Page 1
Public-Key Cryptosystems Resilient to Key Leakage
Moni Naor∗
Gil Segev†
Abstract
Most of the work in the analysis of cryptographic schemes is concentrated in abstract ad-
versarial models that do not capture side-channel attacks. Such attacks exploit various forms
of unintended information leakage, which is inherent to almost all physical implementations.
Inspired by recent side-channel attacks, especially the “cold boot attacks”, Akavia, Goldwasser
and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of
encryption schemes against a wide class of side-channel attacks in which adversarially cho-
sen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al.
showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of L/polylog(L)
bits, where L is the length of the secret key.
In this paper we revisit the above-mentioned framework and our main results are as follows:
• We present a generic construction of a public-key encryption scheme that is resilient to key
leakage from any universal hash proof system. The construction does not rely on additional
computational assumptions, and the resulting scheme is as efficient as the underlying proof
system. Existing constructions of such proof systems imply that our construction can be
based on a variety of number-theoretic assumptions, including the decisional Diffie-Hellman
assumption (and its progressively weaker d-Linear variants), the quadratic residuosity
assumption, and Paillier’s composite residuosity assumption.
• We construct a new hash proof system based on the decisional Diffie-Hellman assumption
(and its d-Linear variants), and show that the resulting scheme is resilient to any leakage
of L(1−o(1)) bits. In addition, we prove that the recent scheme of Boneh et al. (CRYPTO
’08), constructed to be a “circular-secure” encryption scheme, is resilient to any leakage of
L(1−o(1)) bits. These two proposed schemes complement each other in terms of efficiency.
• We extend the framework of key leakage to the setting of chosen-ciphertext attacks. On
the theoretical side, we prove that the Naor-Yung paradigm is applicable in this setting
as well, and obtain as a corollary encryption schemes that are CCA2-secure with any
leakage of L(1 − o(1)) bits. On the practical side, we prove that variants of the Cramer-
Shoup cryptosystem (along the lines of our generic construction) are CCA1-secure with
any leakage of L/4 bits, and CCA2-secure with any leakage of L/6 bits.
∗Incumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Mathematics,
Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il. Research supported in
part by a grant from the Israel Science Foundation.
†Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100,
Israel. Email: gil.segev@weizmann.ac.il. Research supported by the Adams Fellowship Program of the Israel
Academy of Sciences and Humanities, and by a grant from the Israel Science Foundation.
Page 2
Contents
1 Introduction
1.1Our Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Paper Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2
2
5
6
2Preliminaries, Assumptions, and Tools
2.1 Computational Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2Randomness Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Hash Proof Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6
6
7
7
3Defining Key-Leakage Attacks
3.1 Chosen-Plaintext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Chosen-Ciphertext Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . .
3.3 Weak Key-Leakage Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9
9
10
11
4A Generic Construction from Hash Proof Systems
4.1The Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 Example: A DDH-Based Instantiation . . . . . . . . . . . . . . . . . . . . . . . . . .
11
12
13
5Improved Resilience Based on DDH and d-Linear
5.1Proposal 1: A New Hash Proof System . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Proposal 2: The BHHO Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.3Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
14
16
17
6Protecting Against Chosen-Ciphertext Key-Leakage Attacks
6.1A Generic Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2 An Efficient CCA1-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.3An Efficient CCA2-Secure Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . .
17
18
22
25
7Protecting Against Weak Key-Leakage Attacks 30
8Protecting Against Generalized Forms of Key-Leakage Attacks
8.1Noisy Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.2 Leakage of Intermediate Values from the Key-Generation Process . . . . . . . . . . .
8.3Keys Generated using Weak Random Sources . . . . . . . . . . . . . . . . . . . . . .
8.4 Leakage of Intermediate Values from the Decryption Process
32
32
32
33
34 . . . . . . . . . . . . .
A The Matrix d-Linear Assumption37
1
Page 3
1Introduction
Proving the security of a cryptographic scheme consists of two main ingredients: (1) an adver-
sarial model that specifies the adversarial access to the system and the adversary’s computational
capabilities, and (2) a notion of security that specifies what it means to “break” the security of
the scheme. Whereas notions of security have significantly evolved over the years (following the
seminal work of Goldwasser and Micali [18]), the vast majority of cryptographic schemes are ana-
lyzed in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit
unintended leakage of information which is inherent to almost all physical implementations. Over
the years side-channel attacks exposed crucial vulnerabilities of systems that are considered secure
in standard adversarial models (see, for example, [3, 5, 30, 31]).
Countermeasures for protecting against side-channel attacks are taken on two complementing
levels: the hardware level and the software level. Preventing unintended leakage on the hardware
level is typically rather inefficient and expensive, and is even impossible in some cases. It is thus
highly desirable to protect, as much as possible, against side-channel attacks on the software level
by modeling such attacks using abstract notions of computation.
Physically observable cryptography.
forward a powerful and comprehensive framework for modeling security against side-channel at-
tacks. Their framework captures any such attack in which leakage of information occurs as a result
of computation. The framework relies on the basic assumption that computation and only compu-
tation leaks information, that is, there is no leakage of information in the absence of computation.
This assumption has led to the construction of various cryptographic primitives that are robust to
“computational” leakage (see, for example, [16, 19, 35, 37, 38]).
In their pioneering work, Micali and Reyzin [35] put
Memory-leakage attacks.
violate the basic assumption underlying the framework of Micali and Reyzin. Halderman et al.
showed that, contrary to popular assumptions, a computer’s memory is not erased when it loses
power. They demonstrated that ordinary DRAMs typically lose their contents gradually over a
period of seconds, and that residual data can be recovered using simple, non-destructive techniques
that require only momentary physical access to the machine. Halerman et al. presented attacks
that exploit DRAM remanence effects to recover cryptographic keys held in memory. Specifically,
their “cold boot” attacks showed that a significant fraction of the bits of a cryptographic key can
be recovered if the key is ever stored in memory. Halderman et al. managed to completely com-
promise the security of several popular disk encryption systems (including BitLocker, TrueCrypt,
and FileVault), and to reconstruct DES, AES, and RSA keys (see also the improved RSA key
reconstruction by Heninger and Shacham [23]).
Inspired by the cold boot attacks, Akavia, Goldwasser and Vaikuntanathan [2] formalized a
general framework for modeling “memory attacks” in which adversarially chosen functions of the
secret key are leaked in an adaptive fashion, with the only restriction that the total amount of
leakage is bounded. Akavia et al. showed that the lattice-based public-key encryption scheme of
Regev [39] is resilient to such key leakage (to an extent that depends on the amount of leakage) by
slightly strengthening the computational assumption that is required by the original scheme.
Recently, Halderman et al. [21] presented a suite of attacks that
1.1 Our Contributions
In this work we revisit the framework of key-leakage attacks introduced by Akavia et al. in the setting
of public-key encryption. We present a generic construction of a public-key encryption scheme that
2
Page 4
is resilient to key leakage, and show that the construction can be based on a variety of number-
theoretic assumptions (see below). Moreover, we demonstrate that our approach leads to encryption
schemes that are both resilient to significantly large amounts of leakage, and that are very efficient
and can be used in practice (see, in particular, the instantiation in Section 4.2 that is based on
the decisional Diffie-Hellman assumption). In addition, we extend the framework of key-leakage
attacks to the setting of chosen-ciphertext attacks. We present both a generic transformation from
chosen-plaintext security to chosen-ciphertext security in the context of key-leakage attacks, and
efficient schemes that are based on specific number-theoretic assumptions.
In what follows we present a more elaborated exposition of our results, but first, we briefly
describe the framework of Akavia et al. and their results. Informally, an encryption scheme is
resilient to key-leakage attacks if it is semantically secure even when the adversary obtains sensitive
leakage information. This is modeled by providing the adversary with access to a leakage oracle:
the adversary can submit any function f and receive f(sk), where sk is the secret key (we note that
the leakage functions can be chosen depending on the public key, which is known to the adversary).
The adversary can query the leakage oracle adaptively, with only one restriction: the sum of output
lengths of all the leakage functions has to be bounded by a predetermined parameter λ (clearly,
λ has to be less than the length of the secret key)1. A formal definition is provided in Section 3.
Akavia et al. showed that Regev’s public-key encryption scheme is resilient to any key leakage of
L/polylog(L) bits, where L is the length of the secret key. We are now ready to state our results
more clearly:
A generic construction.
that is resilient to key leakage from any universal hash proof system, a very useful primitive in-
troduced by Cramer and Shoup [8]. The construction does not rely on additional computational
assumptions, and the resulting scheme is as efficient as the underlying proof system. Existing
constructions of such proof systems [8, 29, 43] imply that our construction can be based on a va-
riety of number-theoretic assumptions, including the decisional Diffie-Hellman (DDH) assumption
and its progressively weaker d-Linear variants, the quadratic residuosity assumption, and Paillier’s
composite residuosity assumption. The natural approach for achieving security against partial key
leakage is to add redundancy to the private key, so that every (short) function of it will still keep
many possibilities for the “real secret”. Hash proof systems yield a convenient method for doing
just that.
We then emphasize a specific instantiation with a simple and efficient DDH-based hash proof
system. The resulting encryption scheme is resilient to any leakage of L(1/2 − o(1)) bits, where L
is the length of the secret key. Although one can instantiate our construction with any hash proof
system, we find this specific instantiation rather elegant (we refer the reader to Section 4.2).
The schemes that result from our generic construction satisfy in fact a more general notion of
leakage resilience: these schemes are secure even if the leakage functions chosen by the adversary
are applied to the random bits used by the key generation algorithm. This clearly generalizes
the framework of Akavia et al. and guarantees security even in case that intermediate values from
the process of generating the secret and public keys are leaked2. In addition, we consider several
We present a generic construction of a public-key encryption scheme
1Akavia et al. refer to such attacks as adaptive memory attacks. They also define the notion of non-adaptive
memory attacks which we discuss later on.
2We note that it is not clear that Regev’s scheme is resilient to leakage of intermediate key-related values, or at
least, the proof of security of Akavia et al. does not seem to generalize to this setting. The main reason is that their
proof of security involves an indistinguishability argument over the public key, and an adversary that has access to
the randomness of the key generation algorithm (via leakage queries) can identify that the public key was not sampled
from its specified distribution.
3
Page 5
other important generalizations of the framework of Akavia et al. that are satisfied by our schemes.
These include a scenario in which the adversary obtains a noisy version of all of the memory as in
the attack of Halderman et al. (i.e., the leakage may be as long as the whole memory and not of
bounded length), and a scenario in which partial results of the decryption process are leaked (we
refer the reader to Section 8 for a more elaborated discussion on our generalizations).
Improved key-leakage resilience.
resilient to any key leakage of L(1 − o(1)) bits, where L is the length of the secret key. Our
proposals are based on the observation that our generic construction from hash proof systems can
in fact be based on hash proof systems with a slightly weaker universality property. When viewing
hash proof systems as key-encapsulation mechanisms, relaxing the universality property enables us
to achieve essentially the best possible ratio between the length of the secret key and the length
of the encapsulated symmetric key. This ratio translates to the relative amount of key leakage to
which the encryption schemes are resilient3.
For our first proposal we construct a new hash proof system based on the decisional Diffie-
Hellman assumption (and more generally, on any of the d-Linear assumptions) that satisfies this
weaker universality property. The resulting encryption scheme is then obtained by instantiating
our generic construction with this hash proof system. For our second proposal, we show the recent
“circular-secure” encryption scheme of Boneh et al. [6] fits into our generic approach using a different
hash proof system (that satisfies the same weaker universality property). We then compare our two
proposals both conceptually and practically, indicating that they complement each other in terms
of efficiency.
We propose two public-key encryption schemes that are
Chosen-ciphertext security.
ciphertext security. Technically, this is a very natural extension by providing the adversary with
access to both a leakage oracle and a decryption oracle (a formal definition is provided in Section
3). On the theoretical side, we show that the Naor-Yung “double encryption” paradigm [14, 36] can
be used as a general transformation from chosen-plaintext security to chosen-ciphertext security in
the presence of key leakage. As an immediate corollary of our above-mentioned results, we obtain
a scheme that is CCA2-secure with any leakage of L(1 − o(1)) bits, where L is the length of the
secret key.
The schemes resulting from the Naor-Yung paradigm are rather inefficient due to the usage
of generic non-interactive zero-knowledge proofs. To complement this situation, on the practical
side, we prove that variants of the Cramer-Shoup cryptosystem [9] (along the lines of our generic
transformation from hash proof systems) are CCA1-secure with any leakage of L(1/4 − o(1)) bits,
and CCA2-secure with any leakage of L(1/6−o(1)) bits. It is left as an open problem to construct
a practical CCA-secure scheme that is resilient to any leakage of L(1−o(1)) bits (where a possible
approach is to examine recent refinements of the Cramer-Shoup cryptosystem [1, 29, 32]).
We extend the framework of key leakage to the setting of chosen-
“Weak” key-leakage security.
leakage (which they refer to as “non-adaptive” leakage): a leakage function f with output length
λ is chosen by the adversary ahead of time (without any knowledge of the public key), and then
the adversary is given (pk,f(sk)). That is, in a “weak” key-leakage attack the leakage function f
is chosen independently of pk. Akavia et al. proved that Regev’s encryption scheme is resilient to
any weak key leakage of L(1 − o(1)) bits.
3We do not argue that such a relaxation is in fact necessary for achieving the optimal ratio.
Akavia et al. also considered the following weaker notion of key
4
Page 6
Although this notion of key leakage seems rather limited, it still captures many realistic attacks
in which the leakage does not depend on the parameters of the encryption scheme. Specifically,
this notion captures the cold boot attack of Halderman et al. [21], in which the leakage depends
only on the properties of the hardware devices that are used for storing the secret key.
For weak key-leakage attacks we present a generic construction that transforms any encryption
scheme to one that is resilient to any weak leakage of L(1−o(1)) bits, where L is the length of the
secret key. The resulting scheme is essentially as efficient as the original one, and does not rely on
additional computational assumptions. Our approach crucially relies on the fact that the leakage
is independent of the public key. One may interpret our construction as evidence to the deficiency
of this weaker notion of key-leakage attacks.
1.2 Related Work
Extensive work has been devoted for protecting against side-channel attacks, and for exploiting
side-channels to compromise the security of cryptographic schemes. It is far beyond the scope of
this paper to present an exhaustive overview of this ever-growing line of work. We focus here on
the results that are most relevant to our work. Already in 1985 Rivest and Shamir [40] introduced
a model for leakage attacks in the context of factoring. They considered a scenario in which an
adversary is interested in factoring an n-bit modulus N = PQ, and is allowed to ask a certain
number of arbitrary “Yes/No” questions. Rivest and Shamir asked the following question: how
many questions are needed in order to factor N in polynomial time? Clearly, if the adversary is
allowed to ask about n/2 questions, then the binary representation of P can be fully revealed.
Rivest and Shamir showed an attack that requires only n/3 questions. Specifically, in their attack
the adversary requests the top n/3 bits of P. This was later improved by Maurer [34] who showed
that ?n questions are sufficient, for any constant ? > 0.
Canetti et al. [7] introduced the notion of exposure resilient cryptographic primitives, which
remain secure even if an adversary is able to learn almost all of the secret key of the primitive.
Most notably, they introduced the notion of an exposure resilient function: a deterministic function
whose output appears random even if almost all the bits of the input are known (see also the work
of Dodis et al. [12] on adaptive security of such functions). Ishai et al. [25, 26] considered the more
general problem of protecting privacy in circuits, where the adversary can access a bounded number
of wires in the circuit. Ishai et al. proposed several techniques for dealing with this type of attacks.
Dziembowski and Pietrzak [16] and Pietrzak [38] introduced a general framework for leakage-
resilient cryptography, following the assumption of Micali and Reyzin that only computation leaks
information. Their main contributions are constructions of leakage-resilient stream-ciphers. In-
formally, their model considers cryptographic primitives that proceed in rounds, and update their
internal state after each round. In each round, the adversary can obtain bounded leakage informa-
tion from the portions of memory that were accessed during that round.
Dodis, Tauman Kalai, and Lovett [13] studied the security of symmetric-key encryption schemes
under key leakage attacks. They considered leakage of the form f(sk), where sk is the secret key
and f is any exponentially-hard one-way function. On one hand they do not impose any restriction
on the min-entropy of the secret key given the leakage, but on the other hand, they require that the
leakage is a function that is extremely hard to invert. Dodis et al. introduced a new computational
assumption that is a generalization of learning parity with noise, and constructed symmetric-key
encryption schemes that are resilient to any key leakage that is exponentially hard to invert.
5
Page 7
1.3Paper Organization
The remainder of the paper is organized as follows. In Section 2 we present some basic notions,
as well as several tools that are used in our constructions. In Section 3 we formally describe the
framework of key-leakage attacks, and extend it to the setting of chosen-ciphertext attacks. In
Section 4 we present our generic construction from hash proof systems, and provide a simple and
efficient instantiation. In Section 5 we present our two proposals that are resilient to any key leakage
of L(1 − o(1)) bits, and provide a comparison between them. In Section 6 we present encryption
schemes that are secure against chosen-ciphertext key-leakage attacks. In Section 7 we present a
generic construction for protecting against weak key-leakage attacks. In Section 8 we discuss several
important generalizations of the framework of key leakage that are satisfied by our schemes. In
Appendix A we introduce the matrix d-Linear assumption on which we base our new hash proof
system in Section 5, and prove that it is implied by the d-Linear assumption.
2 Preliminaries, Assumptions, and Tools
In this section we present some basic notions, definitions, and tools that are used in our construc-
tions. We formally state the decisional Diffie-Hellman and the d-Linear assumptions, and present
the notions of an average-case strong extractor and hash proof systems.
2.1 Computational Assumptions
Let G be a probabilistic polynomial-time algorithm algorithm that takes as input a security pa-
rameter, and outputs a triplet G = (G,q,g) where G is a group of order q that is generated by
g ∈ G.
The decisional Diffie-Hellman assumption.
tion is that the ensembles {(G,g1,g2,gr
indistinguishable, where G ← G(1n), and the elements g1,g2 ∈ G and r,r1,r2 ∈ Zq are chosen
independently and uniformly at random.
The decisional Diffie-Hellman (DDH) assump-
2)}n∈Nand {(G,g1,g2,gr1
1,gr
1,gr2
2)}n∈Nare computationally
The d-Linear assumption.
intended to take the place of DDH in groups where DDH is easy (specifically, in bilinear groups).
They showed that the hardness of DDH implies that hardness of Linear, but at least in generic
groups (see, for example, [27, 44]), Linear remains hard even if DDH is easy. The DDH and Linear
assumptions naturally generalize to the family of d-Linear assumptions [28, 43], where for every
d ≥ 1 the d-Linear assumption is that the ensembles
??
??G,g1,...,gd,gd+1,gr1
are computationally indistinguishable, where G ← G(1n), and the elements g1,...,gd+1∈ G and
r1,...,rd+1∈ Zqare chosen independently and uniformly at random.
Note that DDH is the 1-Linear assumption, and that Linear is the 2-Linear assumption. These
assumptions are progressively weaker: the hardness of d-Linear implies the hardness of (d + 1)-
Linear, but in generic groups (d + 1)-Linear remains hard even if d-Linear is easy.
Boneh, Boyen, and Shacham [4] introduced the Linear assumption,
G,g1,...,gd,gd+1,gr1
1,...,grd
d,g
?d
i=1ri
d+1
??
n∈N
1,...,grd
d,grd+1
d+1
??
n∈N,
6
Page 8
2.2Randomness Extraction
The statistical distance between two random variables X and Y over a finite domain Ω is SD(X,Y ) =
1
2
is at most ?. The min-entropy of a random variable X is H∞(X) = −log(maxxPr[X = x]).
Dodis et al. [11] formalized the notion of average min-entropy that captures the remaining
unpredictability of a random variable X conditioned on the value of a random variable Y , formally
defined as follows:
?H∞(X|Y ) = −log
edge of Y . The following bound on average min-entropy was proved in [11]:
?
ω∈Ω|Pr[X = ω]−Pr[Y = ω]|. We say that two variables are ?-close if their statistical distance
?
Ey←Y
?
2−H∞(X|Y =y)??
.
The average min-entropy corresponds exactly to the optimal probability of guessing X, given knowl-
Lemma 2.1 ([11]). If Y has 2rpossible values and Z is any random variable, then?H∞(X|(Y,Z)) ≥
A main tool in our constructions in this paper is a strong randomness extractor. The following
definition naturally generalizes the standard definition of a strong extractor to the setting of average
min-entropy:
H∞(X|Z) − r.
Definition 2.2 ([11]). A function Ext : {0,1}n×{0,1}t→ {0,1}mis an average-case (k,?)-strong
extractor if for all pairs of random variables (X,I) such that X ∈ {0,1}nand?H∞(X|I) ≥ k it
SD((Ext(X,S),S,I),(Um,S,I)) ≤ ? ,
where S is uniform over {0,1}t.
Dodis et al. proved that any strong extractor is in fact an average-case strong extractor, for an
appropriate setting of the parameters. As a specific example, they proved the following generalized
variant of the leftover hash lemma, stating that any family of pairwise independent hash functions
is an average-case strong extractor:
holds that
Lemma 2.3 ([11]). Let X,Y be random variables such that X ∈ {0,1}nand?H∞(X|Y ) ≥ k. Let
holds that
SD((Y,h,h(X)),(Y,h,Um)) ≤ ?
as long as m ≤ k − 2log(1/?).
H be a family of pairwise independent hash functions from {0,1}nto {0,1}m. Then for h ← H, it
2.3Hash Proof Systems
We present the framework of hash proof systems, introduced by Cramer and Shoup [8]. For sim-
plicity we frame the description by viewing hash proof systems as key-encapsulation mechanisms
(using the notation of Kiltz et al. [29]), and refer the reader to [8] for a more complete description.
A key-encapsulation mechanism is a public-key encryption scheme that is used for encrypting
random messages. Typically, these messages are used as encryption keys for a symmetric-key
encryption scheme, which in turn encrypts the actual plaintext. In this setting, hash proof systems
may be viewed as key-encapsulation mechanisms in which ciphertexts can be generated in two
modes. Ciphertexts generated using the first mode are referred to as valid ciphertexts, and are
indeed encapsulations of symmetric keys. That is, given a public key and a valid ciphertext, the
encapsulated key is well defined, and can be decapsulated using the secret key. In addition, the
generation process of a valid ciphertext also produces a “witness” to the fact that the ciphertext
7
Page 9
is indeed valid. Ciphertexts generated using the second mode are referred to as invalid ciphertexts,
and essentially contain no information on the encapsulated key. That is, given a public key and an
invalid ciphertext, the distribution of the encapsulated key (as it will be produced by the decryption
process) is almost uniform. This is achieved by introducing redundancy into the secret key: each
public key has many corresponding secret keys. The only computational requirement is that the
two modes are computational indistinguishable: any efficient adversary that is given a public key
cannot distinguish with a noticeable advantage between valid ciphertexts and invalid ciphertexts.
We note that the secret and public keys are always generated using the same algorithm, and the
indistinguishability requirement is only over the ciphertexts.
Smooth projective hashing.
keys, PK as the set of public keys, and K as the set of encapsulated symmetric keys. Let C and
V ⊂ C be sets, where we view C as the set of all ciphertexts, V as the set of all valid ciphertexts (i.e.,
those generated appropriately with a corresponding witness). We assume that there are efficient
algorithms for sampling sk ∈ SK, C ∈ V together with a witness w, and C ∈ C \ V.
Let Λsk: C → K be a hash function indexed with sk ∈ SK that maps ciphertexts to symmetric
keys. The hash function Λ(·)is projective if there exists a projection µ : SK → PK such that
µ(sk) ∈ PK defines the action of Λskover the subset V of valid ciphertexts. That is, for every valid
ciphertext C ∈ V, the value K = Λsk(C) is uniquely determined by pk = µ(sk) and C. In other
words, even though there are many different secret keys sk corresponding to the same public key
pk, the action of Λskover the subset of valid ciphertexts in completely determined by the public
key pk. On the other hand, the action of Λsk over the subset of invalid ciphertexts should be
completely undetermined: A projective hash function is ?-almost 1-universal if for all C ∈ C \ V,
SD((pk,Λsk(C)),(pk,K)) ≤ ?
where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk).
Let SK, PK, and K be sets where we view SK as the set of secret
(2.1)
Hash proof systems.
that run in polynomial time. The randomized algorithm Param(1n) generates parameterized in-
stances of the form (group,K,C,V,SK,PK,Λ(·),µ), where group may contain public parameters.
The deterministic public evaluation algorithm Pub is used to decapsulate valid ciphertexts C ∈ V
given a “witness” w of the fact that C is indeed valid (specifically, one can think of w as the
random coins used to sample C from the set V). The algorithm Pub receives as input a public
key pk = µ(sk), a valid ciphertext C ∈ V, and a witness w of the fact that C ∈ V, and outputs
the encapsulated key K = Λsk(C). The deterministic private evaluation algorithm Priv is used to
decapsulate valid ciphertexts without knowing a witness w, but by using the secret key sk. That is,
the algorithm Priv receives as input a secret key sk ∈ SK and a valid ciphertext C ∈ V, and outputs
the encapsulated key K = Λsk(C). We assume that µ and Λ(·)are efficiently computable. We say
that a hash proof system is 1-universal if for all possible outcomes of Param(1n) the underlying
projective hash function is ?(n)-almost 1-universal for some negligible ?(n).
A hash proof system HPS = (Param,Pub,Priv) consists of three algorithms
Subset membership problem.
bership problem is hard in HPS, which means that for random valid ciphertext C0∈ V and random
invalid ciphertext C1∈ C\V, the two ciphertexts C0and C1are computationally indistinguishable.
This is formally captured by defining the advantage function AdvSM
HPS,A(n) =??PrC0←V[A(C,V,C0) = 1] − PrC1←C\V[A(C,V,C1) = 1]??,
As a computational problem we require that the subset mem-
HPS,A(n) of an adversary A as
AdvSM
where C and V are generated using Param(1n).
8
Page 10
Example: A DDH-based hash proof system.
on a variety of number-theoretic assumptions: the decisional Diffie-Hellman assumption and its
progressively weaker d-Linear variants, the quadratic residuosity assumption, and Paillier’s com-
posite residuosity assumption [8, 29, 43]. We conclude this section by presenting a simple example
of a hash proof system (due to Cramer and Shoup [8]) that is based on the decisional Diffie-Hellman
assumption. This hash proof system is used in Section 4.2 to instantiate our generic construction
of a public-key encryption scheme that is resilient to key leakage.
Let G be a group of prime order q. We define a hash proof system HPS = (Param,Pub,Priv) as
follows. The algorithm Param(1n) generates instances (group,K,C,V,SK,PK,Λ,µ), where:
• group = (G,g1,g2), where g1,g2∈ G are uniformly chosen generators.
• C = G2, V = {(gr
• SK = Z2
• For sk = (x1,x2) ∈ SK we define µ(sk) = gx1
• For C = (gr
• For C = (c1,c2) ∈ V we define Priv(sk,C) = Λsk(C) = cx1
This hash proof system can be easily shown to be 1-universal based on the DDH assumption
(see, for example, [29] for a complete proof).
Hash proof systems are known to exist based
1,gr
2) : r ∈ Zq}, K = G.
q, PK = G.
1gx2
2∈ PK.
1,gr
2) ∈ V with witness r ∈ Zqwe define Pub(pk,C,r) = pkr.
1cx2
2.
3Defining Key-Leakage Attacks
In this section we define the notion of a key-leakage attack, as introduced as Akavia et al. [2]. In
addition, we present a natural extension of this notion to the setting of chosen-ciphertext attacks,
and define the notion of a weak key-leakage attack. In Section 8 we discuss several generalizations
of this framework.
3.1 Chosen-Plaintext Key-Leakage Attacks
Informally, an encryption scheme is resilient to key-leakage attacks if it is semantically secure
even when the adversary obtains sensitive leakage information. This is modeled by providing the
adversary with access to a leakage oracle: the adversary can submit any function f and receive
f(SK), where SK is the secret key. The adversary can query the leakage oracle adaptively, with
only one restriction: the sum of output lengths of all the leakage functions has to be bounded by
a predetermined parameter λ.
More formally, for a public-key encryption scheme (G,E,D) we denote by SKnand PKnthe sets
of secret keys and public keys that are produced by G(1n). That is, G(1n) : {0,1}∗→ SKn×PKnfor
every n ∈ N. The leakage oracle, denoted Leakage(SK), takes as input a function f : SKn→ {0,1}∗
and outputs f(SK). We say that an oracle machine A is a λ-key-leakage adversary if the sum of
output lengths of all the functions that A submits to the leakage oracle is at most λ.
Definition 3.1 (key-leakage attacks). A public-key encryption scheme Π = (G,E,D) is seman-
tically secure against λ(n)-key-leakage attacks if for any probabilistic polynomial-time λ(n)-key-
leakage adversary A = (A1,A2) it holds that
AdvLeakage
Π,A
is negligible in n, where ExptLeakage
Π,A
(n)def
=
???Pr
?
ExptLeakage
Π,A
(b) is defined as follows:
(0) = 1
?
− Pr
?
ExptLeakage
Π,A
(1) = 1
????
9
Page 11
1. (SK,PK) ← G(1n).
2. (M0,M1,state) ← ALeakage(SK)
3. C ← Epk(Mb).
4. b?← A2(C,state)
5. Output b?.
1
(PK) such that |M0| = |M1|.
Challenge-dependent key leakage.
oracle after the challenge phase. This restriction is necessary: the adversary can clearly encode the
decryption algorithm, the challenge ciphertext, and the two messages M0and M1into a function
that outputs the bit b. It will be very interesting to find an appropriate definition that allows a
certain form of challenge-dependent leakage.
Note that the adversary is not allowed to access the leakage
Adaptivity.
in which the adversary queries the leakage oracle only once. Informally, the adversary can encode
its adaptive behavior into a single polynomial-size leakage function. It is not clear, however, that
the same equivalence holds when we extend the definition to consider chosen-ciphertext attacks.
Therefore, for consistency, we chose to present this adaptive definition.
As pointed out by Akavia et al. [2], Definition 3.1 is in fact equivalent to a definition
3.2Chosen-Ciphertext Key-Leakage Attacks
Extending the above definition to the setting of chosen-ciphertext security is rather natural. In
this case the adversary is allowed to adaptively access a decryption oracle D(SK,·) that receives as
input a ciphertext and outputs a decryption using the secret key SK. We denote by D?=C(SK,·)
a decryption oracle that decrypts any ciphertext other than C. As in the standard definition of
chosen-ciphertext attacks we distinguish between a-priori chosen-ciphertext attacks (CCA1) and
a-posteriori chosen-ciphertext attacks (CCA2).
Definition 3.2 (a-priori chosen-ciphertext key-leakage attacks). A public-key encryption scheme
Π = (G,E,D) is semantically secure against a-priori chosen-ciphertext λ(n)-key-leakage attacks if
for any probabilistic polynomial-time λ(n)-key-leakage adversary A = (A1,A2) it holds that
(n)def
=
ExptLeakageCCA1
Π,A
AdvLeakageCCA1
Π,A
???Pr
Π,A
?
(0) = 1
?
− Pr
?
ExptLeakageCCA1
Π,A
(1) = 1
????
is negligible in n, where ExptLeakageCCA1
(b) is defined as follows:
1. (SK,PK) ← G(1n).
2. (M0,M1,state) ← ALeakage(SK),D(SK,·)
3. C ← Epk(Mb).
4. b?← A2(C,state)
5. Output b?.
1
(PK) such that |M0| = |M1|.
10
Page 12
Definition 3.3 (a-posteriori chosen-ciphertext key-leakage attacks). A public-key encryption sche-
me Π = (G,E,D) is semantically secure against a-posteriori chosen-ciphertext λ(n)-key-leakage
attacks if for any probabilistic polynomial-time λ(n)-key-leakage adversary A = (A1,A2) it holds
that
AdvLeakageCCA2
Π,A
is negligible in n, where ExptLeakageCCA2
Π,A
1. (SK,PK) ← G(1n).
2. (M0,M1,state) ← ALeakage(SK),D(SK,·)
3. C ← Epk(Mb).
4. b?← AD?=C(SK,·)
5. Output b?.
(n)def
=
???Pr
?
ExptLeakageCCA2
Π,A
(b) is defined as follows:
(0) = 1
?
− Pr
?
ExptLeakageCCA2
Π,A
(1) = 1
????
1
(PK) such that |M0| = |M1|.
2
(C,state)
3.3 Weak Key-Leakage Attacks
Akavia et al. also considered the following weaker notion of leakage (which they refer to as “non-
adaptive” leakage): a leakage function f with output length λ is chosen by the adversary ahead
of time (without any knowledge of the public key), and then the adversary is given (PK,f(SK)).
That is, the leakage function f is chosen independently of the public key. Although this notion
seems rather weak, it nevertheless captures realistic attacks in which the leakage depends only on
hardware devices (as in [21]) and is independent of the parameters of the system, including the
public-key.
Definition 3.4 (weak key-leakage attacks). A public-key encryption scheme Π = (G,E,D) is
semantically secure against weak λ(n)-key-leakage attacks if for any probabilistic polynomial-time
adversary A = (A1,A2), and for any ensemble F =
computable functions, it holds that
???Pr
Π,A,F
1. (SK,PK) ← G(1n).
2. (M0,M1,state) ← A1(PK,fn(SK)) such that |M0| = |M1|.
3. C ← Epk(Mb).
4. b?← A2(C,state)
5. Output b?.
?fn: SKn→ {0,1}λ(n)?
(0) = 1
− Pr
(b) is defined as follows:
n∈Nof efficiently
????
AdvWeakLeakage
Π,A,F
(n)def
=
?
ExptWeakLeakage
Π,A,F
??
ExptWeakLeakage
Π,A,F
(1) = 1
is negligible in n, where ExptWeakLeakage
4A Generic Construction from Hash Proof Systems
In this section we present a generic construction of a public-key encryption scheme that is resilient
to key-leakage attacks. We then present an instantiation of our generic construction with a simple
and efficient hash proof system based on the DDH assumption. The resulting encryption scheme
is resilient to any leakage of L(1/2 − o(1)) bits, where L is the length of the secret key. Although
one can instantiate our generic construction with any hash proof system, we find this specific
instantiation rather elegant.
11
Page 13
4.1 The Construction
Let HPS = (Param,Pub,Priv) be an ?1-almost 1-universal hash proof system (see Section 2.3
for an overview of hash proof systems), where Param(1n) generates parameterized instances of
(group,K,C,V,SK,PK,Λ(·),µ) which are used as the public parameters of the encryption scheme.
Let λ = λ(n) be a bound on the amount of leakage, and let Ext : K × {0,1}t→ {0,1}mbe
an average-case (log|K| − λ,?2)-strong extractor. We assume that ?1and ?2are negligible in the
security parameter. The following describes the encryption scheme Π = (G,E,D):
• Key generation: Choose a random sk ∈ SK and let pk = µ(sk) ∈ PK. Output the pair
(sk,pk).
• Encryption: On input a message M ∈ {0,1}m, choose a random C ∈ V together with a
corresponding witness w, and a random seed s ∈ {0,1}t. Let Ψ = Ext(Pub(pk,C,w),s)⊕M,
and output the ciphertext (C,s,Ψ).
• Decryption: On input a ciphertext (C,s,Ψ), output the message M = Ψ ⊕ Ext(Λsk(C),s).
The correctness of the scheme follows from the property that Λsk(C) = Pub(pk,C,w) for any
C ∈ V with witness w. Thus, a decryption of an encrypted plaintext is always the original plaintext.
The security of the scheme (i.e., its resilience to key leakage) follows from the universality of the
proof system (see Equation (2.1) in Section 2.3): for all C ∈ C \ V it holds that
SD((pk,Λsk(C)),(pk,K)) ≤ ?1 ,
where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk). Therefore, even
given pk and any leakage of λ bits, the distribution Λsk(C) is ?1-close to a distribution with average
min-entropy at least log|K| − λ. The strong extractor is then applied to Λsk(C) using a fresh seed
(chosen during the challenge phase and thus independent of the leakage), and guarantees that the
plaintext is properly hidden. The following theorem establishes the security of the scheme:
Theorem 4.1. Assuming that HPS is a 1-universal hash proof system, the encryption scheme Π is
semantically secure against λ(n)-key-leakage attacks for any λ(n) ≤ log|K| − ω(logn) − m, where
n is the security parameter and m is the length of plaintexts.
Proof. Assume that HPS is an ?1-almost 1-universal hash proof system, and recall that Ext is
chosen to be an average-case (log|K| − λ,?2)-strong extractor (see, for example, Lemma 2.3 for a
generalization of the leftover hash lemma to the setting of average min-entropy). We show that
for any efficient λ-key-leakage adversary A = (A1,A2) there exists an efficient adversary A?for the
subset membership problem of the hash proof system HPS such that
?
For S ∈ {V,C \ V} and b ∈ {0,1} consider the following experiment denoted ExptLeakage
1. Generate (K,C,V,SK,PK,Λ(·),µ) ← Param(1n), choose a random sk ∈ SK and let pk =
µ(sk) ∈ PK.
2. (M0,M1,state) ← ALeakage(sk,pk)
3. Choose a random C ← S, a random seed s ∈ {0,1}t, and let Ψ = Ext(Λsk(C),s) ⊕ Mb.
AdvLeakage
Π,A
(n) ≤ 2
AdvSM
HPS,A(n) + ?1(n) + ?2(n)
?
.
Π,A
(S,b):
1
(pk) such that |M0| = |M1|.
12
Page 14
4. b?← A2((C,s,Ψ),state).
5. Output b?.
Using the notation of Definition 3.1 and the triangle inequality, for any adversary A it holds that
AdvLeakage
Π,A
=
ExptLeakage
Π,A
≤
+
ExptLeakage
Π,A
+
ExptLeakage
Π,A
(n) =
???Pr
???Pr
?
ExptLeakage
Π,A
(0) = 1
?
− Pr
?
?
ExptLeakage
Π,A
− Pr
− Pr
?
− Pr
(1) = 1
????
???Pr
?
(V,0) = 1
(V,0) = 1
(C \ V,0) = 1
(C \ V,1) = 1
?
ExptLeakage
Π,A
ExptLeakage
Π,A
− Pr
?
(V,1) = 1
(C \ V,0) = 1
ExptLeakage
Π,A
ExptLeakage
Π,A
????
(4.1)
?
ExptLeakage
Π,A
???Pr
??
????
(4.2)
??
(C \ V,1) = 1
(V,1) = 1
????
(4.3)
???Pr
?
?
???? ,
(4.4)
where the equality in (4.1) follows from the property that Λsk(C) = Pub(pk,C,w) for any C ∈ V
with witness w. It is straightforward that there exists an adversary A?for the subset membership
problem of the hash proof system HPS such that the terms (4.2) and (4.4) are upper bounded by
AdvSM
HPS,A(n). The following claim bounds the term (4.3) and concludes the proof of the theorem.
Claim 4.2. For any probabilistic polynomial-time adversary A it holds that
???Pr
Proof. For each b ∈ {0,1} we claim that in experiment ExptLeakage
challenge ciphertext is (?1+ ?2)-close to the uniform distribution over m bits from the adversary’s
point of view. Noting that the experiments ExptLeakage
Π,A
on Ψ, this implies that the statistical distance between the distributions of the adversary’s view in
these experiments is at most 2(?1+ ?2).
The hash proof system guarantees that for C ∈ C \ V the value Λsk(C) is ?1-close to uniform
over the set K given pk and C. In our setting, however, the adversary learns additional λ bits of
information using the leakage oracle. However, Lemma 2.1 states that this can reduce the average
min-entropy of Λsk(C) by at most λ. That is, Λsk(C) is ?1-close to a distribution that has average
min-entropy at least log|K|−λ given the adversary’s view. The application of the strong extractor
with a randomly chosen seed (that is independent of the adversary’s view so far) guarantees that
Ext(Λsk(C),s) is ?2-close to the uniform distribution over m bits, and therefore Ψ is (?1+?2)-close
to uniform.
?
ExptLeakage
Π,A
(C \ V,0) = 1
?
− Pr
?
ExptLeakage
Π,A
(C \ V,1) = 1
???? ≤ 2(?1(n) + ?2(n)) .
(C \ V,b) the value Ψ in the
Π,A
(C \V,0) and ExptLeakage
Π,A
(C \V,1) differ only
4.2 Example: A DDH-Based Instantiation
Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, and let Ext : G×{0,1}t→
{0,1}mbe an average-case (logq − λ,?)-strong extractor for some negligible ? = ?(n).
• Key generation: Choose x1,x2∈ Zqand g1,g2∈ G uniformly at random. Let h = gx1
and output the keys
SK = (x1,x2),
1gx2
2,
PK = (g1,g2,h) .
13
Page 15
• Encryption: On input a message M, choose r ∈ Zqand s ∈ {0,1}tuniformly at random,
and output the ciphertext
(gr
1,gr
2,s,Ext(hr,s) ⊕ M) .
• Decryption: On input a ciphertext (u1,u2,s,e), output e ⊕ Ext(ux1
The hash proof system underlying the above encryption scheme is the one described in Section
2.3. This hash proof system 1-universal based on the DDH assumption, and as an immediate
consequence we obtain the following corollary of Theorem 4.1:
1ux2
2,s).
Corollary 4.3. Assuming the hardness of DDH, the above encryption scheme is semantically-
secure against (L/2 − ω(logn) − m)-key-leakage attacks, where n denotes the security parameter,
L = L(n) denotes the length of the secret key and m = m(n) denotes the length of the plaintext.
5Improved Resilience Based on DDH and d-Linear
In this section we propose two encryption schemes that are resilient to any key leakage of L(1−o(1))
bits, where L is the length of the secret key. These proposals are based on the observation that
our generic construction from hash proof systems can in fact be based on hash proof systems with
a slightly weaker 1-universality property. Specifically, the 1-universality property asks that for all
C ∈ C \ V it holds that
SD((pk,Λsk(C)),(pk,K)) ≤ ?
where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk). It is rather
straightforward that our generic construction only requires this property to hold with overwhelming
probability over the choice of C ∈ C \ V.
For our first proposal we construct a new hash proof system that is based on the d-Linear
assumption (for any d ≥ 1) and satisfies this weaker 1-universality property4. The hash proof system
is a generalization of the hash proof system underlying the simple encryption scheme described
in Section 4.2. The resulting encryption scheme is then obtained by instantiating our generic
construction with this hash proof system.
Our second proposal is a recent encryption scheme of Boneh et al. [6], that is secure under key
cycles (and more generally, under encryptions of linear functions of the secret keys). This is the
first and only known encryption scheme with this property. We refer to this scheme as the BHHO
scheme, and show that it fits into our generic approach using an appropriate hash proof system
(that satisfies the same weaker universality property). As a corollary we derive that the BHHO
scheme is resilient to any leakage of L(1 − o(1)) bits5.
We then provide a comparison between these two proposed schemes, indicating that the two
schemes complement each other in terms of efficiency.
5.1Proposal 1: A New Hash Proof System
We begin by presenting the encryption scheme, and then turn to describe the underlying hash proof
system and its properties.
Notation.
v = (g1,...,gk) ∈ Gkand u = (u1,...,uk) ∈ Zk
naturally extends to matrix-vector and matrix-matrix multiplications.
Let G = (G,q,g) where G a group of order q that is generated by g. For two vectors
qwe define v ·uT=?k
4Recall that the DDH is the 1-Linear assumption.
5We do not claim that every circular-secure scheme is also resilient to key leakage.
i=1gui
i, and note the notation
14
Page 16
The encryption scheme.
parameter, and let Ext : Gk−d× {0,1}t→ {0,1}mbe an average-case ((k − d)logq − λ,?)-strong
extractor for some negligible ? = ?(n).
The following encryption scheme has a secret key of size essentially klogq bits (k group ele-
ments), and is resilient to any leakage of λ ≤ (k−d)logq−ω(logn)−m bits, where m is the length
of plaintexts. That is, the scheme is resilient to any leakage of essentially a (1 − d/k)-fraction of
the length of the secret key.
Let k = k(n) ≥ d+1 be any polynomial, let λ = λ(n) be the leakage
• Key generation: Choose x ∈ Zk
and output the keys
qand Φ ∈ Gd×kuniformly at random. Let y = Φx ∈ Gd,
SK = x, PK = (Φ,y) .
• Encryption: On input a message M, choose R ∈ Z(k−d)×d
random, and output the ciphertext
q
and s ∈ {0,1}tuniformly at
(RΦ,s,Ext(Ry,s) ⊕ M) .
• Decryption: On input a ciphertext (Ψ,s,e) output e ⊕ Ext(Ψx,s).
The following theorem establishes the security of the scheme:
Theorem 5.1. Assuming the hardness of d-Linear, for any polynomial k = k(n) ≥ d + 1 the
above encryption scheme is semantically-secure against a ((1 − d/k)L − ω(logn) − m)-key-leakage
attack, where n denotes the security parameter, L = L(n) denotes the length of the secret key and
m = m(n) denotes the length of the plaintext.
The hash proof system.
{0,1}mbe a ((k − d)logq,?)-strong extractor for some negligible ? = ?(n).
We define a hash proof system HPS = (Param,Pub,Priv) as follows. The algorithm Param(1n)
generates instances (group,K,C,V,SK,PK,Λ,µ), where:
• group = (G,Φ,s), where Φ ∈ Gd×kand s ∈ {0,1}tare chosen uniformly at random.
• C = G(k−d)×d, V =
• SK = Zk
• For sk ∈ SK we define µ(sk) = Φx ∈ PK.
• For C ∈ V with witness R ∈ Z(k−d)×d
• For C ∈ V we define Priv(sk,C) = Λsk(C) = Ext(Cx,s).
Before analyzing the hash proof system, we note that in the above encryption scheme we did not
include the strong extractor that is a part of the hash proof system. The reason is that the generic
transformation in Section 4 utilizes a strong extractor (using a fresh seed for every ciphertext), and
in this specific case there is no need to apply two extractors.
We now analyze the hash proof system. It is straightforward that for every C ∈ V with witness
R ∈ Z(k−d)×d
Λsk(C) = Ext(Cx,s) = Ext(RΦx,s) = Ext(Ry,s) = Pub(pk,C,R) .
Let k = k(n) ≥ d+1 be any polynomial, and let Ext : Gk−d×{0,1}t→
?
RΦ : R ∈ Z(k−d)×d
q
?
, K = {0,1}m.
q, PK = Gd.
q
we define Pub(pk,C,R) = Ext(Ry,s).
q
it holds that
15
Page 17
For the remainder of the analysis we introduce for following additional notation. We denote by
Rki(Za×b
q
) the set of all matrices in Za×b
q
with rank i. For a matrix R = {ri,j}i∈[a],j∈[b]∈ Za×b
denote by gRthe matrix {gi,j}i∈[a],j∈[b]= {gri,j}i∈[a],j∈[b]∈ Ga×b. We denote by Rki(Ga×b) the set
of all matrices gR∈ Ga×bfor R ∈ Rki(Za×b
In Appendix A we show that the d-Linear assumption implies the hardness of the subset mem-
bership problem in HPS. Specifically, we introduce the matrix d-Linear assumption stating that in
Gk×ka random matrix of rank d is computationally indistinguishable from a random matrix of rank
at least d + 1. We prove that the d-Linear assumption implies the matrix d-Linear assumption6.
Note that in the hash proof system, the matrix Φ has rank d with overwhelming probability, and
in this case the matrix
Ψ =
C
q
we
q
).
?
Φ
?
∈ Gk×k
has rank d for every C ∈ V, and has rank at least d + 1 for every C ∈ C \ V.
In the following claim we prove the universality of the proof system. As noted above, it suffices
in our setting to argue 1-universality with overwhelming probability over the choice of C ∈ C \ V.
Claim 5.2. With overwhelming probability over the choice of C ∈ C \ V it holds that
SD((pk,Λsk(C)),(pk,K)) ≤ ? ,
where sk ∈ SK and K ∈ K are sampled uniformly at random, and pk = µ(sk).
Proof. With overwhelming probability the matrix Φ ∈ Gd×khas rank d (alternatively, it is possible
to just sample Φ from the set of rank d matrices to begin with). In this case, with overwhelming
probability over the choice over of C ∈ C \ V the matrix
?
is invertible. Therefore, the mapping x → Cx is injective given Φ and Φx, and this implies that
H∞(Cx | Φ,Φx) = H∞(x | Φ,Φx) ≥ (k − d)logq .
The strong extractor then guarantees that Λsk(C) = Ext(Cx,s) is ?-close to the uniform distribution
over K given pk.
Ψ =
Φ
C
?
∈ Gk×k
5.2 Proposal 2: The BHHO Scheme
We show that a simple setting of the parameters in the BHHO encryption scheme [6] results in
an encryption scheme that is resilient any key leakage of L(1 − o(1)) bits, where L is the length
of the secret key. Let G = (G,q,g) where G a group of order q that is generated by g, and set
? = λ + logq + 2log(1/?) for some negligible ? = ?(n).
• Key generation: Choose s1,...,s?∈ {0,1} and g1,...,g?∈ G uniformly at random. Let
h =??
SK = (s1,...,s?),
i=1gsi
i, and output the keys
PK = (g1,...,g?,h) .
6We note that the case d = 1 was proved by Boneh et al. [6].
16
Page 18
• Encryption: On input a message M ∈ G, choose r ∈ Zquniformly at random, and output
the ciphertext
(gr
1,...,gr
?,hr· M) .
• Decryption: On input a ciphertext (u1,...,uk,e) output e ·
The encryption scheme can be viewed as based on a hash proof system with the following subset
membership problem (whose hardness follows from DDH):
C =??gr1
???
i=1usi
i
?−1.
1,...,gr?
1,...,gr
?
?: r1,...,r?∈ Zq
?
V = {(gr
?) : r ∈ Zq} .
The leftover hash lemma guarantees that with overwhelming probability over the choice of C =
(u1,...,u?) ∈ C \ V it holds that Λsk(C) =??
i=1usi
iis ?-close to the uniform distribution over G,
even given any leakage of length λ bits.
5.3Comparison
The main difference between the two schemes proposed in this section is in their method of ex-
tracting randomness from the secret key. In the first proposal an invertible function is applied
to the secret key (thus preserving its min-entropy), and then a strong extractor is applied to the
resulting value. In the second proposal, the entropy of the secret key is extracted directly using
the subset-product hash functions. Although the second proposal uses a more direct method to
extract the randomness of the secret key, it requires the subset-product functions to operate on
the individual bits of the secret key, since otherwise the subset-product functions are not pairwise
independent. In contrast, in the first proposal the extractor operates on the secret key as group
elements. This leads to significant differences in performance.
For any leakage parameter λ, the size of the secret keys in the two proposals is essentially the
same, whereas the size of the public key in the first proposal is shorter by a factor of logq. When
considering the length of the ciphertexts and the number of exponentiations per ciphertext, the
first proposal performs better than the second proposal when roughly λ < L(1−1/logq), where L
is the length of the secret key (note that such a λ is a considerable amount of leakage).
For example, by setting k = 2 in the first proposal one obtains the simple scheme described
in Section 4.2 which is resilient to any leakage of L(1/2 − o(1)) bits, and requires only 3 exponen-
tiations per ciphertext. For achieving the same resilience in the second proposal more than logq
exponentiations are required.
In Table 1 we present a comparison between the efficiency of the schemes. Since the second
proposal scheme is based on DDH and encrypts group elements, we compare it to the first proposal
using d = 1 (i.e., based on DDH), and m = logq (i.e., logq-bit plaintexts). For simplicity we assume
that λ is an integer multiple of logq, and note that the table presents asymptotical estimates, and
not exact numbers.
6Protecting Against Chosen-Ciphertext Key-Leakage Attacks
In this section we present public-key encryption schemes that are resilient to chosen-ciphertext
key-leakage attacks (see Definitions 3.2 and 3.3).
17
Page 19
Proposal 1 (Section 5.1)Proposal 2 (Section 5.2)
Secret key (bits)
λ + 2logq + 2log(1/?)
λ + logq + 2log(1/?)
Public key (bits)
λ + 2logq + 2log(1/?) logq (λ + logq + 2log(1/?))
Ciphertext (bits)
(λ+2logq+2log(1/?))2
logq
?λ+2logq+2log(1/?)
Table 1: Comparison between the two proposals.
logq (λ + logq + 2log(1/?))
Exponentiations
logq
?2
λ + logq + 2log(1/?)
6.1 A Generic Construction
We prove that the Naor-Yung “double encryption” paradigm [14, 36] is applicable also in the
setting of key leakage attacks. That is, we show that any public-key encryption scheme that is
semantically secure against chosen-plaintext key-leakage attacks can be transformed into a scheme
that is semantically secure against a-posteriori chosen-ciphertext key-leakage attacks using non-
interactive zero-knowledge proofs.
The key property of the transformation is that the size of the secret key in the resulting CCA-
secure scheme is exactly the same as in the underlying CPA-secure scheme. This enables us to
prove that the resulting CCA-secure scheme is resilient to exactly the same amount of leakage as
the underlying CPA-secure scheme.
Our construction in this section are based on the refinements of Sahai [42] and Lindell [33] to
the encryption schemes of Naor and Yung [36] and Dolev, Dwork and Naor [14]. These refinements
enable us to achieve CCA2 security without increasing the size of the secret key. We refer the
reader to [33, 42] for comprehensive overviews of the construction.
The construction.
secure against chosen-plaintext λ-key-leakage attacks, and let (P,V) be a one-time simulation-sound
adaptive NIZK proof system7for the following NP-language:
Let Π = (G,E,D) be a public-key encryption scheme that is semantically
L = {(c0,c1,pk0,pk1) | ∃m,r0,r1s.t. c0= Epk0(m;r0) and c1= Epk1(m;r1)} .
The encryption scheme Π?= (G?,E?,D?) is defined as follows:
• Key generation: Sample (sk0,pk0),(sk1,pk1) ← G(1n) independently, and a reference string
σ for the NIZK proof system. Output SK = sk0and PK = (pk0,pk1,σ).
• Encryption: On input a message M choose r0,r1∈ {0,1}∗, and compute c0= Epk0(M;r0)
and c1= Epk1(M;r1). Then, invoke the NIZK prover P to obtain a proof π for the statement
(c0,c1,pk0,pk1) ∈ L with respect to the reference string σ. Output the ciphertext (c0,c1,π).
• Decryption: On input a ciphertext (c0,c1,π), invoke the NIZK verifier V to verify that π is
an accepting proof with respect to the reference string σ. If V accepts then output Dsk0(c0),
and otherwise output ⊥.
7We refer the reader to [33, 42] for the definitions of a one-time simulation-sound adaptive NIZK proof system.
18
Page 20
Proof of security.
adapting the ideas of Lindell [33] and Sahai [42] to key leakage attacks. Specifically, we show that
any adversary that breaks the security of the scheme can be used to either break the simulation
soundness of the proof system (P,V) or to break the encryption scheme Π. The main point in our
setting, is that we can always simulate both the leakage oracle and the decryption oracle to such
an adversary:
In the remainder of the section we prove the security of the scheme Π?by
• When attacking the proof system (P,V) we know the key sk0. We use this key to simulate
the leakage oracle, and use this key together with the verifier of the proof system to simulate
the decryption oracle.
• When attacking the public key pk1we again know the key sk0as in the previous case. In fact,
pk1can even be sampled from a CPA-secure encryption scheme that is not resilient to key
leakage (both in the actual scheme and in the proof of security the adversary never obtains
leakage information from sk1).
• When attacking the public key pk0 we know the key sk1. We simulate the leakage oracle
by forwarding all queries to the leakage oracle of sk0, and we simulate the decryption oracle
using sk1and the verifier of the proof system.
We prove the following theorem:
Theorem 6.1. Assume that Π is semantically secure against chosen-plaintext λ-key-leakage at-
tacks, and that (P,V) is a one-time simulation-sound NIZK proof system. Then, Π?is semantically
secure against a-posteriori chosen-ciphertext λ-key-leakage attacks.
Proof. Given a probabilistic polynomial-time λ-key-leakage adversary A we begin by describing a
mental experiment in which A runs its attack. The difference between the mental experiment and
a real attack is that the challenge ciphertext received by A is not properly generated. Rather, the
NIZK proof is generated by the NIZK simulator S = (S1,S2) and the two encryptions may not be
to the same message.
Experiment ExptS
A(b0,b1):
1. Key generation:
• (σ,s) ← S1(1n) (a simulated reference string σ is used for the public key).
• (sk0,pk0),(sk1,pk1) ← G(1n).
• Set SK = sk0and PK = (pk0,pk1,r).
2. (M0,M1,state) ← ALeakage(SK),D?(SK,·)
3. Set up the challenge ciphertext c = (c0,c1,π):
1
(PK).
• c0← Epk0(Mb0).
• c1← Epk1(Mb1).
• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated proof π is used for the challenge).
4. b?← A
D?
2
?=c(SK,·)
(c,state).
19
Page 21
Given the above experiment, the advantage of A in attacking the scheme Π?can be bounded as
follows:
???Pr
+??Pr?ExptS
+
AdvLeakageCCA2
Π?,A
(n) =
?
ExptLeakageCCA2
Π?,A
ExptLeakageCCA2
Π?,A
A(1,1) = 1?− Pr?ExptS
???Pr?ExptS
(1) = 1
?
− Pr
− Pr?ExptS
A(0,0) = 1???
?
ExptLeakageCCA2
Π?,A
A(1,1) = 1????
(0) = 1
????
≤
???Pr
+??Pr?ExptS
?
(1) = 1
?
(6.1)
A(0,1) = 1???
ExptLeakageCCA2
Π?,A
(6.2)
(6.3)
A(0,1) = 1?− Pr?ExptS
A(0,0) = 1?− Pr
?
(0) = 1
???? .
(6.4)
The following claim shows that the terms (6.1) and (6.4) are negligible.
Claim 6.2. For every probabilistic polynomial-time A and b ∈ {0,1} it holds that
???Pr
?
ExptLeakageCCA2
Π?,A
(b) = 1
?
− Pr?ExptS
A(b,b) = 1???? ≤ ?(n)
for some negligible function ?(n).
Proof. The correctness of the claim follows from the zero-knowledge property of the NIZK proof
system (P,V). Given a probabilistic polynomial-time λ-key-leakage adversary A and a bit b ∈ {0,1}
for which
ExptLeakageCCA2
Π?,A
polynomial-time distinguisher A?that distinguishes a simulated proof from a real proof with ad-
vantage ?(n). Thus, the adaptive zero-knowledge property of (P,V) implies that ?(n) is negligible.
The distinguisher A?works as follows: it receives a reference string σ, samples two pairs of keys
(sk0,pk0),(sk1,pk1) ← G(1n) and invokes A on the public-key PK = (pk0,pk1,σ) while emulating
the decryption oracle and the leakage oracle for A using SK = sk0(note that anyone can verify
the NIZK proofs for the decryption process). When A outputs two messages (M0,M1) for the
challenge, A?computes c0= Epk0(Mb) and c1= Epk1(Mb), and asks for a proof π of the (correct)
statement (c0,c1,pk0,pk1) ∈ L. The distinguisher A?then gives A the challenge ciphertext (c0,c1,π)
and outputs whatever A does. Notice that if A?receives a real proof then it perfectly simulates
ExptLeakageCCA2
Π?,A
the advantage of A?is exactly ?(n).
Before proceeding, we prove a claim stating that in the experiment ExptS
whelming probability all ciphertext queries to the decryption oracle that contain accepting NIZK
proofs, are of valid ciphertexts. Formally, we say that a ciphertext c = (c0,c1,π) is invalid with an
accepting NIZK proof if Dsk0(c0) ?= Dsk1(c1) and V ((c0,c1,pk0,pk1),σ,π) = 1. The following claim
shows that if any of A’s ciphertext queries are of the above form, then A can be used to contradict
the one-time simulation-soundness of the NIZK proof system.
???Pr
?
(b) = 1
?
− Pr?ExptS
A(b,b) = 1???? ≥ ?(n), we construct a probabilistic
(b), and if A?receives a simulated proof then it perfectly simulates ExptS
A(b,b). Thus,
A(b0,b1), with over-
Claim 6.3. For every probabilistic polynomial-time adversary A and b0,b1∈ {0,1}, the probability
that in the experiment ExptS
ciphertext that has an accepting NIZK proof is negligible.
A(b0,b1) the adversary A queries the decryption oracle with an invalid
Proof. The correctness of the claim follows from the one-time simulation-soundness of the NIZK
proof system (P,V). Given a probabilistic polynomial-time adversary A and b0,b1 ∈ {0,1} for
which with a non-negligible probability A queries the decryption oracle with an invalid ciphertext
20
Page 22
that has an accepting NIZK proof, we construct a probabilistic polynomial-time A?that contradicts
the one-time simulation-soundness of (P,V).
A?receives a simulator-generated reference string σ and runs the rest of experiment ExptS
as in the proof of Claim 6.2 (the only difference is that A?computes c0 = Epk0(Mb0) and c1 =
Epk1(Mb1)). If during the simulation A queries the decryption oracle with an invalid ciphertext
that has an accepting NIZK proof, then A?outputs this ciphertext and halt (A?can check this
because it knows both decryption keys and because it can verify the validity of the NIZK proofs).
The simulation by A?is perfect, and therefore if A outputs an invalid ciphertext with an accepting
proof in ExptS
A(b0,b1)
A(b0,b1), then A?outputs a false statement with an accepting proof.
We are now ready to prove that the terms (6.2) and (6.3) are negligible.
Claim 6.4. For every probabilistic polynomial-time A it holds that
??Pr?ExptS
Proof. The correctness of the claim follows from the security of the scheme Π = (G,E,D). Given a
probabilistic polynomial-time adversary A for which??Pr?ExptS
essentially the same advantage.
The adversary A?receives as input a public-key pk generated by G(1n), and simulates the view
of A as follows:
1. Key generation:
A(1,1) = 1?− Pr?ExptS
A(0,1) = 1???≤ ?(n)
for some negligible function ?(n).
A(1,1) = 1?− Pr?ExptS
A(0,1) = 1???≥
?(n), we construct a probabilistic polynomial-time adversary A?that breaks the security of Π with
• A?sets pk0= pk, and samples (sk1,pk1) ← G(1n) and (σ,s) ← S1(1n).
• A?sets PK = (pk0,pk1,σ).
2. Leakage queries: Any leakage query f is forwarded to the leakage oracle corresponding to pk.
3. Decryption queries: Given a ciphertext c = (c0,c1,π) the adversary A?invokes the NIZK
verifier V to verify that π is an accepting proof with respect to the reference string σ. If V
accepts then A?outputs Dsk1(c1), and otherwise A?outputs ⊥.
4. When A outputs two messages M0and M1, the adversary A?obtains c0= Epk0(Mb) for a
random b ∈ {0,1}, and outputs the challenge ciphertext c = (c0,c1,π), where:
• c1← Epk1(M1).
• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated NIZK proof).
5. A?outputs the output of A.
From the point of view of A, the only difference between the view simulated by A?and the
experiment ExptS
views are identical as long as A does not submit an invalid ciphertext that has an accepting NIZK
proof. Claim 6.3 guarantees that the latter event has only a negligible probability.
A(b,1) is that A?performs the decryption using sk1and not sk0. However, these
Claim 6.5. For every probabilistic polynomial-time A it holds that
??Pr?ExptS
A(0,1) = 1?− Pr?ExptS
A(0,0) = 1???≤ ?(n)
for some negligible function ?(n).
21
Page 23
Proof. The correctness of the claim follows from the security of the scheme Π = (G,E,D). Given a
probabilistic polynomial-time adversary A for which??Pr?ExptS
essentially the same advantage.
The adversary A?receives as input a public-key pk generated by G(1n), and simulates the view
of A as follows:
1. Key generation:
A(0,1) = 1?− Pr?ExptS
A(0,0) = 1???≥
?(n), we construct a probabilistic polynomial-time adversary A?that breaks the security of Π with
• A?sets pk1= pk, and samples (sk0,pk0) ← G(1n) and (σ,s) ← S1(1n).
• A?sets PK = (pk0,pk1,σ).
2. Leakage queries: Given a function f the simulator A?outputs f(sk0).
3. Decryption queries: Given a ciphertext c = (c0,c1,π) the simulator A?invokes the NIZK
verifier V to verify that π is an accepting proof with respect to the reference string σ. If V
accepts then A outputs Dsk0(c0), and otherwise A outputs ⊥.
4. When A outputs two messages M0and M1, the simulator A?obtains c1= Epk1(Mb) for a
random b ∈ {0,1}, and outputs the challenge ciphertext c = (c0,c1,π), where:
• c0← Epk0(M0).
• π ← S2((c0,c1,pk0,pk1),σ,s) (a simulated NIZK proof).
5. A?outputs the output of A.
The claim now follows by noting that the simulated view of A is in fact identical to the exper-
iment ExptS
A(0,b).
This concludes the proof of the theorem.
6.2An Efficient CCA1-Secure Scheme
In this section we prove that a variant of the Cramer-Shoup “Lite” cryptosystem [9] (along the
lines of our generic construction in Section 4) is secure against a-priori chosen-ciphertext key-leakage
attacks.
Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, and let Ext :
G×{0,1}t→ {0,1}mbe an average-case (logq−λ,?)-strong extractor for some negligible ? = ?(n).
We present an encryption scheme with a secret key of size essentially 4logq bits (four group
elements), and show that the scheme is secure for any leakage of length λ ≤ logq − ω(logn) − m,
where m is the length of plaintexts. The following describes the encryption scheme:
• Key generation: Choose x1,x2,z1,z2 ∈ Zq and g1,g2 ∈ G uniformly at random. Let
c = gx1
1gx2
2, h = gz1
1gz2
2, and output the keys
SK = (x1,x2,z1,z2), PK = (g1,g2,c,h) .
• Encryption: On input a message M ∈ {0,1}m, choose r ∈ Zqand s ∈ {0,1}tuniformly at
random, and output the ciphertext
(gr
1,gr
2,cr,s,Ext(hr,s) ⊕ M) .
• Decryption: On input a ciphertext (u1,u2,v,s,e), if v ?= ux1
output e ⊕ Ext(uz1
1ux2
2then output ⊥ and otherwise
1uz2
2,s).
22
Page 24
Correctness.
it holds that ux1
decryption algorithm is always correct.
For any sequence of coin tosses of the key generation and encryption algorithms
1ux2
2
= (gx1
1gx2
2)r= cr= v and that uz1
1uz2
2= (gz1
1gz2
2)r= hr, and therefore the
Proof of security.
with the ideas presented in Section 4. We prove the following theorem:
The proof of security is based on augmenting the proof of Cramer and Shoup
Theorem 6.6. Assuming the hardness of DDH, the above encryption scheme is semantically-secure
against a-priori chosen-ciphertext (L/4 − ω(logn) − m)-key-leakage attacks, where n denotes the
security parameter, L = L(n) denotes the length of the secret key and m = m(n) denotes the length
of the plaintext.
Proof. We show that any efficient adversary A that breaks the security of the scheme (recall
Definition 3.2) can be used to construct an efficient algorithm A?that distinguishes between a DH
instance and a non-DH instance with a non-negligible advantage. On input (g1,g2,u1,u2) ∈ G4the
algorithm A?acts as follows:
1. A?chooses x1,x2,z1,z2∈ Zq uniformly at random, and sets c = gx1
(x1,x2,z1,z2), and PK = (g1,g2,c,h). Then A?invokes A with input PK.
2. A?simulates the leakage oracle and the decryption oracle to A using SK.
3. When A outputs two messages M0and M1, the simulator A?chooses b ∈ {0,1} and s ∈ {0,1}t
uniformly at random, and sends A the challenge ciphertext (u1,u2,ux1
Mb).
1gx2
2, h = gz1
1gz2
2, SK =
1ux2
2,s,Ext(uz1
1uz2
2,s)⊕
4. If A outputs b then A?outputs 1, and otherwise A?outputs 0.
In the following we say that a ciphertext (u1,u2,v,s,e) is invalid if logg1(u1) ?= logg2(u2). The
remainder of the proof proceeds as follows. First, we prove that if (g1,g1,u1,u2) is a DH instance
then A’s view is identical to the actual attack. Then, we prove that in both the actual attack and
in the simulated attack the decryption oracle rejects all invalid ciphertexts except with a negligible
probability. Finally, we prove that if (g1,g1,u1,u2) is a non-DH instance and the decryption oracle
rejects all invalid ciphertexts then A has only a negligible advantage in outputting the bit b. Thus,
if A has a non-negligible advantage in the actual attack, then A?has a non-negligible advantage in
distinguishing between DH instances and non-DH instances.
Claim 6.7. If (g1,g2,u1,u2) is a DH instance then A’s view is identical to the actual attack.
Proof. The actual attack and the simulated attack are identical up to the challenge phase. It
remains to prove that the challenge ciphertext has the correct distribution when (g1,g2,u1,u2) is
a DH instance. Indeed, in this case u1= gr
therefore ux1
1and u2= gr
2for some randomly chosen r ∈ Zq, and
1ux2
2= crand uz1
1uz2
2= hras it should be.
Claim 6.8. In both the actual attack and the simulated attack, the decryption algorithm rejects all
invalid ciphertexts except with a negligible probability.
Proof. The actual attack and the simulated attack are identical up to the challenge phase. There-
fore, the probability that the decryption algorithm rejects all invalid ciphertexts is the same in both
attacks.
23
Page 25
We prove the claim by considering the distribution of the point (x1,x2) ∈ Z2
sary’s point of view. The adversary is given the public key (g1,g2,c,h) and therefore from the
adversary’s point of view the point (x1,x2) is uniformly random subject to logg1(c) = x1+ γx2,
where γ = logg1(g2). Moreover, by submitting valid ciphertexts to the decryption oracle the ad-
versary does not learn any more information on (x1,x2) (in fact, by submitting a valid ciphertext
the adversary only learns a linear combination of the constraint logg1(h) = z1+γz2that is already
known from the public key).
Denote by (u?
gr?
the adversary prior to submitting the invalid ciphertext. The value aux obtains at most 2λvalues,
and therefore Lemma 2.1 implies that from the adversary’s point of view prior to submitting the
invalid ciphertext it holds that
qfrom the adver-
1,u?
2,v?,s?,e?) the first invalid ciphertext submitted by the adversary, where u?
1?= r?
1=
1
1, u?
2= gr?
2
2, and r?
2. Denote by aux the output of all leakage functions that were submitted by
?H∞((x1,x2)|PK,aux) ≥ H∞((x1,x2)|PK) − λ ≥ logq − λ .
In particular, the definition of average min-entropy implies that prior to submitting the invalid
ciphertext the probability of A in guessing (x1,x2) is at most 2−?H∞((x1,x2)|PK,aux)≤ 2λ/q. However,
note that if the decryption algorithm accepts the invalid ciphertext then we obtain the following
linear equations:
?logg1(v?) = r?
As long as γ(r?
can be used to guess (x1,x2). Thus, the probability that the decryption algorithm accepts the first
invalid ciphertext is at most 2λ/q.
An almost identical argument holds for all the subsequent invalid decryption queries. The only
difference is that each time the decryption oracle rejects an invalid ciphertext the adversary can rule
out one more value of (x1,x2) from the set {(x1,x2) ∈ Z2
the decryption algorithm accepts the i-th invalid ciphertext with probability at most 2λ/(q−i+1).
The claim now follows from the fact that the number of decryption queries is polynomial, and from
the restriction λ ≤ logq − ω(logn).
Claim 6.9. If (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects all invalid
ciphertexts, then A has only a negligible advantage in outputting the bit b.
Proof. We show that if (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects
all invalid ciphertexts then with overwhelming probability the value uz1
at least logq−λ ≥ m+ω(logn) given all the other values in the adversary’s view. The average-case
strong extractor then guarantees that the part of the challenge ciphertext that depends on the bit
b is ?-close to uniform given the adversary’s view, for a negligible ? = ?(n).
We prove the claim by considering the distribution of the point (z1,z2) ∈ Zqfrom the adversary’s
point of view. The adversary is given the public key (g1,g2,c,h) and therefore from the adversary’s
point of view the point (z1,z2) is uniformly random subject to logg1(h) = z1+ γz2, where γ =
logg1(g2). We assume that the decryption algorithm rejects all invalid ciphertext, and note that
by submitting valid ciphertexts to the decryption oracle the adversary does not learn any more
information (the adversary only learns a linear combination of the constraint logg1(h) = z1+ γz2).
Thus, the adversary does not learn any information on (z1,z2) via decryption queries.
1x1+ γr?
2x2
logg1(c) = x1+ γx2
1− r?
2) ?= 0 these equations are linearly independent, and therefore the adversary
q: logg1(c) = x1+ γx2}. This shows that
1uz2
2has average min-entropy
24
Page 26
Let u1= gr1
adversary. Then from the adversary’s point of view in the challenge phase it holds that
1, u2= gr2
2, and denote by aux the output of all leakage functions chosen by the
?H∞(uz1
1uz2
2| g1,g2,c,h,aux,u1,u2) =?H∞(r1z1+ γr2z2| γ,c,h,aux,r1,r2) .
z2) are linearly independent:
?logg1(h) = z1+ γz2
which implies that given (γ,h,r1,r2) the function (z1,z2) → r1z1+γr2z2is injective. Applying an
injective function to a distribution preserves its min-entropy, and therefore
Note that as long as γ(r1−r2) ?= 0, then for any w = uz1
1uz2
2the following two equations (in z1and
logg1(w) = r1z1+ γr2z2
?H∞(r1z1+ γr2z2| γ,c,h,aux,r1,r2) =?H∞((z1,z2) | γ,c,h,aux,r1,r2)
where the second equality follows from the fact that (z1,z2,γ,c,h,aux) are all chosen independently
of (r1,r2). Finally, the leakage aux obtains at most 2λpossible values, and therefore (see Lemma
2.1)
=?H∞((z1,z2) | γ,c,h,aux) ,
?H∞((z1,z2) | γ,c,h,aux) ≥ H∞((z1,z2) | γ,c,h) − λ
≥ logq − λ .
Combining all of the above, with overwhelming probability it holds that
= H∞((z1,z2) | γ,z1+ γz2) − λ
?H∞(uz1
1uz2
2| g1,g2,c,h,aux,u1,u2) ≥ logq − λ .
This concludes the proof of Theorem 6.6.
6.3An Efficient CCA2-Secure Scheme
In this section we prove that a variant of the Cramer-Shoup cryptosystem [9] (along the lines of
our generic construction in Section 4) is secure against a-posteriori chosen-ciphertext key-leakage
attacks.
Let G be a group of prime order q, let λ = λ(n) be the leakage parameter, let Ext : G×{0,1}t→
{0,1}mbe an average-case (logq −λ,?)-strong extractor for some negligible ? = ?(n), and let H be
a family of universal one-way hash functions H : G3→ Zq. Rompel [41] showed that universal one-
way hash functions can be constructed from one-way functions, and in particular, such functions
exist based on the hardness of DDH.
We present an encryption scheme with a secret key of size essentially 6logq bits (six group
elements), and show that the scheme is secure for any leakage of length λ ≤ logq − ω(logn) − m,
where m is the length of the plaintext. The following describes the encryption scheme:
• Key generation: Choose x1,x2,y1,y2,z1,z2 ∈ Zq, g1,g2 ∈ G, and H ∈ H uniformly at
random. Let c = gx1
1gx2
2, d = gy1
1gy2
2, h = gz1
1gz2
2, and output the keys
SK = (x1,x2,y1,y2,z1,z2),PK = (g1,g2,c,d,h,H) .
25
Page 27
• Encryption: On input a message M ∈ {0,1}m, choose r ∈ Zqand s ∈ {0,1}tuniformly at
random, and compute
u1= gr
1, u2= gr
2, e = Ext(hr,s) ⊕ M, α = H(u1,u2,s,e), v = crdrα.
Output the ciphertext (u1,u2,v,s,e).
• Decryption: On input a ciphertext (u1,u2,v,s,e) compute α = H(u1,u2,s,e), and if v =
ux1+y1α
12
then output the message
ux2+y2α
M = e ⊕ Ext(uz1
1uz2
2,s) .
Otherwise output ⊥.
Correctness.
it holds that ux1+y1α
algorithm is always correct.
For any sequence of coin tosses of the key generation and encryption algorithms
ux2+y2α
2
= crdrα= v and that uz1
11uz2
2
= hr, and therefore the decryption
Proof of security.
Cramer and Shoup with the ideas presented in Section 4. Specifically, we show that any efficient
adversary that breaks the security of the scheme can be used to either distinguish between a DH
instance and a non-DH instance or to break the security of the universal one-way hash functions.
We prove the following theorem:
As in Section 6.2, the proof of security is based on augmenting the proof of
Theorem 6.10. Assuming the hardness of DDH, the above encryption scheme is semantically-
secure against a-posteriori chosen-ciphertext (L/6 − ω(logn) − m)-key-leakage attacks, where n
denotes the security parameter, L = L(n) denotes the length of the secret key and m = m(n)
denotes the length of the plaintext.
Proof. Given an adversary A consider the algorithm A?that on input (g1,g2,u1,u2) ∈ G4acts as
follows:
1. A?chooses x1,x2,y1,y2,z1,z2∈ Zq and H ∈ H uniformly at random, and sets c = gx1
d = gy1
invokes A with input PK.
2. A?simulates the leakage oracle and the decryption oracle to A using SK.
3. When A outputs two messages M0and M1, the simulator A?chooses b ∈ {0,1} and s ∈ {0,1}t
independently and uniformly at random, computes
1gx2
2,
1gy2
2, h = gz1
1gz2
2, SK = (x1,x2,y1,y2,z1,z2), and PK = (g1,g2,c,d,h,H). Then A?
e = Ext(uz1
1uz2
2,s) ⊕ M, α = H(u1,u2,s,e), v = ux1+y1α
1
ux2+y2α
2
,
and sends A the challenge ciphertext (u1,u2,v,s,e).
4. If A outputs b then A?outputs 1, and otherwise A?outputs 0.
An immediate observation is that if (g1,g2,u1,u2) is a DH instance, then the simulation is
identical to the actual attack (and therefore A should have a non-negligble advantage in outputting
the bit b).
Claim 6.11. If (g1,g2,u1,u2) is a DH instance then A’s view is identical to the actual attack.
26
Page 28
Proof. The actual attack and the simulated attack are identical except for the challenge ciphertext.
It remains to prove that the challenge ciphertext has the correct distribution when (g1,g2,u1,u2)
is a DH instance. Indeed, in this case u1= gr
therefore ux1+y1α
12
= crdrαand uz1
1and u2= gr
2= hras it should be.
2for some randomly chosen r ∈ Zq, and
ux2y1α
1uz2
The more interesting part of the proof is devoted for showing that if (g1,g2,u1,u2) is a non-DH
instance then A has only a negligible advantage in outputting the bit b. From now on we assume
that (g1,g2,u1,u2) is a non-DH instance, where logg1(u1) = r1, logg2(u2) = r2, and r1?= r2.
We denote by (u∗
the event in which for one of A’s decryption queries (u1,u2,v,s,e) it holds that (u1,u2,s,e) ?=
(u∗
invalid if logg1(u?
In what follows we prove that if the event Collision does not occur then A has only a negligible
advantage in outputting the bit b. Specifically, we prove that: (1) if the event Collision does not
occur then the decryption oracle rejects all invalid ciphertexts except with a negligible probability,
and (2) if the decryption oracle rejects all invalid ciphertexts then A has only a negligible advantage
in outputting the bit b. We conclude by proving that the event Collision has a negligible probability
due to the security of the family H of universal one-way hash functions.
Claim 6.12. If (g1,g2,u1,u2) is a non-DH instance and the event Collision does not occur, then
the decryption algorithm rejects all invalid ciphertext except with a negligible probability.
1,u∗
2,v∗,s∗,e∗) the challenge ciphertext given to A, and denote by Collision
1,u∗
2,s∗,e∗) and H(u1,u2,s,e) = H(u∗
1) ?= logg2(u?
1,u∗
2,s∗,e∗). We say that a ciphertext (u?
1,u?
2,v?,s?,e?) is
2).
Proof. We prove the claim by considering the distribution of the point (x1,x2,y1,y2) ∈ Z4
the adversary’s point of view. Ignoring the leakage functions for now, the adversary is given the
public key (g1,g2,c,d,h,H) and the challenge ciphertext (u1,u2,v,s,e), and therefore from the
adversary’s point of view the point (x1,x2,y1,y2) is uniformly random subject to
where γ = logg1(g2).Note that by submitting valid ciphertexts to the decryption oracle the
adversary does not learn any more information on (x1,x2,y1,y2) (in fact, by submitting a valid
ciphertext the adversary only learns a linear combination of the constraint logg1(h) = z1+γz2that
is already known from the public key).
Denote by (u?
versary, where u?
the adversary prior to submitting the invalid ciphertext. The adversary learns at most λ bits of
leakage, and therefore
?H∞((x1,x2,y1,y2)|view) ≥ logq − λ .
ciphertext the probability of A in guessing (x1,x2,y1,y2) is at most 2−?H∞((x1,x2,y1,y2)|view)≤ 2λ/q.
There are three cases to consider:
qfrom
logg1(c) = x1+ γx2
logg1(d) = y1+ γy2
logg1(v) = r1x1+ r2γx2+ αr1y1+ αr2γy2
,
1,u?
1= gr?
2,v?,s?,e?) ?= (u1,u2,v,s,e) the first invalid ciphertext submitted by the ad-
1
1, u?
2= gr?
2
2, r?
1?= r?
2, and α?= H(u?
1,u?
2,s?,e?). Denote by view the view of
In particular, the definition of average min-entropy implies that prior to submitting the invalid
1. (u?
1,u?
2,s?,e?) = (u1,u2,s,e). In this case α?= α but v ?= v?and therefore the decryption
algorithm rejects.
2. (u?
1,u?
2,s?,e?) ?= (u1,u2,s,e) and α?= α. This is impossible since we assume that the event
Collision does not occur.
27
Page 29
3. (u?
1,u?
2,s?,e?) ?= (u1,u2,s,e) and α??= α. In this case, if the decryption algorithm accepts the
invalid ciphertext then we obtain the following linear equations:
As long as γ2(r1− r2)(r?
therefore the adversary can be used to guess (x1,x2,y1,y2). Thus, the probability that the
decryption algorithm accepts the first invalid ciphertext is at most 2λ/q.
logg1(c) = x1+ γx2
logg1(d) = y1+ γy2
logg1(v) = r1x1+ r2γx2+ αr1y1+ αr2γy2
logg1(v?) = r?
1x1+ r?
2γx2+ α?r?
1y1+ α?r?
2γy2
,
1− r?
2)(α − α?) ?= 0 these equations are linearly independent, and
An almost identical argument holds for all the subsequent invalid decryption queries. The only
difference is that each time the decryption oracle rejects an invalid ciphertext the adversary can
rule out one more value of (x1,x2,y1,y2). This shows that the decryption algorithm accepts the
i-th invalid ciphertext with probability at most 2λ/(q−i+1). The claim now follows from the fact
that the number of decryption queries is polynomial, and from the restriction λ ≤ logq −ω(logn).
Claim 6.13. If (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects all invalid
ciphertexts, then A has only a negligible advantage in outputting the bit b.
Proof. We show that if (g1,g2,u1,u2) is a non-DH instance and the decryption algorithm rejects
all invalid ciphertexts then with overwhelming probability the value uz1
at least logq−λ ≥ m+ω(logn) given all the other values in the adversary’s view. The average-case
strong extractor then guarantees that the part of the challenge ciphertext that depends on the bit
b is ?-close to uniform given the adversary’s view, for a negligible ? = ?(n).
We prove the claim by considering the distribution of the point (z1,z2) ∈ Zqfrom the adversary’s
point of view. The adversary is given the public key (g1,g2,c,d,h,H) and therefore from the
adversary’s point of view the point (z1,z2) is uniformly random subject to logg1(h) = z1+γz2, where
γ = logg1(g2). We assume that the decryption algorithm rejects all invalid ciphertext, and note
that by submitting valid ciphertexts to the decryption oracle the adversary does not learn any more
information (the adversary only learns a linear combination of the constraint logg1(h) = z1+ γz2).
Thus, the adversary does not learn any information on (z1,z2) via decryption queries.
Let u1= gr1
adversary. Then from the adversary’s point of view it holds that
1uz2
2has average min-entropy
1, u2= gr2
2, and denote by aux the output of all leakage functions chosen by the
?H∞(uz1
1uz2
2| g1,g2,c,d,h,H,aux,u1,u2) =?H∞(r1z1+ γr2z2| γ,c,d,h,H,aux,r1,r2) .
Note that as long as γ(r1−r2) ?= 0, then for any w = uz1
z2) are linearly independent:
?logg1(h) = z1+ γz2
which implies that given (γ,h,r1,r2) the function (z1,z2) → r1z1+γr2z2is injective. Applying an
injective function to a distribution preserves its min-entropy, and therefore
1uz2
2the following two equations (in z1and
logg1(w) = r1z1+ γr2z2
?H∞(r1z1+ γr2z2| γ,c,d,h,H,aux,r1,r2) =?H∞((z1,z2) | γ,c,d,h,H,aux,r1,r2)
=?H∞((x1,x2) | γ,c,d,h,H,aux) ,
28
Page 30
where the second equality follows from the fact that (z1,z2,γ,c,d,h,H,aux) are all chosen indepen-
dently of (r1,r2). Finally, the leakage aux obtains at most 2λpossible output values, and therefore
(see Lemma 2.1)
?H∞((z1,z2) | γ,c,d,h,H,aux) ≥ H∞((z1,z2) | γ,c,d,h,H) − λ
≥ logq − λ .
Combining all of the above, with overwhelming probability it holds that
= H∞((z1,z2) | γ,z1+ γz2) − λ
?H∞(uz1
1uz2
2| g1,g2,c,d,h,H,aux,u1,u2) ≥ logq − λ .
Claim 6.14. If (g1,g2,u1,u2) is a non-DH instance then the event Collision occurs with only a
negligible probability.
Proof. Given an adversary A for which the event Collision occurs with only a negligible probability,
we construct an algorithm A??that breaks the security of the universal one-way hash functions. A??
is essentially identical to A?that was described above, except for choosing (u1,u2,s,e) before the
function H is chosen, where e ∈ {0,1}mis chosen uniformly at random instead of as a function of
the messages M0and M1. We claim, however, that as long as the event Collision does not occur
then A cannot distinguish between A?and A??(the argument is identical to the proofs of Claims
6.12 and 6.13). Therefore, A helps A??to find a collision with H(u1,u2,s,e) with a non-negligible
probability.
Formally, consider the following algorithm A??that attacks the family H of universal one-way
hash functions:
1. A??chooses (g1,g2,u1,u2) ∈ G4, s ∈ {0,1}tand e ∈ {0,1}muniformly at random, and
announces (u1,u2,s,e).
2. A??is given as input a randomly chosen function H ∈ H.
3. A??chooses x1,x2,y1,y2,z1,z2∈ Zq independently and uniformly at random, and sets c =
gx1
Then A?sends PK to A.
4. A?simulates the leakage oracle and the decryption oracle to A using SK.
5. In the challenge phase A?ignores the two messages M0,M1∈ {0,1}m, computes
α = H(u1,u2,s,e), v = ux1+y1α
1gx2
2, d = gy1
1gy2
2, h = gz1
1gz2
2, SK = (x1,x2,y1,y2,z1,z2), and PK = (g1,g2,c,d,h,H).
1
ux2+y2α
2
,
and sends A the challenge ciphertext (u1,u2,v,s,e).
6. If at some point A submits a decryption query (u?
(u1,u2,s,e) and H(u?
A??outputs ⊥.
1,u?
2,v?,s?,e?) such that (u?
1,u?
2,s?,e?) ?=
1,u?
2,s?,e?) = H(u1,u2,s,e) then A??outputs (u?
1,u?
2,s?,e?). Otherwise
29
Page 31
Claim 6.12 guarantees that as long as the event Collision does not occur, then the decryp-
tion algorithm rejects all invalid ciphertexts except with a negligible probability. Claim 6.13 that
guarantees that as long as the decryption algorithm rejects all invalid ciphertexts then A cannot
distinguish between A?and A??. Specifically, both in the execution with A?and in the execution
with A??the component in the challenge ciphertext that depends on the bit b is ?-close to ran-
dom given the adversary’s view (for some negligible ? = ?(n)). Therefore, with a non-negligible
probability A submits a ciphertext (u?
H(u?
1,u?
2,v?,s?,e?) such that (u?
1,u?
2,s?,e?) ?= (u1,u2,s,e) and
1,u?
2,s?,e?) = H(u1,u2,s,e), and in this case A??finds a collision.
This concludes the proof of Theorem 6.10.
7Protecting Against Weak Key-Leakage Attacks
In this section we consider weak key-leakage attacks (see Definition 3.4), in which a leakage function
with output length λ is chosen by the adversary ahead of time without any knowledge of the public
key. We present a generic construction that transforms any encryption scheme to one that is
resilient to any weak leakage of L(1 − o(1)) bits, where L is the length of the secret key. The
resulting scheme is essentially as efficient as the original one, and does not rely on additional
computational assumptions.
As discussed in Section 1.1, although this notion of key leakage seems very limited, it still
captures many realistic attacks in which the leakage does not depend on the parameters of the
encryption scheme. Specifically, this notion captures the cold boot attack of Halderman et al. [21],
in which the leakage depends only on the properties of the hardware devices that are used for
storing the secret key.
Let Π = (G,E,D) be any public-key encryption scheme, and denote by m = m(n) the length
of the random string used by G(1n). Given a leakage parameter λ = λ(n), let Ext : {0,1}k(n)×
{0,1}t(n)→ {0,1}m(n)be an average-case (k − λ,?)-strong extractor for some negligible ? = ?(n).
Consider the encryption scheme Πλ= (Gλ,Eλ,Dλ) defined as follows:
• Key generation: On input 1nchoose x ∈ {0,1}k(n)and s ∈ {0,1}t(n)uniformly at random,
and compute (pk,sk) = G(Ext(x,s)). Output PK = (pk,s) and SK = x.
• Encryption: On input a message M and a public-key PK = (pk,s), choose r ∈ {0,1}∗
uniformly at random and output (E(pk,M;r),s).
• Decryption: On input a ciphertext (c,s) and a secret key SK = x, compute (pk,sk) =
G(Ext(x,s)) and output D(sk,c).
The following theorem states that if Π is semantically secure, then Πλis resilient to any weak
key leakage of λ bits.
Theorem 7.1. Let (G,E,D) be a semantically secure public-key encryption scheme. Then, for
any polynomial λ = λ(n) the scheme (Gλ,Eλ,Dλ) is semantically secure against weak λ-key-leakage
attacks.
Proof. We show that for any efficient adversary A and ensemble F of efficiently computable leakage
functions, there exists an efficient adversary A?such that
AdvWeakLeakage
Πλ,A,F
For b ∈ {0,1} consider the following experiment denoted ExptΠ,A,F(b):
(n) ≤ AdvCPA
Π,A?(n) + 2?(n) .
30
Page 32
1. Choose x ∈ {0,1}k(n), s ∈ {0,1}t(n), and y ∈ {0,1}m(n)uniformly at random. Compute
(pk,sk) = G(y). Let PK = (pk,s) and SK = sk.
2. (M0,M1,state) ← A1(PK,fn(x)) such that |M0| = |M1|.
3. C ← Epk(Mb).
4. b?← A2(C,state)
5. Output b?.
Using the notation of Definition 3.4 and the triangle inequality, for any adversary A it holds that
AdvWeakLeakage
Πλ,A,F
≤
+??Pr?ExptΠ,A,F(0) = 1?− Pr?ExptΠ,A,F(1) = 1???
(n) =
???Pr
?
ExptWeakLeakage
Πλ,A,F
ExptWeakLeakage
Πλ,A,F
(0) = 1
?
− Pr
− Pr?ExptΠ,A,F(0) = 1????
?
?
ExptWeakLeakage
Πλ,A,F
(1) = 1
????
???Pr
+
?
(0) = 1
?
(7.1)
(7.2)
???Pr?ExptΠ,A,F(1) = 1?− Pr
ExptWeakLeakage
Πλ,A,F
(1) = 1
???? .
(7.3)
The experiment ExptΠ,A,F(b) is identical to the experiment ExptWeakLeakage
that the key generation algorithm G is invoked on a truly random input y and not on input Ext(x,s).
Note, however, that the average min-entropy of x given fn(x) is at least k − λ, and therefore the
average-case strong extractor guarantees that the statistical distance between the views of the
adversary in these two experiments is at most ?. A crucial point here is that the leakage function
is independent of the public key, and specifically, independent of the seed s. This implies that each
of the terms (7.1) and (7.3) is upper bounded by ?.
In addition, it is rather straightforward that there exists a CPA-adversary A?for which the
term (7.2) is upper bounded by AdvCPA
Πλ,A,F
(b) other than the fact
Π,A?(n), and this concludes the proof.
Generalization to hard-to-invert leakage.
in which the secret key is information-theoretically unpredictable given the leakage information.
One can also consider leakage attacks in which the secret key is only computationally unpredictable.
That is, the leakage may completely determine the secret key, but it is computationally hard to
actually recover the secret key. Such a notion of key leakage was studied by Dodis, Tauman Kalai,
and Lovett [13] in the setting of symmetric-key encryption. They introduced a new computational
assumption that is a generalization of learning parity with noise, and constructed symmetric-key
encryption schemes that are resilient to leakage of the form f(sk), where f is any exponentially-hard
one-way function.
The above construction for protecting against weak key-leakage attacks can be generalized in a
straightforward manner to provide protection against any leakage that is sufficiently hard to invert.
Specifically, the only modification to the above construction is that the strong extractor Ext(x,s)
is replaced by Goldreich-Levin hard-core bits GL(x,s) [17] (recall that x is the secret key, and s is
part of the public key). Thus, the resulting encryption scheme is secure with respect to any leakage
of the form f(x), where GL(x,s) is a string of m?bits (for some constant ? > 0) that is hard core
for f (note that a pseudorandom generator can be applied to GL(x,s) to obtain a pseudorandom
string of length m to be used by the key-generation algorithm). In particular, this is known to
be satisfied by any 2Ω(m?)-hard one-way function f : {0,1}m→ {0,1}m?(see, for example, [17,
Corollary 1]).
So far in this paper we considered leakage attacks
31
Page 33
8Protecting Against Generalized Forms of Key-Leakage Attacks
In this section we present several generalizations of key-leakage attacks that extend the framework
presented in Section 3, and show that they are satisfied by our schemes.
8.1Noisy Leakage
In the side-channel attack of Halderman et al. [21] the adversary learns a noisy version of all of the
memory. This is a more general scenario than the scenario captured by Definition 3.1: The leakage
is not of bounded length, but it is guaranteed that the secret key is still somewhat unpredictable
given the leakage. This motivates a realistic generalization that allows the adversary to learn
any random variable W (representing the leakage information) for which the conditional mutual
information (adapted to average min-entropy8) of the secret key and W given the public key is at
most λ. That is, the adversary can learn any random variable W for which
?I∞(SK;W|PK)def
=?H∞(SK|PK) −?H∞(SK|PK,W) ≤ λ
In the information-theoretic setting, this generalization does not necessarily strengthen the defi-
nition, since W may be compressed to essentially λ bits. However, in the computational setting
(which is the setting we consider in this work) we can conjecture that this notion is stronger9.
Our generic construction from hash proof systems satisfies this notion of security assuming an
additional property of the underlying hash proof system (that is satisfied by all the constructions
in this paper). Informally, using the notation introduced in Section 2.3, the required property is
that with overwhelming probability over the choice of an invalid ciphertext C ∈ C \ V, there is no
substantial gap between the min-entropy of the secret key sk ∈ SK and the min-entropy of the
encapsulated key Λsk(C) ∈ K, both conditioned on the public key pk ∈ PK. For example, for the
hash proof systems underlying the schemes in Sections 4.2 and 5.1 it holds that?I∞(Λsk(C);W|pk) =
property holds for the hash proof system underlying the scheme in Section 5.2). In addition, it is
rather straightforward to verify that our CCA-secure constructions (both the generic construction
and the two specific constructions) and the generic construction for protecting against weak leakage
attacks satisfy this notion of security.
?I∞(sk;W|pk), and this suffices for the same proofs of security to go through (a slightly more subtle
8.2 Leakage of Intermediate Values from the Key-Generation Process
Definition 3.1 assumes that the adversary does not learn any of the intermediate values that occur
during the generation of the secret and public keys. In practice, however, this is not always a valid
assumption. Specifically, in the attack of Halderman et al. [21] the adversary learns a noisy version
of all of the memory, and it is rather likely that intermediate values from the generation of the keys
are not always completely erased. This motivates a natural generalization that allows the adversary
to learn functions of the random bits that are used by the key generation algorithm. Encryption
schemes that satisfy this notion of security are more robust to leakage in the sense that the key
generation algorithm does not have to make sure that all intermediate key-related values have been
deleted. In addition, this generalization is especially important to security under composition of
cryptographic primitives. For example, the key generation algorithm may use random bits (or
8For Shannon entropy, the conditional mutual information of X and Y given Z is defined as I(X;Y |Z) = H(X|Z)−
H(X|Y,Z).
9See, as an analogy, the trade-off presented by Harsha et al. [22] between communication complexity and compu-
tation.
32
Page 34
pseudorandom bits) that are the output of another primitive (say, a pseudorandom generator)
which may also suffer from unintended leakage of sensitive information.
All of our constructions in this paper, except for the generic CCA-secure construction in Section
6.1, are secure according to this generalization10. Informally, the proofs of security of our schemes
(other than the generic CCA-secure scheme) rely on an indistinguishability argument over the
challenge ciphertext and not over the public key. As a result, the simulators in the proofs of
security always generate the secret key and public key by themselves, and therefore they know
the random bits used by the key generation algorithm and can simulate the leakage oracle to the
adversary. A minor comment is that the simulators do not always generate the public parameters of
the hash proof system by themselves. These public parameters, however, can be shared among all
users and therefore they do not have to be included in the key generation algorithm. For example,
when instantiating the generic construction presented in Section 4.1 with the Paillier-based hash
proof system of Cramer and Shoup [8], the public parameters include a modulus N = PQ. In this
case, as demonstrated by Rivest and Shamir [40], an adversary that obtains leakage information
on the random bits used to generate N can efficiently compute its factorization and completely
compromise the security of the scheme. However, the factorization of N is not needed for the
encryption scheme (i.e., it is not part of the secret key), and therefore it is possible to assume that
N is publicly known and is not part of the key generation algorithm (exactly as suggested in [8]).
8.3Keys Generated using Weak Random Sources
When considering leakage of the random bits that are used by the key generation algorithm (as in
Section 8.2), then from the adversary’s point of view these bits are uniformly distributed subject
to the leakage information. A natural generalization in this setting is to consider cases in which
the keys are generated using a weak source of random bits. This is relevant, in particular, in light
of crucial security vulnerabilities that were recently identified in pseudorandom generators that are
used by many systems [15, 20, 45].
Formally, we consider the following security experiment. First, a global algorithm generates
public parameters for the encryption scheme. These parameters are generated using truly random
(or pseudorandom) bits, and are shared among all users. Next, we allow the adversary to specify a
distribution of random bits that will be used to generate the secret key and public key of a specific
user. The adversary can choose this distribution as a function of the public parameters, and the
only restriction is a predetermined lower bound on the min-entropy of the distribution. Then, the
experiment continues as in the standard indistinguishability of encryptions experiment.
10The generic CCA-secure construction in Section 6.1 can be made secure against such attacks by requiring two
additional simple properties from its building blocks. First, the public key pk1 should be sampled without producing
a corresponding secret key (note that the secret key of the resulting scheme does not include sk1 anyway). That
is, there should be an efficient algorithm that generates pk1, such that the scheme is secure even if the adversary
knows the random bits used for generate pk1. This property is satisfied by the schemes in Sections 4.2, 5.1, and 5.2.
Moreover, we note that in fact pk1 does not have to come from an encryption scheme that is resilient to key-leakage
attacks – only pk0 has to be resilient to key-leakage attacks (as shown by the proofs of Claims 6.4 and 6.5), and
therefore any public-key encryption scheme with such an oblivious sampling algorithm can be used for pk1. Second,
the NIZK proof system should also have such a property with respect to the common reference string. That is, the
NIZK proof system should maintain its security even if the adversary knows the random bits used for generating the
common reference string (note that this should hold only for the “real” reference string, and not for the “simulated”
one). In particular, this is satisfied by any NIZK proof system in which the common reference string is a uniformly
random string. A similar comment is in place also for the CCA2-secure construction in Section 6.3: the universal one-
way hash functions should be secure even if the adversary knows the random bits used for generating the description
of a function. In general, this is a seemingly stronger requirement (see [24]), but in practice this is not a concern
since the universal one-way hash functions can be instantiated with a fixed hash function, such as SHA-256.
33
Page 35
Our schemes in Sections 4.2, 5.1, 5.2, and 6.2 satisfy this notion of security. For simplicity, we
exemplify this fact using the scheme from Section 4.2, and note that ideas we present here easily
extend to the other schemes11. The public parameters of the scheme consist of a description of
a group G of prime order q, and two generators g1,g2∈ G that are chosen uniformly at random
(these are the public parameters of the corresponding hash proof system). The secret key of the
scheme is a pair (x1,x2) ∈ Z2
the secret key is sampled. The adversary can choose this distribution as a function of the public
parameters, and we only require that it has min-entropy at least logq + ω(logn) + m, where m
is the length of plaintexts (note that this is rather far from the uniform distribution over Z2
a wide range of parameters). The public key is then computed as h = gx1
security, we observe that if (g1,g2,u1,u2) is not a Diffie-Hellman tuple (i.e., u1= gr1
r1?= r2), then it holds that
q, and we allow the adversary to specify the distribution from which
qfor
1gx2
2. For the proof of
1, u2= gr2
2, and
?H∞(ux1
1ux2
2|h) =?H∞((x1,x2)|h) ≥ H∞(x1,x2) − logq = m + ω(logn)
Thus, the average-case strong-extractor Ext guarantees that Ext(ux1
m-bit challenge plaintext.
1ux2
2,s) statistically masks the
8.4Leakage of Intermediate Values from the Decryption Process
An additional strengthening of Definition 3.1 is to consider leakage that may occur during com-
putation, and not only leakage from the stored key. Specifically, an invocation of the decryption
algorithm may produce various intermediate values, whose leakage may compromise the security
of the scheme even if the scheme is robust against leakage from the stored key. Such a notion of
security is generically guaranteed when considering leakage of fixed bounded length (as in Defini-
tion 3.1). However, it is not always guaranteed when the adversary obtains all of the memory in a
noisy fashion (as discussed in Section 8.1).
Consider the seemingly contrived example of a decryption algorithm that first encodes the secret
key using a good error-correcting code, and then performs the actual decryption. In this case, an
adversary that obtains a noisy variant of the memory can clearly recover the secret key. This exam-
ple, however, is not so contrived, since as demonstrated by Halderman et al., encryption schemes
typically compute intermediate key-related values whose representation is rather redundant, and
this can be used to attack the scheme. Moreover, even if the encryption scheme itself does not ex-
plicitly instructs to compute intermediate values, it may be the case that such values are computed
by a specific implementation of the encryption scheme.
Although when presenting our encryption schemes in this paper we do not specify exact im-
plementations of their decryption algorithms, we point out that they can be implemented while
introducing only minimal redundancy. That is, the key-related computation has “low bandwidth”:
at any point in time the (natural) decryption algorithm works on a limited part of the key and the
intermediate results are also succinct. For example, the natural implementation of the decryption
algorithms of the schemes in Section 5 require space that is significantly smaller than the size of
their corresponding secret keys: for the scheme in Section 5.2, the length of the secret key is ? bits,
and the decryption algorithm requires only O(logq) bits where ? is significantly larger than logq,
and a similar property is satisfied by the scheme in Section 5.1.
11We note that these feasibility results do not contradict the negative result of Dodis et al. [10] on the possibility
of public-key encryption with imperfect randomness. Specifically, our generalization circumvents their impossibility
result by assuming that truly random bits are available for the encryption algorithm, and that only the keys are
generated using imperfect randomness.
34
Page 36
References
[1] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup. Tag-KEM/DEM: A new framework for
hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In Advances in Cryptology
– EUROCRYPT ’05, pages 128–146, 2005.
[2] A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits and cryptog-
raphy against memory attacks. In Proceedings of the 6th Theory of Cryptography Conference,
pages 474–495, 2009.
[3] E. Biham and A. Shamir. Differential fault analysis of secret key cryptosystems. In Advances
in Cryptology – CRYPTO ’97, pages 513–525, 1997.
[4] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology –
CRYPTO ’04, pages 41–55, 2004.
[5] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking cryptographic
protocols for faults. In Advances in Cryptology – EUROCRYPT ’97, pages 37–51, 1997.
[6] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky. Circular-secure encryption from decision
Diffie-Hellman. In Advances in Cryptology – CRYPTO ’08, pages 108–125, 2008.
[7] R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz, and A. Sahai. Exposure-resilient functions
and all-or-nothing transforms. In Advances in Cryptology – EUROCRYPT ’00, pages 453–469,
2000.
[8] R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext
secure public-key encryption. In Advances in Cryptology – EUROCRYPT ’02, pages 45–64,
2002.
[9] R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure
against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003.
[10] Y. Dodis, S. J. Ong, M. Prabhakaran, and A. Sahai. On the (im)possibility of cryptography
with imperfect randomness. In Proceedings of the 45th Annual IEEE Symposium on Founda-
tions of Computer Science, pages 196–205, 2004.
[11] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong
keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1):97–139, 2008.
[12] Y. Dodis, A. Sahai, and A. Smith. On perfect and adaptive security in exposure-resilient
cryptography. In Advances in Cryptology – EUROCRYPT ’01, pages 301–324, 2001.
[13] Y. Dodis, Y. Tauman Kalai, and S. Lovett. On cryptography with auxiliary input. To appear
in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, 2009.
[14] D. Dolev, C. Dwork, and M. Naor. Non-malleable cryptography. SIAM Journal on Computing,
30(2):391–437, 2000.
[15] L. Dorrendorf, Z. Gutterman, and B. Pinkas. Cryptanalysis of the windows random number
generator. In Proceedings of the 2007 ACM Conference on Computer and Communications
Security, pages 476–485, 2007.
35
Page 37
[16] S. Dziembowski and K. Pietrzak. Leakage-resilient cryptography. In Proceedings of the 49th
Annual IEEE Symposium on Foundations of Computer Science, pages 293–302, 2008.
[17] O. Goldreich and L. A. Levin. A hard-core predicate for all one-way functions. In Proceedings
of the 21st Annual ACM Symposium on Theory of Computing, pages 25–32, 1989.
[18] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System
Sciences, 28(2):270–299, 1984.
[19] S. Goldwasser, Y. Tauman Kalai, and G. N. Rothblum. One-time programs. In Advances in
Cryptology – CRYPTO ’08, pages 39–56, 2008.
[20] Z. Gutterman, B. Pinkas, and T. Reinman. Analysis of the linux random number generator.
In IEEE Symposium on Security and Privacy, pages 371–385, 2006.
[21] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J.
Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption
keys. In Proceedings of the 17th USENIX Security Symposium, pages 45–60, 2008.
[22] P. Harsha, Y. Ishai, J. Kilian, K. Nissim, and S. Venkatesh. Communication versus com-
putation. In Proceedings of the 31st International Colloquium on Automata, Languages and
Programming, pages 745–756, 2004.
[23] N. Heninger and H. Shacham. Improved RSA private key reconstruction for cold boot attacks.
Cryptology ePrint Archive, Report 2008/510, 2008.
[24] C.-Y. Hsiao and L. Reyzin. Finding collisions on a public road, or do secure hash functions
need secret coins? In Advances in Cryptology – CRYPTO ’04, pages 92–105, 2004.
[25] Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner. Private circuits II: Keeping secrets in
tamperable circuits. In Advances in Cryptology – EUROCRYPT ’06, pages 308–327, 2006.
[26] Y. Ishai, A. Sahai, and D. Wagner. Private circuits: Securing hardware against probing attacks.
In Advances in Cryptology – CRYPTO ’03, pages 463–481, 2003.
[27] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from computational Diffie-Hellman
in cryptographic groups. Journal of Cryptology, 16(4):239–247, 2003.
[28] E. Kiltz. Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie-Hellman.
In Proceedings of the 10th International Conference on Practice and Theory in Public-Key
Cryptography, pages 282–297, 2007.
[29] E. Kiltz, K. Pietrzak, M. Stam, and M. Yung. A new randomness extraction paradigm for
hybrid encryption. To appear in Advances in Cryptology – EUROCRYPT ’09, 2009.
[30] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other
systems. In Advances in Cryptology – CRYPTO ’96, pages 104–113, 1996.
[31] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Advances in Cryptology –
CRYPTO ’99, pages 388–397, 1999.
[32] K. Kurosawa and Y. Desmedt. A new paradigm of hybrid encryption scheme. In Advances in
Cryptology – CRYPTO ’04, pages 426–442, 2004.
36
Page 38
[33] Y. Lindell. A simpler construction of CCA2-secure public-key encryption under general as-
sumptions. Journal of Cryptology, 19(3):359–377, 2006.
[34] U. M. Maurer. On the oracle complexity of factoring integers. Computational Complexity,
5(3-4):237–247, 1995.
[35] S. Micali and L. Reyzin. Physically observable cryptography. In Proceedings of the 1st Theory
of Cryptography Conference, pages 278–296, 2004.
[36] M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext
attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pages
427–437, 1990.
[37] C. Petit, F.-X. Standaert, O. Pereira, T. Malkin, and M. Yung. A block cipher based pseudo
random number generator secure against side-channel key recovery. In Proceedings of the ACM
Symposium on Information, Computer and Communications Security (ASIACCS), pages 56–
65, 2008.
[38] K. Pietrzak. A leakage-resilient mode of operation. To appear in Advances in Cryptology –
EUROCRYPT ’09, 2009.
[39] O. Regev.
Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pages 84–93, 2005.
On lattices, learning with errors, random linear codes, and cryptography.In
[40] R. L. Rivest and A. Shamir. Efficient factoring based on partial information. In Advances in
Cryptology – EUROCRYPT ’85, pages 31–34, 1985.
[41] J. Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings
of the 22nd Annual ACM Symposium on Theory of Computing, pages 387–394, 1990.
[42] A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext secu-
rity. In Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science,
pages 543–553, 1999.
[43] H. Shacham. A Cramer-Shoup encryption scheme from the Linear assumption and from pro-
gressively weaker Linear variants. Cryptology ePrint Archive, Report 2007/074, 2007.
[44] V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryp-
tology – EUROCRYPT ’97, pages 256–266, 1997.
[45] S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. PRNG PR0N: Understanding
the Debian OpenSSL debacle. Manuscript, 2008.
A The Matrix d-Linear Assumption
Let G be an algorithm that takes as input a security parameter and outputs a triplet G = (G,q,g)
where G a group of order q that is generated by g. We denote by Rki(Za×b
matrices over Zqwith rank i. For a matrix R = {ri,j}i∈[a],j∈[b]∈ Za×b
{gi,j}i∈[a],j∈[b]= {gri,j}i∈[a],j∈[b]∈ Ga×b.
The matrix d-Linear assumption is that for any integers a and b, and for any d ≤ i < j ≤
min{a,b} the ensembles {(G,gR)}R∈Rki(Za×b
indistinguishable, where G = (G,q,g) ← G(1n). We prove the following lemma (noting that Boneh
et al. [6] proved it for d = 1):
q
) the set of all a × b
we denote by gRthe matrix
q
q
),n∈Nand {(G,gR)}R∈Rkj(Za×b
q
),n∈Nare computationally
37
Page 39
Lemma A.1. The d-Linear assumption implies the matrix d-Linear assumption.
Proof. We show that for any d ≤ i < min{a,b} an efficient distinguisher A that distinguishes be-
tween the ensembles {(G,gR)}R∈Rki(Za×b
advantage can be used to construct an efficient distinguisher A?for the d-Linear problem.
On input
d+1
where G = (G,q,g) ← G(1n), the distinguisher A?
constructs the following matrices:
gr1
1
gr2
2
···
q
),n∈Nand {(G,gR)}R∈Rki+1(Za×b
?
···
g0
···
...
...
···
grd−1
d−1
Φ1
Idi−d
0a−i,b−i
q
),n∈Nwith a non-negligible
?G,g1,...,gd+1,gr1
1,...,grd+1
Φ1=
g1
g0
...
...
g0
g0
g2
...
...
···
···
g0
g0
...
...
gd
grd
d
gd+1
gd+1
...
...
gd+1
grd+1
d+1
g0
∈ G(d+1)×(d+1)
Φ2=
∈ Ga×b
where Idi−dis the identity matrix of size i − d of G (i.e., g on the main diagonal and g0all other
entries), 0a−i,b−iis the zero matrix of G of size (a − i) × (b − i) (i.e., g0all entries), and all the
other blocks in Φ2are zero matrices.
Then, A?chooses invertible matrices L ∈ Za×a
random, invokes A on input Φ3 = L ⊗ Φ2⊗ R ∈ Ga×b(where ⊗ is naturally defined using Zq
operations in the exponent), and outputs whatever A outputs.
In what follows we prove that with overwhelming probability if rd+1=?d
Ψ3∈ Rki+1(Za×b
w1r1
w2r2
···
The elements g1,...,gd+1are chosen uniformly at random, and therefore with overwhelming prob-
ability it holds that?d+1
q
and R ∈ Zb×b
q
independently and uniform at
i=1rithen Φ3= gΨ3
for a randomly chosen Ψ3∈ Rki(Za×b
q
). For every 1 ≤ i ≤ d + 1 let wi= logg(gi). Then Φ1= gΨ1where
0
···
0
w2
0
...
...
0
···
wd−1rd−1
q
), and if rd+1?=?d
i=1rithen Φ3= gΨ3for a randomly chosen
Ψ1=
w1
···
···
0
0
...
...
wd+1
wd+1
...
...
wd+1
wd+1rd+1
...
...
...
...
0
···
wd
wdrd
∈ Z(d+1)×(d+1)
q
.
i=1wi ?= 0. In this case, if rd+1 =?d
i=1ri then Ψ1 has rank d, and if
rd+1?=?d
i=1rithen Ψ1has rank d + 1. There, the matrix
Ψ2=
R1
Idi−d
0a−i,b−i
∈ Za×b
q
either has rank i if rd+1=?d
with rank i + 1.
i=1rior has rank i + 1 if rd+1?=?d
i=1ri. This implies that Ψ3=
LΨ2R ∈ Za×b
q
is either a uniformly distributed matrix with rank i or a uniformly distributed matrix
38