Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Shi-Feng Sun, Dawu Gu, Shengli Liu

Research output: Contribution to journalArticleResearchpeer-review

7 Citations (Scopus)

Abstract

Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity-based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m≤ logp − ω(logκ), where κ and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are λ-leakage-resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, λ≤ logp − ω(logκ), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp − ω(logκ))-bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to 1/4. Copyright Â

Original languageEnglish
Pages (from-to)1417-1434
Number of pages18
JournalSecurity and Communication Networks
Volume9
Issue number11
DOIs
Publication statusPublished - 25 Jul 2016
Externally publishedYes

Keywords

  • chosen ciphertext security
  • full security
  • identity-based encryption
  • key leakage attack
  • leakage resilience

Cite this

@article{2ef2fc093d20429b81d9ca9bd5f71793,
title = "Efficient chosen ciphertext secure identity-based encryption against key leakage attacks",
abstract = "Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity-based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m≤ logp − ω(logκ), where κ and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are λ-leakage-resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, λ≤ logp − ω(logκ), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp − ω(logκ))-bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to 1/4. Copyright {\^A}",
keywords = "chosen ciphertext security, full security, identity-based encryption, key leakage attack, leakage resilience",
author = "Shi-Feng Sun and Dawu Gu and Shengli Liu",
year = "2016",
month = "7",
day = "25",
doi = "10.1002/sec.1429",
language = "English",
volume = "9",
pages = "1417--1434",
journal = "Security and Communication Networks",
issn = "1939-0114",
publisher = "Wiley-Blackwell",
number = "11",

}

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks. / Sun, Shi-Feng; Gu, Dawu; Liu, Shengli.

In: Security and Communication Networks, Vol. 9, No. 11, 25.07.2016, p. 1417-1434.

Research output: Contribution to journalArticleResearchpeer-review

TY - JOUR

T1 - Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

AU - Sun, Shi-Feng

AU - Gu, Dawu

AU - Liu, Shengli

PY - 2016/7/25

Y1 - 2016/7/25

N2 - Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity-based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m≤ logp − ω(logκ), where κ and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are λ-leakage-resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, λ≤ logp − ω(logκ), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp − ω(logκ))-bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to 1/4. Copyright Â

AB - Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, there have been many identity-based encryption (IBE) schemes proposed in this context, almost all of which, however, can only achieve chosen plaintext attack (CPA) security. As far as we know, Alwen et al.'s IBE is the unique practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, this scheme suffers from an undesirable shortcoming that the leakage parameter λ and the message length m are subject to λ + m≤ logp − ω(logκ), where κ and p denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio in this scheme is very low, which can just reach 1/6. In this work, we put forward two new IBE schemes, both of which are λ-leakage-resilient CCA2 secure in the standard model. Specifically, the first construction is proposed based on Gentry's IBE, which is quite practical and almost as efficient as the original scheme. Moreover, its leakage parameter, λ≤ logp − ω(logκ), is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model, tolerating up to (logp − ω(logκ))-bit leakage of the private key and its leakage parameter being independent of the message length. As to the second construction, it is proposed based on the scheme of Alwen et al., which has the same leakage parameter as Alwen et al., but has a better efficiency performance and a higher leakage ratio. As far as we know, it is the first practical and fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to 1/4. Copyright Â

KW - chosen ciphertext security

KW - full security

KW - identity-based encryption

KW - key leakage attack

KW - leakage resilience

UR - http://www.scopus.com/inward/record.url?scp=84957599518&partnerID=8YFLogxK

U2 - 10.1002/sec.1429

DO - 10.1002/sec.1429

M3 - Article

VL - 9

SP - 1417

EP - 1434

JO - Security and Communication Networks

JF - Security and Communication Networks

SN - 1939-0114

IS - 11

ER -