Leakage-Resilient Inner-Product Functional Encryption in the Bounded-Retrieval Model

Abstract

We propose a leakage-resilient inner-product functional encryption scheme (IPFE) in the bounded-retrieval model (BRM). This is the first leakage-resilient functional encryption scheme in the BRM. In our leakage model, an adversary is allowed to obtain at most l-bit knowledge from each secret key. And our scheme can flexibly tolerate arbitrarily leakage bound l, by only increasing the size of secret keys, while kee** all other parts small and independent of l.

Technically, we develop a new notion: Inner-product hash proof system (IP-HPS). IP-HPS is a variant of traditional hash proof systems. Its output of decapsulation is an inner-product value, instead of the encapsulated key. We propose an IP-HPS scheme under DDH-assumption. Then we show how to make an IP-HPS scheme to tolerate \(l'\)-bit leakage, and we can achieve arbitrary large \(l'\) by only increasing the size of secret keys. Finally, we show how to build a leakage-resilient IPFE in the BRM with leakage bound \(l=\frac{l'}{n}\) from our IP-HPS scheme.

Appendices

A Proof of Theorem 3

Correctness and Valid/Invalid Ciphertext Indistinguishiability. For any \(\varvec{z},\varvec{y}\) with length \(n+1\) and n respectively, and for any correctly generated \(\mathrm {mpk},\mathrm {msk},\mathrm {sk}_{\varvec{y}}\) from the above algorithms, if \((C,D,\{E_i\}_{i=1}^{n+1},\varvec{z})\) is generated by \(\mathrm {Encap}(\varvec{z})\), then correctness is proved by calculating \(\log _g(E_{\varvec{y}})\):

$$\begin{aligned} E_{\varvec{y}}&=\frac{\prod _{i=1}^{n+1}E_i^{y_i^*z_i}}{C^{\mathrm {sk}_{\varvec{y}}(1)}D^{\mathrm {sk}_{\varvec{y}}(2)}}=\frac{\prod _{i=1}^{n+1}g^{x_i^*y_i^*}g^{rs_iy_i^*}h^{rt_iy_i^*}}{g^{r\langle \varvec{s},\varvec{y}^*\rangle }h^{r\langle \varvec{t}, \varvec{y}^*\rangle }}=\prod _{i=1}^{n+1}g^{x_i^*y_i^*}=\prod _{i=1}^{n}g^{x_iy_i}=g^{\langle \varvec{x},\varvec{y}\rangle }. \end{aligned}$$

For the valid/invalid ciphertext indistinguishability, we show how to use an adversary \(\mathcal {A}\), which can distinguish valid and invalid ciphertexts, to construct an adversary \(\mathcal {B}\), which can distinguish whether \(c=ab\) or c is randomly chosen from \(\mathbb {Z}_p\). \(\mathcal {B}\) receives a DDH tuple \((g,g^a,g^b,g^c)\), then it sets \(C=g^a\), \(h_i=g^b\) and \(E_i=g^{\frac{x^*_i}{z_i}}g^{\frac{c}{z_i}}\), where i is randomly chosen from [n], and sends \(\mathrm {mpk}\) and the challenge ciphertext to \(\mathcal {A}\). If \(\mathcal {A}\) outputs it is a valid ciphertext, then \(\mathcal {B}\) outputs \(c=ab\). Otherwise, \(\mathcal {B}\) outputs that c is randomly chosen from \(\mathbb {Z}_p\).

0-Universality of \(\varPi _1\). We show that the decapsulation function of \(\varPi _1\) is a 0-universal hash family. Fix any \((\mathrm {mpk},\mathrm {msk})\) produced by \(\mathrm {Setup}(1^\lambda ,1^n)\), a set of linear independent vectors \(\{\varvec{y}_i\}_{i=1}^n\) and \(\varvec{z}\), let \(\mathrm {ct}=(C,D,\{E_i\}_{i=1}^{n+1},\varvec{z})\leftarrow \mathrm {Encap}^*(\varvec{z})\). From our construction of \(\mathrm {Encap}^*\) we have \(C=g^r, D=h^r, E_i=g^{\frac{x_i^*}{z_i}}h_i^{\frac{r'}{z_i}}\), where \(r,r'\) are uniformly sampled from \(\mathbb {Z}_p\) with \(r\ne r'\). Then, for any secret key \(\mathrm {sk}_{\varvec{y}}=(\langle \varvec{s},\varvec{y}^*\rangle ,\langle \varvec{t},\varvec{y}^*\rangle ,u)\), it’s a random variable generated from \(\mathrm {KeyGen}(\mathrm {msk},\varvec{y})\) with \(\varvec{y}\in \{\varvec{y}_i\}_{i=1}^n\). Then we can obtain (Assume \(h=g^w\)):

$$\begin{aligned} \begin{aligned} \mathrm {Decap}(\mathrm {ct},\mathrm {sk}_{\varvec{y}})&= \log _g\left( \frac{\prod _{i=1}^{n+1}E_i^{y_i^*z_i}}{C^{\mathrm {sk}_{\varvec{y}}(1)}D^{\mathrm {sk}_{\varvec{y}}(2)}}\right) = \log _g\left( \frac{\prod _{i=1}^{n+1}g^{x_i^*y_i^*}g^{r's_iy_i^*}h^{r't_iy_i^*}}{g^{r\langle \varvec{s},\varvec{y}^*\rangle }h^{r\langle \varvec{t},\varvec{y}^*\rangle }}\right) \\&= \log _g \left( \frac{g^{\langle \varvec{x},\varvec{y} \rangle }g^{r'\langle \varvec{s},\varvec{y}^* \rangle }h^{r'\langle \varvec{t},\varvec{y}^* \rangle }}{g^{\langle \varvec{s},\varvec{y}^* \rangle }h^{\langle \varvec{t},\varvec{y}^*\rangle }}\right) = \log _g \left( g^{\langle \varvec{x},\varvec{y} \rangle }g^{(r'-r)\langle \varvec{s},\varvec{y}^* \rangle }h^{(r'-r)\langle \varvec{t},\varvec{y}^* \rangle }\right) \\&= \log _g \left( g^{\langle \varvec{x},\varvec{y} \rangle +(r'-r)(\langle \varvec{s},\varvec{y}^*\rangle +w\langle \varvec{t},\varvec{y}^*\rangle )}\right) = \langle \varvec{x},\varvec{y} \rangle +(r'-r)\langle \varvec{s}+w\varvec{t},\varvec{y}||u\rangle \end{aligned} \end{aligned}$$

(1)

Note that if \(\mathrm {sk}_{\varvec{y}}\) is fixed, the randomness of \(\mathrm {Decap}(\mathrm {ct}, \mathrm {sk}_{\varvec{y}})\) is only from \(\mathrm {ct}\), i.e. from \(r'-r\), which is uniformly random over \(\mathbb {Z}_p\setminus \{0\}\). Further, we can define a hash function family \(\mathcal {H}=\{\mathrm {Decap}(\mathrm {ct},\cdot )|\mathrm {ct}\leftarrow \mathrm {Encap}^*(\varvec{z})\}\). To obtain universality of \(\mathcal {H}\), we need to show that given \(\mathrm {msk},\mathrm {mpk}\) and \(\varvec{y}\), for any fixed \(\mathrm {sk}_{\varvec{y}},\mathrm {sk}'_{\varvec{y}}\) both generated from \(\mathrm {KeyGen}(\mathrm {msk},\varvec{y})\), with \(\mathrm {sk}_{\varvec{y}}\ne \mathrm {sk}'_{\varvec{y}}\), the following probability is tiny: \(\mathbf {Pr}_{\mathrm {ct}\leftarrow \mathrm {Encap}^*(\varvec{z})}[\mathrm {Decap}(\mathrm {ct},\mathrm {sk}_{\varvec{y}})=\mathrm {Decap}(\mathrm {ct},\mathrm {sk}'_{\varvec{y}})]\).

In fact we can prove that this probability is 0. Let \(u'\) be the associated u in \(\mathrm {sk}'_{\varvec{y}}\). Note that by our construction of \(\mathrm {KeyGen}\), \(\mathrm {sk}_{\varvec{y}}\ne \mathrm {sk}'_{\varvec{y}}\) implies \(u\ne u'\). By our construction of \(\mathrm {Setup}\), the \((n+1)\)-th entry of \(\varvec{s}+w\varvec{t} \ne 0\). Then, for any \(\mathrm {sk}_{\varvec{y}}\ne \mathrm {sk}'_{\varvec{y}}\), \(\langle \varvec{s}+w\varvec{t},\varvec{y}||u\rangle \ne \langle \varvec{s}+w\varvec{t},\varvec{y}||u'\rangle \). By \(r\ne r'\), we know that \(\mathbf {Pr}_{\mathrm {ct}\leftarrow \mathrm {Encap}^*(\varvec{z})}[\mathrm {Decap}(\mathrm {ct},\mathrm {sk}_{\varvec{y}})=\mathrm {Decap}(\mathrm {ct},\mathrm {sk}'_{\varvec{y}})]=0\). We conclude that \(\mathcal {H}\) is a 0-universal hash family.

B Proof of Theorem 5

Proof

The correctness of decryption follows by the correctness of decapsulation in \(\varPi _2\). We use a series of games to analyze the security:

• Game 0: Define Game 0 to be the IND-security game with leakage l. In the challenge stage of Game 0, the challenger computes \(\mathrm {ct}_{\varvec{x}_b} \leftarrow \mathrm {Encrypt}(\mathrm {mpk},\varvec{x}_b)\) which we parse \(\mathrm {ct}_{\varvec{x}_b}=(c_1,c_2)\), where \(c_1=\mathrm {ct}_{\varvec{z}},c_2=\varvec{k}+\varvec{x}_b\).

• Game 1: We modify the challenge stage, so that the challenger uses the secret keys \(\{\mathrm {sk}_{\varvec{y}_i},i\}_{i=1}^t, t \le n\) queried by \(\mathcal {A}\) in Query 1, together with some new keys \(\mathrm {sk}_{(\varvec{y}_{t+1},t+1)},...,\mathrm {sk}_{(\varvec{y}_{n},n)}\) generated by running \(\varPi _2.\mathrm {KeyGen}(\mathrm {msk},\varvec{y}_{t+j},t+j), j \in [n-t]\) with the same random numbers as \(\mathrm {sk}_{(\varvec{y}_i,i)}, i \in [t]\), where \(\varvec{y}_{t+1},...,\varvec{y}_n\) are randomly chosen subject to the condition that \(Y=[\varvec{y}_1,...,\varvec{y}_n]\) is an \(n \times n\) invertible matrix. It computes \((c_1,\varvec{k}_1)\leftarrow \mathrm {Encap}(\varvec{z})\), then finds \(\varvec{k}_2\) such that \(\varvec{k}_2^T=[\mathrm {Decap}(c_1,\mathrm {sk}_{(\varvec{y}_1,1)}),...,\) \(\mathrm {Decap}(c_1,\mathrm {sk}_{(\varvec{y}_n,n)})]Y^{-1}\), and computes \(c_2=\varvec{k}_2+\varvec{x}_b\). The difference between Game 0 and Game 1 is only the use of \(\varvec{k}_1\) versus \(\varvec{k}_2\). However, by the correctness of Decapsulation, we have \(\varvec{k}_1\ne \varvec{k}_2\) with negligible probability, given that \(\varvec{y}_1,...,\varvec{y}_n\) are linear independent. So Game 0 and Game 1 are statistically indistinguishable.

• Game 2: We modify the challenge stage again, so that the challenger uses \(\mathrm {Encap}^*\) to compute the ciphertext. It computes \(c_1\leftarrow \mathrm {Encap}^*(\varvec{z})\), then finds \(\varvec{k}_2\) such that \(\varvec{k}_2^T=[\mathrm {Decap}(c_1,\mathrm {sk}_{(\varvec{y}_1,1)}),...,\) \(\mathrm {Decap}(c_1,\mathrm {sk}_{(\varvec{y}_n,n)})]Y^{-1}\), and computes \(c_2=\varvec{k}_2+\varvec{x}_b\). We claim that Game 1 and Game 2 are computationally indistinguishable by the valid/invalid ciphertext indistinguishability of IP-HPS. Although the valid/invalid ciphertext indistinguishability game does not have leakage queries, it allows the adversary to learn at most n secret keys. The total number of leakage queries the adversary have made in Query 1 is at most n, and all secret keys have been queried by the adversary were generated by the same randomness \(\mathcal {R}\). Therefore, indistinguishability between Game 1 and Game 2 holds even if the adversary sees all the full secret keys \(\mathrm {sk}_{\varvec{y}}\) that the adversary have made leakage queries in Query 1.

• Game 3: The challenge ciphertext \(\mathrm {ct}_{\varvec{x}_b}=(c_1,c_2)\) is computed by: \(c_1\leftarrow \mathrm {Encap}^*(\varvec{z}), c_2 \leftarrow U_{\mathcal {K}}\). We claim that Game 2 and Game 3 are statistically indistinguishable by the \(l'\)-leakage-smoothness of IP-HPS. Indeed, for a fixed value of \(\mathrm {mpk},\mathrm {msk}\), and \(i \in [n]\), the only things in Game 2 correlated to \(\mathrm {sk}_{\varvec{y}_i}\) are the outputs of leakage query with size \(l\le \frac{l'}{n}\) bits. So the outputs of leakage queries of \(\{\mathrm {sk}_{\varvec{y}_i}\}_{i=1}^n\) are at most \(l'\) bits. Recall the definition of \(l'\)-leakage-smoothness, by making all leakage queries together as a single randomized function \(f(\mathcal {Y})\) with \(\mathcal {Y} = \{\mathrm {sk}_{\varvec{y}_i}\}_{i=1}^n\), \(\varvec{k}_2\) is indistinguishable from choosing a completely independent random variable from \(U_{\mathcal {K}}\).

Therefore Game 0 and Game 3 are indistinguishable by any PPT adversary. And the advantage of any adversary in Game 3 is 0, since the challenge ciphertext in Game 3 is independent of the bit b. \(\square \)