Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9
Published online 2 February 2016 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1429

RESEARCH ARTICLE

Shi-Feng Sun, Dawu Gu* and Shengli Liu
Department of Computer Science & Engineering, Shanghai Jiao Tong University, Shanghai 200240, China

ABSTRACT
Due to the proliferation of side-channel attacks, many efforts have been made to construct cryptographic systems that remain provably secure even if part of the secret information is leaked to the adversary. Recently, many identity-based encryption (IBE) schemes have been proposed in this context, almost all of which, however, achieve only chosen plaintext attack (CPA) security. As far as we know, the IBE of Alwen et al. is the only practical scheme secure against adaptive chosen ciphertext attacks (CCA2) in the standard model. Unfortunately, that scheme has an undesirable shortcoming: the leakage parameter $\ell$ and the message length $m$ are subject to $\ell + m \le \log p - \omega(\log \lambda)$, where $\lambda$ and $p$ denote the security parameter and the prime order of the underlying group, respectively. Beyond that, the leakage ratio of the scheme is very low, reaching only $1/6$. In this work, we put forward two new IBE schemes, both of which are $\ell$-leakage-resilient CCA2 secure in the standard model. The first construction is based on Gentry's IBE; it is quite practical and almost as efficient as the original scheme, and its leakage parameter, $\ell \le \log p - \omega(\log \lambda)$, is independent of the size of the message space. To the best of our knowledge, it is the first practical leakage-resilient fully CCA2 secure IBE scheme in the standard model that tolerates up to $(\log p - \omega(\log \lambda))$ bits of private key leakage with a leakage parameter independent of the message length. The second construction is based on the scheme of Alwen et al.; it has the same leakage parameter as that scheme but better efficiency and a higher leakage ratio. As far as we know, it is the first practical, fully CCA2 secure leakage-resilient IBE scheme with leakage ratio up to $1/4$. Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS
identity-based encryption; leakage resilience; full security; key leakage attack; chosen ciphertext security

*Correspondence
Dawu Gu, Department of Computer Science & Engineering, Shanghai Jiao Tong University, Shanghai 200240, China. E-mail: dwgu@sjtu.edu.cn

Part of this work was published in Pairing 2013; this is an extended and full version.

1 INTRODUCTION
Identity-based encryption (IBE), an attractive alternative to the traditional public key infrastructure, has drawn increasing attention in recent years. The concept was first introduced by Shamir [1] in 1984. In this cryptosystem, each user can use an arbitrary identity string, such as a name or e-mail address, as his or her public key; the corresponding private key is produced and secretly delivered by a trusted authority, usually called the private key generator (PKG). Anyone who wants to send encrypted messages to a receiver simply encrypts them under the receiver's identity, without relying on any certificate. However, the first efficient and secure IBE scheme [2] was not presented until 2001. Following this work, many IBE schemes [3–7] have been proposed.

Customarily, the security analysis of these cryptosystems is conducted in an idealized model, where the secret states are assumed to be generated from perfectly random bits and kept completely hidden from the adversary; that is, an adversary in this setting sees only the specified input/output behaviour of the system and cannot access any internal secret state. An important observation, however, is that this assumption does not hold in the real world. In practice, attackers may exploit various physical characteristics of the execution of a cryptographic device, such as running time, power consumption, and electromagnetic radiation, to learn partial information about its secret state; such attacks are usually called side-channel attacks [8–12]. What is more, the cold-boot attack presented by Halderman et al. [13] in 2008 allows an attacker to learn a significant fraction of the memory contents of a machine even after it loses power. Under such attacks, many cryptosystems proved secure in the traditional security models (without any key leakage) may be completely broken, even if the attacker obtains only a small amount of information about the secret state. To take these attacks into account in the security proof, the cryptographic community initiated leakage-resilient cryptography, whose goal is to construct cryptosystems that can still be proved secure even though the adversary obtains some leakage of the key. Recently, many excellent works on public key encryption (PKE), symmetric encryption, and identity-based encryption [14–21] have been proposed in this setting, and they are proved secure in several different leakage models, such as the only-computation-leaks model and the auxiliary input leakage model. In this work, we focus on identity-based encryption in the bounded memory-leakage model (sometimes called the relative leakage model). This simple and general model allows the attacker to obtain arbitrary information about the secret key, with the only restriction that the total amount of leakage on the secret key is bounded by a leakage parameter. In recent years, the bounded memory-leakage model has received considerable attention.

1.1 Related work
To capture the cold-boot attack, the bounded memory-leakage model was first introduced by Akavia et al. [22], who also proposed the first concrete CPA secure PKE and IBE schemes in this leakage model, based on the learning with errors assumption. Subsequently, Naor and Segev [10] gave a general construction of CPA secure leakage-resilient PKE from hash proof systems [23], and presented two efficient concrete constructions in this framework under the decisional Diffie–Hellman (DDH) and $K$-linear assumptions, whose leakage ratio (the number of leaked bits divided by the total size of the secret key) approaches 1. Moreover, in the same work, they considered how to achieve chosen ciphertext attack (CCA) secure leakage-resilient PKE and showed that, given any CPA leakage-resilient PKE, a CCA leakage-resilient PKE can be obtained via the Naor–Yung paradigm [24]. Besides this inefficient general method, they also gave two efficient CCA secure leakage-resilient constructions based on the practical Cramer–Shoup cryptosystem [25], one CCA1 and the other CCA2. These schemes, however, suffer from the undesirable shortcoming that the leakage parameter $\ell$ depends on the message length $m$: the relationship between them is $\ell + m \le \log q - \omega(\log \lambda)$, where $\lambda$ denotes the security parameter and $q$ the prime order of the underlying group. To solve this problem, Liu et al. [26] gave a new leakage-resilient PKE based on the Cramer–Shoup cryptosystem, in which the number of leakage bits satisfies $\ell \le \log q - \omega(\log \lambda)$. Furthermore, Alwen et al. [19] generalized the hash proof system of [23] to the identity-based setting, calling it an identity-based hash proof system, and showed how to use it to construct leakage-resilient IBE schemes. In particular, they presented three instantiations, based on the IBE schemes of Boneh et al. [27], Gentry et al. [20], and Gentry [5], respectively. In addition, building on the framework of Alwen et al., the work of [29] presented three new leakage-resilient IBE schemes, constructed from the IBE schemes of Waters [4], Lewko et al. [30], and Boneh et al. [3]; Chen et al. [31] also proposed a new IBE scheme in this setting. Differently from these works, Yuen et al. [32] put forward a novel IBE scheme in the auxiliary input model, which tolerates a more general form of leakage. Among all these leakage-resilient IBE schemes, those presented in [29,32] achieve security in the standard model, whereas most of the others are proved secure in the random oracle model. Nevertheless, all of these leakage-resilient IBE schemes are only proved CPA secure, except the one presented in [19]. Unfortunately, this unique CCA secure scheme also suffers from the drawback that the leakage parameter $\ell$ and the message length $m$ are subject to $\ell + m \le \log q - \omega(\log \lambda)$, where $\lambda$ is the security parameter and $q$ the prime order of the underlying group; thus, as the message length $m$ approaches $\log q$, the number of leakage bits $\ell$ approaches 0, and vice versa. Hence, it is natural to ask whether there exists an IBE scheme that achieves CCA security in the context of leakage resilience without this inherent drawback. Additionally, the leakage ratio (the amount of private key leakage divided by the total size of the private key) of this CCA secure scheme is very low compared with the existing CPA secure leakage-resilient IBE schemes, so how to construct a CCA secure leakage-resilient IBE scheme with a higher leakage ratio is also an interesting problem. Beyond the PKE and IBE schemes mentioned above, many other primitives have been presented in the context of leakage resilience, in the bounded memory-leakage model or in other leakage models, such as leakage-resilient signatures [33–35] and leakage-resilient zero-knowledge proofs [36,37].

1.2 Our contributions
In this work, we put forward two new leakage-resilient IBE schemes, both of which are quite practical and can be proved CCA2 secure without random oracles. The first scheme is based on Gentry's IBE. It has a larger message space and tolerates a larger amount of secret key leakage, without suffering from the drawback of [19]. The second construction is based on the construction of Alwen et al. It has the same message space as the scheme of Alwen et al. but achieves a higher leakage ratio, up to $1/4$; thus, it tolerates a relatively larger amount of leakage and achieves higher security.

1.3 Organization
The remainder of this work is organized as follows. Section 2 describes some preliminaries, including the basic notations, definitions, and security models. Two concrete constructions and their security analysis are given in Sections 3 and 4, respectively. Section 5 gives a detailed performance analysis. Finally, the work ends with a brief conclusion.

2 PRELIMINARIES
In this section, we first give the notations, definitions, and assumptions used in our work and then review the security model of IBE in the bounded memory-leakage setting.

2.1 Notations
Let $\lambda$ denote the security parameter. For a set $S$, we write $s \leftarrow S$ to denote sampling $s$ uniformly at random from $S$, and $|S|$ for the cardinality of $S$; if $S$ is a random variable or distribution, $s \leftarrow S$ denotes sampling $s$ according to $S$. For a randomized algorithm $A(\cdot)$, $a \leftarrow A(\cdot)$ denotes running $A$ with uniformly chosen random coins and obtaining $a$ as output. PPT and $\mathrm{negl}(\lambda)$ denote probabilistic polynomial time and a negligible function of $\lambda$, respectively.

2.2 Bilinear maps and complexity assumption
Suppose that $G$ and $G_T$ are two multiplicative cyclic groups of prime order $p$, with $g$ a generator of $G$, and that the discrete logarithm problems in both $G$ and $G_T$ are intractable. Let $e : G \times G \to G_T$ be a bilinear map with the following three properties:
(1) Bilinear: for any $u, v \in G$ and $a, b \in \mathbb{Z}_p^*$, $e(u^a, v^b) = e(u, v)^{ab}$.
(2) Non-degenerate: $e(g, g) \neq 1_{G_T}$.
(3) Computable: there exists an efficient algorithm to evaluate $e(u, v)$ for any $u, v \in G$.
A bilinear map satisfying these properties is called an admissible bilinear map; it can be obtained from the modified Weil and Tate pairings.

Definition 1 (Complexity Assumption [5]). Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$ determined by the security parameter $\lambda$. The complexity assumption used in our scheme is the truncated version of the decisional $q$-augmented bilinear Diffie–Hellman exponent assumption ($q$-ABDHE) [5]: the ensembles
$P_{ABDHE} = \{(G, g', g'^{\alpha^{q+2}}, g, g^{\alpha}, \ldots, g^{\alpha^{q}}, e(g, g')^{\alpha^{q+1}})\}$ and
$R_{ABDHE} = \{(G, g', g'^{\alpha^{q+2}}, g, g^{\alpha}, \ldots, g^{\alpha^{q}}, Z)\}$
are computationally indistinguishable, where $g, g' \in G$, $Z \in G_T$ and $\alpha \in \mathbb{Z}_p$ are chosen uniformly at random and independently.

2.3 Entropy and randomness extractors
Definition 2 (Average Min-entropy [38]). Let $X \in \mathcal{X}$ and $Z \in \mathcal{Z}$ be two random variables. The min-entropy of $X$, denoted $H_\infty(X)$, is defined as
$H_\infty(X) = \min_{x \in \mathcal{X}}\{-\log \Pr[X = x]\} = -\log\big(\max_{x \in \mathcal{X}} \Pr[X = x]\big).$
Given a (correlated) random variable $Z$, the average min-entropy of $X$ conditioned on $Z$ is defined as
$\tilde{H}_\infty(X \mid Z) = -\log \mathbb{E}_{z \leftarrow Z}\Big[\max_{x \in \mathcal{X}} \Pr[X = x \mid Z = z]\Big] = -\log \mathbb{E}_{z \leftarrow Z}\Big[2^{-H_\infty(X \mid Z = z)}\Big].$
Average min-entropy captures the optimal probability of guessing $X$ for an adversary who observes $Z$.

Lemma 1 [38]. Let $U$, $V$, and $W$ be arbitrarily correlated random variables, with $V$ taking at most $2^{l}$ possible values. Then $\tilde{H}_\infty(U \mid (V, W)) \ge \tilde{H}_\infty(U \mid W) - l$. In particular, $\tilde{H}_\infty(U \mid V) \ge H_\infty(U) - l$.

Definition 3 (Statistical Distance and Extractors [38,39]). Let $U$ and $V$ be two random variables with the same range $\mathcal{X}$. The statistical distance between them, denoted $\mathrm{SD}(U, V)$, is defined as $\mathrm{SD}(U, V) = \frac{1}{2}\sum_{x \in \mathcal{X}} \big|\Pr[U = x] - \Pr[V = x]\big|$. A function $\mathrm{Ext} : \mathcal{U} \times \mathcal{R} \to \mathcal{V}$ is called an average-case $(l, \delta)$-strong extractor if for all random variables $U$ and $Z$ such that $U \in \mathcal{U}$ and $\tilde{H}_\infty(U \mid Z) \ge l$, we have $\mathrm{SD}\big((\mathrm{Ext}(U, R), R, Z), (V, R, Z)\big) \le \delta$, where $R$ and $V$ are distributed uniformly and independently over $\mathcal{R}$ and $\mathcal{V}$, respectively.

Definition 4 (Universal Hash [40,41]). A family $\mathcal{H} = \{h_k : \mathcal{X} \to \mathcal{Y}\}_{k \in \mathcal{K}}$ of hash functions is called universal if for every $x_1, x_2 \in \mathcal{X}$ with $x_1 \neq x_2$, $\Pr_{k \leftarrow \mathcal{K}}[h_k(x_1) = h_k(x_2)] \le 1/|\mathcal{Y}|$. Two specific universal families are the following:
(1) The family $\{h_{k_1, \ldots, k_t} : \mathcal{X} \to \mathcal{Y}\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, t}$ with $h_{k_1, \ldots, k_t}(x_0, x_1, \ldots, x_t) = x_0 + x_1 k_1 + \cdots + x_t k_t$, all operations in the prime field $\mathbb{F}_p$, is universal.
(2) The family $\{h_{k_1, \ldots, k_t} : G^{t+1} \to G\}_{k_i \in \mathbb{Z}_p,\, i = 1, \ldots, t}$ with $h_{k_1, \ldots, k_t}(g_0, g_1, \ldots, g_t) = g_0\, g_1^{k_1} \cdots g_t^{k_t}\ (= g^{x_0 + x_1 k_1 + \cdots + x_t k_t})$, where $G$ is a multiplicative group of prime order $p$ with generator $g$ and $g_i = g^{x_i}$ for $i = 0, 1, \ldots, t$, is universal. The second family is derived from the fact that the multiplicative group $(G, \cdot)$ of prime order $p$ is isomorphic to $(\mathbb{Z}_p, +)$.

Lemma 2 (Leftover hash lemma and its generalization [38]). Assume that $\mathcal{H} = \{h_k : \mathcal{X} \to \mathcal{Y}\}_{k \in \mathcal{K}}$ is a family of universal hash functions. Then for arbitrary random variables $X \in \mathcal{X}$, $K \leftarrow \mathcal{K}$, and $Z$, we have
$\mathrm{SD}\big((h_K(X), K), (U_{\mathcal{Y}}, K)\big) \le \frac{1}{2}\sqrt{2^{-H_\infty(X)}\,|\mathcal{Y}|}$ and
$\mathrm{SD}\big((h_K(X), K, Z), (U_{\mathcal{Y}}, K, Z)\big) \le \frac{1}{2}\sqrt{2^{-\tilde{H}_\infty(X \mid Z)}\,|\mathcal{Y}|}.$
The leftover hash lemma thus states that a family of universal hash functions gives an average-case $(l, \delta)$-extractor $\mathrm{Ext} : \mathcal{X} \times \mathcal{K} \to \mathcal{Y}$ whenever $\log|\mathcal{Y}| \le l - 2\log(1/\delta) + 2$.

2.4 CCA2 security of leakage-resilient identity-based encryption
As in previous works [3,19,29], an IBE system $\mathcal{E}$ consists of four algorithms, $\mathcal{E} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$. $\mathsf{Setup}$ takes the security parameter $\lambda$ as input and establishes the PKG's public parameters $\mathrm{params}$ and the master secret key $\mathrm{msk}$. $\mathsf{KeyGen}$ takes as input $\mathrm{msk}$ and a user identity $ID$ and generates the private key for this user. On input $\mathrm{params}$, a message, and an identity $ID$, $\mathsf{Encrypt}$ outputs a ciphertext for $ID$. On receiving a ciphertext, the recipient with identity $ID$ decrypts it using $\mathsf{Decrypt}$, with the ciphertext and its private key as input.

In our work, we focus on the bounded memory-leakage model, which is simple and general and is used in many PKE and IBE settings. We define the CCA2 security of leakage-resilient IBE via an interactive game between a challenger and an adversary, refined from the definition in [19]. Consistent with [19,29], our definition only allows leakage on the user's private key, not on the master secret key. Additionally, as noted in [10,19,22], the adversary is only allowed to make leakage queries before seeing the challenge ciphertext.

Setup: The challenger $\mathcal{C}$ generates $(\mathrm{params}, \mathrm{msk}) \leftarrow \mathsf{Setup}(\lambda)$ and gives $\mathrm{params}$ to the adversary $\mathcal{A}$.
Phase 1: $\mathcal{A}$ may adaptively make the following three kinds of queries.
Key generation queries: on input an identity $ID$, $\mathcal{C}$ runs $\mathsf{KeyGen}$ on $ID$ and returns the resulting private key $sk_{ID}$.
Leakage queries: on input an identity $ID$ and an efficient leakage function $f_i : \{0,1\}^* \to \{0,1\}^{\lambda_i}$, $\mathcal{C}$ returns $f_i(sk_{ID})$ if $\sum_{k=1}^{i} \lambda_k \le \ell$, and $\bot$ otherwise.
Decryption queries: on input $(ID, C)$, $\mathcal{C}$ first generates the private key for $ID$ by running $\mathsf{KeyGen}$ and then decrypts $C$ with it.
Challenge: $\mathcal{A}$ submits two equal-length messages $m_0, m_1$ and a challenge identity $ID^*$. $ID^*$ must never have appeared in a key generation query, but it may appear in leakage queries with at most $\ell$ bits of leakage in total. $\mathcal{C}$ picks $b \leftarrow \{0,1\}$ and sends $C^* \leftarrow \mathsf{Encrypt}(\mathrm{params}, ID^*, m_b)$ to $\mathcal{A}$.
Phase 2: As Phase 1, except that key generation queries on $ID^*$ and decryption queries on $(ID^*, C^*)$ are not allowed and, as mentioned above, no leakage queries are allowed in this phase.
Guess: $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$ and wins if $b' = b$.
We call $\mathcal{A}$ an IND-LR-ID-CCA2 adversary and define its advantage as $\mathrm{Adv}^{\mathrm{LR\text{-}CCA2\text{-}IBE}}_{\mathcal{E},\mathcal{A}}(\lambda, \ell) = \big|\Pr[\mathcal{A}\ \text{wins}] - \tfrac{1}{2}\big|$.

Definition 5 ($\ell$-LR-CCA2-IBE). An IBE scheme $\mathcal{E} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is $\ell$-leakage-resilient CCA2 secure if for all PPT IND-LR-ID-CCA2 adversaries $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{LR\text{-}CCA2\text{-}IBE}}_{\mathcal{E},\mathcal{A}}(\lambda, \ell) \le \mathrm{negl}(\lambda)$, where $\lambda$ is the security parameter and $\ell$ the leakage parameter.

3 CONCRETE CONSTRUCTION 1
In this part, the first construction is presented, based on Gentry's IBE, and proved fully CCA2 secure under the truncated decisional $q$-ABDHE assumption. Compared with existing schemes, it tolerates a larger amount of secret key leakage and can encrypt longer messages. The proposal consists of four algorithms, described as follows.

Setup($\lambda$): Taking the security parameter as input, the PKG randomly chooses generators $g, h_1, h_2, h_3$ of $G$ and a random $\alpha \in \mathbb{Z}_p$. It then chooses a hash function $H$ from a universal one-way hash function family $\mathcal{H}$ and sets the public parameters $\mathrm{params}$ and the master secret key $\mathrm{msk}$ to be

$\mathrm{params} = (G, g, g_1 = g^{\alpha}, h_1, h_2, h_3, H)$, $\mathrm{msk} = \alpha$.

KeyGen($\mathrm{params}$, $ID$, $\mathrm{msk}$): On input $\mathrm{params}$, $\mathrm{msk}$, and an identity $ID \in \mathbb{Z}_p$, the PKG chooses random $r_{ID,i} \in \mathbb{Z}_p$ for $i \in \{1,2,3\}$ and computes $h_{ID,i} = (h_i\, g^{-r_{ID,i}})^{1/(\alpha - ID)}$. It outputs the private key $sk_{ID} = \{(r_{ID,i}, h_{ID,i})\}_{i \in \{1,2,3\}}$. If $ID = \alpha$, the PKG aborts. Private keys for the same $ID$ must always be generated with the same values $r_{ID,i}$, $i \in \{1,2,3\}$.

Encrypt($\mathrm{params}$, $m$, $ID$): On input $\mathrm{params}$, $ID$, and a message $m \in G_T$, the sender picks $s, r \leftarrow \mathbb{Z}_p$ and outputs the ciphertext $C = (u, v, w, r, y)$, where
$u = g_1^{s}\, g^{-s \cdot ID},\quad v = e(g, g)^{s},\quad w = m \cdot e(g, h_3 h_1^{r})^{-s},\quad y = e(g, h_2 h_3^{\beta})^{s},\quad \beta = H(u, v, w, r).$

Decrypt($\mathrm{params}$, $sk_{ID}$, $C$): On receiving $C = (u, v, w, r, y)$, the recipient with identity $ID$ computes $\beta = H(u, v, w, r)$ and checks whether $y = e(u, h_{ID,2} h_{ID,3}^{\beta})\, v^{\,r_{ID,2} + r_{ID,3}\beta}$. If so, it outputs $m = w \cdot e(u, h_{ID,3} h_{ID,1}^{r})\, v^{\,r_{ID,3} + r_{ID,1} r}$; otherwise, it outputs $\bot$.
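The following is an added example, not code from the paper: the four algorithms above simulated "in the exponent". A group element $g^x$ is represented by $x \in \mathbb{Z}_p$ and a target-group element $e(g,g)^z$ by $z$, so the pairing $e(g^a, g^b)$ becomes $a \cdot b \bmod p$. This checks the algebra of KeyGen, Encrypt and Decrypt (including the rejection of a tampered ciphertext and of an invalid one with $v \ne e(u,g)^{1/(\alpha-ID)}$, the notion used in Section 3.2) but has no security whatsoever, since every discrete logarithm is in the clear. The prime, the identity, the message and the instantiation of $H$ (SHA-256 reduced mod $p$, standing in for the universal one-way hash the paper leaves abstract) are all assumptions of the example.

```python
"""Section 3 scheme simulated in the exponent (added example, not the paper's code).

Element of G  g^x       -> x mod P
Element of G_T e(g,g)^z -> z mod P
e(g^a, g^b) = e(g,g)^{ab} -> a*b mod P
"""
import hashlib
import secrets

P = (1 << 127) - 1   # assumed prime group order; the paper's p is any prime


def H(*parts):
    """Assumed instantiation of the hash H: SHA-256 of the tuple, reduced mod P."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def setup():
    alpha = secrets.randbelow(P - 1) + 1              # msk
    params = {"g": 1,                                 # exponent of g itself
              "g1": alpha,                            # g_1 = g^alpha
              "h": [secrets.randbelow(P) for _ in range(3)]}   # h_1, h_2, h_3
    return params, alpha


def keygen(params, alpha, ID):
    if ID % P == alpha:
        raise ValueError("PKG aborts: ID = alpha")
    inv = pow((alpha - ID) % P, -1, P)
    sk = []
    for h_i in params["h"]:
        r = secrets.randbelow(P)
        # h_{ID,i} = (h_i g^{-r})^{1/(alpha-ID)}  ->  (h_i - r)/(alpha-ID)
        sk.append((r, (h_i - r) * inv % P))
    return sk


def encrypt(params, ID, m):
    """m is an exponent standing for the message e(g,g)^m in G_T."""
    h1, h2, h3 = params["h"]
    s, r = secrets.randbelow(P), secrets.randbelow(P)
    u = s * (params["g1"] - ID) % P      # g_1^s g^{-s ID} = g^{s(alpha-ID)}
    v = s                                # e(g,g)^s
    w = (m - s * (h3 + r * h1)) % P      # m * e(g, h_3 h_1^r)^{-s}
    beta = H(u, v, w, r)
    y = s * (h2 + beta * h3) % P         # e(g, h_2 h_3^beta)^s
    return (u, v, w, r, y)


def decrypt(sk, C):
    u, v, w, r, y = C
    (r1, k1), (r2, k2), (r3, k3) = sk
    beta = H(u, v, w, r)
    # check y == e(u, h_{ID,2} h_{ID,3}^beta) * v^{r_2 + beta r_3}
    if (u * (k2 + beta * k3) + v * (r2 + beta * r3)) % P != y:
        return None                      # bottom: ciphertext rejected
    # m = w * e(u, h_{ID,3} h_{ID,1}^r) * v^{r_3 + r r_1}
    return (w + u * (k3 + r * k1) + v * (r3 + r * r1)) % P


def is_valid(alpha, ID, C):
    """Validity predicate of Section 3.2: v == e(u, g)^{1/(alpha-ID)}."""
    u, v = C[0], C[1]
    return v == u * pow((alpha - ID) % P, -1, P) % P


def claim1_identity(sk, C, m):
    """m / w == A * B^r with A = e(u,h_{ID,3}) v^{r_3}, B = e(u,h_{ID,1}) v^{r_1}."""
    u, v, w, r, _ = C
    (r1, k1), _, (r3, k3) = sk
    A = (u * k3 + v * r3) % P
    B = (u * k1 + v * r1) % P
    return (m - w) % P == (A + r * B) % P


def demo(ID=12345, m=777):
    """Constructed run: correctness, tamper rejection, invalid-ciphertext rejection."""
    params, alpha = setup()
    sk = keygen(params, alpha, ID)
    C = encrypt(params, ID, m)
    ok = decrypt(sk, C) == m and is_valid(alpha, ID, C)
    u, v, w, r, y = C
    tampered = decrypt(sk, (u, v, (w + 1) % P, r, y)) is None   # beta changes
    invalid = (u, secrets.randbelow(P), w, r, y)                 # v no longer matches u
    rejected = decrypt(sk, invalid) is None and not is_valid(alpha, ID, invalid)
    return ok, tampered, rejected, claim1_identity(sk, C, m)


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

Because the model exposes every exponent, `is_valid` can evaluate the validity predicate directly; in the real scheme only the simulator of Section 3.2, which knows $\alpha$, can do so, which is exactly why invalid ciphertexts are handled through the consistency check on $y$ rather than by testing $v$.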
3.1 Correctness
Assuming the ciphertext $C = (u, v, w, r, y)$ received by the recipient with identity $ID$ is well formed, we have
$e(u, h_{ID,2} h_{ID,3}^{\beta})\, v^{\,r_{ID,2} + r_{ID,3}\beta} = e\big(g^{s(\alpha - ID)}, (h_2 h_3^{\beta}\, g^{-(r_{ID,2} + r_{ID,3}\beta)})^{1/(\alpha - ID)}\big) \cdot e(g, g)^{s(r_{ID,2} + r_{ID,3}\beta)} = e(g, h_2 h_3^{\beta})^{s},$
where $\beta = H(u, v, w, r)$, and
$e(u, h_{ID,3} h_{ID,1}^{r})\, v^{\,r_{ID,3} + r_{ID,1} r} = e\big(g^{s(\alpha - ID)}, (h_3 h_1^{r}\, g^{-(r_{ID,3} + r_{ID,1} r)})^{1/(\alpha - ID)}\big) \cdot e(g, g)^{s(r_{ID,3} + r_{ID,1} r)} = e(g, h_3 h_1^{r})^{s}.$
Hence the check on $y$ passes and $w \cdot e(g, h_3 h_1^{r})^{s} = m$.

3.2 Security analysis
In this part, we prove that the above construction is semantically secure against $\ell$-bounded memory leakage and CCA2 attacks ($\ell$-leakage-resilient CCA2 secure), under the assumption that the truncated decisional $q$-ABDHE problem is hard.

Theorem 1. Under the hardness of the truncated decisional $q$-ABDHE problem with $q = q_{ID} + 2$, the above IBE scheme is $(\log p - \omega(\log \lambda))$-leakage-resilient CCA2 secure, where $q_{ID}$ denotes the maximum number of key generation queries made by the adversary, $p$ is the prime order of the underlying group, and $\lambda$ denotes the security parameter.

Proof. Suppose that there exists an adversary $\mathcal{A}$ that, making at most $q_{ID}$ key generation queries and at most $q_C$ decryption queries, breaks the $\ell$-LR-CCA2 security of the scheme presented above. Then we can use $\mathcal{A}$ as a subroutine to build an algorithm $\mathcal{B}$ that breaks the truncated decisional $q$-ABDHE assumption. On input a random truncated decisional $q$-ABDHE instance $(G, g', g'^{\alpha^{q+2}}, g, g^{\alpha}, \ldots, g^{\alpha^{q}}, Z)$, which is either from $P_{ABDHE}$ (i.e., $Z = e(g, g')^{\alpha^{q+1}}$) or from $R_{ABDHE}$ (i.e., $Z$ is a random element of $G_T$), $\mathcal{B}$ proceeds as follows.

Setup: For $i \in \{1,2,3\}$, $\mathcal{B}$ chooses a random polynomial $f_i(x)$ of degree $q$ from $\mathbb{Z}_p[x]$ and sets $h_i = g^{f_i(\alpha)}$, which can be computed from $(g, g^{\alpha}, \ldots, g^{\alpha^{q}})$. It publishes $\mathrm{params} = (G, g, g_1, h_1, h_2, h_3, H)$, where $H$ is chosen at random from a universal one-way hash function family $\mathcal{H}$ and $g_1 = g^{\alpha}$.

Phase 1: $\mathcal{A}$ may adaptively make three kinds of queries, each of which is simulated as follows.
Key generation queries: On input an identity $ID \in \mathbb{Z}_p$, if $ID = \alpha$ then $\mathcal{B}$ has learned $\alpha$ and can solve the truncated decisional $q$-ABDHE problem at once. Otherwise, $\mathcal{B}$ generates the private key $sk_{ID}$ as follows. Let $F_{ID,i}(x) = (f_i(x) - f_i(ID))/(x - ID)$, a polynomial of degree $q - 1$, and set $sk_{ID} = \{(r_{ID,i}, h_{ID,i})\}_{i \in \{1,2,3\}} = \{(f_i(ID), g^{F_{ID,i}(\alpha)})\}_{i \in \{1,2,3\}}$. This is a valid private key for $ID$ because
$g^{F_{ID,i}(\alpha)} = \big(g^{f_i(\alpha) - f_i(ID)}\big)^{1/(\alpha - ID)} = \big(h_i\, g^{-r_{ID,i}}\big)^{1/(\alpha - ID)},$
as required. Since the polynomials $f_i$ are fixed, repeated queries on the same $ID$ yield the same key, as the scheme requires.
Leakage queries: On input an efficient leakage function $L_i : \{0,1\}^* \to \{0,1\}^{\lambda_i}$ for an identity $ID$, if $ID = \alpha$ the truncated decisional $q$-ABDHE problem can again be solved immediately by $\mathcal{B}$. Otherwise, $\mathcal{B}$ replies with $L_i(sk_{ID})$ if $\sum_{k=1}^{i} \lambda_k \le \ell$, and with $\bot$ otherwise.

Decryption queries: On input a ciphertext $(ID, C)$, $\mathcal{B}$ first generates the private key $sk_{ID}$ as in the key generation queries and then decrypts $C$ with it by running the usual $\mathsf{Decrypt}$ algorithm, returning the result.

Challenge: $\mathcal{A}$ outputs two equal-length messages $m_0, m_1$ and a challenge identity $ID^*$. If $ID^* = \alpha$, $\mathcal{B}$ can solve the truncated decisional $q$-ABDHE problem using $\alpha$. Otherwise, $\mathcal{B}$ picks $b \leftarrow \{0,1\}$, generates a private key $sk_{ID^*} = \{(r_{ID^*,i}, h_{ID^*,i})\}$ for $ID^*$ as above, and produces the challenge ciphertext as follows. Let $f_4(x) = x^{q+2}$ and compute the polynomial $F_{4,ID^*}(x) = (f_4(x) - f_4(ID^*))/(x - ID^*)$ of degree $q + 1$, writing $F_{4,ID^*,i}$ for the coefficient of $x^{i}$ in $F_{4,ID^*}(x)$. Then set
$u^* = g'^{\,f_4(\alpha) - f_4(ID^*)},\qquad v^* = Z \cdot e\Big(g', \prod_{i=0}^{q} g^{F_{4,ID^*,i}\,\alpha^{i}}\Big),$
$w^* = m_b \big/ \Big(e(u^*, h_{ID^*,3} h_{ID^*,1}^{r^*})\, v^{*\,r_{ID^*,3} + r_{ID^*,1} r^*}\Big),$
where $r^*$ is chosen at random from $\mathbb{Z}_p$ (note that $u^*$ is computable from $g'$ and $g'^{\alpha^{q+2}}$, and the product in $v^*$ only involves powers $\alpha^{i}$ with $i \le q$). Subsequently, $y^* = e(u^*, h_{ID^*,2} h_{ID^*,3}^{\beta^*})\, v^{*\,r_{ID^*,2} + r_{ID^*,3}\beta^*}$ with $\beta^* = H(u^*, v^*, w^*, r^*)$. Finally, $C^* = (u^*, v^*, w^*, r^*, y^*)$ is sent to $\mathcal{A}$.

Phase 2: As Phase 1, except that no leakage queries, no key generation queries on $ID^*$ and no decryption queries on $(ID^*, C^*)$ are allowed.

Guess: $\mathcal{A}$ outputs a guess $b'$ of $b$, and $\mathcal{B}$ checks whether $b' = b$. If so, it outputs 1, indicating that the instance is from $P_{ABDHE}$ (i.e., $Z = e(g, g')^{\alpha^{q+1}}$); otherwise, it outputs 0.

Lemma 3. If the challenge instance $(G, g', g'^{\alpha^{q+2}}, g, g^{\alpha}, \ldots, g^{\alpha^{q}}, Z)$ is from $P_{ABDHE}$ (i.e., $Z = e(g, g')^{\alpha^{q+1}}$), the view of $\mathcal{A}$ is identical to that in the actual attack.

Proof. It is clear that the public parameters in the simulation are, from the adversary's point of view, distributed identically to those of the actual construction: $g$, $\alpha$ and the polynomials $f_i(x)$, $i \in \{1,2,3\}$, are all chosen uniformly at random, so $h_1, h_2, h_3$ are uniformly distributed and the public parameters have the proper distribution. The challenge ciphertext also has the correct distribution when the input of $\mathcal{B}$ is from $P_{ABDHE}$, that is, $Z = e(g, g')^{\alpha^{q+1}}$. Indeed, in this case $u^* = g^{s^*(\alpha - ID^*)}$, $v^* = e(g, g)^{s^*}$, $m_b / w^* = e(g, h_3 h_1^{r^*})^{s^*}$ and $y^* = e(g, h_2 h_3^{\beta^*})^{s^*}$, where $s^*$ is implicitly set to $(\log_g g')\, F_{4,ID^*}(\alpha)$. Moreover, $s^*$ is uniformly random because $\log_g g'$ is, and $r^*$ is uniformly random, so $(u^*, v^*, w^*, r^*, y^*)$ is a valid and properly distributed ciphertext for $(ID^*, m_b)$ with randomness $s^*$ and $r^*$. Finally, by an analysis similar to [5], the private keys returned to $\mathcal{A}$ in the simulation are all appropriately distributed from the adversary's view, since the degree-$q$ polynomials $f_i(x)$, $i \in \{1,2,3\}$, are chosen uniformly at random from $\mathbb{Z}_p[x]$.

Lemma 4. If the challenge instance $(G, g', g'^{\alpha^{q+2}}, g, g^{\alpha}, \ldots, g^{\alpha^{q}}, Z)$ is from $R_{ABDHE}$ (i.e., $Z$ is a random element of $G_T$), the adversary $\mathcal{A}$ has only a negligible advantage in outputting the correct bit $b$.

The lemma follows from the following two claims. In what follows, a ciphertext $C = (u, v, w, r, y)$ for $ID$ is called invalid if $v \ne e(u, g)^{1/(\alpha - ID)}$.

Claim 1. If all invalid ciphertexts are rejected by the decryption oracle, then $\mathcal{A}$ outputs the correct bit $b$ with only a negligible advantage.

Proof. If all the invalid ciphertexts queried by $\mathcal{A}$ are rejected by the decryption oracle, then $\mathcal{A}$ gains no further information about the private key from it. The only information about the private key available to $\mathcal{A}$ consists of the evaluations of $(f_1(x), f_2(x), f_3(x))$ at the point $\alpha$ (from the public parameters) and at the $q_{ID}$ identities queried to the key generation oracle, the $\ell$-bit leakage on the private key, and the challenge ciphertext $C^* = (u^*, v^*, w^*, r^*, y^*)$ for $ID^*$. The information from the public parameters and the key generation queries can be written as
$f_i(ID_j) = r_{ID_j, i}\ \text{for } j \in \{1, \ldots, q_{ID}\},\qquad g^{f_i(\alpha)} = h_i,\qquad i \in \{1,2,3\}. \quad (1)$
Hence the secret vector $\vec{f} = (f_{1,0}, \ldots, f_{1,q}, f_{2,0}, \ldots, f_{2,q}, f_{3,0}, \ldots, f_{3,q})$, $f_{i,j}$ being the coefficient of $x^{j}$ in $f_i(x)$, satisfies the following matrix product:

$\vec{f}^{\,\top} \begin{pmatrix} V & 0 & 0 \\ 0 & V & 0 \\ 0 & 0 & V \end{pmatrix} = \big(r_{ID_1,1}, \ldots, r_{ID_{q_{ID}},1}, \log_g h_1,\ r_{ID_1,2}, \ldots, r_{ID_{q_{ID}},2}, \log_g h_2,\ r_{ID_1,3}, \ldots, r_{ID_{q_{ID}},3}, \log_g h_3\big),$
where $\top$ denotes transposition and $V$ is the $(q+1) \times (q_{ID}+1)$ Vandermonde block
$V = \begin{pmatrix} 1 & \cdots & 1 & 1 \\ ID_1 & \cdots & ID_{q_{ID}} & \alpha \\ \vdots & & \vdots & \vdots \\ ID_1^{\,q} & \cdots & ID_{q_{ID}}^{\,q} & \alpha^{q} \end{pmatrix}.$
In addition, from the challenge ciphertext $C^* = (u^*, v^*, w^*, r^*, y^*)$ we obtain
$e(u^*, h_{ID^*,3})\, v^{*\,r_{ID^*,3}} = A,\qquad e(u^*, h_{ID^*,1})\, v^{*\,r_{ID^*,1}} = B,\qquad e(u^*, h_{ID^*,2} h_{ID^*,3}^{\beta^*})\, v^{*\,r_{ID^*,2} + r_{ID^*,3}\beta^*} = y^*. \quad (2)$
Let $a_{u^*} = \log_g u^* / (\alpha - ID^*)$, so that $u^* = g^{a_{u^*}(\alpha - ID^*)}$ and $C^*$ is valid exactly when $a_{v^*} = a_{u^*}$, and let $a_{v^*} = \log_{e(g,g)} v^*$ and $a_{y^*} = \log_{e(g,g)} y^*$. Then system (2) is equivalent to
$a_{u^*}(\alpha - ID^*)\log_g h_{ID^*,3} + a_{v^*}\, r_{ID^*,3} = \log_{e(g,g)} A,$
$a_{u^*}(\alpha - ID^*)\log_g h_{ID^*,1} + a_{v^*}\, r_{ID^*,1} = \log_{e(g,g)} B,$
$a_{u^*}(\alpha - ID^*)\big(\log_g h_{ID^*,2} + \beta^* \log_g h_{ID^*,3}\big) + a_{v^*}\big(r_{ID^*,2} + \beta^* r_{ID^*,3}\big) = a_{y^*}. \quad (3)$
Combining with the following equations (4), which come from the generation of the private key,
$\log_g h_i = (\alpha - ID^*)\log_g h_{ID^*,i} + r_{ID^*,i},\qquad i \in \{1,2,3\}, \quad (4)$
equation (3) can be rephrased as
$a_{u^*}\log_g h_3 + (a_{v^*} - a_{u^*})\, r_{ID^*,3} = \log_{e(g,g)} A,$
$a_{u^*}\log_g h_1 + (a_{v^*} - a_{u^*})\, r_{ID^*,1} = \log_{e(g,g)} B,$
$a_{u^*}\big(\log_g h_2 + \beta^* \log_g h_3\big) + (a_{v^*} - a_{u^*})\big(r_{ID^*,2} + \beta^* r_{ID^*,3}\big) = a_{y^*}.$
Since $r_{ID^*,i} = f_i(ID^*)$, writing $\vec{v}^* = (1, ID^*, \ldots, ID^{*q})^{\top}$ this means that $\vec{f}$ also satisfies the matrix product
$\vec{f}^{\,\top} \begin{pmatrix} 0 & \vec{v}^* & 0 \\ 0 & 0 & \vec{v}^* \\ \vec{v}^* & 0 & \beta^* \vec{v}^* \end{pmatrix} = \Big(\frac{\log_{e(g,g)} A - a_{u^*}\log_g h_3}{a_{v^*} - a_{u^*}},\ \frac{\log_{e(g,g)} B - a_{u^*}\log_g h_1}{a_{v^*} - a_{u^*}},\ \frac{a_{y^*} - a_{u^*}(\log_g h_2 + \beta^*\log_g h_3)}{a_{v^*} - a_{u^*}}\Big). \quad (5)$
(The denominators are non-zero because, with $Z$ random, $C^*$ is invalid except with negligible probability.)

In what follows, we show that $m_b / w^*$ is in fact the output of a $(2\log p, \delta)$-extractor on input $A = e(u^*, h_{ID^*,3})\, v^{*\,r_{ID^*,3}}$ and $B = e(u^*, h_{ID^*,1})\, v^{*\,r_{ID^*,1}}$. Combining the matrix products derived from (1) and (5), we obtain the following coefficient matrix:

[coefficient matrix $M$ of size $(3q+3) \times 3q$, derived from equation systems () and (5); its columns are built from the powers of the queried identities $ID_1, \dots, ID_{q_{ID}}$ and of $ID^*$, the last of them weighted by $\beta^*$; the entries did not survive extraction]

It is easy to prove that the columns of the $(3q+3) \times 3q$ coefficient matrix above, denoted by $M$, are linearly independent, where $q = q_{ID} + 2$. Specifically, let $\vec{v}_1, \vec{v}_2, \dots, \vec{v}_{3q}$ be the $3q$ columns of $M$. Suppose that they are linearly dependent; then there must be $3q$ integers $a_1, a_2, \dots, a_{3q}$, at least one of which is nonzero, such that $a_1 \vec{v}_1 + a_2 \vec{v}_2 + \cdots + a_{3q} \vec{v}_{3q} = 0$. From this equation, we have $a_1 \vec{v}'_1 + a_2 \vec{v}'_2 + \cdots + a_q \vec{v}'_q + a_{3q} \vec{v}'_{3q} = 0$, where $\vec{v}'_i$ consists of the first $q+1$ components of the column $\vec{v}_i$ for $i \in \{1, 2, \dots, q, 3q\}$. Because the columns $\vec{v}'_1, \vec{v}'_2, \dots, \vec{v}'_q, \vec{v}'_{3q}$ constitute a Vandermonde matrix, we get that $a_1 = a_2 = \cdots = a_q = a_{3q} = 0$. Similarly, we obtain $a_{q+1} = \cdots = a_{2q-2} = a_{3q-1} = 0$ and $a_{2q-1} = \cdots = a_{3q-3} = (a_{3q-2} + \beta^* a_{3q-1}) = 0$. Through these equations, it is easy to get that $a_1 = a_2 = \cdots = a_{3q} = 0$, which is a contradiction.

Then, through the equation system derived from () and (5), $\vec{f} M = \vec{v}$, where
$$\vec{v} = \Big(r_{ID_1,1}, \dots, r_{ID_{q_{ID}},1}, \log_g h_1,\; r_{ID_1,2}, \dots, r_{ID_{q_{ID}},2}, \log_g h_2,\; r_{ID_1,3}, \dots, r_{ID_{q_{ID}},3}, \log_g h_3,\; \frac{\log_{e(g,g)} A - \frac{a_{u^*}}{\alpha - ID^*}\log_g h_3}{a_{v^*} - \frac{a_{u^*}}{\alpha - ID^*}},\; \frac{\log_{e(g,g)} B - \frac{a_{u^*}}{\alpha - ID^*}\log_g h_1}{a_{v^*} - \frac{a_{u^*}}{\alpha - ID^*}},\; \frac{a_{y^*} - \frac{a_{u^*}}{\alpha - ID^*}(\log_g h_2 + \beta^* \log_g h_3)}{a_{v^*} - \frac{a_{u^*}}{\alpha - ID^*}}\Big),$$
we get that for each $(A, B) \in G_T \times G_T$, the equation system has a three-dimensional solution space for $\vec{f}$, and that, even given $(h_1, h_2, h_3, (sk_1, sk_2, \dots, sk_{q_{ID}}), y^*)$, $(A, B)$ is still uniformly distributed over $G_T \times G_T$. Hence, we obtain
$$\tilde{H}_\infty\big((A, B) \mid h_1, h_2, h_3, sk_1, sk_2, \dots, sk_{q_{ID}}, y^*\big) = 2 \log p.$$
Besides the knowledge above, the adversary also obtains at most $\lambda$ bits of leakage on the private key. Thus, from the adversary's point of view, we have
$$\tilde{H}_\infty\big((A, B) \mid h_1, h_2, h_3, sk_1, sk_2, \dots, sk_{q_{ID}}, y^*, \lambda\text{-bit leakage}\big) \ge 2 \log p - \lambda,$$
where the inequality follows from Lemma 1. Moreover, from the construction of the ciphertext $C^* = (u^*, v^*, w^*, r^*, y^*)$, we have
$$m_b/w^* = e\big(u^*, h_{ID^*,3} h_{ID^*,1}^{r^*}\big)\, v^{*(r_{ID^*,3} + r_{ID^*,1} r^*)} = \big(e(u^*, h_{ID^*,3})\, v^{*\, r_{ID^*,3}}\big)\big(e(u^*, h_{ID^*,1})\, v^{*\, r_{ID^*,1}}\big)^{r^*} = h_{r^*}(A, B).$$
According to the definition of a universal hash function (see Example 2, with $t = 1$), $m_b/w^*$ is the output of the universal hash $h_{r^*}(A, B) = A B^{r^*}$ with $A$ and $B$ as input. By the generalized leftover hash lemma, the statistical distance between $w^*$ and $w$ is
$$SD(w^*, w) \le \frac{1}{2}\sqrt{\frac{2^{\lambda} \cdot p}{p^2}} = \frac{1}{2}\sqrt{\frac{2^{\lambda}}{p}} = \delta,$$
where $w$ is chosen uniformly at random from $G_T$. The strong randomness extractor then guarantees that the part $w^*$ of the challenge ciphertext that depends on the random bit $b$ is, even given the adversary $\mathcal{A}$'s view, $\delta$-close to uniform on $G_T$, where $\delta$ is negligible. From the condition $\log |Y| \le l - 2\log(1/\delta) + 2$ satisfied by the $(l, \delta)$-extractor $\mathrm{Ext}: X \times K \to Y$, we obtain $\lambda \le \log p - 2\log(1/\delta) + 2$.

Claim 2. All the invalid ciphertexts are rejected by the decryption oracle, except with negligible probability.

Proof. Suppose that the adversary $\mathcal{A}$ submits a ciphertext $(u', v', w', r', y')$ for an unqueried identity $ID'$ to the decryption oracle, where the ciphertext $(u', v', w', r', y')$ is invalid and the tuple $(u', v', w', r', y', ID')$ is not equal to $(u^*, v^*, w^*, r^*, y^*, ID^*)$. In the following, let $\{(r_{ID',i}, h_{ID',i}) : i \in \{1, 2, 3\}\}$ be the private key for the identity $ID'$. For the invalid ciphertext to be accepted, it must satisfy $y' = e(u', h_{ID',2} h_{ID',3}^{\beta'})\, v'^{(r_{ID',2} + r_{ID',3}\beta')}$, which is equivalent to
$$a_{y'} = a_{u'}\big(\log_g h_{ID',2} + \beta' \log_g h_{ID',3}\big) + a_{v'}\big(r_{ID',2} + \beta' r_{ID',3}\big), \quad (6)$$
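The universal-hash and leftover-hash-lemma step above, as an added example (not the paper's code) over a tiny constructed prime so that every distribution can be enumerated exactly: it verifies by brute force that $h_r(A, B) = A B^{r}$ is universal, and compares the exact statistical distance of its output from uniform, after conditioning the input $(A, B)$ on a leakage-restricted subset, with the generalized leftover hash lemma bound. $G_T$ is modelled by its exponents, so $A B^r$ becomes $a + r b \pmod p$; the prime $p = 7$ and the leakage function (which reveals $A$ entirely) are constructed for the example.

```python
"""Brute-force check of the extractor step in Claim 1: the family
h_r(A, B) = A * B^r on G_T x G_T is universal, so by the generalized leftover
hash lemma its output stays close to uniform after lambda bits of leakage.

Added illustration, not the paper's code.  G_T is modelled by exponents mod a
tiny constructed prime so every distribution can be enumerated exactly:
A * B^r becomes a + r*b (mod p) and the seed r ranges over Z_p.
"""
import math
from fractions import Fraction
from itertools import product

P = 7   # constructed tiny prime (assumption); G_T x G_T has only 49 elements


def h(r: int, a: int, b: int) -> int:
    """h_r(A, B) = A * B^r in the exponent: a + r*b mod p."""
    return (a + r * b) % P


def max_collision_prob() -> Fraction:
    """max over x != x' of Pr_r[h_r(x) = h_r(x')]; universality means <= 1/p."""
    inputs = list(product(range(P), repeat=2))
    worst = Fraction(0)
    for x in inputs:
        for x2 in inputs:
            if x != x2:
                coll = sum(1 for r in range(P) if h(r, *x) == h(r, *x2))
                worst = max(worst, Fraction(coll, P))
    return worst


def stat_distance(support) -> Fraction:
    """SD((r, h_r(X)), (r, U)) for X uniform on `support` and r uniform on Z_p.
    Restricting X to a subset models what leakage leaves: H_inf(X) = log2(len(support))."""
    counts = {}
    for r in range(P):
        for a, b in support:
            key = (r, h(r, a, b))
            counts[key] = counts.get(key, 0) + 1
    total = P * len(support)
    uniform = Fraction(1, P * P)
    sd = Fraction(0)
    for r in range(P):
        for y in range(P):
            sd += abs(Fraction(counts.get((r, y), 0), total) - uniform)
    return sd / 2


def lhl_bound(support_size: int) -> float:
    """Generalized LHL: SD <= 1/2 * sqrt(|Y| * 2^{-H_inf}) with |Y| = p."""
    return 0.5 * math.sqrt(P / support_size)


def leakage_experiment(fixed_a: int):
    """Constructed leakage function that reveals A entirely (log2 p of the 2 log2 p bits):
    the adversary's conditional view of (A, B) is {(fixed_a, b) : b in Z_p}.
    Returns (exact SD, LHL bound); the SD never exceeds the bound."""
    support = [(fixed_a, b) for b in range(P)]
    return stat_distance(support), lhl_bound(len(support))
```

With no leakage (the full $p^2$-element support) the statistical distance is exactly $0$; leaking all of $A$ leaves $\log p$ bits of min-entropy and the exact distance $6/49$ sits well below the lemma's bound of $1/2$, which is the regime the condition $\lambda \le \log p - 2\log(1/\delta) + 2$ describes.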

where $\beta'$, $a_{u'}$, $a_{v'}$, and $a_{y'}$ equal $H(u', v', w', r')$, $\log_g u'$, $\log_{e(g,g)} v'$ and $\log_{e(g,g)} y'$, respectively. In order to bound the probability of $\mathcal{A}$ generating such a $y'$, we next consider the distribution of the private key for $ID'$ from the adversary's point of view. According to the private key's construction, the private key $\{(r_{ID',i}, h_{ID',i}) : i \in \{1, 2, 3\}\}$ satisfies the following equations:
$$\log_g h_1 = (\alpha - ID')\log_g h_{ID',1} + r_{ID',1}, \quad \log_g h_2 = (\alpha - ID')\log_g h_{ID',2} + r_{ID',2}, \quad \log_g h_3 = (\alpha - ID')\log_g h_{ID',3} + r_{ID',3}. \quad (7)$$
Combined with equations (7), equation (6) can be rephrased as
$$a_{y'} = \frac{a_{u'}}{\alpha - ID'}\big(\log_g h_2 + \beta' \log_g h_3\big) + \Big(a_{v'} - \frac{a_{u'}}{\alpha - ID'}\Big)\big(r_{ID',2} + \beta' r_{ID',3}\big),$$
where $a_{v'} - \frac{a_{u'}}{\alpha - ID'} \ne 0$, because the ciphertext $(u', v', w', r', y')$ is invalid. Recall that in the simulation $r_{ID,i}$ is generated by computing $f_i(ID)$ for each identity, in contrast to the actual construction, where each $r_{ID,i}$ is picked uniformly at random and independently. Therefore, the adversary $\mathcal{A}$ could conceivably obtain some information regarding $(r_{ID',1}, r_{ID',2}, r_{ID',3})$ from its information regarding $f_1(x)$, $f_2(x)$ and $f_3(x)$. In the following, we denote the simulator's secret vector $(f_{1,0}, f_{1,1}, \dots, f_{1,q}, f_{2,0}, f_{2,1}, \dots, f_{2,q}, f_{3,0}, f_{3,1}, \dots, f_{3,q})$ by $\vec{f}$ and the identity vector $(1, ID', ID'^2, \dots, ID'^q)$ by $\vec{ID'}$, where $f_{i,j}$ denotes the coefficient of $x^j$ in $f_i(x)$. Then we rephrase the equation above and obtain the following version:
$$a_{y'} = \frac{a_{u'}}{\alpha - ID'}\big(\log_g h_2 + \beta' \log_g h_3\big) + \Big(a_{v'} - \frac{a_{u'}}{\alpha - ID'}\Big)\, \vec{f} \cdot \big(\vec{0} \,\|\, \vec{ID'} \,\|\, \beta' \vec{ID'}\big), \quad (9)$$
where $\cdot$ and $\|$ denote the dot product and the concatenation of the coordinates of $\vec{0}$, $\vec{ID'}$ and $\beta'\vec{ID'}$, respectively.

Prior to submitting the first invalid ciphertext, $\mathcal{A}$ is given the public parameters $(G, g, g_1, h_1, h_2, h_3, H)$, the challenge ciphertext $(u^*, v^*, w^*, r^*, y^*)$ for $ID^*$, the answers $\{(r_{ID_i,j}, h_{ID_i,j}) : i \in \{1, 2, \dots, q_{ID}\}, j \in \{1, 2, 3\}\}$ to the $q_{ID}$ key generation queries on identities $(ID_1, \dots, ID_{q_{ID}})$, the $\lambda$-bit leakage on the private key, and the answers to the decryption queries on valid ciphertexts. It could gain information regarding $(f_1(x), f_2(x), f_3(x))$ from the evaluations of these values, but not from the valid ciphertext queries: submitting a valid ciphertext to the decryption oracle only lets the adversary $\mathcal{A}$ learn linear combinations of $\log_g h_1$, $\log_g h_2$ and $\log_g h_3$, which are already known from the public parameters. Ignoring the $\lambda$-bit leakage for now, the knowledge gained by $\mathcal{A}$ can be represented as follows:
$$\begin{cases} f_1(ID_i) = r_{ID_i,1} \text{ for } i \in \{1, 2, \dots, q_{ID}\}, & g^{f_1(\alpha)} = h_1, \\ f_2(ID_i) = r_{ID_i,2} \text{ for } i \in \{1, 2, \dots, q_{ID}\}, & g^{f_2(\alpha)} = h_2, \\ f_3(ID_i) = r_{ID_i,3} \text{ for } i \in \{1, 2, \dots, q_{ID}\}, & g^{f_3(\alpha)} = h_3, \\ e\big(u^*, h_{ID^*,2} h_{ID^*,3}^{\beta^*}\big)\, v^{*(r_{ID^*,2} + r_{ID^*,3}\beta^*)} = y^*, \\ e\big(u^*, h_{ID^*,3} h_{ID^*,1}^{r^*}\big)\, v^{*(r_{ID^*,3} + r_{ID^*,1} r^*)} = m_b/w^*. \end{cases} \quad (10)$$
From the preceding text, it is easy to get the coefficient matrix $V$ of the matrix product corresponding to equation system (10):

[coefficient matrix $V$ with $3(q+1)$ rows and $3q_{ID} + 5$ columns; the columns are built from the powers of $ID_1, \dots, ID_{q_{ID}}$, of $\alpha$ and of $ID^*$, the last two columns weighted by $r^*$ and $\beta^*$; the entries did not survive extraction]

where the first $3q_{ID} + 3$ columns of $V$ correspond to the public terms $h_1, h_2, h_3$ and the $q_{ID}$ key generation queries asked by the adversary $\mathcal{A}$, and the last two columns correspond to the challenge ciphertext for $ID^*$. In particular, from the challenge ciphertext $(u^*, v^*, w^*, r^*, y^*)$, we know that

$$\begin{cases} e\big(u^*, h_{ID^*,2} h_{ID^*,3}^{\beta^*}\big)\, v^{*(r_{ID^*,2} + r_{ID^*,3}\beta^*)} = y^*, \\ e\big(u^*, h_{ID^*,3} h_{ID^*,1}^{r^*}\big)\, v^{*(r_{ID^*,3} + r_{ID^*,1} r^*)} = m_b/w^*. \end{cases} \quad (11)$$
Combining with the following equations derived from the construction of the private key for $ID^*$,
$$\log_g h_1 = (\alpha - ID^*)\log_g h_{ID^*,1} + r_{ID^*,1}, \quad \log_g h_2 = (\alpha - ID^*)\log_g h_{ID^*,2} + r_{ID^*,2}, \quad \log_g h_3 = (\alpha - ID^*)\log_g h_{ID^*,3} + r_{ID^*,3}, \quad (12)$$
they can be rephrased as
$$\begin{cases} \dfrac{a_{u^*}}{\alpha - ID^*}\big(\log_g h_2 + \beta^* \log_g h_3\big) + \Big(a_{v^*} - \dfrac{a_{u^*}}{\alpha - ID^*}\Big)\big(r_{ID^*,2} + \beta^* r_{ID^*,3}\big) = a_{y^*}, \\ \dfrac{a_{u^*}}{\alpha - ID^*}\big(r^* \log_g h_1 + \log_g h_3\big) + \Big(a_{v^*} - \dfrac{a_{u^*}}{\alpha - ID^*}\Big)\big(r^* r_{ID^*,1} + r_{ID^*,3}\big) = \log_{e(g,g)}(m_b/w^*), \end{cases} \quad (13)$$
where $a_{u^*} = \log_g u^*$, $a_{v^*} = \log_{e(g,g)} v^*$ and $a_{y^*} = \log_{e(g,g)} y^*$, from which the last two columns of $V$ are obtained. Beyond that, the adversary learns at most $\lambda$ bits of leakage on the private key. Now, there are three cases to consider:

1. $(u', v', w', r') = (u^*, v^*, w^*, r^*)$: If this happens, we have $\beta' = \beta^*$. When $ID' = ID^*$ and $y' \ne y^*$, the decryption oracle certainly rejects the ciphertext. When $ID' \ne ID^*$, for the decryption oracle to accept the invalid ciphertext, the adversary $\mathcal{A}$ must generate a $y'$ that satisfies equation (9). However, it is not hard to see that the vector $(\vec{0} \,\|\, \vec{ID'} \,\|\, \beta'\vec{ID'})^\top$ corresponding to equation (9) and the columns of $V$ in $\mathbb{Z}_p^{3(q+1)}$ are linearly independent, where $\top$ denotes matrix transposition. That is, the new matrix $V' = \big(V, (\vec{0} \,\|\, \vec{ID'} \,\|\, \beta'\vec{ID'})^\top\big)$ has full column rank. Thus, for each $y' \in G_T$, the equation system with coefficient matrix $V'$, obtained by combining (9) with (10), has a three-dimensional solution space for $\vec{f}$, and $y'$ is uniformly distributed over $G_T$, even conditioned on the adversary $\mathcal{A}$'s view excluding the $\lambda$-bit leakage. Hence, ignoring the leakage on the private key for the time being, the adversary can guess a correct $y'$ with probability $1/p$, even given the public parameters params, the key generation queries on $(ID_1, \dots, ID_{q_{ID}})$, and the challenge ciphertext $(u^*, v^*, w^*, r^*, y^*)$ for $ID^*$. Now, taking the $\lambda$-bit leakage into account, we have $\tilde{H}_\infty(y' \mid \mathrm{view}) \ge \log p - \lambda$, where view denotes the adversary's whole view prior to submitting the first invalid ciphertext to the decryption oracle. According to the definition of average min-entropy, this implies that the adversary $\mathcal{A}$ generates a correct $y'$ with probability at most $2^{-\tilde{H}_\infty(y' \mid \mathrm{view})} \le 2^{\lambda}/p$. Thus, the first invalid ciphertext is accepted by the decryption oracle with probability at most $2^{\lambda}/p$. For all subsequent invalid ciphertext queries, an almost identical argument holds. The probability that the decryption oracle accepts the $i$-th invalid ciphertext is at most $2^{\lambda}/(p - i + 1) \le 2^{\lambda}/(p - q_c)$, where $q_c$ is the total number of decryption queries. Therefore, the probability that at least one of the invalid ciphertexts is accepted is at most $2^{\lambda} q_c/(p - q_c)$, which is negligible. This follows from the restriction $\lambda \le \log p - \omega(\log \kappa)$ and from the fact that $q_c$ is polynomial.

2. $(u', v', w', r') \ne (u^*, v^*, w^*, r^*)$ and $\beta' = \beta^*$: If this happens, it violates the universal one-wayness of the hash function $H$. A rigorous argument can be made analogously to that for the Cramer-Shoup cryptosystem [25].

3. $(u', v', w', r') \ne (u^*, v^*, w^*, r^*)$ and $\beta' \ne \beta^*$: If this happens, to pass the decryption check, $\mathcal{A}$ must generate a $y'$ for $ID'$ that satisfies equation (9). When $ID' \ne ID^*$, $\mathcal{A}$ can do this only with negligible probability, for essentially the same reason as discussed in case 1. When $ID' = ID^*$, the vector $(\vec{0} \,\|\, \vec{ID'} \,\|\, \beta'\vec{ID'})^\top$ and the columns of $V$ are also linearly independent because $\beta' \ne \beta^*$. Similar to the analysis of the first case, $\mathcal{A}$ can guess $y'$ correctly in this case only with negligible probability.

Combining the previous lemmas, we complete the proof of Theorem 1.

Remark 1. Due to the underlying design rationale, we can also obtain other variants of our proposal, such as $w = m\, e(g, h_2)^s e(g, h_1)^{sr}$, $y = e(g, h_2)^s e(g, h_3)^{s\beta}$, $w = m\, e(g, h_2 h_3)^s e(g, h_1)^{sr}$, and $y = e(g, h_1 h_2)^s e(g, h_3)^{s\beta}$.

In this section, a new CCA secure leakage-resilient IBE scheme has been presented based on Gentry's IBE. This new scheme can encrypt a longer message and tolerate a larger amount of secret key leakage than the existing CCA schemes. Moreover, it overcomes the undesirable drawback of the scheme of Alwen et al. [9]. However, as with the scheme of Alwen et al., the leakage ratio (the amount of leakage divided by the bit size of the secret key) in this new construction is still very low, reaching only 1/6. To improve this important parameter and allow relatively more secret information to leak, we present a second construction in the following part.

4 CONCRETE CONSTRUCTION 2

To achieve a higher leakage ratio, we present the second construction in this section. The new construction is proved fully CCA2 secure under the assumption that the $q$-ABDHE problem is intractable. The new proposal mainly includes four algorithms, each of which is described as follows:

Setup($\kappa$): Taking as input the security parameter $\kappa$, the PKG generates the system parameters as follows. First, it randomly chooses an element $\alpha$ from $\mathbb{Z}_p$ and generators $g, h_1, h_2$ from $G$. It also chooses a hash function $H$ from a universal one-way hash function family $\mathcal{H}$ and an average-case $(\log p - \lambda, \delta)$-strong extractor $\mathrm{Ext}: G_T \times \{0,1\}^d \to \{0,1\}^m$, where $\delta$ is a negligible function of the security parameter and $\lambda \le \log p - m - \omega(\log \kappa)$. It then sets the master secret key msk and the public parameters params as follows: $\mathrm{msk} = \alpha$, $\mathrm{params} = (G, g, g_1 = g^{\alpha}, h_1, h_2, H, \mathrm{Ext})$.

KeyGen(params, ID, msk): On input params, msk and an identity $ID \in \mathbb{Z}_p$, the private key $sk_{ID}$ for $ID$ is generated as follows. First, the PKG randomly chooses $r_{ID,i} \in \mathbb{Z}_p$ for $i \in \{1, 2\}$ and computes $h_{ID,i} = \big(h_i\, g^{-r_{ID,i}}\big)^{1/(\alpha - ID)}$, and then outputs the corresponding private key $sk_{ID} = \{(r_{ID,i}, h_{ID,i})\}$ for $i \in \{1, 2\}$. In case $ID = \alpha$, the PKG aborts. The private key for the same $ID$ is required to be generated using the same values $r_{ID,i}$ for $i \in \{1, 2\}$.

Encrypt(params, m, ID): Taking as input params, $ID$ and a message $m \in \{0,1\}^m$, the sender generates the ciphertext for $ID$ as follows. It first picks $s \in \mathbb{Z}_p$ and $r \in \{0,1\}^d$ uniformly at random and independently, and then outputs the ciphertext $C = (u, v, w, r, y)$, where
$$u = g_1^{s} g^{-s\, ID}, \quad v = e(g, g)^s, \quad w = m \oplus \mathrm{Ext}\big(e(g, h_2)^s, r\big), \quad y = e\big(g, h_1 h_2^{\beta}\big)^s,$$
with $\beta = H(u, v, w, r)$.

Decrypt(params, $sk_{ID}$, C): Receiving the ciphertext $C = (u, v, w, r, y)$, the recipient uses its private key $sk_{ID}$ to decrypt $C$ as follows. It first computes $\beta = H(u, v, w, r)$ and then checks whether $y = e\big(u, h_{ID,1} h_{ID,2}^{\beta}\big)\, v^{r_{ID,1} + r_{ID,2}\beta}$. If so, it outputs $m = w \oplus \mathrm{Ext}\big(e(u, h_{ID,2})\, v^{r_{ID,2}}, r\big)$; otherwise, it outputs $\bot$.
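The four algorithms above, as an added example written for this edit and not taken from the paper: an exponent-level model of Construction 2 in Python. It assumes a toy prime order $p$, a 32-byte message length, a 16-byte extractor seed, SHA-256 in place of both the universal one-way hash $H$ and the extractor $\mathrm{Ext}$, and the identity value 42; group elements are held as their discrete logarithms, so the pairing is a product of exponents and the model has no security value, but it lets one check the correctness equations of Section 4.1 and watch the decryption check reject a ciphertext that is invalid in the sense used by the proof ($v \ne e(u, g)^{1/(\alpha - ID)}$).

```python
"""Exponent-level model of Construction 2 (Setup, KeyGen, Encrypt, Decrypt).

Added illustration, not the paper's code.  Elements of G are stored as discrete
logs base g and elements of G_T as discrete logs base e(g, g), so the symmetric
pairing e(g^a, g^b) = e(g, g)^{ab} is a product of exponents.  Logs are public
here, so the model has no security value; it only checks the scheme's algebra.
"""
import hashlib
import secrets

P = (1 << 61) - 1   # constructed toy prime group order (assumption)
MSG_LEN = 32        # message length m = 256 bits (assumption)
SEED_LEN = 16       # extractor seed length d = 128 bits (assumption)


def inv(a: int) -> int:
    """Multiplicative inverse in Z_p."""
    return pow(a % P, P - 2, P)


def pair(a: int, b: int) -> int:
    """e(g^a, g^b) = e(g, g)^{ab} in the exponent model."""
    return a * b % P


def hash_beta(u: int, v: int, w: bytes, r: bytes) -> int:
    """beta = H(u, v, w, r); SHA-256 stands in for the UOWHF family H (assumption)."""
    data = u.to_bytes(8, "big") + v.to_bytes(8, "big") + w + r
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def ext(k: int, seed: bytes) -> bytes:
    """Ext: G_T x {0,1}^d -> {0,1}^m; SHA-256 models the strong extractor (assumption)."""
    return hashlib.sha256(k.to_bytes(8, "big") + seed).digest()[:MSG_LEN]


def setup():
    """msk = alpha; params = (g, g1 = g^alpha, h1, h2) as exponents (g itself is 1)."""
    alpha = 1 + secrets.randbelow(P - 1)
    params = {"g": 1, "g1": alpha, "h1": secrets.randbelow(P), "h2": secrets.randbelow(P)}
    return alpha, params


def keygen(alpha: int, params: dict, identity: int):
    """sk_ID = {(r_i, h_{ID,i})} with h_{ID,i} = (h_i g^{-r_i})^{1/(alpha - ID)}, i in {1, 2}."""
    if identity % P == alpha:
        raise ValueError("ID equals the master secret; the PKG aborts")
    d = inv(alpha - identity)
    sk = []
    for hi in (params["h1"], params["h2"]):
        r = secrets.randbelow(P)
        sk.append((r, (hi - r) * d % P))
    return sk


def encrypt(params: dict, identity: int, msg: bytes):
    """C = (u, v, w, r, y) as in the scheme, in exponent form."""
    assert len(msg) == MSG_LEN
    s = 1 + secrets.randbelow(P - 1)
    r = secrets.token_bytes(SEED_LEN)
    u = s * (params["g1"] - identity) % P                   # g1^s g^{-s ID} = g^{s(alpha - ID)}
    v = s                                                    # e(g, g)^s
    pad = ext(pair(params["g"], params["h2"]) * s % P, r)    # Ext(e(g, h2)^s, r)
    w = bytes(a ^ b for a, b in zip(msg, pad))               # m XOR pad
    beta = hash_beta(u, v, w, r)
    y = pair(params["g"], (params["h1"] + beta * params["h2"]) % P) * s % P  # e(g, h1 h2^beta)^s
    return (u, v, w, r, y)


def decrypt(sk, ct):
    """Check y == e(u, h_{ID,1} h_{ID,2}^beta) v^{r1 + r2 beta}; return m, or None for bottom."""
    (r1, h1d), (r2, h2d) = sk
    u, v, w, r, y = ct
    beta = hash_beta(u, v, w, r)
    if (pair(u, (h1d + beta * h2d) % P) + v * (r1 + beta * r2)) % P != y:
        return None
    key = (pair(u, h2d) + v * r2) % P                         # e(u, h_{ID,2}) v^{r_{ID,2}}
    return bytes(a ^ b for a, b in zip(w, ext(key, r)))


def is_invalid(alpha: int, identity: int, ct) -> bool:
    """The proof's notion: C is invalid for ID iff v != e(u, g)^{1/(alpha - ID)}."""
    u, v = ct[0], ct[1]
    return v != u * inv(alpha - identity) % P


def roundtrip(msg: bytes) -> bytes:
    """Honest Setup -> KeyGen -> Encrypt -> Decrypt for the constructed identity 42."""
    alpha, params = setup()
    return decrypt(keygen(alpha, params, 42), encrypt(params, 42, msg))


def tamper_demo(msg: bytes):
    """(honest ct invalid?, tampered ct invalid?, tampered ct rejected by Decrypt?)."""
    alpha, params = setup()
    sk = keygen(alpha, params, 42)
    ct = encrypt(params, 42, msg)
    u, v, w, r, y = ct
    bad = (u, (v + 1) % P, w, r, y)                           # breaks v = e(u, g)^{1/(alpha - ID)}
    return (is_invalid(alpha, 42, ct), is_invalid(alpha, 42, bad), decrypt(sk, bad) is None)
```

In the exponent model the decryption check reduces to $a_u(\log h_{ID,1} + \beta \log h_{ID,2}) + a_v(r_{ID,1} + \beta r_{ID,2}) = a_y$, which is exactly equation (6) specialised to two key components; a ciphertext with $v$ altered fails it unless $r_{ID,1} + \beta r_{ID,2} \equiv 0 \pmod p$, an event of probability about $1/p$, mirroring the case analysis of Claim 2.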
4.1 Correctness

Assuming the ciphertext $C = (u, v, w, r, y)$ received by the recipient with identity $ID$ is well formed, we have
$$e\big(u, h_{ID,1} h_{ID,2}^{\beta}\big)\, v^{r_{ID,1} + r_{ID,2}\beta} = e\Big(g^{s(\alpha - ID)}, \big(h_1 h_2^{\beta}\big)^{1/(\alpha - ID)} g^{-(r_{ID,1} + r_{ID,2}\beta)/(\alpha - ID)}\Big)\, e(g, g)^{s(r_{ID,1} + r_{ID,2}\beta)} = e\big(g, h_1 h_2^{\beta}\big)^s,$$
where $\beta = H(u, v, w, r)$, and
$$e(u, h_{ID,2})\, v^{r_{ID,2}} = e\Big(g^{s(\alpha - ID)}, \big(h_2 g^{-r_{ID,2}}\big)^{1/(\alpha - ID)}\Big)\, e(g, g)^{s r_{ID,2}} = e(g, h_2)^s.$$

4.2 Security analysis

In this part, we prove that the new proposal is $\lambda$-leakage-resilient CCA2 secure. Its security proof is similar to that of the first construction; for completeness, we elaborate it as follows.

Theorem 2. Under the truncated decisional $q$-ABDHE assumption, where $q = q_{ID} + 2$, the IBE scheme above is $(\log p - m - \omega(\log \kappa))$-leakage-resilient CCA2 secure, where $q_{ID}$ denotes the maximum number of key generation queries made by the adversary, $p$ is the prime order of the underlying group, and $\kappa$ denotes the security parameter.

Proof. Suppose that there exists an adversary $\mathcal{A}$ that breaks the $\lambda$-LR-CCA2 security of the IBE scheme above, making at most $q_{ID}$ key generation queries and at most $q_C$ decryption queries. Using $\mathcal{A}$ as a subroutine, we construct an algorithm $\mathcal{B}$ that solves the truncated decision $q$-ABDHE problem. Taking a random truncated decision $q$-ABDHE challenge instance $(G, g', g'_{q+2}, g, g_1, \dots, g_q, Z)$, which is either from $P_{ABDHE}$ (i.e., $Z = e(g_{q+1}, g')$) or from $R_{ABDHE}$ (i.e., $Z$ is a random element of $G_T$), $\mathcal{B}$ executes the following steps:

Setup: For $i \in \{1, 2\}$, $\mathcal{B}$ randomly chooses $f_i(x)$ of degree $q$ from $\mathbb{Z}_p[x]$ and sets $h_i = g^{f_i(\alpha)}$, which can be computed from $(g, g_1, \dots, g_q)$. It then publishes the public parameters $\mathrm{params} = \{G, g, g_1, h_1, h_2, H, \mathrm{Ext}\}$, where $H$ is randomly chosen from a universal one-way hash function family $\mathcal{H}$, $\mathrm{Ext}$ is a randomly chosen average-case $(\log p - \lambda, \delta)$-strong randomness extractor, and $g_1$ is taken from the challenge instance.

Phase 1: In this phase, the adversary $\mathcal{A}$ can adaptively make three kinds of queries, each of which is simulated by $\mathcal{B}$ as follows.

Key generation queries: On input an identity $ID \in \mathbb{Z}_p$, in case $ID = \alpha$, the truncated decision $q$-ABDHE problem can be solved immediately by $\mathcal{B}$ using $\alpha$. Otherwise, $\mathcal{B}$ generates the private key $sk_{ID}$ as follows. First, let $F_{ID,i}(x) = \big(f_i(x) - f_i(ID)\big)/(x - ID)$, set $r_{ID,i} = f_i(ID)$ and $h_{ID,i} = g^{F_{ID,i}(\alpha)}$, and then output $sk_{ID} = (r_{ID,i}, h_{ID,i})$, $i \in \{1, 2\}$, as the

corresponding private key. Obviously, it is a valid private key for $ID$, because
$$g^{F_{ID,i}(\alpha)} = g^{\frac{f_i(\alpha) - f_i(ID)}{\alpha - ID}} = \big(g^{f_i(\alpha)} g^{-f_i(ID)}\big)^{\frac{1}{\alpha - ID}} = \big(h_i\, g^{-r_{ID,i}}\big)^{\frac{1}{\alpha - ID}},$$
just as required.

Leakage queries: On input an efficient leakage function $L_i : \{0,1\}^* \to \{0,1\}^{\lambda_i}$ for $ID$, in case $ID = \alpha$, the truncated decision $q$-ABDHE problem can be solved immediately by $\mathcal{B}$ using $\alpha$. Else, $\mathcal{B}$ replies with $L_i(sk_{ID})$ if $\sum_{k=1}^{i} \lambda_k \le \lambda$; otherwise, it outputs $\bot$.

Decryption queries: On input a ciphertext $(ID, C)$ for $ID$, $\mathcal{B}$ first generates the corresponding private key $sk_{ID}$ as for the key generation queries above and then uses $sk_{ID}$ to decrypt the ciphertext $C$ by running the usual Decrypt algorithm. Finally, it sends the result to the adversary as the response.

Challenge: $\mathcal{A}$ outputs two equal-length messages $m_0$ and $m_1$, and the challenge identity $ID^*$. If $ID^* = \alpha$, the truncated decision $q$-ABDHE problem can be solved immediately by $\mathcal{B}$ using $\alpha$. Otherwise, $\mathcal{B}$ picks a random bit $b \in \{0, 1\}$ and generates a private key $sk_{ID^*} = (r_{ID^*,i}, h_{ID^*,i})$ for $ID^*$ as in the first phase, and then uses $sk_{ID^*}$ to produce the challenge ciphertext as follows. First, let $f_4(x) = x^{q+2}$ and compute the polynomial $F_{4,ID^*}(x) = \big(f_4(x) - f_4(ID^*)\big)/(x - ID^*)$ of degree $q+1$, and then set
$$u^* = g'^{\,f_4(\alpha) - f_4(ID^*)}, \quad v^* = Z \cdot e\Big(g', \prod_{i=0}^{q} g_i^{F_{4,ID^*,i}}\Big), \quad w^* = m_b \oplus \mathrm{Ext}\big(e(u^*, h_{ID^*,2})\, v^{*\, r_{ID^*,2}}, r^*\big),$$
where $F_{4,ID^*,i}$ denotes the coefficient of $x^i$ in $F_{4,ID^*}(x)$ and $r^*$ is randomly chosen from $\{0,1\}^d$. Subsequently, $y^*$ is set to $e\big(u^*, h_{ID^*,1} h_{ID^*,2}^{\beta^*}\big)\, v^{*(r_{ID^*,1} + r_{ID^*,2}\beta^*)}$, where $\beta^* = H(u^*, v^*, w^*, r^*)$. Finally, $C^* = (u^*, v^*, w^*, r^*, y^*)$ is sent to the adversary as the response.

Phase 2: This phase is almost the same as Phase 1, except that no leakage queries, no key generation queries on $ID^*$ and no decryption queries on $(ID^*, C^*)$ are allowed.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b'$ of $b$, and $\mathcal{B}$ checks whether $b' = b$. If so, it outputs 1, which indicates that the challenge instance is from $P_{ABDHE}$ (i.e., $Z = e(g_{q+1}, g')$); otherwise, it returns 0.

Lemma 5. If the challenge instance $(G, g', g'_{q+2}, g, g_1, \dots, g_q, Z)$ is from $P_{ABDHE}$ (i.e., $Z = e(g_{q+1}, g')$), the adversary $\mathcal{A}$'s view is identical to that in the actual attack.

Proof. It is clear that the public parameters in the simulation are, from the adversary's point of view, identically distributed to those in the actual construction. In particular, the elements $g$ and $\alpha$ and the polynomials $f_i(x)$ for $i \in \{1, 2\}$ are all chosen uniformly at random, so $h_1$ and $h_2$ are both uniformly distributed, and the public parameters have the proper distribution. As to the challenge ciphertext, it also has the correct distribution when $\mathcal{B}$'s input is taken from $P_{ABDHE}$, that is, $Z = e(g_{q+1}, g')$. Indeed, in this case, $u^* = g^{s^*(\alpha - ID^*)}$, $v^* = e(g, g)^{s^*}$, $w^* = m_b \oplus \mathrm{Ext}\big(e(g, h_2)^{s^*}, r^*\big)$, and $y^* = e\big(g, h_1 h_2^{\beta^*}\big)^{s^*}$, where $s^*$ is implicitly set to $(\log_g g')\, F_{4,ID^*}(\alpha)$. Due to the uniform randomness of $\log_g g'$, $s^*$ is uniformly distributed. Besides, $r^*$ is chosen uniformly at random from $\{0,1\}^d$. Thus, the tuple $(u^*, v^*, w^*, r^*, y^*)$ is a valid and properly distributed ciphertext for $ID^*$ and $m_b$ with randomness $s^*$ and $r^*$, which is the challenge ciphertext returned to the adversary. Finally, by an analysis similar to [5], it is easy to see that the private keys simulated by $\mathcal{B}$ are all appropriately distributed for the adversary $\mathcal{A}$, which follows from the fact that $f_i(x) \in \mathbb{Z}_p[x]$ for $i \in \{1, 2\}$ are uniformly random polynomials of degree $q$.

Lemma 6. If the challenge instance $(G, g', g'_{q+2}, g, g_1, \dots, g_q, Z)$ is from $R_{ABDHE}$ (i.e., $Z$ is a random element of $G_T$), the adversary $\mathcal{A}$ has only a negligible advantage in outputting the correct bit $b$.

The lemma follows from the following two claims. In what follows, we call $C' = (u', v', w', r', y')$ an invalid ciphertext for $ID'$ if $v' \ne e(u', g)^{1/(\alpha - ID')}$.

Claim 3. If all the invalid ciphertexts are rejected by the decryption oracle, then the adversary $\mathcal{A}$ outputs the correct bit $b$ with only a negligible advantage.

Proof. To prove this claim, we analyze the average min-entropy of $e(u^*, h_{ID^*,2})\, v^{*\, r_{ID^*,2}}$ from the adversary's point of view. Provided that all the invalid ciphertexts are rejected by the decryption oracle, the adversary $\mathcal{A}$ cannot gain any more information about the private key from it. The information regarding the private key that $\mathcal{A}$ can obtain only relates to the evaluations of $(f_1(x), f_2(x))$ at the point $\alpha$ (from the components of the public parameters) and at the $q_{ID}$ identities (from the key generation queries made by $\mathcal{A}$), the $\lambda$-bit leakage on the private key, and the challenge ciphertext $C^* = (u^*, v^*, w^*, r^*, y^*)$ for $ID^*$. The information gained from the public parameters and the key generation queries can be represented as follows:
$$\begin{cases} f_1(ID_i) = r_{ID_i,1} \text{ for } i \in \{1, 2, \dots, q_{ID}\}, & g^{f_1(\alpha)} = h_1, \\ f_2(ID_i) = r_{ID_i,2} \text{ for } i \in \{1, 2, \dots, q_{ID}\}, & g^{f_2(\alpha)} = h_2. \end{cases} \quad (14)$$
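The simulator's key generation (the polynomial $F_{ID,i}$ in the key generation queries above) and the rank argument behind equation system (14), as an added example not taken from the paper, in Python with the exponents computed directly over a constructed toy prime: it checks that a simulated key has exactly the form KeyGen would produce, and that after the $q_{ID} + 1$ known evaluations of a degree-$q$ polynomial (at $\alpha$ and at the queried identities) the value at a fresh $ID^*$ is still undetermined, which is what keeps the extractor input of the challenge ciphertext random in the adversary's view. The prime, $\alpha$, the identities and the polynomial are constructed values.

```python
"""Simulator-side key generation from the proof of Theorem 2 and the rank
argument behind equation system (14), in plain Z_p arithmetic.

Added illustration, not the paper's code.  The simulator holds f_i(x) of degree
q = q_ID + 2 with h_i = g^{f_i(alpha)} and answers a key query on ID with
r_{ID,i} = f_i(ID), h_{ID,i} = g^{F_{ID,i}(alpha)},
F_{ID,i}(x) = (f_i(x) - f_i(ID)) / (x - ID).  Exponents are handled directly
(they are known to the simulator), over a small constructed prime.
"""
import random

P = 1_000_003   # constructed toy prime (assumption)


def inv(a: int) -> int:
    return pow(a % P, P - 2, P)


def poly_eval(f, x: int) -> int:
    """Horner evaluation; f[j] is the coefficient of x^j."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def divide_by_root(f, idv: int):
    """Synthetic division: return F with (x - ID) * F(x) = f(x) - f(ID)."""
    q = len(f) - 1
    F = [0] * q
    F[q - 1] = f[q] % P
    for j in range(q - 1, 0, -1):
        F[j - 1] = (f[j] + idv * F[j]) % P
    return F


def simulated_key(f, alpha: int, idv: int):
    """(r_ID, log_g h_ID) as the simulator computes them."""
    return poly_eval(f, idv), poly_eval(divide_by_root(f, idv), alpha)


def simulated_key_matches_real(f, alpha: int, idv: int) -> bool:
    """Real KeyGen gives log_g h_ID = (log_g h - r_ID) / (alpha - ID) with log_g h = f(alpha)."""
    r, h_id = simulated_key(f, alpha, idv)
    return h_id == (poly_eval(f, alpha) - r) * inv(alpha - idv) % P


def rank_mod_p(rows) -> int:
    """Rank over Z_p by Gauss-Jordan elimination."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col] % P), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        s = inv(m[rank][col])
        m[rank] = [x * s % P for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % P:
                fac = m[i][col]
                m[i] = [(a - fac * b) % P for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def eval_rows(points, q: int):
    """One constraint row (1, x, ..., x^q) per known evaluation point x."""
    return [[pow(x, j, P) for j in range(q + 1)] for x in points]


def free_dimensions(alpha: int, ids, q: int) -> int:
    """Dimension of the space of degree-q polynomials consistent with f(alpha) and all f(ID_i)."""
    return q + 1 - rank_mod_p(eval_rows([alpha] + list(ids), q))


def challenge_value_undetermined(alpha: int, ids, id_star: int, q: int) -> bool:
    """True iff the row for ID* is independent of the known rows, so f(ID*) is still uniform."""
    known = eval_rows([alpha] + list(ids), q)
    return rank_mod_p(known + eval_rows([id_star], q)) == rank_mod_p(known) + 1


if __name__ == "__main__":
    q_id = 3
    q = q_id + 2
    alpha, ids, id_star = 12345, [77, 78, 79], 999            # constructed values
    f = [random.randrange(P) for _ in range(q + 1)]
    print(simulated_key_matches_real(f, alpha, ids[0]),
          free_dimensions(alpha, ids, q),
          challenge_value_undetermined(alpha, ids, id_star, q))
```

Because the rows are those of a Vandermonde matrix at distinct points, $q_{ID} + 1$ of them are always independent, leaving two free coordinates per polynomial with $q = q_{ID} + 2$; appending the row of an already-queried identity adds nothing, while the row of a fresh $ID^*$ is independent, which is the same linear-independence fact the proof uses for the columns of $M$ and $V$.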


An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Non-malleability under Selective Opening Attacks: Implication and Separation

Non-malleability under Selective Opening Attacks: Implication and Separation Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai

More information

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any

More information

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Efficient Public-Key Cryptography in the Presence of Key Leakage

Efficient Public-Key Cryptography in the Presence of Key Leakage Efficient Public-Key Cryptography in the Presence of Key Leakage Yevgeniy Dodis Kristiyan Haralambiev Adriana López-Alt Daniel Wichs August 17, 2010 Abstract We study the design of cryptographic primitives

More information

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography 1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to

More information

Stronger Public Key Encryption Schemes

Stronger Public Key Encryption Schemes Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)

More information

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1] CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced

More information

Remove Key Escrow from The Identity-Based Encryption System

Remove Key Escrow from The Identity-Based Encryption System Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng, Richard Comley and Luminita Vasiu School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK. {m.z.cheng,r.comley,l.vasiu}@mdx.ac.uk

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu

More information

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter Baodong Qin Shengli Liu October 9, 2013 Abstract We present a new generic construction

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Certificateless Signcryption without Pairing

Certificateless Signcryption without Pairing Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Type-based Proxy Re-encryption and its Construction

Type-based Proxy Re-encryption and its Construction Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004 CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,

More information

8 Security against Chosen Plaintext

8 Security against Chosen Plaintext 8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly

More information

Advanced Cryptography 1st Semester Public Encryption

Advanced Cryptography 1st Semester Public Encryption Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability

More information

Chosen-Ciphertext Security (I)

Chosen-Ciphertext Security (I) Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1

More information

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.

More information

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT) 1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa

More information

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

5.4 ElGamal - definition

5.4 ElGamal - definition 5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is

More information

6.892 Computing on Encrypted Data October 28, Lecture 7

6.892 Computing on Encrypted Data October 28, Lecture 7 6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling

More information

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator EXAMINATION ( End Semester ) SEMESTER ( Spring ) Roll Number Section Name Subject Number C S 6 0 0 8 8 Subject Name Foundations

More information

On The (In)security Of Fischlin s Paradigm

On The (In)security Of Fischlin s Paradigm On The (In)security Of Fischlin s Paradigm PRABHANJAN ANANTH Microsoft Research India prabhanjan.va@gmail.com RAGHAV BHASKAR Microsoft Research India rbhaskar@microsoft.com VIPUL GOYAL Microsoft Research

More information

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow

More information

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval. Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions

More information

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

Round-Optimal Password-Based Authenticated Key Exchange

Round-Optimal Password-Based Authenticated Key Exchange Round-Optimal Password-Based Authenticated Key Exchange Jonathan Katz Vinod Vaikuntanathan Abstract We show a general framework for constructing password-based authenticated key-exchange protocols with

More information

Searchable encryption & Anonymous encryption

Searchable encryption & Anonymous encryption Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

On The (In)security Of Fischlin s Paradigm

On The (In)security Of Fischlin s Paradigm On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2

More information

The Cramer-Shoup Cryptosystem

The Cramer-Shoup Cryptosystem The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive

More information

Short Signatures Without Random Oracles

Short Signatures Without Random Oracles Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without

More information

OAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland

OAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland OAEP Reconsidered Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract The OAEP encryption scheme was introduced by Bellare and

More information

Smooth Projective Hash Function and Its Applications

Smooth Projective Hash Function and Its Applications Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive

More information

Toward Hierarchical Identity-Based Encryption

Toward Hierarchical Identity-Based Encryption Toward Hierarchical Identity-Based Encryption Jeremy Horwitz and Ben Lynn Stanford University, Stanford, CA 94305, USA, {horwitz blynn}@cs.stanford.edu Abstract. We introduce the concept of hierarchical

More information

Leakage-Resilient Cryptography from Minimal Assumptions

Leakage-Resilient Cryptography from Minimal Assumptions Leakage-Resilient Cryptography from Minimal Assumptions Carmit Hazay Adriana López-Alt Hoeteck Wee Daniel Wichs December 9, 2014 Abstract We present new constructions of leakage-resilient cryptosystems,

More information

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance

More information