Page 1

Public-Key Cryptosystems Resilient to Key Leakage

Moni Naor∗

Gil Segev†

Abstract

Most of the work in the analysis of cryptographic schemes is concentrated in abstract ad-

versarial models that do not capture side-channel attacks. Such attacks exploit various forms

of unintended information leakage, which is inherent to almost all physical implementations.

Inspired by recent side-channel attacks, especially the “cold boot attacks”, Akavia, Goldwasser

and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of

encryption schemes against a wide class of side-channel attacks in which adversarially cho-

sen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al.

showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of L/polylog(L)

bits, where L is the length of the secret key.

In this paper we revisit the above-mentioned framework and our main results are as follows:

• We present a generic construction of a public-key encryption scheme that is resilient to key

leakage from any universal hash proof system. The construction does not rely on additional

computational assumptions, and the resulting scheme is as efficient as the underlying proof

system. Existing constructions of such proof systems imply that our construction can be

based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman

assumption (and its progressively weaker d-Linear variants), the quadratic residuosity

assumption, and Paillier’s composite residuosity assumption.

• We construct a new hash proof system based on the decisional Diffie-Hellman assumption

(and its d-Linear variants), and show that the resulting scheme is resilient to any leakage

of L(1−o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO

’08), constructed to be a “circular-secure” encryption scheme, is resilient to any leakage of

L(1−o(1)) bits. These two proposed schemes complement each other in terms of efficiency.

• We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On

the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting

as well, and obtain as a corollary encryption schemes that are CCA2-secure with any

leakage of L(1 − o(1)) bits. On the practical side, we prove that variants of the Cramer-

Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with

any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.

∗Incumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Mathematics,

Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il. Research supported in

part by a grant from the Israel Science Foundation.

†Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100,

Israel. Email: gil.segev@weizmann.ac.il. Research supported by the Adams Fellowship Program of the Israel

Academy of Sciences and Humanities, and by a grant from the Israel Science Foundation.

Page 2

Contents

1 Introduction

1.1Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1.3 Paper Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2

2

5

6

2Preliminaries, Assumptions, and Tools

2.1 Computational Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.2Randomness Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.3 Hash Proof Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6

6

7

7

3Defining Key-Leakage Attacks

3.1 Chosen-Plaintext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . .

3.2 Chosen-Ciphertext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . .

3.3 Weak Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

9

9

10

11

4A Generic Construction from Hash Proof Systems

4.1The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4.2 Example: A DDH-Based Instantiation . . . . . . . . . . . . . . . . . . . . . . . . . .

11

12

13

5Improved Resilience Based on DDH and d-Linear

5.1Proposal 1: A New Hash Proof System . . . . . . . . . . . . . . . . . . . . . . . . . .

5.2 Proposal 2: The BHHO Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5.3Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

14

14

16

17

6Protecting Against Chosen-Ciphertext Key-Leakage Attacks

6.1A Generic Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6.2 An Efficient CCA1-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6.3An Efficient CCA2-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17

18

22

25

7Protecting Against Weak Key-Leakage Attacks 30

8Protecting Against Generalized Forms of Key-Leakage Attacks

8.1Noisy Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8.2 Leakage of Intermediate Values from the Key-Generation Process . . . . . . . . . . .

8.3Keys Generated using Weak Random Sources . . . . . . . . . . . . . . . . . . . . . .

8.4 Leakage of Intermediate Values from the Decryption Process

32

32

32

33

34 . . . . . . . . . . . . .

A The Matrix d-Linear Assumption37

1

Page 3

1Introduction

Proving the security of a cryptographic scheme consists of two main ingredients: (1) an adver-

sarial model that specifies the adversarial access to the system and the adversary’s computational

capabilities, and (2) a notion of security that specifies what it means to “break” the security of

the scheme. Whereas notions of security have significantly evolved over the years (following the

seminal work of Goldwasser and Micali [18]), the vast majority of cryptographic schemes are ana-

lyzed in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit

unintended leakage of information which is inherent to almost all physical implementations. Over

the years side-channel attacks exposed crucial vulnerabilities of systems that are considered secure

in standard adversarial models (see, for example, [3, 5, 30, 31]).

Countermeasures for protecting against side-channel attacks are taken on two complementing

levels: the hardware level and the software level. Preventing unintended leakage on the hardware

level is typically rather inefficient and expensive, and is even impossible in some cases. It is thus

highly desirable to protect, as much as possible, against side-channel attacks on the software level

by modeling such attacks using abstract notions of computation.

Physically observable cryptography.

forward a powerful and comprehensive framework for modeling security against side-channel at-

tacks. Their framework captures any such attack in which leakage of information occurs as a result

of computation. The framework relies on the basic assumption that computation and only compu-

tation leaks information, that is, there is no leakage of information in the absence of computation.

This assumption has led to the construction of various cryptographic primitives that are robust to

“computational” leakage (see, for example, [16, 19, 35, 37, 38]).

In their pioneering work, Micali and Reyzin [35] put

Memory-leakage attacks.

violate the basic assumption underlying the framework of Micali and Reyzin. Halderman et al.

showed that, contrary to popular assumptions, a computer’s memory is not erased when it loses

power. They demonstrated that ordinary DRAMs typically lose their contents gradually over a

period of seconds, and that residual data can be recovered using simple, non-destructive techniques

that require only momentary physical access to the machine. Halerman et al. presented attacks

that exploit DRAM remanence effects to recover cryptographic keys held in memory. Specifically,

their “cold boot” attacks showed that a significant fraction of the bits of a cryptographic key can

be recovered if the key is ever stored in memory. Halderman et al. managed to completely com-

promise the security of several popular disk encryption systems (including BitLocker, TrueCrypt,

and FileVault), and to reconstruct DES, AES, and RSA keys (see also the improved RSA key

reconstruction by Heninger and Shacham [23]).

Inspired by the cold boot attacks, Akavia, Goldwasser and Vaikuntanathan [2] formalized a

general framework for modeling “memory attacks” in which adversarially chosen functions of the

secret key are leaked in an adaptive fashion, with the only restriction that the total amount of

leakage is bounded. Akavia et al. showed that the lattice-based public-key encryption scheme of

Regev [39] is resilient to such key leakage (to an extent that depends on the amount of leakage) by

slightly strengthening the computational assumption that is required by the original scheme.

Recently, Halderman et al. [21] presented a suite of attacks that

1.1 Our Contributions

In this work we revisit the framework of key-leakage attacks introduced by Akavia et al. in the setting

of public-key encryption. We present a generic construction of a public-key encryption scheme that

2

Page 4

is resilient to key leakage, and show that the construction can be based on a variety of number-

theoretic assumptions (see below). Moreover, we demonstrate that our approach leads to encryption

schemes that are both resilient to significantly large amounts of leakage, and that are very efficient

and can be used in practice (see, in particular, the instantiation in Section 4.2 that is based on

the decisional Diffie-Hellman assumption). In addition, we extend the framework of key-leakage

attacks to the setting of chosen-ciphertext attacks. We present both a generic transformation from

chosen-plaintext security to chosen-ciphertext security in the context of key-leakage attacks, and

efficient schemes that are based on specific number-theoretic assumptions.

In what follows we present a more elaborated exposition of our results, but first, we briefly

describe the framework of Akavia et al. and their results. Informally, an encryption scheme is

resilient to key-leakage attacks if it is semantically secure even when the adversary obtains sensitive

leakage information. This is modeled by providing the adversary with access to a leakage oracle:

the adversary can submit any function f and receive f(sk), where sk is the secret key (we note that

the leakage functions can be chosen depending on the public key, which is known to the adversary).

The adversary can query the leakage oracle adaptively, with only one restriction: the sum of output

lengths of all the leakage functions has to be bounded by a predetermined parameter λ (clearly,

λ has to be less than the length of the secret key)1. A formal definition is provided in Section 3.

Akavia et al. showed that Regev’s public-key encryption scheme is resilient to any key leakage of

L/polylog(L) bits, where L is the length of the secret key. We are now ready to state our results

more clearly:

A generic construction.

that is resilient to key leakage from any universal hash proof system, a very useful primitive in-

troduced by Cramer and Shoup [8]. The construction does not rely on additional computational

assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing

constructions of such proof systems [8, 29, 43] imply that our construction can be based on a va-

riety of number-theoretic assumptions, including the decisional Diffie-Hellman (DDH) assumption

and its progressively weaker d-Linear variants, the quadratic residuosity assumption, and Paillier’s

composite residuosity assumption. The natural approach for achieving security against partial key

leakage is to add redundancy to the private key, so that every (short) function of it will still keep

many possibilities for the “real secret”. Hash proof systems yield a convenient method for doing

just that.

We then emphasize a specific instantiation with a simple and efficient DDH-based hash proof

system. The resulting encryption scheme is resilient to any leakage of L(1/2 − o(1)) bits, where L

is the length of the secret key. Although one can instantiate our construction with any hash proof

system, we find this specific instantiation rather elegant (we refer the reader to Section 4.2).

The schemes that result from our generic construction satisfy in fact a more general notion of

leakage resilience: these schemes are secure even if the leakage functions chosen by the adversary

are applied to the random bits used by the key generation algorithm. This clearly generalizes

the framework of Akavia et al. and guarantees security even in case that intermediate values from

the process of generating the secret and public keys are leaked2. In addition, we consider several

We present a generic construction of a public-key encryption scheme

1Akavia et al. refer to such attacks as adaptive memory attacks. They also define the notion of non-adaptive

memory attacks which we discuss later on.

2We note that it is not clear that Regev’s scheme is resilient to leakage of intermediate key-related values, or at

least, the proof of security of Akavia et al. does not seem to generalize to this setting. The main reason is that their

proof of security involves an indistinguishability argument over the public key, and an adversary that has access to

the randomness of the key generation algorithm (via leakage queries) can identify that the public key was not sampled

from its specified distribution.

3

Page 5

other important generalizations of the framework of Akavia et al. that are satisfied by our schemes.

These include a scenario in which the adversary obtains a noisy version of all of the memory as in

the attack of Halderman et al. (i.e., the leakage may be as long as the whole memory and not of

bounded length), and a scenario in which partial results of the decryption process are leaked (we

refer the reader to Section 8 for a more elaborated discussion on our generalizations).

Improved key-leakage resilience.

resilient to any key leakage of L(1 − o(1)) bits, where L is the length of the secret key. Our

proposals are based on the observation that our generic construction from hash proof systems can

in fact be based on hash proof systems with a slightly weaker universality property. When viewing

hash proof systems as key-encapsulation mechanisms, relaxing the universality property enables us

to achieve essentially the best possible ratio between the length of the secret key and the length

of the encapsulated symmetric key. This ratio translates to the relative amount of key leakage to

which the encryption schemes are resilient3.

For our first proposal we construct a new hash proof system based on the decisional Diffie-

Hellman assumption (and more generally, on any of the d-Linear assumptions) that satisfies this

weaker universality property. The resulting encryption scheme is then obtained by instantiating

our generic construction with this hash proof system. For our second proposal, we show the recent

“circular-secure” encryption scheme of Boneh et al. [6] fits into our generic approach using a different

hash proof system (that satisfies the same weaker universality property). We then compare our two

proposals both conceptually and practically, indicating that they complement each other in terms

of efficiency.

We propose two public-key encryption schemes that are

Chosen-ciphertext security.

ciphertext security. Technically, this is a very natural extension by providing the adversary with

access to both a leakage oracle and a decryption oracle (a formal definition is provided in Section

3). On the theoretical side, we show that the Naor-Yung “double encryption” paradigm [14, 36] can

be used as a general transformation from chosen-plaintext security to chosen-ciphertext security in

the presence of key leakage. As an immediate corollary of our above-mentioned results, we obtain

a scheme that is CCA2-secure with any leakage of L(1 − o(1)) bits, where L is the length of the

secret key.

The schemes resulting from the Naor-Yung paradigm are rather inefficient due to the usage

of generic non-interactive zero-knowledge proofs. To complement this situation, on the practical

side, we prove that variants of the Cramer-Shoup cryptosystem [9] (along the lines of our generic

transformation from hash proof systems) are CCA1-secure with any leakage of L(1/4 − o(1)) bits,

and CCA2-secure with any leakage of L(1/6−o(1)) bits. It is left as an open problem to construct

a practical CCA-secure scheme that is resilient to any leakage of L(1−o(1)) bits (where a possible

approach is to examine recent refinements of the Cramer-Shoup cryptosystem [1, 29, 32]).

We extend the framework of key leakage to the setting of chosen-

“Weak” key-leakage security.

leakage (which they refer to as “non-adaptive” leakage): a leakage function f with output length

λ is chosen by the adversary ahead of time (without any knowledge of the public key), and then

the adversary is given (pk,f(sk)). That is, in a “weak” key-leakage attack the leakage function f

is chosen independently of pk. Akavia et al. proved that Regev’s encryption scheme is resilient to

any weak key leakage of L(1 − o(1)) bits.

3We do not argue that such a relaxation is in fact necessary for achieving the optimal ratio.

Akavia et al. also considered the following weaker notion of key

4

Page 6

Although this notion of key leakage seems rather limited, it still captures many realistic attacks

in which the leakage does not depend on the parameters of the encryption scheme. Specifically,

this notion captures the cold boot attack of Halderman et al. [21], in which the leakage depends

only on the properties of the hardware devices that are used for storing the secret key.

For weak key-leakage attacks we present a generic construction that transforms any encryption

scheme to one that is resilient to any weak leakage of L(1−o(1)) bits, where L is the length of the

secret key. The resulting scheme is essentially as efficient as the original one, and does not rely on

additional computational assumptions. Our approach crucially relies on the fact that the leakage

is independent of the public key. One may interpret our construction as evidence to the deficiency

of this weaker notion of key-leakage attacks.

1.2 Related Work

Extensive work has been devoted for protecting against side-channel attacks, and for exploiting

side-channels to compromise the security of cryptographic schemes. It is far beyond the scope of

this paper to present an exhaustive overview of this ever-growing line of work. We focus here on

the results that are most relevant to our work. Already in 1985 Rivest and Shamir [40] introduced

a model for leakage attacks in the context of factoring. They considered a scenario in which an

adversary is interested in factoring an n-bit modulus N = PQ, and is allowed to ask a certain

number of arbitrary “Yes/No” questions. Rivest and Shamir asked the following question: how

many questions are needed in order to factor N in polynomial time? Clearly, if the adversary is

allowed to ask about n/2 questions, then the binary representation of P can be fully revealed.

Rivest and Shamir showed an attack that requires only n/3 questions. Specifically, in their attack

the adversary requests the top n/3 bits of P. This was later improved by Maurer [34] who showed

that ?n questions are sufficient, for any constant ? > 0.

Canetti et al. [7] introduced the notion of exposure resilient cryptographic primitives, which

remain secure even if an adversary is able to learn almost all of the secret key of the primitive.

Most notably, they introduced the notion of an exposure resilient function: a deterministic function

whose output appears random even if almost all the bits of the input are known (see also the work

of Dodis et al. [12] on adaptive security of such functions). Ishai et al. [25, 26] considered the more

general problem of protecting privacy in circuits, where the adversary can access a bounded number

of wires in the circuit. Ishai et al. proposed several techniques for dealing with this type of attacks.

Dziembowski and Pietrzak [16] and Pietrzak [38] introduced a general framework for leakage-

resilient cryptography, following the assumption of Micali and Reyzin that only computation leaks

information. Their main contributions are constructions of leakage-resilient stream-ciphers. In-

formally, their model considers cryptographic primitives that proceed in rounds, and update their

internal state after each round. In each round, the adversary can obtain bounded leakage informa-

tion from the portions of memory that were accessed during that round.

Dodis, Tauman Kalai, and Lovett [13] studied the security of symmetric-key encryption schemes

under key leakage attacks. They considered leakage of the form f(sk), where sk is the secret key

and f is any exponentially-hard one-way function. On one hand they do not impose any restriction

on the min-entropy of the secret key given the leakage, but on the other hand, they require that the

leakage is a function that is extremely hard to invert. Dodis et al. introduced a new computational

assumption that is a generalization of learning parity with noise, and constructed symmetric-key

encryption schemes that are resilient to any key leakage that is exponentially hard to invert.

5

Page 7

1.3Paper Organization

The remainder of the paper is organized as follows. In Section 2 we present some basic notions,

as well as several tools that are used in our constructions. In Section 3 we formally describe the

framework of key-leakage attacks, and extend it to the setting of chosen-ciphertext attacks. In

Section 4 we present our generic construction from hash proof systems, and provide a simple and

efficient instantiation. In Section 5 we present our two proposals that are resilient to any key leakage

of L(1 − o(1)) bits, and provide a comparison between them. In Section 6 we present encryption

schemes that are secure against chosen-ciphertext key-leakage attacks. In Section 7 we present a

generic construction for protecting against weak key-leakage attacks. In Section 8 we discuss several

important generalizations of the framework of key leakage that are satisfied by our schemes. In

Appendix A we introduce the matrix d-Linear assumption on which we base our new hash proof

system in Section 5, and prove that it is implied by the d-Linear assumption.

2 Preliminaries, Assumptions, and Tools

In this section we present some basic notions, definitions, and tools that are used in our construc-

tions. We formally state the decisional Diffie-Hellman and the d-Linear assumptions, and present

the notions of an average-case strong extractor and hash proof systems.

2.1 Computational Assumptions

Let G be a probabilistic polynomial-time algorithm algorithm that takes as input a security pa-

rameter, and outputs a triplet G = (G,q,g) where G is a group of order q that is generated by

g ∈ G.

The decisional Diffie-Hellman assumption.

tion is that the ensembles {(G,g1,g2,gr

indistinguishable, where G ← G(1n), and the elements g1,g2 ∈ G and r,r1,r2 ∈ Zq are chosen

independently and uniformly at random.

The decisional Diffie-Hellman (DDH) assump-

2)}n∈Nand {(G,g1,g2,gr1

1,gr

1,gr2

2)}n∈Nare computationally

The d-Linear assumption.

intended to take the place of DDH in groups where DDH is easy (specifically, in bilinear groups).

They showed that the hardness of DDH implies that hardness of Linear, but at least in generic

groups (see, for example, [27, 44]), Linear remains hard even if DDH is easy. The DDH and Linear

assumptions naturally generalize to the family of d-Linear assumptions [28, 43], where for every

d ≥ 1 the d-Linear assumption is that the ensembles

??

??G,g1,...,gd,gd+1,gr1

are computationally indistinguishable, where G ← G(1n), and the elements g1,...,gd+1∈ G and

r1,...,rd+1∈ Zqare chosen independently and uniformly at random.

Note that DDH is the 1-Linear assumption, and that Linear is the 2-Linear assumption. These

assumptions are progressively weaker: the hardness of d-Linear implies the hardness of (d + 1)-

Linear, but in generic groups (d + 1)-Linear remains hard even if d-Linear is easy.

Boneh, Boyen, and Shacham [4] introduced the Linear assumption,

G,g1,...,gd,gd+1,gr1

1,...,grd

d,g

?d

i=1ri

d+1

??

n∈N

1,...,grd

d,grd+1

d+1

??

n∈N,

6

Page 8

2.2Randomness Extraction

The statistical distance between two random variables X and Y over a finite domain Ω is SD(X,Y ) =

1

2

is at most ?. The min-entropy of a random variable X is H∞(X) = −log(maxxPr[X = x]).

Dodis et al. [11] formalized the notion of average min-entropy that captures the remaining

unpredictability of a random variable X conditioned on the value of a random variable Y , formally

defined as follows:

?H∞(X|Y ) = −log

edge of Y . The following bound on average min-entropy was proved in [11]:

?

ω∈Ω|Pr[X = ω]−Pr[Y = ω]|. We say that two variables are ?-close if their statistical distance

?

Ey←Y

?

2−H∞(X|Y =y)??

.

The average min-entropy corresponds exactly to the optimal probability of guessing X, given knowl-

Lemma 2.1 ([11]). If Y has 2rpossible values and Z is any random variable, then?H∞(X|(Y,Z)) ≥

A main tool in our constructions in this paper is a strong randomness extractor. The following

definition naturally generalizes the standard definition of a strong extractor to the setting of average

min-entropy:

H∞(X|Z) − r.

Definition 2.2 ([11]). A function Ext : {0,1}n×{0,1}t→ {0,1}mis an average-case (k,?)-strong

extractor if for all pairs of random variables (X,I) such that X ∈ {0,1}nand?H∞(X|I) ≥ k it

SD((Ext(X,S),S,I),(Um,S,I)) ≤ ? ,

where S is uniform over {0,1}t.

Dodis et al. proved that any strong extractor is in fact an average-case strong extractor, for an

appropriate setting of the parameters. As a specific example, they proved the following generalized

variant of the leftover hash lemma, stating that any family of pairwise independent hash functions

is an average-case strong extractor:

holds that

Lemma 2.3 ([11]). Let X,Y be random variables such that X ∈ {0,1}nand?H∞(X|Y ) ≥ k. Let

holds that

SD((Y,h,h(X)),(Y,h,Um)) ≤ ?

as long as m ≤ k − 2log(1/?).

H be a family of pairwise independent hash functions from {0,1}nto {0,1}m. Then for h ← H, it

2.3Hash Proof Systems

We present the framework of hash proof systems, introduced by Cramer and Shoup [8]. For sim-

plicity we frame the description by viewing hash proof systems as key-encapsulation mechanisms

(using the notation of Kiltz et al. [29]), and refer the reader to [8] for a more complete description.

A key-encapsulation mechanism is a public-key encryption scheme that is used for encrypting

random messages. Typically, these messages are used as encryption keys for a symmetric-key

encryption scheme, which in turn encrypts the actual plaintext. In this setting, hash proof systems

may be viewed as key-encapsulation mechanisms in which ciphertexts can be generated in two

modes. Ciphertexts generated using the first mode are referred to as valid ciphertexts, and are

indeed encapsulations of symmetric keys. That is, given a public key and a valid ciphertext, the

encapsulated key is well defined, and can be decapsulated using the secret key. In addition, the

generation process of a valid ciphertext also produces a “witness” to the fact that the ciphertext

7

Page 9

is indeed valid. Ciphertexts generated using the second mode are referred to as invalid ciphertexts,

and essentially contain no information on the encapsulated key. That is, given a public key and an

invalid ciphertext, the distribution of the encapsulated key (as it will be produced by the decryption

process) is almost uniform. This is achieved by introducing redundancy into the secret key: each

public key has many corresponding secret keys. The only computational requirement is that the

two modes are computational indistinguishable: any efficient adversary that is given a public key

cannot distinguish with a noticeable advantage between valid ciphertexts and invalid ciphertexts.

We note that the secret and public keys are always generated using the same algorithm, and the

indistinguishability requirement is only over the ciphertexts.

Smooth projective hashing.

keys, PK as the set of public keys, and K as the set of encapsulated symmetric keys. Let C and

V ⊂ C be sets, where we view C as the set of all ciphertexts, V as the set of all valid ciphertexts (i.e.,

those generated appropriately with a corresponding witness). We assume that there are efficient

algorithms for sampling sk ∈ SK, C ∈ V together with a witness w, and C ∈ C \ V.

Let Λsk: C → K be a hash function indexed with sk ∈ SK that maps ciphertexts to symmetric

keys. The hash function Λ(·)is projective if there exists a projection µ : SK → PK such that

µ(sk) ∈ PK defines the action of Λskover the subset V of valid ciphertexts. That is, for every valid

ciphertext C ∈ V, the value K = Λsk(C) is uniquely determined by pk = µ(sk) and C. In other

words, even though there are many different secret keys sk corresponding to the same public key

pk, the action of Λskover the subset of valid ciphertexts in completely determined by the public

key pk. On the other hand, the action of Λsk over the subset of invalid ciphertexts should be

completely undetermined: A projective hash function is ?-almost 1-universal if for all C ∈ C \ V,

SD((pk,Λsk(C)),(pk,K)) ≤ ?

where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk).

Let SK, PK, and K be sets where we view SK as the set of secret

(2.1)

Hash proof systems.

that run in polynomial time. The randomized algorithm Param(1n) generates parameterized in-

stances of the form (group,K,C,V,SK,PK,Λ(·),µ), where group may contain public parameters.

The deterministic public evaluation algorithm Pub is used to decapsulate valid ciphertexts C ∈ V

given a “witness” w of the fact that C is indeed valid (specifically, one can think of w as the

random coins used to sample C from the set V). The algorithm Pub receives as input a public

key pk = µ(sk), a valid ciphertext C ∈ V, and a witness w of the fact that C ∈ V, and outputs

the encapsulated key K = Λsk(C). The deterministic private evaluation algorithm Priv is used to

decapsulate valid ciphertexts without knowing a witness w, but by using the secret key sk. That is,

the algorithm Priv receives as input a secret key sk ∈ SK and a valid ciphertext C ∈ V, and outputs

the encapsulated key K = Λsk(C). We assume that µ and Λ(·)are efficiently computable. We say

that a hash proof system is 1-universal if for all possible outcomes of Param(1n) the underlying

projective hash function is ?(n)-almost 1-universal for some negligible ?(n).

A hash proof system HPS = (Param,Pub,Priv) consists of three algorithms

Subset membership problem.

bership problem is hard in HPS, which means that for random valid ciphertext C0∈ V and random

invalid ciphertext C1∈ C\V, the two ciphertexts C0and C1are computationally indistinguishable.

This is formally captured by defining the advantage function AdvSM

HPS,A(n) =??PrC0←V[A(C,V,C0) = 1] − PrC1←C\V[A(C,V,C1) = 1]??,

As a computational problem we require that the subset mem-

HPS,A(n) of an adversary A as

AdvSM

where C and V are generated using Param(1n).

8

Page 10

Example: A DDH-based hash proof system.

on a variety of number-theoretic assumptions: the decisional Diffie-Hellman assumption and its

progressively weaker d-Linear variants, the quadratic residuosity assumption, and Paillier’s com-

posite residuosity assumption [8, 29, 43]. We conclude this section by presenting a simple example

of a hash proof system (due to Cramer and Shoup [8]) that is based on the decisional Diffie-Hellman

assumption. This hash proof system is used in Section 4.2 to instantiate our generic construction

of a public-key encryption scheme that is resilient to key leakage.

Let G be a group of prime order q. We define a hash proof system HPS = (Param,Pub,Priv) as

follows. The algorithm Param(1n) generates instances (group,K,C,V,SK,PK,Λ,µ), where:

• group = (G,g1,g2), where g1,g2∈ G are uniformly chosen generators.

• C = G2, V = {(gr

• SK = Z2

• For sk = (x1,x2) ∈ SK we define µ(sk) = gx1

• For C = (gr

• For C = (c1,c2) ∈ V we define Priv(sk,C) = Λsk(C) = cx1

This hash proof system can be easily shown to be 1-universal based on the DDH assumption

(see, for example, [29] for a complete proof).

Hash proof systems are known to exist based

1,gr

2) : r ∈ Zq}, K = G.

q, PK = G.

1gx2

2∈ PK.

1,gr

2) ∈ V with witness r ∈ Zqwe define Pub(pk,C,r) = pkr.

1cx2

2.

3Defining Key-Leakage Attacks

In this section we define the notion of a key-leakage attack, as introduced as Akavia et al. [2]. In

addition, we present a natural extension of this notion to the setting of chosen-ciphertext attacks,

and define the notion of a weak key-leakage attack. In Section 8 we discuss several generalizations

of this framework.

3.1 Chosen-Plaintext Key-Leakage Attacks

Informally, an encryption scheme is resilient to key-leakage attacks if it is semantically secure

even when the adversary obtains sensitive leakage information. This is modeled by providing the

adversary with access to a leakage oracle: the adversary can submit any function f and receive

f(SK), where SK is the secret key. The adversary can query the leakage oracle adaptively, with

only one restriction: the sum of output lengths of all the leakage functions has to be bounded by

a predetermined parameter λ.

More formally, for a public-key encryption scheme (G,E,D) we denote by SKnand PKnthe sets

of secret keys and public keys that are produced by G(1n). That is, G(1n) : {0,1}∗→ SKn×PKnfor

every n ∈ N. The leakage oracle, denoted Leakage(SK), takes as input a function f : SKn→ {0,1}∗

and outputs f(SK). We say that an oracle machine A is a λ-key-leakage adversary if the sum of

output lengths of all the functions that A submits to the leakage oracle is at most λ.

Definition 3.1 (key-leakage attacks). A public-key encryption scheme Π = (G,E,D) is seman-

tically secure against λ(n)-key-leakage attacks if for any probabilistic polynomial-time λ(n)-key-

leakage adversary A = (A1,A2) it holds that

AdvLeakage

Π,A

is negligible in n, where ExptLeakage

Π,A

(n)def

=

???Pr

?

ExptLeakage

Π,A

(b) is defined as follows:

(0) = 1

?

− Pr

?

ExptLeakage

Π,A

(1) = 1

????

9

Page 11

1. (SK,PK) ← G(1n).

2. (M0,M1,state) ← ALeakage(SK)

3. C ← Epk(Mb).

4. b?← A2(C,state)

5. Output b?.

1

(PK) such that |M0| = |M1|.

Challenge-dependent key leakage.

oracle after the challenge phase. This restriction is necessary: the adversary can clearly encode the

decryption algorithm, the challenge ciphertext, and the two messages M0and M1into a function

that outputs the bit b. It will be very interesting to find an appropriate definition that allows a

certain form of challenge-dependent leakage.

Note that the adversary is not allowed to access the leakage

Adaptivity.

in which the adversary queries the leakage oracle only once. Informally, the adversary can encode

its adaptive behavior into a single polynomial-size leakage function. It is not clear, however, that

the same equivalence holds when we extend the definition to consider chosen-ciphertext attacks.

Therefore, for consistency, we chose to present this adaptive definition.

As pointed out by Akavia et al. [2], Definition 3.1 is in fact equivalent to a definition

3.2Chosen-Ciphertext Key-Leakage Attacks

Extending the above definition to the setting of chosen-ciphertext security is rather natural. In

this case the adversary is allowed to adaptively access a decryption oracle D(SK,·) that receives as

input a ciphertext and outputs a decryption using the secret key SK. We denote by D?=C(SK,·)

a decryption oracle that decrypts any ciphertext other than C. As in the standard definition of

chosen-ciphertext attacks we distinguish between a-priori chosen-ciphertext attacks (CCA1) and

a-posteriori chosen-ciphertext attacks (CCA2).

Definition 3.2 (a-priori chosen-ciphertext key-leakage attacks). A public-key encryption scheme

Π = (G,E,D) is semantically secure against a-priori chosen-ciphertext λ(n)-key-leakage attacks if

for any probabilistic polynomial-time λ(n)-key-leakage adversary A = (A1,A2) it holds that

(n)def

=

ExptLeakageCCA1

Π,A

AdvLeakageCCA1

Π,A

???Pr

Π,A

?

(0) = 1

?

− Pr

?

ExptLeakageCCA1

Π,A

(1) = 1

????

is negligible in n, where ExptLeakageCCA1

(b) is defined as follows:

1. (SK,PK) ← G(1n).

2. (M0,M1,state) ← ALeakage(SK),D(SK,·)

3. C ← Epk(Mb).

4. b?← A2(C,state)

5. Output b?.

1

(PK) such that |M0| = |M1|.

10

Page 12

Definition 3.3 (a-posteriori chosen-ciphertext key-leakage attacks). A public-key encryption sche-

me Π = (G,E,D) is semantically secure against a-posteriori chosen-ciphertext λ(n)-key-leakage

attacks if for any probabilistic polynomial-time λ(n)-key-leakage adversary A = (A1,A2) it holds

that

AdvLeakageCCA2

Π,A

is negligible in n, where ExptLeakageCCA2

Π,A

1. (SK,PK) ← G(1n).

2. (M0,M1,state) ← ALeakage(SK),D(SK,·)

3. C ← Epk(Mb).

4. b?← AD?=C(SK,·)

5. Output b?.

(n)def

=

???Pr

?

ExptLeakageCCA2

Π,A

(b) is defined as follows:

(0) = 1

?

− Pr

?

ExptLeakageCCA2

Π,A

(1) = 1

????

1

(PK) such that |M0| = |M1|.

2

(C,state)

3.3 Weak Key-Leakage Attacks

Akavia et al. also considered the following weaker notion of leakage (which they refer to as “non-

adaptive” leakage): a leakage function f with output length λ is chosen by the adversary ahead

of time (without any knowledge of the public key), and then the adversary is given (PK,f(SK)).

That is, the leakage function f is chosen independently of the public key. Although this notion

seems rather weak, it nevertheless captures realistic attacks in which the leakage depends only on

hardware devices (as in [21]) and is independent of the parameters of the system, including the

public-key.

Definition 3.4 (weak key-leakage attacks). A public-key encryption scheme Π = (G,E,D) is

semantically secure against weak λ(n)-key-leakage attacks if for any probabilistic polynomial-time

adversary A = (A1,A2), and for any ensemble F =

computable functions, it holds that

???Pr

Π,A,F

1. (SK,PK) ← G(1n).

2. (M0,M1,state) ← A1(PK,fn(SK)) such that |M0| = |M1|.

3. C ← Epk(Mb).

4. b?← A2(C,state)

5. Output b?.

?fn: SKn→ {0,1}λ(n)?

(0) = 1

− Pr

(b) is defined as follows:

n∈Nof efficiently

????

AdvWeakLeakage

Π,A,F

(n)def

=

?

ExptWeakLeakage

Π,A,F

??

ExptWeakLeakage

Π,A,F

(1) = 1

is negligible in n, where ExptWeakLeakage

4A Generic Construction from Hash Proof Systems

In this section we present a generic construction of a public-key encryption scheme that is resilient

to key-leakage attacks. We then present an instantiation of our generic construction with a simple

and efficient hash proof system based on the DDH assumption. The resulting encryption scheme

is resilient to any leakage of L(1/2 − o(1)) bits, where L is the length of the secret key. Although

one can instantiate our generic construction with any hash proof system, we find this specific

instantiation rather elegant.

11

Page 13

4.1 The Construction

Let HPS = (Param,Pub,Priv) be an ?1-almost 1-universal hash proof system (see Section 2.3

for an overview of hash proof systems), where Param(1n) generates parameterized instances of

(group,K,C,V,SK,PK,Λ(·),µ) which are used as the public parameters of the encryption scheme.

Let λ = λ(n) be a bound on the amount of leakage, and let Ext : K × {0,1}t→ {0,1}mbe

an average-case (log|K| − λ,?2)-strong extractor. We assume that ?1and ?2are negligible in the

security parameter. The following describes the encryption scheme Π = (G,E,D):

• Key generation: Choose a random sk ∈ SK and let pk = µ(sk) ∈ PK. Output the pair

(sk,pk).

• Encryption: On input a message M ∈ {0,1}m, choose a random C ∈ V together with a

corresponding witness w, and a random seed s ∈ {0,1}t. Let Ψ = Ext(Pub(pk,C,w),s)⊕M,

and output the ciphertext (C,s,Ψ).

• Decryption: On input a ciphertext (C,s,Ψ), output the message M = Ψ ⊕ Ext(Λsk(C),s).

The correctness of the scheme follows from the property that Λsk(C) = Pub(pk,C,w) for any

C ∈ V with witness w. Thus, a decryption of an encrypted plaintext is always the original plaintext.

The security of the scheme (i.e., its resilience to key leakage) follows from the universality of the

proof system (see Equation (2.1) in Section 2.3): for all C ∈ C \ V it holds that

SD((pk,Λsk(C)),(pk,K)) ≤ ?1 ,

where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk). Therefore, even

given pk and any leakage of λ bits, the distribution Λsk(C) is ?1-close to a distribution with average

min-entropy at least log|K| − λ. The strong extractor is then applied to Λsk(C) using a fresh seed

(chosen during the challenge phase and thus independent of the leakage), and guarantees that the

plaintext is properly hidden. The following theorem establishes the security of the scheme:

Theorem 4.1. Assuming that HPS is a 1-universal hash proof system, the encryption scheme Π is

semantically secure against λ(n)-key-leakage attacks for any λ(n) ≤ log|K| − ω(logn) − m, where

n is the security parameter and m is the length of plaintexts.

Proof. Assume that HPS is an ?1-almost 1-universal hash proof system, and recall that Ext is

chosen to be an average-case (log|K| − λ,?2)-strong extractor (see, for example, Lemma 2.3 for a

generalization of the leftover hash lemma to the setting of average min-entropy). We show that

for any efficient λ-key-leakage adversary A = (A1,A2) there exists an efficient adversary A?for the

subset membership problem of the hash proof system HPS such that

?

For S ∈ {V,C \ V} and b ∈ {0,1} consider the following experiment denoted ExptLeakage

1. Generate (K,C,V,SK,PK,Λ(·),µ) ← Param(1n), choose a random sk ∈ SK and let pk =

µ(sk) ∈ PK.

2. (M0,M1,state) ← ALeakage(sk,pk)

3. Choose a random C ← S, a random seed s ∈ {0,1}t, and let Ψ = Ext(Λsk(C),s) ⊕ Mb.

AdvLeakage

Π,A

(n) ≤ 2

AdvSM

HPS,A(n) + ?1(n) + ?2(n)

?

.

Π,A

(S,b):

1

(pk) such that |M0| = |M1|.

12

Page 14

4. b?← A2((C,s,Ψ),state).

5. Output b?.

Using the notation of Definition 3.1 and the triangle inequality, for any adversary A it holds that

AdvLeakage

Π,A

=

ExptLeakage

Π,A

≤

+

ExptLeakage

Π,A

+

ExptLeakage

Π,A

(n) =

???Pr

???Pr

?

ExptLeakage

Π,A

(0) = 1

?

− Pr

?

?

ExptLeakage

Π,A

− Pr

− Pr

?

− Pr

(1) = 1

????

???Pr

?

(V,0) = 1

(V,0) = 1

(C \ V,0) = 1

(C \ V,1) = 1

?

ExptLeakage

Π,A

ExptLeakage

Π,A

− Pr

?

(V,1) = 1

(C \ V,0) = 1

ExptLeakage

Π,A

ExptLeakage

Π,A

????

(4.1)

?

ExptLeakage

Π,A

???Pr

??

????

(4.2)

??

(C \ V,1) = 1

(V,1) = 1

????

(4.3)

???Pr

?

?

???? ,

(4.4)

where the equality in (4.1) follows from the property that Λsk(C) = Pub(pk,C,w) for any C ∈ V

with witness w. It is straightforward that there exists an adversary A?for the subset membership

problem of the hash proof system HPS such that the terms (4.2) and (4.4) are upper bounded by

AdvSM

HPS,A(n). The following claim bounds the term (4.3) and concludes the proof of the theorem.

Claim 4.2. For any probabilistic polynomial-time adversary A it holds that

???Pr

Proof. For each b ∈ {0,1} we claim that in experiment ExptLeakage

challenge ciphertext is (?1+ ?2)-close to the uniform distribution over m bits from the adversary’s

point of view. Noting that the experiments ExptLeakage

Π,A

on Ψ, this implies that the statistical distance between the distributions of the adversary’s view in

these experiments is at most 2(?1+ ?2).

The hash proof system guarantees that for C ∈ C \ V the value Λsk(C) is ?1-close to uniform

over the set K given pk and C. In our setting, however, the adversary learns additional λ bits of

information using the leakage oracle. However, Lemma 2.1 states that this can reduce the average

min-entropy of Λsk(C) by at most λ. That is, Λsk(C) is ?1-close to a distribution that has average

min-entropy at least log|K|−λ given the adversary’s view. The application of the strong extractor

with a randomly chosen seed (that is independent of the adversary’s view so far) guarantees that

Ext(Λsk(C),s) is ?2-close to the uniform distribution over m bits, and therefore Ψ is (?1+?2)-close

to uniform.

?

ExptLeakage

Π,A

(C \ V,0) = 1

?

− Pr

?

ExptLeakage

Π,A

(C \ V,1) = 1

???? ≤ 2(?1(n) + ?2(n)) .

(C \ V,b) the value Ψ in the

Π,A

(C \V,0) and ExptLeakage

Π,A

(C \V,1) differ only

4.2 Example: A DDH-Based Instantiation

Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, and let Ext : G×{0,1}t→

{0,1}mbe an average-case (logq − λ,?)-strong extractor for some negligible ? = ?(n).

• Key generation: Choose x1,x2∈ Zqand g1,g2∈ G uniformly at random. Let h = gx1

and output the keys

SK = (x1,x2),

1gx2

2,

PK = (g1,g2,h) .

13

Page 15

• Encryption: On input a message M, choose r ∈ Zqand s ∈ {0,1}tuniformly at random,

and output the ciphertext

(gr

1,gr

2,s,Ext(hr,s) ⊕ M) .

• Decryption: On input a ciphertext (u1,u2,s,e), output e ⊕ Ext(ux1

The hash proof system underlying the above encryption scheme is the one described in Section

2.3. This hash proof system 1-universal based on the DDH assumption, and as an immediate

consequence we obtain the following corollary of Theorem 4.1:

1ux2

2,s).

Corollary 4.3. Assuming the hardness of DDH, the above encryption scheme is semantically-

secure against (L/2 − ω(logn) − m)-key-leakage attacks, where n denotes the security parameter,

L = L(n) denotes the length of the secret key and m = m(n) denotes the length of the plaintext.

5Improved Resilience Based on DDH and d-Linear

In this section we propose two encryption schemes that are resilient to any key leakage of L(1−o(1))

bits, where L is the length of the secret key. These proposals are based on the observation that

our generic construction from hash proof systems can in fact be based on hash proof systems with

a slightly weaker 1-universality property. Specifically, the 1-universality property asks that for all

C ∈ C \ V it holds that

SD((pk,Λsk(C)),(pk,K)) ≤ ?

where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk). It is rather

straightforward that our generic construction only requires this property to hold with overwhelming

probability over the choice of C ∈ C \ V.

For our first proposal we construct a new hash proof system that is based on the d-Linear

assumption (for any d ≥ 1) and satisfies this weaker 1-universality property4. The hash proof system

is a generalization of the hash proof system underlying the simple encryption scheme described

in Section 4.2. The resulting encryption scheme is then obtained by instantiating our generic

construction with this hash proof system.

Our second proposal is a recent encryption scheme of Boneh et al. [6], that is secure under key

cycles (and more generally, under encryptions of linear functions of the secret keys). This is the

first and only known encryption scheme with this property. We refer to this scheme as the BHHO

scheme, and show that it fits into our generic approach using an appropriate hash proof system

(that satisfies the same weaker universality property). As a corollary we derive that the BHHO

scheme is resilient to any leakage of L(1 − o(1)) bits5.

We then provide a comparison between these two proposed schemes, indicating that the two

schemes complement each other in terms of efficiency.

5.1Proposal 1: A New Hash Proof System

We begin by presenting the encryption scheme, and then turn to describe the underlying hash proof

system and its properties.

Notation.

v = (g1,...,gk) ∈ Gkand u = (u1,...,uk) ∈ Zk

naturally extends to matrix-vector and matrix-matrix multiplications.

Let G = (G,q,g) where G a group of order q that is generated by g. For two vectors

qwe define v ·uT=?k

4Recall that the DDH is the 1-Linear assumption.

5We do not claim that every circular-secure scheme is also resilient to key leakage.

i=1gui

i, and note the notation

14

Page 16

The encryption scheme.

parameter, and let Ext : Gk−d× {0,1}t→ {0,1}mbe an average-case ((k − d)logq − λ,?)-strong

extractor for some negligible ? = ?(n).

The following encryption scheme has a secret key of size essentially klogq bits (k group ele-

ments), and is resilient to any leakage of λ ≤ (k−d)logq−ω(logn)−m bits, where m is the length

of plaintexts. That is, the scheme is resilient to any leakage of essentially a (1 − d/k)-fraction of

the length of the secret key.

Let k = k(n) ≥ d+1 be any polynomial, let λ = λ(n) be the leakage

• Key generation: Choose x ∈ Zk

and output the keys

qand Φ ∈ Gd×kuniformly at random. Let y = Φx ∈ Gd,

SK = x, PK = (Φ,y) .

• Encryption: On input a message M, choose R ∈ Z(k−d)×d

random, and output the ciphertext

q

and s ∈ {0,1}tuniformly at

(RΦ,s,Ext(Ry,s) ⊕ M) .

• Decryption: On input a ciphertext (Ψ,s,e) output e ⊕ Ext(Ψx,s).

The following theorem establishes the security of the scheme:

Theorem 5.1. Assuming the hardness of d-Linear, for any polynomial k = k(n) ≥ d + 1 the

above encryption scheme is semantically-secure against a ((1 − d/k)L − ω(logn) − m)-key-leakage

attack, where n denotes the security parameter, L = L(n) denotes the length of the secret key and

m = m(n) denotes the length of the plaintext.

The hash proof system.

{0,1}mbe a ((k − d)logq,?)-strong extractor for some negligible ? = ?(n).

We define a hash proof system HPS = (Param,Pub,Priv) as follows. The algorithm Param(1n)

generates instances (group,K,C,V,SK,PK,Λ,µ), where:

• group = (G,Φ,s), where Φ ∈ Gd×kand s ∈ {0,1}tare chosen uniformly at random.

• C = G(k−d)×d, V =

• SK = Zk

• For sk ∈ SK we define µ(sk) = Φx ∈ PK.

• For C ∈ V with witness R ∈ Z(k−d)×d

• For C ∈ V we define Priv(sk,C) = Λsk(C) = Ext(Cx,s).

Before analyzing the hash proof system, we note that in the above encryption scheme we did not

include the strong extractor that is a part of the hash proof system. The reason is that the generic

transformation in Section 4 utilizes a strong extractor (using a fresh seed for every ciphertext), and

in this specific case there is no need to apply two extractors.

We now analyze the hash proof system. It is straightforward that for every C ∈ V with witness

R ∈ Z(k−d)×d

Λsk(C) = Ext(Cx,s) = Ext(RΦx,s) = Ext(Ry,s) = Pub(pk,C,R) .

Let k = k(n) ≥ d+1 be any polynomial, and let Ext : Gk−d×{0,1}t→

?

RΦ : R ∈ Z(k−d)×d

q

?

, K = {0,1}m.

q, PK = Gd.

q

we define Pub(pk,C,R) = Ext(Ry,s).

q

it holds that

15

Page 17

For the remainder of the analysis we introduce for following additional notation. We denote by

Rki(Za×b

q

) the set of all matrices in Za×b

q

with rank i. For a matrix R = {ri,j}i∈[a],j∈[b]∈ Za×b

denote by gRthe matrix {gi,j}i∈[a],j∈[b]= {gri,j}i∈[a],j∈[b]∈ Ga×b. We denote by Rki(Ga×b) the set

of all matrices gR∈ Ga×bfor R ∈ Rki(Za×b

In Appendix A we show that the d-Linear assumption implies the hardness of the subset mem-

bership problem in HPS. Specifically, we introduce the matrix d-Linear assumption stating that in

Gk×ka random matrix of rank d is computationally indistinguishable from a random matrix of rank

at least d + 1. We prove that the d-Linear assumption implies the matrix d-Linear assumption6.

Note that in the hash proof system, the matrix Φ has rank d with overwhelming probability, and

in this case the matrix

Ψ =

C

q

we

q

).

?

Φ

?

∈ Gk×k

has rank d for every C ∈ V, and has rank at least d + 1 for every C ∈ C \ V.

In the following claim we prove the universality of the proof system. As noted above, it suffices

in our setting to argue 1-universality with overwhelming probability over the choice of C ∈ C \ V.

Claim 5.2. With overwhelming probability over the choice of C ∈ C \ V it holds that

SD((pk,Λsk(C)),(pk,K)) ≤ ? ,

where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk).

Proof. With overwhelming probability the matrix Φ ∈ Gd×khas rank d (alternatively, it is possible

to just sample Φ from the set of rank d matrices to begin with). In this case, with overwhelming

probability over the choice over of C ∈ C \ V the matrix

?

is invertible. Therefore, the mapping x → Cx is injective given Φ and Φx, and this implies that

H∞(Cx | Φ,Φx) = H∞(x | Φ,Φx) ≥ (k − d)logq .

The strong extractor then guarantees that Λsk(C) = Ext(Cx,s) is ?-close to the uniform distribution

over K given pk.

Ψ =

Φ

C

?

∈ Gk×k

5.2 Proposal 2: The BHHO Scheme

We show that a simple setting of the parameters in the BHHO encryption scheme [6] results in

an encryption scheme that is resilient any key leakage of L(1 − o(1)) bits, where L is the length

of the secret key. Let G = (G,q,g) where G a group of order q that is generated by g, and set

? = λ + logq + 2log(1/?) for some negligible ? = ?(n).

• Key generation: Choose s1,...,s?∈ {0,1} and g1,...,g?∈ G uniformly at random. Let

h =??

SK = (s1,...,s?),

i=1gsi

i, and output the keys

PK = (g1,...,g?,h) .

6We note that the case d = 1 was proved by Boneh et al. [6].

16

Page 18

• Encryption: On input a message M ∈ G, choose r ∈ Zquniformly at random, and output

the ciphertext

(gr

1,...,gr

?,hr· M) .

• Decryption: On input a ciphertext (u1,...,uk,e) output e ·

The encryption scheme can be viewed as based on a hash proof system with the following subset

membership problem (whose hardness follows from DDH):

C =??gr1

???

i=1usi

i

?−1.

1,...,gr?

1,...,gr

?

?: r1,...,r?∈ Zq

?

V = {(gr

?) : r ∈ Zq} .

The leftover hash lemma guarantees that with overwhelming probability over the choice of C =

(u1,...,u?) ∈ C \ V it holds that Λsk(C) =??

i=1usi

iis ?-close to the uniform distribution over G,

even given any leakage of length λ bits.

5.3Comparison

The main difference between the two schemes proposed in this section is in their method of ex-

tracting randomness from the secret key. In the first proposal an invertible function is applied

to the secret key (thus preserving its min-entropy), and then a strong extractor is applied to the

resulting value. In the second proposal, the entropy of the secret key is extracted directly using

the subset-product hash functions. Although the second proposal uses a more direct method to

extract the randomness of the secret key, it requires the subset-product functions to operate on

the individual bits of the secret key, since otherwise the subset-product functions are not pairwise

independent. In contrast, in the first proposal the extractor operates on the secret key as group

elements. This leads to significant differences in performance.

For any leakage parameter λ, the size of the secret keys in the two proposals is essentially the

same, whereas the size of the public key in the first proposal is shorter by a factor of logq. When

considering the length of the ciphertexts and the number of exponentiations per ciphertext, the

first proposal performs better than the second proposal when roughly λ < L(1−1/logq), where L

is the length of the secret key (note that such a λ is a considerable amount of leakage).

For example, by setting k = 2 in the first proposal one obtains the simple scheme described

in Section 4.2 which is resilient to any leakage of L(1/2 − o(1)) bits, and requires only 3 exponen-

tiations per ciphertext. For achieving the same resilience in the second proposal more than logq

exponentiations are required.

In Table 1 we present a comparison between the efficiency of the schemes. Since the second

proposal scheme is based on DDH and encrypts group elements, we compare it to the first proposal

using d = 1 (i.e., based on DDH), and m = logq (i.e., logq-bit plaintexts). For simplicity we assume

that λ is an integer multiple of logq, and note that the table presents asymptotical estimates, and

not exact numbers.

6Protecting Against Chosen-Ciphertext Key-Leakage Attacks

In this section we present public-key encryption schemes that are resilient to chosen-ciphertext

key-leakage attacks (see Definitions 3.2 and 3.3).

17

Page 19

Proposal 1 (Section 5.1)Proposal 2 (Section 5.2)

Secret key (bits)

λ + 2logq + 2log(1/?)

λ + logq + 2log(1/?)

Public key (bits)

λ + 2logq + 2log(1/?) logq (λ + logq + 2log(1/?))

Ciphertext (bits)

(λ+2logq+2log(1/?))2

logq

?λ+2logq+2log(1/?)

Table 1: Comparison between the two proposals.

logq (λ + logq + 2log(1/?))

Exponentiations

logq

?2

λ + logq + 2log(1/?)

6.1 A Generic Construction

We prove that the Naor-Yung “double encryption” paradigm [14, 36] is applicable also in the

setting of key leakage attacks. That is, we show that any public-key encryption scheme that is

semantically secure against chosen-plaintext key-leakage attacks can be transformed into a scheme

that is semantically secure against a-posteriori chosen-ciphertext key-leakage attacks using non-

interactive zero-knowledge proofs.

The key property of the transformation is that the size of the secret key in the resulting CCA-

secure scheme is exactly the same as in the underlying CPA-secure scheme. This enables us to

prove that the resulting CCA-secure scheme is resilient to exactly the same amount of leakage as

the underlying CPA-secure scheme.

Our construction in this section are based on the refinements of Sahai [42] and Lindell [33] to

the encryption schemes of Naor and Yung [36] and Dolev, Dwork and Naor [14]. These refinements

enable us to achieve CCA2 security without increasing the size of the secret key. We refer the

reader to [33, 42] for comprehensive overviews of the construction.

The construction.

secure against chosen-plaintext λ-key-leakage attacks, and let (P,V) be a one-time simulation-sound

adaptive NIZK proof system7for the following NP-language:

Let Π = (G,E,D) be a public-key encryption scheme that is semantically

L = {(c0,c1,pk0,pk1) | ∃m,r0,r1s.t. c0= Epk0(m;r0) and c1= Epk1(m;r1)} .

The encryption scheme Π?= (G?,E?,D?) is defined as follows:

• Key generation: Sample (sk0,pk0),(sk1,pk1) ← G(1n) independently, and a reference string

σ for the NIZK proof system. Output SK = sk0and PK = (pk0,pk1,σ).

• Encryption: On input a message M choose r0,r1∈ {0,1}∗, and compute c0= Epk0(M;r0)

and c1= Epk1(M;r1). Then, invoke the NIZK prover P to obtain a proof π for the statement

(c0,c1,pk0,pk1) ∈ L with respect to the reference string σ. Output the ciphertext (c0,c1,π).

• Decryption: On input a ciphertext (c0,c1,π), invoke the NIZK verifier V to verify that π is

an accepting proof with respect to the reference string σ. If V accepts then output Dsk0(c0),

and otherwise output ⊥.

7We refer the reader to [33, 42] for the definitions of a one-time simulation-sound adaptive NIZK proof system.

18

Page 20

Proof of security.

adapting the ideas of Lindell [33] and Sahai [42] to key leakage attacks. Specifically, we show that

any adversary that breaks the security of the scheme can be used to either break the simulation

soundness of the proof system (P,V) or to break the encryption scheme Π. The main point in our

setting, is that we can always simulate both the leakage oracle and the decryption oracle to such

an adversary:

In the remainder of the section we prove the security of the scheme Π?by

• When attacking the proof system (P,V) we know the key sk0. We use this key to simulate

the leakage oracle, and use this key together with the verifier of the proof system to simulate

the decryption oracle.

• When attacking the public key pk1we again know the key sk0as in the previous case. In fact,

pk1can even be sampled from a CPA-secure encryption scheme that is not resilient to key

leakage (both in the actual scheme and in the proof of security the adversary never obtains

leakage information from sk1).

• When attacking the public key pk0 we know the key sk1. We simulate the leakage oracle

by forwarding all queries to the leakage oracle of sk0, and we simulate the decryption oracle

using sk1and the verifier of the proof system.

We prove the following theorem:

Theorem 6.1. Assume that Π is semantically secure against chosen-plaintext λ-key-leakage at-

tacks, and that (P,V) is a one-time simulation-sound NIZK proof system. Then, Π?is semantically

secure against a-posteriori chosen-ciphertext λ-key-leakage attacks.

Proof. Given a probabilistic polynomial-time λ-key-leakage adversary A we begin by describing a

mental experiment in which A runs its attack. The difference between the mental experiment and

a real attack is that the challenge ciphertext received by A is not properly generated. Rather, the

NIZK proof is generated by the NIZK simulator S = (S1,S2) and the two encryptions may not be

to the same message.

Experiment ExptS

A(b0,b1):

1. Key generation:

• (σ,s) ← S1(1n) (a simulated reference string σ is used for the public key).

• (sk0,pk0),(sk1,pk1) ← G(1n).

• Set SK = sk0and PK = (pk0,pk1,r).

2. (M0,M1,state) ← ALeakage(SK),D?(SK,·)

3. Set up the challenge ciphertext c = (c0,c1,π):

1

(PK).

• c0← Epk0(Mb0).

• c1← Epk1(Mb1).

• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated proof π is used for the challenge).

4. b?← A

D?

2

?=c(SK,·)

(c,state).

19

Page 21

Given the above experiment, the advantage of A in attacking the scheme Π?can be bounded as

follows:

???Pr

+??Pr?ExptS

+

AdvLeakageCCA2

Π?,A

(n) =

?

ExptLeakageCCA2

Π?,A

ExptLeakageCCA2

Π?,A

A(1,1) = 1?− Pr?ExptS

???Pr?ExptS

(1) = 1

?

− Pr

− Pr?ExptS

A(0,0) = 1???

?

ExptLeakageCCA2

Π?,A

A(1,1) = 1????

(0) = 1

????

≤

???Pr

+??Pr?ExptS

?

(1) = 1

?

(6.1)

A(0,1) = 1???

ExptLeakageCCA2

Π?,A

(6.2)

(6.3)

A(0,1) = 1?− Pr?ExptS

A(0,0) = 1?− Pr

?

(0) = 1

???? .

(6.4)

The following claim shows that the terms (6.1) and (6.4) are negligible.

Claim 6.2. For every probabilistic polynomial-time A and b ∈ {0,1} it holds that

???Pr

?

ExptLeakageCCA2

Π?,A

(b) = 1

?

− Pr?ExptS

A(b,b) = 1???? ≤ ?(n)

for some negligible function ?(n).

Proof. The correctness of the claim follows from the zero-knowledge property of the NIZK proof

system (P,V). Given a probabilistic polynomial-time λ-key-leakage adversary A and a bit b ∈ {0,1}

for which

ExptLeakageCCA2

Π?,A

polynomial-time distinguisher A?that distinguishes a simulated proof from a real proof with ad-

vantage ?(n). Thus, the adaptive zero-knowledge property of (P,V) implies that ?(n) is negligible.

The distinguisher A?works as follows: it receives a reference string σ, samples two pairs of keys

(sk0,pk0),(sk1,pk1) ← G(1n) and invokes A on the public-key PK = (pk0,pk1,σ) while emulating

the decryption oracle and the leakage oracle for A using SK = sk0(note that anyone can verify

the NIZK proofs for the decryption process). When A outputs two messages (M0,M1) for the

challenge, A?computes c0= Epk0(Mb) and c1= Epk1(Mb), and asks for a proof π of the (correct)

statement (c0,c1,pk0,pk1) ∈ L. The distinguisher A?then gives A the challenge ciphertext (c0,c1,π)

and outputs whatever A does. Notice that if A?receives a real proof then it perfectly simulates

ExptLeakageCCA2

Π?,A

the advantage of A?is exactly ?(n).

Before proceeding, we prove a claim stating that in the experiment ExptS

whelming probability all ciphertext queries to the decryption oracle that contain accepting NIZK

proofs, are of valid ciphertexts. Formally, we say that a ciphertext c = (c0,c1,π) is invalid with an

accepting NIZK proof if Dsk0(c0) ?= Dsk1(c1) and V ((c0,c1,pk0,pk1),σ,π) = 1. The following claim

shows that if any of A’s ciphertext queries are of the above form, then A can be used to contradict

the one-time simulation-soundness of the NIZK proof system.

???Pr

?

(b) = 1

?

− Pr?ExptS

A(b,b) = 1???? ≥ ?(n), we construct a probabilistic

(b), and if A?receives a simulated proof then it perfectly simulates ExptS

A(b,b). Thus,

A(b0,b1), with over-

Claim 6.3. For every probabilistic polynomial-time adversary A and b0,b1∈ {0,1}, the probability

that in the experiment ExptS

ciphertext that has an accepting NIZK proof is negligible.

A(b0,b1) the adversary A queries the decryption oracle with an invalid

Proof. The correctness of the claim follows from the one-time simulation-soundness of the NIZK

proof system (P,V). Given a probabilistic polynomial-time adversary A and b0,b1 ∈ {0,1} for

which with a non-negligible probability A queries the decryption oracle with an invalid ciphertext

20

Page 22

that has an accepting NIZK proof, we construct a probabilistic polynomial-time A?that contradicts

the one-time simulation-soundness of (P,V).

A?receives a simulator-generated reference string σ and runs the rest of experiment ExptS

as in the proof of Claim 6.2 (the only difference is that A?computes c0 = Epk0(Mb0) and c1 =

Epk1(Mb1)). If during the simulation A queries the decryption oracle with an invalid ciphertext

that has an accepting NIZK proof, then A?outputs this ciphertext and halt (A?can check this

because it knows both decryption keys and because it can verify the validity of the NIZK proofs).

The simulation by A?is perfect, and therefore if A outputs an invalid ciphertext with an accepting

proof in ExptS

A(b0,b1)

A(b0,b1), then A?outputs a false statement with an accepting proof.

We are now ready to prove that the terms (6.2) and (6.3) are negligible.

Claim 6.4. For every probabilistic polynomial-time A it holds that

??Pr?ExptS

Proof. The correctness of the claim follows from the security of the scheme Π = (G,E,D). Given a

probabilistic polynomial-time adversary A for which??Pr?ExptS

essentially the same advantage.

The adversary A?receives as input a public-key pk generated by G(1n), and simulates the view

of A as follows:

1. Key generation:

A(1,1) = 1?− Pr?ExptS

A(0,1) = 1???≤ ?(n)

for some negligible function ?(n).

A(1,1) = 1?− Pr?ExptS

A(0,1) = 1???≥

?(n), we construct a probabilistic polynomial-time adversary A?that breaks the security of Π with

• A?sets pk0= pk, and samples (sk1,pk1) ← G(1n) and (σ,s) ← S1(1n).

• A?sets PK = (pk0,pk1,σ).

2. Leakage queries: Any leakage query f is forwarded to the leakage oracle corresponding to pk.

3. Decryption queries: Given a ciphertext c = (c0,c1,π) the adversary A?invokes the NIZK

verifier V to verify that π is an accepting proof with respect to the reference string σ. If V

accepts then A?outputs Dsk1(c1), and otherwise A?outputs ⊥.

4. When A outputs two messages M0and M1, the adversary A?obtains c0= Epk0(Mb) for a

random b ∈ {0,1}, and outputs the challenge ciphertext c = (c0,c1,π), where:

• c1← Epk1(M1).

• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated NIZK proof).

5. A?outputs the output of A.

From the point of view of A, the only difference between the view simulated by A?and the

experiment ExptS

views are identical as long as A does not submit an invalid ciphertext that has an accepting NIZK

proof. Claim 6.3 guarantees that the latter event has only a negligible probability.

A(b,1) is that A?performs the decryption using sk1and not sk0. However, these

Claim 6.5. For every probabilistic polynomial-time A it holds that

??Pr?ExptS

A(0,1) = 1?− Pr?ExptS

A(0,0) = 1???≤ ?(n)

for some negligible function ?(n).

21

Page 23

Proof. The correctness of the claim follows from the security of the scheme Π = (G,E,D). Given a

probabilistic polynomial-time adversary A for which??Pr?ExptS

essentially the same advantage.

The adversary A?receives as input a public-key pk generated by G(1n), and simulates the view

of A as follows:

1. Key generation:

A(0,1) = 1?− Pr?ExptS

A(0,0) = 1???≥

?(n), we construct a probabilistic polynomial-time adversary A?that breaks the security of Π with

• A?sets pk1= pk, and samples (sk0,pk0) ← G(1n) and (σ,s) ← S1(1n).

• A?sets PK = (pk0,pk1,σ).

2. Leakage queries: Given a function f the simulator A?outputs f(sk0).

3. Decryption queries: Given a ciphertext c = (c0,c1,π) the simulator A?invokes the NIZK

verifier V to verify that π is an accepting proof with respect to the reference string σ. If V

accepts then A outputs Dsk0(c0), and otherwise A outputs ⊥.

4. When A outputs two messages M0and M1, the simulator A?obtains c1= Epk1(Mb) for a

random b ∈ {0,1}, and outputs the challenge ciphertext c = (c0,c1,π), where:

• c0← Epk0(M0).

• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated NIZK proof).

5. A?outputs the output of A.

The claim now follows by noting that the simulated view of A is in fact identical to the exper-

iment ExptS

A(0,b).

This concludes the proof of the theorem.

6.2An Efficient CCA1-Secure Scheme

In this section we prove that a variant of the Cramer-Shoup “Lite” cryptosystem [9] (along the

lines of our generic construction in Section 4) is secure against a-priori chosen-ciphertext key-leakage

attacks.

Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, and let Ext :

G×{0,1}t→ {0,1}mbe an average-case (logq−λ,?)-strong extractor for some negligible ? = ?(n).

We present an encryption scheme with a secret key of size essentially 4logq bits (four group

elements), and show that the scheme is secure for any leakage of length λ ≤ logq − ω(logn) − m,

where m is the length of plaintexts. The following describes the encryption scheme:

• Key generation: Choose x1,x2,z1,z2 ∈ Zq and g1,g2 ∈ G uniformly at random. Let

c = gx1

1gx2

2, h = gz1

1gz2

2, and output the keys

SK = (x1,x2,z1,z2), PK = (g1,g2,c,h) .

• Encryption: On input a message M ∈ {0,1}m, choose r ∈ Zqand s ∈ {0,1}tuniformly at

random, and output the ciphertext

(gr

1,gr

2,cr,s,Ext(hr,s) ⊕ M) .

• Decryption: On input a ciphertext (u1,u2,v,s,e), if v ?= ux1

output e ⊕ Ext(uz1

1ux2

2then output ⊥ and otherwise

1uz2

2,s).

22

Page 24

Correctness.

it holds that ux1

decryption algorithm is always correct.

For any sequence of coin tosses of the key generation and encryption algorithms

1ux2

2

= (gx1

1gx2

2)r= cr= v and that uz1

1uz2

2= (gz1

1gz2

2)r= hr, and therefore the

Proof of security.

with the ideas presented in Section 4. We prove the following theorem:

The proof of security is based on augmenting the proof of Cramer and Shoup

Theorem 6.6. Assuming the hardness of DDH, the above encryption scheme is semantically-secure

against a-priori chosen-ciphertext (L/4 − ω(logn) − m)-key-leakage attacks, where n denotes the

security parameter, L = L(n) denotes the length of the secret key and m = m(n) denotes the length

of the plaintext.

Proof. We show that any efficient adversary A that breaks the security of the scheme (recall

Definition 3.2) can be used to construct an efficient algorithm A?that distinguishes between a DH

instance and a non-DH instance with a non-negligible advantage. On input (g1,g2,u1,u2) ∈ G4the

algorithm A?acts as follows:

1. A?chooses x1,x2,z1,z2∈ Zq uniformly at random, and sets c = gx1

(x1,x2,z1,z2), and PK = (g1,g2,c,h). Then A?invokes A with input PK.

2. A?simulates the leakage oracle and the decryption oracle to A using SK.

3. When A outputs two messages M0and M1, the simulator A?chooses b ∈ {0,1} and s ∈ {0,1}t

uniformly at random, and sends A the challenge ciphertext (u1,u2,ux1

Mb).

1gx2

2, h = gz1

1gz2

2, SK =

1ux2

2,s,Ext(uz1

1uz2

2,s)⊕

4. If A outputs b then A?outputs 1, and otherwise A?outputs 0.

In the following we say that a ciphertext (u1,u2,v,s,e) is invalid if logg1(u1) ?= logg2(u2). The

remainder of the proof proceeds as follows. First, we prove that if (g1,g1,u1,u2) is a DH instance

then A’s view is identical to the actual attack. Then, we prove that in both the actual attack and

in the simulated attack the decryption oracle rejects all invalid ciphertexts except with a negligible

probability. Finally, we prove that if (g1,g1,u1,u2) is a non-DH instance and the decryption oracle

rejects all invalid ciphertexts then A has only a negligible advantage in outputting the bit b. Thus,

if A has a non-negligible advantage in the actual attack, then A?has a non-negligible advantage in

distinguishing between DH instances and non-DH instances.

Claim 6.7. If (g1,g2,u1,u2) is a DH instance then A’s view is identical to the actual attack.

Proof. The actual attack and the simulated attack are identical up to the challenge phase. It

remains to prove that the challenge ciphertext has the correct distribution when (g1,g2,u1,u2) is

a DH instance. Indeed, in this case u1= gr

therefore ux1

1and u2= gr

2for some randomly chosen r ∈ Zq, and

1ux2

2= crand uz1

1uz2

2= hras it should be.

Claim 6.8. In both the actual attack and the simulated attack, the decryption algorithm rejects all

invalid ciphertexts except with a negligible probability.

Proof. The actual attack and the simulated attack are identical up to the challenge phase. There-

fore, the probability that the decryption algorithm rejects all invalid ciphertexts is the same in both

attacks.

23

Page 25

We prove the claim by considering the distribution of the point (x1,x2) ∈ Z2

sary’s point of view. The adversary is given the public key (g1,g2,c,h) and therefore from the

adversary’s point of view the point (x1,x2) is uniformly random subject to logg1(c) = x1+ γx2,

where γ = logg1(g2). Moreover, by submitting valid ciphertexts to the decryption oracle the ad-

versary does not learn any more information on (x1,x2) (in fact, by submitting a valid ciphertext

the adversary only learns a linear combination of the constraint logg1(h) = z1+γz2that is already

known from the public key).

Denote by (u?

gr?

the adversary prior to submitting the invalid ciphertext. The value aux obtains at most 2λvalues,

and therefore Lemma 2.1 implies that from the adversary’s point of view prior to submitting the

invalid ciphertext it holds that

qfrom the adver-

1,u?

2,v?,s?,e?) the first invalid ciphertext submitted by the adversary, where u?

1?= r?

1=

1

1, u?

2= gr?

2

2, and r?

2. Denote by aux the output of all leakage functions that were submitted by

?H∞((x1,x2)|PK,aux) ≥ H∞((x1,x2)|PK) − λ ≥ logq − λ .

In particular, the definition of average min-entropy implies that prior to submitting the invalid

ciphertext the probability of A in guessing (x1,x2) is at most 2−?H∞((x1,x2)|PK,aux)≤ 2λ/q. However,

note that if the decryption algorithm accepts the invalid ciphertext then we obtain the following

linear equations:

?logg1(v?) = r?

As long as γ(r?

can be used to guess (x1,x2). Thus, the probability that the decryption algorithm accepts the first

invalid ciphertext is at most 2λ/q.

An almost identical argument holds for all the subsequent invalid decryption queries. The only

difference is that each time the decryption oracle rejects an invalid ciphertext the adversary can rule

out one more value of (x1,x2) from the set {(x1,x2) ∈ Z2

the decryption algorithm accepts the i-th invalid ciphertext with probability at most 2λ/(q−i+1).

The claim now follows from the fact that the number of decryption queries is polynomial, and from

the restriction λ ≤ logq − ω(logn).

Claim 6.9. If (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects all invalid

ciphertexts, then A has only a negligible advantage in outputting the bit b.

Proof. We show that if (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects

all invalid ciphertexts then with overwhelming probability the value uz1

at least logq−λ ≥ m+ω(logn) given all the other values in the adversary’s view. The average-case

strong extractor then guarantees that the part of the challenge ciphertext that depends on the bit

b is ?-close to uniform given the adversary’s view, for a negligible ? = ?(n).

We prove the claim by considering the distribution of the point (z1,z2) ∈ Zqfrom the adversary’s

point of view. The adversary is given the public key (g1,g2,c,h) and therefore from the adversary’s

point of view the point (z1,z2) is uniformly random subject to logg1(h) = z1+ γz2, where γ =

logg1(g2). We assume that the decryption algorithm rejects all invalid ciphertext, and note that

by submitting valid ciphertexts to the decryption oracle the adversary does not learn any more

information (the adversary only learns a linear combination of the constraint logg1(h) = z1+ γz2).

Thus, the adversary does not learn any information on (z1,z2) via decryption queries.

1x1+ γr?

2x2

logg1(c) = x1+ γx2

1− r?

2) ?= 0 these equations are linearly independent, and therefore the adversary

q: logg1(c) = x1+ γx2}. This shows that

1uz2

2has average min-entropy

24

Page 26

Let u1= gr1

adversary. Then from the adversary’s point of view in the challenge phase it holds that

1, u2= gr2

2, and denote by aux the output of all leakage functions chosen by the

?H∞(uz1

1uz2

2| g1,g2,c,h,aux,u1,u2) =?H∞(r1z1+ γr2z2| γ,c,h,aux,r1,r2) .

z2) are linearly independent:

?logg1(h) = z1+ γz2

which implies that given (γ,h,r1,r2) the function (z1,z2) → r1z1+γr2z2is injective. Applying an

injective function to a distribution preserves its min-entropy, and therefore

Note that as long as γ(r1−r2) ?= 0, then for any w = uz1

1uz2

2the following two equations (in z1and

logg1(w) = r1z1+ γr2z2

?H∞(r1z1+ γr2z2| γ,c,h,aux,r1,r2) =?H∞((z1,z2) | γ,c,h,aux,r1,r2)

where the second equality follows from the fact that (z1,z2,γ,c,h,aux) are all chosen independently

of (r1,r2). Finally, the leakage aux obtains at most 2λpossible values, and therefore (see Lemma

2.1)

=?H∞((z1,z2) | γ,c,h,aux) ,

?H∞((z1,z2) | γ,c,h,aux) ≥ H∞((z1,z2) | γ,c,h) − λ

≥ logq − λ .

Combining all of the above, with overwhelming probability it holds that

= H∞((z1,z2) | γ,z1+ γz2) − λ

?H∞(uz1

1uz2

2| g1,g2,c,h,aux,u1,u2) ≥ logq − λ .

This concludes the proof of Theorem 6.6.

6.3An Efficient CCA2-Secure Scheme

In this section we prove that a variant of the Cramer-Shoup cryptosystem [9] (along the lines of

our generic construction in Section 4) is secure against a-posteriori chosen-ciphertext key-leakage

attacks.

Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, let Ext : G×{0,1}t→

{0,1}mbe an average-case (logq −λ,?)-strong extractor for some negligible ? = ?(n), and let H be

a family of universal one-way hash functions H : G3→ Zq. Rompel [41] showed that universal one-

way hash functions can be constructed from one-way functions, and in particular, such functions

exist based on the hardness of DDH.

We present an encryption scheme with a secret key of size essentially 6logq bits (six group

elements), and show that the scheme is secure for any leakage of length λ ≤ logq − ω(logn) − m,

where m is the length of the plaintext. The following describes the encryption scheme:

• Key generation: Choose x1,x2,y1,y2,z1,z2 ∈ Zq, g1,g2 ∈ G, and H ∈ H uniformly at

random. Let c = gx1

1gx2

2, d = gy1

1gy2

2, h = gz1

1gz2

2, and output the keys

SK = (x1,x2,y1,y2,z1,z2),PK = (g1,g2,c,d,h,H) .

25

Page 27

• Encryption: On input a message M ∈ {0,1}m, choose r ∈ Zqand s ∈ {0,1}tuniformly at

random, and compute

u1= gr

1, u2= gr

2, e = Ext(hr,s) ⊕ M, α = H(u1,u2,s,e), v = crdrα.

Output the ciphertext (u1,u2,v,s,e).

• Decryption: On input a ciphertext (u1,u2,v,s,e) compute α = H(u1,u2,s,e), and if v =

ux1+y1α

12

then output the message

ux2+y2α

M = e ⊕ Ext(uz1

1uz2

2,s) .

Otherwise output ⊥.

Correctness.

it holds that ux1+y1α

algorithm is always correct.

For any sequence of coin tosses of the key generation and encryption algorithms

ux2+y2α

2

= crdrα= v and that uz1

11uz2

2

= hr, and therefore the decryption

Proof of security.

Cramer and Shoup with the ideas presented in Section 4. Specifically, we show that any efficient

adversary that breaks the security of the scheme can be used to either distinguish between a DH

instance and a non-DH instance or to break the security of the universal one-way hash functions.

We prove the following theorem:

As in Section 6.2, the proof of security is based on augmenting the proof of

Theorem 6.10. Assuming the hardness of DDH, the above encryption scheme is semantically-

secure against a-posteriori chosen-ciphertext (L/6 − ω(logn) − m)-key-leakage attacks, where n

denotes the security parameter, L = L(n) denotes the length of the secret key and m = m(n)

denotes the length of the plaintext.

Proof. Given an adversary A consider the algorithm A?that on input (g1,g2,u1,u2) ∈ G4acts as

follows:

1. A?chooses x1,x2,y1,y2,z1,z2∈ Zq and H ∈ H uniformly at random, and sets c = gx1

d = gy1

invokes A with input PK.

2. A?simulates the leakage oracle and the decryption oracle to A using SK.

3. When A outputs two messages M0and M1, the simulator A?chooses b ∈ {0,1} and s ∈ {0,1}t

independently and uniformly at random, computes

1gx2

2,

1gy2

2, h = gz1

1gz2

2, SK = (x1,x2,y1,y2,z1,z2), and PK = (g1,g2,c,d,h,H). Then A?

e = Ext(uz1

1uz2

2,s) ⊕ M, α = H(u1,u2,s,e), v = ux1+y1α

1

ux2+y2α

2

,

and sends A the challenge ciphertext (u1,u2,v,s,e).

4. If A outputs b then A?outputs 1, and otherwise A?outputs 0.

An immediate observation is that if (g1,g2,u1,u2) is a DH instance, then the simulation is

identical to the actual attack (and therefore A should have a non-negligble advantage in outputting

the bit b).

Claim 6.11. If (g1,g2,u1,u2) is a DH instance then A’s view is identical to the actual attack.

26

Page 28

Proof. The actual attack and the simulated attack are identical except for the challenge ciphertext.

It remains to prove that the challenge ciphertext has the correct distribution when (g1,g2,u1,u2)

is a DH instance. Indeed, in this case u1= gr

therefore ux1+y1α

12

= crdrαand uz1

1and u2= gr

2= hras it should be.

2for some randomly chosen r ∈ Zq, and

ux2y1α

1uz2

The more interesting part of the proof is devoted for showing that if (g1,g2,u1,u2) is a non-DH

instance then A has only a negligible advantage in outputting the bit b. From now on we assume

that (g1,g2,u1,u2) is a non-DH instance, where logg1(u1) = r1, logg2(u2) = r2, and r1?= r2.

We denote by (u∗

the event in which for one of A’s decryption queries (u1,u2,v,s,e) it holds that (u1,u2,s,e) ?=

(u∗

invalid if logg1(u?

In what follows we prove that if the event Collision does not occur then A has only a negligible

advantage in outputting the bit b. Specifically, we prove that: (1) if the event Collision does not

occur then the decryption oracle rejects all invalid ciphertexts except with a negligible probability,

and (2) if the decryption oracle rejects all invalid ciphertexts then A has only a negligible advantage

in outputting the bit b. We conclude by proving that the event Collision has a negligible probability

due to the security of the family H of universal one-way hash functions.

Claim 6.12. If (g1,g2,u1,u2) is a non-DH instance and the event Collision does not occur, then

the decryption algorithm rejects all invalid ciphertext except with a negligible probability.

1,u∗

2,v∗,s∗,e∗) the challenge ciphertext given to A, and denote by Collision

1,u∗

2,s∗,e∗) and H(u1,u2,s,e) = H(u∗

1) ?= logg2(u?

1,u∗

2,s∗,e∗). We say that a ciphertext (u?

1,u?

2,v?,s?,e?) is

2).

Proof. We prove the claim by considering the distribution of the point (x1,x2,y1,y2) ∈ Z4

the adversary’s point of view. Ignoring the leakage functions for now, the adversary is given the

public key (g1,g2,c,d,h,H) and the challenge ciphertext (u1,u2,v,s,e), and therefore from the

adversary’s point of view the point (x1,x2,y1,y2) is uniformly random subject to

where γ = logg1(g2).Note that by submitting valid ciphertexts to the decryption oracle the

adversary does not learn any more information on (x1,x2,y1,y2) (in fact, by submitting a valid

ciphertext the adversary only learns a linear combination of the constraint logg1(h) = z1+γz2that

is already known from the public key).

Denote by (u?

versary, where u?

the adversary prior to submitting the invalid ciphertext. The adversary learns at most λ bits of

leakage, and therefore

?H∞((x1,x2,y1,y2)|view) ≥ logq − λ .

ciphertext the probability of A in guessing (x1,x2,y1,y2) is at most 2−?H∞((x1,x2,y1,y2)|view)≤ 2λ/q.

There are three cases to consider:

qfrom

logg1(c) = x1+ γx2

logg1(d) = y1+ γy2

logg1(v) = r1x1+ r2γx2+ αr1y1+ αr2γy2

,

1,u?

1= gr?

2,v?,s?,e?) ?= (u1,u2,v,s,e) the first invalid ciphertext submitted by the ad-

1

1, u?

2= gr?

2

2, r?

1?= r?

2, and α?= H(u?

1,u?

2,s?,e?). Denote by view the view of

In particular, the definition of average min-entropy implies that prior to submitting the invalid

1. (u?

1,u?

2,s?,e?) = (u1,u2,s,e). In this case α?= α but v ?= v?and therefore the decryption

algorithm rejects.

2. (u?

1,u?

2,s?,e?) ?= (u1,u2,s,e) and α?= α. This is impossible since we assume that the event

Collision does not occur.

27

Page 29

3. (u?

1,u?

2,s?,e?) ?= (u1,u2,s,e) and α??= α. In this case, if the decryption algorithm accepts the

invalid ciphertext then we obtain the following linear equations:

As long as γ2(r1− r2)(r?

therefore the adversary can be used to guess (x1,x2,y1,y2). Thus, the probability that the

decryption algorithm accepts the first invalid ciphertext is at most 2λ/q.

logg1(c) = x1+ γx2

logg1(d) = y1+ γy2

logg1(v) = r1x1+ r2γx2+ αr1y1+ αr2γy2

logg1(v?) = r?

1x1+ r?

2γx2+ α?r?

1y1+ α?r?

2γy2

,

1− r?

2)(α − α?) ?= 0 these equations are linearly independent, and

An almost identical argument holds for all the subsequent invalid decryption queries. The only

difference is that each time the decryption oracle rejects an invalid ciphertext the adversary can

rule out one more value of (x1,x2,y1,y2). This shows that the decryption algorithm accepts the

i-th invalid ciphertext with probability at most 2λ/(q−i+1). The claim now follows from the fact

that the number of decryption queries is polynomial, and from the restriction λ ≤ logq −ω(logn).

Claim 6.13. If (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects all invalid

ciphertexts, then A has only a negligible advantage in outputting the bit b.

Proof. We show that if (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects

all invalid ciphertexts then with overwhelming probability the value uz1

at least logq−λ ≥ m+ω(logn) given all the other values in the adversary’s view. The average-case

strong extractor then guarantees that the part of the challenge ciphertext that depends on the bit

b is ?-close to uniform given the adversary’s view, for a negligible ? = ?(n).

We prove the claim by considering the distribution of the point (z1,z2) ∈ Zqfrom the adversary’s

point of view. The adversary is given the public key (g1,g2,c,d,h,H) and therefore from the

adversary’s point of view the point (z1,z2) is uniformly random subject to logg1(h) = z1+γz2, where

γ = logg1(g2). We assume that the decryption algorithm rejects all invalid ciphertext, and note

that by submitting valid ciphertexts to the decryption oracle the adversary does not learn any more

information (the adversary only learns a linear combination of the constraint logg1(h) = z1+ γz2).

Thus, the adversary does not learn any information on (z1,z2) via decryption queries.

Let u1= gr1

adversary. Then from the adversary’s point of view it holds that

1uz2

2has average min-entropy

1, u2= gr2

2, and denote by aux the output of all leakage functions chosen by the

?H∞(uz1

1uz2

2| g1,g2,c,d,h,H,aux,u1,u2) =?H∞(r1z1+ γr2z2| γ,c,d,h,H,aux,r1,r2) .

Note that as long as γ(r1−r2) ?= 0, then for any w = uz1

z2) are linearly independent:

?logg1(h) = z1+ γz2

which implies that given (γ,h,r1,r2) the function (z1,z2) → r1z1+γr2z2is injective. Applying an

injective function to a distribution preserves its min-entropy, and therefore

1uz2

2the following two equations (in z1and

logg1(w) = r1z1+ γr2z2

?H∞(r1z1+ γr2z2| γ,c,d,h,H,aux,r1,r2) =?H∞((z1,z2) | γ,c,d,h,H,aux,r1,r2)

=?H∞((x1,x2) | γ,c,d,h,H,aux) ,

28

Page 30

where the second equality follows from the fact that (z1,z2,γ,c,d,h,H,aux) are all chosen indepen-

dently of (r1,r2). Finally, the leakage aux obtains at most 2λpossible output values, and therefore

(see Lemma 2.1)

?H∞((z1,z2) | γ,c,d,h,H,aux) ≥ H∞((z1,z2) | γ,c,d,h,H) − λ

≥ logq − λ .

Combining all of the above, with overwhelming probability it holds that

= H∞((z1,z2) | γ,z1+ γz2) − λ

?H∞(uz1

1uz2

2| g1,g2,c,d,h,H,aux,u1,u2) ≥ logq − λ .

Claim 6.14. If (g1,g2,u1,u2) is a non-DH instance then the event Collision occurs with only a

negligible probability.

Proof. Given an adversary A for which the event Collision occurs with only a negligible probability,

we construct an algorithm A??that breaks the security of the universal one-way hash functions. A??

is essentially identical to A?that was described above, except for choosing (u1,u2,s,e) before the

function H is chosen, where e ∈ {0,1}mis chosen uniformly at random instead of as a function of

the messages M0and M1. We claim, however, that as long as the event Collision does not occur

then A cannot distinguish between A?and A??(the argument is identical to the proofs of Claims

6.12 and 6.13). Therefore, A helps A??to find a collision with H(u1,u2,s,e) with a non-negligible

probability.

Formally, consider the following algorithm A??that attacks the family H of universal one-way

hash functions:

1. A??chooses (g1,g2,u1,u2) ∈ G4, s ∈ {0,1}tand e ∈ {0,1}muniformly at random, and

announces (u1,u2,s,e).

2. A??is given as input a randomly chosen function H ∈ H.

3. A??chooses x1,x2,y1,y2,z1,z2∈ Zq independently and uniformly at random, and sets c =

gx1

Then A?sends PK to A.

4. A?simulates the leakage oracle and the decryption oracle to A using SK.

5. In the challenge phase A?ignores the two messages M0,M1∈ {0,1}m, computes

α = H(u1,u2,s,e), v = ux1+y1α

1gx2

2, d = gy1

1gy2

2, h = gz1

1gz2

2, SK = (x1,x2,y1,y2,z1,z2), and PK = (g1,g2,c,d,h,H).

1

ux2+y2α

2

,

and sends A the challenge ciphertext (u1,u2,v,s,e).

6. If at some point A submits a decryption query (u?

(u1,u2,s,e) and H(u?

A??outputs ⊥.

1,u?

2,v?,s?,e?) such that (u?

1,u?

2,s?,e?) ?=

1,u?

2,s?,e?) = H(u1,u2,s,e) then A??outputs (u?

1,u?

2,s?,e?). Otherwise

29

Page 31

Claim 6.12 guarantees that as long as the event Collision does not occur, then the decryp-

tion algorithm rejects all invalid ciphertexts except with a negligible probability. Claim 6.13 that

guarantees that as long as the decryption algorithm rejects all invalid ciphertexts then A cannot

distinguish between A?and A??. Specifically, both in the execution with A?and in the execution

with A??the component in the challenge ciphertext that depends on the bit b is ?-close to ran-

dom given the adversary’s view (for some negligible ? = ?(n)). Therefore, with a non-negligible

probability A submits a ciphertext (u?

H(u?

1,u?

2,v?,s?,e?) such that (u?

1,u?

2,s?,e?) ?= (u1,u2,s,e) and

1,u?

2,s?,e?) = H(u1,u2,s,e), and in this case A??finds a collision.

This concludes the proof of Theorem 6.10.

7Protecting Against Weak Key-Leakage Attacks

In this section we consider weak key-leakage attacks (see Definition 3.4), in which a leakage function

with output length λ is chosen by the adversary ahead of time without any knowledge of the public

key. We present a generic construction that transforms any encryption scheme to one that is

resilient to any weak leakage of L(1 − o(1)) bits, where L is the length of the secret key. The

resulting scheme is essentially as efficient as the original one, and does not rely on additional

computational assumptions.

As discussed in Section 1.1, although this notion of key leakage seems very limited, it still

captures many realistic attacks in which the leakage does not depend on the parameters of the

encryption scheme. Specifically, this notion captures the cold boot attack of Halderman et al. [21],

in which the leakage depends only on the properties of the hardware devices that are used for

storing the secret key.

Let Π = (G,E,D) be any public-key encryption scheme, and denote by m = m(n) the length

of the random string used by G(1n). Given a leakage parameter λ = λ(n), let Ext : {0,1}k(n)×

{0,1}t(n)→ {0,1}m(n)be an average-case (k − λ,?)-strong extractor for some negligible ? = ?(n).

Consider the encryption scheme Πλ= (Gλ,Eλ,Dλ) defined as follows:

• Key generation: On input 1nchoose x ∈ {0,1}k(n)and s ∈ {0,1}t(n)uniformly at random,

and compute (pk,sk) = G(Ext(x,s)). Output PK = (pk,s) and SK = x.

• Encryption: On input a message M and a public-key PK = (pk,s), choose r ∈ {0,1}∗

uniformly at random and output (E(pk,M;r),s).

• Decryption: On input a ciphertext (c,s) and a secret key SK = x, compute (pk,sk) =

G(Ext(x,s)) and output D(sk,c).

The following theorem states that if Π is semantically secure, then Πλis resilient to any weak

key leakage of λ bits.

Theorem 7.1. Let (G,E,D) be a semantically secure public-key encryption scheme. Then, for

any polynomial λ = λ(n) the scheme (Gλ,Eλ,Dλ) is semantically secure against weak λ-key-leakage

attacks.

Proof. We show that for any efficient adversary A and ensemble F of efficiently computable leakage

functions, there exists an efficient adversary A?such that

AdvWeakLeakage

Πλ,A,F

For b ∈ {0,1} consider the following experiment denoted ExptΠ,A,F(b):

(n) ≤ AdvCPA

Π,A?(n) + 2?(n) .

30

Page 32

1. Choose x ∈ {0,1}k(n), s ∈ {0,1}t(n), and y ∈ {0,1}m(n)uniformly at random. Compute

(pk,sk) = G(y). Let PK = (pk,s) and SK = sk.

2. (M0,M1,state) ← A1(PK,fn(x)) such that |M0| = |M1|.

3. C ← Epk(Mb).

4. b?← A2(C,state)

5. Output b?.

Using the notation of Definition 3.4 and the triangle inequality, for any adversary A it holds that

AdvWeakLeakage

Πλ,A,F

≤

+??Pr?ExptΠ,A,F(0) = 1?− Pr?ExptΠ,A,F(1) = 1???

(n) =

???Pr

?

ExptWeakLeakage

Πλ,A,F

ExptWeakLeakage

Πλ,A,F

(0) = 1

?

− Pr

− Pr?ExptΠ,A,F(0) = 1????

?

?

ExptWeakLeakage

Πλ,A,F

(1) = 1

????

???Pr

+

?

(0) = 1

?

(7.1)

(7.2)

???Pr?ExptΠ,A,F(1) = 1?− Pr

ExptWeakLeakage

Πλ,A,F

(1) = 1

???? .

(7.3)

The experiment ExptΠ,A,F(b) is identical to the experiment ExptWeakLeakage

that the key generation algorithm G is invoked on a truly random input y and not on input Ext(x,s).

Note, however, that the average min-entropy of x given fn(x) is at least k − λ, and therefore the

average-case strong extractor guarantees that the statistical distance between the views of the

adversary in these two experiments is at most ?. A crucial point here is that the leakage function

is independent of the public key, and specifically, independent of the seed s. This implies that each

of the terms (7.1) and (7.3) is upper bounded by ?.

In addition, it is rather straightforward that there exists a CPA-adversary A?for which the

term (7.2) is upper bounded by AdvCPA

Πλ,A,F

(b) other than the fact

Π,A?(n), and this concludes the proof.

Generalization to hard-to-invert leakage.

in which the secret key is information-theoretically unpredictable given the leakage information.

One can also consider leakage attacks in which the secret key is only computationally unpredictable.

That is, the leakage may completely determine the secret key, but it is computationally hard to

actually recover the secret key. Such a notion of key leakage was studied by Dodis, Tauman Kalai,

and Lovett [13] in the setting of symmetric-key encryption. They introduced a new computational

assumption that is a generalization of learning parity with noise, and constructed symmetric-key

encryption schemes that are resilient to leakage of the form f(sk), where f is any exponentially-hard

one-way function.

The above construction for protecting against weak key-leakage attacks can be generalized in a

straightforward manner to provide protection against any leakage that is sufficiently hard to invert.

Specifically, the only modification to the above construction is that the strong extractor Ext(x,s)

is replaced by Goldreich-Levin hard-core bits GL(x,s) [17] (recall that x is the secret key, and s is

part of the public key). Thus, the resulting encryption scheme is secure with respect to any leakage

of the form f(x), where GL(x,s) is a string of m?bits (for some constant ? > 0) that is hard core

for f (note that a pseudorandom generator can be applied to GL(x,s) to obtain a pseudorandom

string of length m to be used by the key-generation algorithm). In particular, this is known to

be satisfied by any 2Ω(m?)-hard one-way function f : {0,1}m→ {0,1}m?(see, for example, [17,

Corollary 1]).

So far in this paper we considered leakage attacks

31

Page 33

8Protecting Against Generalized Forms of Key-Leakage Attacks

In this section we present several generalizations of key-leakage attacks that extend the framework

presented in Section 3, and show that they are satisfied by our schemes.

8.1Noisy Leakage

In the side-channel attack of Halderman et al. [21] the adversary learns a noisy version of all of the

memory. This is a more general scenario than the scenario captured by Definition 3.1: The leakage

is not of bounded length, but it is guaranteed that the secret key is still somewhat unpredictable

given the leakage. This motivates a realistic generalization that allows the adversary to learn

any random variable W (representing the leakage information) for which the conditional mutual

information (adapted to average min-entropy8) of the secret key and W given the public key is at

most λ. That is, the adversary can learn any random variable W for which

?I∞(SK;W|PK)def

=?H∞(SK|PK) −?H∞(SK|PK,W) ≤ λ

In the information-theoretic setting, this generalization does not necessarily strengthen the defi-

nition, since W may be compressed to essentially λ bits. However, in the computational setting

(which is the setting we consider in this work) we can conjecture that this notion is stronger9.

Our generic construction from hash proof systems satisfies this notion of security assuming an

additional property of the underlying hash proof system (that is satisfied by all the constructions

in this paper). Informally, using the notation introduced in Section 2.3, the required property is

that with overwhelming probability over the choice of an invalid ciphertext C ∈ C \ V, there is no

substantial gap between the min-entropy of the secret key sk ∈ SK and the min-entropy of the

encapsulated key Λsk(C) ∈ K, both conditioned on the public key pk ∈ PK. For example, for the

hash proof systems underlying the schemes in Sections 4.2 and 5.1 it holds that?I∞(Λsk(C);W|pk) =

property holds for the hash proof system underlying the scheme in Section 5.2). In addition, it is

rather straightforward to verify that our CCA-secure constructions (both the generic construction

and the two specific constructions) and the generic construction for protecting against weak leakage

attacks satisfy this notion of security.

?I∞(sk;W|pk), and this suffices for the same proofs of security to go through (a slightly more subtle

8.2 Leakage of Intermediate Values from the Key-Generation Process

Definition 3.1 assumes that the adversary does not learn any of the intermediate values that occur

during the generation of the secret and public keys. In practice, however, this is not always a valid

assumption. Specifically, in the attack of Halderman et al. [21] the adversary learns a noisy version

of all of the memory, and it is rather likely that intermediate values from the generation of the keys

are not always completely erased. This motivates a natural generalization that allows the adversary

to learn functions of the random bits that are used by the key generation algorithm. Encryption

schemes that satisfy this notion of security are more robust to leakage in the sense that the key

generation algorithm does not have to make sure that all intermediate key-related values have been

deleted. In addition, this generalization is especially important to security under composition of

cryptographic primitives. For example, the key generation algorithm may use random bits (or

8For Shannon entropy, the conditional mutual information of X and Y given Z is defined as I(X;Y |Z) = H(X|Z)−

H(X|Y,Z).

9See, as an analogy, the trade-off presented by Harsha et al. [22] between communication complexity and compu-

tation.

32

Page 34

pseudorandom bits) that are the output of another primitive (say, a pseudorandom generator)

which may also suffer from unintended leakage of sensitive information.

All of our constructions in this paper, except for the generic CCA-secure construction in Section

6.1, are secure according to this generalization10. Informally, the proofs of security of our schemes

(other than the generic CCA-secure scheme) rely on an indistinguishability argument over the

challenge ciphertext and not over the public key. As a result, the simulators in the proofs of

security always generate the secret key and public key by themselves, and therefore they know

the random bits used by the key generation algorithm and can simulate the leakage oracle to the

adversary. A minor comment is that the simulators do not always generate the public parameters of

the hash proof system by themselves. These public parameters, however, can be shared among all

users and therefore they do not have to be included in the key generation algorithm. For example,

when instantiating the generic construction presented in Section 4.1 with the Paillier-based hash

proof system of Cramer and Shoup [8], the public parameters include a modulus N = PQ. In this

case, as demonstrated by Rivest and Shamir [40], an adversary that obtains leakage information

on the random bits used to generate N can efficiently compute its factorization and completely

compromise the security of the scheme. However, the factorization of N is not needed for the

encryption scheme (i.e., it is not part of the secret key), and therefore it is possible to assume that

N is publicly known and is not part of the key generation algorithm (exactly as suggested in [8]).

8.3Keys Generated using Weak Random Sources

When considering leakage of the random bits that are used by the key generation algorithm (as in

Section 8.2), then from the adversary’s point of view these bits are uniformly distributed subject

to the leakage information. A natural generalization in this setting is to consider cases in which

the keys are generated using a weak source of random bits. This is relevant, in particular, in light

of crucial security vulnerabilities that were recently identified in pseudorandom generators that are

used by many systems [15, 20, 45].

Formally, we consider the following security experiment. First, a global algorithm generates

public parameters for the encryption scheme. These parameters are generated using truly random

(or pseudorandom) bits, and are shared among all users. Next, we allow the adversary to specify a

distribution of random bits that will be used to generate the secret key and public key of a specific

user. The adversary can choose this distribution as a function of the public parameters, and the

only restriction is a predetermined lower bound on the min-entropy of the distribution. Then, the

experiment continues as in the standard indistinguishability of encryptions experiment.

10The generic CCA-secure construction in Section 6.1 can be made secure against such attacks by requiring two

additional simple properties from its building blocks. First, the public key pk1 should be sampled without producing

a corresponding secret key (note that the secret key of the resulting scheme does not include sk1 anyway). That

is, there should be an efficient algorithm that generates pk1, such that the scheme is secure even if the adversary

knows the random bits used for generate pk1. This property is satisfied by the schemes in Sections 4.2, 5.1, and 5.2.

Moreover, we note that in fact pk1 does not have to come from an encryption scheme that is resilient to key-leakage

attacks – only pk0 has to be resilient to key-leakage attacks (as shown by the proofs of Claims 6.4 and 6.5), and

therefore any public-key encryption scheme with such an oblivious sampling algorithm can be used for pk1. Second,

the NIZK proof system should also have such a property with respect to the common reference string. That is, the

NIZK proof system should maintain its security even if the adversary knows the random bits used for generating the

common reference string (note that this should hold only for the “real” reference string, and not for the “simulated”

one). In particular, this is satisfied by any NIZK proof system in which the common reference string is a uniformly

random string. A similar comment is in place also for the CCA2-secure construction in Section 6.3: the universal one-

way hash functions should be secure even if the adversary knows the random bits used for generating the description

of a function. In general, this is a seemingly stronger requirement (see [24]), but in practice this is not a concern

since the universal one-way hash functions can be instantiated with a fixed hash function, such as SHA-256.

33

Page 35

Our schemes in Sections 4.2, 5.1, 5.2, and 6.2 satisfy this notion of security. For simplicity, we

exemplify this fact using the scheme from Section 4.2, and note that ideas we present here easily

extend to the other schemes11. The public parameters of the scheme consist of a description of

a group G of prime order q, and two generators g1,g2∈ G that are chosen uniformly at random

(these are the public parameters of the corresponding hash proof system). The secret key of the

scheme is a pair (x1,x2) ∈ Z2

the secret key is sampled. The adversary can choose this distribution as a function of the public

parameters, and we only require that it has min-entropy at least logq + ω(logn) + m, where m

is the length of plaintexts (note that this is rather far from the uniform distribution over Z2

a wide range of parameters). The public key is then computed as h = gx1

security, we observe that if (g1,g2,u1,u2) is not a Diffie-Hellman tuple (i.e., u1= gr1

r1?= r2), then it holds that

q, and we allow the adversary to specify the distribution from which

qfor

1gx2

2. For the proof of

1, u2= gr2

2, and

?H∞(ux1

1ux2

2|h) =?H∞((x1,x2)|h) ≥ H∞(x1,x2) − logq = m + ω(logn)

Thus, the average-case strong-extractor Ext guarantees that Ext(ux1

m-bit challenge plaintext.

1ux2

2,s) statistically masks the

8.4Leakage of Intermediate Values from the Decryption Process

An additional strengthening of Definition 3.1 is to consider leakage that may occur during com-

putation, and not only leakage from the stored key. Specifically, an invocation of the decryption

algorithm may produce various intermediate values, whose leakage may compromise the security

of the scheme even if the scheme is robust against leakage from the stored key. Such a notion of

security is generically guaranteed when considering leakage of fixed bounded length (as in Defini-

tion 3.1). However, it is not always guaranteed when the adversary obtains all of the memory in a

noisy fashion (as discussed in Section 8.1).

Consider the seemingly contrived example of a decryption algorithm that first encodes the secret

key using a good error-correcting code, and then performs the actual decryption. In this case, an

adversary that obtains a noisy variant of the memory can clearly recover the secret key. This exam-

ple, however, is not so contrived, since as demonstrated by Halderman et al., encryption schemes

typically compute intermediate key-related values whose representation is rather redundant, and

this can be used to attack the scheme. Moreover, even if the encryption scheme itself does not ex-

plicitly instructs to compute intermediate values, it may be the case that such values are computed

by a specific implementation of the encryption scheme.

Although when presenting our encryption schemes in this paper we do not specify exact im-

plementations of their decryption algorithms, we point out that they can be implemented while

introducing only minimal redundancy. That is, the key-related computation has “low bandwidth”:

at any point in time the (natural) decryption algorithm works on a limited part of the key and the

intermediate results are also succinct. For example, the natural implementation of the decryption

algorithms of the schemes in Section 5 require space that is significantly smaller than the size of

their corresponding secret keys: for the scheme in Section 5.2, the length of the secret key is ? bits,

and the decryption algorithm requires only O(logq) bits where ? is significantly larger than logq,

and a similar property is satisfied by the scheme in Section 5.1.

11We note that these feasibility results do not contradict the negative result of Dodis et al. [10] on the possibility

of public-key encryption with imperfect randomness. Specifically, our generalization circumvents their impossibility

result by assuming that truly random bits are available for the encryption algorithm, and that only the keys are

generated using imperfect randomness.

34

Page 36

References

[1] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup. Tag-KEM/DEM: A new framework for

hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In Advances in Cryptology

– EUROCRYPT ’05, pages 128–146, 2005.

[2] A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits and cryptog-

raphy against memory attacks. In Proceedings of the 6th Theory of Cryptography Conference,

pages 474–495, 2009.

[3] E. Biham and A. Shamir. Differential fault analysis of secret key cryptosystems. In Advances

in Cryptology – CRYPTO ’97, pages 513–525, 1997.

[4] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology –

CRYPTO ’04, pages 41–55, 2004.

[5] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking cryptographic

protocols for faults. In Advances in Cryptology – EUROCRYPT ’97, pages 37–51, 1997.

[6] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky. Circular-secure encryption from decision

Diffie-Hellman. In Advances in Cryptology – CRYPTO ’08, pages 108–125, 2008.

[7] R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, and A. Sahai. Exposure-resilient functions

and all-or-nothing transforms. In Advances in Cryptology – EUROCRYPT ’00, pages 453–469,

2000.

[8] R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext

secure public-key encryption. In Advances in Cryptology – EUROCRYPT ’02, pages 45–64,

2002.

[9] R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure

against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003.

[10] Y. Dodis, S. J. Ong, M. Prabhakaran, and A. Sahai. On the (im)possibility of cryptography

with imperfect randomness. In Proceedings of the 45th Annual IEEE Symposium on Founda-

tions of Computer Science, pages 196–205, 2004.

[11] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong

keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1):97–139, 2008.

[12] Y. Dodis, A. Sahai, and A. Smith. On perfect and adaptive security in exposure-resilient

cryptography. In Advances in Cryptology – EUROCRYPT ’01, pages 301–324, 2001.

[13] Y. Dodis, Y. Tauman Kalai, and S. Lovett. On cryptography with auxiliary input. To appear

in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, 2009.

[14] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. SIAM Journal on Computing,

30(2):391–437, 2000.

[15] L. Dorrendorf, Z. Gutterman, and B. Pinkas. Cryptanalysis of the windows random number

generator. In Proceedings of the 2007 ACM Conference on Computer and Communications

Security, pages 476–485, 2007.

35

Page 37

[16] S. Dziembowski and K. Pietrzak. Leakage-resilient cryptography. In Proceedings of the 49th

Annual IEEE Symposium on Foundations of Computer Science, pages 293–302, 2008.

[17] O. Goldreich and L. A. Levin. A hard-core predicate for all one-way functions. In Proceedings

of the 21st Annual ACM Symposium on Theory of Computing, pages 25–32, 1989.

[18] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System

Sciences, 28(2):270–299, 1984.

[19] S. Goldwasser, Y. Tauman Kalai, and G. N. Rothblum. One-time programs. In Advances in

Cryptology – CRYPTO ’08, pages 39–56, 2008.

[20] Z. Gutterman, B. Pinkas, and T. Reinman. Analysis of the linux random number generator.

In IEEE Symposium on Security and Privacy, pages 371–385, 2006.

[21] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J.

Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption

keys. In Proceedings of the 17th USENIX Security Symposium, pages 45–60, 2008.

[22] P. Harsha, Y. Ishai, J. Kilian, K. Nissim, and S. Venkatesh. Communication versus com-

putation. In Proceedings of the 31st International Colloquium on Automata, Languages and

Programming, pages 745–756, 2004.

[23] N. Heninger and H. Shacham. Improved RSA private key reconstruction for cold boot attacks.

Cryptology ePrint Archive, Report 2008/510, 2008.

[24] C.-Y. Hsiao and L. Reyzin. Finding collisions on a public road, or do secure hash functions

need secret coins? In Advances in Cryptology – CRYPTO ’04, pages 92–105, 2004.

[25] Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private circuits II: Keeping secrets in

tamperable circuits. In Advances in Cryptology – EUROCRYPT ’06, pages 308–327, 2006.

[26] Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing attacks.

In Advances in Cryptology – CRYPTO ’03, pages 463–481, 2003.

[27] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from computational Diffie-Hellman

in cryptographic groups. Journal of Cryptology, 16(4):239–247, 2003.

[28] E. Kiltz. Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman.

In Proceedings of the 10th International Conference on Practice and Theory in Public-Key

Cryptography, pages 282–297, 2007.

[29] E. Kiltz, K. Pietrzak, M. Stam, and M. Yung. A new randomness extraction paradigm for

hybrid encryption. To appear in Advances in Cryptology – EUROCRYPT ’09, 2009.

[30] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other

systems. In Advances in Cryptology – CRYPTO ’96, pages 104–113, 1996.

[31] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Advances in Cryptology –

CRYPTO ’99, pages 388–397, 1999.

[32] K. Kurosawa and Y. Desmedt. A new paradigm of hybrid encryption scheme. In Advances in

Cryptology – CRYPTO ’04, pages 426–442, 2004.

36

Page 38

[33] Y. Lindell. A simpler construction of CCA2-secure public-key encryption under general as-

sumptions. Journal of Cryptology, 19(3):359–377, 2006.

[34] U. M. Maurer. On the oracle complexity of factoring integers. Computational Complexity,

5(3-4):237–247, 1995.

[35] S. Micali and L. Reyzin. Physically observable cryptography. In Proceedings of the 1st Theory

of Cryptography Conference, pages 278–296, 2004.

[36] M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext

attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pages

427–437, 1990.

[37] C. Petit, F.-X. Standaert, O. Pereira, T. Malkin, and M. Yung. A block cipher based pseudo

random number generator secure against side-channel key recovery. In Proceedings of the ACM

Symposium on Information, Computer and Communications Security (ASIACCS), pages 56–

65, 2008.

[38] K. Pietrzak. A leakage-resilient mode of operation. To appear in Advances in Cryptology –

EUROCRYPT ’09, 2009.

[39] O. Regev.

Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pages 84–93, 2005.

On lattices, learning with errors, random linear codes, and cryptography.In

[40] R. L. Rivest and A. Shamir. Efficient factoring based on partial information. In Advances in

Cryptology – EUROCRYPT ’85, pages 31–34, 1985.

[41] J. Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings

of the 22nd Annual ACM Symposium on Theory of Computing, pages 387–394, 1990.

[42] A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext secu-

rity. In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science,

pages 543–553, 1999.

[43] H. Shacham. A Cramer-Shoup encryption scheme from the Linear assumption and from pro-

gressively weaker Linear variants. Cryptology ePrint Archive, Report 2007/074, 2007.

[44] V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryp-

tology – EUROCRYPT ’97, pages 256–266, 1997.

[45] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. PRNG PR0N: Understanding

the Debian OpenSSL debacle. Manuscript, 2008.

A The Matrix d-Linear Assumption

Let G be an algorithm that takes as input a security parameter and outputs a triplet G = (G,q,g)

where G a group of order q that is generated by g. We denote by Rki(Za×b

matrices over Zqwith rank i. For a matrix R = {ri,j}i∈[a],j∈[b]∈ Za×b

{gi,j}i∈[a],j∈[b]= {gri,j}i∈[a],j∈[b]∈ Ga×b.

The matrix d-Linear assumption is that for any integers a and b, and for any d ≤ i < j ≤

min{a,b} the ensembles {(G,gR)}R∈Rki(Za×b

indistinguishable, where G = (G,q,g) ← G(1n). We prove the following lemma (noting that Boneh

et al. [6] proved it for d = 1):

q

) the set of all a × b

we denote by gRthe matrix

q

q

),n∈Nand {(G,gR)}R∈Rkj(Za×b

q

),n∈Nare computationally

37

Page 39

Lemma A.1. The d-Linear assumption implies the matrix d-Linear assumption.

Proof. We show that for any d ≤ i < min{a,b} an efficient distinguisher A that distinguishes be-

tween the ensembles {(G,gR)}R∈Rki(Za×b

advantage can be used to construct an efficient distinguisher A?for the d-Linear problem.

On input

d+1

where G = (G,q,g) ← G(1n), the distinguisher A?

constructs the following matrices:

gr1

1

gr2

2

···

q

),n∈Nand {(G,gR)}R∈Rki+1(Za×b

?

···

g0

···

...

...

···

grd−1

d−1

Φ1

Idi−d

0a−i,b−i

q

),n∈Nwith a non-negligible

?G,g1,...,gd+1,gr1

1,...,grd+1

Φ1=

g1

g0

...

...

g0

g0

g2

...

...

···

···

g0

g0

...

...

gd

grd

d

gd+1

gd+1

...

...

gd+1

grd+1

d+1

g0

∈ G(d+1)×(d+1)

Φ2=

∈ Ga×b

where Idi−dis the identity matrix of size i − d of G (i.e., g on the main diagonal and g0all other

entries), 0a−i,b−iis the zero matrix of G of size (a − i) × (b − i) (i.e., g0all entries), and all the

other blocks in Φ2are zero matrices.

Then, A?chooses invertible matrices L ∈ Za×a

random, invokes A on input Φ3 = L ⊗ Φ2⊗ R ∈ Ga×b(where ⊗ is naturally defined using Zq

operations in the exponent), and outputs whatever A outputs.

In what follows we prove that with overwhelming probability if rd+1=?d

Ψ3∈ Rki+1(Za×b

w1r1

w2r2

···

The elements g1,...,gd+1are chosen uniformly at random, and therefore with overwhelming prob-

ability it holds that?d+1

q

and R ∈ Zb×b

q

independently and uniform at

i=1rithen Φ3= gΨ3

for a randomly chosen Ψ3∈ Rki(Za×b

q

). For every 1 ≤ i ≤ d + 1 let wi= logg(gi). Then Φ1= gΨ1where

0

···

0

w2

0

...

...

0

···

wd−1rd−1

q

), and if rd+1?=?d

i=1rithen Φ3= gΨ3for a randomly chosen

Ψ1=

w1

···

···

0

0

...

...

wd+1

wd+1

...

...

wd+1

wd+1rd+1

...

...

...

...

0

···

wd

wdrd

∈ Z(d+1)×(d+1)

q

.

i=1wi ?= 0. In this case, if rd+1 =?d

i=1ri then Ψ1 has rank d, and if

rd+1?=?d

i=1rithen Ψ1has rank d + 1. There, the matrix

Ψ2=

R1

Idi−d

0a−i,b−i

∈ Za×b

q

either has rank i if rd+1=?d

with rank i + 1.

i=1rior has rank i + 1 if rd+1?=?d

i=1ri. This implies that Ψ3=

LΨ2R ∈ Za×b

q

is either a uniformly distributed matrix with rank i or a uniformly distributed matrix

38