Certificate-Based Encryption Resilient to Continual Leakage in the Standard Model

Guo, Yuyan; Li, Jiguo; Jiang, Mingming; Yu, Lei; Wei, Shimin

doi:https://doi.org/10.1155/2020/1492681

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 1492681 | https://doi.org/10.1155/2020/1492681

Certificate-Based Encryption Resilient to Continual Leakage in the Standard Model

Yuyan Guo,¹Jiguo Li,²Mingming Jiang,¹Lei Yu,¹and Shimin Wei¹

Academic Editor: Prosanta Gope

Received02 Feb 2020

Revised31 Mar 2020

Accepted03 Jun 2020

Published28 Jun 2020

Abstract

The security for many certificate-based encryption schemes was considered under the ideal condition, where the attackers rarely have the secret state for the solutions. However, with a side-channel attack, attackers can obtain partial secret values of the schemes. In order to make the scheme more practical, the security model for the certificate-based encryption which is resilient to continual leakage is first formalized. The attackers in the security model are permitted to get some secret information continuously through the side-channel attack. Based on the certificate-based key encapsulation scheme, a novel certificate-based encryption scheme is proposed, which is resilient to the continual leakage. In the standard model, the new scheme we propose is proved to be secure under the decisional truncated q-augmented bilinear Diffie–Hellman exponent hard problem and the decisional 1-bilinear Diffie–Hellman inversion hard problem. Additionally, the new scheme can resist the chosen-ciphertext attack. Moreover, a comparison is performed with other related schemes, where the proposed solution further considers the continual leakage-resilient property and exhibits less computation cost.

1. Introduction

The certificate-based cryptography (CBC) is a novel public key cryptosystem (PKC) which is proposed by Gentry [1]. CBC combines the traditional PKC and the identity-based cryptosystem to overcome the key escrow and key distribution issues existing in the identity-based cryptosystem, such that the management complexity of the public key certificate can be reduced for the conventional public key infrastructure. In CBC, a public-private key pair will be first generated for every client and applied for a certificate to the trusted certificate authority (CA). Different from the traditional PKC, the CBC provides a hidden certificate mechanism. The certificate of CBC has the function of the traditional public key certificate, and hence it can also be regarded as a part of the secret key for the users [1]. Any user needs to combine his own secret key and certificate to perform decryption or signature operation, and the sender of the message or the signature verifier does not need to pay attention to the certificate status of the communicating party. The implicit certificate mechanism in the CBC eliminates third party inquiries; therefore, CBC offers an efficient method for constructing an efficient and secure public key infrastructure. Due to its good nature, the CBC has been intensively focused on in recent years, and a series of certificate-based encryption (CBE) schemes [2–10] have been proposed. Many certificate-based signature (CBS) proposals [11–14] have also been constructed.

Typically, cryptography is considered to be secure ideally, in which the adversaries do not steal the secret values for the cryptographic system. However, the adversaries are able to access partial secret key by side-channel attack. Therefore, a number of approaches are proposed to model the leakage for such side-channel attacks. Micali and Reyzin [15] constructed the “only computation leaks information” model in 2004. Although this model examines a large type of leak attacks, the disadvantage is that it does not consider the case where the information is leaked from the inactive memory parts, e.g., the cold boot attack [16]. To capture more leaks, Halderman et al. [16] proposed a model named “relative leakage.” However, the major disadvantages are obvious; i.e., the secret key does not have sufficient length, and the allowed leakage number is limited. Akavia et al. [17] proposed a “bounded retrieval” model to make the size of the secret key more flexible without increasing the size of the public key and encryption and decryption time. This model is verified to be more powerful than the one with “only computation leaks information.” For the “bounded retrieval” model, the leakage from inactive parts of memory is also taken into account. To further relax the limitations of the secret key-leakage constraint, Dodis et al. [18] and Yang et al. [19] considered the “auxiliary input” model and more kinds of one-way leakage functions. However, the above-mentioned three models do not involve continual leakage attacks. The “continual leakage” model [20–22] was designed to examine attacks where bounded information of the secret internal state is available at the attacker when the cryptographic primitive is invoked.

Researchers have been dedicated to finding a provably secure cryptographic solution to deal with the leakage attack problem, with various proposals. In addition, the “continual leakage” model was applied in many encryption schemes, for example, attribute-based encryption (ABE), public key encryption, and identity-based encryption (IBE). A public key encryption approach was made by Agrawal et al. in [23] aiming to cope with the continual leakage. Yuen et al. [24] proposed an IBE system with the aim of being resilient to continual auxiliary input leakage. Zhou et al. [25] constructed an IBE method with tight security which is resilient to the continuous leakage attacks in the standard model. Then, three continuous leakage-resilient IBE methods [26–28] have been put forward. Leakage amplification was proposed in [26] which constructs continuous leakage-resilient secure IBE scheme, which is considered an arbitrary length of the leakage parameter. The authors in [27] offered a new updatable identity-based hash proof system which is adopted to construct the continuous leakage-resilience identity-based cryptosystem. Zhou et al. [28] designed an improved continuous leakage-resilient IBE scheme with arbitrary length of the parameter leakage. Furthermore, Zhou et al. [29] presented an IBE scheme with leakage-amplified chosen-ciphertext attacks security. Li et al. [30–34] extended IBE to present some attribute-based encryption scheme, which can achieve fine-grained access control in cloud storage and can be applied in social network [35]. However, the above attribute-based encryption schemes did not consider key-leakage problem. In order to solve this problem, Zhang [36] delivered a concrete construction for resilient-leakage ciphertext-policy attribute-based encryption (CP-ABE) and provided a key update procedure to support continual leakage tolerance. Zhang et al. [37] proposed a new notion and construction for attribute-based hash proof system (AB-HPS) in the bounded key-leakage model. They also provided the general leakage-resilient attribute-based encryption construction using the AB-HPS as the primitive without indistinguishable obfuscator. Furthermore, Zhang et al. [38] designed the concrete ABE constructions in the bilinear groups with prime order and the security has been shown in the continual memory leakage model. A key-policy attribute-based encryption was defined and modeled by Li et al. [39], which is resilient to the problem of continual auxiliary input leakage. The proposed approach is also shown to have high security under the static assumptions. Li et al. [40] proposed an efficient extended file hierarchy attribute-based encryption scheme, which is very practical and greatly saves storage space and computation cost for those large institutions or companies. Moreover, Li et al. [41] presented a continuous leakage-resilient hierarchical attribute-based encryption scheme, which is shown to be resilient to the master and secret keys leakage. Zhou and Yang [42] presented a continual leakage-resilient certificateless public key encryption scheme which not only tolerates continual leakage attacks, but also achieves better performances. Li et al. [43] provided a continuous leakage-resilient CBE scheme which is proved secure against adaptive chosen-ciphertext attack in the random oracle model. Authenticated key exchange protocol is used to establish a secure communication channel over a public network. However, it has been demonstrated that some standardized AKE protocols suffer from side-channel and key-leakage attacks. In order to defend against these attacks, Chen et al. [44–46] and Yang et al. [47] presented several leakage-resilient authenticated key exchange protocols.

1.1. Motivations and Contributions

Currently, there are few researches for the certificate-based encryption resilient to continual leakage. Actually, some previous CBE schemes which have been constructed in the ideal setting may be insecure under the continuous leakage attacks. The main reason is that the adversary can recover the complete secret key via continuously accessing the partial information of the secret key. Therefore, it is meaningful for us to construct a CBE scheme to resist the continual leakage attack.

The primary objective of our work is to establish a secure certificate-based encryption scheme which is resilient to continual leakage. Referring to [3–8, 21–25], we design the outline and the security model of CBE resilient to continual leakage. On the basis of the certificate-based key encapsulation method, a CBE scheme is proposed which is shown to be secure in the standard model and can resist the continual leakage attack. The encapsulated symmetric key is randomized using the strong extractor. Furthermore, the encapsulated symmetric key allowing leakage is employed to encrypt the message.

The CBE schemes created in [6, 8] only tolerate the leakage. Further, our CBE scheme added the secret key update algorithm to obtain the continuous leakage-resilience. Our approach can resist a larger leakage by performing the secret key updating algorithm, where the keys are periodically updated and the leakage will not be allowed during updates, but only between the updates. We further consider the leakage limit of the encapsulated symmetric key, and the leakage ratio of our scheme is approximately equal to 1.

We provide a proof to show that our CBE scheme is secure against chosen-ciphertext attack under the hardness of the decisional truncated q-augmented bilinear Diffie–Hellman exponent (q-ABDHE) problem and the decisional 1-bilinear Diffie–Hellman inversion (1-BDHI) problem.

Compared with the existing CBE schemes, our proposed scheme enhances the continual leakage-resilient property and has a lower communication cost. Therefore, our CBE scheme has obvious advantage. We implement the proposed CBE scheme and the relevant schemes using C++ programming language with the PBC library, and the simulation results show that our scheme has better performance.

1.2. Paper Organization

The required preliminary knowledge is presented in Section 2. In Section 3, we demonstrate the outline and the security model of CBE resilient to continual leakage. In Section 4, a CBE scheme resilient to continual leakage is proposed. Section 5 provides the proof of our CBE scheme. Then, the comparison in terms of the efficiency is shown in Section 6. Finally, we conclude this work in Section 7.

2. Preliminaries

Definition 1. Let and denote multiplicative cyclic groups of the prime order , respectively. A generator of is represented by . A bilinear map e if has the following properties, as(i)Bilinear: for all and (ii)Nondegenerate: (iii)Computable: the map is efficiently computableThe security of our CBE scheme is resilient to continual leakage depending on the following problems.

Definition 2. The decisional truncated q-ABDHE problem is described as follows: given = , where and , output 1 if and 0 otherwise.
The advantage of a probabilistic polynomial time (PPT) adversary A deciding whether is given as = .
It is said that the decisional truncated q-ABDHE problem is hard if is arbitrarily small for all PPT adversaries A.

Definition 3. We define the decisional 1 − BDHI problem as follows: given = , where and , output 1 if and 0 otherwise.
The advantage that A decides whether is given as = .
We say that the decisional 1 − BDHI problem is hard if is ignorable for all PPT adversaries A.

Definition 4. The min-entropy of a random variable (RV) X is .

Definition 5. For RV’s X and Y, the averaged conditional min-entropy is represented by with denoting the expectation of Y.

Lemma 1. If X, Y, and Z are random variables such that Y contains () potential elements, it has that [48].

Definition 6. The statistical distance between random variables X and Y is given by , with , where F denotes a finite field.

Definition 7. A random function is regarded as an average-case -strong extractor if , , and for all X, Y, we obtain , with two variables and having uniform distributions over respectively, and being negligible.

3. The Outline and Security Model of CBE Resilient to Continual Leakage

3.1. The Outline of CBE Resilient to Continual Leakage

The definition of CBE resilient to continual leakage which is referred in references [3–8] includes a group of algorithms, i.e., Setup, UserKeyGen, CertGen, SymmetricKeyGen, Encrypt, Decrypt, and UpdateSK, which are described as follows: Setup: for a security parameter (), the setup process generates a collection of public parameters params and a corresponding master secret key MSK UserKeyGen: for the input identity ID, a secret key and a public key are produced by the algorithm CertGen: for the inputs params, an identity ID, MSK, and , the algorithm generates a certificate , which is transmitted to the user SymmetricKeyGen: taking params, ID, as its input, the algorithm generates the secret symmetric key K and the intermediate state Encrypt: for the inputs params, ID, , K, , and the message M, the algorithm returns a ciphertext on the message M, where is the encapsulation of K and is the ciphertext of the message M which is encrypted with K Decrypt: for the inputs params,, , and C, the algorithm generates K and returns either M via K or ⊥ if C is an invalid ciphertext UpdateSK: for the inputs and params, the algorithm produces an updated secret key where

3.2. Security Model for CBE Resilient to Continual Leakage

Inspired by the schemes in references [3–8, 21–25], we propose a security model for the CBE which is resilient to the continual leakage. The model is described through Game-1 and Game-2. We evaluate the security based on these two games resilient to continual leakage and the adaptive chosen-ciphertext attacks (IND-RCL-CCA). In Game-1, an adversary which simulates the uncertified client is able to substitute the public key and obtain the secret key of any client, but does not access the MSK. In Game-2, another adversary which plays an honest-but-curious certifier owns the master key. Such adversary is able to obtain the certificate of any client, but cannot substitute the public keys of any user. The challenger interacts with and by the following games.

3.2.1. IND-RCL-CCA Game-1

Setup: the challenger performs the Setup algorithm, keeps the master secret key MSK, and returns params to Phase 1: creates the queries adaptively as follows: Public key queries: holds a list to record both the secret and public keys, where , denotes that has not been substituted, and denotes that has been replaced. is initially empty. generates the query for , and seeks from . If exists, returns . Otherwise, UserKeyGen will be used to produce , is inserted into and is returned. For simplicity, for any , it is stipulated that must first make the public key query before making any other queries as follows. Public key replacing queries: produces the replace query for . looks for from the list . If it is not found, will insert into . Otherwise, updates the item to . Secret key queries: inputs ; checks from . If , returns to . Otherwise outputs ⊥ to . Certificate queries: makes the certificate query of ID and gets from , and then runs algorithm CertGen and outputs to . Leakage queries: generates a list in which the form of the item is , where and K is utilized for encrypting the message as the symmetric key. is initially empty. finds in the list . If the item does not exist, will add into . If is found or after this step, will check the condition , where . If not, returns ⊥. Otherwise, selects a leakage function , sets for , and outputs to . Decryption queries: For queries on and the ciphertext C, obtains from ; if , has to provide the corresponding secret key; otherwise, gets from . makes the certificate queries to get and applies Decrypt algorithm to obtain the symmetric key K and uses K to decrypt C. The challenger returns either M or ⊥ to . Challenge: gives two messages , of equal length and a target identity to with the following restriction: is prohibited from issuing the certificate query for and does not replace the public key of . executes the SymmetricKeyGen algorithm to get a symmetric key and randomly chooses . chooses and uniformly at random, runs the Encrypt algorithm to encrypt for , and yields the encapsulation of and the challenge ciphertext to , where . Phase 2: continually makes the queries similar to Phase 1 with the following constraints: is prohibited from making the certificate queries for , as well as the decryption queries on . Guess: returns a bit . We say that wins the game if .

The advantage of winning the IND-RCL-CCA Game-1 is described as .

3.2.2. IND-RCL-CCA Game-2

Setup: the challenger performs the Setup algorithm and returns the master secret key MSK and params to . Phase 1: adaptively inquires for the following queries. Public key queries: holds a list to record the secret keys and the public keys. is empty in the initial step of the game. For the queries about , finds a tuple from . If it exists, returns to . Otherwise, uses UserKeyGen to produce and , inserts into , and returns to . For simplicity, for any , it is stipulated that must first make the public key query before making any other queries as follows. Secret key queries: For a secret key query under , seeks from the list and returns to . Leakage queries: generates a list in which the form of the item is , where and K represents the symmetric key which is adopted to encrypt the message. is initially empty. finds from the list . If the item does not exist, inserts an item into the list . Following this step or if the item exists, decides whether where . If not, returns ⊥. Otherwise, selects a leakage function , sets for , and outputs to . Decryption queries: for queries on and ciphertext C, obtains from . conducts the CertGen algorithm to obtain , then performs Decrypt algorithm to obtain the symmetric key K, and adopts K to decrypt C. The challenger returns either M or ⊥ to . Challenge: gives two messages and with an equal length and a target identity to with the following restrictions: is not allowed to issue the secret key query for . runs the SymmetricKeyGen algorithm to get a symmetric key and randomly chooses . randomly selects and from the uniform distribution, runs the Encrypt algorithm to encrypt for , and produces the encapsulation of and the challenge ciphertext to , where . Phase 2: similar to Phase 1, the queries will be continuously made by under the following constraints: is prohibited from making the secret key queries for and the decryption queries on . Guess: returns a bit . We say that wins the game if .

The advantage of winning the IND-RCL-CCA Game-2 is defined to be .

Definition 8. A CBE scheme resilient to continual leakage is regarded to be secure under the adaptive chosen-ciphertext attacks, if no PPT adversary has non-negligible advantage in the IND-RCL-CCA Game-1 and IND-RCL-CCA Game-2.

4. Our CBE Scheme Resilient to Continual Leakage

Inspired by the schemes in [3–8, 22, 49], a strong extractor technology is proposed in [48] with a CBE scheme which is resilient to the continual leakage. Seven related algorithms are introduced as follows: Setup: Define two groups and with prime order . A bilinear mapping is given by . Let be a bound of all leakages. In this procedure, an average scenario is selected with -strong extractor where , and two collision resistant hash functions and are chosen. The message space is . The algorithm uses random value , , and computes and , with being a generator of . It outputs the master secret key and a tuple of public parameter . UserKeyGen: given params, the algorithm picks random numbers , and sets the secret key for the user ; then it computes the public key . CertGen: given params, MSK, , and , the CertGen algorithm computes , selects random numbers , computes and , and outputs . SymmetricKeyGen: Given params, ID, , the SymmetricKeyGen algorithm computes , selects random number , and computes and . Then, it outputs the secret symmetric key where and the intermediate state . Encrypt: Given params, ID, , K, , and the message M, the algorithm selects a random value and calculates . It sets and returns the ciphertext . Decrypt: Given params, , , and , the algorithm computes , generates , and returns . UpdateSK: Given , the secret key updating algorithm randomly selects and . It then generates a new secret key . Correctness of our scheme.

We have .

5. Security Analysis

Our CBE approaches resilient to continual leakage are proved to be secure under the standard model as follows.

Theorem 1. If there is a PPT adversary against the CBE scheme resilient to continual leakage with advantage that makes at most q_c certificate queries, q_d decryption queries in the case of bits entropy leakage for the symmetric key, then there exists a PPT algorithm against the q-ABDHE problem with an advantage , where .

Proof. Given , the algorithm B can be regarded as the challenger of IND-RCL-CCA Game-1 to interact with ; the target of B is to decide whether . Setup: The algorithm B sets and computes ; B randomly chooses two q-degree unary polynomials , and computes and (B can compute based ). Two collision resistant hash functions are chosen by B, i.e., , and an average-case -strong extractor , , and sends to . Phase 1: makes the following queries adaptively: Public key queries: inputs ; B seeks from . If it exists, B returns . Otherwise, B randomly picks , computes , inserts into , and returns . Public key replace queries: makes the query for where . B checks whether . If it is not true, B outputs ⊥, which denotes that this replace query is invalid. Otherwise, B seeks from ; if it is not found, B inserts into ; otherwise, B updates to . Secret key queries: inputs ; B checks from . If , B returns to . Otherwise, B outputs ⊥ to . Certificate queries: inputs ID; B gets from and defines two polynomials and , where . B computes and outputs to (obviously, B can compute based . Due to and , therefore is a valid certificate). Leakage queries: inputs ; B finds from . B adds into if the item does not exist. If it exists, or in the next step, B decides whether , where is the upper bound of the allowed leak. If not, B returns ⊥. Otherwise, B selects a leakage function , sets for , and outputs to . Decryption queries: For queries on and the ciphertext , B obtains from ; if , has to provide the corresponding secret key; otherwise, B gets the secret key from . B makes the certificate queries to gain the certificate ; then he computes the symmetric key where and . Finally, B returns either M or ⊥ to . Challenge: provides B with two identical-length messages and , and a target identity with the following restrictions: is prohibited from issuing certificate queries for and does not replace the public key of . B defines a q + 1-degree polynomial , where is the i-term coefficient of . B computes , , where and . B then computes where . B randomly selects , and , sets , , and produces the challenge ciphertext to . Phase 2: continues making the queries as in Phase 1 with the following restriction: has no permission to issue certificate queries for , as well as the decryption queries on . Guess: returns the guess . If holds, B will output 1, indicating that . Otherwise, B outputs 0, indicating that .

5.1. Probability analysis

If , we set , and we have , . Thus, is a valid ciphertext, outputs correct with the advantage . If is a random value, is not a valid ciphertext; it cannot provide useful information for the guess of . Thus, outputs correct with the advantage .

Thus, breaks the q-ABDHE problem with advantage .

Theorem 2. If there is a PPT adversary against the CBE scheme resilient to continual leakage with advantage that makes at most q_sk secret key queries, q_d decryption queries with bits entropy leakage for the symmetric key, then there exists a PPT algorithm against the 1-BDHI problem with advantage .

Proof. Given , the algorithm B performs as the challenger of IND-RCL-CCA Game-2 to interact with ; the target of B is to decide whether . Setup: the algorithm B randomly picks and computes , , and . B chooses two collision resistant hash functions , , and an average-case -strong extractor , , and sends and MSK = x to . Phase 1: asks B for queries adaptively as follows: Public key queries: inputs ; B randomly chooses . B checks the tuple from the . If it exists, B returns to . Otherwise, if , B randomly picks , computes , inserts the tuple into , and returns ; if , B sets , inserts the tuple into , and outputs to . Secret key queries: For a secret key query under , if , B seeks from the list and returns to ; otherwise, B ends the game and outputs a failure information. Leakage queries: inputs ; B finds from . If the item does not exist, B adds into . If the item exists, or in the next step, B decides whether where . If not, B returns ⊥. Otherwise, B sets for and returns to , where is a leakage function and . Decryption queries: For queries on and ciphertext . If , B obtains the secret key and certificate of ; then B obtains the symmetric key K and uses K to decrypt C. Otherwise, B computes the symmetric key where and and computes . B returns either M or ⊥ to . Challenge: provides B with two identical-length messages and and a target identity with the following restriction: is not allowed to issue the secret key queries for . If , B ends the game and outputs failure. Otherwise, B will randomly select and compute , , where and . B randomly selects and and computes where . B randomly chooses , , and , sets , , and outputs the challenge ciphertext to . Phase 2: continues making the queries which is similar to Phase 1 under the following restriction: has no permission to perform secret key queries for , as well as the decryption queries on . Guess: returns the guess . If holds, B outputs 1, indicating that . Otherwise, B outputs 0, which indicates .

5.2. Probability analysis

If , we set , and we have , . . Thus, is a valid ciphertext; outputs correct with the advantage . If is a random value, is an invalid ciphertext; it cannot provide useful information for the guess of . Thus, outputs correct with the advantage .

Thus, breaks the 1-BDHI problem with advantage . Furthermore, the probability that chooses as the target identity is . Therefore breaks the 1-BDHI problem with advantage .

5.3. Leakage Ratio Analysis

We mainly consider the leakage of the symmetric key K. Firstly, a set Z is defined which consists of public parameters, secret keys, and certificates. As an adversary, A acquires at most bits for leakage of the symmetric key K. Based on Lemma 1, we have , where Leak has possible values and is the leakage length. If we pick the average-case -strong extractor where is negligible, we know that , where and have uniform distributions over , respectively. Thus, the ciphertext and the uniform distribution cannot be distinguished. Moreover, can be close to zero, the leakage bound l is roughly equal to , and the leakage ratio of K is .

6. Efficiency Comparison

Three CBE schemes [3, 6, 8] are compared with our proposed approach, to evaluate their security and efficiency. The security properties and leakage ratio comparison for four CBE schemes are shown in Table 1.

Table 1 demonstrates that the schemes in [6, 8] and our CBE scheme are leakage-resilient while the scheme in [3] is not. The key-leakage ratio of the scheme [8] is up to 1/3. However, the symmetric key-leakage ratio of scheme [6] and our scheme is close to 1. In addition, our scheme is resistant to continual leakage. In conclusion, our CBE scheme has obvious advantage.

Let and denote the subgroups of orders and in , respectively, where and are distinct primes. An NIZK proof is represented by in [8], and n is an integer. We analyze the communication cost for the four schemes as follows.

From Table 2, the difference of communication performance between the scheme in [6] and our scheme is not obvious. The length of the public/secret key, the certificate, and the ciphertext in the proposed approach is less than that required in [3]. Moreover, the length of the certificate and ciphertext in our proposed approach is also less than that required in [8]. Therefore, our CBE scheme achieves a lower communication cost, compared with the two schemes in [3, 8].

We also implement these schemes in a Windows 10 environment (Intel (R) Core (TM) i7-6500U CPU, 8.00 GB RAM) using C++ language and PBC [50] library, where a.param is used as the configuration file, and the message length is fixed at 1024 bits. Note that every comparative scheme is separately run ten times, in order to obtain the average running time. The required running times of the four schemes are listed below.

From both Table 3 and Figure 1, it can be found that although our scheme was added with the secret key update algorithm, the total operating time is shorter than that of the other three schemes in [3, 6, 8]. This indicates that our proposed method outperforms the other approaches with higher efficiency.

The message space in scheme [6] and our scheme is ; we therefore analyze these two schemes based on the relationship between different lengths of the messages and encryption/decryption running times. Figure 2 shows the relation between encryption running times and the message lengths for scheme [6] and our scheme. The relation between decryption running times and message sizes for both schemes is shown in Figure 3.

According to Figure 2, it can be seen that the required time for encryption in the two approaches and the message sizes are linearly increased. Although the longer the message, the longer the encryption time, the growth of our scheme has a relatively lower amplitude than scheme [6]. From Figure 3, the decryption times for two schemes are not greatly affected by the lengths of the messages. In addition, it can be seen that, for different message lengths, the required time for decryption in our scheme is shown to be less than that of the scheme in [6]. Hence, our proposed scheme has certain advantages from this perspective.

7. Conclusions

In this work, we give a formal definition and the security model for CBE resilient to continual leakage. Besides, we construct a CBE scheme which is resilient to continual leakage. The security of our scheme is reduced to the hardness of the decisional truncated q-augmented bilinear Diffie–Hellman exponent problem and the decisional 1-bilinear Diffie–Hellman inversion problem. Moreover, comparative studies are provided with other existing solutions, in terms of their performance analyses. Our scheme is proved secure against the chosen-ciphertext attack in the standard model. To construct CBE scheme with stronger leakage-resilient property (such as auxiliary inputs, post-challenge leakage, etc.) and leakage-resilient certificateless encryption scheme with keyword search [51], leakage-resilient location determination scheme [52] is left as our future study.

Data Availability

The nature of the data is the c++ language source code. The data used in the finding of this study are included in the article (the environment configuration of the simulation). The corresponding data are attached, which need to invoke the pairing-based cryptography library (PBC) library in [37].

Conflicts of Interest

The authors declare that they have no conflicts of interest regarding the publication of this article.

Acknowledgments

This paper was supported by the National Natural Science Foundation of China under Grant nos. 61902140, 60573026, 61972095, and U1736112, the Anhui Provincial Natural Science Foundation under Grant nos. 1908085QF288 and 1708085QF154, and the Nature Science Foundation of Anhui Higher Education Institutions under Grant nos. KJ2018A0398, KJ2018A0678, KJ2018A0396, and KJ2019A0605.

References

C. Gentry, “Certificate-based encryption and the certificate revocation problem,” in Proceedings of the EUROCRYPT, pp. 272–293, Warsaw, Poland, May 2003.
View at: Google Scholar
D. Galindo, P. Morillo, and C. Ràfols, “Improved certificate-based encryption in the standard model,” Journal of Systems and Software, vol. 81, no. 7, pp. 1218–1226, 2008.
View at: Publisher Site | Google Scholar
J. K. Liu and J. Zhou, “Efficient certificate-based encryption in the standard model,” in Proceedings of the International Conference on Security and Cryptography For Networks, pp. 144–155, Amalfi, Italy, September 2008.
View at: Google Scholar
Y. Lu, J. Li, and Y. Zhang, “Secure channel free certificate-based searchable encryption withstanding outside and inside keyword guessing attacks,” IEEE Transactions on Services Computing.
View at: Publisher Site | Google Scholar
W. Wu, Y. Mu, W. Susilo, X. Huang, and L. Xu, “A provably secure construction of certificate-based encryption from certificateless encryption,” The Computer Journal, vol. 55, no. 10, pp. 1157–1168, 2012.
View at: Publisher Site | Google Scholar
Y. Guo, J. Li, Y. Lu, Y. Zhang, and F. Zhang, “Provably secure certificate-based encryption with leakage resilience,” Theoretical Computer Science, vol. 711, pp. 1–10, 2018.
View at: Publisher Site | Google Scholar
Q. Yu, J. Li, and Y. Zhang, “Leakage-resilient certificate-based encryption,” Security and Communication Networks, vol. 8, no. 18, pp. 3346–3355, 2015.
View at: Publisher Site | Google Scholar
Q. Yu, J. Li, Y. Zhang, W. Wu, X. Huang, and Y. Xiang, “Certificate-based encryption resilient to key leakage,” Journal of Systems & Software, vol. 116, pp. 101–112, 2016.
View at: Publisher Site | Google Scholar
W. Yang, J. Weng, A. Yang, C. Xie, and Y. Yang, “Notes on a provably-secure certificate-based encryption against malicious CA attacks,” Information Sciences, vol. 463, pp. 86–91, 2018.
View at: Publisher Site | Google Scholar
J. Li, L. Chen, Y. Lu, and Y. Zhang, “Anonymous certificate-based broadcast encryption with constant decryption cost,” Information Sciences, vol. 454, pp. 110–127, 2018.
View at: Publisher Site | Google Scholar
J. Li, X. Huang, Y. Mu, and W. Susilo, “Constructions of certificate-based signature secure against key replacement attacks,” Journal of Computer Security, vol. 18, no. 3, pp. 421–449, 2010.
View at: Publisher Site | Google Scholar
J. Li, X. Huang, Y. Zhang, and L. Xu, “An efficient short certificate-based signature scheme,” Journal of Systems and Software, vol. 85, no. 2, pp. 314–322, 2012.
View at: Publisher Site | Google Scholar
J. Li, Z. Wang, and Y. Zhang, “Provably secure certificate-based signature scheme without pairings,” Information Sciences, vol. 233, pp. 313–320, 2013.
View at: Publisher Site | Google Scholar
J. Li, X. Huang, M. Hong, and Y. Zhang, “Certificate-based signcryption with enhanced security features,” Computers and Mathematics with Applications, vol. 64, no. 6, pp. 1587–1601, 2012.
View at: Publisher Site | Google Scholar
S. Micali and L. Reyzin, “Physically observable cryptography,” in Proceedings of the Theory of Cryptography Conference, pp. 278–296, Cambridge, MA, USA, February 2004.
View at: Google Scholar
J. A. Halderman, S. D. Schoen, N. Heninger, and W. Clarkson, “Lest we remember: cold-boot attacks on encryption keys,” Communications of the ACM, vol. 52, no. 5, pp. 91–98, 2009.
View at: Publisher Site | Google Scholar
A. Akavia, S. Goldwasser, and V. Vaikuntanathan, “Simultaneous hardcore bits and cryptography against memory attacks,” in Proceedings of the Theory of Cryptography Conference, pp. 474–495, San Francisco, CA, USA, March 2009.
View at: Google Scholar
Y. Dodis, S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan, “Public-key encryption schemes with auxiliary inputs,” in Proceedings of the Theory of Cryptography Conference, pp. 361–381, Zurich, Switzerland, February 2010.
View at: Google Scholar
G. Yang, Y. Mu, W. Susilo, and D. S. Wong, “Leakage resilient authenticated key exchange secure in the auxiliary input model,” in Proceedings of the International Conference on Information Security Practice And Experience, pp. 204–217, Lanzhou, China, May 2013.
View at: Google Scholar
E. Kiltz and K. Pietrzak, “Leakage resilient elgamal encryption,” in Proceedings of the ASIACRYPT, pp. 595–612, Singapore, December 2010.
View at: Google Scholar
Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan, “Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage,” in Proceedings of the IEEE 16th Annual Symposium on Foundations of Computer Science, pp. 501–510, Las Vegas, NV, USA, October 2010.
View at: Google Scholar
Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs, “Cryptography against continuous memory attacks,,” in Proceedings of the IEEE 16th Annual Symposium on Foundations of Computer Science, pp. 511–520, Las Vegas, NV, USA, October 2010.
View at: Google Scholar
S. Agrawal, Y. Dodis, V. Vaikuntanathan, and D. Wichs, “On continual leakage of discrete log representations,” in Proceedings of the ASIACRYPT, pp. 401–420, Bengaluru, India, December 2013.
View at: Google Scholar
T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, “Identity-based encryption resilient to continual auxiliary leakage,” in Proceedings of the EUROCRYPT, pp. 117–134, Cambridge, UK, April 2012.
View at: Google Scholar
Y. Zhou, B. Yang, H. Hou, L. Zhang, T. Wang, and M. Hu, “Continuous leakage-resilient identity-based encryption with tight security,” The Computer Journal, vol. 62, no. 8, 2019.
View at: Publisher Site | Google Scholar
Y. Zhou, B. Yang, and Y. Mu, “Continuous leakage-resilient identity-based encryption with leakage amplification,” Designs Codes & Cryptography, vol. 87, no. 9, pp. 2061–2090, 2019.
View at: Publisher Site | Google Scholar
Y. Zhou, B. Yang, and Y. Mu, “The generic construction of continuous leakage-resilient identity-based cryptosystems,” Theoretical Computer Science, vol. 772, pp. 1–45, 2019.
View at: Publisher Site | Google Scholar
Y. Zhou, B. Yang, Y. Mu, T. Wang, and X. Wang, “Identity-based encryption resilient to continuous key leakage,” IET Information Security, vol. 13, no. 5, pp. 426–434, 2019.
View at: Publisher Site | Google Scholar
Y. Zhou, B. Yang, Z. Xia, M. Zhang, and Y. Mu, “Identity-based encryption with leakage-amplified chosen-ciphertext attacks security,” Theoretical Computer Science, vol. 809, pp. 277–295, 2020.
View at: Publisher Site | Google Scholar
J. Li, W. Yao, Y. Zhang, H. Qian, and J. Han, “Flexible and fine-grained attribute-based data storage in cloud computing,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785–796, 2017.
View at: Publisher Site | Google Scholar
J. Li, W. Yao, J. Han, Y. Zhang, and J. Shen, “User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage,” IEEE Systems Journal, vol. 12, no. 2, pp. 1767–1777, 2018.
View at: Publisher Site | Google Scholar
J. Li, Y. Wang, Y. Zhang, and J. Han, “Full verifiability for outsourced decryption in attribute based encryption,” IEEE Transactions on Services Computing, vol. 13, no. 3, pp. 478–487, 2020.
View at: Publisher Site | Google Scholar
J. Li, X. Lin, Y. Zhang, and J. Han, “KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage,” IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 715–725, 2017.
View at: Publisher Site | Google Scholar
J. Li, Y. Zhang, J. Ning, X. Huang, G. S. Poh, and D. Wang, “Attribute-based encryption with privacy protection and accountability for cloudiot,” IEEE Transactions on Cloud Computing, 2020.
View at: Publisher Site | Google Scholar
C. Wang, C. Wang, Z. Wang, X. Ye, J. X. Yu, and B. Wang, “Deepdirect: learning directions of social ties with edge-based network embedding,” IEEE Transactions on Knowledge and Data Engineering, vol. 31, no. 12, pp. 2277–2291, 2019.
View at: Publisher Site | Google Scholar
M. Zhang, “New model and construction of ABE: achieving key resilient-leakage and attribute direct-revocation,” in Proceedings of the Australasian Conference on Information Security and Privacy, pp. 192–208, Wollongong, NSW, Australia, July 2014.
View at: Google Scholar
M. Zhang, Y. Zhang, Y. Su, Q. Huang, and Y. Mu, “Attribute-based hash proof system under learning-with-errors assumption in obfuscator-free and leakage-resilient environments,” IEEE System Journal, vol. 11, no. 2, pp. 1018–1026, 2017.
View at: Publisher Site | Google Scholar
J. Zhang, J. Chen, J. Gong, A. Ge, and C. Ma, “Leakage-resilient attribute based encryption in prime-order groups via predicate encodings,” Designs Codes & Cryptography, vol. 86, no. 6, pp. 1–28, 2018.
View at: Publisher Site | Google Scholar
J. Li, Q. Yu, and Y. Zhang, “Key-policy attribute-based encryption against continual auxiliary input leakage,” Information Sciences, vol. 470, pp. 175–188, 2019.
View at: Publisher Site | Google Scholar
J. Li, N. Chen, and Y. Zhang, “Extended file hierarchy access control scheme with attribute-based encryption in cloud computing,” IEEE Transactions on Emerging Topics in Computing.
View at: Publisher Site | Google Scholar
J. Li, Q. Yu, and Y. Zhang, “Hierarchical attribute-based encryption with continuous leakage-resilience,” Information Sciences, vol. 484, pp. 113–134, 2019.
View at: Publisher Site | Google Scholar
Y Zhou and B. Yang, “Continuous leakage-resilient certificateless public key encryption with CCA security,” Knowledge-Based Systems, vol. 136, pp. 27–36, 2017.
View at: Publisher Site | Google Scholar
J. Li, Y. Guo, Q. Yu, Y. Lu, Y. Zhang, and F. Zhang, “Continuous leakage-resilient certificate-based encryption,” Information Sciences, vol. 355, pp. 1–14, 2016.
View at: Publisher Site | Google Scholar
R. Chen, Y. Mu, G. Yang, W. Susilo, and F. Guo, “Strongly leakage-resilient authenticated key exchange,,” in Proceedings of the Cryptographers’ Track at the RSA Conference, pp. 19–36, San Francisco, CA, USA, February 2016.
View at: Google Scholar
R. Chen, Y. Mu, G. Yang, W. Susilo, and F. Guo, “Strong authenticated key exchange with auxiliary inputs,” Designs, Codes and Cryptography, vol. 85, no. 1, pp. 145–173, 2017.
View at: Publisher Site | Google Scholar
R. Chen, Y. Mu, G. Yang, W. Susilo, F. Guo, and Z. Yang, “A note on the strong authenticated key exchange with auxiliary inputs,” Designs, Codes and Cryptography, vol. 85, no. 1, 2017.
View at: Publisher Site | Google Scholar
G. Yang, R. Chen, Y. Mu, W. Susilo, F. Guo, and J. Li, “Strongly leakage-resilient authenticated key exchange, revisited,” Designs, Codes and Cryptography, vol. 87, no. 12, pp. 2885–2911, 2019.
View at: Publisher Site | Google Scholar
Y Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: how to generate strong keys from biometrics and other noisy data,” in Proceedings of the EUROCRYPT, pp. 523–540, Interlaken, Switzerland, May 2004.
View at: Google Scholar
Y. Lu and J. Li, “Efficient and provably-secure certificate-based key encapsulation mechanism in the standard model,” Journal of Computer Research and Development, vol. 51, no. 7, pp. 1497–1505, 2014, in Chinese.
View at: Google Scholar
B. Lynn, PBC (Pairing-Based Cryptography) Library, Springer, Berlin, Germany, 2012.
Y. Lu, J. Li, and Y. Zhang, “Privacy-preserving and pairing-free multi-recipient certificateless encryption with keyword search for cloud-assisted IIoTs,” IEEE Internet of Things Journal, vol. 7, no. 4, pp. 2553–2562, 2020.
View at: Publisher Site | Google Scholar
H. Shen, M. Zhang, H. Wang, F. Guo, and S. Willy, “A lightweight privacy-preserving fair meeting location determination scheme,” IEEE Internet of Things Journal, vol. 7, no. 4, pp. 3083–3093, 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Yuyan Guo et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

401

Downloads

663

Citations