Funding: The work was supported by the National Natural Science Foundation of China (Grant No. 61370224), the Key Program of Natural Science Foundation of Hubei Province (2013CFA046), and the Open Fund Program for State Key Laboratory of Information Security of China.
Abstract: To tolerate possible leakage of secret keys, leakage-resilient cryptosystems model leakage by allowing an adversary to submit any computable leakage function and learn partial key material or other internal state from its output. In this work we present an adaptively secure broadcast encryption scheme that is resilient to continual key leakage in the standard model. The scheme tolerates continual leakage: each user can derive multiple private keys by periodically updating their key. We use the dual system encryption methodology to achieve both leakage resilience and adaptive security, and build in a key-refresh algorithm that produces a new key with the same distribution as the old one. We also evaluate the leakage bound and leakage fraction; simulations show that the scheme tolerates a leakage fraction of about 71% with failure probability 3.34 × 10^-52 at the standard 80-bit security level when the leakage factor is adjusted to allow a 100 Kb private key.
Funding: This work was supported in part by the National Natural Science Foundation of China (Grant Nos. 61632020, U1936209, 62002353) and the Beijing Natural Science Foundation (4192067).
Abstract: Fiat-Shamir is a mainstream construction paradigm for lattice-based signature schemes. While its theoretical security is well studied, its implementation security in the presence of leakage is relatively under-explored. Specifically, although several side-channel attacks on lattice-based Fiat-Shamir signature (FS-Sig) schemes have been proposed since 2016, little work exists on the leakage resilience of these schemes. Worse still, the proof technique for the leakage resilience of FS-Sig schemes based on traditional number-theoretic assumptions does not apply to most lattice-based FS-Sig schemes. To address this, we propose a framework for constructing fully leakage-resilient lattice-based FS-Sig schemes in the bounded memory leakage (BML) model. The framework has two parts. The first shows how to construct leakage-resilient FS-Sig schemes in the BML model from leakage-resilient versions of non-lossy or lossy identification schemes, which can be instantiated from lattice assumptions. The second shows how to construct fully leakage-resilient FS-Sig schemes from leakage-resilient ones together with a new property we call state reconstruction; we show that almost all lattice-based FS-Sig schemes have this property. As a concrete application of the framework, we apply it to existing lattice-based FS-Sig schemes and analyse their security in the leakage setting.
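The BML leakage oracle and the state-reconstruction idea in the abstract above, as an added illustration that is not part of the paper: it uses a toy Schnorr-type Fiat-Shamir signature over a tiny constructed prime-order group (P = 1019, Q = 509, generator 4; hypothetical parameters chosen for readability, not the paper's lattice-based schemes), a leakage oracle that accepts arbitrary functions of the secret state but caps the total output length, and a reconstruction routine showing that once a signature is public the signer's ephemeral state (the nonce and its commitment) follows from the secret key alone. That is the step that lets a leakage query on the whole signing state be answered from key-only leakage, which is what "fully" leakage-resilient refers to here (leakage on the entire internal state, not just the key). All messages and key values below are constructed test inputs.

```python
"""Toy Fiat-Shamir signature in the bounded memory leakage (BML) model, with
state reconstruction.  Added explanatory code: a Schnorr-type identification
scheme over a tiny group, NOT the lattice-based constructions of the paper,
and far too small for any real use."""
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Constructed toy group: P = 2*Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4
KEY_BITS = Q.bit_length()  # secret key length in bits (9 for this toy group)


def hash_challenge(commit: int, msg: bytes) -> int:
    """Fiat-Shamir challenge c = H(commitment || message), reduced mod Q."""
    h = hashlib.sha256(commit.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def keygen(sk: Optional[int] = None) -> Tuple[int, int]:
    """Return (sk, pk); a fixed sk may be supplied for reproducible tests."""
    x = sk if sk is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(sk: int, msg: bytes, nonce: Optional[int] = None) -> Tuple[int, int]:
    """Commit to a nonce r, hash to get the challenge c, respond with z = r + c*sk mod Q."""
    r = nonce if nonce is not None else secrets.randbelow(Q - 1) + 1
    c = hash_challenge(pow(G, r, P), msg)
    return c, (r + c * sk) % Q


def verify(pk: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute the commitment as G^z * pk^(-c) and check it hashes to c."""
    c, z = sig
    commit = pow(G, z, P) * pow(pk, Q - c, P) % P  # pk has order Q, so pk^(Q-c) = pk^(-c)
    return hash_challenge(commit, msg) == c


def reconstruct_state(sk: int, msg: bytes, sig: Tuple[int, int]) -> dict:
    """State reconstruction: given sk and the public signature, recover the
    signer's ephemeral state (nonce r = z - c*sk and its commitment G^r)."""
    c, z = sig
    r = (z - c * sk) % Q
    return {"sk": sk, "nonce": r, "commit": pow(G, r, P), "challenge": c, "response": z}


class LeakageBudgetExceeded(Exception):
    pass


class BoundedLeakageOracle:
    """BML-model leakage oracle: the adversary may submit any function of the
    secret state, but the total number of output bits is capped at the budget."""

    def __init__(self, secret_state, budget_bits: int):
        self._state = secret_state
        self.remaining = budget_bits

    def leak(self, f: Callable, out_bits: int) -> int:
        if out_bits > self.remaining:
            raise LeakageBudgetExceeded(f"{out_bits} bits requested, {self.remaining} left")
        self.remaining -= out_bits
        return f(self._state) & ((1 << out_bits) - 1)


def simulate_full_state_leakage(key_oracle: BoundedLeakageOracle, f_state: Callable,
                                out_bits: int, msg: bytes, sig: Tuple[int, int]) -> int:
    """Answer a leakage query on the full signing state using a key-only oracle:
    compose f_state with reconstruct_state, which needs nothing secret beyond sk."""
    return key_oracle.leak(lambda sk: f_state(reconstruct_state(sk, msg, sig)), out_bits)


def demo() -> dict:
    """Run the whole flow on constructed inputs and return the observable results."""
    sk, pk = keygen(123)                       # constructed secret key
    msg = b"constructed test message"
    sig = sign(sk, msg, nonce=77)              # fixed nonce so reconstruction is checkable
    oracle = BoundedLeakageOracle(sk, budget_bits=6)   # leakage bound below KEY_BITS
    # Adversary asks for the low 4 bits of the *nonce*, a part of the state the
    # key-only oracle never held; state reconstruction still answers it.
    low_nonce_bits = simulate_full_state_leakage(oracle, lambda st: st["nonce"], 4, msg, sig)
    try:
        oracle.leak(lambda x: x, 4)            # 4 more bits with only 2 left: refused
        refused = False
    except LeakageBudgetExceeded:
        refused = True
    return {
        "valid": verify(pk, msg, sig),
        "nonce_recovered": reconstruct_state(sk, msg, sig)["nonce"] == 77,
        "low_nonce_bits": low_nonce_bits,      # 77 & 0xF == 13
        "remaining": oracle.remaining,
        "over_budget_refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

The oracle budget is the only thing standing between the adversary and the key: with a 9-bit toy key, a 6-bit budget still leaves the key guessable by brute force, which is exactly why the leakage bound is stated as a fraction of the key size and why the paper's parameters are evaluated at real security levels.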