Fully Homomorphic Distributed Identity-based Encryption Resilient to
Continual Auxiliary Input Leakage
Franc¸ois G
´
erard, Veronika Kuchta, Rajeev Anand Sahu, Gaurav Sharma and Olivier Markowitch
Universit
´
e Libre de Bruxelles, Belgium
Keywords:
Homomorphic Encryption, Identity-based Encryption, Leakage Resilient Cryptography, LWE.
Abstract:
History tells us that is not enough to base security solely on the unfeasability of solving the underlying hard
problem of a cryptosystem. In the real world, it is not uncommon for an adversary to get access to some key
dependent information potentially helping to perform cryptanalysis. Recently a lot of effort has been put into
designing cryptosystems such that the impact of leaking key related information is minimized, this area is
mostly known as leakage-resilient cryptography. In this work, we show how to construct a distributed fully
homomorphic identity-based encryption secure in the continual auxiliary input model. Our construction is
based on the fully homomorphic scheme of Gentry, Sahai and Waters and relies merely on the learning with
errors assumption, which is conjectured being resistant against quantum attacks.
1 INTRODUCTION AND
MOTIVATION
Leakage-Resilient Cryptography. Security of tra-
ditional public-key cryptographic schemes depends
on privacy of secret keys and can be analyzed in an
idealized model under the assumption that the secret
keys are hidden from adversary. Nevertheless many
schemes become insecure during their implementa-
tion into real systems. An adversary can often learn
auxiliary information on the secret inputs of the al-
gorithm (for example if the key is used somewhere
else or by studying the physical behavior of the device
performing cryptographic operations). Such attacks
are known as side-channel attacks. A solution for this
problem can be provided by what is called leakage re-
silient cryptography which guarantees security even if
we assume secret key leakage during implementation
procedure (Akavia et al., 2009).
An example of strong side-channel attack is the so-
called ”cold-boot attack” that was defined recently
(Halderman et al., 2009). Due to the fact that ev-
ery cryptographic algorithm is made to be eventually
used in a real environment, side-channel attacks of-
ten lead to loss of secrecy, during the implementation
which enables observations like the amount of power
consumption or the time required for this implemen-
tation. These observations lead to information leak-
age about secret-keys without breaking the underlying
assumptions of the considered schemes. Those side-
channel attacks which include all attacks in which
leakage of information is possible when while the
scheme performs any computations, are called com-
putational side-channel attacks as showed by Micali
and Reyzin (Micali and Reyzin, 2004). But not only
computation on secrets leak information. Akavia et
al. (Akavia et al., 2009) considered another family of
side-channel attacks, the so called ”memory attack”,
which is a generalization of the already mentioned
”cold-boot attack” introduced by Halderman et al.
(Halderman et al., 2009). Akavia et al.s work defined
the family of memory attacks by allowing leakage of a
bounded number of bits of the secret, which are com-
puted upon applying an arbitrary function with output
that is bounded by the size of the secret key. This
model is called the bounded leakage model indicat-
ing that the overall amount of information the attacker
can learn is bounded by a finite natural number. This
leads to the main question in leakage-resilient cryp-
tography which is exploring the suitable size of the
output of the leakage function without compromising
the security of cryptosystem. There are new results
on public-key encryption to provide security against
memory attacks. First one looks for redundant repre-
sentation of secret-keys which can enable the battling
memory attack. The other approach is just to con-
sider the already existing cryptosystems and to check
their consistency against memory attacks. Akavia et
al. (Akavia et al., 2009) took the second approach, ex-
Gérard, F., Kuchta, V., Sahu, R., Sharma, G. and Markowitch, O.
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage.
DOI: 10.5220/0006832200410052
In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 41-52
ISBN: 978-989-758-319-3
Copyright © 2018 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
41
amined the learning with errors (LWE) problem and
proved semantic security against memory attack of an
LWE-based public-key encryption. The strength of
the LWE assumption depends on the size of the leak-
age one would like to tolerate.
The variety of side-channel attacks leads to the con-
clusion that information can every time leak the cryp-
tographic device while it performs certain computa-
tions. (Brakerski et al., 2010) presented new con-
structions of encryption schemes and identity-based
encryption which remain secure while information of
the secret key is leaked. Their constructions guaran-
tees leakage-resilience of the secret key even if an ad-
versary can test the memory and leak a proper frac-
tion of this key. However their construction cannot
tolerate leakage from the master secret key. There-
fore the authors left the problem open of finding an
IBE scheme that is resilient to the leakage of the mas-
ter secret key. The problem with a model in which
parameters are chosen according to the total leak-
age of the system during its lifetime is that it can
lead to huge key size. Brakerski et al. (Brakerski
et al., 2010) introduced a new model where the se-
cret key can be refreshed during different time periods
while the public key remains the same. The previ-
ously mentioned drawback is reduced by the fact that
the leakage bound exists only between refresh phases.
This leakage model is known as the continual leakage
model. There are also scenarios where information
leaks from the memory even if there is no computa-
tion taking place during the attack. In order to make
public key encryption secure against leakage attacks
the idea was not to store the complete secret memory
on the device but to add some auxiliary device. An-
other attack resulting from memory leakages forms a
class of ”auxiliary input attacks”, where the adversary
chooses an efficiently computable leakage auxiliary
function which is hard to invert in polynomial time.
Dodis et al. (Dodis et al., 2010a) provided the model
of such auxiliary leakage functions in case of public-
key encryptions. Analogously a symmetric encryp-
tion scheme was introduced by Dodis et al. (Dodis
et al., 2009). The first IBE scheme resilient to contin-
ual auxiliary leakage has been proposed by Yuen et al.
(Yuen et al., 2012), meaning that the identity-based
scheme remains secure even if the adversary has ac-
cess to some auxiliary input, where the auxiliary input
is modeled by an uninvertible function of the secret
key. The auxiliary input model represents a more gen-
eral model where the secret key cannot be recovered.
Another differentiation between the models is given
by the possibility of an adversary to see the public
key either before choosing a leakage function or af-
terward. The first case describes an adaptive model
where the adversary can adaptively choose a leakage
function after she has seen the public key. The latter
model is called non-adaptive model, where the leak-
age function has to be chosen by an adversary before
seeing the public key. Over the last 17 years, leakage-
resilience has become a popular research topic which
can be reflected in the following research articles (Al-
wen et al., 2010; Canetti et al., 2000; Dodis et al.,
2009; Dziembowski and Pietrzak, 2008; Micali and
Reyzin, 2004; Naor and Segev, 2009; Pietrzak, 2009;
Chow et al., 2010).
Fully-homomorphic Encryption. This property of
cryptographic encryption schemes became one of the
most fascinating research topics of modern cryptog-
raphy. It allows users to perform computations on en-
crypted data without decrypting it in advance. Even
though there were earlier attempts for a homomorphic
encryption (Rivest et al., 1978), the real breakthrough
came with work by Gentry (Gentry, 2009b) who intro-
duced the first fully homomorphic encryption scheme
based on a cryptographic assumption using the well-
known mathematical construct called ideal lattices.
Some other fully homomorphic encryption schemes
which are not based on lattices but relied on ideals
in rings were presented in (Smart and Vercauteren,
2010; Brakerski and Vaikuntanathan, 2011b; van Dijk
et al., 2010). Brakerski and Vaikuntanathan (Brak-
erski and Vaikuntanathan, 2011a) presented a fully
homomorphic scheme based on a well-studied as-
sumption - known as the learning with errors as-
sumption (LWE). A comparatively simple fully ho-
momorphic encryption scheme also based on LWE
problem has been introduced by Gentry et al. (Gen-
try et al., 2013). They presented a new technique
called approximate eigenvector method where homo-
morphic addition and multiplication are provided by
a simple matrix addition and multiplication. In con-
trast to previous fully homomoprhic schemes, Gen-
try et al.s construction does not require any evalua-
tion key and evaluation can even be calculated with-
out knowing user’s public key. This feature allowed
the authors to construct the first fully homomorphic
identity-based encryption without usage of any eval-
uation keys. Berkoff and Liu (Berkoff and Liu, 2014)
explored for the first time a new topic of leakage-
resilient fully homomorphic encryption. They instan-
tiated their construction by making the underlying
decisional learning with errors (DLWE) problem of
a fully homomorphic encryption scheme leakage re-
silient. They defined the scheme in adaptive bounded
leakage model. Later on, Goldwasser et al. (Gold-
wasser et al., 2010) showed in their work that the
leakage resilient DLWE involves leakage resilience of
symmetric-key encryption schemes which are secure
SECRYPT 2018 - International Conference on Security and Cryptography
42
under the DLWE assumption.
Our Contribution. In this work we present the first
leakage resilient IBE scheme which is defined in con-
tinual auxiliary leakage model and has the fully ho-
momorphic property. Furthermore we enhance our
construction by dividing the role of one decryption
server among two servers which decrypt the cipher-
text by running an interactive two party decryption
protocol. In contrast to the previous construction
of fully homomorphic encryption by Berkoff and
Liu (Berkoff and Liu, 2014), our scheme combines
the concepts of continual leakage model and auxil-
iary leakage model where the earlier model will be
achieved by refreshing the secret key shares of each
server while the latter model is achievable by the min-
imal restriction of the leakage function between up-
dates. The auxiliary input model provides another
appealing feature being useful for composible con-
structions which is an interesting question for fur-
ther research. We also instantiate the first fully ho-
momorphic IBE scheme which is secure under LWE
assumption. Identity-based encryption became an en-
grossing research topic because of its distinctive fu-
ture where any public string can be used as a public
key for the encryption process. Analogously to the
Berkoff and Liu construction (Berkoff and Liu, 2014)
our scheme also achieves adaptivity which allows an
adversary to choose the leakage function after seeing
the public key. For the fully homomorphic property
we assume a scenario where the different ciphertexts
are computed using the same public key. In order
to enhance the scheme to a scenario where different
ciphertext can be computed at different times using
distinct public keys, we refer to the multi-key FHE
technique used in (Clear and McGoldrick, 2015) and
leave the topic for our further research. Furthermore
our scheme profits from its distributed decryption pro-
cess, where the secret key will be shared between two
decryption parties. In order to realize the distribution
of the secret key we use a leakage resilient symmet-
ric encryption based on LWE. Finally, our leakage re-
silient lattice-based distributed IBE scheme is secure
against chosen-plaintext attacks.
Applications. Our leakage-resilient fully homomor-
phic IBE scheme has several applications. As men-
tioned shortly in the introduction, an identity-based
encryption has the attractive feature of no need to
managing a public key infrastructure since only re-
cipient’s identity and some public parameters are re-
quired to encrypt a message. Regarding privacy,
IBE schemes are especially suitable for those systems
which require anonymity of communicating parties.
Having an IBE scheme, a user can choose an anony-
mous certificate to achieve anonymity between those
parties. Fully homomorphic property is particularly
useful in applications concerning cloud security. Out-
sourcing private data to the cloud services increases
concerns about data owner’s privacy. Storing the data
on cloud in encrypted form and providing the homo-
morphic property, which allows the cloud servers to
perform arbitrary computations on encrypted data, ad-
dresses the question of privacy issues. In particular,
cloud services are appealing in the medical and finan-
cial sectors. Li et al. (Li et al., 2010) presented an
attribute-based encryption (ABE) scheme which al-
lows to secure personal health records in cloud com-
puting. Sahai and Waters (Sahai and Waters, 2005)
showed in their work how to generalize an IBE en-
cryption to fuzzy identity-based encryption, which on
its part can be generalized to and ABE scheme, as
showed by Goyal et al. (Goyal et al., 2006). This
applies that our leakage-resilient fully homomorphic
distributed IBE scheme can be generalized to an ABE
scheme, which on its part can be applied to secure
cloud services of medical and financial sectors.
2 PRELIMINARIES
Notations. In our paper, we follow common nota-
tions used in the recent literature. A column vector v
(with coefficients v
i
) is written as a bold lowercase let-
ter. A matrix M is written as a bold uppercase letter.
For a value v sampled from a distribution D, we write
v D. This notation is extended to vector, v D
n
indicates that the coefficients of v are sampled inde-
pendently from D. The uniform distribution over a set
S is written as U(S). Matrix multiplication will be de-
noted with either juxtaposition AB or with a small dot
A · B when it enhances readability. The dot product
between two (same size) vectors ha, bi or a
T
b corre-
sponds to
i
a
i
b
i
with the operations performed in the
algebraic structure of the vectors’ coefficients.
2.1 Learning with Errors
For some positive integers parameters q,n, a vec-
tor s U
Z
n
q
and an error distribution D
σ
with
standard deviation σ over the integers (usually a
discrete Gaussian), we define the LWE distribution
A
s,D
σ
which is obtained by sampling a vector a
U(Z
n
q
), an error term e D
σ
and outputting the tu-
ple (a,ha,si + e) U
Z
n
q
× Z
q
.
The LWE problem, first introduced by Regev
(Regev, 2005), comes in two flavors, a search prob-
lem and a decision problem.
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage
43
Definition 1 (Search-LWE
n,m,q,σ
). Given m samples
(a,ha,si + e) A
s,D
σ
, find s.
This can be seen as solving an over-determined
system of noisy linear equations over Z
q
. Indeed, if
we write the samples as a matrix, the problem be-
comes: given a public matrix A Z
m×n
and a target
vector t = As + e Z
m
q
, find s.
Definition 2 (Decision-LWE
n,m,q,σ
). Given m sam-
ples over Z
n
q
× Z
q
, determine if they come from
U(Z
n
q
× Z
q
) or A
s,D
σ
.
Stated otherwise, it is the problem of distinguish-
ing the LWE distribution from the uniform distribu-
tion over Z
n
q
× Z
q
.
Surprisingly, both problems are equivalently hard,
even for an adversary in possession of a quantum
computer.
Definition 3 (Goldreich-Levin Theorem(Dodis et al.,
2010a)). For a prime q, a set H Z(q), a function
h : H
m
{0,1}
, a secret vector s H
m
, a random
vector r U(Z
q
)
m
if there exists a distinguisher be-
tween hs,ri and U(Z
q
) given h(s), there exists an ef-
ficient inverter for h.
Definition 4 (Goldreich-Levin Theorem for LWE
(Goldwasser et al., 2010)). Let k > log q and h :
{0,1}
n
{0,1}
be a function that no polynomial
adversary can invert with probability greater than
2
k
. For a super-polynomial q, a polynomial m,
0 σ
1
,σ
2
q such that σ
2
/σ
1
is negligible,
(A,As + e, h(s))
c
(A,u,h(s)) (1)
where A U(Z
m×n
q
),s U(Z
n
q
),u U(Z
m
q
) are
uniformly random and the error vector e D
σ
1
if
the Decision-LWE
`,m,q,σ
2
assumption holds with ` =
kω(log n)
log q
.
This result was first introduced in (Goldwasser
et al., 2010). It express the leakage-resilient property
of LWE in the auxiliary input model. In it first form it
required required a super-polynomial q but, later on,
Alwen et al. (Alwen et al., 2013) showed that the
LWE-to-LWE reduction works even for larger param-
eters where the modulus and modulus-to-error ratio
have polynomial size.
2.2 Homomorphic Encryption
For several decades(Rivest et al., 1978), cryptog-
raphers asked themselves the following question:
is it possible to perform arbitrary computation on
encrypted data without revealing it? The final answer
came from Gentry in 2009(Gentry, 2009a). In his
thesis, he solved the open problem of constructing
a cryptosystem allowing to compute an arbitrary
function on encrypted data without decrypting first.
Despite being still quite inefficient, this technique,
called fully homomorphic encryption(FHE), fits
really well in the context of distributed computing, or
more generally, cloud applications. As surprising as
it can sounds, a small device can now ask a powerful
cloud to perform data analysis without altering the
privacy of the data. In the following, we recall the
basic definitions. A survey of the field can be found
in (Armknecht et al., 2015).
A homomorphic encryption scheme is made
of four algorithms (FHEKeyGen,FHEEncrypt,
FHEDecrypt,Eval) defined as follow:
FHEKeyGen(λ) : On input a security parameter λ, it
outputs the secret key sk, the public key pk and the
evaluation key evk.
FHEEncrypt(pk,m) : On input the public key pk and
a message m, it outputs a ciphertext c.
FHEDecrypt(sk, c) : On input the secret key sk and a
ciphertext c, it outputs a message m.
Eval(evk, f ,(c
0
,...,c
n
)) : On input the evalua-
tion key evk, a function f and some ciphertexts
c
0
,...,c
n
such that c
i
= Encrypt(pk,m
i
), it outputs
c
0
= Encrypt(pk , f (m
0
,...,m
n
)).
The correctness requirement for homomorphic
encryption scheme is the following:
FHEDecrypt(sk, Eval(evk, f ,(c
0
,...,c
n
)))
= f (m
0
,...,m
n
).
Correct decryption of evaluated ciphertext is suffi-
cient in the sense that one can always evaluate the
identity function on a ciphertext without explicitly
asking for the output of FHEEncrypt to be decrypt-
able. (Brakerski and Vaikuntanathan, 2011a)
Definition 5. A fully homomorphic encryption
scheme is said to be leveled if the depth of the circuit
evaluating the function f is bounded by a prespecified
parameter.
2.3 Gentry-Sahai-Waters FHE
Let us now describe the fully homomorphic encryp-
tion scheme of Gentry, Sahai and Waters(Gentry
et al., 2013)(GSW). This scheme has the beautiful
property that no evaluation key is required to perform
homomorphic operations. One can directly add and
multiply ciphertexts together (which is enough to de-
scribe a NAND gate) and get the expected result. The
construction is based on LWE.
Ciphertext flattening. We start by recalling the tech-
nique which keeps ciphertexts strongly bounded. We
SECRYPT 2018 - International Conference on Security and Cryptography
44
call a ciphertext C B-strongly-bounded if its associ-
ated messages µ and the coefficients of the cipher-
text C all have magnitude at most 1, while the co-
efficients of the error vector e all have magnitude
at most B ((Gentry et al., 2013)). The technique
was used to realize the first (leveled) fully homo-
morphic identity-based and (leveled) fully homomor-
phic attribute-based encryption as showed in (Gentry
et al., 2013). Using transformations from (Brakerski
and Vaikuntanathan, 2011a), vectors can be modified
without affecting dot products.
We assume two vectors a, b U
Z
k
q
and set
l =
b
log
2
q
c
+ 1 and N = k · l. Let BitDecomp(a)
be the N-dimensional vector (a
1,0
,...,a
1,l1
,...,a
k,0
,
...,a
k,l1
), where a
i, j
is the j-th bit in a
i
s binary rep-
resentation. For some vector a
0
= (a
1,0
,...,a
1,l1
,...,
a
k,0
,...,a
k,l1
), let
BitDecomp
1
(a
0
) =
l1
j=0
2
j
· a
1, j
,...,
l1
j=0
2
j
· a
k, j
!
be the inverse of BitDecomp, which is well defined.
That means even if the input is not a bit-vector, the in-
verse is well-defined. For an N-dimensional vector a
0
,
let Flatten(a
0
) = BitDecomp(BitDecomp
1
(a
0
)) a
N-dimensional bit vector. For a matrix A, let
BitDecomp(A), BitDecomp
1
(A),Flatten(A) be
applied to each row of A. Let Powerof2(b) =
(b
1
,2b
1
,...,2
l1
b
1
,...,b
k
,2b
k
,...,2
l1
b
k
). We ob-
serve the following properties for any N-dimensional
a
0
:
h
BitDecomp(a),Powerof2(b)
i
=
h
a,b
i
a
0
,Powerof2(b)
=
BitDecomp
1
(a
0
),b
=
Flatten(a
0
),Powerof2(b)
.
Encryption and Decryption. The fully homomor-
phic encryption (FHE) scheme from (Gentry et al.,
2013) works as follows. For suitable parameters
q,n,m = O(n log q) the LWE instance consists of a
m × (n + 1) matrix A such that there is a vector
s U
Z
n+1
q
, where the first entry is 1 and e = A · s
is a small error vector. We assume that A is pub-
lic and s is secret. A ciphertext C encrypts µ if
C · v = µv + e, where v is a N-dimensional secret
key. To decrypt message µ, the i-th row C
i
is ex-
tracted from C and x
h
C
i
,v
i
= µv
i
+ e
i
computed.
The vector v is called approximate eigenvector. Let
v = Powerof2(s), which is a vector of dimension
N = (n + 1) · l for l =
b
log
2
q
c
+ 1. Consider the fol-
lowing property:
Flatten(C) · v = C · v.
To encrypt a message µ Z
q
, a random matrix R
{0,1}
N×m
is generated and C = Flatten(µ · I
N
+
BitDecomp(R · A)) computed. Note that Flatten
operation does not affect the product with v, i.e.
C · v = µ · v + BitDecomp(R · A) · v
= µ · v + R · A · s = µ · v + small.
Homomorphic Properties. Homomorphism comes
naturally with the definition of a ciphertext C
i
on a
message µ
i
being a matrix such that C
i
·v = µ
i
·v +e
i
.
Indeed, for addition,
C
+
= Add(C
1
,C
2
) = C
1
+ C
2
implies C
+
· v = (µ
1
+ µ
2
) · v + (e
1
+ e
2
) and for mul-
tiplication,
C
×
= Mult(C
1
,C
2
) = C
1
· C
2
implies C
×
· v = C
1
· (C
2
· v) = C
1
· (µ
2
· v + e
2
) =
µ
2
·(µ
1
·v+e
1
)+C
1
·e
2
= µ
1
·µ
2
·v+µ
2
·e
1
+C
1
·e
2
=
µ
1
· µ
2
· v + small. Unfortunately, it is impossible to
prevent the error term to grow while performing ho-
momorphic operations. We refer to (Gentry et al.,
2013) for more details.
2.4 Identity-based Encryption
An identity-based encryption scheme is made of four
algorithms (Setup, Extract, Encrypt, Decrypt)
defined as follow:
IBE.Setup(λ) : On input a security parameter λ it
outputs a key pair (msk, mpk).
Extract(msk, ID) : On input the master secret key
msk and an identity ID, it outputs a secret key for the
given ID sk
ID
.
IBE.Encrypt(mpk,ID, m) : On input the master
public key mpk, an identity ID and a message m, it
outputs a ciphertext c
ID
intended to ID.
IBE.Decrypt(c
ID
,sk
ID
) : On input a ciphertext c
ID
and a secret key sk
ID
for both the same ID, it outputs
a message m.
For correctness to hold, it should be the case
that when sk
ID
is output by the algorithm
Extract(msk, ID), we have
IBE.Decrypt(IBE.Encrypt(mpk,ID,m),sk
ID
) = m.
3 MODELING CONTINUAL
KEY-LEAKAGE ATTACKS
We propose our scheme in the continual auxiliary
leakage model. A cryptosystem is secure in this
model if it remains secure even when an adversary is
given a computationally uninvertible function on in-
put a secret key as an auxiliary input. The scheme
achieves continual leakage resistance by refreshing
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage
45
the secret key in each time period with a restriction
that there is no polynomial time algorithm which can
invert the leakage function between two time periods.
The auxiliary input model was introduced by Dodis
et al. (Dodis et al., 2010a), while the continual leak-
age model was presented in (Dodis et al., 2010b). We
present a model which is defined in the chosen ci-
phertext security setting. In this case an adversary
has access to four oracles: extraction, leakage and re-
fresh oracle. The model is provided in the following
paragraph. Let A
ind
be an adversary which is playing
the following experiment Exp
INDIDCPAb
LRFHIBE,A
ind
for a bit
b {0,1}:
Setup: The challenger runs Setup algorithm and
outputs mpk,msk. The adversary specifies the leak-
age function h. The challenger constructs storage list
which consists of extracted secret keys L
ex
given by
(ID, sk
ID,1
,sk
ID,2
), where sk
ID,1
,sk
ID,2
are the two se-
cret shares.
Phase 1: Adversary A
ind
queries the following ora-
cles:
Extraction Oracle: Taking as input ID, index
i {1,2}, the oracle checks if (ID,sk
ID,i
,·) L
ex
.
If so it takes the corresponding secret key sk
ID
=
(sk
ID,1
,sk
ID,2
) and gives the secret share sk
ID,i
to
the adversary. Otherwise it runs the Extract al-
gorithm on input master public, master secret key
and an identity ID. It outputs then the computed
secret key shares sk
ID,i
to the adversary and stores
(ID, sk
ID,i
,·) in the list L
ex
.
Leakage Oracle: On input a PPT computable
leakage function h and an identity ID the oracle re-
turns h(mpk,ID, sk
ID,1
,sk
ID,2
).
Refresh Oracle: On input an identity ID and,
the oracle checks if (ID,sk
ID,1
,sk
ID,2
) L
ex
, if
not, it sets a counter count = 1. The ora-
cle generates {sk
ID,i
}
i∈{1,2}
Extract(msk,ID),
adds (ID,sk
ID,1
,sk
ID,2
) to the list, runs the
Refresh algorithm on input {sk
ID,1
,sk
ID,2
} and
returns (sk
f resh
ID,1
,sk
f resh
ID,2
) to A
ind
. Otherwise, if
(ID, sk
ID,1
,sk
ID,2
) is already in the list it runs
the Refresh algorithm on the existing secret key
shares from the list L
ex
and returns {sk
f resh
ID,i
}
i∈{1,2}
to A.
Challenge: A
ind
outputs m
0
,m
1
and an
identity ID
. The challenger computes
FHIB.Encrypt(mpk,m
b
,ID
), where ID
has
not been queried before to the leakage and refresh
oracles.
Phase 2: The adversary is allowed to issue further
extraction oracle queries excluding the queries on
input ID
.
Output: A
ind
returns a bit b
0
as a guess for b.
We say that an identity-based encryption is secure
against chosen-plaintext attacks in the continual aux-
iliary input model if for any probabilistic polynomial
time attacker A running the above experiment the
advantage to win, defined as
Adv
INDIDCPA
LRFHIBE,A
ind
= |Pr[Exp
INDIDCPA0
LRFHIBE,A
ind
= 1]
Pr[Exp
INDIDCPA1
LRFHIBE,A
ind
= 1]| ε(λ),
where ε(·) is a negligible function in λ.
4 LEAKAGE-RESILIENT
FULLY-HOMOMORPHIC
DISTRIBUTED
IDENTITY-BASED
ENCRYPTION WITH
AUXILIARY INPUTS
(LRFHIBE)
Intuition. Motivated by the scheme of (Akavia et al.,
2012) which introduced distributed public key en-
cryption schemes secure against continual leakage,
we present the new construction of a leakage-resilient
fully homomorphic IBE scheme (LRFHIBE) in the
distributed setting. We note that the secret key will be
shared among two computing devices which can com-
municate with each other via a public channel. This
distributed setting allows to reduce the risk of manip-
ulating the single device, by distributing the power of
a single device among two ones. Our construction
guarantees security against continual leakage of the
secret key where the leakage function consists of the
secret key and some auxiliary input. Decryption of
ciphertext is given by a two-party protocol. In order
to ensure a secure communication between the two
parties we use symmetric encryption during the ex-
ecution of the 2-party protocol. We use the approx-
imate eigenvector technique in order to achieve the
fully homomorphic property of our scheme, avoiding
the existence of any evaluation keys which makes our
scheme favorable in contrast to the so far existing ho-
momorphic encryption schemes with evaluation keys.
Definition 6 (Model for LRFHIBE Scheme). Let
ˆ
C
denote the evaluated ciphertext which can be either
ˆ
C
+
or
ˆ
C
×
, as introduced in Chapter 2.3. A LRFHIBE
consists of the following six algorithms:
FHIB.Setup(λ): On input security parameter λ it
generates the master public key and master secret key
mpk,msk.
FHIB.Extract(mpk,msk,ID) : On input mpk, msk,
ID the algorithm consists of two stages:
SECRYPT 2018 - International Conference on Security and Cryptography
46
Stage 1. Takes as input mpk,msk, ID. Outputs
sk
ID
.
Stage 2. On input secret key sk
ID
, it outputs se-
cret shares sk
ID,1
,sk
ID,2
for party P
1
and party P
2
,
respectively.
FHIB.Encrypt(mpk,ID, µ
i
) : On input master public
key mpk, identity ID and message µ
i
it outputs a
ciphertext C
ID
(µ
i
).
FHIB.Eval(mpk,C
ID
(µ
1
),...,C
ID
(µ
n
),F) : Take
as input the ciphertexts, C
ID
(µ
1
),...,C
ID
(µ
n
) and
an evaluation function F and output the evaluated
ciphertext
ˆ
C.
FHIB.Decrypt(mpk,
ˆ
C,sk
ID,1
,sk
ID,2
) : On input
master public key mpk, evaluated ciphertext
ˆ
C, two
secret shares sk
ID,1
,sk
ID,2
it runs an interactive
2-party protocol executed between P
1
and P
2
where
at the end of the protocol one of the parties outputs ˆµ,
which is an evaluated value of messages µ
1
,...,µ
n
,
i.e. ˆµ = F(µ
1
,...,µ
n
).
Refresh(sk
ID,1
,sk
ID,2
) : Is a 2-party protocol exe-
cuted between P
1
and P
2
taking as input their secret
shares sk
ID,1
= s and sk
ID,2
and outputting updated
secret shares sk
f resh
ID,1
,sk
f resh
ID,2
.
4.1 Building Block: Leakage-resilient
Symmetric Encryption
We recall a building block, termed leakage-resilient
symmetric encryption introduced in (Goldwasser
et al., 2010):
SymGen(λ) : On input λ outputs a uniformly random
secret key s U({0,1}
λ
).
SymEnc(s,µ) : On input a secret key s and a message
µ {0, 1}
m
, outputs the ciphertext C = (A,As + e +
µb
q
2
c), where A U(Z
m×n
q
) and e D
m
σ
.
SymDec(s,C) : On input a secret key s and a cipher-
text (A,y), computes y As and outputs the message
using a threshold decoder.
4.2 The Scheme
Intuition. Let Σ be an LWE-based IBE scheme con-
sisting of four algorithms (IBE.Setup,IBE.Extract,
IBE.Encrypt,IBE.Decrypt) as described in Section
2.4. To apply the transformation technique presented
via ”compiler” in (Gentry et al., 2013), the underlying
IBE scheme needs to have the following three proper-
ties:
The decryption key for identity ID and the cor-
responding ciphertext for ID, are sk
ID
,c
ID
U
Z
n
0
q
. We extend the decryption key by adding
1 as the first component.
If c
ID
encrypts 0, then
h
c
ID
,sk
ID
i
is small.
Encryptions of 0 are indistinguishable from uni-
form vectors over Z
q
(under LWE assumption).
Our transformation of Σ into a distributed LRFHIBE
scheme follows in the next paragraph. The main idea
of the compiler is that the encryption of a message
µ {0,1} is represented by encryption of 0 using
the encryption algorithm of the underlying IBE
scheme. The decryptor uses the decryption algorithm
of the fully homomorphic scheme FHE to recover
the message µ. In order to make our scheme resilient
against continual leakage our construction contains
an additional algorithm to refresh the secret keys.
At the beginning of the refresh protocol, P
1
holds a
secret key which is represented by a ciphertext of the
symmetric encryption and encrypts the secret key of
the underlying public key encryption. The other party
P
2
holds the secret key of the symmetric encryption
scheme. The role of the refresh algorithm is to update
the secret shares. As a result the new key of P
1
represents the new random symmetric encryption
of secret key of the underlying asymmetric scheme
using the new symmetric secret key which is to
be held by P
2
. During the refreshing process, P
2
chooses a new random secret and sends an encryption
combining the old ciphertext with the new one and
sends it to P
1
. For his part, P
1
chooses a new secret
key and sends a ciphertext to P
2
using its own share.
After decrypting the received ciphertext, P
1
will
receive a new secret share.
Note that the extraction algorithm first extracts
identity-based secret key, then it generates the key
shares for both parties. P
2
obtains encryption of the
identity-based secret key, using symmetric secret key
which is hold by P
1
as his secret key. Furthermore
we point out that the decryption algorithm does not
reconstruct the initial master secret key. The idea
is that the two servers interact in a protocol sending
each other certain values, where the final decryption
procedure is done by one of the servers.
As showed by Goldwasser et al. (Goldwasser
et al., 2010) the decisional LWE problem is leakage
resilient. Regev (Regev, 2005) proved the search
version of LWE (worst-case) is as hard as several
lattice problems in the worst case. Eventually we
know that decisional and search LWE are equivalent
up to a polynomial in q factors, where q is a prime
number. In order to achieve leakage resilience of
our fully homomorphic IBE scheme we need to
change the parameters of the underlying scheme
which is based on Gentry et al. construction (Gentry
et al., 2013). We assume that the circuit depth of the
scheme is given by L = poly(λ) and is a polynomial
in the security parameter λ. The observance in the pa-
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage
47
rameter setting is the fact that with a higher parameter
σ of error distribution D
σ
the security increases too.
But according to correctness constraint, σ must be set
low while q must grow exponentially with the depth
of circuit. This contradicts to the hardness constraint
where with an increasing circuit depth L, solving
the underlying gapSVP becomes easy. This problem
involves a solution where the parameter n has to be
polynomial in the depth L. A deeper discussion on
parameter settings has been provided by Berkoff and
Liu (Berkoff and Liu, 2014). Following the proofs
in (Berkoff and Liu, 2014) we set m = 2nlogq + 3λ,
where n = τ
2
and τ = max{L,λ
2
}. The suitable
error distribution parameter σ of D
σ
is set equal to
σ = 2
log
2
τ
and the prime q is bounded by q 2
τlog
2
τ
.
These parameters guarantee correctness of our
leakage resilient fully homomorphic IBE scheme
according to the analysis in (Berkoff and Liu, 2014).
Construction. A leakage-resilient fully-
homomorphic distributed IBE scheme consists
of the following six algorithms:
FHIB.Setup(λ): It runs the IBE.Setup algorithm of
Σ to generate the master public key and master secret
key mpk,msk.
FHIB.Extract(mpk,msk,ID) : The algorithm
consists of 2 stages:
Stage 1. It runs the extraction algorithm
IBE.Extract of Σ scheme in order to com-
pute sk
ID
U
Z
m
q
, which is the decryption
key of IBE scheme. It supplements the calcula-
tions by setting sk
0
ID
= (1,sk
ID
) U
Z
m+1
q
.
It computes the decryption key of LRFHIBE
scheme as Powerof2(sk
0
ID
) = v
ID
, where
v
ID
= (v
ID,1
,...,v
ID,N
) Z
l·(m+1)
q
, N = l(m + 1).
It outputs v
ID
.
Stage 2. The secret key shares of the two par-
ties are generated as follows: given the security
parameter and the identity-based secret key v
ID
it
runs the SymGen algorithm of symmetric scheme
and outputs a random value s U(Z
n
q
) which is
the secret share of P
1
, i.e. sk
ID,1
= s. The secret
share of P
2
is given by running the symmetric algo-
rithm Encrypt(s,v
ID
) = As +e +b
q
2
cv
ID
= sk
ID,2
,
where A U
Z
N×n
q
, e D
N
σ
.
FHIB.Encrypt(mpk,ID, µ
i
) : To encrypt the message
µ
i
U ({0,1}), the algorithm invokes IBE.Encrypt
of Σ to compute N = l · (m + 1) encryptions of 0. The
resulted ciphertext is denoted by C
0
ID
. Taking C
0
ID
it
computes the ciphertext of FHIBE by the following
calculation:
C
ID
= Flatten
µ · I
N
+ BitDecomp(C
0
ID
)
U
Z
N×N
q
.
FHIB.Eval(mpk,C
ID
(µ
1
),...,C
ID
(µ
n
),F) : Take as
input the ciphertexts, C
ID
(µ
1
),...,C
ID
(µ
n
) and an
evaluation function F {Add, Mult}. If F = Add,
output
ˆ
C = Add(C
ID
(µ
1
),...,C
ID
(µ
n
))
= Flatten(C
ID
(µ
1
) + . . . + C
ID
(µ
n
)),
else if F = Mult, output
ˆ
C = Mult(C
ID
(µ
1
),...,C
ID
(µ
n
))
= Flatten(C
ID
(µ
1
) × . . . × C
ID
(µ
n
)).
FHIB.Decrypt(mpk,
ˆ
C,sk
ID,1
,sk
ID,2
) : Is the follow-
ing 2-party protocol executed between P
1
and P
2
on
a given ciphertext
ˆ
C. Assume that both parties know
index i, which represents the required row i of cipher-
text
ˆ
C:
P
2
picks a uniformly random s
0
U(Z
n
q
), takes
the ith row of ciphertexts
ˆ
C
i
of the underlying
asymmetric scheme, and computes d = As
0
ˆ
C
i
+
sk
ID,2
ˆ
C
i
= As
0
ˆ
C
i
+ As
ˆ
C
i
+ e
ˆ
C
i
+
D
v
ID
,
ˆ
C
i
E
b
q
2
c.
Finally P
2
sends d to P
1
.
P
1
computes d
0
= d AsC
i
and sends it back to P
2
.
P
2
decrypts by executing the simple computation
d
0
As
0
ˆ
C
i
=
D
v
ID
,
ˆ
C
i
E
b
q
2
c + e.
Refresh(sk
ID,1
,sk
ID,2
) : Is a 2-party protocol exe-
cuted between P
1
and P
2
taking as input their secret
shares sk
ID,1
= s and sk
ID,2
= SymEnc
s
(v
ID
).
P
2
uses the previously picked secret s
0
, picks a new
error vector e
0
(D
σ
)
N
, computes f = sk
ID,2
+
As
0
+ e
0
and sends it to P
1
.
Using its secret key, P
1
computes As + e and tak-
ing f it sets f (As + e) = f
0
. In the next step P
1
chooses a new secret share sk
f resh
ID,1
given by s
00
U(Z
n
q
),e
00
(D
σ
)
N
, computes f
00
= As
00
+ e
00
+ f
0
and sends it to P
2
.
Upon receiving f
00
, P
2
subtracts As
0
+ e
0
and ob-
tains the refreshed secret key sk
f resh
ID,2
= As
00
+ e
00
+
v
ID
b
q
2
c.
Correctness. Correctness of the scheme follows
due to the fact that:
v
ID
,
ˆ
C
i
= µv
ID
+ small.
5 SECURITY ANALYSIS
Our scheme offers an extension of Berkoff and Liu
(Berkoff and Liu, 2014) scheme to a distributed set-
ting by introducing a 2-party protocol between two
SECRYPT 2018 - International Conference on Security and Cryptography
48
servers who run the decryption process. Furthermore
our scheme remains secure even if an adversary can
leak a part of the secret key at each time period, while
the leakage is represented by an uninvertible function.
This security model is called continual auxiliary leak-
age model and is particularly attractive in contrast to
the previous leakage models reviewed in the introduc-
tion of our work. Analogously to (Yuen et al., 2012)
our model does not require erasure of the secret key
after each update in every period.
Theorem 7. The fully homomorphic distributed
identity-based encryption is resilient to continual aux-
iliary input leakage under the assumption that the
LW E problem is hard, the underlying identity-based
encryption and symmetric encryption are both secure
under chosen-plaintext attacks.
Proof. Assume an adversary A which plays the
security experiment from section 4. The se-
curity holds even for auxiliary leakage functions
h(mpk,sk
ID,1
,sk
ID,2
) which are hard to invert. The
goal is to generate secret key shares which cannot
be used to decrypt the challenge ciphertext, in other
words those secret key shares will always decrypt to
. We show that if the leakage function is uninvert-
ible, an adversary will not be able to gain information
about the secret key which can be used to distinguish
the ciphertext from a random ciphertext. Later on we
have to show how to extend it to the continual leak-
age model where the secret key shares will be updated
in each time period. We will use a CPA adversary A
against our scheme to construct a polynomial time al-
gorithm B against the LWE problem.
Additionally we prove that our scheme achieves
the appealing property of adaptivity, where an adver-
sary can choose the leakage function after seeing the
public key. In order to achieve this property we need
to show that the ciphertext remains computational in-
distinguishable form random even if we assume that
the public key can be distinguished from a random
value. In the decisional LWE problem, the adversary
is provided with the access to a sampling oracle. Note
that this oracle can be either a pseudorandom oracle
O
pr
with some included secret s
0
or a truly random
oracle, with all random samples over Z
·
q
(where the
exponent differs according to the required vectors). B
samples N + 1 vectors a
0
,a
1
,...,a
N
U
Z
n
q
N
and
a vector v from Z
N
q
. Similarly it samples more vec-
tors for the simulation of master public key and mas-
ter secret key. Before we proceed with the proof, we
describe how B simulates the received queries from
A.
Extraction Queries: Whenever A issues ex-
traction queries on identity ID and an index i
U ({1, 2}), B picks the sampled vector v. Then
it takes the sampled n-dimensional vector a
0
and
the remained N vectors a
1
,...,a
N
and defines A =
[a
1
|...|a
N
]. It simulates sk
ID,1
= a
0
and sk
ID,2
=
Aa
0
+ e + v, where e D
N
σ
is a sample corre-
sponding to the Gaussian distribution D
N
σ
. It re-
turns {sk
ID,i
}
i∈{1,2}
to the adversary A
ind
, sets sk
ID
=
v
ID
= v and stores (ID,sk
ID,1
,sk
ID,2
) in the list L
ex
.
Leakage Queries: Whenever A issues leak-
age queries on input an identity ID and a leak-
age function h, B simulates the input of the leak-
age function by first running the simulation of the
secret share queries described above and returns
h(mpk,ID, sk
ID,1
,sk
ID,2
).
Refresh Queries: The challenger B simulates
the queries as follows: Whenever A
ind
issues a re-
fresh query on an identity ID, B first checks whether
(ID, sk
ID,1
,sk
ID,2
) L
ex
. If so, it picks a random
value s
0
U(Z
n
q
) and builds a matrix A of sampled
vectors a
0
,a
1
,...,a
N
. It picks a value e
0
D
N
σ
and
sets sk
f resh
ID,1
= (s
0
,e
0
). By picking another random
s
00
U(Z
n
q
) and e
00
D
N
σ
, the challenger simulates
sk
f resh
ID,2
= As
00
+ e
00
+ v
ID
(where v
ID
= v is the previ-
ously sampled vector.
For the continuation of the proof we use the hy-
brid argument with a sequence of games. The oracle
queries in each game are simulated as showed above.
The initial game Game
0
is the real game as described
in section 4. Each game profits from adversary’s com-
putational boundary and from the fact that this adver-
sary cannot distinguish the ciphertext from random.
Game
i
is different from the initial (real) Game
0
by
definition of secret key shares and ciphertext which
are so modified that the secret key shares do not de-
crypt correctly the modified ciphertext.
Gentry et al. (Gentry et al., 2013) defined a com-
piler that transforms any LWE-based IBE scheme into
a fully-homomorphic IBE scheme. Since we exploit
their technique, we recall the three main properties of
that should have the underlying IBE scheme which
we apply to our proof:
Ciphertext and Decryption Key Vectors: The
ID-based secret key sk
ID
and a ciphertext for c
ID
, are
vectors in Z
n+1
q
, where the first coefficient is 1.
Small Dot Product: If c
ID
encrypts 0, then
h
c
ID
,sk
ID
i
is small.
Security: Encryptions of 0 are indistinguishable
from uniform vectors over Z
q
under LWE assump-
tion.
To guarantee these properties we assume an un-
derlying identity-based encryption, which has the
required properties and is secure against chosen-
plaintext attacks. The most famous schemes satisfy-
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage
49
ing the mentioned features have been introduced in
(Gentry et al., 2008; Agrawal et al., 2010; Cash et al.,
2010).
We have to show that the compiler is leakage-
resilient in continual leakage model with auxiliary
input. Due to the fact that this compiler uses en-
cryption algorithm of the underlying IBE scheme and
generates N encryptions of 0, the ciphertext is in-
distinguishable from random according to the third
property mentioned above. Since the underlying IBE
scheme is assumed to be secure under LWE assump-
tion, which is known to be leakage resilient, we con-
clude that leakage resilience of the compiler is guar-
anteed too.
Furthermore, in order to prove resistance against
the continual auxiliary leakage we first define a class
of function family F having a minimal entropy ξ
min
of the ID-based secret shares, which at the same
time denotes the length of the secret shares. Ob-
serve a set S of all queries secret key shares for
both servers, (sk
ID
1
,sk
ID
2
). Assuming that S
de-
notes the set of all secret keys on the challenge iden-
tity ID
, then the intersection set S S
=
/
0. We de-
note by F (g(ξ
min
)) the class of all probabilistic poly-
nomial functions h such that for all leakage queries
i [1,...,q
l
], with access to the master public key,
challenge identity ID
, set S and the leakage func-
tion h(mpk,ID, sk
ID
1
,sk
ID
2
), where ID is one of the
queried identities to the leakage oracle, no PPT ad-
versary A can find the valid secret shares sk
ID
1
,sk
ID
2
with a greater probability than the hardness parameter
g(ξ
min
), where g(ξ
min
) 2
ξ
min
. We say that the un-
derlying IBE and symmetric encryption schemes are
supposed to be CPA secure against continual auxiliary
leakages if they are indistinguishable CPA secure with
respect to the family F (g(ξ
min
)) described above.
Let ID
be the challenge identity. The adversary’s
view in the real game is represented by the tu-
ple (mpk,C
ID
,h(mpk,sk
ID,1
,sk
ID,2
)), where C
ID
=
Flatten(µ · I
N
+ BitDecomp(C
0
ID
)), with C
0
ID
be-
ing a ciphertext from the underlying identity-based
encryption which represents N encryptions of 0 and
µ U ({0,1}). Upon applying BitDecomp
1
, we
obtain C
ID
= BitDecomp
1
(µ · I
N
) + C
0
ID
. We note
that BitDecomp and thus BitDecomp
1
are determin-
istic operation, it is easier to assume an adversary
A who runs the security experiment with
ˆ
C
ID
. That
means we have to show that A cannot distinguish C
0
ID
from a randomly picked value V U(Z
N×(n+1)
q
).
Adversary’s view in the real game Game0 is given
by the following hybrid tuple:
Hybrid
0
:=
mpk,A,b,C
0
ID
,h(mpk,sk
ID,1
,sk
ID,2
)
,
where a random hybrid tuple of a Game
r
is given
by Hybrid
r
:= (mpk,A,u,V, h(mpk,sk
ID,1
,sk
ID,2
)),
where A U
Z
N×n
q
and b = As + e is the pub-
lic key of the underlying symmetric scheme, which
is used during the key distribution process. We have
to show that the two hybrid tuples are computation-
ally equivalent, i.e Hybrid
0
c
Hybrid
r
. To represent
the view of adversary A in each other game Game
i
we define a tuple Hybrid
i
where each row of C
ID
is
replaced by a random vector v
ID,i
U
Z
n+1
q
. So
we have to show that Hybrid
i
c
Hybrid
i+1
, where
0 < i N.
According to the Definition 4 (after amending the
parameters) the following approximation holds:
(A,As + e, h(mpk,sk
ID,1
,sk
ID,2
))
c
(A,u,h(mpk,sk
ID,1
,sk
ID,2
)),
where u U(Z
N
q
). According to the security prop-
erty of our IBE compiler, C
0
ID
is indistinguishable
from uniform vectors v
ID,i
U
Z
n+1
q
, such that we
can say C
0
ID
c
{v
ID,i
}
i[N]
. Eventually, we obtain the
following result:
mpk,A,b,C
0
ID
,h(mpk,sk
ID,1
,sk
ID,2
)
(mpk , A,u,V,h(mpk, sk
ID,1
,sk
ID,2
)).
According to the second property of the IBE compiler,
the dot product of a ciphertext with the secret key is
small. That means an adversary cannot distinguish
the modified secret key from the real one, assuming
that the leakage function is uninvertible.
As next we have to handle with the fact that there is
a continual leakage, meaning existence of a certain
sequence of phases where leakage of the secret key
shares occurs. Each new phase follows after running
a refresh algorithm and generating fresh secret key
shares. Considering the refresh algorithm and choos-
ing a random s U
Z
n
q
as the first secret share, and
a random v
0
U
Z
N
q
it computes As + e + b
q
2
c · v
0
,
where e (D
σ
)
N
an error. After running the refresh
algorithm, we see that the new secret shares are indis-
tinguishable from random.
In order to complete the proof we show that inversion
of leakage function h can be reduced to the fact that
the consecutive hybrid games are indistinguishable
from each other. For reason of simplicity we shot that
the advantage between Hybrid
0
and Hybrid
r
is neg-
ligible. We show it by a contradiction assuming that
the advantage between the hybrids is non-negligible,
i.e. |Adv(Hybrid
0
) Adv(Hybrid
r
)| negl(λ). This
assumption would mean that there is an adversary B
against LWE, such that
Pr[B
A,As + e, h(mpk,sk
ID,1
,sk
ID,2
),C
0
ID
s
= 1]
Pr[B (A, u, h(mpk,sk
ID,1
,sk
ID,2
),V) = 1] ε(λ),
SECRYPT 2018 - International Conference on Security and Cryptography
50
This is a contradiction due to the computational in-
distinguishabilities we showed above. Thus we can
conclude
|Adv(Hybrid
0
) Adv(Hybrid
r
)| negl(λ).
6 CONCLUSION
In this work, we described how to construct a leakage-
resilient distributed identity-based encryption scheme
having the fully homomorphic property making the
scheme appealing to such applications like cloud se-
curity of medical and financial data. The leakage
model we considered is called continual auxiliary
leakage model. It aims at allowing a constant leakage
of information on the secret key. To achieve that, the
lifetime of the system is split in time frames during
which the adversary has access to an auxiliary input
represented by some uninvertible function. At the end
of each frame, the key is replaced by a new one and
the process can continue for an unbounded amount of
time.
Our construction lives in a distributed setting where
a secret key is shared between two devices. The re-
freshing procedure is made through a two party pro-
tocol updating the shares while keeping the same pub-
lic key. Security is proven under the LWE assumption
which enjoy strong leakage-resilient properties and is
believed to resist attacks from quantum adversaries.
REFERENCES
Agrawal, S., Boneh, D., and Boyen, X. ((2010)). Effi-
cient lattice (H)IBE in the standard model. In EU-
ROCRYPT, volume 6110 of LNCS, pages 553–572.
Springer.
Akavia, A., Goldwasser, S., and Hazay, C. (2012). Dis-
tributed public key schemes secure against continual
leakage. In ACM Symposium on Principles of Dis-
tributed Computing, PODC, 2012, pages 155–164.
ACM.
Akavia, A., Goldwasser, S., and Vaikuntanathan, V. (2009).
Simultaneous hardcore bits and cryptography against
memory attacks. In Theory of Cryptography, TCC,
2009. Proceedings, volume 5444 of Lecture Notes in
Computer Science, pages 474–495. Springer.
Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S.,
and Wichs, D. (2010). Public-key encryption in the
bounded-retrieval model. In Advances in Cryptology
- EUROCRYPT 2010. Proceedings, volume 6110 of
Lecture Notes in Computer Science, pages 113–134.
Springer.
Alwen, J., Krenn, S., Pietrzak, K., and Wichs, D. (2013).
Learning with rounding, revisited - new reduction,
properties and applications. In Advances in Cryptol-
ogy - CRYPTO 2013 - Proceedings, Part I, volume
8042 of Lecture Notes in Computer Science, pages
57–74. Springer.
Armknecht, F., Boyd, C., Carr, C., Gjøsteen, K.,
J
¨
aschke, A., Reuter, C. A., and Strand, M.
(2015). A guide to fully homomorphic encryp-
tion. Cryptology ePrint Archive, Report 2015/1192.
http://eprint.iacr.org/2015/1192.
Berkoff, A. and Liu, F. (2014). Leakage resilient fully ho-
momorphic encryption. In Theory of Cryptography -
11th Theory of Cryptography Conference, TCC 2014.
Proceedings, volume 8349 of Lecture Notes in Com-
puter Science, pages 515–539. Springer.
Brakerski, Z., Kalai, Y. T., Katz, J., and Vaikuntanathan, V.
(2010). Overcoming the hole in the bucket: Public-
key cryptography resilient to continual memory leak-
age. In 51th Annual IEEE Symposium on Foundations
of Computer Science, FOCS 2010, pages 501–510.
IEEE Computer Society.
Brakerski, Z. and Vaikuntanathan, V. (2011a). Efficient
fully homomorphic encryption from (standard) LWE.
In IEEE 52nd Annual Symposium on Foundations of
Computer Science, FOCS, 2011, pages 97–106. IEEE
Computer Society.
Brakerski, Z. and Vaikuntanathan, V. (2011b). Fully ho-
momorphic encryption from ring-lwe and security for
key dependent messages. In Advances in Cryptology
- CRYPTO 2011, Proceedings, pages 505–524.
Canetti, R., Dodis, Y., Halevi, S., Kushilevitz, E., and Sahai,
A. (2000). Exposure-resilient functions and all-or-
nothing transforms. In Advances in Cryptology - EU-
ROCRYPT 2000, Proceeding, volume 1807 of Lecture
Notes in Computer Science, pages 453–469. Springer.
Cash, D., Hofheinz, D., Kiltz, E., and Peikert, C. ((2010)).
Bonsai trees, or how to delegate a lattice basis. In EU-
ROCRYPT 2010, volume 6110 of LNCS, pages 523–
552. Springer.
Chow, S. S. M., Dodis, Y., Rouselakis, Y., and Waters, B.
(2010). Practical leakage-resilient identity-based en-
cryption from simple assumptions. In Proceedings of
the 17th ACM Conference on Computer and Commu-
nications Security, CCS 2010, Chicago, Illinois, USA,
October 4-8, 2010, pages 152–161. ACM.
Clear, M. and McGoldrick, C. (2015). Multi-identity and
multi-key leveled FHE from learning with errors. In
Advances in Cryptology - CRYPTO 2015 - Proceed-
ings, Part II, volume 9216 of LNCS, pages 630–656.
Springer.
Dodis, Y., Goldwasser, S., Kalai, Y. T., Peikert, C., and
Vaikuntanathan, V. (2010a). Public-key encryption
schemes with auxiliary inputs. In Theory of Cryptog-
raphy, 7th Theory of Cryptography Conference, TCC
2010. Proceedings, volume 5978 of Lecture Notes in
Computer Science, pages 361–381. Springer.
Dodis, Y., Haralambiev, K., L
´
opez-Alt, A., and Wichs, D.
(2010b). Cryptography against continuous memory
attacks. In 51th Annual IEEE Symposium on Founda-
Fully Homomorphic Distributed Identity-based Encryption Resilient to Continual Auxiliary Input Leakage
51
tions of Computer Science, FOCS 2010, pages 511–
520. IEEE Computer Society.
Dodis, Y., Kalai, Y. T., and Lovett, S. (2009). On cryp-
tography with auxiliary input. In Proceedings of the
41st Annual ACM Symposium on Theory of Comput-
ing, STOC 2009, Bethesda, MD, USA, May 31 - June
2, 2009, pages 621–630. ACM.
Dziembowski, S. and Pietrzak, K. (2008). Leakage-resilient
cryptography. In 49th Annual IEEE Symposium on
Foundations of Computer Science, FOCS 2008, Octo-
ber 25-28, 2008, Philadelphia, PA, USA, pages 293–
302. IEEE Computer Society.
Gentry, C. (2009a). A fully homomorphic encryption
scheme. PhD thesis, Stanford University.
Gentry, C. (2009b). Fully homomorphic encryption using
ideal lattices. In Proceedings of the 41st Annual ACM
Symposium on Theory of Computing, STOC 2009,
pages 169–178. ACM.
Gentry, C., Peikert, C., and Vaikuntanathan, V. ((2008)).
Trapdoors for hard lattices and new cryptographic
constructions. In STOC 2008, pages 197–206. ACM.
Gentry, C., Sahai, A., and Waters, B. ((2013)).
Homomorphic encryption from learning with er-
rors: Conceptually-simpler, asymptotically-faster,
attribute-based. In CRYPTO 2013, volume 8042 of
LNCS, pages 75–92. Springer.
Goldwasser, S., Kalai, Y. T., Peikert, C., and Vaikun-
tanathan, V. (2010). Robustness of the learning with
errors assumption. In Innovations in Computer Sci-
ence - ICS 2010, Tsinghua University, Beijing, China,
January 5-7, 2010. Proceedings, pages 230–240. Ts-
inghua University Press.
Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006).
Attribute-based encryption for fine-grained access
control of encrypted data. In CCS 2006, pages 89–98.
ACM.
Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson,
W., Paul, W., Calandrino, J. A., Feldman, A. J., Ap-
pelbaum, J., and Felten, E. W. (2009). Lest we remem-
ber: cold-boot attacks on encryption keys. Commun.
ACM, 52(5):91–98.
Li, M., Yu, S., Ren, K., and Lou, W. (2010). Securing
personal health records in cloud computing: Patient-
centric and fine-grained data access control in multi-
owner settings. pages 89–106.
Micali, S. and Reyzin, L. (2004). Physically observable
cryptography (extended abstract). In Theory of Cryp-
tography, First Theory of Cryptography Conference,
TCC 2004, Proceedings, volume 2951 of Lecture
Notes in Computer Science, pages 278–296. Springer.
Naor, M. and Segev, G. (2009). Public-key cryptosystems
resilient to key leakage. In Advances in Cryptology -
CRYPTO 2009, 29th Annual International Cryptology
Conference, Santa Barbara, CA, USA, August 16-20,
2009. Proceedings, volume 5677 of Lecture Notes in
Computer Science, pages 18–35. Springer.
Pietrzak, K. (2009). A leakage-resilient mode of operation.
In Advances in Cryptology - EUROCRYPT 2009, 28th
Annual International Conference on the Theory and
Applications of Cryptographic Techniques, Cologne,
Germany, April 26-30, 2009. Proceedings, volume
5479 of Lecture Notes in Computer Science, pages
462–482. Springer.
Regev, O. ((2005)). On lattices, learning with errors, ran-
dom linear codes and cryptography. In STOC 2005,
pages 84–93. ACM.
Rivest, R. L., Adleman, L., and Dertouzos, M. L. (1978).
On data banks and privacy homomorphisms. Founda-
tions of Secure Computation, Academia Press, pages
169–179.
Sahai, A. and Waters, B. (2005). Fuzzy identity-based en-
cryption. In EUROCRYPT 2005, Proceedings, volume
3494 of LNCS, pages 457–473. Springer.
Smart, N. P. and Vercauteren, F. (2010). Fully homomor-
phic encryption with relatively small key and cipher-
text sizes. In Public Key Cryptography - PKC 2010,
Proceedings, volume 6056 of Lecture Notes in Com-
puter Science, pages 420–443. Springer.
van Dijk, M., Gentry, C., Halevi, S., and Vaikuntanathan,
V. (2010). Fully homomorphic encryption over the
integers. In Advances in Cryptology - EUROCRYPT,
2010, Proceedings, pages 24–43.
Yuen, T. H., Chow, S. S. M., Zhang, Y., and Yiu, S. (2012).
Identity-based encryption resilient to continual aux-
iliary leakage. In Advances in Cryptology - EURO-
CRYPT 2012, volume 7237 of LNCS, pages 117–134.
Springer.
SECRYPT 2018 - International Conference on Security and Cryptography
52