Setup}(1^\lambda )$: The algorithm runs $(\mathsf {mpk} ^{\varPi }, \mathsf {msk} ^{\varPi }) \xleftarrow {\$} \varPi .\mathsf {Setup}(1^{\lambda })$, and outputs $\mathsf {mpk}:= \mathsf {mpk} ^{\varPi } $, and $\mathsf {msk}:= \mathsf {msk} ^{\varPi }$.
$\varPi ^{n',t}_{\Vert }.\mathsf {KeyGen} (\mathsf {msk},f)$: Given a function $f\in \mathcal {F}$, the algorithm first sets $\hat{f}^{i} = \hat{f}^{i}_{f,h_{i}} \in \mathcal {F}\wedge _{\Vert } \mathcal {H} $ for every $i\in [n']$, and runs $\mathsf {AB\text {-}wHPS.KeyGen} $ $n'$ times to generate $\mathsf {sk} _{\hat{f}^{i} }\xleftarrow {\$} \varPi .\mathsf {KeyGen} (\mathsf {msk} ^{\varPi }, \hat{f}^{i})$ for $i \in [n^\prime ]$. The algorithm outputs
$$ \mathsf {sk} _{f}:=\left( \mathsf {sk} _{\hat{f}^{1}}, \ \mathsf {sk} _{\hat{f}^{2}}, \dots , \ \mathsf {sk} _{\hat{f}^{n'} } \right) .$$
$\varPi ^{n',t}_{\Vert }.\mathsf {Encap}(\mathsf {mpk},\boldsymbol{x})$: Given $\mathsf {mpk}$ and an attribute $\boldsymbol{x}\in \{0,1\}^*$ as input, the algorithm chooses a random subset $\boldsymbol{r} := \{r_1,\ldots ,r_t\}\subseteq [n^\prime ]$ and computes
$$ (\mathsf {CT} _i,k_i)\xleftarrow {\$}\varPi .\mathsf {Encap}(\mathsf {mpk},(\boldsymbol{x},r_i)) \text{ for } \text{ all } i \in [t]. $$
The algorithm finally outputs ${\mathsf {CT}}:=(\boldsymbol{r}, \mathsf {CT} _1,\ldots ,\mathsf {CT} _t)$ and $\boldsymbol{k}=(k_1,\ldots ,k_t)^{\top }$.
$\varPi ^{n',t}_{\Vert }.\mathsf {Encap}^{*}(\mathsf {mpk},\boldsymbol{x})$: Given $\mathsf {mpk}$ and an attribute $\boldsymbol{x}\in \{0,1\}^*$ as input, the algorithm chooses a random subset $ \boldsymbol{r} := \{r_1,\ldots ,r_t\}\subseteq [n^\prime ]$ and computes
$$ \mathsf {CT} _i \xleftarrow {\$}\varPi .\mathsf {Encap}^{*}(\mathsf {mpk},(\boldsymbol{x},r_i)) \text{ for } \text{ all } i \in [t]. $$
Finally, the algorithm outputs ${\mathsf {CT}}:=(\boldsymbol{r}, \mathsf {CT} _1,\ldots ,\mathsf {CT} _t)$.
$\varPi ^{n',t}_{\Vert }.\mathsf {Decap}(\mathsf {sk} _{f},{\mathsf {CT}})$: Given a ciphertext ${\mathsf {CT}}:=(\boldsymbol{r}, \mathsf {CT} _1,\ldots ,\mathsf {CT} _t)$ and a secret key $\mathsf {sk} _{f}:=\left( \mathsf {sk} _{\hat{f}^{1}}, \ \mathsf {sk} _{\hat{f}^{2}}, \dots , \ \mathsf {sk} _{\hat{f}^{n'} } \right) $, the algorithm runs $\varPi .\mathsf {Decap}$ to generate $k_i=\varPi .\mathsf {Decap}(\mathsf {sk} _{\hat{f}^{r_{i}}}, \mathsf {CT} _{i})$ for $i\in [t]$, and outputs $\boldsymbol{k}=(k_1,\ldots ,k_t)^{\top }$ if $\hat{f}^{r_{i}} (\boldsymbol{x}, r_{i}) =1$ for all $i\in [t]$. Otherwise, the algorithm outputs $\bot $.

Next, we present the following amplification theorem, which is essential an extension of the work [5]. Due to space limit, we defer the full proof to the full version of this paper.

Theorem 5.3

Assume $\varPi $ is an (l, w)-universal $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-space $\mathcal {K}$ for $\mathcal {F}\wedge _{\Vert } \mathcal {H} $. Then the above amplified construction of $\varPi ^{n',t}_{\Vert }$ is an $(t\cdot l,t\cdot w)$-universal $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-set $\mathcal {K}^t$ for $\mathcal {F}$. Furthermore,

if the underlying $\varPi $ is selectively (or adaptively) secure, then the $\varPi ^{n',t}_{\Vert }$ is also selectively (or adaptively) secure;
if the secret-key-size of $\varPi $ scheme for the policy function f is $(|f|+s(f)), $^{Footnote 5} then the secret-key size of the $\varPi ^{n',t}_{\Vert }$ for f is $n' \times (|f|+\log n^\prime +s(\hat{f}_{f,h}))$.

Combining Theorem 3.12 and Theorem 5.3, we obtain the following corollary.

Corollary 5.4

Assume there exists an $\mathsf {ABE}$ scheme with the message space $\mathbb {Z}_{m}$ for the function class $\mathcal {F}\wedge _{\Vert } \mathcal {H} \wedge _{\Vert } \mathcal {G} $, where $\mathcal {G} $ with parameters m, n and $\mathcal {H} $ with parameter $n'$ are as Definitions 3.9 and 5.1, then there exists an amplified $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-space $\mathbb {Z}_{m}^t$ for the function class $\mathcal {F}$.

5.2 Locally Computable Extractor

Definition 5.5

(Locally Computable Extractor, Definition 6 in [40]).

An extractor $\mathsf {Ext}:\{0,1\}^n\times \{0,1\}^d\rightarrow \{0,1\}^v$ is said to be t-locally computable if for every $r\in \{0,1\}^d$, $\mathsf {Ext} (\boldsymbol{x},r)$ depends only on t-bits of $\boldsymbol{x}\in \{0,1\}^n$.

For our application (constructing leakage-resilient encryption in the $\mathsf {BRM}$), we need a generalized variant of the above notion. Let $\boldsymbol{x}\in \{0,1\}^{nk}$ be a vector. We can view it as a concatenation of n vectors $\boldsymbol{x}_i\in \{0,1\}^k$ for $i\in [n]$, i.e., $\boldsymbol{x}=(\boldsymbol{x}_1^{\top },\ldots ,\boldsymbol{x}_n^{\top })^{\top }$. In this case, each $\boldsymbol{x}_i\in \{0,1\}^k$ can be viewed as a symbol of some larger alphabet, i.e., $\varGamma = \{0,1\}^k$, and we will need a locally computable extractor for $\varGamma $ as follow.

Definition 5.6

(Locally Computable Extractor for Larger Alphabets). Let $\varGamma = \{0,1\}^k$ be some alphabet. An extractor $\mathsf {Ext}:\varGamma ^{n}\times \{0,1\}^d\rightarrow \{0,1\}^v$ is t-locally computable with respect to $\varGamma $ if for every $\boldsymbol{r}\in \{0,1\}^d$, $\mathsf {Ext} (\boldsymbol{x},\boldsymbol{r})$ depends only on t symbols of $\boldsymbol{x} = (\boldsymbol{x}_{1}^{\top },\dots , \boldsymbol{x}_{n}^{\top })^{\top }\in \varGamma ^{n}$.

Generally, a locally computable extractor can be obtained in two steps [40]: (1) the extractor uses part of the seed to select t bits (or symbols) of $\boldsymbol{x}$, and (2) the remaining seed is used to apply a standard extractor on the selected bits/symbols in the previous step. Vadhan [40] showed that as long as the selection in step (1) achieves an average sampler, then the combined steps would achieve a locally computable extractor. We summarize the result of Vadhan [40] below. We first recall the notion of an average sampler.

Definition 5.7

(Average Sampler, Definition 8 in [40]). A function

$\mathrm {Samp}: \{0,1\}^r\rightarrow [n]^t$ is a $(\mu ,\theta ,\gamma )$ average sampler if for every function $f:[n]\rightarrow [0,1]$ with average value $\frac{1}{n}\sum _if(i)\ge \mu $,

Next, we present a theorem by Vadhan in [40] that describes detailed requirements for a locally computable extractor.

Theorem 5.8

(Theorem 10 in [40]). Suppose that $\mathrm {Samp}: \{0,1\}^r\rightarrow [n]^t$ is a $(\mu ,\theta ,\gamma )$ average sampler with distinct samples for $\mu =(\delta -2\tau )/\log (1/\tau )$ and $\theta =\tau /\log (1/\tau )$, and $\mathsf {Ext}:\{0,1\}^{t}\times \{0,1\}^d\rightarrow \{0,1\}^v$ is a strong $((\delta -3\tau )t,\varepsilon )$ extractor. Define $\mathsf {Ext} ^\prime :\{0,1\}^{n}\times \{0,1\}^{r+d}\rightarrow \{0,1\}^v$ by

$$\mathsf {Ext} ^\prime (\boldsymbol{x},(\boldsymbol{y}_1,\boldsymbol{y}_2))=\mathsf {Ext} (\boldsymbol{x}_{\mathrm {Samp}(\boldsymbol{y}_1)},\boldsymbol{y}_2).$$

Then $\mathsf {Ext} ^\prime $ is a t-local strong $(\delta n,\varepsilon +\gamma +2^{-\varOmega (\tau n)})$ extractor.

As we mentioned above, our application needs a locally computable extractor for larger alphabets, which may not be implied directly from Theorem 5.8. To tackle this issue, we define the following sampling procedure Sampler 1 that outputs t distinct symbols of samples, and then prove that Sampler 1 is in fact a good average sampler as needed in Theorem 5.8. This would imply a locally computable extractor for larger alphabets as required in our application.

Notations for the Sampling. Before describing the algorithm, we set up some notations as follows. Let $\varGamma = \{0,1\}^k$ and $\boldsymbol{x} = (\boldsymbol{x}_{1}^{\top } ,\dots , \boldsymbol{x}_{n}^{\top } )^{\top }\in \varGamma ^{n}$ be a vector of n symbols, where $\boldsymbol{x}_{i} = (x_{i1},x_{i2},\dots , x_{ik})^{\top }\in \varGamma =\{0,1\}^k$ for $i\in [n]$. Let S denote a subset of $[n]\times [k]$, i.e. S contains tuples $(i,j) \in [n]\times [k]$ as its elements. In this case, we define ${\boldsymbol{x}}_{S} = \{x_{ij}\}_{(i,j)\in S}$. Then, we define Sampler 1 as below.

Sampler 1: Sample a random subset R of [n] that contains t distinct elements, i.e., $R= \{r_1,\ldots ,r_t\}$, and output $S:= \{(r_{i}, j)\}_{i\in [t], j\in [k]}$. Then we derive the following lemma.

Lemma 5.9

For any $\lambda \in \mathbb {Z}$, $\mu , \theta \in (0,1]$ and $\gamma =2\lambda \exp (-t\theta ^2/4)+\left( \frac{t(t-1)}{2n}\right) ^{\lambda }$, Sampler 1 is a $(\mu ,\theta , \gamma )$ averaging sampler.

Proof

According to the natural bijection between [nk] and $[n]\times [k]$, to prove that Sampler 1 is a good average sampler as Definition 5.7, it suffices to show that for any $f:[n]\times [k] \rightarrow [0,1]$ such that $\frac{1}{nk}\sum _{i\in [n],j\in [k]} f(i,j) \ge \mu $, the following inequality holds:

(1)

It might be hard to prove inequality (1) directly, since all blocks output by Sampler 1 are distinct. To handle this issue, we then define the following Sampler 2 through using “sample with replacement” and rejection sampling. It is not hard to show that these two procedures are statistically close. Furthermore, by using use a Chernoff bound argument, we show that Sampler 2 is a good average sampler as required in Theorem 5.8. Thus, we conclude that Sampler 1 with any strong extractor yields a locally computable extractor for larger alphabets.

Sampler 2:

1.
Sample $R= \{r_1,\ldots ,r_t\}$ from $[n]^t$ uniformly at random.
- If all elements are distinct, then output $S:= \{(r_{i}, j)\}_{i\in [t], j\in [k]}$ and terminate.
2.
Otherwise, i.e., there is a repeated element, discard the whole sample and redo Step 1.

Note: the algorithm will only redo Step 1 up to $\lambda $ times. If the algorithm does not produce an output by then, then output $\bot $.

Next we analyze Sampler 1 and Sampler 2 by the following two claims. Due to space limit, we defer the full proof to the full version of this paper.

Claim 5.10

For a set X consisting of $n=n(\lambda )$ different blocks and the parameters $t=t(\lambda )$ such that $t(t-1)<n$, the output distributions of Sample 1 and Sample 2 are statistically close.

Claim 5.11

For any $\mu , t, \theta ,n$, Sampler 2 is a $(\mu , \theta , \gamma )$ average sampler conditioned on non-$\bot $ output, where $\gamma = 2\lambda \exp (-t\theta ^2/4)$.

The proof of the lemma follows by the above Claims 5.10 and 5.11. $\square $

Furthermore, by applying the Sample 1 to Theorem 5.8 with the following parameters setting, we derive the following theorem.

Parameter Setting. Taking $\lambda $ as the security parameter, we set all the parameters in the following way: $k=\mathsf {poly}(\lambda ), n=\mathsf {poly}(\lambda ), t=\lambda \log ^3(n k), \delta =\frac{1}{\log (n k)},$ $\tau =\frac{1}{6\log (n k)}, \mu =\frac{2}{3\log (n k)\log (6\log (n k))}, \ \theta =\frac{1}{6\log (n k) \log (6\log (n k))},$ $\gamma =2\lambda \exp (-t\theta ^2/4)+\left( \frac{t(t-1)}{2n}\right) ^{\lambda }, \ \varepsilon {}=\mathsf {negl} (\lambda ).$

Theorem 5.12

Let $\varGamma = \{0,1\}^k$, $\mathrm {Samp} : \{0,1\}^r \rightarrow [n]^t$ be the Sampler 1 (as a $(\mu ,\theta ,\gamma )$ average sampler), and let $\mathsf {Ext}:\varGamma ^{t}\times \{0,1\}^d\rightarrow \{0,1\}^v$ be a strong $((\delta -3\tau )tk,\varepsilon )$ extractor. Define $\mathsf {Ext} ^\prime :\varGamma ^{n}\times \{0,1\}^{r+d}\rightarrow \{0,1\}^v$ as

$$\mathsf {Ext} ^\prime (\boldsymbol{x},(\boldsymbol{y}_1,\boldsymbol{y}_2))=\mathsf {Ext} (\boldsymbol{x}_{\mathrm {Samp}(\boldsymbol{y}_1)},\boldsymbol{y}_2).$$

Then $\mathsf {Ext} ^\prime $ is a t-block-local strong $(\delta nk,\varepsilon +\gamma +2^{-\varOmega (\tau n)})$ extractor, where $\varepsilon +\gamma +2^{-\varOmega (\tau n)} = \mathsf {negl} (\lambda )$ according to the setting of parameters.

5.3 Leakage-Resilient Encryption in the Bounded-Retrieval Model

In this section, we construct leakage-resilient encryption schemes in the BRM, through combining an random extractor with an amplified $\mathsf {AB\text {-}wHPS}$ presented in Sect. 5.1. Below, we give the specific construction of leakage resilient $\mathsf {ABE}$ scheme in the BRM from an amplified $\mathsf {AB\text {-}wHPS}$.

Construction 513

(Construction in the) BRM). Let $\varPi =\mathsf {AB\text {-}wHPS}.$

$\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Encap},\mathsf {Encap}^*,\mathsf {Decap}\}$ be an amplified $\mathsf {AB\text {-}wHPS}$ with integer parameters $n^\prime ,t$, the encapsulated-key-space $\mathcal {K}^t$ and attribute space $\mathcal {X} =\{0,1\}^{*}$ for a class of policy functions $\mathcal {F}=\{f:\{0,1\}^{*}\rightarrow \{0,1\}\}$. Let $\mathsf {Ext}:\mathcal {K}^t\times \mathcal {S}\rightarrow \mathcal {M}$ be a strong extractor, where three sets $\mathcal {K},\mathcal {S},\mathcal {M}$ are efficient ensembles, k denotes the size of $\mathcal {K}$. Furthermore, assume that $\mathcal {M}$ is an additive group. Then, an $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ with message space $\mathcal {M}$ and policy function class $\mathcal {F}$ can be constructed as follows:

$\varPi _{\mathcal {F}}.\mathsf {Setup}(1^\lambda )$: The algorithm runs $(\mathsf {mpk} ^{\varPi }, \mathsf {msk} ^{\varPi }) \xleftarrow {\$} \varPi .\mathsf {Setup}(1^{\lambda })$, and outputs $\mathsf {mpk}:= \mathsf {mpk} ^{\varPi } $, and $\mathsf {msk}:= \mathsf {msk} ^{\varPi }$.
$\varPi _{\mathcal {F}}.\mathsf {KeyGen}(\mathsf {msk},f)$: $\varPi _{\mathcal {F}}.\mathsf {KeyGen}(\mathsf {msk},f)$: Given a master secret-key $\mathsf {msk} $ and a function $f\!\in \!\mathcal {F}$ as input, the algorithm runs $\mathsf {sk} ^{\varPi }_{f}\xleftarrow {\$}\mathsf {AB\text {-}wHPS.KeyGen} (\mathsf {msk},f)$ and output $\mathsf {sk} _{f}:=\mathsf {sk} ^{\varPi }_{f}$.
$\varPi _{\mathcal {F}}.\mathsf {Enc}(\mathsf {mpk},\boldsymbol{x},\mu )$: Given a master public-key $\mathsf {mpk} $, an attribute $\boldsymbol{x}\in \{0,1\}^{*}$ and a message $\mu \in \mathcal {M}$ as input, the algorithm runs $\mathsf {AB\text {-}wHPS.Encap}$ to generate $({\mathsf {CT}}^\prime ,\boldsymbol{k})\leftarrow $ $\mathsf {AB\text {-}wHPS.Encap}$ $(\mathsf {mpk},\boldsymbol{x})$ with $\boldsymbol{k}\in \mathcal {K}^t$, and then samples $s\xleftarrow {\$}\mathcal {S}$. Furthermore, the algorithm computes and outputs
$${\mathsf {ct}}=(s,{\mathsf {ct}}_0,{\mathsf {ct}}_1)=(s,{\mathsf {CT}}^\prime ,\mu +\mathsf {Ext} (\boldsymbol{k},s)).$$
$\varPi _{\mathcal {F}}.\mathsf {Dec}(\mathsf {sk} _{f},{\mathsf {ct}})$: Given a ciphertext ${\mathsf {ct}}=(s,{\mathsf {ct}}_0,{\mathsf {ct}}_1)$ and a secret key $\mathsf {sk} _f$ as input, the algorithm runs $\mathsf {AB\text {-}wHPS.Decap}$ to generate $\boldsymbol{k}=\mathsf {AB\text {-}wHPS}.$ $\mathsf {Decap}(\mathsf {sk} _f,{\mathsf {ct}}_0)$ with $\boldsymbol{k}\in \mathcal {K}^t$, and then output $\mu ={\mathsf {ct}}_1-\mathsf {Ext} (\boldsymbol{k},s).$

Parameter Setting. For security parameter $\lambda $, we set the system parameters as follows: $k=\mathsf {poly}(\lambda ), n^\prime =\mathsf {poly}(\lambda ), t=\lambda \log ^3(n^\prime k),$ $\delta =\frac{1}{\log (n^\prime k)}, \tau =\frac{1}{6\log (n^\prime k)}, \varepsilon {}=\mathsf {negl} (\lambda ).$ Moreover, for the proof of leakage-resilience in the $\mathsf {BRM}$, we let $\mathsf {Ext}:\mathcal {K}^t\times \mathcal {S}\rightarrow \mathcal {M}$ be a $((\delta -3\tau )tk,\varepsilon )$-extractor.

Next, we prove that the construction is a leakage resilient $\mathsf {ABE}$ in the $\mathsf {BRM}$. Our proof uses a technique of locally computable extractors [40], i.e., Theorem 5.12, in a black-box way. Due to the space limit, we defer the detailed proof to the full version of this paper.

Theorem 5.14

Assume $\varPi $ is a selectively (or adaptively, resp.) secure amplified $\mathsf {AB\text {-}wHPS}$ with integer parameters $n^\prime ,t=\lambda \log ^3(n^\prime k)$ for the policy function class $\mathcal {F}$, and $\mathsf {Ext}:\mathcal {K}^t\times \mathcal {S}\rightarrow \mathcal {M}$ be a strong extractor. Then the above $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ for $\mathcal {F}$ is a selectively (or adaptively, resp.) $\ell $-leakage-resilient attribute-based encryption scheme with message space $\mathcal {M}$ in the $\mathsf {BRM}$ where $\ell =kn^\prime -\frac{kn^\prime }{\log (kn^\prime )}$.

Particularly, $\varPi _{\mathcal {F}}$ is also

an $\ell $-leakage-resilient public-key encryption scheme in the $\mathsf {BRM} $ with $\ell =kn^\prime -\frac{kn^\prime }{\log (kn^\prime )}$, if $\mathcal {F}$ contains only a single function that always outputs 1.
a selectively (or adaptively, resp.) $\ell $-leakage-resilient identity-based encryption scheme in the $\mathsf {BRM} $ with $\ell =kn^\prime -\frac{kn^\prime }{\log (kn^\prime )}$, if $\mathcal {F}$ contains the following comparison functions, i.e., each function $f_{\boldsymbol{y}}\in \mathcal {F}$ is indexed by a vector $\boldsymbol{y}$, and $f_{\boldsymbol{y}}(\boldsymbol{x})=1$ if and only if $\boldsymbol{y}=\boldsymbol{x}$.

Moreover,

1.
Public-key (resp. master public-key) size of $\varPi _{\mathcal {F}}$ is the same as that of $\varPi $, which is not dependent on leakage parameter $\ell $.
2.
The locality-parameter is $t=\lambda \log ^3(n^\prime k)$. Thus, the size of secret-key accessed during decryption depends on t, but not $\ell $.
3.
The ciphertext-size/encryption-time/decryption-time of $\varPi _{\mathcal {F}}$ depends on t, but not $\ell $.

Combining Corollary 5.4 and Theorem 5.14, we obtain the following results. Assume there exists an $\mathsf {ABE}$ scheme with the message space $\mathbb {Z}_{m}$ for the function class $\mathcal {F}\wedge _{\Vert } \mathcal {H} \wedge _{\Vert } \mathcal {G} $, where $\mathcal {G} $ with parameters m, n and $\mathcal {H} $ with parameter $n'$ are as defined in Definitions 3.9 and 5.1, and the key-length (of the extra part, excluding the function description of f) of this underlying $\mathsf {ABE}$ scheme for policy function f is s(f). Then the largest allowed leakage length of the above $\mathsf {ABE} $ (or $\mathsf {IBE}$ or $\mathsf {PKE}$) scheme $\varPi _{\mathcal {F}}$ for the function class $\mathcal {F}$ is $\ell =(kn^\prime -\frac{kn^\prime }{\log (kn^\prime )})$ with $k=n\log m$ and the key-length of $\varPi _{\mathcal {F}}$ for f is $|\mathsf {sk} _f|=n^\prime (n\log m+\log n^\prime +|f|+s(\hat{f}_{f, h, g_{\boldsymbol{y}}}))$.

Furthermore, if the secret key size $s(\hat{f}_{f, h, g_{\boldsymbol{y}}}))$is succinct, i.e., $s(\hat{f}_{f, h, g_{\boldsymbol{y}}})=o(|\hat{f}_{f, h, g_{\boldsymbol{y}}}|)=o(n\log m+\log n^\prime +|f|)$, then we can set sufficiently large $n,m,n^\prime $ such that $(\log n^\prime +|f|)=o(n\log m)$. Consequently, the leakage rate of this scheme $\varPi _\mathcal {F}$ is$\frac{kn^\prime -\frac{kn^\prime }{\log (kn^\prime )}}{n^\prime (n\log m+\log n^\prime +|f|+s(\hat{f}_{f, h, g_{\boldsymbol{y}}}))}= \frac{1-\frac{1}{\log (nn^\prime \log m)}}{1+\frac{\log n^\prime + |f|+s(\hat{f}_{f, h, g_{\boldsymbol{y}}})}{n\log m}}\approx 1-o(1)$, achieving the desired optimal leakage rate.

Finally, by combining Corollary 3.14 and Theorem 5.14, we obtain the following Corollary.

Corollary 5.15

Assuming $\mathsf {LWE}$, for all polynomial $S = \mathsf {poly}(\lambda )$, there exist $1-o(1)$ leakage resilient $\mathsf {ABE} $ schemes in the $\mathsf {BRM}$, which are

1.
adaptively secure for the comparison functions;
2.
adaptively secure for t-$\mathsf {CNF} ^*$ functions of size up to S;
3.
selectively secure for general circuits of size up to S.

For unbounded polynomial S, our schemes are still leakage resilient with the optimal rate for a smaller function class. See Remark 4.4 for the discussion.

6 Extension II: Leakage on Multiple Keys

Our prior $\mathsf {ABE}$ constructions from $\mathsf {AB\text {-}wHPS}$ only achieve leakage resilience in the one-key setting where the adversary can only leak on one of the all possible decrypting keys with respect to the challenge attribute. In this section, we show how to achieve leakage resilience in the multiple-key setting where the attacker can obtain leakage on $\omega $ possible decrypting keys for any bounded polynomial $\omega $. Our construction leverages the normal $\mathsf {AB\text {-}wHPS}$ (where the ciphertext indistinguishability holds when the adversary gets one decrypting key) and a threshold secret sharing scheme, following the bootstrapping idea of the work [21].

Construction 61

(Extended Leakage Resilient ABE). Let $\varPi =\varPi .\{\mathsf {Setup},$

$\mathsf {KeyGen},\mathsf {Encap},\mathsf {Encap}^*,\mathsf {Decap}\}$ be a $(\log |\mathcal {K}|,\log |\mathcal {K}|)$-universal $\mathsf {AB\text {-}wHPS}$ with the encapsulated-key-space $\mathcal {K}$ and attribute space $\mathcal {X} =\{0,1\}^{*}$ for a class of policy functions $\mathcal {F}=\{f:\{0,1\}^{*}\rightarrow \{0,1\}\}$. Let $\mathsf {Ext}:\mathcal {K}\times \mathcal {S}\rightarrow \mathcal {M}$ be a $(\log |\mathcal {K}|-\ell ,\varepsilon {})$-extractor, where $\mathcal {K},\mathcal {S},\mathcal {M}$ are efficient ensembles, $\ell =\ell (\lambda )$ is some parameter and $\varepsilon {}=\varepsilon {}(\lambda )=\mathsf {negl} (\lambda )$ is negligible. In addition, let $(\mathsf {Share},\mathsf {Rec})$ be a $(\hat{t}+1)$-out-of-n threshold secret sharing scheme with respect to secret domain $\mathcal {M}$, an additive group.

Then, a leakage-resilient $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ with message space $\mathcal {M}$ for policy function class $\mathcal {F}$ can be constructed as follows:

$\varPi _{\mathcal {F}}.\mathsf {Setup}(1^\lambda , n)$: The algorithm runs $(\mathsf {mpk} _i^{\varPi },\mathsf {msk} _i^{\varPi })\xleftarrow {\$}\varPi .\mathsf {Setup}(1^\lambda )$ for every $i\in [n]$, and outputs $\mathsf {mpk}:= \{\mathsf {mpk} _i^{\varPi }\}_{i\in [n]} $ and $\mathsf {msk}:= \{\mathsf {msk} _i^{\varPi }\}_{i\in [n]}$.
$\varPi _{\mathcal {F}}.\mathsf {KeyGen}(\mathsf {msk},f)$: Given a master secret-key $\mathsf {msk}:= \{\mathsf {msk} _i^{\varPi }\}_{i\in [n]}$ and a function $f\in \mathcal {F}$ as input, the algorithm first chooses a random subset of cardinality $\hat{t}+1$, i.e., $\varGamma =\{r_1,\ldots ,r_{\hat{t}+1}\}\subseteq [n]$, and then runs $\mathsf {sk} _f^{(r_i)}\xleftarrow {\$}\varPi .\mathsf {KeyGen}(\mathsf {msk} _{r_i}^\varPi ,f)$ for $i\in [\hat{t}+1]$. Finally, the algorithm outputs
$$\mathsf {sk} _f:=(\varGamma ,\mathsf {sk} _f^{(r_1)},\ldots ,\mathsf {sk} _f^{(r_{\hat{t}+1})}).$$
$\varPi _{\mathcal {F}}.\mathsf {Enc}(\mathsf {mpk},\boldsymbol{x},\mu )$: Given a master public-key $\mathsf {mpk}:= \{\mathsf {mpk} _i^{\varPi }\}_{i\in [n]}$, an attribute $\boldsymbol{x}\in \mathcal {X} =\{0,1\}^{*}$ and a message $\mu \in \mathcal {M}$ as input, the algorithm first runs $(\mu _1,\ldots ,\mu _n)\xleftarrow {\$}\mathsf {Share} (\mu )$. Furthermore, the algorithm runs $\varPi .\mathsf {Encap}$ to generate $({\mathsf {CT}}_i,k_i)\xleftarrow {\$}\varPi .\mathsf {Encap}(\mathsf {mpk} \mathsf {mpk} _i,\boldsymbol{x})$ for every $i\in [n]$. Next, the algorithm samples $s_1,\ldots ,s_n\xleftarrow {\$}\mathcal {S}$, and outputs
$$\begin{aligned} \begin{aligned} {\mathsf {ct}}&=(s_1,\ldots ,s_n,{\mathsf {ct} _1},\ldots ,{\mathsf {ct} _n}, {\mathsf {ct} _{n+1}},\ldots ,{\mathsf {ct} _{2n}})\\&=(s_1,\ldots ,s_n,{\mathsf {CT} _1},\ldots ,\mathsf {CT} _n,\mu _1+\mathsf {Ext} (k_1,s_1), \ldots ,\mu _n+\mathsf {Ext} (k_n,s_n)). \end{aligned} \end{aligned}$$
$\varPi _{\mathcal {F}}.\mathsf {Dec}(\mathsf {sk} _{f},{\mathsf {ct}})$: Given a ciphertext ${\mathsf {ct}}=(\{s_i\}_{i\in [n]},\{\mathsf {ct} _i\}_{i\in [2n]})$ and a secret key $\mathsf {sk} _f=(\varGamma ,\{\mathsf {sk} _f^{(r_i)}\}_{i\in [\hat{t}+1]})$ as input, the algorithm first runs $\varPi .\mathsf {Decap}$ to generate $k_{r_i}=\varPi .\mathsf {Decap}(\mathsf {sk} _f^{(r_i)},{\mathsf {ct}}_{r_i})$ and $\mu _{r_i}=\mathsf {ct} _{n+r_i}-\mathsf {Ext} (k_{r_i},s_{r_i})$ for every $i\in [\hat{t}+1]$. Then, the algorithm outputs $\mu =\mathsf {Rec} (\mu _{r_1},\ldots ,\mu _{r_{\hat{t}+1}})$.

Parameter Setting. For security parameter $\lambda $, given any $\omega =\mathsf {poly}(\lambda )$, we set $\hat{t}=\Theta (\omega ^2\lambda )$ and $n=\Theta (\omega ^2\hat{t})$. For details, we refer readers to the full version of this paper.

Our construction achieves a leakage resilient $\mathsf {ABE}$ in the multiple key setting. We summarize the results in the following theorem, and defer the full proof to the full version, due to space limit.

Theorem 6.2

Assume $\varPi $ is a selectively (or adaptively, resp.) secure $(\log |\mathcal {K}|,$

$\log |\mathcal {K}|)$-universal $\mathsf {AB\text {-}wHPS}$ for the policy function class $\mathcal {F}$, and $\mathsf {Ext}:\mathcal {K}\times \mathcal {S}\rightarrow \mathcal {M}$ be a $(\log |\mathcal {K}|-\ell ,\mathsf {negl} (\lambda ) )$-extractor. Then the above $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}=\varPi _{\mathcal {F}}.\{\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec}\}$ for $\mathcal {F}$ is a selectively (or adaptively, resp.) $(\ell (\lambda ),\omega (\lambda ))$-leakage resilient attribute-based encryption scheme for $\mathcal {F}$ in the relative-leakage model, for any fixed bounded polynomial $\omega (\lambda ) = \mathsf {poly}(\lambda )$.

The corresponding leakage rate is $\frac{\ell (\lambda )}{(\hat{t}+1)(|\mathsf {sk} _f|+\log n)}$. Furthermore, when the underlying secret keys $(\mathsf {sk} _f^{(r_1)},\ldots ,\mathsf {sk} _f^{(r_{\hat{t}+1})})$ form a block source under each leakage function, the corresponding leakage rate is $\frac{\ell (\lambda )}{(|\mathsf {sk} _f|+\log n)}$.

Combining Theorem 3.12 and Theorem 6.2, we obtain the following results. Assume there exists an $\mathsf {sel}$-$\mathsf {ada}$/$\mathsf {sel}$-$\mathsf {sel}$ (or $\mathsf {ada}$-$\mathsf {ada}$/$\mathsf {ada}$-$\mathsf {sel}$) secure $\mathsf {ABE}$ scheme with the message space $\mathbb {Z}_{\bar{m}}$ for the function class $\mathcal {F}\wedge _{\Vert } \mathcal {G} $, where $\mathcal {G} $ is the class as in Definition 3.9 with parameters $\bar{m},\bar{n}$, and the key-length (of the extra part, excluding the function description of f) of this underlying $\mathsf {ABE}$ scheme for policy function f is s(f). Then the allowed leakage length of the above leakage resilient $\mathsf {ABE} $ scheme $\varPi _{\mathcal {F}}$ with parameters $n,\hat{t},\omega $ as in the above paragraph setting for the function class $\mathcal {F}$ is $\ell =(\bar{n}\log {\bar{m}}-2\lambda )$ and the key-length of $\varPi _{\mathcal {F}}$ for f is $|\mathsf {sk} _f|=(\hat{t}+1)(\log n+\bar{n}\log {\bar{m}}+|f| + s({\hat{f}}_{f,g_{\boldsymbol{y}}} ))$.

Furthermore, if the secret key size $s({\hat{f}}_{f,g_{\boldsymbol{y}}} )$ is succinct, i.e., $s({\hat{f}}_{f,g_{\boldsymbol{y}}} )=o(\bar{n}\log {\bar{m}}+|f|)$, then we can set sufficiently large $n,\bar{m},\bar{n}$ such that $(\log n+|f|)=o(\bar{n}\log \bar{m})$. Consequently, when the underlying secret keys form a block source under each leakage function, the corresponding leakage rate of this scheme $\varPi _\mathcal {F}$ is

$\frac{\bar{n}\log {\bar{m}}-2\lambda }{\log n +\bar{n}\log {\bar{m}} + |f|+ s({\hat{f}}_{f,g_{\boldsymbol{y}}} ) }=\frac{1-\frac{2\lambda }{\bar{n}\log \bar{m}}}{1 + \frac{\log n+|f|+s({\hat{f}}_{f,g_{\boldsymbol{y}}} ) }{\bar{n}\log \bar{m}}}\approx 1-o(1)$, achieving the desired optimal leakage rate.

Finally, by combining Corollary 3.14 and Theorem 6.2, we obtain the following Corollary.

Corollary 6.3

Assuming $\mathsf {LWE}$, for any $S = \mathsf {poly}(\lambda )$ and $\omega = \mathsf {poly}(\lambda )$, there exist $(\ell ,\omega )$-leakage resilient $\mathsf {ABE} $’s in the relative leakage model, which are

1.
adaptively secure for t-$\mathsf {CNF} ^*$ functions of size up to S;
2.
selectively secure for general circuits of size up to S.

Moreover, when the underlying secret keys form a block source under the each leakage function, the corresponding leakage rate is $1-o(1)$.

Furthermore, we can also achieve similar results in the $\mathsf {BRM}$. By combining Corollary 3.14, Theorem 5.3 and Theorem 6.2, we obtain the following corollary.

Corollary 6.4

Assuming $\mathsf {LWE}$, for any polynomial $S = \mathsf {poly}(\lambda )$ and $\omega = \mathsf {poly}(\lambda )$, there exist $(\ell ,\omega )$-leakage resilient $\mathsf {ABE} $ schemes in the $\mathsf {BRM}$, which are

1.
adaptively secure for t-$\mathsf {CNF} ^*$ functions of size up to S;
2.
selectively secure for general circuits of size up to S.

Moreover, when the underlying secret keys form a block source under the each leakage function, the corresponding leakage rate is $1-o(1)$.

Notes

1.
This is the dual class of t-$\mathsf {CNF} $ where the function is an assignment x and attribute is a description of t-$\mathsf {CNF} $. We use the dual class as we are working on Key-policy ABE while the prior work [38] worked on Ciphertext-policy ABE.
2.
Notice that in the above experiment $\mathbf {Exp}_{\mathsf {ABE},\mathcal {A}}^{\mathsf{LR}}(\lambda ,\ell ,\omega )$, we allow the adversary to interleave key queries in Test Stage 1 and leakage queries in $\omega $-Leakage queries Stage, in an arbitrary way.
3.
For the case that $\mathsf {sk}:=S= (S_1,\dots , S_m)$ is an $m \times e$ block source as in [39], we define leakage functions $f_i:\{0,1\}^*\rightarrow \{0,1\}^{\ell }$ independently for each block $S_i$ with all $i\in [m]$. We say $(f_1,\ldots ,f_m)$ are block leakage functions, if the min-entropy of $S_i$ is still large enough even given leakage $(f_1(S_1),\ldots ,f_{i-1}(S_{i-1}))$ for any $i\in [m]$. Clearly, when $m=1$, this is the trivial case in Definition 2.2. Here, we call $\frac{m\ell }{|\mathsf {sk} |}$ the block leakage rate of the corresponding scheme.
4.
We use a “dual” variant of the $\mathsf {CNF} $ functions as we discussed in the introduction. The formal definition is presented in Sect. 2.1.
5.
Recall that the function s(f) denotes the size of the extra part of the secret key, excluding the description of the function.

References

Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side—channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_4
Chapter Google Scholar
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert [19], pp. 553–572
Google Scholar
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2
Chapter Google Scholar
Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_28
Chapter MATH Google Scholar
Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert [19], pp. 113–134
Google Scholar
Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi [24], pp. 36–54
Google Scholar
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_1
Chapter Google Scholar
Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In: FOCS 2010 [18], pp. 501–510
Google Scholar
Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 535–564. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_20
Chapter Google Scholar
Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20
Chapter Google Scholar
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Chapter Google Scholar
Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio [32], pp. 361–381
Google Scholar
Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: FOCS 2010 [18], pp. 511–520
Google Scholar
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.D.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Article MathSciNet Google Scholar
Dziembowski, S.: On forward-secure storage. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 251–270. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_15
Chapter Google Scholar
Faust, S., Mukherjee, P., Nielsen, J.B., Venturi, D.: Continuous non-malleable codes. In: Lindell [30], pp. 465–488
Google Scholar
51st FOCS. IEEE Computer Society Press, October 2010
Google Scholar
Gilbert, H. (ed.): EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5
Book MATH Google Scholar
Gong, J., Chen, J., Dong, X., Cao, Z., Tang, S.: Extended nested dual system groups, revisited. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 133–163. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_6
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini and Canetti [36], pp. 162–179
Google Scholar
Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: efficient ABE for branching programs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 550–574. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_23
Chapter Google Scholar
Haldermany, J.A.: Lest we remember: cold boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2008)
Article Google Scholar
Halevi, S. (ed.): CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009)
MATH Google Scholar
Hazay, C., López-Alt, A., Wee, H., Wichs, D.: Leakage-resilient cryptography from minimal assumptions. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 160–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_10
Chapter Google Scholar
Kiayias, A., Liu, F.-H., Tselekounis, Y.: Practical non-malleable codes from l-more extractable hash functions. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16, pp. 1317–1328. ACM Press, Oct. (2016)
Chapter Google Scholar
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_9
Chapter Google Scholar
Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_6
Chapter Google Scholar
Lewko, A.B., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio [32], pp. 455–479
Google Scholar
Lindell, Y. (ed.): TCC 2014. LNCS, vol. 8349. Springer, Heidelberg (2014)
MATH Google Scholar
Liu, F.-H., Lysyanskaya, A.: Tamper and leakage resilience in the split-state model. In: Safavi-Naini and Canetti [36], pp. 517–532
Google Scholar
Micciancio, D. (ed.): TCC 2010. LNCS, vol. 5978. Springer, Heidelberg (2010)
MATH Google Scholar
Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi [24], pp. 18–35
Google Scholar
Nisan, N., Zuckerman, D.: Randomness is Linear in Space. Academic Press Inc. (1996)
Google Scholar
Nishimaki, R., Yamakawa, T.: Leakage-resilient identity-based encryption in bounded retrieval model with nearly optimal leakage-ratio. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 466–495. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_16
Chapter Google Scholar
Safavi-Naini, R., Canetti, R. (eds.): CRYPTO 2012. LNCS, vol. 7417. Springer, Heidelberg (2012)
MATH Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Tsabary, R.: Fully secure attribute-based encryption for t-CNF from LWE, pp. 62–85
Google Scholar
Vadhan, S.P.: Pseudorandomness. Found. Trends Theor. Comput. Sci. 7(1–3), 1–336 (2012)
Google Scholar
Vadhan, S.P.: On constructing locally computable extractors and cryptosystems in the bounded storage model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 61–77. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_4
Chapter Google Scholar
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi [24], pp. 619–636
Google Scholar
Wee, H.: Dual system encryption via predicate encodings. In: Lindell [30], pp. 616–637
Google Scholar
Zhang, L., Zhang, J., Mu, Y.: Novel leakage-resilient attribute-based encryption from hash proof system. Comput. J. 60(4), 541–554 (2016)
Google Scholar
Zhang, M., Zhang, Y., Su, Y., Huang, Q., Mu, Y.: Attribute-based hash proof system under learning-with-errors assumption in obfuscator-free and leakage-resilient environments. IEEE Syst. J. 11(2), 1018–1026 (2017)
Article Google Scholar

Download references

Acknowledgements

We would like to thank the reviewers of PKC 2022 for their insightful advices. Qiqi Lai is supported by the National Natural Science Foundation of China (62172266, 61802241, U2001205), the National Cryptography Development Foundation during the 13th Five-year Plan Period (MMJJ20180217), and the Fundamental Research Funds for the Central Universities (GK202103093).

Feng-Hao Liu and Zhedong Wang are supported by the NSF Career Award CNS-1942400.

Author information

Authors and Affiliations

School of Computer Science, Shaanxi Normal University, Xi’an, China
Qiqi Lai
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China
Qiqi Lai
Florida Atlantic University, Boca Raton, FL, USA
Feng-Hao Liu
School of Cyber Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
Zhedong Wang

Authors

Qiqi Lai
View author publications
You can also search for this author in PubMed Google Scholar
Feng-Hao Liu
View author publications
You can also search for this author in PubMed Google Scholar
Zhedong Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhedong Wang .

Editor information

Editors and Affiliations

National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan
Goichiro Hanaoka
Yokohama National University, Yokohama, Japan
Junji Shikata
The University of Electro-Communications, Tokyo, Japan
Yohei Watanabe

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Lai, Q., Liu, FH., Wang, Z. (2022). Leakage-Resilient $\mathsf {IBE}$/$\mathsf {ABE}$ with Optimal Leakage Rates from Lattices. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science(), vol 13178. Springer, Cham. https://doi.org/10.1007/978-3-030-97131-1_8

Download citation

DOI: https://doi.org/10.1007/978-3-030-97131-1_8
Published: 27 February 2022
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97130-4
Online ISBN: 978-3-030-97131-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Leakage-Resilient \(\mathsf {IBE}\)/\(\mathsf {ABE}\) with Optimal Leakage Rates from Lattices

Abstract

Similar content being viewed by others

Private Circuits: A Modular Approach

Optimally Secure Tweakable Blockciphers

Adaptively Secure Laconic Function Evaluation for $$\mathsf {NC}^1$$

1 Introduction

1.1 Our Contributions

1.2 Overview of Our Techniques

1.3 Other Related Work

2 Preliminaries

2.1 Attribute-Based Encryption (ABE)

Definition 2.1

Definition 2.2

Remark 2.3

Remark 2.4

Definition 2.5

Definition 2.6

Definition 2.7

2.2 Entropy and Extractors

Definition 2.8

Definition 2.9

Lemma 2.10

Definition 2.11

Theorem 2.12

3 Attribute-Based Weak Hash Proof Systems

3.1 Formal Definition of Attribute-Based \(\mathsf {wHPS}\)

Definition 3.1

Remark 3.2

Definition 3.3

3.2 Fine-Grained Security Notions and General Construction of \(\mathsf {AB\text {-}wHPS}\)from \(\mathsf {ABE}\)

Definition 3.4

Definition 3.5

Remark 3.6

Remark 3.7

Remark 3.8

Definition 3.9

Remark 3.10

Construction 3.11

Theorem 3.12

3.3 Instantiations of \(\mathsf {AB\text {-}wHPS}\)from Lattices

Theorem 3.13

Corollary 3.14

4 Optimal-Rate Leakage-Resilient Encryption Schemes in the Relative Leakage Model

Construction 4.1

Theorem 4.2

Corollary 4.3

Remark 4.4

5 Extension I: Optimal-Rate Leakage-Resilient Encryption Schemes in the BRM

5.1 Amplification of AB-wHPS

Definition 5.1

Construction 52

Theorem 5.3

Corollary 5.4

5.2 Locally Computable Extractor

Definition 5.5

Definition 5.6

Definition 5.7

Theorem 5.8

Lemma 5.9

Proof

Claim 5.10

Claim 5.11

Theorem 5.12

5.3 Leakage-Resilient Encryption in the Bounded-Retrieval Model

Construction 513

Theorem 5.14

Corollary 5.15

6 Extension II: Leakage on Multiple Keys

Construction 61

Theorem 6.2

Corollary 6.3

Corollary 6.4

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information