#### Abstract

Through side channel attacks, an adversary can obtain some secret information, which further damages the security of the system. To resolve this issue, we provide a hierarchical identity-based online/offline encryption scheme which resists side channel attacks. In our scheme, most encryption operations are preprocessed in the offline stage and only a small amount of lightweight calculation needs to be performed in the online stage for generating the ciphertext. The presented scheme greatly reduces the workload of online encryption and is suitable for resource-constrained devices. The security of the proposed scheme is proved by the dual system technique. The leakage performance analysis shows that the presented scheme is resilient to leakage for almost the whole symmetric key.

#### 1. Introduction

In recent years, many side channel attacks [1–5] have been presented. The adversary is able to obtain some secret information of the system by measuring timing, energy consumption, and other characteristics of the cryptosystem. The cold start attack [6] is a special form of side channel attack: the adversary obtains partial information from internal storage after the machine is shut down. Under these side channel attacks, if some secret information is exposed, the security of the whole cryptosystem is broken. Therefore, research on leakage-resilient encryption schemes has attracted the attention of many cryptography researchers.

##### 1.1. Related Work

Micali and Reyzin [7] first proposed the model “only computing leaks (OCL).” In the OCL model, an attacker selects an efficiently computable function that takes the internal state and key as input and outputs some secret information. The complexity of the leakage function is unlimited. The only limitation is that the part which is not involved in the current operation does not leak secret information. Dziembowski and Pietrzak [8, 9] presented two leakage-resilient stream cipher schemes in the OCL model.

Considering that the leakage not only occurs in the calculation process, Akavia et al. [10] presented the bounded leakage model (BLM). In BLM, the leakage function does not expose the whole private key. BLM does not solve the problem that the length of the leaked information obtained by the attacker is longer than the private key information and the amount of useful information is relatively small. To resolve the problem, Naor and Segev [11] presented “entropy bounded leakage model,” in which the entropy about leakage information is limited.

Because they can reduce the burden of the key generation center, hierarchical identity-based encryption (HIBE) schemes have been widely used and have attracted the attention of many researchers. Guo et al. [12] proposed an efficient HIBE scheme with high computational efficiency by reasonably reducing the use of parameters. Langrehr and Pan [13] gave two tightly secure HIBE schemes based on the matrix Diffie–Hellman assumption. Takayasu [14] presented an efficient adaptively secure revocable hierarchical identity-based encryption (RHIBE) with compact ciphertexts. Emura et al. [15] gave a generic construction of RHIBE by using HIBE and the complete subtree method.

The hierarchical structure is conducive to protecting the confidentiality of data, and it is suitable for IoT systems, smart home systems, distributed data systems, cloud storage systems, etc. Private key delegation can also reduce the burden on the root private key generator (PKG).

We use Figure 1 to illustrate the hierarchical structure of the national medical diagnosis system. For the national medical system, the root node (the Ministry of Health, which is abbreviated as MH) generates the public key information of the user and acts as the root private key generation center to generate the private key of the secondary node (the Department of Health which is abbreviated as DH and the national hospital which is abbreviated as NH). The secondary node is responsible for generating the private key of the health bureau (HB) and the private key of the city hospital (CH). The third level city node is responsible for generating the private key of the town health center (THC) and the private key of the township hospital (TH). The medical management organization can delegate the private key to the staff, and each hospital can also delegate the private key to the doctors.

For example, one user with the identity of “A1 City: Hospital B1” can delegate the private key to the user with the identity “A1 City: Hospital B1: C1 Doctor” but cannot delegate the private key to the user with the identity of “A1 City: Hospital B2: C1 Doctor.”

The delegation solves the problem that the key generation center is overloaded. In fact, the layer’s user with the identity vector generates the private key of the layer’s user with the identity vector .

Generally speaking, the “delegation” algorithm is given explicitly or implicitly in HIBE schemes. Most HIBE schemes give the delegation algorithm explicitly. For example, the “Delegate” algorithm of the paper [12] is the delegation algorithm, and the “Del” algorithm of the paper [13] is the delegation algorithm. In addition, some HIBE schemes give the delegation algorithm implicitly. For example, the subalgorithm “Delegation Key Generation” of the algorithm “GenSK” in the paper [14] acts as the delegation algorithm. The “GenSK” algorithm of the paper [15] has a key delegation function. In fact, the two methods are essentially the same. From Figure 1, we can see that the root user (the root key generation center, root KGC for short) mainly runs the private key generation algorithm, and the other level nodes (the subkey generation centers) generally only run the private key delegation algorithm.

In order to improve the encryption efficiency, Guo et al. [16] first presented an identity-based online/offline encryption system. They repartitioned encryption processing into two phases: an offline phase and an online phase. In the offline phase, most encryption preprocessing is carried out and the offline ciphertext is produced. In the online stage, a small amount of offline ciphertext is processed to obtain the encrypted ciphertext. Later, some online/offline encryption schemes were presented [17–20]. However, these schemes do not consider the problem of key leakage. Zhang et al. [21] put forward a leakage-resilient identity-based online/offline encryption scheme that uses the private key extension technique.

##### 1.2. Our Motivations and Contributions

Based on the scheme [22], this paper proposes a leakage-resilient identity-based hierarchical online/offline encryption (**LR-HIOOE**) scheme. By binary extractor technology [23], our scheme can resist the leakage of the symmetric key used for message encryption in the system.

Our **LR-HIOOE** includes six algorithms: **Setup**, **KeyGen**, **Delegation**, **Enc**^{off}, **Enc**^{on}, and **Decryption**. The specific description of these algorithms is given in Section 3.1. Here, we only use them to explain the idea of our scheme which is shown in Figure 2.

Encryption consists of two phases. A large number of complex operations are carried out in the offline stage, and a small number of simple calculations are carried out in the online stage. It is very suitable for resource-constrained scenes. Offline phase operations are outsourced to cloud service providers (CSP). The online phase operation is completed by the encryptor himself on the lightweight device.

In essence, the binary extractor can transform the input source with a certain entropy into a more uniform output. The binary extractor is a component of many cryptographic primitives. Now, it has become an important tool for designing cryptography schemes against side channel attacks. In such cases, the proof of leakage resilience usually relies on the result that leakage information allowed for every call of the extractor is bounded. Medved and Standaert [24] and Chen et al. [25] show that the hardware implementation of the binary extractor can ensure that bounded leakage is allowed in the case of limited number of measurements. This also gives the reason why the binary extractor can be used as a leakage-resilient cryptography component. Our scheme uses the binary extractor to achieve leakage resilience.

Waters [26] presented the dual system technique. The private key and ciphertext have two appearances: semifunctional appearance and normal appearance. The normal key correctly decrypts both kinds of ciphertext. The semifunctional private key only decrypts the normal ciphertext correctly. Inspired by the works [27–31], we present the syntax description and security model of LR-HIBOOE. To the best of our knowledge, there is no LR-HIBOOE scheme in the literature that uses the binary extractor. We propose the first LR-HIBOOE scheme that uses the binary extractor. Our scheme is proved to be secure and leakage-resilient by dual system encryption technology. Overall, the binary extractor provides leakage resilience, and the dual system encryption technology provides security.

#### 2. Preliminaries

##### 2.1. Minimum Entropy and Statistical Distance

*Definition 1. *If random variables and are in a finite domain , is regarded as their statistical distance for and .

*Definition 2. *The uncertainty measure of random variables is called minimum entropy, which is . Given variable , the uncertainty measure of random variables is called conditional minimum entropy, which is .

*Conclusion 1. *(see [23]): given three random variables , , and in which is bit length, there is . In the paper, denotes the leakage amount.

##### 2.2. Binary Extractor

*Definition 3. *On the condition that as long as and , there is , where can be ignored, is uniform distribution of and is uniform distribution of , the binary function is called a -strong binary extractor [23].

##### 2.3. Bilinear Group of Composite Order

For the algorithm which generates a bilinear group of composite order [28], it takes the system security parameter as input. It generates the bilinear group of composite order, where , and are three -bit length primes. The order of cyclic groups and is . Bilinear map meets the following two conditions.

(1) Bilinearity: For any and , we get that .

(2) Non-degeneracy: such that .

, and are used to represent subgroups with orders , and in . For example, if , , and , becomes an identity element of . Further, if , , and is a generator of , generates , generates , and generates . So, there exists such that , , and , . Thus, , and are orthogonal.

Three assumptions are given to prove the security of our scheme.

*Assumption 1. *For a composite order bilinear group generation algorithm : , , , and , the advantage that algorithm distinguishes from is

If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 1.

expresses the product for certain element in and certain element in , which are called the part of and the part of , respectively.

*Assumption 2. *For a composite order bilinear group generation algorithm : , , , , and , the advantage that algorithm distinguishes from is

If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 2.

*Assumption 3. *For a composite order bilinear group generation algorithm : , , , , and , the advantage that algorithm distinguishes from is

If the advantages of any probabilistic polynomial algorithm can be ignored, it is said that the algorithm satisfies Assumption 3.

#### 3. Syntax and Security Model of LR-HIBOOE

##### 3.1. Syntax of LR-HIBOOE

The presented **LR-HIBOOE** consists of the following six algorithms:

Setup: given security parameter , the algorithm generates system public parameter and master private key . .

KeyGen: given master private key , public parameter , and identity vector , the private key generator generates the private key . .

Delegation: the algorithm inputs system public parameter , the private key of identity vector , and identity and outputs the private key of identity vector with layer. .

Enc^{off}: given system public parameter , the algorithm outputs the offline ciphertext . .

Enc^{on}: the algorithm inputs system public parameter , the identity vector , the offline ciphertext , and the message and produces the final ciphertext . .

Decryption: the algorithm inputs , , and the final ciphertext and outputs the message . .

We use Figures 3 and 4 to show the technology roadmap of our **LR-HIBOOE**. Figure 3 shows the relations about the main algorithms of **HIBOOE** without leakage resilience. Figure 4 shows the relations about the main algorithms of **LR-HIBOOE**. In the offline encryption, we refresh the symmetric key by using an extractor.

The adversary can obtain the confidential information of the cryptography system through side channel attacks, which leads to the disclosure of the system’s secret information, such as the private key information. For example, in a timing attack, the adversary can obtain relevant parameter information through the execution time of the algorithm. When the secret information is leaked, it will mainly cause a certain loss of the private key entropy. That is, the probability that the adversary guesses the private key is greater than the probability of the random guess. When the leaked information reaches a certain amount, the adversary can guess the entire private key. In order to prevent the adversary from guessing the whole private key, it is necessary to make up for the lost entropy. There are usually two ways. One is to extend the private key appropriately so that even if some entropy is lost, certain “entropy” can be retained, which will make it difficult for the adversary to guess the private key correctly. This method will make the private key longer, increase the storage cost, and increase the computing cost. The second way is to make up for the lost entropy in time, which requires an additional function “binary extractor” to rerandomize the private key and make up for the lost entropy of the private key. This method does not increase the storage cost of the system, and the computing cost is almost unchanged. In our scheme, the extractor rerandomizes the symmetric key. It is used to compensate for the entropy loss of the symmetric key which is used to encrypt the plaintext.
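The effect described here and in Section 1.2 (an extractor turning a partly leaked secret back into a near-uniform key) can be checked exactly at toy scale. The following is an added example, not the paper's construction: it assumes a Toeplitz-matrix hash as the extractor, 8-bit secrets, a 2-bit output, and a leakage function that reveals the low 3 bits, all constructed for illustration.

```python
"""Seeded (strong) extractor vs. fixed truncation on a partially leaked secret.

Assumptions (not from the paper): the extractor is a Toeplitz-matrix hash over
GF(2), a standard 2-universal family; the sizes below and the leakage function
"reveal the low LEAK_BITS bits" are constructed so that every distribution can
be enumerated exactly.
"""
from math import sqrt

N_BITS = 8      # length of the secret fed to the extractor (toy size)
LEAK_BITS = 3   # bits revealed by the side channel
OUT_BITS = 2    # length of the derived symmetric key


def toeplitz_extract(x: int, seed: int) -> int:
    """Multiply the OUT_BITS x N_BITS Toeplitz matrix defined by seed with x over GF(2).

    With columns indexed from the most significant bit of x, entry (i, j) is
    seed bit i - j + N_BITS - 1, so the matrix is constant along diagonals.
    """
    out = 0
    for i in range(OUT_BITS):
        row = (seed >> i) & ((1 << N_BITS) - 1)   # sliding window of the seed
        out |= (bin(row & x).count("1") & 1) << i  # inner product mod 2
    return out


def statistical_distance(counts: dict, total: int) -> float:
    """Distance between the distribution in counts and uniform on OUT_BITS bits."""
    uniform = 1 / (1 << OUT_BITS)
    return 0.5 * sum(abs(counts.get(y, 0) / total - uniform)
                     for y in range(1 << OUT_BITS))


def candidates_given_leak(leak: int) -> list:
    """Every secret still possible once the low LEAK_BITS bits are known."""
    return [(hi << LEAK_BITS) | leak for hi in range(1 << (N_BITS - LEAK_BITS))]


def distance_truncation(leak: int) -> float:
    """Key = low OUT_BITS bits of the secret, a fixed function the leakage can target."""
    xs = candidates_given_leak(leak)
    counts = {}
    for x in xs:
        y = x & ((1 << OUT_BITS) - 1)
        counts[y] = counts.get(y, 0) + 1
    return statistical_distance(counts, len(xs))


def distance_extractor(leak: int) -> float:
    """Average over all public seeds of the distance of Ext(X, seed) from uniform.

    Averaging over the seed is the strong-extractor condition: the output must
    look uniform even to an adversary who also sees the seed.
    """
    xs = candidates_given_leak(leak)
    n_seeds = 1 << (N_BITS + OUT_BITS - 1)
    total = 0.0
    for seed in range(n_seeds):
        counts = {}
        for x in xs:
            y = toeplitz_extract(x, seed)
            counts[y] = counts.get(y, 0) + 1
        total += statistical_distance(counts, len(xs))
    return total / n_seeds


def leftover_hash_bound() -> float:
    """Leftover hash lemma bound 0.5 * sqrt(2^(m - k)), with k the entropy left after leakage."""
    k = N_BITS - LEAK_BITS
    return 0.5 * sqrt(2 ** (OUT_BITS - k))


if __name__ == "__main__":
    leak = 0b101  # constructed leakage value
    print("truncated key, distance from uniform:", distance_truncation(leak))
    print("extracted key, distance from uniform:", distance_extractor(leak))
    print("leftover hash lemma bound           :", leftover_hash_bound())
```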

##### 3.2. Security Model of LR-HIBOOE

The following game, played by the attacker and the challenger, describes the security of our **LR-HIBOOE** scheme. :

Initialize: the challenger calls the algorithm “Setup” to obtain the public parameter *PK* and master key and gives *PK* to the attacker. We use *W* to record private keys that are given to the attacker. The initial value of set *W* is empty.

Phase 1: the attacker makes some queries as follows:

Private key query: the adversary gives the identity vector to the challenger. Then, the challenger calls the private key generation algorithm to obtain and send it to the attacker. The challenger puts it into the set *W*.

Private key delegation query: a private key in *W* and an identity are given to the challenger by the attacker. The challenger calls the algorithm delegation to obtain the corresponding private key () and send it to the attacker. The challenger puts it into the set *W*.

Leakage query: in terms of private key for the identity vector , the challenger obtains the corresponding symmetric key of and sends it to the attacker. The attacker selects a function , which is called the leakage function. The challenger sends to the attacker. Let represent the length of the output value of .

Challenge: the attacker sends the message or and a certain identity vector to the challenger, where and each prefix vector of are not in *W*. The challenger obtains the private key and randomly selects to encrypt . The challenger sends the attacker the ciphertext .

Phase 2: the attacker makes private key queries and private key delegation queries with the restriction that the required identity vector cannot be a prefix vector of . In addition, the attacker cannot make leakage queries.

Guess: the attacker gives the guess about . If , the attacker wins the game .

The scheme is said to be secure if the advantage gained by any attacker in the above game is negligible.

#### 4. Construction of LR-HIBOOE

Assuming that the maximum layer depth is , in the offline encryption stage, each layer needs some random numbers to generate an offline ciphertext and carry some additional information. In the online encryption stage, only integer operations are needed to get the corresponding ciphertext. Our **LR-HIBOOE** scheme contains the following algorithms.

Setup: the algorithm runs to obtain a bilinear group with order . We use to represent the maximum depth of identity vector in LR-HIBOOE. Let denote message space and . denotes a hash function . The algorithm randomly selects , and gets system public parameter , where is a generator of . The master private key is .

KeyGen: private key generator (PKG) inputs system public parameters and identity vector . PKG randomly selects and . PKG generates private key ,

Delegation: the delegation algorithm inputs the private key of the identity vector . The algorithm randomly selects and . The algorithm generates the private key about the identity vector : , , .

Enc^{off}: the algorithm randomly selects . It calculates , , , , , . It gains the ciphertext .

Enc^{on}: given the message , identity vector and , it sets . The algorithm calculates . The final ciphertext is

Decryption: if the identity vectors of ciphertext and private key are . The decryption process is as follows:

We show the specific operations of our leakage-resilient scheme (**LR-HIBOOE**) in Figure 5. As a comparison, we also give the specific operations of the scheme without leakage resilience (**HIBOOE**).

#### 5. Security Proof

By constructing semifunctional private key and ciphertext, we prove the security of our **LR-HIBOOE** scheme.

Semifunctional ciphertext: we randomly select a generator of . For identity vector , we randomly select and calculate , , , , , , , , and . The semifunctional ciphertext is .

Semifunctional private key: for the normal private key , we select the random numbers and generate the semifunctional private key:

The semifunctional private key correctly decrypts the normal ciphertext via the normal private key. The normal private key correctly decrypts the semifunctional ciphertext. If the semifunctional private key decrypts the semifunctional ciphertext, we have

If , the ciphertext can be decrypted correctly. At this time, we call the semifunctional private key as nominal one. Although it contains components of , it correctly decrypts the ciphertext.

Our **LR-HIBOOE** scheme is proved to be secure through some games as follows: . This game is given in Section 3.2. . The only difference between and is the way that they respond to the private key inquiry. In , the challenger obtains a private key through the private key generation algorithm, while the challenger obtains a private key through the private key delegation algorithm in . . The game is similar to . The only restriction is that the attacker cannot query the prefix vector of the challenging identity vector modulo . This restriction also applies to the following games. We use to indicate the number of private key inquiries. (). The game is similar to . The ciphertext which is sent to the attacker is the semifunctional one. The first private key responses are semifunctional ones, and the remaining private key responses are normal ones. In particular, in , the challenge ciphertext is in semifunctional form, and the private key is in normal form. In , all private keys and challenge ciphertexts are in semifunctional form. . The only difference between and is the ciphertext. In , the challenge ciphertext is a semifunctional one about any random message, while in , the ciphertext is a ciphertext about either of the two submitted messages.

The next five lemmas show that the series of games is indistinguishable from the attacker's point of view.

Lemma 1. *From the point of any attacker , we have .*

*Proof. *The distribution of private keys is exactly the same from the private key generation algorithm and private key delegation algorithm. Therefore, in the view of the attacker, this is not fundamentally different. Thus, the attacker can only gain the same advantage in the two games.

Lemma 2. *If there is an algorithm who obtains the advantage in differentiating from , i.e., . An algorithm is designed to destroy Assumption 2 over the same advantage .*

*Proof. *In consideration of , the attacker and the algorithm simulate the game . has a probability to obtain the identity vector and on the condition that . calculates to get one factor of *N*. Let . Because is divided by and , there are three cases as follows:

(1) and are and , respectively.

(2) and are and , respectively.

(3) and are and , respectively.

*Case 1. * calculates and . If , . Otherwise, if , . If , can conclude that does not contain a component of . Otherwise, does contain the component of .

*Case 2. * calculates and . If they are not unit elements and do not meet Case 1, it meets Case 2. calculates and . If , . Otherwise, if , . Without loss of generality, we suppose that and . In case is a unit element, can conclude that contains the component of . Otherwise, does not contain the component of .

*Case 3. * calculates and . If , . Otherwise, if , .

We suppose that . If is a unit element, can conclude that does not contain the component of . Otherwise, contains the component of . Thus, breaks Assumption 2 over the advantage which is larger than .

Lemma 3. *If there is an algorithm who achieves the advantage in differentiating from , i.e., . One algorithm is designed to destroy Assumption 1 over the same advantage .*

*Proof. *In consideration of , the attacker and the algorithm simulate the game or . randomly selects . computes and . sends the public parameters to the attacker . For the entity vector which is given by the attacker , selects randomly . computes

For the message , and the challenged entity vector which are given by the attacker , randomly selects and . computes , , , , , , , and . gets the ciphertext:

This implicitly sets as the component of . Supposing that , the ciphertext is one semifunctional form, where . simulates . As for , the ciphertext is one normal ciphertext. The attacker simulates . Therefore, the algorithm breaks Assumption 1 and obtains advantage .

Lemma 4. *If there exists an algorithm which gains the advantage in differentiating from , i.e., . One algorithm is designed to destroy Assumption 2 over the same advantage .*

*Proof. *In consideration of , randomly selects . sends the parameters to the attacker .

The attacker asks the private key about the identity vector .

When , is given one semifunctional private key. selects random number and calculates , where . The semifunctional key is evenly distributed.

When , produces one normal private key. selects random number and calculates

When , the algorithm sets . selects random number and calculates .

Supposing that , the private key has normal form, where is the component of . As for , the private key takes on semifunctional form.

Challenge. For two message , and the challenged entity vector which are given by the attacker , randomly selects and . calculates , , , , , , , and . obtains the ciphertext .

It indirectly makes that and . Because the entity vector cannot be a prefix modulo of the challenged entity vector , i.e. , the attacker thinks that are randomly distributed.

and have an important relationship. When needs to judge whether the private key of entity vector is semifunctional one, it generates one semifunctional ciphertext.

Because , even if the private key of entity vector is semifunctional, the decryption can succeed, which is equivalent to generate a nominally semifunctional private key.

If , simulates . If , simulates . Therefore, breaks Assumption 2 and obtains advantage .

Lemma 5. *Supposing that there exists an attacker who gains the advantage in distinguishing and , i.e., . One algorithm is designed to destroy Assumption 3 over the same advantage .*

*Proof. *In consideration of , randomly selects and sends the public parameters , to the attacker .

When the attacker makes one private key inquiry about the identity vector , selects random number and calculates .

Challenge. For the message , and the challenged entity vector which are given by the attacker , randomly selects and . calculates , , , , , , , and . obtains the ciphertext .

This implicitly sets that . What is more, is only related to module . Because are only the elements of , modulo are not related to modulo .

In case , the challenge ciphertext about the message is semifunctional form. In the case, is one random number in , and the challenge ciphertext is about one random message and is semifunctional. Therefore, the algorithm breaks Assumption 3 over advantage .

Theorem 1. *As long as Assumptions 1–3 hold, our scheme is fully secure.*

*Proof. *Lemmas 1–5 show that the advantages gained by attackers in the game and are the same and can be ignored. In addition, is hidden in the game . In this way, the advantage of the attacker to break the proposed scheme is ignored.

Specifically, let denote the advantage that the attacker breaks assumption .

In view of Lemmas 1–5, the difference of the advantage that the attacker may gain in different games is as follows:

Furthermore, we have . Thus, any attacker only gains negligible advantages.

#### 6. Analysis of Leakage Resilience

Theorem 2. *The relative leakage rate of the encapsulated key of our scheme is .*

*Proof. *From the real security game, we know . If the leakage information obtained by the attacker through the leakage query is bits; that is, has values. Then, from Conclusion 1 it can be obtained that .

Therefore, if the extractor is strong, it can be obtained that , where is uniformly distributed. In fact, when the extractor is good enough, the leakage can approach . Then, and uniform distribution are indistinguishable. Therefore, the leakage ratio of the encapsulated key . Thus, Theorem 2 holds.

#### 7. Efficiency Evaluation and Experimental Simulation

We use Table 1 to show the comparisons between our scheme and the schemes [21, 22]. We mainly compared the offline encryption, online encryption, decryption, and some other aspects. Let denote the maximum number of the level. Let denote the pairing operation in . Let and denote the length of and , respectively. Let denote the exponential operation in . Let denote the multiplication operation in or . Let denote the operation time of extractor function. In the scheme [21], is a parameter which determines the leakage [21, 22] rate.

It can be seen from Table 1 that our scheme and the scheme [22] have the same calculation efficiency for offline encryption and decryption. In the online encryption phase, our scheme has one more extractor operation than the scheme [22]. In particular, the operation time of the extractor is relatively short, so the overall online encryption time of our scheme and that of the scheme [22] is almost the same. The scheme [21] has no hierarchical function, which is equivalent to the special case of our scheme when . The efficiency of the scheme [21] is affected by parameter ( is a parameter which determines the leakage rate). Therefore, under the same conditions, our scheme is more efficient than the scheme [21]. The paper [21] obtains leakage resilience through the private key extension technology. In our scheme, we use the extractor to rerandomize the private key to obtain the leakage resilience. These are two different ideas.

The experimental platform is a PC with a 64-bit Windows 10 operating system, 3.40 GHz main frequency, 8.00 G RAM, and an Intel(R) Core(TM) i7-6700 CPU. Based on Java Pairing Based Cryptography Library 2.0.0 [32], we use Eclipse 4.4.1 as the simulation software. The 160-bit composite order elliptic curve is selected for our experiment. When the maximum level is 10, the online encryption time is 0.018 seconds, the offline encryption time is 0.460 seconds, and the decryption time is 0.39 seconds.

#### 8. Conclusions

In this article, we present an online/offline identity-based hierarchical encryption scheme with leakage resilience. By using the dual system technique, we prove the security of the scheme. The use of the binary extractor provides the leakage resilience. The entropy leakage ratio of the encapsulated symmetric key is close to 1. Because leakage-resilient cryptography is a relatively new research direction in cryptography, there are still many problems worthy of further research. For example, we will focus on the construction of efficient and leakage-resilient cryptography schemes.

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This research was supported by the National Natural Science Foundation of China (62172292, 62072104, 61972095, U21A20465), the Natural Science Foundation of the Jiangsu Higher Education Institutions of China (17KJB520042, 20KJB413003), the Suqian Sci&Tech Program (S201820, Z2019109), the Jiangsu Province Engineering Research Center of Smart Poultry Farming and Intelligent Equipment, the cloud computing and big data security research team of Suqian University, and sponsored by Qing Lan Project. This work was also supported by the Natural Science Foundation of the Fujian Province, China (2020J01159).