Hierarchical Identity-Based Online/Offline Encryption Scheme with Leakage Resilience

Yu, Qihong; Li, Jiguo; Ji, Sai

doi:https://doi.org/10.1155/2022/6849761

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 6849761 | https://doi.org/10.1155/2022/6849761

Hierarchical Identity-Based Online/Offline Encryption Scheme with Leakage Resilience

Qihong Yu,¹Jiguo Li,²and Sai Ji³

Academic Editor: Barbara Masucci

Received19 Jul 2022

Revised03 Nov 2022

Accepted16 Nov 2022

Published30 Nov 2022

Abstract

The adversary is able to obtain some secret information from side channel attacks, which further damages the security for the system. To resolve this issue, we provide a hierarchical identity-based online/offline encryption scheme which resists side channel attacks. In our scheme, most encryption operations are preprocessed in the offline stage and only a small amount of lightweight calculation needs to be performed in the online stage for generating ciphertext. The presented scheme greatly reduces the workload of online encryption and is suitable for the resource-constrained device. The security of the proposed scheme is proved by the dual system technique. The leakage performance analysis shows that the presented scheme is resilient to leakage for almost the whole symmetric key.

1. Introduction

In recent years, many side channel attacks [1–5] have been presented. The adversary is able to obtain some secret information of the system by measuring timing, energy consumptions, and other characteristics from the cryptosystems. Cold start attack [6] is a special form of side channel attacks. The adversary gets part information from internal storage after the machine is shut down. Under these side channel attacks, if some secret information is exposed, the security for the whole cryptosystem is broken. Therefore, the research on leakage-resilient encryption scheme has attracted the attention of many cryptography researchers.

1.1. Related Work

Micali and Reyzin [7] first proposed the model “only computing leaks (OCL).” In the OCL model, an attacker selects an effective and computable function and inputs the internal state and key and outputs some secret information. The complexity of the leakage function is unlimited. The only limitation is that the part which is not involved in the current operation does not leak secret information. Dziembowski and Pietrzak [8, 9] presented two leakage-resilient stream cipher schemes in the OCL model.

Considering that the leakage not only occurs in the calculation process, Akavia et al. [10] presented the bounded leakage model (BLM). In BLM, the leakage function does not expose the whole private key. BLM does not solve the problem that the length of the leaked information obtained by the attacker is longer than the private key information and the amount of useful information is relatively small. To resolve the problem, Naor and Segev [11] presented “entropy bounded leakage model,” in which the entropy about leakage information is limited.

Because it can reduce the burden of the key generation center, the hierarchical identity-based encryption (HIBE) schemes have been widely used and attracted the attention of many researchers. Guo et al. [12] proposed an efficient HIBE scheme with high computational efficiency by reasonably reducing the use of parameters. Langrehr and Pan [13] gave two tightly secure HIBE schemes by the matrix Diffie–Hellman assumption. Takayasu [14] presented an efficient adaptively secure revocable hierarchical identity-based encryption (RHIBE) with compact ciphertexts. Emura et al. [15] gave a generic construction about RHIBE by using HIBE and the complete subtree method.

The hierarchical structure is conducive to protecting the confidentiality of data, and it is suitable for IoT systems, smart home systems, distributed data systems, cloud storage systems, etc. Private key delegation can also reduce the burden on the root private key generator (PKG).

We use Figure 1 to illustrate the hierarchical structure of the national medical diagnosis system. For the national medical system, the root node (the Ministry of Health, which is abbreviated as MH) generates the public key information of the user and acts as the root private key generation center to generate the private key of the secondary node (the Department of Health which is abbreviated as DH and the national hospital which is abbreviated as NH). The secondary node is responsible for generating the private key of the health bureau (HB) and the private key of the city hospital (CH). The third level city node is responsible for generating the private key of the town health center (THC) and the private key of the township hospital (TH). The medical management organization can delegate the private key to the staff, and each hospital can also delegate the private key to the doctors.

For example, one user with the identity of “A1 City: Hospital B1” can delegate the private key to the user with the identity “A1 City: Hospital B1: C1 Doctor” but cannot delegate the private key to the user with the identity of “A1 City: Hospital B2: C1 Doctor.”

The delegation solves the problem that the key generation center is overloaded. In fact, the layer’s user with the identity vector generates the private key of the layer’s user with the identity vector .

Generally speaking, the “delegation” algorithm is given explicitly or implicitly for the HIBE schemes. The most HIBE schemes explicitly give the delegation algorithm. For example, the “Delegate” algorithm of the paper [12] is the delegation algorithm, and the “Del” algorithm of the paper [13] is the delegation algorithm. In addition, some HIBE schemes implicitly give the delegation algorithm. For example, the subalgorithm “Delegation Key Generation” of the algorithm “GenSK” in the paper [14] acts as the delegation algorithm. The “GenSK” algorithm of the paper [15] has key delegation function. In fact, the two methods are essentially the same. From Figure 1, we can see that the root user (the root key generation center, for short root KGC) mainly runs the private key generation algorithm, and the other level nodes (the subkey generation center) generally only run the private key delegation algorithm.

In order to improve the encryption efficiency, Guo et al. [16] first presented an identity-based online/offline encryption system. They repartitioned encryption processing into two phases: offline phase and online phase. For the offline phase, most encryption preprocessing is carried out and offline ciphertext is produced. In the online stage, a small amount of offline ciphertext is processed to obtain the encrypted ciphertext. Later, some online/offline encryption schemes are presented [17–20]. However, these schemes do not consider the problem of key leakage. Zhang et al. [21] put forward a leakage-resilient identity-based online/offline encryption scheme that is proposed by using the private key extension technique.

1.2. Our Motivations and Contributions

Based on the scheme [22], this paper proposes a leakage-resilient identity-based hierarchical online/offline encryption (LR-HIOOE) scheme. By binary extractor technology [23], our scheme can resist the leakage of the symmetric key used for message encryption in the system.

Our LR-HIOOE includes six algorithms: Setup, KeyGen, Delegation, Enc^off, Enc^on, and Decryption. The specific description of these algorithms is given in Section 3.1. Here, we only use them to explain the idea of our scheme which is shown in Figure 2.

Encryption consists of two phases. A large number of complex operations are carried out in the offline stage, and a small number of simple calculations are carried out in the online stage. It is very suitable for resource-constrained scenes. Offline phase operations are outsourced to cloud service providers (CSP). The online phase operation is completed by the encryptor himself on the lightweight device.

In essence, the binary extractor can transform the input source with a certain entropy into a more uniform output. The binary extractor is a component of many cryptographic primitives. Now, it has become an important tool for designing cryptography schemes against side channel attacks. In such cases, the proof of leakage resilience usually relies on the result that leakage information allowed for every call of the extractor is bounded. Medved and Standaert [24] and Chen et al. [25] show that the hardware implementation of the binary extractor can ensure that bounded leakage is allowed in the case of limited number of measurements. This also gives the reason why the binary extractor can be used as a leakage-resilient cryptography component. Our scheme uses the binary extractor to achieve leakage resilience.

Waters [26] presented the dual system technique. The private key and ciphertext have two appearances: semifunctional appearance and normal appearance. The normal key correctly decrypts two kinds of ciphertext. The semifunctional private key only decrypts the normal ciphertext correctly. Inspired by the works [27–31], we present the syntax description and security model of LR-HIBOOE. To the best of our knowledge, there is no LR-HIBOOE scheme by using the binary extractor in the literature. We propose the first LR-HIBOOE scheme by using the binary extractor. Our scheme is proved to be secure and leakage-resilient by dual system encryption technology. Overall, the binary extractor provides leakage resilience, and the dual system encryption technology provides security.

2. Preliminaries

2.1. Minimum Entropy and Statistical Distance

Definition 1. If random variables and are in a finite domain , is regarded as their statistical distance for and .

Definition 2. The uncertainty measure of random variables is called minimum entropy, which is . Given variable , the uncertainty measure of random variables is called conditional minimum entropy, which is .

Conclusion 1. (see [23]): given three random variables , , and in which is bit length, there is . In the paper, denotes the leakage amount.

2.2. Binary Extractor

Definition 3. On the condition that as long as and , there is ,where can be ignored, is uniform distribution of and is uniform distribution of , the binary function is called a -strong binary extractor [23].

2.3. Bilinear Group of Composite Order

For the algorithm which generates a bilinear group of composite order [28], it takes the system security parameter as input. It generates the bilinear group of composite order, where , and are three -bit length primes. The order of cyclic groups and is . Bilinear map meets the following two conditions.(1)Bilinearity: For any and , we get that .(2)Non degeneracy: such that .

, and are used to represent subgroups with orders , and in . For example, if , , and , becomes an identity element of . Further, if , , and is a generator of , generates , generates , and generates . So, there exists such that , , and , . Thus, , and are orthogonal.

Three assumptions are given to prove the security of our scheme.

Assumption 1. For a composite order bilinear group generation algorithm : , , , and , the advantage that algorithm distinguishes from is
If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 1.
expresses the product for certain element in and certain element in , which are called the part of and the part of , respectively.

Assumption 2. For a composite order bilinear group generation algorithm : , , , , and , the advantage that algorithm distinguishes from is
If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 2.

Assumption 3. For a composite order bilinear group generation algorithm : , , , , and , the advantage that algorithm distinguishes from is
If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 3.

3. Syntax and Security Model of LR-HIBOOE

3.1. Syntax of LR-HIBOOE

The presented LR-HIBOOE consists of the following six algorithms: Setup: given security parameter , the algorithm generates system public parameter and master private key . . KeyGen: given master private key , public parameter , and identity vector , the private key generator generates the private key . . Delegation: the algorithm inputs system public parameter , the private key of identity vector , and identity and outputs the private key of identity vector with layer. . Enc^off: given system public parameter , the algorithm outputs the offline ciphertext . . Enc^on: the algorithm inputs system public parameter , the identity vector , the offline ciphertext , and the message and produces the final ciphertext . . Decryption: the algorithm inputs , , and the final ciphertext and outputs the message . .

We use Figures 3 and 4 to show the technology roadmap of our LR-HIBOOE. Figure 3 shows the relations about the main algorithms of HIBOOE without leakage resilience. Figure 4 shows the relations about the main algorithms of LR-HIBOOE. In the offline encryption, we refresh the symmetric key by using an extractor.

The adversary can obtain the confidential information of the cryptography system through side channel attacks, which leads to the disclosure of the system’s secret information, such as the private key information. For example, in a timing attack, the adversary can obtain relevant parameter information through the execution time of the algorithm. When the secret information is leaked, it will mainly cause a certain loss of the private key entropy. That is, the probability that the adversary guesses the private key is greater than the probability of the random guess. When the leaked information reaches a certain amount, the adversary can guess the entire private key. In order to prevent the adversary from guessing the whole private key, it is necessary to make up for the lost entropy. There are usually two ways. One is to extend the private key appropriately so that even if some entropy is lost, certain “entropy” can be retained, which will make it difficult for the adversary to guess the private key correctly. This method will make the private key longer, increase the storage cost, and increase the computing cost. The second way is to make up for the lost entropy in time, which requires an additional function “binary extractor” to rerandomize the private key and make up for the lost entropy of the private key. This method does not increase the storage cost of the system, and the computing cost is almost unchanged. In our scheme, the extractor rerandomizes the symmetric key. It is used to compensate for the entropy loss of the symmetric key which is used to encrypt the plaintext.

3.2. Security Model of LR-HIBOOE

The following game which is played by the attacker and the challenger is used to describe the security of our LR-HIBOOE scheme. : Initialize: the challenger calls the algorithm “Setup” to obtain the public parameter PK and master key and gives PK to the attacker. We use W to record private keys that are given to the attacker. The initial value of set W is empty. Phase 1: the attacker makes some queries as follows: Private key query. the adversary gives the identity vector to the challenger. Then, the challenger calls the private key generation algorithm to obtain and send it to the attacker. The challenger puts it into the set W. Private key delegation query: a private key in W and an identity are given to the challenger by the attacker. The challenger calls the algorithm delegation to obtain the corresponding private key () and send it to the attacker. The challenger puts it into the set W. Leakage query: in terms of private key for the identity vector , the challenger obtains the corresponding symmetric key of and sends it to the attacker. The attacker selects a function which is called as leakage function. The challenger sends to the attacker. Let represent the length of the output value of . Challenge: the attacker sends the message or and a certain identity vector to the challenger, where and each prefix vector of are not in W. The challenger obtains the private key and randomly selects to encrypt . The challenger sends the attacker the ciphertext . Phase 2: for the attacker, he makes the private key inquiry and the private key delegation inquiry with the restraint that the required identity vector cannot be a prefix vector of . In addition, the attacker cannot make leakage query. Guess: the attacker gives the guess about . If , the attacker wins the game .

The scheme is said to be secure on the condition that the advantage which is gained by any attacker in the above game is ignored.

4. Construction of LR-HIBOOE

Assuming that the maximum layer depth is , in the offline encryption stage, each layer needs some random numbers to generate an offline ciphertext and carry some additional information. In the online encryption stage, only integer operations are needed to get the corresponding ciphertext. Our LR-HIBOOE scheme contains the following algorithms. Setup: the algorithm runs to obtain a bilinear group with order . We use to represent the maximum depth of identity vector in LR-HIBOOE. Let denote message space and . denotes a hash function . The algorithm randomly selects , and gets system public parameter , where is a generator of . The master private key is . KeyGen: private key generator (PKG) inputs system public parameters and identity vector . PKG randomly selects and . PKG generates private key , Delegation: the delegation algorithm inputs the private key of the identity vector . The algorithm randomly selects and . The algorithm generates the private key about the identity vector : , , . Enc^off: the algorithm randomly selects . It calculates , , , , , . It gains the ciphertext . Enc^on: given the message , identity vector and , it sets . The algorithm calculates . The final ciphertext is Decryption: if the identity vectors of ciphertext and private key are . The decryption process is as follows:

We show the specific operations of our leakage-resilient scheme (LR-HIBOOE) in Figure 5. As a comparison, we also give the specific operations of the scheme without leakage resilience (HIBOOE).

5. Security Proof

By constructing semifunctional private key and ciphertext, we prove the security of our LR-HIBOOE scheme. Semifunctional ciphertext: we randomly select a generator of . For identity vector , we randomly select and calculate , , , , , , , , and . The semifunctional ciphertext is . Semifunctional private key: for the normal private key , we select the random numbers and generate the semifunctional private key:

The semifunctional private key correctly decrypts the normal ciphertext via the normal private key. The normal private key correctly decrypts the semifunctional ciphertext. If the semifunctional private key decrypts the semifunctional ciphertext, we have

If , the ciphertext can be decrypted correctly. At this time, we call the semifunctional private key as nominal one. Although it contains components of , it correctly decrypts the ciphertext.

Our LR-HIBOOE scheme is proved to be secure through some games as follows: . This game is given in Section 3.2. . The only difference between and is the way that they respond to the private key inquiry. In , the challenger obtains a private key through the private key generation algorithm, while the challenger obtains a private key through the private key delegation algorithm in . . The game is similar to . The only restriction is that the attacker cannot query the prefix vector of the challenging identity vector modulo . This restriction also applies to the following games: We use to indicate the number of private key inquiries. (). The game is similar to . The ciphertext which is sent to the attacker is the semifunctional one. The first private key responses are semifunctional ones, and the rest private key responses are normal ones. In particular, in , the challenge ciphertext is in semifunctional form, and the private key is in normal form. In , all private keys and challenge ciphertexts are in semifunctional form. . The only difference between and is the ciphertext. In , the challenge ciphertext is a semifunctional one about any random message, while in , the ciphertext is a ciphertext about either of the two submitted messages.

The next five lemmas are given to illustrate that the series of games are not indistinguishable from the point of the attacker.

Lemma 1. From the point of any attacker , we have .

Proof. The distribution of private keys is exactly the same from the private key generation algorithm and private key delegation algorithm. Therefore, in the view of the attacker, this is not fundamentally different. Thus, the attacker can only gain the same advantage in the two games.

Lemma 2. If there is an algorithm who obtains the advantage in differentiating from , i.e., . An algorithm is designed to destroy Assumption 2 over the same advantage .

Proof. In consideration of , the attacker and the algorithm simulate the game . has a probability to obtain the identity vector and on the condition that . calculates to get one factor of N. Let . Because is divided by and , there are three cases as follows:(1) and are and , respectively.(2) and are and , respectively(3) and are and , respectively.

Case 1. calculates and . If , . Otherwise, if , . If , can conclude that does not contain a component of . Otherwise, does contain the component of .

Case 2. calculates and . If they are not unit elements and do not meet Case 1, it meets Case 2. calculates and . If , . Otherwise, if , . Without loss of generality, we suppose that and . In case is a unit element, can conclude that contains the component of . Otherwise, does not contain the component of .

Case 3. calculates and . If , . Otherwise, if , .
We suppose that . If is a unit element, can conclude that does not contain the component of . Otherwise, contains the component of . Thus, breaks Assumption 2 over the advantage which is larger than .

Lemma 3. If there is an algorithm who achieves the advantage in differentiating from , i.e., . One algorithm is designed to destroy Assumption 1 over the same advantage .

Proof. In consideration of , the attacker and the algorithm simulate the game or . randomly selects . computes and . sends the public parameters to the attacker . For the entity vector which is given by the attacker , selects randomly . computes
For the message , and the challenged entity vector which are given by the attacker , randomly selects and . computes , , , , , , , and . gets the ciphertext:This implicitly sets as the component of . Supposing that , the ciphertext is one semifunctional form, where . simulates . As for , the ciphertext is one normal ciphertext. The attacker simulates . Therefore, the algorithm breaks Assumption 1 and obtains advantage .

Lemma 4. If there exists an algorithm which gains the advantage in differentiating from , i.e., . One algorithm is designed to destroy Assumption 2 over the same advantage .

Proof. In consideration of , randomly selects . sends the parameters to the attacker .
The attacker asks the private key about the identity vector .
When , is given one semifunctional private key. selects random number and calculates , where . The semifunctional key is evenly distributed.
When , produces one normal private key. selects random number and calculates
When , the algorithm sets . selects random number and calculates .
Supposing that , the private key has normal form, where is the component of . As for , the private key takes on semifunctional form.
Challenge. For two message , and the challenged entity vector which are given by the attacker , randomly selects and . calculates , , , , , , , and . obtains the ciphertext .
It indirectly makes that and . Because the entity vector cannot be a prefix modulo of the challenged entity vector , i.e. , the attacker thinks that are randomly distributed.
and have an important relationship. When needs to judge whether the private key of entity vector is semifunctional one, it generates one semifunctional ciphertext.
Because , even if the private key of entity vector is semifunctional, the decryption can succeed, which is equivalent to generate a nominally semifunctional private key.
If , simulates . If , simulates . Therefore, breaks Assumption 2 and obtains advantage .

Lemma 5. Supposing that there exists an attacker who gains the advantage in distinguishing and , i.e., . One algorithm is designed to destroy Assumption 3 over the same advantage .

Proof. In consideration of , randomly selects and sends the public parameters , to the attacker .
When the attacker makes one private key inquiry about the identity vector , selects random number and calculates .
Challenge. For the message , and the challenged entity vector which are given by the attacker , randomly selects and . calculates , , , , , , , and . obtains the ciphertext .
This implicitly sets that . What is more, is only related to module . Because are only the elements of , modulo are not related to modulo .
In case , the challenge ciphertext about the message is semifunctional form. In the case, is one random number in , and the challenge ciphertext is about one random message and is semifunctional. Therefore, the algorithm breaks Assumption 3 over advantage .

Theorem 1. As long as Assumptions 1–3 hold, our scheme is fully secure.

Proof. Lemmas 1–5 show that the advantages gained by attackers in the game and are the same and can be ignored. In addition, is hidden in the game . In this way, the advantage of the attacker to break the proposed scheme is ignored.
Specifically, let denote the advantage that the attacker breaks assumption .
In view of Lemmas 1–5, the difference of the advantage that the attacker may gain in different games is as follows:Furthermore, we have . Thus, any attacker only gains negligible advantages.

6. Analysis of Leakage Resilience

Theorem 2. The relative leakage rate of the encapsulated key of our scheme is .

Proof. From the real security game, we know . If the leakage information obtained by the attacker through the leakage query is bits; that is, has values. Then, from Conclusion 1 it can be obtained that .
Therefore, if the extractor is strong, it can be obtained that ,where is uniformly distributed. In fact, when the extractor is good enough, the leakage can approach . Then, and uniform distribution are indistinguishable. Therefore, the leakage ratio of the encapsulated key . Thus, Theorem 2 holds.

7. Efficiency Evaluation and Experimental Simulation

We use Table 1 to show the comparisons between our scheme and the schemes [21, 22]. We mainly compared the offline encryption, online encryption, decryption, and some other aspects. Let denote the maximum number of the level. Let denote the pairing operation in . Let and denote the length of and , respectively. Let denote the exponential operation in . Let denote the multiplication operation in or . Let denote the operation time of extractor function. In the scheme [21], is a parameter which determines the leakage [21, 22] rate.

It can be seen from Table 1 that our scheme and the scheme [22] have the same calculation efficiency about offline encryption and decryption. In the online encryption phase, our scheme has one more extractor operation than the scheme [22]. In particular, the operation time of the extractor is relatively short, so the overall time about online encryption of our scheme and that of the scheme [22] is almost the same. Compared with the literature [21], their scheme has no hierarchal function, which is equivalent to the special case of our scheme when . The efficiency of the scheme [21] is affected by parameter ( is a parameter which determines the leakage rate). Therefore, under the same conditions, our scheme is more efficient than the scheme [21]. In the paper [21], they obtain the leakage resilience through the private key extension technology. In our scheme, we use the extractor to rerandomize the private key to obtain the leakage resilience. These are two different ideas.

The experimental platform is a PC with 64 bit operating system Windows 10, 3.40 GHz main frequency, 8.00 G RAM and Intel (R) Core (™) i7-6700 CPU. Based on Java Pairing Based Cryptography Library 2.0.0 [32], we use Eclipse 4.4.1 for simulation software. The 160 bit composite order elliptic curve is selected for our experiment. When the maximum level is 10, the online encryption time is 0.018 seconds, the offline encryption time is 0.460 seconds, and the decryption time is 0.39 seconds.

8. Conclusions

In this article, we provide an online/offline identity-based hierarchal encryption scheme with leakage resilience which is presented. By using the dual system technique, we prove the security of the scheme. The use of the binary extractor provides the leakage resilience. The entropy leakage ratio of the encapsulated symmetric key is close to 1. Because leakage-resilient cryptography is a relatively new research direction in cryptography, there are still many problems worthy of further research. For example, we will focus on the construction of efficient and leakage-resilient cryptography scheme.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the National Natural Science Foundation of China (62172292, 62072104, 61972095, U21A20465), the Natural Science Foundation of the Jiangsu Higher Education Institutions of China (17KJB520042, 20KJB413003), the Suqian Sci&Tech Program (S201820, Z2019109), the Jiangsu Province Engineering Research Center of Smart Poultry Farming and Intelligent Equipment, the cloud computing and big data security research team of Suqian University, and sponsored by Qing Lan Project. This work was also supported by the Natural Science Foundation of the Fujian Province, China (2020J01159).

References

Y. S. Won, S. Chatterjee, D. Jap, A. Basu, and S. Bhasin, “WaC: first results on practical side-channel attacks on commercial machine learning accelerator,” in Proceedings of the 5th Workshop on Attacks and Solutions in Hardware Security, pp. 111–114, New York, NY, USA, November 2021.
View at: Google Scholar
A. Dubey, R. Cammarota, and A. Aysu, “Maskednet: The First Hardware Inference Engine Aiming Power Side-Channel protection,” in Proceedings of the 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 197–208, IEEE, San Jose, CA, USA, December 2020.
View at: Google Scholar
C. S. Chen, T. Wang, and J. Tian, “Improving timing attack on RSA-CRT via error detection and correction strategy,” Information Sciences, vol. 232, no. 232, pp. 464–474, 2013.
View at: Publisher Site | Google Scholar
M. Lipp, M. Schwarz, and D. GrussT. Prescher, W. Haas, J. Horn et al., “Meltdown: reading kernel memory from user space,” in Proceedings of the 27th USENIX Security Symposium, pp. 973–990, Baltimore, MD, USA, August 2018.
View at: Google Scholar
B. J. Van, M. Minkin, O. Weisse et al., “Foreshadow: extracting the keys to the intel SGX kingdom with transient out-of-order execution,” in Proceedings of the 27th USENIX Security Symposium, pp. 991–1008, Baltimore MD, USA, August 2018.
View at: Google Scholar
J. A. Halderman, S. D. Schoen, N. Heninger et al., “Lest we remember: cold-boot attacks on encryption keys,” Communications of the ACM, vol. 52, no. 5, pp. 91–98, 2009.
View at: Publisher Site | Google Scholar
S. Micali and L. Reyzin, “Physically observable cryptography,” in Proceedings of the 1st Theory of Cryptography Conference, pp. 278–296, Cambridge, MA, USA, February 2004.
View at: Google Scholar
S. Dziembowski and K. Pietrzak, “Leakage-resilient cryptography,” in Proceedings of the FOCS 2008, pp. 293–302, IEEE, Philadelphia, PA, USA, October 2008.
View at: Google Scholar
K. Pietrzak, “A leakage-resilient mode of operation,” in Proceedings of the 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques EUROCRYPT 2009, LNCS 5479, pp. 462–482, Cologne, Germany, April 2009.
View at: Google Scholar
A. Akavia, S. Goldwasser, and V. Vaikuntanathan, “Simultaneous hardcore bits and cryptography against memory attacks,” in Proceedings of the Sixth Theory of Cryptography Conference, TCC 2009, vol. 544, pp. 474–495, San Francisco, CA, USA, March 2009.
View at: Google Scholar
M. Naor and G. Segev, “Public-key cryptosystems resilient to key leakage,” SIAM Journal on Computing, vol. 41, no. 4, pp. 772–814, 2012.
View at: Publisher Site | Google Scholar
L. Guo, J. Wang, and W. C. Yau, “Efficient hierarchical identity-based encryption system for internet of things infrastructure,” Symmetry, vol. 11, no. 7, p. 913, 2019.
View at: Publisher Site | Google Scholar
R. Langrehr and J. Pan, “Tightly secure hierarchical identity-based encryption,” Journal of Cryptology, vol. 33, no. 4, pp. 1787–1821, 2020.
View at: Publisher Site | Google Scholar
A. Takayasu, “More efficient adaptively secure revocable hierarchical identity-based encryption with compact ciphertexts: achieving shorter keys and tighter reductions,” 2021, https://eprint.iacr.org/2021/539.pdf.
View at: Google Scholar
K. Emura, A. Takayasu, and Y. Watanabe, “Generic constructions of revocable hierarchical identity-based encryption,” 2021, https://eprint.iacr.org/2021/515.pdf.
View at: Google Scholar
F. Guo, Y. Mu, and Z. Chen, “Identity-based online/offline encryption,” in Proceedings of the 2008 International Conference on Financial Cryptography and Data Security, pp. 247–261, Cozumel, Mexico, January 2008.
View at: Google Scholar
J. Lai, Y. Mu, F. Guo, and W. Susilo, “Improved identity-based online/offline encryption,” in Proceedings of the 2015Australasian Conference on Information Security and Privacy, pp. 160–173, Brisbane, Australia, July 2015.
View at: Google Scholar
A. Elkhalil, J. Zhang, and R. Elhabob, “An efficient heterogeneous block chain-based online/offline signcryption systems for internet of vehicles,” Cluster Computing, vol. 24, no. 3, pp. 2051–2068, 2021.
View at: Publisher Site | Google Scholar
J. Lai, Y. Mu, and F. Guo, “Efficient identity-based online/offline encryption and signcryption with short ciphertext,” International Journal of Information Security, vol. 16, no. 3, pp. 299–311, 2017.
View at: Publisher Site | Google Scholar
Z. Wang, H. Ma, and J. Wang, “Attribute-based online/offline encryption with outsourcing decryption,” Journal of Information Science and Engineering, vol. 32, no. 6, pp. 1595–1611, 2016.
View at: Google Scholar
X. Zhang, X. Fu, L. Hong, Y. Liu, and L. Wang, “Provable secure identity-based online/offline encryption scheme with continual leakage resilience for wireless sensor network,” International Journal of Distributed Sensor Networks, vol. 16, no. 6, Article ID 155014772092873, 2020.
View at: Publisher Site | Google Scholar
Z. Wang, H. Ma, and J. Wang, “Fully secure hierarchical identity-based online/offline encryption,” Journal of Computer Applications, vol. 35, no. 9, pp. 2522–2526, 2015.
View at: Google Scholar
Q. Yu, J. Li, and Y. Zhang, “Leakage-resilient certificate-based encryption,” Security and Communication Networks, vol. 8, no. 18, pp. 3346–3355, 2015.
View at: Publisher Site | Google Scholar
M. Medwed and F. X. Standaert, “Extractors against side-channel attacks: weak or strong?” Journal of Cryptographic Engineering, vol. 1, no. 3, pp. 231–241, 2011.
View at: Publisher Site | Google Scholar
D. Chen, Y. Zhou, Y. Han, R. Xue, and Q. He, “On hardening leakage resilience of random extractors for instantiations of leakage-resilient cryptographic primitives,” Information Sciences, vol. 271, pp. 213–223, 2014.
View at: Publisher Site | Google Scholar
B. Waters, “Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions,” in Proceedings of the Advances in Cryptology-CRYPTO 2009, pp. 619–636, Santa Barbara, CA, USA, August 2009.
View at: Google Scholar
J. Li, Q. Yu, Y. Zhang, and J. Shen, “Key-policy attribute-based encryption against continual auxiliary input leakage,” Information Sciences, vol. 470, pp. 175–188, 2019.
View at: Publisher Site | Google Scholar
J. Li, Q. Yu, and Y. Zhang, “Hierarchical attribute based encryption with continuous leakage-resilience,” Information Sciences, vol. 484, pp. 113–134, 2019.
View at: Publisher Site | Google Scholar
J. Li, Y. Zhang, J. Ning, X. Huang, G. S. Poh, and D. Wang, “Attribute based encryption with privacy protection and accountability for CloudIoT,” IEEE Transactions on Cloud Computing, vol. 10, no. 2, pp. 762–773, 2022.
View at: Publisher Site | Google Scholar
J. Li, N. Chen, and Y. Zhang, “Extended file hierarchy access control scheme with attribute based encryption in cloud computing,” IEEE Transactions on Emerging Topics in Computing, vol. 9, no. 2, pp. 983–993, 2021.
View at: Publisher Site | Google Scholar
N. Chen, J. Li, Y. Zhang, and Y. Guo, “Efficient CP-abe scheme with shared decryption in cloud storage,” IEEE Transactions on Computers, vol. 71, no. 1, pp. 175–184, 2022.
View at: Publisher Site | Google Scholar
A. De Caro and V. Iovino, “JPBC: java pairing based cryptography,” in Proceedings of the 2011 IEEE symposium on computers and communications (ISCC), pp. 850–855, IEEE, Kerkyra, Greece, June 2011.
View at: Google Scholar

Copyright

Copyright © 2022 Qihong Yu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

317

Downloads

280

Citations