TY - JOUR
AU - Hu, Mingxiao
AB -

Abstract

In actual applications, an adversary can break the security of a cryptographic scheme through various leakage attacks (e.g. side-channel attacks, cold-boot attacks, etc.), and even through continuous leakage attacks. That is, a practical cryptographic scheme must maintain its claimed security in the continuous leakage setting. However, previous constructions of leakage-resilient identity-based encryption (IBE) schemes could only tolerate a bounded amount of leakage, and cannot resist continuous leakage attacks. To achieve better security, a novel method to build a continuous leakage-resilient IBE scheme with tight security is presented in this paper, and the scheme's security is proved, in the standard model, under a stronger security assumption that depends on the number of queries made by the adversary. In addition, our proposal has several advantages over previous such constructions, e.g. shorter public parameters, higher communication efficiency, tight security, etc.

1. INTRODUCTION

In the traditional security models, such as chosen-plaintext attacks (CPA), chosen-ciphertext attacks (CCA), etc., an efficient adversary can only see the appointed input and output of a cryptographic scheme, but has no other ability to access the internal secret information (e.g. the private key). In other words, these models are idealized security models, and leakage of the internal secret states is not considered. In the real world, an adversary can learn a certain amount of leakage information about the internal secret states through various leakage attacks, e.g. side-channel attacks, cold-boot attacks, etc. That is, traditional cryptographic schemes, whose security is proved in an idealized setting, may not be able to maintain their claimed security in the leakage setting.

To further improve practicability, leakage-resilient cryptographic schemes have been constructed by many researchers in the past few years, including the leakage-resilient public-key encryption (PKE) scheme [1, 2], the leakage-resilient identity-based encryption (IBE) scheme [3–5], the leakage-resilient certificate-based encryption (CBE) scheme [6–8], the leakage-resilient signcryption scheme [9], the leakage-resilient certificateless public-key encryption (CL-PKE) scheme [10, 11], etc. Thus, leakage-resilient cryptography has led to constructions of many cryptographic primitives which can be proven secure even against adversaries who can obtain limited additional information about the private key or other internal secret states. However, an adversary can mount continuous leakage attacks in actual applications, and a cryptographic scheme with continuous leakage resilience is more practical. In summary, (continuous) leakage resilience provides a powerful tool, allowing us to easily analyze the security of such constructions, and we believe that (continuous) leakage resilience is an interesting property of cryptographic primitives. Thus, in this paper, we study continuous leakage resilience for IBE schemes, and design a concrete construction of a continuous leakage-resilient IBE scheme in the standard model.

1.1. Leakage model

In recent years, the bounded-leakage model has received much attention [1–4, 6]. In this model, an adversary can learn arbitrary information about the private key, as long as the total number of bits leaked is bounded by some parameter $\lambda$, called the leakage parameter.
We formalize this security notion by giving the adversary access to a leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$ (the formal definition is given in Section 3.2) that she can repeatedly and adaptively query; each query to the leakage oracle consists of an efficiently computable leakage function $f_i(\cdot)$, and the oracle responds with the 'leakage information' $f_i(SK_{id})$ computed on the private key $SK_{id}$, where the total number of bits leaked on the same private key is bounded by $\lambda$. In the continuous leakage model, the entire lifetime of the cryptosystem is partitioned into periods; at the end of each period the internal secret states are updated, and fresh randomness is pushed into them by this additional update operation. Then, for an adversary, the internal secret states are uniformly random even if a certain amount of additional information on the internal secret states was captured by the adversary. Thus, in this model, the adversary is allowed to obtain bounded leakage from the entire internal secret state during each time period, as in the bounded leakage model, but the total leakage over the lifetime of the scheme is unbounded. Hence, the main advantage of the continuous leakage model is that the problem of continuous leakage attacks can be reduced to the simpler single-round bounded leakage-resilient property. Because continuous leakage resilience is closer to real life, several constructions have captured continuous leakage resilience in their security considerations, such as the continuous leakage-resilient PKE schemes [12–14], the continuous leakage-resilient key exchange protocol [15], the continuous leakage-resilient signature scheme [16], the continuous leakage-resilient CBE scheme [17], the continuous leakage-resilient CL-PKE scheme [18], the continuous leakage-resilient IBE scheme [19], the continuous leakage-resilient attribute-based encryption (ABE) scheme [20], etc.

1.2. Prior constructions

In EUROCRYPT 2010, to resist leakage attacks on IBE schemes, Alwen et al. [21] generalized hash proof systems to the identity-based setting and referred to the result as an identity-based hash proof system (IB-HPS). They also showed how to construct a leakage-resilient IBE scheme from an IB-HPS; that is, a generic construction of leakage-resilient IBE is obtained from IB-HPS. In particular, they presented three instantiations based on the IBE schemes of Boneh et al. [22], Gentry [23] and Gentry et al. [24], respectively. In CCS 2010, building on the conclusions of Alwen et al. [21], Chow et al. [25] constructed three new leakage-resilient IBE schemes from the IBE schemes of Boneh et al. [26], Lewko et al. [27] and Waters [28]; the first of these was proved secure in the selective identity security model. In EUROCRYPT 2012, Yuen et al. [29] proposed a new leakage-resilient IBE scheme in the auxiliary input model, which can tolerate a more general form of leakage. In addition, Li et al. [3] presented a provably secure IBE scheme resilient to post-challenge continuous auxiliary input leakage. In TCC 2011, Lewko et al. [30] showed that leakage resilience for cryptographic schemes can be obtained quite naturally within the methodology of dual system encryption. Sun et al. [31] designed the first leakage-resilient wicked IBE scheme over composite order groups, with a security proof via the dual system encryption technique. Recently, Li et al. [20] developed a leakage-resilient identity-based broadcast encryption scheme based on the dual system encryption technique. Furthermore, a continuous leakage-resilient IBE scheme was created by Zhou et al. [19].

However, analysis shows that the above IBE schemes [3, 19–21, 25, 29–31] with (continuous) leakage resilience have the following deficiencies:

(i) The constructions [3, 20, 21, 25, 29–31] were only proved CPA secure. Because security against adaptive chosen-ciphertext attacks is a strong and very useful notion of security for IBE schemes, Li et al. [4] applied a hash proof technique to the existing CCA secure variant of Gentry's IBE scheme [23] to construct a new leakage-resilient IBE scheme, and Sun et al. [5] presented a new leakage-resilient IBE scheme using Gentry's method [23], which also achieves CCA security. However, the constructions [4, 5] with CCA security only achieve bounded leakage resilience, and cannot keep their original security in the continuous leakage setting.

(ii) The practicability of the constructions [20, 29–31] built on the dual system encryption technique is lower, because the security of these schemes is proved under subgroup decisional assumptions over composite order bilinear groups. Moreover, only CPA security is obtained when the constructions are built over composite order bilinear groups; although the constructions [29, 30] achieve continuous leakage resilience, they only obtain CPA security.

(iii) To obtain continuous leakage-resilient CCA security, Zhou et al. [19] created a novel construction of a continuous leakage-resilient IBE scheme; however, its CCA security is proved in the selective identity security model.

To sum up, in the identity-based setting, some continuous leakage-resilient IBE schemes [29, 30] only achieve CPA security, and the CCA security of the continuous leakage-resilient IBE scheme proposed in [19] is proved in the selective identity security model, i.e. it only achieves selective identity CCA security.
Therefore, there is no practical IBE scheme with CCA security in the literature that addresses continuous leakage attacks. To obtain better performance, we focus on the construction of a practical CCA secure continuous leakage-resilient IBE scheme with a tight security reduction, whose CCA security is proved in the standard model.

1.3. Our contributions

Prior constructions of (continuous) leakage-resilient IBE schemes [3, 21, 25, 29–31] could either tolerate only bounded leakage or only achieve CPA security, and only selective identity CCA security was obtained in [19]. To solve the above problems, our work shows how to construct a CCA secure IBE scheme with continuous leakage resilience. Concretely, we first put forward a basic continuous leakage-resilient IBE scheme $\Pi$ with CPA security, in the standard model, under the truncated augmented bilinear Diffie–Hellman exponent ($q$-TABDHE) assumption. After that, we develop a novel construction of a continuous leakage-resilient IBE scheme $\Pi'$, and the CCA security of $\Pi'$ can be proved with the same method as for $\Pi$. Compared with the (continuous) leakage-resilient IBE schemes [4, 5, 19], our proposal enjoys better performance, e.g. higher communication efficiency, shorter public parameters, tight security, etc.

2. PRELIMINARIES

2.1. Notations

Let $\kappa \in \mathbb{N}$ denote the security parameter. If $S$ is a string, then $|S|$ denotes its length, while if $S$ is a set then $|S|$ denotes its size and $s \leftarrow_R S$ denotes the operation of picking an element $s$ uniformly at random from $S$. We denote by $y \leftarrow \mathcal{A}(x)$ the operation of running $\mathcal{A}$ with input $x$ and assigning $y$ as the result. We use $\mathsf{negl}(\kappa)$ to denote the set of all functions that are negligible in the security parameter $\kappa$.

2.2. Bilinear groups

Let $\mathcal{G}(1^\kappa)$ be a probabilistic polynomial time (PPT) group generation algorithm that takes as input a security parameter $\kappa$ and outputs a tuple $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$ such that: (i) $G$ and $G_T$ are two (multiplicative) cyclic groups of prime order $p$; (ii) $g$ is a generator of $G$; (iii) $e: G \times G \to G_T$ is an efficiently computable bilinear pairing with the following properties:

Bilinear: $e(u^a, v^b) = e(u,v)^{ab}$ for all $a, b \in \mathbb{Z}_p^*$ and $u, v \in G$;
Non-degeneracy: $e(g,g) \neq 1_{G_T}$, where $1_{G_T}$ is the identity element of $G_T$;
Computable: $e(u,v)$ can be computed efficiently for all $u, v \in G$.

2.3. Security assumption

The security of our constructions is based on a complexity assumption that we call the decisional augmented bilinear Diffie–Hellman exponent assumption (decisional ABDHE). The $q$-ABDHE problem is described as follows: given a vector of $2q+2$ elements
$$(g', g'^{(\alpha^{q+2})}, g, g^{\alpha}, \ldots, g^{(\alpha^{q})}, g^{(\alpha^{q+2})}, \ldots, g^{(\alpha^{2q})}) \in G^{2q+2}$$
as input, output $e(g, g')^{\alpha^{q+1}} \in G_T$. We use $g_i$ and $g'_i$ to denote $g^{(\alpha^i)}$ and $g'^{(\alpha^i)}$. The decisional version of truncated $q$-ABDHE is defined as follows. Let $\mathcal{T}_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\mathcal{T}_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$. The advantage of an adversary $\mathcal{S}$ in solving the $q$-ABDHE problem is defined as
$$\mathsf{Adv}^{q\text{-ABDHE}}_{\mathcal{S}}(\kappa) = \left| \Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \Pr[\mathcal{S}(\mathcal{T}_0) = 1] \right|,$$
where the probability is over the random choice of the generators $g, g'$ in $G$, the random choice of $\alpha$ in $\mathbb{Z}_p^*$, the random choice of $T_0 \leftarrow_R G_T$, and the random bits consumed by $\mathcal{S}$.

The $q$-ABDHE assumption is captured in the following distinguishability game between a challenger $\mathcal{C}$ and an adversary $\mathcal{S}$.

Setup. The challenger $\mathcal{C}$ runs $\mathbb{G} \leftarrow \mathcal{G}(1^\kappa)$ and gives $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$ to the adversary $\mathcal{S}$.

Challenge stage. $\mathcal{C}$ does the following: computes $g_i = g^{(\alpha^i)}$ and $g'_i = g'^{(\alpha^i)}$, where $g, g' \leftarrow_R G$, $i = 1, 2, \ldots, q$ and $\alpha \leftarrow_R \mathbb{Z}_p^*$; sets $\mathcal{T}_1 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_1)$ and $\mathcal{T}_0 = (g', g'_{q+2}, g, g_1, \ldots, g_q, T_0)$, where $T_1 = e(g_{q+1}, g')$ and $T_0 \leftarrow_R G_T$; and sends the challenge tuple $\mathcal{T}_v$ to $\mathcal{S}$, where $v \leftarrow_R \{0,1\}$.

Output. $\mathcal{S}$ outputs a bit $v' \in \{0,1\}$ as its guess of the random bit $v$ chosen by the challenger $\mathcal{C}$. If $v' = v$, then $\mathcal{S}$ wins the game; that is, the adversary $\mathcal{S}$ can distinguish a $q$-ABDHE tuple from a random tuple.

Definition 2.1 ($q$-ABDHE). We say that the $q$-ABDHE assumption holds if for all PPT adversaries $\mathcal{S}$ we have $\mathsf{Adv}^{q\text{-ABDHE}}_{\mathcal{S}}(\kappa) \leq \mathsf{negl}(\kappa)$.

2.4. Randomness extractor

The basic notions such as universal hash functions, min-entropy $H_\infty(A)$, statistical distance $\mathsf{SD}(A,B)$ and average conditional min-entropy $\tilde{H}_\infty(A \mid C)$ are omitted here; the reader may refer to [1, 2, 32] for details. By the definition of $\tilde{H}_\infty(A \mid C)$, for any PPT adversary $\mathcal{A}$ we obtain
$$\Pr[\mathcal{A}(C) = A] = \mathbb{E}_c\big[\Pr[\mathcal{A}(C) = A]\big] \leq \mathbb{E}_c\big[2^{-H_\infty(A \mid C = c)}\big] = 2^{-\tilde{H}_\infty(A \mid C)},$$
where $\mathbb{E}_c$ denotes the expectation over $C$.

Lemma 2.1 ([32]). Let $X$, $Y$ and $Z$ be random variables. If $Y$ has at most $2^\lambda$ possible values, then $\tilde{H}_\infty(X \mid (Y,Z)) \geq \tilde{H}_\infty(X \mid Z) - \lambda$.

Definition 2.2 (Randomness extractor). An efficiently computable function $\mathsf{Ext}: \{0,1\}^{l_n} \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ is an average-case $(k, \varepsilon)$-strong randomness extractor if for all pairs of random variables $(X, Y)$ such that $X \in \{0,1\}^{l_n}$ and $\tilde{H}_\infty(X \mid Y) \geq k$, we have $\mathsf{SD}((\mathsf{Ext}(X, S), S, Y), (U_m, S, Y)) \leq \varepsilon$, where $S \leftarrow_R \{0,1\}^{l_t}$ and $U_m \leftarrow_R \{0,1\}^{l_m}$.

Definition 2.3 (Universal hash function). For $i \in I$ and all distinct $x_1 \neq x_2 \in X$, if $\Pr_{i \leftarrow I}[H_i(x_1) = H_i(x_2)] \leq \frac{1}{|Y|}$, then the hash function family $H_I: X \to Y$ is universal.

Example 1 ([2]). The family of functions $\{H_{k_1, \ldots, k_l}: \mathbb{Z}_p^{l+1} \to \mathbb{Z}_p\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, l}$ is universal, where $H_{k_1,\ldots,k_l}(x_0, x_1, \ldots, x_l) = x_0 + k_1 x_1 + \cdots + k_l x_l$. All operations are in the prime field $\mathbb{F}_p$.

Example 2 ([2]). Let $G$ be a multiplicative group of prime order $p$, and $g \in G$, $g \neq 1$. The family of functions $\{H_{k_1,\ldots,k_l}: G^{l+1} \to G\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, l}$ is universal, where $H_{k_1,\ldots,k_l}(g_0, g_1, \ldots, g_l) = g_0 g_1^{k_1} \cdots g_l^{k_l}$.

Lemma 2.2 (Leftover hash lemma [32]). Let $\mathcal{H}_{\mathcal{S}} = \{H_S: X \to Y\}_{S \in \mathcal{S}}$ be a family of universal hash functions, and let $U_y$ be the uniform distribution over $Y$. For two random variables $X \leftarrow_R X$ and $C$, it holds that
$$\mathsf{SD}((H_S(X), S), (U_y, S)) \leq \tfrac{1}{2}\sqrt{2^{-H_\infty(X)} |Y|}; \qquad \mathsf{SD}((H_S(X), S, C), (U_y, S, C)) \leq \tfrac{1}{2}\sqrt{2^{-\tilde{H}_\infty(X \mid C)} |Y|}.$$
Lemma 2.3 (Generalized leftover hash lemma [32]). Let $X, Y$ be random variables such that $X \leftarrow_R \{0,1\}^{l_n}$ and $\tilde{H}_\infty(X \mid Y) \geq k$. Let $\mathcal{H}_{\mathcal{S}}$ be a family of universal hash functions from $\{0,1\}^{l_n}$ to $\{0,1\}^{l_m}$. Then, for $S \leftarrow_R \mathcal{S}$ and $U_m \leftarrow_R \{0,1\}^{l_m}$, we have $\mathsf{SD}((Y, S, H_S(X)), (Y, S, U_m)) \leq \varepsilon$ as long as $l_m \leq k - 2\log(1/\varepsilon)$.

By Lemmas 2.2 and 2.3, for an index $i \leftarrow_R I$, the universal hash function $H_i: X \to Y$ can be employed as an average-case strong randomness extractor.

3. IDENTITY-BASED ENCRYPTION

3.1. Definition

Similar to previous works [4, 5, 25, 33], an IBE scheme consists of four algorithms, $\mathsf{Setup}$, $\mathsf{KeyGen}$, $\mathsf{Enc}$ and $\mathsf{Dec}$, described as follows:

$(\mathit{Params}, S_{msk}) \leftarrow \mathsf{Setup}(1^\kappa)$. The setup algorithm takes as input a security parameter $\kappa$, and outputs the public parameters $\mathit{Params}$ and the master secret key $S_{msk}$, where $\mathit{Params}$ is a common input of the following algorithms.

$SK_{id} \leftarrow \mathsf{KeyGen}(S_{msk}, id)$. The key generation algorithm takes $S_{msk}$ and an identity $id \in \mathcal{ID}$ (where $\mathcal{ID}$ denotes the identity space) as input, and generates the private key $SK_{id}$ for the identity $id$.

$c \leftarrow \mathsf{Enc}(id, M)$. On input a message $M \in \mathcal{M}$ (where $\mathcal{M}$ denotes the message space) and an identity $id$, the encryption algorithm $\mathsf{Enc}$ outputs the corresponding ciphertext $c$.

$M/\bot \leftarrow \mathsf{Dec}(SK_{id}, c)$. The recipient with identity $id$ decrypts the ciphertext $c$ by running the decryption algorithm $\mathsf{Dec}$ with the ciphertext $c$ and her private key $SK_{id}$ as input; it outputs the corresponding message $M$ or the special symbol $\bot$.

In the continuous leakage setting, an additional key update algorithm is used to push fresh randomness into the private key:

$SK'_{id} \leftarrow \mathsf{Update}(SK_{id}, \mathit{String})$. The key update algorithm takes a private key $SK_{id}$ and the corresponding parameter $\mathit{String}$ as input, and generates a new private key $SK'_{id}$ for the identity $id$. Also, for any adversary, we have $\mathsf{SD}(SK_{id}, SK'_{id}) \leq \mathsf{negl}(\kappa)$.

3.2. Leakage oracle

We model the adversary's leakage attacks on the private key $SK_{id}$ by giving the adversary access to a leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$, which the adversary can query to gain leakage information about $SK_{id}$.

Definition 3.1 (Leakage oracle). A leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$ is parameterized by a private key $SK_{id}$, a leakage parameter $\lambda$ and a security parameter $\kappa$. A query to the leakage oracle consists of an efficiently computable leakage function $f_i: \{0,1\}^* \to \{0,1\}^{\lambda_i}$. The oracle checks whether the sum of the $\lambda_i$ over all queries received so far exceeds the leakage parameter $\lambda$, and ignores the query if this is the case. Otherwise, it computes $f_i(SK_{id})$ for at most a polynomial number of steps and, if the computation completes, responds with the output; otherwise, it responds with the dummy value $\bot$.

Without loss of generality, we can assume that the adversary accesses the leakage oracle only once and obtains at most $\lambda$ bits of leakage.

3.3. Security model with (continuous) leakage resilience

In the (continuous) leakage setting, we require that the security of an IBE scheme remains intact even if an adversary can obtain some additional information on a user's private key. Following previous works [4, 5, 25], our (continuous) leakage-resilient security definition for IBE schemes only allows leakage attacks against the private keys of the various identities, but not against the master secret key. As noted in [1, 4, 5, 25], we only allow the adversary to make leakage queries before seeing the challenge ciphertext. This restriction is necessary, as otherwise the adversary could leak the first bit of the message and easily win the distinguishing game.
For an IBE scheme $\Pi = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ with identity space $\mathcal{ID}$ and message space $\mathcal{M}$, the security notion of leakage-resilient chosen-ciphertext attack (LR-CCA) security is defined by the following game between an adversary $\mathcal{A}$ and a simulator $\mathcal{S}$, under a security parameter $\kappa$ and a leakage parameter $\lambda$. The message exchange proceeds as follows.

Setup. $\mathcal{S}$ runs $(\mathit{Params}, S_{msk}) \leftarrow \mathsf{Setup}(1^\kappa)$, sends $\mathit{Params}$ to $\mathcal{A}$ and keeps $S_{msk}$ secret.

Test stage 1. In this stage, $\mathcal{A}$ can make the following three kinds of queries. The queries may be made adaptively, i.e. each query may depend on the answers to the previous queries.

Key generation queries. On input an identity $id \in \mathcal{ID}$, $\mathcal{S}$ runs $SK_{id} \leftarrow \mathsf{KeyGen}(S_{msk}, id)$ and replies with the private key $SK_{id}$. We stress that, in the leakage and decryption queries, the corresponding private key is obtained by running the key generation algorithm.

Leakage queries. On input an identity $id$ and an efficiently computable leakage function $f_i: \{0,1\}^* \to \{0,1\}^{\lambda_i}$, $\mathcal{S}$ returns the leakage information $f_i(SK_{id})$ on the private key $SK_{id}$ using the leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$, where $SK_{id} \leftarrow \mathsf{KeyGen}(S_{msk}, id)$. The total length of leakage on the same private key $SK_{id}$ must be bounded by the leakage parameter, i.e. $\sum_{i=1}^{j} |f_i(SK_{id})| \leq \lambda$; otherwise, the invalid answer $\bot$ is output.

Decryption queries. On input a ciphertext $C$ and an identity $id$, $\mathcal{S}$ decrypts $C$ using the private key $SK_{id}$ of the identity $id$, where $SK_{id} \leftarrow \mathsf{KeyGen}(S_{msk}, id)$, and sends the result $M/\bot = \mathsf{Dec}(SK_{id}, C)$ to $\mathcal{A}$.

Challenge. Once $\mathcal{A}$ decides that Test stage 1 is over, it outputs two equal-length messages $M_0, M_1 \in \mathcal{M}$ and a challenge identity $id^* \in \mathcal{ID}$ that never appeared in a key generation query and appeared in leakage queries with at most $\lambda$ bits of leakage. $\mathcal{S}$ chooses a bit $b \leftarrow_R \{0,1\}$, produces $C_b^* \leftarrow \mathsf{Enc}(id^*, M_b)$, and sends $C_b^*$ to $\mathcal{A}$ as the challenge ciphertext.

Test stage 2. This stage is similar to Test stage 1, with the restriction that neither key generation queries on $id^*$ nor decryption queries on $(C_b^*, id^*)$ may be made. Also, as mentioned above, no leakage query may be made in this stage.

Output. Finally, $\mathcal{A}$ outputs $b' \in \{0,1\}$ as its guess of the random bit $b$ picked by $\mathcal{S}$. We say that $\mathcal{A}$ wins if $b' = b$. The advantage $\mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\mathrm{IBE},\mathcal{A}}(\kappa, \lambda)$ of the adversary $\mathcal{A}$ in attacking the IBE scheme is defined as
$$\mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\mathrm{IBE},\mathcal{A}}(\kappa, \lambda) = \Pr[\mathcal{A} \text{ wins}] - \tfrac{1}{2}.$$

Leakage-resilient CCA (LR-CCA) security is defined as follows:

Definition 3.2 (LR-CCA security). An IBE scheme $\Pi$ is secure against adaptive posteriori leakage-resilient chosen-ciphertext attacks if for any PPT adversary $\mathcal{A}$ the advantage $\mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\Pi,\mathcal{A}}(\kappa,\lambda)$ in the above game is negligible, and the total amount of leakage on the same private key is bounded by the leakage parameter $\lambda$.

In FOCS 2010, Dodis et al. [12] showed that a cryptographic scheme with bounded leakage resilience can resist continuous leakage attacks if it allows users to refresh their private keys using only fresh local randomness while the public parameters and the functionality remain unchanged. Therefore, continuous leakage-resilient CCA (CLR-CCA) security is defined as follows:

Definition 3.3 (CLR-CCA security). An IBE scheme $\Pi$ with a key update function is secure against adaptive posteriori continuous leakage-resilient chosen-ciphertext attacks if for any PPT adversary $\mathcal{A}$ the advantage $\mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\Pi,\mathcal{A}}(\kappa,\lambda)$ in the above game is negligible. Furthermore, in each round of leakage attacks, the total amount of leakage on the same private key is bounded by $\lambda$.

We stress that, in the (continuous) leakage-resilient CPA security model, decryption queries cannot be submitted by the adversary. Due to space limitations, the corresponding descriptions are omitted.
In particular, in this paper we only prove the bounded leakage-resilient CPA/CCA security of our proposals; continuous leakage resilience then follows naturally by running the update algorithm, since the advantage of the continuous leakage model is that it can be reduced to the simpler single-round bounded leakage-resilient property by performing an additional key update algorithm.

4. CONTINUOUS LEAKAGE-RESILIENT IBE SCHEME WITH CPA SECURITY

A CPA secure IBE scheme $\Pi = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Update}, \mathsf{Enc}, \mathsf{Dec})$ is constructed in the continuous leakage model as follows.

4.1. Concrete construction

Setup. The setup algorithm $(\mathit{Params}, S_{msk}) \leftarrow \mathsf{Setup}(1^\kappa)$ is described as follows:
Run the group sampling algorithm $\mathcal{G}(1^\kappa)$ to obtain $\mathbb{G} = (p, G, G_T, e(\cdot,\cdot), g)$. Let $\mathsf{Ext}: G \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ be an average-case $(\log p - \lambda, \varepsilon)$-strong randomness extractor, where $\lambda$ is the leakage parameter and $\varepsilon$ is negligible.
Choose $\alpha \leftarrow_R \mathbb{Z}_p^*$ and $h \leftarrow_R G$, and compute $g_1 = g^\alpha$.
Let the master secret key be $S_{msk} = \alpha$, and set the public parameters $\mathit{Params}$ as the common input of the following algorithms. In addition, let the identity space be $\mathcal{ID} = \mathbb{Z}_p^*$ and the message space be $\mathcal{M} = \{0,1\}^{l_m}$. Note that identities can be bit strings of arbitrary length, mapped into $\mathbb{Z}_p^*$ by a collision-resistant hash function $H: \{0,1\}^* \to \mathbb{Z}_p^*$.

Key generation. The key generation algorithm $(SK_{id}, tk_{id}) \leftarrow \mathsf{KeyGen}(id, S_{msk})$ is described as follows:
Choose $t \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1} = (h g^{-t})^{\frac{1}{\alpha - id}}$ and $sk_{id,2} = t$.
Output the private key $SK_{id} = (sk_{id,1}, sk_{id,2})$ associated with the identity $id$. In addition, return an update key $tk_{id} = g^{\frac{1}{\alpha - id}}$, which is used in the key update algorithm.
We stress that if $\alpha = id$, the key generation algorithm aborts. Moreover, the update key is only used in the key update algorithm, and leakage on it is not considered; in other words, the adversary cannot perform leakage queries on the master secret key or the update key.

Key update. The key update algorithm $SK_{id}^{j} \leftarrow \mathsf{Update}(SK_{id}^{j-1}, tk_{id})$ is described as follows:
Choose $t_j \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1}^{j} = sk_{id,1}^{j-1} \cdot tk_{id}^{-t_j}$ and $sk_{id,2}^{j} = sk_{id,2}^{j-1} + t_j$. Then, for any update index $j$, we have
$$sk_{id,1}^{j} = \left(h\, g^{-(t + \sum_{i=1}^{j} t_i)}\right)^{\frac{1}{\alpha - id}} \quad \text{and} \quad sk_{id,2}^{j} = t + \sum_{i=1}^{j} t_i.$$
Output the new private key $SK_{id}^{j} = (sk_{id,1}^{j}, sk_{id,2}^{j})$ associated with the identity $id$. For any adversary, $\mathsf{SD}(SK_{id}^{j}, SK_{id}^{j-1}) \leq \mathsf{negl}(\kappa)$, since $t_j$ is uniformly random and independent of the adversary's view.

Encryption. The encryption algorithm $C \leftarrow \mathsf{Enc}(id, M)$ is described as follows:
Choose $r \leftarrow_R \mathbb{Z}_p^*$ and $S \leftarrow_R \{0,1\}^{l_t}$, and compute $c_1 = g_1^{r} g^{-r \cdot id}$, $c_2 = e(g,g)^r$ and $c_3 = \mathsf{Ext}(e(g,h)^r, S) \oplus M$, where $S$ is the randomness seed.
Set $C = (c_1, c_2, c_3, S)$ as the ciphertext of $M$, and output $C$.
Note that encryption does not require any pairing computations once $e(g,g)$ and $e(g,h)$ have been pre-computed. Alternatively, $e(g,g)$ and $e(g,h)$ can be included in the public parameters, in which case $h$ can be dropped.

Decryption. The decryption algorithm $M \leftarrow \mathsf{Dec}(SK_{id}, C)$ is described as follows:
Compute $\omega = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}}$.
Output $M = \mathsf{Ext}(\omega, S) \oplus c_3$ as the plaintext of $C$.

Correctness. From the following equation, it is easy to see that the decryption algorithm is consistent with the encryption algorithm:
$$\omega = e(c_1, sk_{id,1}) \cdot c_2^{sk_{id,2}} = e\!\left(g_1^{r} g^{-r \cdot id}, (h g^{-t})^{\frac{1}{\alpha - id}}\right) e(g,g)^{rt} = e(g^r, h)\, e(g^r, g^{-t})\, e(g,g)^{rt} = e(g,h)^r.$$

4.2. Proof of security

Based on the conclusions of Dodis et al. [12], a continuous leakage-resilient IBE scheme can be obtained from an IBE scheme $\Pi = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec})$ with bounded leakage resilience by running an additional key update algorithm $\mathsf{Update}$. Therefore, in this section, we only prove the bounded leakage-resilient property of our construction; continuous leakage resilience is then achieved naturally by performing the key update operation.
Theorem 4.1. Under the $q$-ABDHE assumption (where $q = q_k + 1$ and the adversary submits at most $q_k$ private key generation queries), for any leakage parameter $\lambda \leq 2\log p - l_m - \omega(\log \kappa)$, our construction $\Pi$ is a continuous leakage-resilient IBE scheme with CPA security.

Proof. The simulator $\mathcal{S}$ takes as input a random truncated decisional $q$-ABDHE challenge $\mathcal{T}_v = (g', g'_{q+2}, g, g_1, g_2, \ldots, g_q, T_v)$, where $g, g' \leftarrow_R G$, $g_i = g^{(\alpha^i)}$ and $g'_i = g'^{(\alpha^i)}$ for an unknown $\alpha \in \mathbb{Z}_p^*$, and $T_v$ is either $e(g_{q+1}, g')$ or a random element of $G_T$. That is, at the beginning, $\mathcal{S}$ receives a challenge tuple from the challenger $\mathcal{C}$ of the $q$-ABDHE problem. $\mathcal{S}$ simulates the leakage-resilient CPA security game for the adversary $\mathcal{A}$ as follows.

Setup. $\mathcal{S}$ generates a random polynomial $f(z) \in \mathbb{Z}_p[z]$ of degree $q$ and sets $h = g^{f(\alpha)}$. It sends the public parameters $\mathit{Params} = (g, g_1 = g^\alpha, h = g^{f(\alpha)}, \mathsf{Ext})$ to $\mathcal{A}$, where $\mathsf{Ext}: G \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ is an average-case strong randomness extractor. Let $\mathcal{ID} = \mathbb{Z}_p^*$ be the identity space and $\mathcal{M} = \{0,1\}^{l_m}$ the message space. The master secret key is implicitly set to $S_{msk} = \alpha$. Note that, since $\alpha$ is chosen uniformly at random, $h$ and $g_1$ are uniformly random, and these public parameters have a distribution identical to that in the actual construction. In other words, $\alpha$ is chosen by the challenger $\mathcal{C}$ from $\mathbb{Z}_p^*$ and is uniformly random from the simulator $\mathcal{S}$'s view.

Test stage 1. In this stage, the following two kinds of queries are submitted adaptively by $\mathcal{A}$; each query may depend on the previous queries and their responses.

Key generation queries. For a key generation query on any identity $id \in \mathcal{ID}$: if $id = \alpha$, $\mathcal{S}$ uses $\alpha$ to solve the truncated decisional $q$-ABDHE problem immediately; otherwise, let $F_{id}(z)$ denote the $(q-1)$-degree polynomial $\frac{f(z) - f(id)}{z - id}$. $\mathcal{S}$ outputs the private key $SK_{id} = (g^{F_{id}(\alpha)}, f(id))$. This is a valid private key for the identity $id$, since
$$g^{F_{id}(\alpha)} = g^{\frac{f(\alpha) - f(id)}{\alpha - id}} = \left(g^{f(\alpha)} g^{-f(id)}\right)^{\frac{1}{\alpha - id}} = \left(h\, g^{-f(id)}\right)^{\frac{1}{\alpha - id}}.$$

Leakage queries. For a leakage query on any identity $id \in \mathcal{ID}$, $\mathcal{S}$ operates the leakage oracle $\mathcal{O}^{\lambda,\kappa}_{SK_{id}}(\cdot)$ and returns the answer $f_i(SK_{id})$ using the private key $SK_{id}$, where $f_i: \{0,1\}^* \to \{0,1\}^{\lambda_i}$ is an efficiently computable leakage function submitted by $\mathcal{A}$, and $SK_{id}$ is created in the same way as for key generation queries. The total length of all $f_i(SK_{id})$ returned by the leakage oracle on the same private key $SK_{id}$ must be bounded by the leakage parameter $\lambda$; otherwise, the invalid answer $\bot$ is output.

Challenge stage. In this stage, $\mathcal{A}$ submits a challenge identity $id^* \in \mathcal{ID}$ and two equal-length challenge messages $M_0, M_1 \in \mathcal{M}$ to $\mathcal{S}$, where $id^*$ never appeared in a key generation query and appeared in leakage queries with at most $\lambda$ bits of leakage. If $id^* = \alpha$, $\mathcal{S}$ uses $\alpha$ to solve the truncated decisional $q$-ABDHE problem immediately. Otherwise, $\mathcal{S}$ computes $SK_{id^*} = (sk_{id^*,1}, sk_{id^*,2})$ as in the simulation of private key queries for $id^*$, and does the following:
Let $F'_{id^*}(z) = \frac{f'(z) - f'(id^*)}{z - id^*}$ be a polynomial of degree $q+1$, where $f'(z) = z^{q+2}$, and let $F'_{id^*,i}$ be the coefficient of $z^i$ in $F'_{id^*}(z)$.
Choose $b \leftarrow_R \{0,1\}$, and compute
$$c_1^* = (g')^{f'(\alpha) - f'(id^*)}, \qquad c_2^* = T_v \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\alpha^i}\right), \qquad c_3^* = \mathsf{Ext}\!\left(e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}, S^*\right) \oplus M_b,$$
where $S^* \leftarrow_R \{0,1\}^{l_t}$. That is, $\mathcal{S}$ computes the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ from $(g, g_1, g_2, \ldots, g_q)$ without knowledge of $\alpha$.
Send $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ to the adversary $\mathcal{A}$ as the challenge ciphertext.

We stress that, in the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$, the elements $c_1^*$ and $c_2^*$ can be written as follows:
$$c_1^* = (g')^{f'(\alpha) - f'(id^*)} = g^{(\log_g g')\, F'_{id^*}(\alpha)\,(\alpha - id^*)} = \left(g_1 g^{-id^*}\right)^{(\log_g g')\, F'_{id^*}(\alpha)},$$
$$c_2^* = T_v \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\alpha^i}\right) = e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\alpha^i}\right) e\!\left(g^{\alpha^{q+1}}, g'\right) = e\!\left(g^{\log_g g'}, g^{\sum_{i=0}^{q} F'_{id^*,i}\alpha^i + \alpha^{q+1}}\right) = e\!\left(g^{\log_g g'}, g^{\sum_{i=0}^{q+1} F'_{id^*,i}\alpha^i}\right) = e(g,g)^{(\log_g g')\, F'_{id^*}(\alpha)}.$$
For ease of exposition we let $r = (\log_g g')\, F'_{id^*}(\alpha)$.
Note that $\alpha$ and $g'$ are chosen by the challenger $\mathcal{C}$ from $\mathbb{Z}_p^*$ and $G$, respectively, i.e. $\alpha \leftarrow_R \mathbb{Z}_p^*$ and $g' \leftarrow_R G$. Thus, for any adversary, $\alpha$ and $\log_g g'$ are uniformly random, where $g$ is a generator of the group $G$. In other words, the random values $\alpha$ and $g'$ are passed from the challenger $\mathcal{C}$ to the simulator $\mathcal{S}$ through the $q$-ABDHE challenge, but no adversary can know $\alpha$ or $g'$. Hence, in the view of any adversary, $(\log_g g')\, F'_{id^*}(\alpha)$ is uniformly random. We now consider the following two cases.

If $T_v = e(g_{q+1}, g')$, then $c_1^* = g_1^{r} g^{-r \cdot id^*}$, $c_2^* = e(g,g)^r$ and $c_3^* = \mathsf{Ext}(e(g,h)^r, S^*) \oplus M_b$, since
$$c_1^* = \left(g_1 g^{-id^*}\right)^{(\log_g g')\, F'_{id^*}(\alpha)} = \left(g_1 g^{-id^*}\right)^{r} = g_1^{r} g^{-r \cdot id^*}; \qquad c_2^* = e(g,g)^{(\log_g g')\, F'_{id^*}(\alpha)} = e(g,g)^r.$$
By the correctness of our construction $\Pi$, we have
$$e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} = e\!\left(g_1^{r} g^{-r \cdot id^*}, (h\, g^{-f(id^*)})^{\frac{1}{\alpha - id^*}}\right) e(g,g)^{r f(id^*)} = e(g^r, h)\, e(g^r, g^{-f(id^*)})\, e(g,g)^{r f(id^*)} = e(g,h)^r.$$
Thus, the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ is a valid encryption of $M_b$ under $id^*$ with randomness $r = (\log_g g')\, F'_{id^*}(\alpha)$. Since $\alpha$ and $\log_g g'$ are uniformly random, $r$ is uniformly random, and so $C_b^*$ is a valid, appropriately distributed challenge ciphertext.

If $T_v \leftarrow_R G_T$, then $(c_1^*, c_2^*)$ is a uniformly random and independent element of $G \times G_T$. In this case, the inequality $c_2^* \neq e(c_1^*, g)^{\frac{1}{\alpha - id^*}}$ holds with probability $1 - \frac{1}{p}$. When this inequality holds, the value
$$e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}} = e\!\left(c_1^*, (h\, g^{-f(id^*)})^{\frac{1}{\alpha - id^*}}\right) (c_2^*)^{f(id^*)}$$
is uniformly random and independent from $\mathcal{A}$'s view, since $f(id^*)$ is uniformly random and independent from $\mathcal{A}$'s view. Thus, $c_3^*$ is uniformly random and independent, and $C_b^* = (c_1^*, c_2^*, c_3^*, S^*)$ conveys no information about the bit $b$.

Test stage 2. In this stage, the simulator $\mathcal{S}$ computes the complete private key of any identity (except the challenge identity $id^*$) as in Test stage 1. Leakage queries on any identity are not allowed in this stage.

Output. Eventually, $\mathcal{A}$ outputs a guess $b'$ of the random bit $b$ picked by $\mathcal{S}$.
It is easy to see that the simulation is perfect and $C_b^*$ is a valid encryption of the message $M_b$ if $T_v = e(g_{q+1}, g')$. On the other hand, if $T_v \leftarrow_R G_T$, then $C_b^*$ is uniformly random in $\mathcal{A}$'s view and gives no information about the random bit $b$ picked by $\mathcal{S}$, except with probability $\frac{1}{p}$. Assuming that no queried identity equals $\alpha$, we obtain
$$\Pr[\mathcal{S}(\mathcal{T}_0) = 1] - \tfrac{1}{2} \leq \tfrac{1}{p},$$
where $\mathcal{T}_0$ contains $T_0 \leftarrow_R G_T$, whereas
$$\Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \tfrac{1}{2} \geq \mathsf{Adv}^{\mathrm{LR\text{-}CPA}}_{\mathcal{A},\Pi}(\kappa),$$
where $\mathcal{T}_1$ contains $T_1 = e(g_{q+1}, g')$. Consequently, if there exists an adversary $\mathcal{A}$ who breaks the leakage-resilient CPA security of our construction $\Pi$ with non-negligible advantage $\mathsf{Adv}^{\mathrm{LR\text{-}CPA}}_{\mathcal{A},\Pi}(\kappa)$, then we can build a simulator $\mathcal{S}$ who breaks the $q$-ABDHE assumption with advantage
$$\mathsf{Adv}^{q\text{-ABDHE}}_{\mathcal{S}}(\kappa) = \left| \Pr[\mathcal{S}(\mathcal{T}_1) = 1] - \Pr[\mathcal{S}(\mathcal{T}_0) = 1] \right| \geq \mathsf{Adv}^{\mathrm{LR\text{-}CPA}}_{\mathcal{A},\Pi}(\kappa) - \tfrac{1}{p}.$$
That is, the advantage of $\mathcal{S}$ in breaking the decisional truncated $q$-ABDHE assumption is negligibly close to the advantage of $\mathcal{A}$ in the leakage-resilient CPA security game.

In the continuous leakage setting, the adversary cannot obtain any information on $SK_{id^*}$ from the public parameters $\mathit{Params}$, the challenge plaintexts $M_0, M_1$ and the challenge identity $id^*$. Besides this knowledge, the adversary also obtains at most $\lambda$ bits of leakage $\mathsf{Leak}$ on the private key $SK_{id^*}$. By Lemma 2.1, we obtain
$$\tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2} \mid C_b^*, \mathsf{Leak}) = \tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2} \mid \mathsf{Leak}) \geq 2\log p - \lambda,$$
where $sk_{id^*,1} \leftarrow_R G$ and $sk_{id^*,2} \leftarrow_R \mathbb{Z}_p^*$. In practice, given the public parameters $\mathit{Params}$, the challenge identity $id^*$, the challenge plaintexts $M_0, M_1$, the challenge ciphertext $C_b^*$ and $\lambda$ bits of leakage on the private key $SK_{id^*}$, the average min-entropy of the variable $e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}$ is at least $2\log p - \lambda$. In addition, $\mathsf{Ext}: G \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$ is an average-case $(\log p - \lambda, \epsilon)$-strong randomness extractor. Therefore, the average min-entropy of $e(c_1^*, sk_{id^*,1}) \cdot (c_2^*)^{sk_{id^*,2}}$ satisfies the requirement of the randomness extractor $\mathsf{Ext}: G \times \{0,1\}^{l_t} \to \{0,1\}^{l_m}$.
By the generalized leftover hash lemma (Lemma 2.3), we have $l_m \le 2\log p - \lambda - 2\log(\frac{1}{\epsilon})$. Taking into account that $\epsilon$ is negligible in the security parameter $\kappa$, i.e. $2\log(\frac{1}{\epsilon}) = \omega(\log\kappa)$, we have $\lambda \le 2\log p - l_m - \omega(\log\kappa)$. To sum up, based on the randomness of the key update algorithm, for any leakage parameter $\lambda \le 2\log p - l_m - \omega(\log\kappa)$, our construction $\Pi$ is a continuous leakage-resilient CPA-secure IBE scheme. □

5. CONTINUOUS LEAKAGE-RESILIENT IBE SCHEME WITH CCA SECURITY

Our construction $\Pi$ only achieves continuous leakage-resilient CPA security. In this section, to improve the security level of the continuous leakage-resilient IBE scheme, we develop a continuous leakage-resilient CCA-secure IBE scheme $\Pi' = (\mathsf{Setup}', \mathsf{KeyGen}', \mathsf{Update}', \mathsf{Enc}', \mathsf{Dec}')$ in the standard model. As in $\Pi$, the adversary is only allowed to make leakage queries on the private key of an identity, not on the master secret key or the update key.

5.1. Concrete construction

Setup. The setup algorithm $(Params, S_{msk}) \leftarrow \mathsf{Setup}'(1^\kappa)$ is described as follows: Run the algorithm $\mathcal{G}(1^\kappa)$ to obtain $\mathbb{G} = (p, \mathbb{G}, \mathbb{G}_T, e(\cdot,\cdot), g)$. Choose $\alpha \leftarrow_R \mathbb{Z}_p^*$ and $h_1, h_2 \leftarrow_R \mathbb{G}$, and then compute $g_1 = g^\alpha$. Let the master secret key be $S_{msk} = \alpha$, and set the public parameters $Params = (g, g_1, h_1, h_2, H)$ as the common input of the following algorithms, where $H: \mathbb{G} \times \mathbb{G}_T \times \mathbb{G}_T \times \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ is a one-way cryptographic hash function. In addition, let the identity space be $\mathcal{ID} = \mathbb{Z}_p^*$ and the message space be $\mathcal{M} = \mathbb{G}_T$.

Key generation. The key generation algorithm $(SK_{id}, tk_{id}) \leftarrow \mathsf{KeyGen}'(id, S_{msk})$ is described as follows:
– Choose $t_1, t_2 \leftarrow_R \mathbb{Z}_p^*$, and compute $sk_{id,1} = (h_1 g^{-t_1})^{\frac{1}{\alpha - id}}$, $sk_{id,2} = t_1$, $sk_{id,3} = (h_2 g^{-t_2})^{\frac{1}{\alpha - id}}$ and $sk_{id,4} = t_2$.
– Output the private key $SK_{id} = (sk_{id,1}, sk_{id,2}, sk_{id,3}, sk_{id,4})$ associated with the identity $id$. In addition, return an update key $tk_{id} = g^{\frac{1}{\alpha - id}}$, which is used in the key update algorithm. We stress that if $\alpha = id$, the key generation algorithm aborts.

Key update.
The key update algorithm $SK_{id}^{j} \leftarrow \mathsf{Update}'(SK_{id}^{j-1}, tk_{id})$ is described as follows: Choose $a_j, b_j \leftarrow_R \mathbb{Z}_p^*$, and compute
$$sk_{id,1}^{j} = sk_{id,1}^{j-1}\, tk_{id}^{-a_j},\quad sk_{id,2}^{j} = sk_{id,2}^{j-1} + a_j,\quad sk_{id,3}^{j} = sk_{id,3}^{j-1}\, tk_{id}^{-b_j},\quad sk_{id,4}^{j} = sk_{id,4}^{j-1} + b_j.$$
Then, for any update index $j \in \mathbb{Z}_p^*$, we have
$$sk_{id,1}^{j} = \left(h_1 g^{-(t_1 + \sum_{i=1}^{j} a_i)}\right)^{\frac{1}{\alpha - id}},\quad sk_{id,2}^{j} = t_1 + \sum_{i=1}^{j} a_i,\quad sk_{id,3}^{j} = \left(h_2 g^{-(t_2 + \sum_{i=1}^{j} b_i)}\right)^{\frac{1}{\alpha - id}},\quad sk_{id,4}^{j} = t_2 + \sum_{i=1}^{j} b_i.$$
Output the new private key $SK_{id}^{j} = (sk_{id,1}^{j}, sk_{id,2}^{j}, sk_{id,3}^{j}, sk_{id,4}^{j})$ associated with the identity $id$. Also, for any adversary, we have $\mathsf{SD}(SK_{id}^{j}, SK_{id}^{j-1}) \le \mathsf{negl}(\kappa)$, since $a_j$ and $b_j$ are uniformly random and independent from the adversary's view.

Encryption. The encryption algorithm $C \leftarrow \mathsf{Enc}'(id, M)$ is described as follows: Choose $r \leftarrow_R \mathbb{Z}_p^*$, and compute $c_1 = g_1^r g^{-r\cdot id}$ and $c_2 = e(g,g)^r$. Choose $s \leftarrow_R \mathbb{Z}_p^*$, and compute $c_3 = e(g,h_1)^{rs}\, e(g,h_2)^r\, M$. Compute $c_4 = e(g,h_1)^r\, e(g,h_2)^{r\beta}$, where $\beta = H(c_1, c_2, c_3, s)$. Set $C = (c_1, c_2, c_3, c_4, s)$ as the ciphertext of $M$, and output $C$. Notice that, in this construction, the randomness extraction is implemented by a special universal hash function $H_s(x, y) = x y^s$ used as an average-case strong extractor, where $s \in \mathbb{Z}_p^*$, $x = e(g,h_2)^r$ and $y = e(g,h_1)^r$. Similarly, the element $c_4$ in $C = (c_1, c_2, c_3, c_4, s)$ is created by the universal hash function $H_\beta(y, x) = y x^\beta$, where $\beta \in \mathbb{Z}_p^*$.

Decryption. The decryption algorithm $M \leftarrow \mathsf{Dec}'(SK_{id}, C)$ is described as follows: Compute
$$\omega_1 = e(c_1, sk_{id,1})\, c_2^{sk_{id,2}}\qquad\text{and}\qquad \omega_2 = e(c_1, sk_{id,3})\, c_2^{sk_{id,4}}.$$
If $c_4 = \omega_1 \omega_2^{\beta}$, where $\beta = H(c_1, c_2, c_3, s)$, then output $M = (\omega_1^{s}\omega_2)^{-1} c_3$ as the plaintext of $C$; otherwise, return the symbol $\bot$.

Correctness. From the following equations, it is easy to see that the decryption algorithm is consistent with the encryption algorithm.
$$\omega_1 = e(c_1, sk_{id,1})\, c_2^{sk_{id,2}} = e\!\left(g_1^r g^{-r\cdot id}, (h_1 g^{-t_1})^{\frac{1}{\alpha - id}}\right) e(g,g)^{r t_1} = e(g^r, h_1)\, e(g^r, g^{-t_1})\, e(g,g)^{r t_1} = e(g,h_1)^r,$$
$$\omega_2 = e(c_1, sk_{id,3})\, c_2^{sk_{id,4}} = e\!\left(g_1^r g^{-r\cdot id}, (h_2 g^{-t_2})^{\frac{1}{\alpha - id}}\right) e(g,g)^{r t_2} = e(g^r, h_2)\, e(g^r, g^{-t_2})\, e(g,g)^{r t_2} = e(g,h_2)^r.$$
In addition, for the updated private key $SK_{id}^{j} = (sk_{id,1}^{j}, sk_{id,2}^{j}, sk_{id,3}^{j}, sk_{id,4}^{j})$, we have
$$\omega_1 = e(c_1, sk_{id,1}^{j})\, c_2^{sk_{id,2}^{j}} = e\!\left(g_1^r g^{-r\cdot id}, \left(h_1 g^{-(t_1 + \sum_{i=1}^{j} a_i)}\right)^{\frac{1}{\alpha - id}}\right) e(g,g)^{r(t_1 + \sum_{i=1}^{j} a_i)} = e(g,h_1)^r,$$
$$\omega_2 = e(c_1, sk_{id,3}^{j})\, c_2^{sk_{id,4}^{j}} = e\!\left(g_1^r g^{-r\cdot id}, \left(h_2 g^{-(t_2 + \sum_{i=1}^{j} b_i)}\right)^{\frac{1}{\alpha - id}}\right) e(g,g)^{r(t_2 + \sum_{i=1}^{j} b_i)} = e(g,h_2)^r.$$

5.2. Proof of security

As in Section 4, we only prove the bounded leakage-resilient CCA security of our proposal $\Pi'$; the continuous leakage-resilient CCA security is then achieved by performing the key update operation.

Theorem 5.1. Under the $q$-ABDHE assumption (where $q = q_k + 1$ and any adversary submits at most $q_k$ private key generation queries), for any leakage parameter $\lambda \le 3\log p - \omega(\log\kappa)$, our construction $\Pi'$ is a continuous leakage-resilient IBE scheme with CCA security.

Proof. The simulator $\mathcal{S}$ takes as input a random truncated decision $q$-ABDHE challenge $(g', g'_{q+2}, g, g_1, g_2, \ldots, g_q, T_v)$, where $g_i = g^{(\alpha^i)}$ and $g'_i = g'^{(\alpha^i)}$ for an unknown $\alpha \in \mathbb{Z}_p^*$, and $T_v$ is either $e(g_{q+1}, g')$ or a random element of $\mathbb{G}_T$. That is, at the beginning, $\mathcal{S}$ receives a challenge tuple from the challenger $\mathcal{C}$ of the $q$-ABDHE problem. $\mathcal{S}$ simulates the leakage-resilient CCA security game for the adversary $\mathcal{A}$ as follows:

Setup. To set up the system environment of our IBE scheme $\Pi'$, $\mathcal{S}$ does the following: Generates two random polynomials $f_1(z), f_2(z) \in \mathbb{Z}_p[z]$ of degree $q$, and sets $h_1 = g^{f_1(\alpha)}$ and $h_2 = g^{f_2(\alpha)}$. Sends the public parameters $Params = (g, g_1 = g^\alpha, h_1 = g^{f_1(\alpha)}, h_2 = g^{f_2(\alpha)}, H)$ to $\mathcal{A}$, where $H: \mathbb{G} \times \mathbb{G}_T \times \mathbb{G}_T \times \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ is a one-way cryptographic hash function. Let $\mathcal{ID} = \mathbb{Z}_p^*$ be the identity space and $\mathcal{M} = \mathbb{G}_T$ the message space. The master secret key is implicitly set as $S_{msk} = \alpha$. Notice that, since $\alpha$ is chosen uniformly at random, $h_1, h_2$ and $g_1$ are uniformly random, and these public parameters have a distribution identical to that in the actual construction.

Test stage 1.
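The algebra of Section 5.1 (key generation, key update, encryption, decryption and the correctness equations above) can be checked in the exponent: every element of $\mathbb{G}$ is written as its discrete log base $g$ and every element of $\mathbb{G}_T$ as its log base $e(g,g)$, so a pairing becomes a product of logs and a group multiplication becomes a sum. The following added example is not code from the paper; it is a constructed exponent-space model with a toy 61-bit prime as the group order and SHA-256 reduced modulo $p$ standing in for the hash $H$ (both assumptions). It shows that an updated key decrypts exactly like the original, that every component of the key changes on update, and that the $c_4$ check rejects a ciphertext decrypted under the wrong identity or with a modified $c_3$.

```python
"""Exponent-space model of the CCA scheme Pi' of Section 5.1 (added example).

Elements of G are represented by their discrete log base g, elements of G_T by
their log base e(g, g).  Then e(g^a, g^b) = e(g, g)^{ab} is a product of logs,
group multiplication is addition of logs and exponentiation is multiplication
by the exponent.  This models the algebra only: a real implementation needs an
actual pairing group and hashes serialized group elements, not their logs.
"""
import hashlib
import secrets

P = (1 << 61) - 1  # constructed toy group order (prime); real schemes use ~256-bit p


def rand_zp_star():
    """Sample uniformly from Z_p^* (never zero)."""
    return 1 + secrets.randbelow(P - 1)


def hash_to_zp_star(c1, c2, c3, s):
    """Stand-in for H: G x G_T x G_T x Z_p^* -> Z_p^* (assumption: SHA-256 mod p)."""
    data = b"".join(v.to_bytes(32, "big") for v in (c1, c2, c3, s))
    beta = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    return beta or 1  # a zero output (negligible probability) is mapped into Z_p^*


def setup():
    """Setup': master secret alpha; public g1 = g^alpha, h1, h2 as logs base g."""
    alpha = rand_zp_star()
    params = {"g1": alpha, "h1": rand_zp_star(), "h2": rand_zp_star()}
    return params, alpha


def keygen(params, alpha, ident):
    """KeyGen': returns SK_id = (sk1, sk2, sk3, sk4) and the update key tk_id."""
    if ident == alpha:
        raise ValueError("alpha == id: key generation aborts")
    inv = pow((alpha - ident) % P, -1, P)          # 1 / (alpha - id)
    t1, t2 = rand_zp_star(), rand_zp_star()
    sk1 = (params["h1"] - t1) * inv % P            # (h1 g^{-t1})^{1/(alpha-id)}
    sk3 = (params["h2"] - t2) * inv % P            # (h2 g^{-t2})^{1/(alpha-id)}
    return (sk1, t1, sk3, t2), inv                  # tk_id = g^{1/(alpha-id)}


def update(sk, tk):
    """Update': re-randomise all four components with fresh a_j, b_j."""
    sk1, sk2, sk3, sk4 = sk
    a, b = rand_zp_star(), rand_zp_star()
    return ((sk1 - a * tk) % P, (sk2 + a) % P, (sk3 - b * tk) % P, (sk4 + b) % P)


def encrypt(params, ident, msg):
    """Enc': msg is an element of G_T given as its log base e(g, g)."""
    r, s = rand_zp_star(), rand_zp_star()
    c1 = r * (params["g1"] - ident) % P            # g1^r g^{-r id}
    c2 = r                                          # e(g, g)^r
    y = r * params["h1"] % P                        # e(g, h1)^r
    x = r * params["h2"] % P                        # e(g, h2)^r
    c3 = (s * y + x + msg) % P                      # H_s(x, y) M = y^s x M
    beta = hash_to_zp_star(c1, c2, c3, s)
    c4 = (y + beta * x) % P                         # H_beta(y, x) = y x^beta
    return (c1, c2, c3, c4, s)


def decrypt(sk, ct):
    """Dec': returns the message log, or None for the reject symbol."""
    sk1, sk2, sk3, sk4 = sk
    c1, c2, c3, c4, s = ct
    w1 = (c1 * sk1 + c2 * sk2) % P                  # e(c1, sk1) c2^{sk2}
    w2 = (c1 * sk3 + c2 * sk4) % P                  # e(c1, sk3) c2^{sk4}
    beta = hash_to_zp_star(c1, c2, c3, s)
    if c4 != (w1 + beta * w2) % P:                  # c4 == w1 * w2^beta ?
        return None
    return (c3 - (s * w1 + w2)) % P                 # (w1^s w2)^{-1} c3


def demo(updates=3):
    """Round trip with the original and updated keys, plus two rejections."""
    params, alpha = setup()
    ident, other = 12345, 67890                     # constructed identities in Z_p^*
    sk, tk = keygen(params, alpha, ident)
    sk_other, _ = keygen(params, alpha, other)
    msg = rand_zp_star()
    ct = encrypt(params, ident, msg)
    results = {"orig": decrypt(sk, ct) == msg, "rerandomised": True}
    for _ in range(updates):
        new_sk = update(sk, tk)
        results["rerandomised"] &= all(n != o for n, o in zip(new_sk, sk))
        sk = new_sk
    results["updated"] = decrypt(sk, ct) == msg
    results["wrong_id"] = decrypt(sk_other, ct)                        # None
    c1, c2, c3, c4, s = ct
    results["tampered"] = decrypt(sk, (c1, c2, (c3 + 1) % P, c4, s))   # None
    return results
```

Running `demo()` exercises exactly the identities $\omega_1 = e(g,h_1)^r$ and $\omega_2 = e(g,h_2)^r$ from the correctness paragraph: after each update the $a_j$ term cancels between $sk_{id,1}^{j}$ and $sk_{id,2}^{j}$, which is why the re-randomised key still passes the $c_4$ check and recovers $M$.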
In this stage, the following three kinds of queries are adaptively submitted by $\mathcal{A}$; each query may depend on the previous queries and the corresponding responses.

Key generation queries. For a key generation query on any identity $id \in \mathcal{ID}$: if $id = \alpha$, $\mathcal{S}$ uses $\alpha$ to solve the truncated decision $q$-ABDHE problem immediately; otherwise, let $F^{1}_{id}(z)$ and $F^{2}_{id}(z)$ denote the two $(q-1)$-degree polynomials $\frac{f_1(z) - f_1(id)}{z - id}$ and $\frac{f_2(z) - f_2(id)}{z - id}$. $\mathcal{S}$ outputs the private key $SK_{id} = (g^{F^{1}_{id}(\alpha)}, f_1(id), g^{F^{2}_{id}(\alpha)}, f_2(id))$. This is a valid private key for the identity $id$, since
$$g^{F^{1}_{id}(\alpha)} = g^{\frac{f_1(\alpha) - f_1(id)}{\alpha - id}} = \left(g^{f_1(\alpha)} g^{-f_1(id)}\right)^{\frac{1}{\alpha - id}} = (h_1 g^{-f_1(id)})^{\frac{1}{\alpha - id}},\qquad g^{F^{2}_{id}(\alpha)} = g^{\frac{f_2(\alpha) - f_2(id)}{\alpha - id}} = \left(g^{f_2(\alpha)} g^{-f_2(id)}\right)^{\frac{1}{\alpha - id}} = (h_2 g^{-f_2(id)})^{\frac{1}{\alpha - id}}.$$

Leakage queries. For a leakage query on any identity $id \in \mathcal{ID}$, $\mathcal{S}$ operates the leakage oracle $\mathcal{O}^{\lambda,k}_{SK_{id}}(\cdot)$ and returns the corresponding answer $f_i(SK_{id})$ using the private key $SK_{id}$, where $f_i: \{0,1\}^* \to \{0,1\}^{\lambda_i}$ is an efficiently computable leakage function submitted by the adversary $\mathcal{A}$. Over the whole sequence of leakage queries, the total length of the values $f_i(SK_{id})$ returned by the leakage oracle $\mathcal{O}^{\lambda,k}_{SK_{id}}(\cdot)$ on the same private key $SK_{id}$ must be less than the leakage parameter $\lambda$; otherwise, the invalid answer $\bot$ is output. Notice that, in a leakage query, the private key $SK_{id}$ of an identity $id$ is created with the same method as in the key generation query.

Decryption queries. When the adversary $\mathcal{A}$ makes a decryption query for a ciphertext $C$ and an identity $id$, $\mathcal{S}$ returns $\mathsf{Dec}'(SK_{id}, C)$ to $\mathcal{A}$, where the private key $SK_{id}$ is created with the same method as in the key generation queries. That is, for a decryption query on the tuple $(C, id)$, the simulator $\mathcal{S}$ outputs the result $M/\bot = \mathsf{Dec}'(SK_{id}, C)$ by running the decryption algorithm $\mathsf{Dec}'(\cdot)$.

Challenge stage.
In this stage, $\mathcal{A}$ submits a challenge identity $id^* \in \mathcal{ID}$ and two equal-length challenge messages $M_0, M_1 \in \mathcal{M}$ to $\mathcal{S}$, where $id^*$ never appeared in a key generation query and appeared in leakage queries with at most $\lambda$ bits of leakage. If $id^* = \alpha$, $\mathcal{S}$ uses $\alpha$ to solve the truncated decision $q$-ABDHE problem immediately. Otherwise, $\mathcal{S}$ computes $SK_{id^*} = (sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4})$ as in the simulation of private key queries for $id^*$, and does the following:

Let $F'_{id^*}(z) = \frac{f'(z) - f'(id^*)}{z - id^*}$ be a polynomial of degree $q+1$, where $f'(z) = z^{q+2}$. Furthermore, let $F'_{id^*,i}$ be the coefficient of $z^i$ in $F'_{id^*}(z)$. Choose $b \leftarrow_R \{0,1\}$, and compute
$$c_1^* = (g')^{f'(\alpha) - f'(id^*)},\qquad c_2^* = T_v \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\alpha^i}\right),$$
$$c_3^* = \left(e(c_1^*, sk_{id^*,1})\,(c_2^*)^{sk_{id^*,2}}\right)^{s^*} e(c_1^*, sk_{id^*,3})\,(c_2^*)^{sk_{id^*,4}}\, M_b,\qquad c_4^* = e(c_1^*, sk_{id^*,1})\,(c_2^*)^{sk_{id^*,2}} \left(e(c_1^*, sk_{id^*,3})\,(c_2^*)^{sk_{id^*,4}}\right)^{\beta^*},$$
where $s^* \leftarrow_R \mathbb{Z}_p^*$ and $\beta^* = H(c_1^*, c_2^*, c_3^*, s^*)$. That is, $\mathcal{S}$ computes the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ from $(g, g_1, g_2, \ldots, g_q)$ without knowledge of $\alpha$. Send $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ to the adversary $\mathcal{A}$ as the challenge ciphertext. Now, let $r = (\log_g g')\,F'_{id^*}(\alpha)$, and consider the following two cases:

If $T_v = e(g_{q+1}, g')$, then $c_1^* = g_1^r g^{-r\cdot id^*}$, $c_2^* = e(g,g)^r$, $c_3^* = e(g,h_1)^{r s^*} e(g,h_2)^r M_b$ and $c_4^* = e(g,h_1)^r e(g,h_2)^{r\beta^*}$, since
$$c_1^* = (g')^{f'(\alpha) - f'(id^*)} = g_1^r g^{-r\cdot id^*};\qquad c_2^* = T_v \cdot e\!\left(g', \prod_{i=0}^{q} g^{F'_{id^*,i}\alpha^i}\right) = e(g,g)^{(\log_g g')F'_{id^*}(\alpha)} = e(g,g)^r.$$
In addition, based on the correctness of our construction $\Pi'$, the following equations hold:
$$e(c_1^*, sk_{id^*,1})\,(c_2^*)^{sk_{id^*,2}} = e(g,h_1)^r;\qquad e(c_1^*, sk_{id^*,3})\,(c_2^*)^{sk_{id^*,4}} = e(g,h_2)^r.$$
Thus, the challenge ciphertext $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ is a valid encryption of $M_b$ under $id^*$ with randomness $r = (\log_g g')\,F'_{id^*}(\alpha)$. As before, $r$ is uniformly random and independent from the adversary's view.

If $T_v \leftarrow_R \mathbb{G}_T$, then $(c_1^*, c_2^*)$ is a uniformly random and independent element of $\mathbb{G} \times \mathbb{G}_T$. By the argument of Theorem 4.1, $c_3^*$ and $c_4^*$ are uniformly random and independent; thus, $C_b^* = (c_1^*, c_2^*, c_3^*, c_4^*, s^*)$ imparts no information about the bit $b$.

Test stage 2.
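Both the key generation queries and the challenge stage rest on one polynomial fact: $f(z) - f(id)$ is divisible by $(z - id)$, so the simulator can form $g^{F_{id}(\alpha)}$ from the public $g_i = g^{\alpha^i}$ and the coefficients of the quotient without ever knowing $\alpha$, and for $f'(z) = z^{q+2}$ the quotient $F'_{id^*}$ is monic of degree $q+1$, which is exactly why the $g_{q+1}$ term has to come from $T_v$. The following added example (not the paper's code; constructed toy prime, random polynomials and identities are assumptions) performs that synthetic division in exponent space and checks the simulated key against the exponent a real $\mathsf{KeyGen}'$ would compute with $\alpha$, and checks that assembling $c_2^*$ from $T_v = e(g_{q+1}, g')$ and the lower-degree part gives $e(g,g)^r$ with $r = (\log_g g')F'_{id^*}(\alpha)$.

```python
"""Simulator polynomial arithmetic for the proof of Theorem 5.1 (added example).

Exponent-space only: g^{F_id(alpha)} is represented by F_id(alpha) mod p and
e(g, g)^x by x mod p.  Coefficient lists are little-endian: coeffs[i] is the
coefficient of z^i.
"""
import secrets

P = (1 << 61) - 1  # constructed toy prime; all polynomials live in Z_p[z]


def poly_eval(coeffs, x):
    """Horner evaluation of sum_i coeffs[i] x^i mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def divide_by_linear(coeffs, ident):
    """Synthetic division of f(z) by (z - id).

    Returns (quotient, remainder).  Since f(z) - f(id) vanishes at z = id, the
    quotient is exactly F_id(z) = (f(z) - f(id)) / (z - id) and the remainder
    equals f(id); the caller can use the remainder as the second key component.
    """
    n = len(coeffs) - 1                     # degree of f
    quot = [0] * n
    quot[n - 1] = coeffs[n] % P
    for i in range(n - 1, 0, -1):
        quot[i - 1] = (coeffs[i] + ident * quot[i]) % P
    remainder = (coeffs[0] + ident * quot[0]) % P
    return quot, remainder


def simulate_key_query(f_coeffs, alpha, ident):
    """S's answer (F_id(alpha), f(id)) versus the exponent a real KeyGen' computes.

    S only needs the quotient coefficients and g_0..g_{q-1}; alpha appears here
    solely to evaluate the exponent for the comparison.
    """
    quot, f_id = divide_by_linear(f_coeffs, ident)
    simulated_sk1 = poly_eval(quot, alpha)                     # prod_i g_i^{F_{id,i}}
    real_sk1 = ((poly_eval(f_coeffs, alpha) - f_id)            # (h g^{-f(id)})^{1/(alpha-id)}
                * pow((alpha - ident) % P, -1, P)) % P
    return simulated_sk1, f_id, real_sk1


def challenge_polynomial(q, ident):
    """F'_{id*}(z) = (z^{q+2} - id*^{q+2}) / (z - id*): monic of degree q+1."""
    f_prime = [0] * (q + 2) + [1]                              # z^{q+2}
    quot, _ = divide_by_linear(f_prime, ident)
    return quot


def challenge_c2(q, ident, alpha, log_gprime):
    """log of c2* assembled as T_v * e(g', prod_{i<=q} g_i^{F'_i}) with T_v = e(g_{q+1}, g').

    Returns (assembled value, e(g,g)^r with r = log(g') * F'(alpha)); they agree
    in the real-ciphertext case because the omitted top coefficient is 1.
    """
    coeffs = challenge_polynomial(q, ident)
    low = poly_eval(coeffs[: q + 1], alpha)                    # sum_{i<=q} F'_i alpha^i
    t_v = pow(alpha, q + 1, P) * log_gprime % P                # log e(g_{q+1}, g')
    assembled = (t_v + log_gprime * low) % P
    r = log_gprime * poly_eval(coeffs, alpha) % P
    return assembled, r


def demo(q=4, ident=4242):
    """Random instance: q-degree f_1, unknown alpha, random g'."""
    alpha = 1 + secrets.randbelow(P - 1)
    log_gprime = 1 + secrets.randbelow(P - 1)
    f1 = [secrets.randbelow(P) for _ in range(q)] + [1 + secrets.randbelow(P - 1)]
    sim_sk1, f_id, real_sk1 = simulate_key_query(f1, alpha, ident)
    coeffs = challenge_polynomial(q, ident)
    assembled, r = challenge_c2(q, ident, alpha, log_gprime)
    return {
        "key_matches": sim_sk1 == real_sk1,
        "second_component": f_id == poly_eval(f1, ident),
        "challenge_degree": len(coeffs) - 1,                   # q + 1
        "challenge_monic": coeffs[-1] == 1,
        "c2_matches": assembled == r,
    }
```

The quotient of a degree-$q$ polynomial has degree $q-1$, so a key query needs only $g_0, \ldots, g_{q-1}$, while the challenge quotient of $z^{q+2}$ has degree $q+1$: the coefficients up to $\alpha^q$ are paired against the public $g_i$, and the missing $e(g', g_{q+1})$ factor is precisely $T_v$, which is what makes the two cases of the proof differ.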
In this stage, $\mathcal{A}$ may continue to make decryption queries, and these are answered as before. Notice that, in this stage, $\mathcal{A}$ may not query the decryption oracle on the challenge ciphertext itself, and cannot make a key generation query for the challenge identity. In addition, leakage queries for any identity are omitted. We stress that, for a decryption query on the challenge identity $id^*$ and any ciphertext $C' \neq C_b^*$, $\mathcal{S}$ returns the result $M'/\bot = \mathsf{Dec}'(SK_{id^*}, C')$ by running the decryption algorithm $\mathsf{Dec}'$ with the private key $SK_{id^*}$, which is generated by the same method as in the key generation query.

Output. Eventually, $\mathcal{A}$ outputs a guess $b'$ of the random bit $b$ picked by $\mathcal{S}$.

It is easy to see that the simulation is perfect, and $C_b^*$ is a valid encryption of the message $M_b$ if $T_v = e(g_{q+1}, g')$. On the other hand, if $T_v \leftarrow_R \mathbb{G}_T$, then $C_b^*$ is a uniformly random message in $\mathcal{A}$'s view and gives no information about the random bit $b$ picked by $\mathcal{S}$. By the argument of Theorem 4.1, if there exists an adversary $\mathcal{A}$ who breaks the leakage-resilient CCA security of our construction $\Pi'$ with a non-negligible advantage $\mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\mathcal{A},\Pi'}(\kappa)$, then we can build a simulator $\mathcal{S}$ who breaks the $q$-ABDHE assumption with advantage
$$\mathsf{Adv}^{q\text{-}\mathrm{ABDHE}}_{\mathcal{S}}(\kappa) = \left|\Pr[\mathcal{S}(T_1) = 1] - \Pr[\mathcal{S}(T_0) = 1]\right| \ge \mathsf{Adv}^{\mathrm{LR\text{-}CCA}}_{\mathcal{A},\Pi'}(\kappa) - \tfrac{1}{p}.$$
By Theorem 4.1, we obtain
$$\tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4} \mid C_b^*, \mathsf{Leak}) = \tilde{H}_\infty(sk_{id^*,1}, sk_{id^*,2}, sk_{id^*,3}, sk_{id^*,4} \mid \mathsf{Leak}) \ge 4\log p - \lambda,$$
where, from the adversary $\mathcal{A}$'s view, $sk_{id^*,1} \leftarrow_R \mathbb{G}$, $sk_{id^*,2} \leftarrow_R \mathbb{Z}_p^*$, $sk_{id^*,3} \leftarrow_R \mathbb{G}$ and $sk_{id^*,4} \leftarrow_R \mathbb{Z}_p^*$. Because the randomness extraction is performed by a special universal hash function, the generalized leftover hash lemma (Lemma 2.3) gives $\log p \le 4\log p - \lambda - 2\log(\frac{1}{\epsilon})$, where $\epsilon$ is negligible in the security parameter $\kappa$, i.e. $2\log(\frac{1}{\epsilon}) = \omega(\log\kappa)$; thus, we have $\lambda \le 3\log p - \omega(\log\kappa)$.
As discussed above, based on the randomness of the key update algorithm, for any leakage parameter $\lambda \le 3\log p - \omega(\log\kappa)$, our construction $\Pi'$ is a continuous leakage-resilient CCA-secure IBE scheme. □

5.3. Comparisons

In this part, we give two comparisons of our constructions with the previous works [4, 5] in basic performance and computational efficiency. The basic performance is determined by the private key length (SKLen), ciphertext length (CLen), leakage model (LModel), security, and the upper bound $U_\lambda$ on the bit-size of allowed leakage, which are listed in Table 1. The computational efficiency is determined by the computational costs of the algorithms $\mathsf{KeyGen}$, $\mathsf{Enc}$ and $\mathsf{Dec}$, which are listed in Table 2. For presentation simplicity, we call the (continuous) leakage-resilient IBE schemes proposed in [4, 5, 19] 'LR-IBE-Li', 'LR-IBE-Sun' and 'CLR-IBE-Zhou', respectively.

TABLE 1. Comparison of basic parameters with previous works.

Scheme | SKLen | CLen | Assumption | LModel | $U_\lambda$ | Security
LR-IBE-Li | $2\lvert\mathbb{G}\rvert + 2\lvert p\rvert$ | $\lvert\mathbb{G}\rvert + 2\lvert\mathbb{G}_T\rvert + l_m + l_t$ | q-ABDHE | BLM | $\log p - l_m - \omega(\log\kappa)$ | CCA
LR-IBE-Sun | $3\lvert\mathbb{G}\rvert + 3\lvert p\rvert$ | $2\lvert\mathbb{G}\rvert + 2\lvert\mathbb{G}_T\rvert + \lvert p\rvert$ | q-ABDHE | BLM | $\log p - \omega(\log\kappa)$ | CCA
CLR-IBE-Zhou | $2\lvert\mathbb{G}\rvert + 2\lvert p\rvert$ | $2\lvert\mathbb{G}\rvert + 2\lvert\mathbb{G}_T\rvert + \lvert p\rvert$ | DBDH | CLM | $2\log p - \omega(\log\kappa)$ | CCA
Our scheme $\Pi$ | $\lvert\mathbb{G}\rvert + \lvert p\rvert$ | $\lvert\mathbb{G}\rvert + \lvert\mathbb{G}_T\rvert + l_m + l_t$ | q-ABDHE | CLM | $2\log p - l_m - \omega(\log\kappa)$ | CPA
Our scheme $\Pi'$ | $2\lvert\mathbb{G}\rvert + 2\lvert p\rvert$ | $\lvert\mathbb{G}\rvert + 3\lvert\mathbb{G}_T\rvert + \lvert p\rvert$ | q-ABDHE | CLM | $3\log p - \omega(\log\kappa)$ | CCA

Let $l_t$ be the length of the randomness seed, $l_m$ the length of the message and $\lvert p\rvert$ the length of an element of $\mathbb{Z}_p^*$. Let $\lvert\mathbb{G}\rvert$ and $\lvert\mathbb{G}_T\rvert$ be the length of an element of the groups $\mathbb{G}$ and $\mathbb{G}_T$, respectively. BLM denotes the bounded leakage model and CLM the continuous leakage model.
TABLE 2. Comparison of computation efficiency with previous works.

Scheme | $\mathsf{KeyGen}$ | $\mathsf{Enc}$ | $\mathsf{Dec}$
LR-IBE-Li | $4E_s$ | $E_s + 2E_d + E_e + E_{Ext}$ | $2E_d + 2E_e + E_{Ext}$
LR-IBE-Sun | $6E_s$ | $1E_s + 3E_d + 3E_e$ | $2E_s + 2E_d + 2E_e$
CLR-IBE-Zhou | $2E_s + 2E_s$ | $2E_s + 2E_d$ | $2E_d + 4E_e$
Our scheme $\Pi$ | $1E_d$ | $2E_s + 2E_d + 1E_{Ext}$ | $1E_s + 1E_e + 1E_{Ext}$
Our scheme $\Pi'$ | $2E_d$ | $1E_s + 3E_d$ | $2E_e + 4E_d$

Let $E_{Ext}$ be the cost of the randomness extractor operation, $E_s$ the cost of a single exponentiation, $E_d$ the cost of a double exponentiation and $E_e$ the cost of a pairing operation, where $E_e > E_d > E_s$.
Performance analysis. Table 1 shows that, among the previous constructions [4, 5, 19], LR-IBE-Li and LR-IBE-Sun only achieve bounded leakage resilience, and the continuous leakage-resilient security of CLR-IBE-Zhou is proved in the selective-identity security model. By contrast, our constructions not only resist continuous leakage attacks but also achieve adaptive security. Also, in our new proposal $\Pi'$, the upper bound of permitted leakage reaches $3\log p - \omega(\log\kappa)$. We stress that the computational assumption of our schemes looks worse than that of CLR-IBE-Zhou; however, our proposal achieves continuous leakage resilience in the standard model, while CLR-IBE-Zhou obtains it in the selective-identity model.

Efficiency analysis. Table 2 summarizes the computational costs of the above-mentioned schemes. When evaluating computational efficiency, the hash function and XOR operations are ignored. From Table 2, our proposal $\Pi$ has computational efficiency comparable to the other schemes [4, 5, 19], while our construction offers better performance than those schemes in other respects, e.g. shorter public parameters, tight security, etc.

6. CONCLUSION

In real life, an adversary can break the security of cryptographic primitives through continuous leakage attacks.
Because the previous constructions [3, 20, 29, 30] only achieve continuous leakage-resilient CPA security, we design a novel construction of a continuous leakage-resilient CCA-secure IBE scheme based on a non-static security assumption in the standard model. Compared with the previous constructions, our continuous leakage-resilient IBE scheme has better performance, e.g. shorter public parameters, tight security, etc. In this paper, leakage on the master secret key is omitted. However, in actual applications, some leakage of the master secret key can be obtained by the adversary; thus, an IBE scheme with CCA security that resists continuous leakage attacks on the master secret key is very practical. Therefore, in the next research stage, continuous leakage resilience of the master secret key will be considered. Furthermore, a new construction of a continuous leakage-resilient IBE scheme will be researched in the standard model based on a classic static security assumption.

FUNDING

This work is supported by the National Key R&D Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (61802242, 61572303, 61772326, 61802241, 61872087, 61702259), the Natural Science Basic Research Plan in Shaanxi Province of China (2018JQ6088), the National Cryptography Development Foundation during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03), the Fundamental Research Funds for the Central Universities (GK201803064) and the Natural Science Foundation of Zhejiang Province of China (LY14F020032).

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers for their helpful comments.

REFERENCES

1 Naor, M. and Segev, G. (2009) Public-key Cryptosystems Resilient to Key Leakage. Advances in Cryptology—CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2009, Proceedings, pp. 18–35.
2 Liu, S., Weng, J. and Zhao, Y. (2013) Efficient Public Key Cryptosystem Resilient to Key Leakage Chosen Ciphertext Attacks. CT-RSA 2013, San Francisco, CA, USA, February 25–March 1, 2013, pp. 84–100.
3 Li, J., Guo, Y., Yu, Q., Lu, Y. and Zhang, Y. (2016) Provably secure identity-based encryption resilient to post-challenge continuous auxiliary input leakage. Secur. Commun. Netw., 9, 1016–1024.
4 Li, J., Teng, M., Zhang, Y. and Yu, Q. (2016) A leakage-resilient CCA-secure identity-based encryption scheme. Comput. J., 59, 1066–1075.
5 Sun, S., Gu, D. and Liu, S. (2013) Efficient Leakage-Resilient Identity-Based Encryption with CCA Security. 6th Int. Conf. Pairing-Based Cryptography—Pairing 2013, Beijing, China, November 22–24, 2013, Revised Selected Papers, pp. 149–167.
6 Yu, Q., Li, J. and Zhang, Y. (2015) Leakage-resilient certificate-based encryption. Secur. Commun. Netw., 8, 3346–3355.
7 Yu, Q., Li, J., Zhang, Y., Wu, W., Huang, X. and Xiang, Y. (2016) Certificate-based encryption resilient to key leakage. J. Syst. Softw., 116, 101–112.
8 Guo, Y., Li, J., Lu, Y., Zhang, Y. and Zhang, F. (2018) Provably secure certificate-based encryption with leakage resilience. Theor. Comput. Sci., 711, 1–10.
9 Zhou, Y., Yang, B. and Zhang, W. (2016) Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing. Discrete Appl. Math., 204, 185–202.
10 Zhou, Y. and Yang, B. (2018) Leakage-resilient cca2-secure certificateless public-key encryption scheme without bilinear pairing. Inf. Process. Lett., 130, 16–24.
11 Zhou, Y., Yang, B., Cheng, H. and Wang, Q. (2018) A leakage-resilient certificateless public key encryption scheme with CCA2 security. Front. Inf. Technol. Electron. Eng., 19, 481–493.
12 Dodis, Y., Haralambiev, K., López-Alt, A. and Wichs, D. (2010) Cryptography Against Continuous Memory Attacks. 51st Annual IEEE Symp. Foundations of Computer Science, FOCS 2010, October 23–26, 2010, Las Vegas, NV, USA, pp. 511–520.
13 Goldwasser, S. and Rothblum, G.N. (2010) Securing Computation Against Continuous Leakage. Advances in Cryptology—CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 2010, pp. 59–79.
14 Zhou, Y., Yang, B., Zhang, W. and Mu, Y. (2016) CCA2 secure public-key encryption scheme tolerating continual leakage attacks. Secur. Commun. Netw., 9, 4505–4519.
15 Alawatugoda, J., Boyd, C. and Stebila, D. (2014) Continuous After-the-Fact Leakage-Resilient Key Exchange. Information Security and Privacy—19th Australasian Conference, ACISP 2014, Wollongong, NSW, Australia, July 7–9, 2014, pp. 258–273.
16 Wang, Y. and Tanaka, K. (2015) Generic Transformation to Strongly Existentially Unforgeable Signature Schemes with Continuous Leakage Resiliency. Information Security and Privacy—20th Australasian Conference, ACISP 2015, Brisbane, QLD, Australia, June 29–July 1, 2015, pp. 213–229.
17 Li, J., Guo, Y., Yu, Q., Lu, Y., Zhang, Y. and Zhang, F. (2016) Continuous leakage-resilient certificate-based encryption. Inf. Sci., 355–356, 1–14.
18 Zhou, Y. and Yang, B. (2017) Continuous leakage-resilient certificateless public key encryption with CCA security. Knowl. Based Syst., 136, 27–36.
19 Zhou, Y., Yang, B. and Mu, Y. (2018) Continuous leakage-resilient identity-based encryption without random oracles. Comput. J., 61, 586–600.
20 Li, J., Yu, Q., Zhang, Y. and Shen, J. (2019) Key-policy attribute-based encryption against continual auxiliary input leakage. Inf. Sci., 470, 175–188.
21 Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S. and Wichs, D. (2010) Public-key encryption in the bounded-retrieval model. Advances in Cryptology—EUROCRYPT 2010, 29th Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Monaco/French Riviera, May 30–June 3, 2010, pp. 113–134.
22 Boneh, D., Gentry, C. and Hamburg, M. (2007) Space-Efficient Identity Based Encryption Without Pairings. 48th Annual IEEE Symp. Foundations of Computer Science (FOCS 2007), October 20–23, 2007, Providence, RI, USA, Proceedings, pp. 647–657.
23 Gentry, C. (2006) Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2006, 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, May 28–June 1, 2006, pp. 445–464.
24 Gentry, C., Peikert, C. and Vaikuntanathan, V. (2008) Trapdoors for Hard Lattices and New Cryptographic Constructions. Proc. 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008, pp. 197–206.
25 Chow, S.S.M., Dodis, Y., Rouselakis, Y. and Waters, B. (2010) Practical Leakage-Resilient Identity-Based Encryption from Simple Assumptions. Proc. 17th ACM Conf. Computer and Communications Security, CCS 2010, Chicago, IL, USA, October 4–8, 2010, pp. 152–161.
26 Boneh, D. and Boyen, X. (2004) Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
27 Boneh, D. and Boyen, X. (2004) Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
28 Waters, B. (2005) Efficient Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2005, 24th Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, pp. 114–127.
29 Yuen, T.H., Chow, S.S.M., Zhang, Y. and Yiu, S. (2012) Identity-Based Encryption Resilient to Continual Auxiliary Leakage. Advances in Cryptology—EUROCRYPT 2012, 31st Annual Int. Conf. Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15–19, 2012, Proceedings, pp. 117–134.
30 Lewko, A.B., Rouselakis, Y. and Waters, B. (2011) Achieving Leakage Resilience Through Dual System Encryption. Theory of Cryptography—8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA, March 28–30, 2011, Proceedings, pp. 70–88.
31 Sun, S., Gu, D. and Huang, Z. (2015) Fully secure wicked identity-based encryption against key leakage attacks. Comput. J., 58, 2520–2536.
32 Dodis, Y., Reyzin, L. and Smith, A.D. (2004) Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. Advances in Cryptology—EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings, pp. 523–540.
33 Shamir, A. (1984) Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology, Proc. CRYPTO'84, Santa Barbara, CA, USA, August 19–22, 1984, Proceedings, pp. 47–53.

© The Author(s) 2019. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved.
TI - Continuous Leakage-Resilient Identity-Based Encryption with Tight Security
JF - The Computer Journal
DO - 10.1093/comjnl/bxy144
DA - 2019-08-09
UR - https://www.deepdyve.com/lp/oxford-university-press/continuous-leakage-resilient-identity-based-encryption-with-tight-tuXLtkrkbo
SP - 1092
VL - 62
IS - 8
DP - DeepDyve
ER -