Updatable Lossy Trapdoor Functions Under Consecutive Leakage

Lossy trapdoor functions (LTFs), introduced by Peikert and Waters (STOC’08), have already been found to be a very useful tool in constructing complex cryptographic primitives in a black-box manner, such as one-way trapdoor functions, deterministic public-key encryption, CCA-secure public-key encryption, etc. Due to the existence of the side-channel attack, the leakage of trapdoor information in lossy trapdoor function systems can lead to the impossibility of provable security. Recently, Zhang et al. introduced a model of consecutive and continual leakage-resilient and updatable lossy trapdoor functions (ULTFs) and provided a concrete construction to achieve the security. Meanwhile, they proposed a consecutive and continual leakage-resilient public-key encryption scheme. However, in this paper, we demonstrate that the correctness of injective function can not be satisfied. Furthermore, the attacker can easily distinguish the evaluation key of ULTFs generated by the challenger according to the security model. Finally, we show two new constructions based on the continual leakage-resilient public-key encryption scheme of Brakerski et al. (FOCS 2010) and demonstrate the security of our scheme in the consecutive and continual leakage model.

CCA Secure Public Key Encryption against After-the-Fact Leakage without NIZK Proofs

In leakage resilient cryptography, there is a seemingly inherent restraint on the ability of the adversary that it cannot get access to the leakage oracle after the challenge. Recently, a series of works made a breakthrough to consider a postchallenge leakage. They presented achievable public key encryption (PKE) schemes which are semantically secure against after-the-fact leakage in the split-state model. This model puts a more acceptable constraint on adversary’s ability that the adversary cannot query the leakage of secret states as a whole but the functions of several parts separately instead of prechallenge query only. To obtain security against chosen ciphertext attack (CCA) for PKE schemes against after-the-fact leakage attack (AFL), existing works followed the paradigm of “double encryption” which needs noninteractive zero knowledge (NIZK) proofs in the encryption algorithm. We present an alternative way to achieve AFL-CCA security via lossy trapdoor functions (LTFs) without NIZK proofs. First, we formalize the definition of LTFs secure against AFL (AFLR-LTFs) and all-but-one variants (ABO). Then, we show how to realize this primitive in the split-state model. This primitive can be used to construct AFLR-CCA secure PKE scheme in the same way as the method of “CCA from LTFs” in traditional sense.

All-But-Many Lossy Trapdoor Functions under Decisional RSA Subgroup Assumption and Application

Lossy trapdoor functions (LTDFs) were introduced by Peikert and Waters (STOC 2008) and have a number of applications in cryptography. All-but-many lossy trapdoor functions (ABM-LTDFs) are generalizations of LTDFs studied by Hofheinz (Eurocrypt 2012). Specially, using ABM-LTDFs to construct public key encryption (PKE) scheme with selective opening security has been proven feasible. Existing ABM-LTDFs were built on pairings, lattices and decisional composite residuosity (DCR) assumption. However, pairing-based ABM-LTDFs and DCR-based ABM-LTDFs rely on non-standard assumptions. In this paper, we construct an ABM-LTDF under the decisional RSA subgroup (DRSA) assumption, and we employ it to construct PKE scheme with selective opening security. We also propose a construction of DCR-based ABM-LTDF relying on standard assumption in Appendix.

Tightly Secure Lossy Trapdoor Functions: Constructions and Applications

Lossy trapdoor functions (LTFs), introduced by Peiker and Waters in STOC’08, are functions that may be working in another injective mode or a lossy mode. Given such a function key, it is impossible to distinguish an injective key from a lossy key for any (probabilistic) polynomial-time adversary. This paper studies lossy trapdoor functions with tight security. First, we give a formal definition for tightly secure LTFs. Loosely speaking, a collection of LTFs is tightly secure if the advantage to distinguish a tuple of injective keys from a tuple of lossy keys does not degrade in the number of function keys. Then, we show that tightly secure LTFs can be used to construct public-key encryption schemes with tight CPA security in a multiuser, multichallenge setting, and with tight CCA security in a multiuser, one-challenge setting. Finally, we present a construction of tightly secure LTFs from the decisional Diffie-Hellman assumption.