You are viewing a javascript disabled version of the site. Please enable Javascript for this site to function properly.
Go to headerGo to navigationGo to searchGo to contentsGo to footer
In content section. Select this link to jump to navigation

Leakage-Resilient Revocable Certificateless Encryption with an Outsourced Revocation Authority

Abstract

To resolve both certificate management and key escrow problems, a certificateless public-key system (CLPKS) has been proposed. However, a CLPKS setting must provide a revocation mechanism to revoke compromised users. Thus, a revocable certificateless public-key system (RCLPKS) was presented to address the revocation issue and, in such a system, the key generation centre (KGC) is responsible to run this revocation functionality. Furthermore, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting, was proposed to employ the ORA to alleviate the KGC’s computational burden. Very recently it was noticed that adversaries may adopt side-channel attacks to threaten these existing conventional public-key systems (including CLPKS, RCLPKS and RCLPKS-ORA). Fortunately, leakage-resilient cryptography offers a solution to resist such attacks. In this article, the first leakage-resilient revocable certificateless encryption scheme with an ORA, termed LR-RCLE-ORA scheme, is proposed. The proposed scheme is formally shown to be semantically secure against three types of adversaries in the RCLPKS and RCLPKS-ORA settings while resisting side-channel attacks. In the proposed scheme, adversaries are allowed to continually extract partial ingredients of secret keys participated in various computational algorithms of the proposed scheme while retaining its security.

1Introduction

To eliminate the management of both public keys and their associated certificates in the traditional public-key systems (PKS), an identity (ID)-based public-key system (IDPKS) was proposed (Boneh and Franklin, 2001). In an IDPKS setting, a private key generator (PKG) is responsible to generate all participants’ secret keys. Hence, the IDPKS setting has an inborn disadvantage, namely, the key escrow problem in the sense that the PKG can decrypt any ciphertexts of all participants and sign any messages on behalf of all participants. To resolve both certificate management and key escrow problems, Al-Riyami and Paterson (2003) proposed the certificateless public-key system (CLPKS). In which, there are two kinds of participants, namely, a key generation center (KGC) and users. The KGC is responsible to generate all users’ identity secret keys. In the meantime, each user chooses a personal secret key and sets the associated public key. Therefore, each user has two secret keys, namely, identity secret key and personal secret key. Obviously, the CLPKS setting can solve both the key escrow and certificate management problems.

Under some situations, a user’s ID or public key has to be revoked before expiration. Although the certificate revocation list (CRL) (Housley et al., 2002) is a well-known revocation method, it is unsuitable for IDPKS and CLPKS settings because no certificate is required. Therefore, an IDPKS or CLPKS setting must provide a revocation mechanism to revoke compromised users. Tseng and Tsai (2012) has presented a revocable IDPKS setting. By this revocable concept of Tseng and Tsai, revocable CLPKS (RCLPKS) settings (Shen et al., 2014; Tsai and Tseng, 2015; Hung et al., 2016) were presented to address the revocation issue and the key generation center (KGC) is also responsible to run this revocation functionality. Furthermore, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting (Tsai et al., 2015; Du et al., 2018), was presented to employ the ORA to alleviate the KGC’s computational burden.

Typically, all public-key systems mentioned above have a nature assumption that secret (or private) keys are completely hidden to adversaries. However, a new type of attacks, called “side-channel attacks”, has threatened these existing public-key systems. An adversary may employ side-channel attacks, such as power analysis (Kocher et al., 1999) and timing attack (Kocher, 1996; Brumley and Boneh, 2005) to continually obtain partial ingredients of a participant’s secret (or private) keys so that the associated cryptographic schemes/protocols could be broken. Ways to withstand side-channel attacks on cryptographic schemes/protocols have received significant attention of researchers. Fortunately, leakage-resilient cryptography offers a solution to resist such attacks. Up to date, little research addresses leakage-resilient certificateless public-key systems. In this paper, our aim is to propose the first leakage-resilient revocable certificateless encryption (LR-RCLE) scheme with an outsourced revocation authority (ORA), termed LR-RCLE-ORA scheme.

1.1Related Work

In leakage-resilient cryptography, a cryptographic scheme/protocol remains secure even though partial ingredients of a participant’s secret (or private) keys in this scheme/protocol is leaked to adversaries. For leakage property, there are two leakage models, namely, bounded and continual. In the bounded leakage model (Katz and Vaikuntanathan, 2009; Alwen et al., 2009), total leaked bit sizes of secret keys for a cryptographic scheme/protocol are limited during its life cycle. Obviously, this limitation is impractical. In contrast, in the continual leakage model, adversaries may continually get leaked information of secret keys for each invocation of cryptographic scheme/protocol. Indeed, the continual leakage model is more accredited (Galindo and Virek, 2013; Wu et al., 2019, 2020; Tseng et al., 2020; Hsieh et al., 2020; Tsai et al., 2021) and it consists of four properties as follows:

  • Only computation leakage: An adversary can extract partial ingredients of secret keys involved in the current computation round.

  • Bounded leakage of single computational algorithm: A cryptographic scheme/protocol typically includes several computation rounds. In each computation round, an adversary can extract partial ingredients of secret keys. Namely, an adversary can select a leakage function f for each computation round and obtain the leaked information f(SK), where SK denotes the involved secret keys and f(SK) is bounded to λ bits.

  • Independent leakage: Any two leaked partial ingredients of secret keys in various computation rounds are mutually independent. For achieving this property, a secret key must be updated before (or after) running each computation round.

  • Overall unbounded leakage: The total amount of leaked information is overall unbounded. Indeed, by the independent leakage property, the total leakage amount of secret keys is unlimited.

According to the usage of secret key or public key, there are two kinds of encryption schemes, namely, symmetric encryption and asymmetric encryption based on various public-key systems. For a symmetric encryption scheme, a pre-shared secret key between a sender and a receiver is used to encrypt and decrypt procedures. A symmetric encryption scheme is typically employed to encrypt a large size of message and have high-throughput efficiency. On the contrary, for an asymmetric encryption scheme, a sender uses a designated receiver’s public key to encrypt message while the receiver uses her/his private key to decrypt it. Generally, an asymmetric encryption scheme is employed to encrypt a short size of message (e.g. a session key) or authenticate identity/message so that the throughput of encryption/decryption procedure is not their priority. Also, for considering leakage-resilient property, there are two kinds of leakage-resilient encryption schemes, namely, leakage-resilient symmetric encryption and leakage-resilient asymmetric encryption based on various public-key systems.

Here, let’s introduce the evolution of leakage-resilient symmetric encryption schemes. The first generic construction of leakage-resilient symmetric encryption based on minimal assumptions has been proposed by Hazay et al. (2013). However, the efficiency of Hazay et al.’s scheme is not good so that Abdalla et al. (2013) improved their scheme to propose an efficient leakage-resilient symmetric encryption scheme using the AES block cipher without constructing a leakage resilient block cipher. Recently, for enhancing the efficiency, several leakage-resilient authenticated symmetric encryption schemes based on hardware AES coprocessors (Unterstein et al., 2020; Bronchain et al., 2021) have been proposed.

In the following, several leakage-resilient asymmetric encryption (or key encapsulation) schemes based on traditional PKS, IDPKS and CLPKS settings are reviewed. Based on a traditional PKS setting, the first leakage-resilient encryption (LRE) scheme was presented by Akavia et al. (2009). Subsequently, several LRE schemes (Naor and Segev, 2009, 2012; Liu et al., 2013; Li et al., 2013) were proposed to improve security and performance of Akavia et al.’s scheme. However, all these LRE schemes above are secure only in the bounded leakage model. Moreover, Kiltz and Pietrzak (2010) presented the first LRE scheme under the continual leakage model. Furthermore, Galindo et al. (2016) presented an efficient ElGamal-like LRE scheme under the continual leakage model. Based on an IDPKS setting, Brakerski et al. (2010) proposed the first leakage-resilient ID-based encryption (LR-IBE) scheme under the continual leakage model. Subsequently, several LR-IBE schemes (Yuen et al., 2012; Li et al., 2016) were also proposed to improve security and performance of Brakerski et al.’s scheme.

Up to date, little research addresses leakage-resilient certificateless public-key systems. In 2013, the first leakage-resilient certificateless encryption (LR-CLE) scheme was presented by Xiong et al. (2013). To improve the security and performance of Xiong et al.’s scheme, Zhou et al. (2016) proposed a new leakage-resilient certificateless signcryption scheme. However, both Zhou et al.’s and Xiong et al.’s schemes are secure only under the bounded leakage model. In 2018, Wu et al. (2018) proposed the first LR-CLE scheme under the continual leakage model. In the generic bilinear group (GBG) model (Boneh et al.), Wu et al.’s LR-CLE scheme is semantically secure against chosen ciphertext attacks for two adversaries, namely, outsider and honest-but-curious KGC.

1.2Contribution and Organization

As mentioned earlier, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting, can revoke compromised users and alleviate the KGC’s revocation computation burden. However, up to date, there are no leakage-resilient revocable certificateless encryption (LR-RCLE) or leakage-resilient revocable certificateless key encapsulation scheme. In this article, the first leakage-resilient revocable certificateless encryption scheme with an ORA, termed LR-RCLE-ORA scheme, is proposed. By extending the adversary models of the revocable certificateless encryption (RCLE) (Tsai and Tseng, 2015) and leakage resilience certificateless encryption (LR-CLE) schemes (Xiong et al., 2013; Wu et al., 2018), a new adversary model of LR-RCLE-ORA schemes is presented. Under this new adversary model, the proposed scheme is formally shown to be semantically secure against three types of adversaries, namely, outsider, revoked user and honest-but-curious KGC. Finally, comparisons with previously proposed schemes (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018), the proposed scheme has the following merits. (1) It can resist side-channel attacks and has leakage resilience properties. (2) The revocation functionality is outsourced to an ORA to alleviate the computational load of the KGC. (3) It permits adversaries to continually extract partial ingredient of secret keys and offers the overall unbounded leakage property.

The remaining paper is organized as below. Several preliminaries are presented in Section 2. In Section 3, the syntax (framework) and adversary model (security notions) of LR-RCLE-ORA schemes are defined. The proposed LR-RCLE-ORA scheme is presented in Section 4. In Section 5, the security of the proposed scheme is formally established. The comparisons of the proposed scheme with some RCLE and LR-CLE schemes are given in Section 6. Conclusions are drawn in Section 7.

2Preliminaries

2.1Bilinear Groups

Let G1 be an additive group of a prime order p and Q be a generator of G1. Let G2 be a multiplicative group of the same order p. A bilinear admissible pairing eˆ:G1×G1G2 possesses the following properties:

  • Bilinear: for r,sZp, eˆ(r·Q,s·Q)=eˆ(Q,Q)rs;

  • Non-degenerate: eˆ(Q,Q)1;

  • Efficiently computable: for R,SG1,eˆ(R,S) is efficiently computed.

We say that {G1,G2,p,Q,eˆ} are the bilinear group parameters. A reader may refer to Boneh and Franklin (2001), Scott (2011) for detailed definitions of bilinear groups.

2.2Generic Bilinear Group Model

In 2005, Boneh et al. (2005) defined the generic bilinear group (GBG) model, which is a technique of proving the security of some cryptographic schemes. In the GBG model, the discrete logarithm problems on groups of a large order would be solved if collisions of the groups were found by adversaries after finishing the security games of the cryptographic scheme.

In the GBG model, as mentioned in Section 2.1, let {G1,G2,p,Q,eˆ} be the bilinear group parameters and let each element in two groups G1 and G2 be represented by distinct bit-strings. In such a case, a random injective mapping Φ1:ZpξG1 is used to encode all elements of G1, where ξG1 denotes the set of the encoded bit-strings of G1. By the same reason, the other random injective mapping Φ2:ZpξG2 is employed to encode all elements of G2, where ξG2 denotes the set of the encoded bit-strings of G2. Two sets ξG1 and ξG2 satisfy |ξG1|=|ξG2|=p and ξG1ξG2=ϕ. In addition, let three operations O1, O2 and Op, respectively, denote the addition of G1, the multiplication of G2 and the bilinear pairing eˆ. To perform these group operations, an adversary must request the associated operations (oracles) O1, O2 and Op which are defined as below:

  • O1(Φ1(r),Φ1(s))Φ1(r+smodp);

  • O2(Φ2(r),Φ2(s))Φ2(r+smodp);

  • Op(Φ1(r),Φ1(s))Φ2(rsmodp).

Note that r,sZp, Q=Φ1(1) and eˆ(Q,Q)=Φ2(1).

After finishing the security games in the GBG model of a cryptographic scheme, the discrete logarithm problem on G1 or G2 would be resolved if adversaries discovered a collision on G1 or G2. The discrete logarithm problem and assumption are presented as below:

  • Discrete logarithm (DL) problem and assumption: Let {G1,G2,p,Q,eˆ} be the bilinear group parameters. Given a group element r·QG1 or eˆ(Q,Q)rG2 for unknown rZp, the DL problem is to find r from r·Q or eˆ(Q,Q)r. The DL assumption is that no polynomial time algorithm A with non-negligible probability can discover r.

2.3The Security Measure of Leaked Information

To measure the security influence incurred by leaked information of secret keys (finite random variables) involved in a cryptographic scheme, we first introduce the concept of entropy. The entropy of a random variable is employed to denote its uncertainty for guessing this random variable. Let R be a finite random variable and let Pr[R=r] denote the associated probability of R=r. In the following, we present two kinds of min-entropies:

  • 1. Min-entropy of R:

    H(R)=log2(maxrPr[R=r]);

  • 2. Average conditional min-entropy of R under the condition S=s:

    H˜(R|S=s)=log2(EsS[maxrPr[R=r|S=s]]).

In 2008, Dodis et al. (2008) inferred the following consequence related to the security influence incurred by leaked information of a secret key (finite random variable).

Lemma 1.

Let λ denote the maximal bit-length of leaked information of a secret key (a finite random variable) R. Let f:R{0,1}λ denote the associated leakage function of R. Under the condition f(R), the average conditional min-entropy on R is H˜(R|f(R))H(R)λ.

Galindo and Virek (2013) further presented the following consequences related to multiple secret keys (finite random variables).

Lemma 2.

Let R1,R2,,Rn be n random variables. Let FZp[R1,R2,,Rn] be a polynomial with at most degree d. Let Pk denote a probability distribution on Zp such that H(Pk)logpλ and 0λlogp, for k=1,2,,n. If all Rk=rkZp with probability distribution Pk are mutually independent, we have Pr[F(R1=r1,R2=r2,,Rn=rn)=0](d/p)2λ.

Corollary 1.

Pr[F(R1=r1,R2=r2,,Rn=rn)=0] is negligible if λ<(1ϵ)logp, where ϵ is a positive value.

3Syntax and Adversary Model

Fig. 1

The system architecture of a LR-RCLE-ORA scheme.

The system architecture of a LR-RCLE-ORA scheme.

The syntax (framework) and adversary model (security notions) of LR-RCLE-ORA schemes are presented as follows.

3.1Syntax of LR-RCLE-ORA schemes

Here, let us present the system architecture of an LR-RCLE-ORA scheme as depicted in Fig. 1. An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers). Each user with an identity ID randomly selects a personal secret key PSKID by herself/himself. For each user with ID, the KGC with a secret key KSK is responsible to generate and securely send an identity secret key ISKID to the user. For each non-revoked user with ID at each period Ts, the ORA with a time secret key TSK is responsible to generate and publicly send a time update key TUKID,s to the user. For compromised or revoked users, the ORA will not generate any associated time update keys. At period Ts, when a sender would like to encrypt a plaintext msg to a receiver with ID, the sender uses the receiver’s ID and associated public keys to encrypt msg to generate a ciphertext tuple (ID,Ts,θ) while sending (ID,Ts,θ) to the receiver. The receiver then uses her/his PSKID, ISKID and TUKID,s to decrypt (ID,Ts,θ) to obtain msg.

In the following, we summarize some notations used in the whole paper:

  • KSK: the KGC’s secret key;

  • KPK: the KGC’s public key;

  • TSK: the time secret key;

  • TPK: the time public key;

  • ID: a user’s identity;

  • PSKID: a user ID’s personal secret key;

  • PPKID: a user ID’s personal public key;

  • ISKID: a user ID’s identity secret key;

  • IPKID: a user ID’s identity public key;

  • Ts: a period Ts{0,1}, for s=1,,t, where t denotes the period length;

  • TUKID,s: a user ID’s time update key at period Ts;

  • TUPKID,s: a user ID’s time update public key at period Ts;

  • msg: a message;

  • θ: a ciphertext.

Fig. 2

The algorithm architecture of the proposed LR-RCLE-ORA scheme.

The algorithm architecture of the proposed LR-RCLE-ORA scheme.

Based on the syntax (framework) in (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018), the syntax of LR-RCLE-ORA schemes is defined as follows. An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers) while including eight algorithms: (1) System setup; (2) Personal secret key setting; (3) Identity secret key extract; (4) Time update key extract; (5) Private key setting; (6) Public key setting; (7) Encrypting; (8) Decrypting. Fig. 2 depicts the algorithm architecture, interactions and their inputs/outputs of the proposed LR-RCLE-ORA scheme. Eight algorithms of the LR-RCLE-ORA scheme are presented in Definition 1 as below:

Definition 1.

An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers). Eight algorithms of the LR-RCLE-ORA scheme are presented as below:

  • System setup: By taking as input a security parameter κ and a period number t, the KGC generates the KGC’s secret key KSK=(KSK0,1,KSK0,2) and associated public key KPK, the time secret key TSK=(TSK0,1,TSK0,2), and time public key TPK. The KGC then securely sends TSK to the ORA. Finally, the KGC publishes t periods T1,T2,,Tt and public system parameters PSP.

  • Personal secret key setting: Each user with an identity ID randomly selects a personal secret key PSKID=(PSKID,0,1,PSKID,0,2) and generates the associated personal public key PPKID.

  • Identity secret key extract: In this algorithm’s i-th round, by taking as input a user ID and (KSKi1,1, KSKi1,2), the KGC first carries out two sub-algorithms ISKExtract-1 (ID,KSKi1,1) and ISKExtract-2 (KSKi1,2) to set the new KGC’s secret key (KSKi,1,KSKi,2), and generate the user’s identity secret key ISKID and associated identity public key IPKID. Finally, the KGC securely sends IPKID and ISKID to the user.

  • Time update key extract: In this algorithm’s j-th round, by taking as input a user ID, a period Ts and (TSKj1,1,TSKj1,2), the ORA carries out two sub-algorithms TUKExtract-1 (ID,Ts,TSKj1,1) and TUKExtract-2 (TSKj1,2) to set the new time secret key (TSKj,1,TSKj,2), and generate the user’s time update key TUKID,s and associated time update public key TUPKID,s at period Ts. Finally, the ORA sends TUKID,s and TUPKID,s to the user.

  • Private key setting: At period Ts, a user ID’s private key tuple includes three parts, namely, PSKID, ISKID, and TUKID,s. The user also sets PSKID=(PSKID,0,1,PSKID,0,2) and ISKID=(ISKID,0,1,ISKID,0,2).

  • Public key setting: At period Ts, a user ID’s public key tuple includes three parts, namely, PPKID, IPKID, and TUPKID,s.

  • Encrypting: At period Ts, by taking as input a plaintext msg and a receiver ID with public key tuple (PPKID,IPKID,TUPKID,s), the sender generates a ciphertext tuple (ID,Ts,θ=(C,CT=EEK(msg))), where EEK(·) is a symmetric encryption function and EK is an encryption key encrypted to generate C. Finally, the sender returns the ciphertext tuple (ID,Ts,θ=(C,CT)).

  • Decrypting: In this algorithm’s k-th round, by taking as input (ID,Ts,θ=(C,CT)), a receiver with ID uses her/his private key tuple (PSKID=(PSKID,k1,1,PSKID,k1,2), ISKID=(ISKID,k1,1,ISKID,k1,2), TUKID,s) to carry out two sub-algorithms DEC-1(PSKID,k1,1,ISKID,k1,1) and DEC-2(PSKID,k1,2,ISKID,k1,2,TUKID,s,Ts,θ=(C,CT)) to set new private key tuple (PSKID=(PSKID,k,1,PSKID,k,2),ISKID=(ISKID,k,1,ISKID,k,2),TUKID,s), compute the encryption key EK from C, and decrypt msg=DEK(CT), where DEK(·) is the corresponding symmetric decryption function of EEK(·).

3.2Adversary Model of LR-RCLE-ORA Schemes

By the entropy concept of secret keys mentioned in Section 2.3, six leakage functions fISKE,i, hISKE,i, fTUKE,j, hTUKE,j, fDEC,k and hDEC,k are employed to present capabilities of adversaries obtaining leaked information of secrets keys. Both fISKE,i and hISKE,i are employed to obtain leaked information of the KGC’s secret key (KSKi,1, KSKi,2) used in the Identity secret key extract algorithm’s i-th round. Both fTUKE,j and hTUKE,j are employed to obtain leaked information of the time secret key (TSKj,1, TSKj,2) used in the Time update key extract algorithm’s j-th round. Furthermore, both fDEC,k and hDEC,k are employed to obtain leaked information of a receiver’s private key tuple (PSKID=(PSKID,k,1,PSKID,k,2),ISKID=(ISKID,k,1,ISKID,k,2),TUKID,s) used in the Decrypting algorithm’s k-th round of a user ID. An adversary can obtain at most λ bits of secret keys used in each associated algorithm, where λ is related to the security parameter selected in the System setup algorithm. Namely, |fISKE,i|, |hISKE,i|, |fTUKE,j|, |hTUKE,j|, |fDEC,k|, |hDEC,k|λ, where |·| denotes the output bit-length of a function. The leaked information of a leakage function f is denoted by Λf. In the sequel, leaked information of the six leakage functions are denoted as below:

  • ΛfISKE,i=fISKE,i(KSKi,1);

  • ΛhISKE,i=hISKE,i(KSKi,2);

  • ΛfTUKE,j=fTUKE,j(TSKj,1);

  • ΛhTUKE,j=hTUKE,j(TSKj,2);

  • ΛfDEC,k=fDEC,k(PSKID,k,1,ISKID,k,1);

  • ΛhDEC,k=hDEC,k(PSKID,k,2,ISKID,k,2,TUKID,k,2).

By extending the adversary model (security notions) in Tsai and Tseng (2015), Xiong et al. (2013), Wu et al. (2018), the adversary model of LR-RCLE-ORA schemes consists of three types of adversaries, namely, outsider (Type I, AI), revoked user (Type II, AII) and honest-but-curious KGC (Type III, AIII).

  • Outsider (AI): Although AI is not a legal user of the LR-RCLE-ORA scheme, it may obtain the time update key TUKID,s of any user ID at any period Ts from public channels. Also, AI may get the personal secret key PSKID and the identity secret key ISKID of any user ID, but it is disallowed to get the identity secret key ISKID of the target user ID. For leakage resilient property, AI can obtain leaked information of both the target user’s ISKID=(ISKID,k,1,ISKID,k,2) used in the Decrypting algorithm’s k-th round of the target user and the KGC’s secret key (KSKi,1,KSKi,2) used in the Identity secret key extract algorithm’s i-th round.

  • Revoked user (AII): When AII is a legal user of the LR-RCLE-ORA scheme who has been revoked, it knows the personal secret key PSKID and the identity secret key ISKID of any user ID. Also, AII may get the time update key TUKID,s of any user ID at any period Ts, except TUKID,s of the target user ID at target period Ts. For leakage resilient property, AII can obtain leaked information of the time secret key (TSKj,1, TSKj,2) used in the Time update key extract algorithm’s j-th round.

  • Honest-but-curious KGC (AIII): Since AIII knows the KGC’s secret key KSK and time secret key TSK, it can get the identity secret key ISKID and time update key TUKID,s of any user ID at any period Ts. Also, AIII may get the personal secret key PSKID of any user ID, except PSKID of the target user ID. For leakage resilient property, AIII can obtain leaked information of the target user’s PSKID=(PSKID,k,1,PSKID,k,2) used in the Decrypting algorithm’s k-th round of the target user.

In the continual model of leakage resilient property, the adversary model of LR-RCLE-ORA schemes is defined by the following security game GLR-RCLE-ORA played by both an adversary (AI, AII or AIII) and a challenger B.

Definition 2.

In the continual leakage model, an LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks if no adversary (AI,AIIorAIII) with non-negligible advantage wins the security game GLR-RCLE-ORA in polynomial time. This security game GLR-RCLE-ORA consists of three phases:

  • Setup phase: By taking as input a security parameter κ and a period number t, a challenger B carries out the System setup algorithm of the LR-RCLE-ORA scheme to generate the KGC’s secret key KSK=(KSK0,1,KSK0,2), the KGC’s public key KPK, the time secret key TSK=(TSK0,1,TSK0,2), and the time public key TPK. Also, B sets t periods T1,T2,,Tt and publishes public system parameters PSP. Additionally, B sends messages to the adversary of various types by the following rules:

    • If the adversary is of AI, B sends out TSK;

    • If the adversary is of AII, B sends out KSK;

    • If the adversary is of AIII, B sends out KSK and TSK.

  • Query phase: In the phase, the adversary may request the following queries to B adaptively.

    • Identity secret key query (ID): For this query’s i-th round, B sets the new KGC’s secret key (KSKi,1,KSKi,2) by using (KSKi1,1,KSKi1,2). Also, B uses (KSKi,1,KSKi,2) to generate and return the associated identity secret key ISKID and identity public key IPKID.

    • Identity secret key leak query (fISKE,i,hISKE,i,i): In the Identity secret key query’s i-th round, this query is allowed to be requested only once. B returns leaked information (ΛfISKE,i,ΛhISKE,i).

    • Time update key query (ID,Ts): In this query’s j-th round, B sets the new time secret key (TSKj,1, TSKj,2) by using (TSKj1,1,TSKj1,2). Also, B uses (TSKj,1,TSKj,2), ID and Ts to generate and return the associated time update key TUKID,s and the time update public key TUPKID,s.

    • Time update key leak query (fTUKE,j,hTUKE,j,j): In the Time update key query’s j-th round, this query is allowed to be requested only once. B returns leaked information (ΛfTUKE,j,ΛhTUKE,j).

    • Public key retrieve query (ID,Ts): B returns the associated public key tuple (PPKID,IPKID,TUPKID,s).

    • Public key replace query (ID,Ts,(PPKID,IPKID,TUPKID,s)): B sets the new public key tuple (PPKID,IPKID,TUPKID,s) of the user ID at period Ts.

    • Personal secret key corrupt query (ID): If the Public key replace query (ID) has never been requested, B returns the associated personal secret key PSKID.

    • Decrypting query (ID,Ts,θ=(C,CT)): In this query’s k-th round, B sets the user ID’s new private key tuple (PSKID=(PSKID,k,1,PSKID,k,2),ISKID=(ISKID,k,1,ISKID,k,2),TUKID,s) by using (PSKID=(PSKID,k1,1,PSKID,k1,2),ISKID=(ISKID,k1,1,ISKID,k1,2), TUKID,s). Also, B uses the new private key tuple to compute the encryption key EK from C, and decrypt msg=DEK(CT). B returns msg.

    • Decrypting leak query (ID,Ts,fDEC,k,hDEC,k,k): In the Decrypting query’s k-th round of the user ID at period Ts, this query is allowed to be requested only once. B returns leaked information (ΛfDEC,k,ΛhDEC,k).

  • Challenge phase. The adversary sends a target identity ID, a target period Ts and a plaintext pair (msg0,msg1) to B. B chooses an unbiased random bit b{0,1} and carries out the Encrypting algorithm with (ID,Ts,(PPKID,IPKID,TUPKID,s),msgb) to generate C, EK and CT=EEK(msgb). Finally, B returns the ciphertext tuple (ID, Ts, θ=(C,CT)) to the adversary. Additionally, the associated conditions must be satisfied according to various types of adversaries:

    • 1. If the adversary is of AI, the Identity secret key query (ID) has never been requested;

    • 2. If the adversary is of AII, the Time update key query (ID, Ts) has never been requested;

    • 3. If the adversary is of AIII, both the Personal secret key corrupt query (ID) and the Public key replace query (ID,Ts,(PPKID,IPKID,TUPKID,s)) has never been requested.

  • Guess phase. In this phase, the adversary must output a bit b{0,1}. If b=b, we say that it wins the game GLR-RCLE-ORA and its advantage is |Pr[b=b]1/2|.

4The Proposed LR-RCLE-ORA Scheme

The proposed LR-RCLE-ORA scheme consists of eight algorithms as follows:

  • System setup: By taking as input a security parameter κ and a period number t, the KGC chooses the bilinear group parameters {G1,G2,p,Q,eˆ}, picks a symmetric encryption function E(·) and its associated decryption function D(·), and sets a period set T={T0,T1,T2,,Tt}. The KGC carries out the following procedures:

    • (1) Randomly select an integer αZp, and generate the KGC’s secret key KSK=α·Q and public key KPK=eˆ(Q,KSK). Additionally, the KGC randomly selects an integer x0Zp and generates the KGC’s current secret key (KSK0,1,KSK0,2)=(x0·Q,KSK+(x0)·Q).

    • (2) Randomly select an integer βZp, and generate the time secret key TSK=β·Q and time public key TPK=eˆ(Q,TSK). Additionally, the KGC securely sends TSK to the ORA. The ORA then selects a random integer y0Zp and generates the current time secret key (TSK0,1,TSK0,2)=(y0·Q,TSK+(y0)·Q).

    • (3) Randomly select four integers m,n,r,sZp, and compute M=m·Q, N=n·Q, R=r·Q and S=s·Q.

    • (4) Publish public system parameters PSP={G1,G2,p,Q,eˆ,KPK,TPK,T,D(),E(),M,N,R,S}.

  • Personal secret key setting: Each user with an identity ID randomly selects an integer γZp and generates personal secret key PSKID=γ·Q and the associated personal public key PPKID=eˆ(Q,PSKID).

  • Identity secret key extract: In this algorithm’s i-th round, by taking as input a user’s ID and (KSKi1,1,KSKi1,2), the KGC carries out two sub-algorithms ISKExtract-1(ID,KSKi1,1) and ISKExtract-2(KSKi1,2) as below:

    • ISKExtract-1(ID,KSKi1,1):

      • (1) Randomly select an integer xiZp, and compute KSKi,1=KSKi1,1+xi·Q.

      • (2) Randomly select an integer uZp, and compute IPKID=u·Q and temporary value TVISKE=KSKi,1+u·(M+ID·N).

    • ISKExtract-2(KSKi1,2):

      • (1) Compute KSKi,2=KSKi1,2+(xi)·Q and ISKID=KSKi,2+TVISKE.

      • (2) Send the user’s identity secret key ISKID and associated identity public key IPKID to the user using a secure channel.

  • Time update key extract: In this algorithm’s j-th round, by taking as input a user’s ID, a period Ts and (TSKj1,1,TSKj1,2), the ORA carries out two sub-algorithms TUKExtract-1(ID,Ts,TSKj1,1) and TUKExtract-2(TSKj1,2) as below:

    • TUKExtract-1(ID,Ts,TSKj1,1):

      • (1) Randomly select an integer yjZp, and compute TSKj,1=TSKj1,1+yj·Q.

      • (2) Randomly select an integer vZp, and compute TUPKID,s=v·Q and temporary value TVTUKE=TSKj,1+v·(R+(ID||Ts)·S).

    • TUKExtract-2(TSKj1,2):

      • (1) Compute TSKj,2=TSKj1,2+(yj)·Q and TUKID,s=TSKj,2+TVTUKE.

      • (2) Send the user’s time update key TUKID,s and associated time update public key TUPKID,s to the user.

  • Private key setting: At period Ts, a user ID’s private key tuple includes three parts, namely, PSKID, ISKID, and TUKID,s. The user carries out the following procedures:

    • (1) Randomly select an integer z0Zp and compute the current personal secret key (PSKID,0,1,PSKID,0,2)=(z0·Q,PSKID+(z0)·Q).

    • (2) Randomly select an integer w0Zp and compute the current identity secret key (ISKID,0,1,ISKID,0,2)=(w0·Q,ISKID+(w0)·Q).

    • (3) Set the user’s private key tuple (PSKID=(SKID,0,1,SKID,0,2),ISKID=(ISKID,0,1,ISKID,0,2),TUKID,s).

  • Public key setting: At period Ts, a user ID sets her/his public key tuple (PPKID,IPKID,TUPKID,s).

  • Encrypting: At period Ts, by taking as input a plaintext msg and a receiver ID with public key tuple (PPKID,IPKID,TUPKID,s), the sender carries out the following procedures:

    • (1) Randomly select an integer ekZp.

    • (2) Compute C=ek·Q, K1=(PPKID)ek, K2=(KPK·eˆ(IPKID,M+ID·N))ek and K3=(TPK·eˆ(TUPKID,s,R+(ID||Ts)·S))ek.

    • (3) Set the encryption key EK=K1K2K3.

    • (4) Compute CT=EEK(msg) and return the ciphertext tuple (ID,Ts,θ=(C,CT)).

  • Decrypting: In this algorithm’s k-th round, by taking as input (ID,Ts,θ=(C,CT)), a receiver ID uses her/his private key tuple (PSKID=(PSKID,k1,1,PSKID,k1,2),ISKID=(ISKID,k1,1,ISKID,k1,2),TUKID,s) to carry out two sub-algorithms DEC-1(PSKID,k1,1,ISKID,k1,1) and DEC-2(PSKID,k1,2,ISKID,k1,2,TUKID,s,Ts,θ=(C,CT)) as below:

    • DEC-1(PSKID,k1,1,ISKID,k1,1)

      • (1) Randomly select an integer zkZp, and compute PSKID,k,1=PSKID,k1,1+zk·Q.

      • (2) Randomly select an integer wkZp, and compute ISKID,k,1=ISKID,k1,1+wk·Q.

      • (3) Compute two temporary values TV1=eˆ(C,PSKID,k,1) and TV2=eˆ(C,ISKID,k,1).

    • DEC-2(PSKID,k1,2,ISKID,k1,2,TUKID,s,Ts,θ=(C,CT))

      • (1) Compute PSKID,k,2=PSKID,k1,2+(zk)·Q and ISKID,k,2=ISKID,k1,2+(wk)·Q.

      • (2) Compute K1=TV1·eˆ(C,PSKID,k,2), K2=TV2·eˆ(C,ISKID,k,2) and K3=eˆ(C,TUKID,s).

      • (3) Compute the encryption key EK=K1K2K3.

      • (4) Decrypt the plaintext msg=DEK(CT).

      In the following, by the key refreshing technique, we have
      KSK=KSK0,1+KSK0,2=KSK1,1+KSK1,2==KSKi,1+KSKi,2;TSK=TSK0,1+TSK0,2=TSK1,1+TSK1,2==TSKj,1+TSKj,2;PSKID=PSKID,0,1+PSKID,0,2=PSKID,1,1+PSKID,1,2PSKID==PSKID,k,1+PSKID,k,2;ISKID=ISKID,0,1+ISKID,0,2=ISKID,1,1+ISKID,1,2ISKID==ISKID,k,1+ISKID,k,2.

In the following, we show the correctness of EK=K1K2K3=K1K2K3=EK.

EK=K1K2K3=(PPKID)ek(KPK·eˆ(IPKID,M+ID·N))ek(TPK·eˆ(TUPKID,s,R+(ID||Ts)·S))ek=eˆ(Q,PSKID)ek(eˆ(Q,KSK)·eˆ(u·Q,M+ID·N))ek(eˆ(Q,TSK)·eˆ(v·Q,R+(ID||Ts)·S))ek=eˆ(Q,PSKID)ek(eˆ(Q,KSK)·eˆ(Q,u·(M+ID·N)))ek(eˆ(Q,TSK)·eˆ(Q,v·(R+(ID||Ts)·S)))ek=eˆ(Q,PSKID)ek(eˆ(Q,KSK+u·(M+ID·N)))ek(eˆ(Q,TSK+v·(R+(ID||Ts)·S)))ek=eˆ(ek·Q,PSKID)eˆ(ek·Q,KSK+u·(M+ID·N))eˆ(ek·Q,TSK+v·(R+(ID||Ts)·S))=eˆ(C,PSKID)eˆ(C,KSK+u·(M+ID·N))eˆ(C,TSK+v·(R+(ID||Ts)·S))=eˆ(C,PSKID)eˆ(C,KSKi,1+KSKi,2+u·(M+ID·N))eˆ(C,TSKj,1+TSKj,2+v·(R+(ID||Ts)·S))=eˆ(C,PSKID)eˆ(C,KSKi,2+TVISKE)eˆ(C,TSKj,2+TVTUKE)=eˆ(C,PSKID)eˆ(C,ISKID)eˆ(C,TUKID,s)=eˆ(C,PSKID,k,1+PSKID,k,2)eˆ(C,ISKID,k,1+ISKID,k,2)eˆ(C,TUKID,s)=(eˆ(C,PSKID,k,1)·eˆ(C,PSKID,k,2))(eˆ(C,ISKID,k,1)·eˆ(C,ISKID,k,2))eˆ(C,TUKID,s)=(TV1·eˆ(C,PSKID,k,2))(TV2·eˆ(C,ISKID,k,2))eˆ(C,TUKID,s)=K1K2K3=EK.

5Security Analysis

As the security game GLR-RCLE-ORA presented in Definition 2, the adversary model consists of three types of adversaries, namely, outsider (Type I, AI), revoked user (Type II, AII) and honest-but-curious KGC (Type III, AIII). Under the GBG model presented in Section 2, we employ three theorems to demonstrate that the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against three types of adversaries, respectively. The relationship and robustness of security analysis are depicted in Fig. 3. In Theorem 1, we first discuss the advantage (denoted by AdvAIW) of an outsider (AI) without requesting any leak queries and then evaluate the advantage (denoted by AdvAI) of an outsider (AI) with requesting Identity secret key leak and Decrypting leak queries. Indeed, by Corollary 1, AdvAI is negligible based on the DL assumption. For Theorems 2 and 3, by similar arguments as in Theorem 1, the advantages (denoted by AdvAII and AdvAIII) of a revoked user (AII) and an honest-but-curious KGC (AIII) are also negligible based on the DL assumption.

Fig. 3

The relationship and robustness of security analysis for the proposed scheme.

The relationship and robustness of security analysis for the proposed scheme.
Theorem 1.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against an outsider (AI) in the security game GLR-RCLE-ORA.

Proof.

Let AI be an outsider of the security game GLR-RCLE-ORA played with a challenger B. In the GBG model, AI may request three queries (oracles) O1, O2 and Op to perform three corresponding group operations. In the security game GLR-RCLE-ORA, four phases are presented as below:

  • Setup phase: By taking as input a security parameter κ and a period number t, B carries out the System setup algorithm of the LR-RCLE-ORA scheme to generate the KGC’s secret key KSK=(KSK0,1,KSK0,2), the KGC’s public key KPK, the time secret key TSK, and the time pubic key TPK. Also, B sets a period set T={T0,T1,T2,,Tt} and publishes public system parameters PSP={G1,G2,p,Q,eˆ,KPK,TPK,T,D(),E(),M,N,R,S}. Additionally, B sends TSK to AI since AI is an outsider. To respond the queries requested by AI, five initially empty lists L1, L2, LISK, LTUK and LPSK are constructed as below:

    • L1 and L2 are used to encode elements of groups G1 and G2, respectively.

      • (1) L1 includes pairs of (ΞG1,t,u,v, ΘG1,t,u,v). An element in G1 is represented by a multivariate polynomial ΞG1,t,u,v and ΘG1,t,u,v is the corresponding encoded bit-string, where t, u and v, respectively, denote the query type t, the u-th query and the v-th element in G1. B initially adds seven pairs (ΞQ,ΘG1,I,0,1), (ΞKSK,ΘG1,I,0,2), (ΞTSK,ΘG1,I,0,3), (ΞM,ΘG1,I,0,4), (ΞN,ΘG1,I,0,5), (ΞR,ΘG1,I,0,6) and (ΞS,ΘG1,I,0,7) in L1.

      • (2) L2 includes pairs of (ΞG2,t,u,v,ΘG2,t,u,v). An element in G2 is represented by a multivariate polynomial ΞG2,t,u,v and ΘG2,t,u,v is the corresponding encoded bit-string, where t, u and v have the same meanings with those indices in L1. B initially adds two pairs (ΞKPK,ΘG2,I,0,1) and (ΞTPK,ΘG2,I,0,2) in L2, where ΞKPK=ΞQ·ΞKSK and ΞTPK=ΞQ·ΞTSK.

      It is worth mentioning the two transforming rules defined below.

      • (1) By taking as input a polynomial ΞG1,t,u,v/ΞG2,t,u,v, B looks for (ΞG1,t,u,v,ΘG1,t,u,v)/(ΞG2,t,u,v,ΘG2,t,u,v) in L1/L2. If it is found, B returns the encoded bit-string ΘG1,t,u,v/ΘG2,t,u,v. Otherwise, B randomly chooses and returns a distinct encoded bit-string ΘG1,t,u,v/ΘG2,t,u,v. In addition, B adds (ΞG1,t,u,v, ΘG1,t,u,v)/(ΞG2,t,u,v, ΘG2,t,u,v) in L1/L2.

      • (2) By taking as input an encoded bit-string ΘG1,t,u,v/ΘG2,t,u,v, B looks for (ΞG1,t,u,v,ΘG1,t,u,v)/(ΞG2,t,u,v,ΘG2,t,u,v) in L1/L2. If it is found, B returns the associated multivariate polynomial ΞG1,t,u,v/ΞG2,t,u,v. Otherwise, B terminates the game.

    • LISK includes tuples of (ID,ΞISKID,ΞIPKID), where ΞISKID and ΞIPKID, respectively, represent the user’s ISKID and IPKID.

    • LPSK includes tuples of (ID,ΞPSKID,ΞPPKID), where ΞPSKID and ΞPPKID, respectively, denote the user’s PSKID and PPKID.

    • LTUK includes tuples of (ID,Ts,ΞTUKID,s,ΞTUPKID,s), where ΞTUKID,s and ΞTUPKID,s, respectively, denote the user’s TUKID,s and TUPKID,s.

    Finally, these public system parameters ΞQ, ΞM, ΞN, ΞR, ΞS, ΞKPK and ΞTPK are sent to AI. Also, B sends the time secret key ΞTSK to AI.

  • Query phase: AI can adaptively request various queries to B at most q times. Note that AI does not need to request the Time update key leak query and Public key replace query, since AI may get the time update key TUKID,s of any user ID at any period Ts from public channels.

    • O1 query (ΘG1,Q,l,1,ΘG1,Q,l,2,OP): In this query’s l-th round, B carries out the following steps:

      • (1) Get a pair of polynomials (ΞG1,Q,l,1,ΞG1,Q,l,2) by transforming a pair of bit-strings (ΘG1,Q,l,1,ΘG1,Q,l,2) in L1.

      • (2) Compute the polynomial ΞG1,Q,l,3=ΞG1,Q,l,1+ΞG1,Q,l,2 if OP = “addition”, and ΞG1,Q,l,3=ΞG1,Q,l,1ΞG1,Q,l,2 if OP = “subtraction”.

      • (3) Return the encoded bit-string ΘG1,Q,l,3 by transforming ΞG1,Q,l,3 in L1.

    • O2 query (ΘG2,Q,l,1,ΘG2,Q,l,2,OP): In this query’s l-th round, B carries out the following steps:

      • (1) Get a pair of polynomials (ΞG2,Q,l,1,ΞG2,Q,l,2) by transforming a pair of bit-strings (ΘG2,Q,l,1,ΘG2,Q,l,2) in L2.

      • (2) Compute the polynomial ΞG2,Q,l,3=ΞG2,Q,l,1+ΞG2,Q,l,2 if OP = “multiplication”, and ΞG2,Q,l,3=ΞG2,Q,l,1ΞG2,Q,l,2 if OP = “division”.

      • (3) Return the encoded bit-string ΘG2,Q,l,3 by transforming ΞG2,Q,l,3 in L2.

    • Op query (ΘG1,P,l,1,ΘG1,P,l,2): In this query’s l-th round, B carries out the following steps:

      • (1) Get a pair of polynomials (ΞG1,P,l,1,ΞG1,P,l,2) by transforming a pair of bit-strings (ΘG1,P,l,1,ΘG1,P,l,2) in L1.

      • (2) Compute the polynomial ΞG2,P,l,1=ΞG1,P,l,1·ΞG1,P,l,2.

      • (3) Return the encoded bit-string ΘG2,P,l,1 by transforming ΞG2,P,l,1 in L2.

    • Identity secret key query (ID): In this query’s i-th round, B searches (ID, ΞISKID, ΞIPKID) in LISK. If it is found, B transforms (ΞISKID, ΞIPKID) to send two encoded bit-strings (ΘISKID, ΘIPKID) to AI. Otherwise, B carries out the following steps:

      • (1) Choose a new variate ΞTGISK,i,1 in G1.

      • (2) Set two polynomials ΞIPKID=ΞTGISK,i,1 and ΞTID=ID.

      • (3) Set the user’s identity secret key ΞISKID=ΞKSK+ΞTGISK,i,1·(ΞM+ΞN·ΞTID) while adding (ID,ΞISKID,ΞIPKID) in LISK.

      • (4) Transform (ΞISKID,ΞIPKID) to send two encoded bit-strings (ΘISKID,ΘIPKID) to AI.

    • Identity secret key leak query (fISKE,i,hISKE,i,i): In the Identity secret key query’s i-th round, this query is allowed to be requested only once. B returns leaked information (ΛfISKE,i,ΛhISKE,i), where ΛfISKE,i=fISKE,i(KSKi,1) and ΛhISKE,i=hISKE,i(KSKi,2).

    • Time update key query (ID,Ts): In this query’s j-th round, B searches (ID, Ts, ΞTUKID,s, ΞTUPKID,s) in LTUK. If it is found, B transforms (ΞTUKID,s,ΞTUPKID,s) to return two encoded bit-strings (ΘTUKID,s,ΘTUPKID,s). Otherwise, B carries out the following steps:

      • (1) Choose a new variate ΞTGTUK,ID,j,1 in G1.

      • (2) Set a polynomial ΞTUPKID,s=ΞTGTUK,ID,j,1 and ΞTTD=ID||Ts.

      • (3) Set the user’s time update key ΞTUKID,t=ΞTSK+ΞTGTUK,ID,j,1·(ΞR+ΞS·ΞTTD) while adding (ID,Ts,ΞTUKID,s,ΞTUPKID,s) in LTUK.

      • (4) Transform (ΞTUKID,s,ΞTUPKID,s) to return two encoded bit-strings (ΘTUKID,s,ΘTUPKID,s).

    • Time update key leak query (fTUKE,j,hTUKE,j,j): In the Time update key query’s j-th round, this query is allowed to be requested only once. B returns leaked information (ΛfTUKE,j,ΛhTUKE,j), where ΛfTUKE,j=fTUKE,j(TSKj,1) and ΛhTUKE,j=hTUKE,j(TSKj,2).

    • Public key retrieve query (ID,Ts): B applies ID and Ts to search LISK, LPSK and LTUK to get the associated public key tuple (ΞPPKID,ΞIPKID,ΞTUPKID,s). B returns the corresponding tuple (ΘPPKID,ΘIPKID,ΘTUPKID,s).

    • Public key replace query (ID,Ts,(ΘPPKID,ΘIPKID,ΘTUPKID,s)): B first transforms a tuple of bit-strings (ΘPPKID,ΘIPKID,ΘTUPKID,s) to get the corresponding tuple of polynomials (ΞPPKID,ΞIPKID,ΞTUPKID,s). B replaces the related tuples with (ID,,ΞPPKID) in LPSK,(ID,,IPKID) in LISK, and (ID,Ts,,ΞTUPKID,s) in LTUK.

    • Personal secret key corrupt query (ID): If the Public key replace query (ID) has never been requested, B uses ID to search (ID, ΞPSKID, ΞPPKID) in LPSK. If it is found, B transforms (ΞPSKID, ΞPPKID) to return two encoded bit-strings (ΘPSKID, ΘPPKID). Otherwise, B carries out the following steps:

      • (1) Choose a new variate ΞTGPSK,ID,1 in G1.

      • (2) Set two polynomials ΞPSKID=ΞTGPSK,ID,1 and ΞPPKID=ΞQ·ΞPSKID, and add (ID,ΞPSKID,ΞPPKID) in LPSK.

      • (3) Transform (ΞPSKID,ΞPPKID) to return two encoded bit-strings (ΘPSKID,ΘPPKID).

    • Decrypting query (ID,Ts,θ=(C,CT)): In this query’s k-th round, B carries out the following steps:

      • (1) By ID and Ts, B finds the associated private key tuple (ΞPSKID,ΞISKID,ΞTUKID,s) in LPSK, LISK and LTUK.

      • (2) B transforms the ciphertext C to the polynomial ΞC in L1 and sets three polynomials ΞK1=ΞPSKID·ΞC, ΞK2=ΞISKID·ΞC and ΞK3=ΞTUKID,s·ΞC. Moreover, B transforms ΞK1, ΞK2 and ΞK3 to obtain bit-strings ΘK1, ΘK2 and ΘK3, respectively. Hence, B can gain the encryption key ΘEK=ΘK1ΘK2ΘK3. Finally, B returns the encryption key ΘEK and the plaintext msg=DΘEK(CT).

    • Decrypting leak query (ID,Ts,fDEC,k,hDEC,k,k): In the Decrypting query’s k-th round of the user ID at period Ts, this query is allowed to be requested only once. B returns leaked information (ΛfDEC,k, ΛhDEC,k), where ΛfDEC,k=fDEC,k(PSKID,k,1,ISKID,k,1) and ΛhDEC,k=hDEC,k(PSKID,k,2,ISKID,k,2,TUKID,s).

  • Challenge phase. AI sends a target identity ID, a target period Ts and a plaintext pair (msg0, msg1) to B. Here the Identity secret key query (ID) must have never been requested by AI. B chooses an unbiased random bit b{0,1} and carries out the Encrypting algorithm with (ID,Ts,(PPKID,IPKID,TUPKID,s),msgb) to generate C, EK and CT=EEK(msgb). Finally, B returns the ciphertext tuple (ID,Ts,θ=(C,CT)) to the adversary.

  • Guess phase. In this phase, AI must output a bit b{0,1}. If b=b, we say that it wins the game GLR-RCLE-ORA and its advantage is |Pr[b=b]1/2|.

To evaluate the advantage that AI wins the game GLR-RCLE-ORA, we count the total number of elements in both L1 and L2. Subsequently, we count the maximal degrees of polynomials in L1 and L2, respectively.

  • The total number of elements in both L1 and L2:

    • 7 and 2 elements are increased in L1 and L2, respectively, in the Setup phase.

    • For each O1, O2 or Op query, at most 3 elements are increased in L1 or L2.

    • For each Identity secret key query, at most 3 elements are increased in L1.

    • For each Time update key query, at most 3 elements are increased in L1.

    • For each Decrypting query, at most 4 elements are increased in L1.

    Let qO denote the total number of O1, O2 and Op queries. Let qI, qT and qD, respectively, be the query numbers of the Identity secret key query, Time update key query and Decrypting query. Since AI is allowed to request all queries at most q times, we have
    |L1|+|L2|9+3qO+3qI+3qT+4qD4q.

  • The maximal degrees of polynomials in L1 and L2:

    • (1) The maximal degree of polynomials in L1 is 3 due to the following facts:

      • In the Setup phase, 7 new variates (polynomials) ΞQ, ΞKSK, ΞTSK, ΞM, ΞN, ΞR and ΞS are initially increased in L1. All these polynomials have degree 1.

      • For the O1 query, ΞG1,Q,l,3 has the maximal degree of ΞG1,Q,l,1 and ΞG1,Q,l,2.

      • For the Identity secret key query, ΞTGISK,i,1, ΞTID and ΞISKID have degrees 1, 1 and 3, respectively.

      • For the Time update key query, ΞTGTUK,ID,j,1, ΞTTD and ΞTUKID,t have degrees 1, 1 and 3, respectively.

    • (2) The maximal degree of polynomials in L2 is 6 by the following facts:

      • In the Setup phase, ΞKPK and ΞTPK have degree 2.

      • For the O2 query, ΞG2,Q,l,3 has the maximal degree of ΞG2,Q,l,1 and ΞG2,Q,l,2.

      • For the Op query, ΞG2,P,l,1 has degree at most 6 because ΞG2,P,l,1=ΞG1,P,l,1·ΞG1,P,l,2, and both ΞG1,P,l,1 and ΞG1,P,l,2 belong to L1.

      • For the Decrypting query, all ΞK1, ΞK2 and ΞK3 have degrees 2.

In the following, let us first evaluate the advantage that AI wins GLR-RCLE-ORA without requesting any leak query. Subsequently, the advantage of AI is evaluated when it is allowed to request two kinds of leak queries (Identity secret key leak query and Decrypting leak query).

  • The advantage of AI without requesting any leak query: If either of the following two cases occurs, AI wins the game.

    • Case 1: AI discovers a collision of two elements in L1 or L2. Let us first evaluate the collision probability in L1. Let n be the number of all variates in L1 and B selects n random values vlZp for l=1,2,,n. Let ΞG1,i and ΞG1,j be any two distinct polynomials in L1. B then computes ΞG1,C(v1,v2,,vn)=ΞG1,iΞG1,j. If ΞG1,C(v1,v2,,vn)=0, it is said that the collision occurs. By Lemma 2, the probability of ΞG1,C(v1,v2,,vn)=0 is at most 3/p because the maximal polynomial degree in L1 is 3 and no information (λ=0) is leaked. Since there are |L1|2 distinct pairs (ΞG1,i,ΞG1,j) in L1, the collision probability is (3/p)|L1|2. Similarly, the collision probability in L2 is (6/p)|L2|2. As mentioned earlier, we have |L1|+|L2|4q. Let the probability of Case 1 be denoted by Pr[Case 1]. Then we have

      Pr[Case1](3/p)|L1|2+(6/p)|L2|2(6/p)(|L1|+|L2|)296q2/p.

    • Case 2: If Case 1 does not occur and AI gets no leaked information, the success probability of b=b is 1/2 in the Guess phase. Let Pr[Case 2] denote the success probability that Case 2 occurs. Then we have Pr[Case2]1/2.

    Let PrAIW and AdvAIW be the probability and advantage, respectively, that AI wins the game without requesting any leak query. By Pr[Case 1] and Pr[Case 2], we have
    PrAIWPr[Case1]+Pr[Case2]96q2/p+(1/2),AdvAIW|96q2/p+(1/2)(1/2)|=96q2/p=O(q2/p).
    Hence, AdvAIW is negligible if q=poly(logp).

  • The advantage of AI with requesting two kinds of leak queries: AI can obtain leaked information of related secret keys by the Identity secret key leak query and Decrypting leak query.

    • (1) Identity secret key leak query (fISKE,i,hISKE,i,i): By this query, AI may derive leaked information (ΛfISKE,i,ΛhISKE,i) such that |fISKE,i|, |hISKE,i|λ, where ΛfISKE,i=fISKE,i(KSKi,1) and ΛhISKE,i=hISKE,i(KSKi,2) that are discussed as below:

      • (KSKi,1,KSKi,2): Indeed, the KGC’s secret key KSK has the property in the sense that KSK=KSK0,1+KSK0,2=KSK1,1+KSK1,2==KSKi,1+KSKi,2. By the refreshing technique, leaked information of KSKi1,1/KSKi1,2 is independent of that of KSKi,1/KSKi,2. Thus, AI may derive at most 2λ bits of KSK.

    • (2) Decrypting leak query (ID,Ts,fDEC,k,hDEC,k,k): As mentioned earlier, AI is not a legal user of the LR-RCLE-ORA scheme, but it may get the time update key TUKID,s of any user ID at any period Ts from public channels. Also, AI may get the personal secret key PSKID and the identity secret key ISKID of any user ID, but it is disallowed to get the identity secret key ISKID of the target user ID. Therefore, by this query, AI may derive leaked information (ΛfDEC,k,ΛhDEC,k), where ΛfDEC,k=fDEC,k(ISKID,k,1) and ΛhDEC,k=hDEC,k(ISKID,k,2) that are discussed as below:

      • (ISKID,k,1,ISKID,k1,2): Indeed, the identity secret key ISKID satisfies ISKID=ISKID,0,1+ISKID,0,2=ISKID,1,1+ISKID,1,2==ISKID,k,1+ISKID,k,2. Bythe refreshing technique, leaked information of ISKID,k1,1/ISKID,k1,2 is independent of that of ISKID,k,1/ISKID,k,2. Thus, AI may derive at most 2λ bits of ISKID.

    Let PrAI and AdvAI be the probability and advantage, respectively, that AI wins GLR-RCLE-ORA with requesting the Identity secret key leak query and Decrypting leak query. If AI can obtain the KGC’s secret key KSK or the target user’s identity key ISKID, AI may decrypt the message. Three events are defined as below:
    • (1) Let EKSK denote the event that AI gets the KSK by ΛfISKE,i and ΛhISKE,i. Additionally, EKSK is the complement event of EKSK.

    • (2) Let EISK that AI gets the ISKID by ΛfDEC,k and ΛhDEC,k. Additionally, EISK is the complement event of EISK.

    • (3) Let ECB denote the event that AI outputs a correct b.

    Hence, the advantage PrAI is Pr[ECB] and the following inequality holds:
    PrAI=Pr[ECB]=Pr[ECB(EKSKEISK)]+Pr[ECB(EKSKEISK)]Pr[(EKSKEISK)]+Pr[ECB(EKSKEISK)].
    For the event (EKSKEISK), AI can’t obtain the useful information to output a correct bit b. AI has probability 1/2 to guess the correct bit, so Pr[ECB(EKSKEISK)] is still 1/2 on average. Thus, we have:
    PrAIPr[(EKSKEISK)]+1/2,AdvAI|PrAI1/2|=Pr[(EKSKEISK)].

Because AdvAIWO(q2/p) and AI can learn at most 2λ bits of KSK and ISKID by the Identity secret key leak query and Decrypting leak query, we have
AdvAIAdvAIW·22λO((q2/p)·22λ).
By Corollary 1, AdvAI is negligible if λ<(1ε)logp.  □

Theorem 2.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against a revoked user (AII) in the security game GLR-RCLE-ORA.

Proof.

Let AII be a revoked user of the security game GLR-RCLE-ORA played with a challenger B. AII may issue various queries to B at most q times in the game. This game consists of four phases as follows:

  • Setup phase: The phase is the same as that in the proof in Theorem 1. Additionally, B sends the time secret key TSK to AII since it is a revoked user.

  • Query phase: In this phase, AII can adaptively issue various queries to B at most q times. All queries are identical to those queries in the proof of Theorem 1. Note that AII knows the personal secret key PSKID and the identity secret key ISKID of any user ID. Also, AII may get the time update key TUKID,s of any user ID at any period Ts, except TUKID,s of the target user ID at target period Ts.

  • Challenge phase: AII sends a target identity ID, a target period Ts and a plaintext pair (msg0,msg1) to B. Here the Time update key query (ID,Ts) must have never been requested by AII. B chooses a unbiased random bit b{0,1} and carries out the Encrypting algorithm with (ID,Ts,(PPKID,IPKID,TUPKID,s),msgb) to generate C, EK and CT=EEK(msgb). Finally, B returns the ciphertext tuple (ID,Ts,θ=(C,CT)) to AII.

  • Guess phase: In this phase, AII must output a bit b{0,1}. If b=b, we say that it wins the game GLR-RCLE-ORA and its advantage is |Pr[b=b]1/2|.

In the following, let us first evaluate the advantage that AII wins GLR-RCLE-ORA without requesting any leak query. Subsequently, the advantage of AII is evaluated when it is allowed to request the Time update key leak query.

  • The advantage of AII without requesting any leak query: Let AdvAIIW be the advantage that AII wins the game without requesting the Time update key leak query. By the similar evaluations as in the proof of Theorem 1, we have AdvAIIW=O(q2/p).

  • The advantage of AII with requesting the Time update key leak query: By the Time update key leak query (fTUKE,j,hTUKE,j, j), AII may derive leaked information (ΛfTUKE,j,ΛhTUKE,j) such that |fTUKE,j|, |hTUKE,j|λ, where ΛfTUKE,j=fTUKE,j(TSKj,1) and ΛhTUKE,j=hTUKE,j(TSKj,2). Indeed, the time secret key TSK has the property in the sense that TSK=TSK0,1+TSK0,2=TSK1,1+TSK1,2==TSKi,1+TSKi,2. By the refreshing technique, leaked information of TSKi1,1/TSKi1,2 is independent of that of TSKi,1/TSKi,2. Thus, AII may derive at most 2λ bits of TSK.

    Let PrAII and AdvAII be the probability and advantage, respectively, that AII wins GLR-RCLE-ORA with requesting the Time update key leak query. Two events are defined as below:

    • (1) Let ETSK denote the event that AII gets the time secret key TSK by fTUKE,j and hTUKE,j. Additionally, ETSK is the complement event of ETSK.

    • (2) Let ECB denote the event that AII outputs a correct b.

    Hence, the advantage PrAII is Pr[ECB] and the following inequality holds:
    PrAII=Pr[ECB]=Pr[ECBETSK]+Pr[ECBETSK]Pr[ETSK]+Pr[ECBETSK].
    For the event ETSK, AII can’t obtain the useful information to output a correct bit b. AII has probability 1/2 to guess the correct bit, so Pr[ECBETSK] is still 1/2 on average. Thus, we have
    PrAIIPr[ETSK]+1/2,AdvAII|PrAII1/2|=Pr[ETSK].

Because AdvAIIWO(q2/p) and AII can learn at most 2λ bits of TSK by the Time update key leak query, we have
AdvAIIAdvAIIW·22λO((q2/p)·22λ).
By Corollary 1, AdvAII is negligible if λ<(1ε)logp.  □

Theorem 3.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against an honest-but-curious KGC (AIII) in the security game GLR-RCLE-ORA.

Proof.

Let AIII be an honest-but-curious KGC of the security game GLR-RCLE-ORA played with a challenger B. AIII may issue various queries to B at most q times in the game. This game consists of four phases as follows:

  • Setup phase: The phase is the same as that in the proof in Theorem 1. Additionally, B sends the KGC’s secret key KSK and time secret key TSK to AIII since it is an honest-but-curious KGC.

  • Query phase: In this phase, AIII can adaptively issue various queries to B at most q times. All queries are identical to those queries in the proof of Theorem 1. Note that AIII knows the KGC’s secret key KSK and time secret key TSK so that it can get the identity secret key ISKID and time update key TUKID,s of any user ID for any period Ts. Also, AIII may get the personal secret key PSKID of any user ID, except PSKID of the target user ID.

  • Challenge phase: AIII sends a target identity ID, a target period Ts and a plaintext pair (msg0,msg1) to B. Here both the Personal secret key corrupt query (ID) and the Public key replace query (ID,Ts,(PPKID,IPKID,TUPKID,s)) must have never been requested by AIII. B chooses an unbiased random bit b{0,1} and carries out the Encrypting algorithm with (ID,Ts,(PPKID,IPKID,TUPKID,s),msgb) to generate C, EK and CT=EEK(msgb). Finally, B returns the ciphertext tuple (ID,Ts,θ=(C,CT)) to AIII.

  • Guess phase: In this phase, AIII must output a bit b{0,1}. If b=b, we say that it wins the game GLR-RCLE-ORA and its advantage is |Pr[b=b]1/2|.

In the following, let us first evaluate the advantage that AIII wins GLR-RCLE-ORA without requesting any leak query. Subsequently, the advantage of AIII is evaluated when it is allowed to request the Decrypting leak query (ID,Ts,fDEC,k,hDEC,k,k).
  • The advantage of AIII without requesting any leak query: Let AdvAIIIW be the advantage that AIII wins the game without requesting the Decrypting leak query. By the similar evaluations as in the proof of Theorem 1, we have AdvAIIIW=O(q2/p).

  • The advantage of AIII with requesting the Decrypting leak query: By the Decrypting leak query (ID,Ts,fDEC,k,hDEC,k,k), AIII may derive leaked information (ΛfDEC,k,ΛhDEC,k) such that |fDEC,k|,|hDEC,k|λ, where ΛfDEC,k=fDEC,k(PSKID,k,1) and ΛhDEC,k=hDEC,k(PSKID,k,2). Note that AIII may get the personal secret key PSKID of any user ID, except PSKID of the target user ID. For leakage resilient property, AIII can obtain leaked information of the target user’s PSKID=(PSKID,k,1,PSKID,k,2) used in the Decrypting algorithm’s k-th round of the target user. Indeed, the personal secret key PSKID has the property in the sense that PSKID=PSKID,0,1+PSKID,0,2=PSKID,1,1+PSKID,1,2==PSKID,k,1+PSKID,k,2. By the refreshing technique, leaked information of PSKID,k1,1/PSKID,k1,2 is independent of that of PSKID,k,1/PSKID,k,2. Thus, AIII may derive at most 2λ bits of PSKID.

    Let PrAIII and AdvAIII be the probability and advantage, respectively, that AIII wins GLR-RCLE-ORA with requesting the Decrypting leak query. Two events are defined as below:

    • (1) Let EPSK denote the event that AIII gets the personal secret key PSKID by fDEC,k and hDEC,k. Additionally, EPSK is the complement event of EPSK.

    • (2) Let ECB denote the event that AIII outputs a correct b.

    Hence, the advantage PrAIII is Pr[ECB] and the following inequality holds.
    PrAIII=Pr[ECB]=Pr[ECBEPSK]+Pr[ECBEPSK]Pr[EPSK]+Pr[ECBEPSK].
    For the event EPSK, AIII can’t obtain the useful information to output a correct bit b. AIII has probability 1/2 to guess the correct bit, so Pr[ECBEPSK] is still 1/2 on average. Thus, we have
    PrAIIIPr[EPSK]+1/2,AdvAIII|PrAIII1/2|=Pr[EPSK].

Because AdvAIIIWO(q2/p) and AIII can learn at most 2λ bits of PSK by the Decrypting leak query, we have
AdvAIIIAdvAIIIW·22λO((q2/p)·22λ).
By Corollary 1, AdvAIII is negligible if λ<(1ε)logp.  □

6Comparisons

Here, let’s first present the computation notations of several operations in bilinear groups. By employing the simulation experiences in Li et al. (2021), Table 1 lists two kinds of time-consuming operations and their computational time (in milliseconds). The environment of simulation experiences is a platform with the Intel Core i7-8550U CPU 1.80 GHz processor. The selection of security parameters are Fp, G1 and G2. Here, Fp is a finite field which consists of the set of integers {0,1,,p1}, where p is a 256-bit prime number. And, G1 and G2 are groups with 224-bit prime order over the finite field Fp. It is worth mentioning that the computation of a one-way hash function, an addition on an additive group G1 and a multiplication on a multiplicative group G2 are omitted because their computational costs are small and negligible.

Table 1

Computational time (in millisecond) of two time-consuming operations.

NotationOperationComputational time
Tpa bilinear pairing eˆ:G1×G1G27.84 ms
a scalar multiplication on an additive group G1
Tmeor0.48 ms
an exponentiation on a multiplicative group G2

Table 2 lists the comparisons of our LR-RCLE-ORA scheme with several RCLE and LR-CLE schemes (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018) in terms of encryption cost (time), decryption cost (time), security proof model, revocation property, outsourced revocation, resisting side-channel attacks and leakage resilience model. Note that a user’s private key in Xiong et al.’s LR-CLE scheme (2013) is a vector with n2 elements (here, let n=2). As compared to the bounded leakage property of Xiong et al.’s LR-CLE scheme (2013), Wu et al.’s scheme and ours possess continual leakage property and are practical for applications. To resist side-channel attacks, our scheme requires some extra computation costs than the RCLE scheme in Tsai and Tseng (2015). As compared with the LR-CLE scheme (Wu et al., 2018), our scheme requires one Tp for encryption cost and decryption cost, respectively, but our scheme offers outsourced revocation functionality to reduce the computational burden of the KGC for generating all non-revoked users’ time update keys. By Table 2, even though the computational cost of our scheme is worse than the other schemes, our scheme possesses four complete properties, namely, revocation property, outsourced revocation, resisting side-channel attacks and continual leakage property. We emphasize that our scheme is the first LR-RCLE-ORA scheme resisting side-channel attacks while possessing continual leakage property.

Table 2

Comparisons between our scheme and the previously proposed schemes.

Tsai and Tseng’s RCLE scheme (Tsai and Tseng, 2015)Xiong et al.’s LR-CLE scheme (Xiong et al., 2013)Wu et al.’s LR-CLE scheme (Wu et al., 2018)Our LR-RCLE-ORA scheme
Encryption cost3Tme+Tp6Tme4Tme+Tp4Tme+2Tp
(9.28 ms)(2.88 ms)(9.76 ms)(17.6 ms)
Decryption cost2Tme+Tp4Tp4Tme+4Tp4Tme+5Tp
(8.8 ms)(31.36 ms)(33.28 ms)(41.12 ms)
Security proof modelRandom oracle modelStandard model (Dual system)GBG modelGBG model
Revocation propertyYesNoNoYes
Outsourced revocationNoNoNoYes
Resisting side-channel attacksNoYesYesYes
Leakage resilience modelNoBoundedContinualContinual

7Conclusions

In this paper, the first leakage-resilient revocable certificateless encryption scheme with an outsourced revocation authority (LR-RCLE-ORA) was proposed. As compared to previous RCLE and LR-CLE schemes, our scheme possesses several merits. (1) It can resist side-channel attacks and has leakage resilience properties. (2) The revocation functionality is outsourced to the ORA to alleviate the computational load of the KGC. (3) It permits adversaries to continually extract partial ingredients of secret keys and offers the overall unbounded leakage property. By extending the adversary models of RCLE and LR-CLE schemes, a new adversary model was defined while three kinds of leak queries are added, namely, Identity secret key leak query, Time update key leak query and decrypting leak query. In the GBG model, the security of the proposed scheme is shown to be semantically secure against chosen cipher-text attacks for three kinds of adversaries, namely, outsider, revoked user and honest-but-curious KGC.

References

1 

Abdalla, M., Belaid, S., Fouque, P. (2013). Leakage-resilient symmetric encryption via re-keying. In: CHES’13, LNCS, Vol. 8086, pp. 471–488.

2 

Akavia, A., Goldwasser, S., Vaikuntanathan, V. (2009). Simultaneous hardcore bits and cryptography against memory attacks. In: TCC’09, LNCS, Vol. 5444, pp. 474–495.

3 

Al-Riyami, S.S., Paterson, K.G. (2003). Certificateless public key cryptography. In: ASIACRYPT’03, LNCS, Vol. 2894, pp. 452–473.

4 

Alwen, J., Dodis, Y., Wichs, D. (2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: CRYPTO’09, LNCS, Vol. 5677, pp. 36–54.

5 

Boneh, D., Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: CRYPTO’01, LNCS, Vol. 2139, pp. 213–229.

6 

Boneh, D., Boyen, X., Goh, E.J. (2005). Hierarchical identity-based encryption with constant size ciphertext. In: EUROCRYPT, LNCS, Vol. 3494, pp. 440–456.

7 

Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V. (2010). Cryptography resilient to continual memory leakage. In: 51st Annual IEEE Symposium on Foundations of Computer Science. IEEE Press, pp. 501–510.

8 

Bronchain, O., Momin, C., Peters, T., Standaert, F. (2021). Improved leakage-resistant authenticated encryption based on hardware AES coprocessors. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(3), 641–676.

9 

Brumley, D., Boneh, D. (2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.

10 

Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A. (2008). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.

11 

Du, H., Wen, Q., Zhang, S. (2018). A provably-secure outsourced revocable certificateless signature scheme without bilinear pairings. IEEE Access, 6, 73846–73855.

12 

Galindo, D., Virek, S. (2013). A practical leakage-resilient signature scheme in the generic group model. In: SAC’12, LNCS, Vol. 7707, pp. 50–65.

13 

Galindo, D., Grobschadl, J., Liu, Z., Vadnala, P.K., Vivek, S. (2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.

14 

Hazay, C., López-Alt, A., Wee, H., Wichs, D. (2013). Leakage-resilient cryptography from minimal assumptions. In: EUROCRYPT’13, LNCS, Vol. 7881, pp. 160–176.

15 

Housley, R., Polk, W., Ford, W., Solo, D. (2002). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF, RFC 3280.

16 

Hsieh, T.-C., Tseng, Y.-M., Huang, S.-S. (2020). A leakage-resilient certificateless authenticated key exchange protocol withstanding side-channel attacks. IEEE Access, 8, 121795–121810.

17 

Hung, Y.-H., Tseng, Y.-M., Huang, S.S. (2016). A revocable certificateless short signature scheme and its authentication application. Informatica, 27(3), 549–572.

18 

Katz, J., Vaikuntanathan, V. (2009). Signature schemes with bounded leakage resilience. In: ASIACRYPT’09, LNCS, Vol. 5912, pp. 703–720.

19 

Kiltz, E., Pietrzak, K. (2010). Leakage resilient elgamal encryption. In: ASIACRYPT’10, LNCS, Vol. 6477, pp. 595–612.

20 

Kocher, P.C. (1996). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: CRYPTO’96, LNCS, Vol. 1163, pp. 104–113.

21 

Kocher, P., Jaffe, J., Jun, B. (1999). Differential power analysis. In: CRYPTO’99, LNCS, Vol. 1666, pp. 388–397.

22 

Li, Y., Cheng, Q., Liu, X., Li, X. (2021). A secure anonymous identity-based scheme in new authentication architecture for mobile edge computing. IEEE Systems Journal, 15(1), 935–946.

23 

Li, J., Guo, Y., Yu, Q., Lu, Y., Zhang, Y. (2016). Provably secure identity based encryption resilient to post-challenge continuous auxiliary input leakage. Security and Communication Network, 9(10), 1016–1024.

24 

Li, S., Zhang, F., Sun, Y., Shen, L. (2013). Efficient leakage-resilient public key encryption from DDH assumption. Cluster Computing, 16(4), 797–806.

25 

Liu, S., Weng, J., Zhao, Y. (2013). Efficient public key cryptosystem resilient to key leakage chosen ciphertext attacks. In: CTRSA’13, LNCS, Vol. 7779, pp. 84–100.

26 

Naor, M., Segev, G. (2009). Public-key cryptosystems resilient to key leakage. In: CRYPTO’09, LNCS, Vol. 5677, pp. 18–35.

27 

Naor, M., Segev, G. (2012). Public-key cryptosystems resilient to key leakage. SIAM Journal on Computing, 41(4), 772–814.

28 

Scott, M. (2011). On the efficient implementation of pairing-based protocols. In: Cryptography and Coding, LNCS, Vol. 7089, pp. 296–308.

29 

Shen, L., Zhang, F., Sun, Y. (2014). Efficient revocable certificateless encryption secure in the standard model. Computer Journal, 57(4), 592–601.

30 

Tsai, T.-T., Tseng, Y.-M. (2015). Revocable certificateless public key encryption. IEEE Systems Journal, 9(3), 824–833.

31 

Tsai, T.-T., Tseng, Y.-M., Huang, S.-S. (2015). Efficient revocable certificateless public key encryption with a delegated revocation authority. Security and Communication Networks, 8(18), 3713–3725.

32 

Tsai, T.-T., Chuang, Y.-H., Tseng, Y.-M., Huang, S.-S., Hung, Y.-H. (2021). A leakage-resilient ID-based authenticated key exchange protocol with a revocation mechanism. IEEE Access, 9, 128633–128647.

33 

Tseng, Y.-M., Tsai, T.-T. (2012). Efficient revocable ID-based encryption with a public channel. Computer Journal, 55(4), 475–486.

34 

Tseng, Y.-M., Wu, J.-D., Huang, S.-S., Tsai, T.-T. (2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.

35 

Unterstein, F., Schink, M., Schamberger, T., Tebelmann, L., Ilg, M., Heyszl, J. (2020). Retrofitting leakage resilient authenticated encryption to microcontrollers. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(4), 365–388.

36 

Wu, J.-D., Tseng, Y.-M., Huang, S.-S., Chou, W.-C. (2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.

37 

Wu, J.-D., Tseng, Y.-M., Huang, S.-S. (2019). An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Systems Journal, 13(4), 3968–3979.

38 

Wu, J.-D., Tseng, Y.-M., Huang, S.-S., Tsai, T.-T. (2020). Leakage-resilient revocable identity-based signature with cloud revocation authority. Informatica, 31(3), 597–620.

39 

Xiong, H., Yuen, T.-H., Zhang, C., Yiu, S.-M., He, Y.-J. (2013). Leakage-resilient certificateless public key encryption. In: The first ACM workshop on Asia Public-Key Cryptography. ACM Press, pp. 13–22.

40 

Yuen, T.-H., Chow, S.S.M., Zhang, Y., Yiu, S.-M. (2012). Identity-based encryption resilient to continual auxiliary leakage. In: EUROCRYPT’12, LNCS, Vol. 7237, pp. 117–134.

41 

Zhou, Y., Yang, B., Zhang, W. (2016). Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing. Discrete Applied Mathematics, 204, 185–202.