Leakage-Resilient Identity-Based Encryption in Bounded Retrieval Model with Nearly Optimal Leakage-Ratio

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11442)

Abstract

We propose new constructions of leakage-resilient public-key encryption (PKE) and identity-based encryption (IBE) schemes in the bounded retrieval model (BRM). In the BRM, adversaries are allowed to obtain at most \(\ell \)-bit leakage from a secret key, and we can increase \(\ell \) only by increasing the size of secret keys without losing efficiency in any other performance measure. We call \(\ell /|\mathsf {sk}|\) the leakage-ratio, where \(|\mathsf {sk}|\) denotes the bit-length of a secret key. Several PKE/IBE schemes in the BRM are known. However, none of these constructions achieve a constant leakage-ratio under a standard assumption in the standard model. Our PKE/IBE schemes are the first schemes in the BRM that achieve leakage-ratio \(1-\epsilon \) for any constant \(\epsilon >0\) under standard assumptions in the standard model.

As in previous works, we use identity-based hash proof systems (IB-HPS) to construct IBE schemes in the BRM. It is known that a parameter of IB-HPS called the universality-ratio translates into the leakage-ratio of the resulting IBE scheme in the BRM. We construct an IB-HPS with universality-ratio \(1-\epsilon \) for any constant \(\epsilon >0\) based on any inner-product predicate encryption (IPE) scheme with compact secret keys. Such IPE schemes exist under the d-linear, subgroup decision, learning with errors, or computational bilinear Diffie-Hellman assumptions. As a result, we obtain IBE schemes in the BRM with leakage-ratio \(1-\epsilon \) under any of these assumptions. Our PKE schemes are immediately obtained from our IBE schemes.


Notes

  1. They can be proven secure in the standard model if one assumes non-standard interactive versions of these assumptions.

  2. In [HLWW16], IB-HPS is called identity-based weak hash proof system (IB-wHPS) for compatibility with their notion of weak hash proof system. We stress that IB-HPS in [ADN+09] and IB-wHPS in [HLWW16] denote exactly the same primitive.

  3. Here, it is crucial that an adversary obtains at most one secret key for each identity in the security model of IB-HPS.

  4. Here we assumed that \(\mathsf {KeyGen}_{\mathsf {IBE}}\) is deterministic so that \(\mathsf {sk}'_{\mathsf {id}}\) is determined by \(\mathsf {id}\). This can be assumed without loss of generality since we can derandomize \(\mathsf {KeyGen}_{\mathsf {IBE}}\) by using a pseudorandom function.

  5. In their paper, they use “n” instead of “m” for the “key-size” parameter. We use m to avoid confusion with the dimension of the IPE.

  6. Since we consider a leakage-resilient IBE, we give the leakage parameter \(1^{\ell }\) as input; it denotes the maximum number of leakage bits the scheme tolerates.

  7. In [ADN+09], only adaptive security is considered. We define selective security analogously.

  8. Though Alwen et al. [ADN+09] only gave a proof for the case of adaptive security, the proof extends straightforwardly to the selective case.

References

  1. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key encryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 113–134. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_6. IACR Cryptology ePrint Archive, 2009:512, 2009. Version 20091028:202321

  2. Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 36–54. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_3

  3. Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2

  4. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_28

  5. Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  6. Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability - (or: Quadratic residuosity strikes back). In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_1

  7. Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage. In: 51st FOCS, pp. 501–510. IEEE Computer Society Press, October 2010

  8. Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 535–564. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_20

  9. Boyle, E., Segev, G., Wichs, D.: Fully leakage-resilient signatures. J. Cryptol. 26(3), 513–558 (2013)

  10. Chow, S.S.M., Dodis, Y., Rouselakis, Y., Waters, B.: Practical leakage-resilient identity-based encryption from simple assumptions. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 152–161. ACM Press, October 2010

  11. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20

  12. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4

  13. Chen, Y., Zhang, Z., Lin, D., Cao, Z.: Generalized (identity-based) hash proof system and its applications. Secur. Commun. Netw. 9(12), 1698–1716 (2016)

  14. Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_22

  15. Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Cryptography against continuous memory attacks. In: 51st FOCS, pp. 511–520. IEEE Computer Society Press, October 2010

  16. Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Efficient public-key cryptography in the presence of key leakage. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 613–631. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_35

  17. Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: Mitzenmacher, M. (ed.) 41st ACM STOC, pp. 621–630. ACM Press, May/June 2009

  18. Di Crescenzo, G., Lipton, R., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_12

  19. Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 207–224. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_11

  20. Garg, S., Jain, A., Sahai, A.: Leakage-resilient zero knowledge. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 297–315. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_17

  21. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, pp. 25–32. ACM Press, May 1989

  22. Hazay, C., López-Alt, A., Wee, H., Wichs, D.: Leakage-resilient cryptography from minimal assumptions. J. Cryptol. 29(3), 514–551 (2016)

  23. Kurosawa, K., Phong, L.T.: Anonymous and leakage resilient IBE and IPE. Des. Codes Crypt. 85(2), 273–298 (2017)

  24. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9

  25. Katz, J., Vaikuntanathan, V.: Signature schemes with bounded leakage resilience. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 703–720. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_41

  26. Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_6

  27. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012)

  28. Qin, B., Liu, S.: Leakage-resilient chosen-ciphertext secure public-key encryption from hash proof system and one-time lossy filter. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 381–400. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_20

  29. Qin, B., Liu, S.: Leakage-flexible CCA-secure public-key encryption: simple construction and free of pairing. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 19–36. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_2

  30. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26

  31. Yu, Z., Au, M.H., Xu, Q., Yang, R., Han, J.: Leakage-resilient functional encryption via pair encodings. In: Liu, J.K.K., Steinfeld, R. (eds.) ACISP 2016, Part I. LNCS, vol. 9722, pp. 443–460. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_27

  32. Yuen, T.H., Chow, S.S.M., Zhang, Y., Yiu, S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 117–134. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_9

  33. Zhang, J., Chen, J., Gong, J., Ge, A., Ma, C.: Leakage-resilient attribute based encryption in prime-order groups via predicate encodings. Des. Codes Crypt. 86(6), 1339–1366 (2018)

Acknowledgments

We thank Daniel Wichs for helpful comments on the presentation.

Correspondence to Takashi Yamakawa.

A Key-Compact IPE from CBDH or DBDH

Here, we give constructions of a fully key-compact selectively secure IPE scheme based on the CBDH or DBDH assumptions. The constructions are simple extensions of the Boneh-Boyen IBE [BB04] and can be seen as selectively secure variants of the adaptively secure short secret key IPE scheme by Chen, Gay, and Wee [CGW15].

A.1 Definitions

First, we define pairing groups and the CBDH and DBDH assumptions on them. Let \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) be groups of prime order q associated with a pairing \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\). We require e to satisfy the following two properties.

Bilinearity:

For all \(g_1 \in \mathbb {G}_1\), \(g_2 \in \mathbb {G}_2\) and \(a,b\in \mathbb {Z}_q\), it holds that \(e (g_1^{a},g_2^{b})= e (g_1,g_2)^{ab}\).

Non-degeneracy:

If \(g_1\) and \(g_2\) generate \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively, then \(e (g_1,g_2)\ne ~1\).

 

Definition 8

(Computational Bilinear Diffie-Hellman Assumption). We say that the computational bilinear Diffie-Hellman (CBDH) assumption holds if for any PPT adversary \(\mathcal {A}\), we have

where \(g_1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_1\), \(g_2\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_2\) and \(\alpha ,\beta ,\gamma \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\).

Definition 9

(Decisional Bilinear Diffie-Hellman Assumption). We say that the decisional bilinear Diffie-Hellman (DBDH) assumption holds if for any PPT adversary \(\mathcal {A}\), we have

$$\begin{aligned} |\Pr [\mathcal {A}(g_1,g_1^\alpha ,g_1^\beta ,g_1^\gamma ,g_2,g_2^\alpha ,g_2^\beta ,g_2^\gamma ,T_0)=1]\\ -\Pr [\mathcal {A}(g_1,g_1^\alpha ,g_1^\beta ,g_1^\gamma ,g_2,g_2^\alpha ,g_2^\beta ,g_2^\gamma ,T_1)=1]|=\mathrm {negl}(\lambda ) \end{aligned}$$

where \(g_1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_1\), \(g_2\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_2\), \(\alpha ,\beta ,\gamma \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\), , and \(T_1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_T\).

By the Goldreich-Levin theorem [GL89], the following lemma holds.

Lemma 3

(Hardcore security of CBDH). If the CBDH assumption holds, then there exists a family \(\mathcal {G}\mathcal {L}\) of functions \(\mathsf {hc}:\mathbb {G}_T\rightarrow \{0,1\}\) such that

$$\begin{aligned} |\Pr [\mathcal {A}(g_1,g_1^\alpha ,g_1^\beta ,g_1^\gamma ,g_2,g_2^\alpha ,g_2^\beta ,g_2^\gamma ,\mathsf {hc},T_0)=1]\\ -\Pr [\mathcal {A}(g_1,g_1^\alpha ,g_1^\beta ,g_1^\gamma ,g_2,g_2^\alpha ,g_2^\beta ,g_2^\gamma ,\mathsf {hc},T_1)=1]|=\mathrm {negl}(\lambda ) \end{aligned}$$

where \(g_1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_1\), \(g_2\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {G}_2\), \(\alpha ,\beta ,\gamma \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\), \(\mathsf {hc}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {G}\mathcal {L}\), , and \(T_1 \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\{0,1\}\).

A.2 Construction

We first describe our IPE scheme based on the CBDH assumption.  

\(\mathsf {Setup}(1^\lambda ,1^{n})\)::

It generates parameters of a pairing group , chooses \(\mathsf {hc}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {G}\mathcal {L}\), \(\alpha ,\beta \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\) and \(r_i\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\) for \(i\in [n]\), sets , and for \(i\in [n]\), and outputs and ). All other algorithms implicitly include \(\mathsf {pp}\) as an input. The message space is \(\{0,1\}\) and the vector space \(\mathbb {Z}_q^n\).

\(\mathsf {KeyGen}(\mathsf {msk},\varvec{y}=(y_1,...,y_n))\)::

It chooses \(s\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\), sets , , and outputs .

\(\mathsf {Enc}(\varvec{x}=(x_1,...,x_n), \mathsf {m}\in \mathbb {G}_T)\)::

It chooses \(\gamma \overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\), computes , for \(i\in [n]\), and , and outputs .

\(\mathsf {Dec}(\mathsf {sk}_{\varvec{y}}=(k_0,k_1), \mathsf {ct}_x=(C_0,C_1,...,C_n,C_\mathsf {m}))\)::

It outputs .

 

Correctness. Let \(\varvec{x}\in \mathbb {Z}_q^n\) and \(\varvec{y}\in \mathbb {Z}_q^n\) be vectors such that \(\varvec{x} ^{T}\cdot \varvec{y}=0\) and let \(\mathsf {m}\in \{0,1\}\) be any message. Suppose that \(\mathsf {ct}_{\varvec{x}}=(C_0,C_1,...,C_n,C_\mathsf {m})\) and \(\mathsf {sk}_{\varvec{y}}=(k_0,k_1)\) are generated as \((\mathsf {msk},\mathsf {pp})\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathsf {Setup}(1^{\lambda },1^n)\), \(\mathsf {ct}_{\varvec{x}}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathsf {Enc}(\varvec{x}, \mathsf {m})\), and \(\mathsf {sk}_{\varvec{y}}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathsf {KeyGen}(\mathsf {msk},\varvec{y}=(y_1,...,y_n))\). Then we have

$$\begin{aligned}&e(C_0,k_1)\cdot e(\prod _{i=1}^{n}(C_i^{y_i}),k_0)^{-1} \\&= e(g_1^\gamma ,g_2^{\alpha \beta +s\sum _{i=1}^{n}y_ir_i}) \cdot e(g_1^{\sum _{i=1}^{n}y_i\gamma (\alpha x_i+r_i)},g_2^s)^{-1}\\&= e(g_1,g_2)^{\alpha \beta \gamma + \gamma s \sum _{i=1}^{n}y_ir_i}\cdot e(g_1,g_2)^{-\gamma s (\alpha \sum _{i=1}^{n}x_iy_i+\sum _{i=1}^{n}y_ir_i)}\\&= e(g_1,g_2)^{\alpha \beta \gamma }. \end{aligned}$$

Thus decryption is correct, since \(w^\gamma = e(g_1,g_2)^{\alpha \beta \gamma }\).

Key-Compactness. A secret key \(\mathsf {sk}_{\varvec{y}}\) for a vector \(\varvec{y}\) consists of two elements of \(\mathbb {G}_2\), so its size is independent of the dimension n. Therefore the scheme is fully key-compact.

Security

Theorem 4

If the CBDH assumption holds, then the above scheme is selectively secure.

Proof

Suppose that there exists a PPT adversary \(\mathcal {A}=((\mathcal {A}_{1\text {-}1},\mathcal {A}_{1\text {-}2}),\mathcal {A}_2)\) that breaks the selective security of the above IPE scheme. We construct a PPT algorithm \(\mathcal {B}\) that breaks the hardcore security of CBDH as follows.  

\(\mathcal {B}(g_1,g_1^\alpha ,g_1^\beta ,g_1^\gamma ,g_2, g_2^\alpha ,g_2^\beta ,g_2^\gamma ,\mathsf {hc},T)\)::

The goal of \(\mathcal {B}\) is to distinguish if \(T=\mathsf {hc}(e(g_1,g_2)^{\alpha \beta \gamma })\) or \(T\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\{0,1\}\). It first runs \((\varvec{x}^*,\mathsf {st}_{\mathcal {A},\mathsf {pre}})\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {A}_{1\text {-}1}(1^{\lambda },1^{n})\). Then it picks \(r'_i\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q\) for \(i\in [n]\), sets \(v\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }g_1^{\alpha }\), , (this implicitly sets ), and , and runs \((\mathsf {m}_0,\mathsf {m}_1,\mathsf {st})\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {A}_{1\text {-}2}^{\mathsf {KeyGen}(\mathsf {msk},\cdot )}(\mathsf {pp},\mathsf {st}_{\mathcal {A},\mathsf {pre}})\) where the way to simulate the oracle \(\mathsf {KeyGen}(\mathsf {msk},\cdot )\) is described below. Then \(\mathcal {B}\) picks \(\mathsf {coin}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\{0,1\}\), sets , for \(i\in [n]\), , and , and runs \(\widehat{\mathsf {coin}}\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {A}_2^{\mathsf {KeyGen}(\mathsf {msk},\cdot )}(\mathsf {ct}^*,\mathsf {st})\) where the way to simulate the oracle \(\mathsf {KeyGen}(\mathsf {msk},\cdot )\) is described below. Finally, \(\mathcal {B}\) outputs \((\widehat{\mathsf {coin}}{\mathop {=}\limits ^{?}}\mathsf {coin})\).

\(\mathsf {KeyGen}(\mathsf {msk},\cdot )\)::

Here, we describe the way to simulate \(\mathsf {KeyGen}(\mathsf {msk},\cdot )\) by \(\mathcal {B}\). Given a key query \(\varvec{y} = (y_1,...,y_n)\), it first computes . If \(\eta =0\), then it aborts. Otherwise it picks \(s'\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathbb {Z}_q \), sets and , and returns . We omit sub/super-script of \(\sum _{i=1}^n\) below for ease of notation. Now, we set , then we can rewrite

$$\begin{aligned} k_1&= g^{s'\sum _{}^{}y_i (r_i + \alpha x_i^*) - s' \alpha \eta + \beta /\eta \sum _{}^{}y_i(r_i + \alpha x_i^*) }\\&= g^{(s' + \beta /\eta )\sum _{}^{}y_i r_i + s'\alpha (\sum _{}^{}y_i x_i^* -\eta ) + \alpha \beta /\eta \sum _{}^{}y_i x_i^*}\\&= g^{s\sum _{}^{}y_i r_i + \alpha \beta }\ \ \ (\because (\varvec{x}^*)^T\cdot \varvec{y} = \sum _{}^{}y_i x_i^* = \eta ) \end{aligned}$$

This perfectly simulates the secret keys.

For the target ciphertext, \(C_0^*=g^{\gamma }\), and for \(i=1,...,n\), we have

$$\begin{aligned} C_i^*&= (g^{r'_i})^\gamma \\&= (g_1^{\alpha x_i^*} \cdot g_1^{r'_i - \alpha x_i^*})^\gamma \\&= (v^{x_i^*} u_i)^\gamma \end{aligned}$$

If \(T=\mathsf {hc}(e(g_1,g_2)^{\alpha \beta \gamma })\), then \(C^*_{\mathsf {m}}\) is also simulated correctly. On the other hand, if \(T\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\{0,1\}\), no information about \(\mathsf {coin}\) is given to \(\mathcal {A}\), and thus the probability that \(\mathcal {B}\) outputs 1 is exactly 1/2. Therefore we have

$$\begin{aligned} \Pr [1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {B}|T=\mathsf {hc}(e(g_1,g_2)^{\alpha \beta \gamma })]-\Pr [1\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\mathcal {B}|T\overset{\scriptscriptstyle \mathsf {R}}{\leftarrow }\{0,1\}]=\frac{\mathsf {Adv}_{\mathsf {IPE},\mathcal {A}}^{\mathsf {CPA}}(\lambda )}{2}. \end{aligned}$$

Thus, \(\mathcal {B}\) breaks the hardcore security of CBDH whenever \(\mathcal {A}\) breaks the selective security of the IPE scheme. By Lemma 3, this immediately implies that the scheme is selectively secure if the CBDH assumption holds.

\(\blacksquare \)

If we use the DBDH assumption, we can set the message space of the scheme to \(\mathbb {G}_T\).

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Nishimaki, R., Yamakawa, T. (2019). Leakage-Resilient Identity-Based Encryption in Bounded Retrieval Model with Nearly Optimal Leakage-Ratio. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. Lecture Notes in Computer Science, vol 11442. Springer, Cham. https://doi.org/10.1007/978-3-030-17253-4_16

  • DOI: https://doi.org/10.1007/978-3-030-17253-4_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17252-7

  • Online ISBN: 978-3-030-17253-4
