
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

PostChallenge Leakage Resilient PublicKey Cryptosystem in Split State Model
Eiichiro FUJISAKI Akinori KAWACHI Ryo NISHIMAKI Keisuke TANAKA Kenji YASUNAGA
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E98A
No.3
pp.853862 Publication Date: 2015/03/01
Online ISSN: 17451337
DOI: 10.1587/transfun.E98.A.853
Type of Manuscript: PAPER Category: Cryptography and Information Security Keyword: postchallenge (bounded) leakage, simultaneous secretkey and senderrandomness leakage, CCA2 security for multiple messages,
Full Text: PDF(864.8KB)>>
Summary:
Leakage resilient cryptography is often considered in the presence of a very strong leakage oracle: An adversary may submit arbitrary efficiently computable function f to the leakage oracle to receive f(x), where x denotes the entire secret that a party possesses. This model is somewhat too strong in the setting of publickey encryption (PKE). It is known that no secretkey leakage resilient PKE scheme exists if the adversary may have access to the secretkey leakage oracle to receive only one bit after it was given the challenge ciphertext. Similarly, there exists no senderrandomness leakage resilient PKE scheme if onebit leakage occurs after the target public key was given to the adversary. At TCC 2011, Halevi and Lin have broken the barrier of afterthefact leakage, by proposing the socalled split state model, where a secret key of a party is explicitly divided into at least two pieces, and the adversary may have not access to the entire secret at once, but each divided pieces, one by one. In the splitstate model, they have constructed postchallenge secretkey leakage resilient CPA secure PKEs from hash proof systems, but the construction of CCA secure postchallenge secretkey leakage PKE has remained open. They have also remained open to construct senderrandomness leakage PKE in the split state model. This paper provides a solution to the open issues. We also note that the proposal of Halevi and Lin is postchallenge secretkey leakage CPA secure against a single challenge ciphertext; not against multiple challenges. We present an efficient generic construction that converts any CCA secure PKE scheme into a multiplechallenge CCA secure PKE that simultaneously tolerates postchallenge secretkey and senderrandomness leakage in the split state model, without any additional assumption. In addition, our leakage amount of the resulting schemes is the same as that of Halevi and Lin CPA PKE, i.e., (1/2+γ)l/2 where l denotes the length of the entire secret (key or randomness) and γ denotes a universal (possitive) constant less than 1/2. Our conversion is generic and available for many other publickey primitives. For instance, it can convert any identitybased encryption (IBE) scheme to a postchallenge masterkey leakage and senderrandomness leakage secure IBE.

