Continuous Leakage Resilient Lossy Trapdoor Functions

Abstract

Lossy trapdoor functions (LTFs) were first introduced by Peikert and Waters (STOC’08). Since their introduction, lossy trapdoor functions have found numerous applications. They can be used as tools to construct important cryptographic primitives such as injective one-way trapdoor functions, chosen-ciphertext-secure public key encryptions, deterministic encryptions, et al. In this paper, we focus on the lossy trapdoor functions in the presence of continuous leakage. We introduce the new notion of updatable lossy trapdoor functions (ULTFs) and give their formal definition and security properties. Based on these, we extend the security model to the LTFs against continuous leakage when the evaluation algorithm is leakage resilient. Under the standard DDH assumption and DCR assumption, respectively, we show two explicit lossy trapdoor functions against continuous leakage in the standard model. In these schemes, using the technology of matrix kernel, the trapdoor can be refreshed at regular intervals and the adversaries can learn unbounded leakage information on the trapdoor along the whole system life. At the same time, we also show the performance of the proposed schemes compared with the known existing continuous leakage resilient lossy trapdoor functions.

1. Introduction

Lossy trapdoor functions (LTFs) were firstly introduced by Peikert and Waters (STOC 2008) [1]. A collection of lossy trapdoor functions can be divided into two computationally indistinguishable families. The first family is the injective functions which can be efficiently inverted using a trapdoor. The other family is the lossy functions under which the image size of these functions is significantly smaller than the size of their domain. Hence, the lossy functions loose a lot of information about their input. Additionally, injective and lossy functions are efficiently samplable.

Since their introduction, lossy trapdoor functions have found numerous applications. It can be used as a tool to construct important cryptographic primitives such as injective one-way trapdoor functions, chosen plaintext secure (CPA) and chosen ciphertext secure (CCA) public key encryptions (PKE) in the standard model and oblivious transfer (OT). In addition, LTFs have already found various other applications, including deterministic PKE schemes [2,3], OAEP-based PKE schemes, “hedged” PKE schemes for protecting against bad randomness [4], selective opening attack (SOA) secure PKE scheme [5] and efficient non-interactive string commitments [6].

Leakage-resilient cryptographic systems have received a lot of attention in recent years. The feature of a leakage resilient cryptosystem is that it remains secure even when some secret internal information, including the secret key, is leaked to the adversary. In the traditional security analysis, security models treat such internal information as perfectly hidden from the adversary. With the development of various side-channel attacks, it is clear that the traditional view is inconsistent with some physical realities [7]. To stand against such attacks, cryptographic researchers have paid much to the design of leakage-resilient cryptosystems [8,9,10,11,12,13,14].

The continuous leakage resilient (CLR) model was introduced by Dodis et al. [15] and Brakerski et al. [16]. It is a more powerful security model since it allows the adversary to learn unbounded leakage on the system’s secret memory during the main operation of the system. There are a variety of CLR schemes, including CLR one-way relations [15,17], CLR probability PKE [16,17,18], CLR Identity-based encryption (IBE) [16,19], CLR secure multiparty computation [20], CLR interactive proofs [21], CLR signatures, CLR identification schemes and CLR authenticated key agreement protocols [15].

To withstand continuous leakage, the secret key must be continuously refreshed requiring that: (1) the functionality of the cryptosystem is preserved even after updating the keys an arbitrary number of times; (2) one can not combine the leaked values from different versions of the secret key to break the system. Such a model of invisible key updates was formalized by Alwen et al. [22], where one assumes that there exists a trusted and leak-free device who uses some updatable key $uk$ to continuously refresh the secret key in a way that still satisfies the above two requirements. The leak-free device is only present during the key updates, but not during the normal operations just like decryption when the leakage actually happens. In [17], they informally refer to this CLR model of invisible key updates as the floppy model where there is assumed an external leak-free storage that is only present for refreshing operations.

1.1. Our Motivation

Lossy trapdoor functions play an important role in public key cryptosystems. Its special construction and properties decide that it is the building block of the cryptosystems. As we all know, the CLR model is the most demanding security model in the cryptosystem. Therefore, designing lossy trapdoor functions against continuous leakage is an interesting and practical topic.

Based on the work of Brakerski et al. [16], Koppula et al. [23] firstly gave the security model of lossy trapdoor functions under continuous leakage and presented the lossy trapdoor functions against continuous leakage, which is a base of the deterministic public key encryption against continuous leakage. Their security model is mainly based on the all-but-one (ABO) LTFs of Peikert and Waters in [1]. Under this model, their proposal is not concise and efficient in which they utilized many bi-linear parings to encrypt only one bit. Hence, their LTFs against continuous leakage is so complicated that it can not be used in practice efficiently. Qin and Liu et al. first introduced the leakage resilient lossy trapdoor functions [24]. In their work, the structure of LTFs is slightly different from the one introduced by Peikert and Waters in [1]. In [1], the evaluation key of a LTF includes the public parameters. However, in [24], they distinguish between the public parameters and the evaluation key with two independent algorithms. However, the slight change on the constructure did not have an influence on their scheme to satisfy the security properties of LTFs.

Motivated by the work of Qin and Liu et al. [24], we focus on how to construct efficient and practical LTFs against continuous leakage in the floppy model.

1.2. Our Contribution

In this work, our contribution is described as follows:

• We introduce the new notion of updatable lossy trapdoor functions (ULTFs) based on the LTF structure of [24], where the key sample algorithm is divided into two independent steps. In the first algorithm, it takes in the security parameter $1^{\kappa }$ and outputs a public parameter $\mathsf{pp}$ and the trapdoor $td$; in the second algorithm, it takes in $\mathsf{pp}$ and injective/lossy parameter $b\in \{0,1\}$ and outputs the injective/lossy evaluation key $ek$, which is related to b. At the same time, we also give the security requirements such as the indistinguishability of injective/lossy evaluation key, etc. When the evaluation algorithm $\mathsf{F}$ is leakage resilient, we can achieve the LTFs against continuous leakage, which we denote as CLR-LTFs for short. With the help of the new notion of ULTFs, we achieve the security model of CLR-LTFs in the floppy model. When the adversary is equipped with the public parameter and additional information from the leakage oracle during each time period, it still is not able to distinguish the injective and lossy evaluation keys.
• Based on the ElGamal-like PKE scheme in vector form [17,25,26], which is additively homomorphic and CPA-secure against continuous leakage, we achieve two proposals of CLR-LTFs under the standard Decisional Diffie–Hellman (DDH) and Decisional Composite Residuosity (DCR) assumptions, respectively. In the two CLR-LTF schemes, with the public parameters and the evaluation key fixed, we utilize the technology of the matrix kernel to complete the refreshment of the trapdoor. Our first proposal is obtained by embedding the CLR ElGamal-like PKE scheme into the matrix-based LTFs of [1] n times, where the ciphertexts constitute the rows of the matrix R and the columns of the matrix Q, respectively. Through the n-time expansion of the secret key of a single ElGamal-like PKE scheme, the leakage rate of the achieved CLR-LTF is decreased from $1-o\left(1\right)$ into $\frac{1}{n}$ for maintaining the indistinguishability of the injective or lossy evaluation keys. In order to improve the leakage rate in each time period, we extend the group from a prime order group to a composite order group and get the second CLR-LTFs based on the DCR assumption, where the leakage rate can arrive at 1.
• Compared with the other known CLR-LTFs constructions introduced by Koppula et al. [23], we give an efficiency comparison as below (

  Table 1. Efficiency comparison.

  Scheme	Hardness Assumption	Leakage Rate	$\left|\mathit{m}\right|$	Pairing	Group
  [23]	DDH	$1/2$	1-bit	Yes	Prime order
  [23]	SXDH	$1-o\left(1\right)$	1-bit	Yes	Prime order
  Ours	DDH	$1/n$	n-bit	No	Prime order
  Ours	DCR	$1-o\left(1\right)$	$\alpha \log N$-bit	No	Composite order

  $\left|m\right|$ denotes the length of the encrypted massage; $n\approx \Theta \left(\kappa \right)$ where $\kappa$ is the security parameter; N is an RSA modulus which will be explained by detail in Section 6; $\alpha \ge 1$ is a nature number; DDH means Decisional Diffie-Hellman assumption; SXDH means Symmetric External Diffie-Hellman assumption; DCR means Decisional Composite Residuosity assumption.

  ).

1.3. Organization

The rest of the article is organized as follows. In Section 2, we review some preliminaries which would be used in this paper. In Section 3, we introduce the new notion of updatable lossy trapdoor functions and present the formal definition and security properties. Meanwhile, we extend the security model to continuous leakage. Next, we introduce the CLR ElGamal-like PKE scheme with some important security properties which will be borrowed for the following concrete CLR-LTFs in Section 4. Then, we present two explicit CLR-LTFs. The first CLR-LTF under the DDH assumption in the prime order group is shown in Section 5. The second CLR-LTF under the DCR assumption in the composite order group is presented in Section 6, respectively. We also prove that these schemes are satisfying the security properties that have been given in Section 4. Lastly, we get a conclusion and direct the future work in Section 7.

• Notion:
• $\mathrm{negl}\left(\kappa \right)$ is negligible function with security parameter $\kappa$;
• $\left[t\right]$ denotes the set $\{1,2,\cdots ,t\},$ where t is a natural number;
• $\log x$ denotes the discrete logarithm of x in the base 2;
• ${\mathsf{Rk}}_i\left({\mathbb{Z}}_p^{n\times m}\right)$ denotes the uniform distribution on any n-by-m matrices over ${\mathbb{Z}}_p$ of rank i.

2. Preliminaries

In this section, we present some basic tools that will be used in our constructions and security proofs. We formally state some decisional assumptions and present some results about the leftover hash lemma.

2.1. Decisional Assumptions

2.1.1. Decisional Diffie–Hellman (DDH) Assumption

We assume a probability polynomial time (PPT) algorithm $\mathcal{G}\left(1^{\kappa }\right)$ which takes as input $1^{\kappa }$ and outputs a tuple of $\mathbb{G}=(G,p,g)$, where G is a cyclic group of prime order p and g is a generation of G. The Decisional Diffie–Hellman (DDH) assumption holds iff

$${\mathrm{Adv}}_{G,\mathcal{A}}^{\mathrm{DDH}}:=|\mathrm{Pr}[\mathcal{A}(g_1,g_2,g_1^r,g_2^r)=1]-\mathrm{Pr}[\mathcal{A}(g_1,g_2,g_1^r,g_2^{r^{\prime }})=1]|\le \mathrm{negl}\left(\kappa \right)$$

for any PPT adversary $\mathcal{A},$ where $g_1,g_2\in G$ and $r\in {\mathbb{Z}}_q$, $r^{\prime }\in {\mathbb{Z}}_q\backslash \left\{r\right\}$.

We can extend the standard DDH assumption to the following form. For a group $(G,p,g)$ and random elements $g_1,g_2,\cdots ,g_l\in G$, we define the two sets:

$$L:=\{(g_1^r,g_2^r,\cdots ,g_l^r):r\in {\mathbb{Z}}_p\};$$

$$X:=\{(g_1^{r_1},g_2^{r_2},\cdots ,g_l^{r_l}):r_1,r_2,\cdots ,r_l\in {\mathbb{Z}}_p\}.$$

If $x\in L$, the corresponding r is called a witness for x. At the same time, $(X,L)$ forms a subset membership problem [26] whose hardness is subject to the DDH assumption [25].

On the other hand, Ref. [26] showed that the DDH assumption is equivalent to the assumption that it is hard to distinguish between an n-by-m matrix X with rank $i\ge 1$ and one with rank $j>i$ in the exponent of a generator g of a prime order group G.

2.1.2. Rank Hiding Assumption

Following the parameters of the DDH assumption, let ${\mathsf{Rk}}_i\left({\mathbb{Z}}_p^{n\times m}\right)$ denote the uniform distribution on all n-by-m matrices over ${\mathbb{Z}}_p$ of rank i. The rank hiding assumption [17] holds iff

$$\begin{gathered} {\mathrm{Adv}}_{G,\mathcal{A}}^{rh}:=|\mathrm{Pr}[\mathcal{A}((G,p,g,g^X):X\leftarrow {\mathsf{Rk}}_i\left({\mathbb{Z}}_p^{n\times m}\right))=1] \\ -\mathrm{Pr}[\mathcal{A}((G,p,g,g^X):X\leftarrow {\mathsf{Rk}}_j\left({\mathbb{Z}}_p^{n\times m}\right))=1]|\le \mathrm{negl}\left(\kappa \right) \end{gathered}$$

for any PPT adversary $\mathcal{A}$.

2.1.3. Extended Rank Hiding Assumption

Based on the rank hiding assumption, the extended rank hiding assumption [17] states that, for any PPT adversary $\mathcal{A}$, the advantage

$$\begin{gathered} {\mathrm{Adv}}_{G,\mathcal{A}}^{\mathrm{erh}}:=|\mathrm{Pr}[\mathcal{A}((G,p,g,g^X,v_1,\cdots ,v_t):X\leftarrow {\mathsf{Rk}}_i\left({\mathbb{Z}}_p^{n\times m}\right);{\left\{v_l\right\}}_{l=1}^t\in \mathsf{kernel}\left(X\right))=1] \\ -\mathrm{Pr}[\mathcal{A}((G,p,g,g^X,v_1,\cdots ,v_t):X\leftarrow {\mathsf{Rk}}_j\left({\mathbb{Z}}_p^{n\times m}\right);{\left\{v_l\right\}}_{l=1}^t\in \mathsf{kernel}\left(X\right))=1]|\le \mathrm{negl}\left(\kappa \right), \end{gathered}$$

where $m,n\in \mathbb{N},j>i\in \mathbb{N}$ and $t\le$ min$\{n,m\}-$max$\{i,j\}$.

2.1.4. Decisional Composite Residuosity (DCR) Assumption

We assume a group $Z_{N^{\alpha +1}}^{*}$ is a multiplicative group where $s\ge 1$ is an integer. In addition, the integer $N=PQ$ is an RSA modulus, which means that P and Q are odd primes of equivalent bit length. The decisional composite residuosity (DCR) assumption holds on the group $Z_{N^{\alpha +1}}^{*}$ iff

$${\mathrm{Adv}}_{N,\mathcal{A}}^{DCR}:=|\mathrm{Pr}[\mathcal{A}(N,g)=1]-\mathrm{Pr}[\mathcal{A}(N,g·T)=1]|\le \mathrm{negl}\left(\kappa \right)$$

for any PPT adversary $\mathcal{A}$, where $g\in \mathsf{G}$ is chosen at random (where $\mathsf{G}$ is a cyclic group of order $N^{\alpha }$) and $T:=1+N($mod$N^{\alpha +1})$.

2.2. Generalized Leftover Hash Lemma

The statistical distance between two random variables X and Y over a finite domain $\Omega$ is SD($X,Y$)=$\frac{1}{2}{\sum }_{\omega \in \Omega }|Pr[X=\omega ]-\mathrm{Pr}[Y=\omega ]|$. We write $X{\approx }_{ϵ}Y$ to denote SD($X,Y$)$\le ϵ$, and $X\approx Y$ to denote that the statistical distance is negligible. The min-entropy of a random variable X is $H_{\infty }\left(X\right)=-\log \left(ma{x}_x\mathrm{Pr}[X=x]\right)$.

We use the notion of average min-entropy, which captures the remaining unpredictability of a random variable X conditioned on another random variable Y, formally defined as:

$${\tilde{H}}_{\infty }\left(X\right|Y)=-log\left(E_{y\in Y}\left[2^{-H_{\infty }\left(X\right|Y=y)}\right]\right),$$

where $E_{y\in Y}$ denotes the expected value over all values of Y.

Lemma 1 [27].

For any random variables $X,Y,Z$, if Y has $2^r$ possible values, then

$${\tilde{H}}_{\infty }\left(X\right|(Y,Z))\ge {\tilde{H}}_{\infty }\left(X\right|Z)-r.$$

In particular,

$${\tilde{H}}_{\infty }\left(X\right|Y)\ge H_{\infty }\left(X\right)-r.$$

Definition 1 [27].

A function $\mathsf{Ext}:\mathcal{X}\times {\{0,1\}}^t\to \mathcal{Y}$ is an average-case ($m,ϵ$)-strong extractor if, for all pairs of random variables ($X,Z$) such that $X\in \mathcal{X}$ and ${\tilde{H}}_{\infty }\left(X\right|Z)\ge m,$ it holds that

$$\mathrm{SD}((\mathsf{Ext}(X,S),S,Z),(U_{\mathcal{Y}},S,Z))\le ϵ,$$

where S is uniform in ${\{0,1\}}^t$ and $U_{\mathcal{Y}}$ is uniform over $\mathcal{Y}$.

Definition 2 (Universal Hashing).

A family $\mathcal{H}$, consisting of deterministic functions $h:\mathcal{X}\to \mathcal{Y}$, is a universal hash family if, for any $x_1\ne x_2\in \mathcal{X}$, we have Pr${}_{h\leftarrow \mathcal{H}}[h\left(x_1\right)=h\left(x_2\right)]\le 1/\left|\mathcal{Y}\right|.$

Lemma 2 (Generalized Leftover Hash Lemma) [27].

Assume that the family $\mathcal{H}={\{H_k:\mathcal{X}\to \mathcal{Y}\}}_{k\in \mathcal{K}}$ is a universal hash family. Then, for any two random variables $X,Z$ and $k\in \mathcal{K}$, it holds that

$$\mathrm{SD}((H_k\left(X\right),k,Z),(U_{\mathcal{Y}},k,Z)) \le \frac{1}{2}\sqrt{2^{-{\tilde{H}}_{\infty }\left(X\right|Z)}\left|\mathcal{Y}\right|}.$$

This lemma implies that any universal hash functions are good extractors. For two random variables X and Y, a family of universal hash functions ${\{H_k:\mathcal{X}\to \mathcal{Y}\}}_{k\in \mathcal{K}}$ is an average-case ($m,ϵ$)-strong extractor $\mathsf{Ext}:\mathcal{X}\times \mathcal{K}\to \mathcal{Y}$ as long as ${\tilde{H}}_{\infty }\left(X\right|Z)\ge m$ and $\log \left|\mathcal{Y}\right|\le m-2\log (1/ϵ)+2.$

3. Updatable Lossy Trapdoor Function

In this section, we will introduce the new notion of updatable lossy trapdoor functions (ULTFs). Though Koppula et al. [23] has introduced a notion of LTFs resilient to continual memory leakage, their notion was mainly based on the all-but-one (ABO) LTFs of Peikert and Waters in [1]. The new notion, which will be presented as follows, is mainly based on the LTFs structure of Qin and Liu et al. [24], which is slightly different from the one introduced by Peikert and Waters in [1]. In [1], the evaluation key of a LTF includes the public parameters. However, in [24], they distinguish between the public parameters and the evaluation key with two independent algorithms. As a result, the change in the structure does not have any influence on the security. Based on the new notion, we can extend the ULTFs to CLR-LTFs naturally when the evaluation algorithm is leakage resilient.

3.1. Definition of Updatable Lossy Trapdoor Functions

At first, we give some related functions about the security parameter $\kappa$:

• $d(\kappa$): the inpute lenghth of the polynomial about $\kappa$;
• $k(\kappa$): the lossiness $k\left(\kappa \right)\le d\left(\kappa \right)$.

Now, we introduce the new notion of updatable lossy trapdoor functions.

Definition 3 (Updatable Lossy Trapdoor Functions).

A collection of updatable ($d,k$)-lossy trapdoor functions is a 5-tuple of (possible probabilistic) polynomial-time algorithms (PTAs) ($\mathsf{G},\mathsf{S},\mathsf{F},{\mathsf{F}}^{-1},\mathsf{U}$) such that:

1.

Public Parameter. G($1^{\kappa }$): It is a probabilistic PTA which takes in the security parameter $1^{\kappa }$ and outputs the public parameter and the trapdoor ($\mathsf{pp},td$).

2.

Public Parameter. $\mathsf{S}$($\mathsf{pp}$, b): It is a probabilistic PTA which takes in the public parameter $\mathsf{pp}$ and $b\in \{0,1\}$ and samples an evaluation key $ek$ which is also called the function index.

3.

Evaluation. $\mathsf{F}$($ek,x$): It is a deterministic PTA which takes in the evaluation key $ek$ and $x\in {\{0,1\}}^d$ and outputs the image y.

4.

Inversion. $\mathsf{F}$${}^{-1}(td,y$): It is a deterministic PTA which takes in the image y and the trapdoor $td$ and outputs $x\in {\{0,1\}}^d$ or ⊥.

5.

Update. $\mathsf{U}$($uk,td$): It is a probabilistic PTA which takes in the updatable key $uk$ and the original trapdoor $td$ and outputs the updated trapdoor $t{d}^{\prime }$ such that $\left|td\right|=|t{d}^{\prime }|$.

3.2. Basic Properties

We require that the ULTF ($\mathsf{G},\mathsf{S},\mathsf{F},{\mathsf{F}}^{-1},\mathsf{U}$) has some basic properties, indicating its correctness an hardness requirements:

• Correctness. For all $(\mathsf{PP},td)\leftarrow \mathsf{G}\left(1^{\kappa }\right)$, all $ek\leftarrow \mathsf{S}(\mathsf{pp},1)$ and all $x\in {\{0,1\}}^d$, it holds that ${\mathsf{F}}^{-1}(td,\mathsf{F}(ek,x))=x,$ which is the preimage of y. On the other hand, it requires that, with the fixed public parameter $\mathsf{pp}$ and the evaluation key $ek$, the updated trapdoor $t{d}^{\prime }$ can also recover the preimage x of y correctly in the injective mode, i.e., it holds that ${\mathsf{F}}^{-1}(t{d}^{\prime },\mathsf{F}(ek,x))=x$.
• Injective/Lossy. For the third evaluation algorithm $\mathsf{F}$($ek,·$), it requires that, for any $ek\leftarrow \mathsf{S}(\mathsf{pp},1),$ the function $\mathsf{F}$($ek,·$) is in the injective mode; and for any $ek\leftarrow \mathsf{S}(\mathsf{pp},0)$ the function $\mathsf{F}$($ek,·$) is in the lossy mode. The image size of the lossy function $\mathsf{F}$($ek,x$) is at most $2^{d-k}$. Even when the evaluation $\mathsf{F}$($ek,x$) is in the injective mode, it requires that it can be inverted to the correct preimage using either the trapdoor $td$ or any of its polynomial frequency updated trapdoor $t{d}^{\prime }$.
• Indistinguishability. For the second public parameter algorithm $\mathsf{S}$($\mathsf{pp},b$), the two evaluation keys $ek$ respectively produced by $\mathsf{S}(\mathsf{pp},1)$ and $\mathsf{S}(\mathsf{pp},0)$ are computationally indistinguishable even after the trapdoor updates.

3.3. Extension

For the particular structure, the ULTFs can be viewed as a special lossy trapdoor function which served as a fundamental tool in constructing cryptographic primitives in both leakage-free and leaky settings. Here, if we combine the ULTF with the leakage property efficiently, we can achieve the continuous leakage resilient (CLR) LTFs. Based on the new notion of ULTFs, we give the security model of the CLR-LTFs as follows.

We consider the security model in the floppy model [17]. This means that during the trapdoor update, there is leak-free device available and between two trapdoor updates there is bounded leakage about the trapdoor (see [17] for more details).

Definition 4 (Lossy Trapdoor Functions against Continuous Leakage).

We say that ULTFs ($\mathsf{G},\mathsf{S},\mathsf{F},{\mathsf{F}}^{-1},\mathsf{U}$) is a collection of continuous λ-bit (weak) leakage resilient ($d,k$)-LTFs (denoted λ-CLR-LTFs) in the floppy model if the ULTFs satisfy the basic properties above, and, for any PPT λ-key leakage adversary $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2),$ the advantage

$${\mathrm{Adv}}_{\mathrm{ULTF},\mathcal{A}}^{\lambda -\mathrm{CL>R}}\left(\kappa \right):=|\mathrm{Pr}[\mathrm{Ex}{\mathrm{p}}_{\mathrm{ULTF},\mathcal{A}}^{\lambda -\mathrm{CLR}}(\kappa ,0)=1]-\mathrm{Ex}{\mathrm{p}}_{\mathrm{ULTF},\mathcal{A}}^{\lambda -\mathrm{CLR}}(\kappa ,1)=1\left]\right|\le \mathrm{negl}\left(\kappa \right),$$

where the experiment $\mathrm{Ex}{\mathrm{p}}_{\mathrm{ULTF},\mathcal{A}}^{\lambda -\mathrm{CLR}}(\kappa ,\gamma )$ ($\gamma \in \{0,1\}$) is described as:

Experiment 

Exp${}_{\mathrm{ULTF},\mathcal{A}}^{\lambda -\mathrm{CLR}}(\kappa ,\gamma )$:

• $(\mathsf{pp},t{d}_0)\leftarrow \mathsf{G}\left(1^{\kappa }\right)$
• For $i=0,1,2,\cdots ,t$, where t is polynomial in the security parameter $\kappa$
• $\{Stat{e}_i\leftarrow {\mathcal{A}}_1^{\mathrm{leakage}\left(t{d}_i\right)}\left(\mathsf{pp}\right),$ where $\left|\mathrm{leakage}\right(t{d}_i\left)\right|\le \lambda$
• $t{d}_{i+1}\leftarrow \mathsf{U}(uk,t{d}_i)\},$ where $uk$ is the update key
• $ek\leftarrow \mathsf{S}(\mathsf{pp},\gamma )$
• ${\gamma }^{\prime }\leftarrow {\mathcal{A}}_2(Stat{e}_{i\in \left[t\right]},ek)$
• output ${\gamma }^{\prime }$.

Remark 1.

In this security model, the adversary is only allowed to obtain leakage before it can see the evaluation key $ek$; therefore, the security of CLR-LTF in this paper is weak key leakage.

4. ElGamal-Like Public Key Encryption Scheme

Briefly, we introduce the ElGamal-like Encryption scheme which will be elegantly embedded into the following continuous leakage resilient LTFs. In addition, we will utilize some good algebraic properties of this cryptographic structure in the following. For the security parameter, $\kappa$, $\mathbb{G}=(G,p,g)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$. The scheme is run in group G with prime order p, for some negligible $ϵ=ϵ\left(\kappa \right)$ set $l=2+\frac{\lambda +2\log (1/ϵ)-2}{\log p}$. The ElGamal-like PKE ($\mathsf{KeyGen},\mathsf{Encrypt},\mathsf{Decrypt}$) is operated as follows:

• $\mathsf{KeyGen}\left(1^{\kappa }\right)$: Run $\mathbb{G}=(G,p,g)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$. Choose vector $\mathit{w}\in {\mathbb{Z}}_p^l$ and $\mathbf{s}\in {\mathbb{Z}}_p^l$ and let $h=g^{\langle \mathit{w},\mathit{s}\rangle }\in G$. The public key is $pk=(G,p,g,g^{\mathit{w}},h)$. The secret key is set to $sk=\mathit{s}$.
• $\mathsf{Encrypt}$($pk,m$): Given a public key $pk=(G,p,g,g^{\mathbf{w}},h)$ along with a message $m\in G$, pick a random scalar $r\in {\mathbb{Z}}_q$ uniformly at random and output the ciphertext $c=(c_1,c_2)=(g^{r\mathbf{w}},h^r·m).$
• $\mathsf{Decrypt}$($sk,c$): Given a ciphertext $c=(c_1,c_2)$ along with a secret key $sk=\mathit{s}$ output $m=c_2·c_1^{-\mathit{s}}$.

The correctness holds directly with $h^r=g^{r\langle \mathit{w},\mathit{s}\rangle }=g^{\langle r\mathit{w},\mathit{s}\rangle }$. Evidently, the above scheme is a variant of the ElGamal public key encryption in vector form. On the other hand, it also can been seen as the BHHO (Boneh, Halevi, Hamburg, Ostrovsky) public key encryption [25] when $\mathit{s}\in {\{0,1\}}^n$. As we all know, this primitive has some good cryptographic properties. We will use these properties in our LTFs against continuous key leakage.

From the leakage resilient aspect, Ref. [25,26] showed that, given the public key and any $\lambda$ bits of leakage, $\tilde{H}\left(sk\right|(pk,\lambda ))\ge \log p+2\log (1/ϵ)-2$. The leftover hash lemma provides that, with overwhelming probability over the choice of $c_1\in X\backslash L$, it holds that $h^r$ is $ϵ$-close to the uniform distribution over G.

Lemma 3.

If the DDH assumption is hard in the p-prime order group G, then the above scheme is a λ-LR-CPA secure PKE scheme as long as the leakage parameter $\lambda \le (l-2)\log \left(p\right)-2\log (1/ϵ)+2$, where $ϵ=ϵ\left(\kappa \right)$ is some negligible function about the security parameter κ.

From the continuous leakage resilient aspect, Ref. [17] showed that, with the updated key $\mathit{w}\in {\mathbb{Z}}_p^l$, we can update the secret key with $s{k}^{\prime }=sk+\mathit{\beta },$ where $\mathit{\beta }\in \mathsf{kernal}\left(\mathit{w}\right)$. With the fixed public key, the updated key $s{k}^{\prime }$ can also decrypt the ciphertext correctly. Combined with the above lemma, with the help of the (extended) rank hiding assumption, the above scheme is a $\lambda$-CLR-CPA secure PKE scheme.

Lemma 4.

Under the extended rank hinging assumption and the DDH assumption for $\mathcal{G}$, then the above scheme is a λ-CLR-CPA secure PKE scheme in the floppy model as long as the leakage parameter $\lambda \le (l-2)\log \left(p\right)-2\log (1/ϵ)+2,$ where $ϵ=ϵ\left(\kappa \right)$ is some negligible function about the security parameter κ.

5. Continuous Leakage Resilient LTF from the DDH Assumption

In this section, based on the ElGamal-like Encryption scheme, we show a lossy trapdoor function against continuous trapdoor leakage.

5.1. The Scheme

In this section, we show how to construct continuous leakage resilient lossy trapdoor function (CLR-LTF) from the continuous leakage resilient CPA-secure ElGamal-like PKE.

For some negligible $ϵ=ϵ\left(\kappa \right)$ set, $l=2+\frac{\lambda +2\log (1/ϵ)-2}{\log p}$. The construction CLR-TDF=($\mathsf{G},\mathsf{S},\mathsf{F},{\mathsf{F}}^{-1},\mathsf{U}$) is presented as follows:

• $\mathsf{G}$($1^{\kappa }$): Run $\mathbb{G}=(G,p,g)\leftarrow \mathcal{G}\left(1^{\kappa }\right)$. Choose $g_1=g^{w_1},g_2=g^{w_2},\cdots ,g_l=g^{w_l}\in G$ and let $\mathit{w}=(w_1,w_2,\cdots ,w_l)\in {\mathbb{Z}}_p^l$, then $g^{\mathit{w}}=(g_1,g_2,\cdots ,g_l)$. Choose n tuples of secret keys ${\mathit{s}}_i=(s_{i1},s_{i2},\cdots s_{il})\in {\mathbb{Z}}_p^l$ for $i\in \left[n\right].$ Let $h_i={\Pi }_{j=1}^l{g}_j^{s_{ij}}=g^{\langle \mathit{w},{\mathit{s}}_i\rangle }$. Output

  $$\mathsf{pp}=(G,p,g,g^{\mathit{w}},h_1,h_2,\cdots ,h_n),td=({\mathit{s}}_1,{\mathit{s}}_2,\cdots ,{\mathit{s}}_n),uk=\mathit{w}.$$
• $\mathsf{S}$($\mathsf{pp},b$): Given $b\in \{0,1\}$. For $i\in \left[n\right]$, let ${\mathit{R}}_i=(g_1^{r_i},g_2^{r_i},\cdots ,g_l^{r_i})\in L$ with a witness $r_i\in {\mathbb{Z}}_p$ independently at random.
  Let $R=\left(\begin{array}{c}{\mathit{R}}_1\\ {\mathit{R}}_2\\ ⋮\\ {\mathit{R}}_n\end{array}\right)$ = ${\left(\begin{array}{cccc}{g}_1^{r_1}& g_2^{r_1}& \cdots & g_l^{r_1}\\ g_1^{r_2}& g_2^{r_2}& \cdots & g_l^{r_2}\\ ⋮& ⋮& \ddots & ⋮\\ g_1^{r_n}& g_2^{r_n}& \cdots & g_l^{r_n}\end{array}\right)}_{n\times l}$ and $Q=({\mathit{Q}}_1,{\mathit{Q}}_2,\cdots ,{\mathit{Q}}_n){}^T$ = ${\left(\begin{array}{cccc}{h}_1^{r_1}·g^b& h_1^{r_2}& \cdots & h_1^{r_n}\\ h_2^{r_1}& h_2^{r_2}·g^b& \cdots & h_2^{r_n}\\ ⋮& ⋮& \ddots & ⋮\\ h_n^{r_1}& h_n^{r_2}& \cdots & h_n^{r_n}·g^b\end{array}\right)}_{n\times n}$.
  When $b=1$, we say it is in injective mode; otherwise, let $g^0=1_G$ and we say it is in lossy mode. At last, the evaluation key is $ek=(R,Q)$.
• $\mathsf{F}$($ek,x$): Given a message $x=x_1{x}_2\cdots x_n\in {\{0,1\}}^n$. Given a function index $(R,Q),$ then calculate $F_{R,Q}\left(x\right)=(c_1,c_2),$ where
  $c_1=x·R=(c_{11},c_{12},\cdots ,c_{1l}),$ where $c_{1i}={\prod }_{j=1}^n{g}_i^{r_j{x}_j},i\in \left[l\right];$
  $c_2=x·Q=(c_{21},c_{22},\cdots ,c_{2n}),$ where $c_{2i}={\prod }_{j=1}^n{Q}_{ij}^{x_j},i\in \left[n\right].$
  Output $c=(c_1,c_2)\in G^l\times G^n.$
• ${\mathsf{F}}^{-1}(td,c$): Firstly, parse c as $(c_1,c_2)=((c_{11},c_{12},\cdots ,c_{1l}),(c_{21},c_{22},\cdots ,c_{2n}))$.
  If ${\prod }_{j=1}^l{c}_{1j}^{s_{ij}}=c_{2i}$, then $x_i=0,i\in \left[n\right];$ if ${\prod }_{j=1}^l{c}_{1j}^{s_{ij}}\ne c_{2i}$, then $x_i=1,i\in \left[n\right].$
  At last, output the message $x=x_1{x}_2\cdots x_n\in {\{0,1\}}^n.$
• $\mathsf{U}$($td,uk$): Input the update key $uk=\mathit{w}$ and the trapdoor is updated into the new one $t{d}^{\prime }=td+({\mathit{\beta }}_1,{\mathit{\beta }}_2,\cdots ,{\mathit{\beta }}_n)=({\mathit{s}}_1+{\mathit{\beta }}_1,{\mathit{s}}_2+{\mathit{\beta }}_2,\cdots ,{\mathit{s}}_n+{\mathit{\beta }}_n),$ where ${\mathit{\beta }}_i=(b_{i1},b_{i2},\cdots ,b_{il})\leftarrow$ $\mathsf{kernel}\left(\mathit{w}\right)$ (i.e., $s_{ij}^{\prime }=s_{ij}+b_{ij}$ for $\forall i\in \left[n\right],j\in \left[l\right]$).

5.2. Correctness and Security

5.2.1. Correctness

• Since the updated trapdoor is $t{d}^{\prime }={({\mathit{s}}_i+{\mathit{\beta }}_i)}_{i\in \left[n\right]}={(s_{ij}+b_{ij})}_{i\in \left[n\right],j\in \left[l\right]}$, we have $h_i^{\prime }={\Pi }_{j=1}^l{g}_j^{s_{ij}+b_{ij}}=g^{\langle \mathit{w},{\mathit{s}}_i+{\mathit{\beta }}_i\rangle }=g^{\langle \mathit{w},{\mathit{s}}_i\rangle }=h_i$.
• For any evaluation key $ek$ and $\forall i\in \left[n\right]$, there is
  $c_{2i}={\prod }_{j=1}^n{Q}_{ij}^{x_j}=g^{b{x}_i}·{\prod }_{j=1}^n{h}_i^{\prime r_j{x}_j}=g^{b{x}_i}·h_i^{\prime {\sum }_{j=1}^n{r}_j{x}_j}$
  $=g^{b{x}_i}·g^{\langle \mathit{w},{\mathit{s}}_i+{\mathit{\beta }}_i\rangle ·{\sum }_{j=1}^n{r}_j{x}_j}$
  $=g^{b{x}_i}·g^{\langle \mathit{w},{\mathit{s}}_i\rangle ·{\sum }_{j=1}^n{r}_j{x}_j}$.
  On the other hand,
  ${\prod }_{j=1}^l{c}_{1j}^{s_{ij}^{\prime }}=c_{11}^{s_{i1}^{\prime }}{c}_{12}^{s_{i2}^{\prime }}\cdots c_{1l}^{s_{il}^{\prime }}$
  $={\left({\prod }_{j=1}^n{g}_1^{r_j{x}_j}\right)}^{s_{i1}^{\prime }}{\left({\prod }_{j=1}^n{g}_2^{r_j{x}_j}\right)}^{s_{i2}^{\prime }}\cdots {\left({\prod }_{j=1}^n{g}_l^{r_j{x}_j}\right)}^{s_{il}^{\prime }}$
  $=g_1^{s_{i1}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}{g}_2^{s_{i2}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}\cdots g_l^{s_{il}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}$
  $=g^{w_1{s}_{i1}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}{g}^{w_2{s}_{i2}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}\cdots g^{w_l{s}_{il}^{\prime }{\sum }_{j=1}^n{r}_j{x}_j}$
  $=g^{\langle \mathit{w},{\mathit{s}}_i+{\mathit{\beta }}_i\rangle {\sum }_{j=1}^n{r}_j{x}_j}$
  $=g^{\langle \mathit{w},{\mathit{s}}_i\rangle ·{\sum }_{j=1}^n{r}_j{x}_j}.$
  Since in injective mode (i.e., $b=1$), $g^{b{x}_i}=g^{x_i}$ holds and the correctness of $\mathsf{F}$ and ${\mathsf{F}}^{-1}$ follows.

Theorem 1.

Under the DDH assumption and the (extended) rank hiding assumption in group G with the prime order p, the proposed scheme is a collection of λ-CLR-LTFs with $\lambda \le (l-2)\log p-2\left(\log \right(1/ϵ\left)\right)+2,$ where $ϵ=ϵ\left(\kappa \right)$ is some negligible function of the security parameter κ in the floppy model. Therefore, the leakage rate is $\frac{\lambda }{\left|td\right|}=\frac{(l-2)\log p-2\left(\log \right(1/ϵ)+2}{nl\log p}\approx \frac{1}{n}$, and the lossiness is $n-logp$ bits.

Proof. 

Firstly, we prove the lossiness of the proposed scheme is still $n-$logp bits after each trapdoor update.

Lossiness. 

In the lossy mode, after each trapdoor update, it holds that

$$h_i^{\prime }={\Pi }_{j=1}^l{g}_j^{s_{ij}+b_{ij}}=g^{\langle \mathit{w},{\mathit{s}}_i+{\mathit{\beta }}_i\rangle }=g^{\langle \mathit{w},{\mathit{s}}_i\rangle }=h_i.$$

Therefore, the evaluation key Q in the lossy mode (i.e., $g^b=1_G$) is

$$Q={\left(\begin{array}{cccc}{g}^{\langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_1}& g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_2}& \cdots & g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_n}\\ g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_1}& g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_2}& \cdots & g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_n}\\ ⋮& ⋮& \ddots & ⋮\\ g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_1}& g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_2}& \cdots & g^{\langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_n}\end{array}\right)}_{n\times n}$$

$${=g}^{{\left(\begin{array}{cccc}\langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_1& \langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_2& \cdots & \langle \mathit{w},{\mathit{s}}_{\mathbf{1}}\rangle ·r_n\\ \langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_1& \langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_2& \cdots & \langle \mathit{w},{\mathit{s}}_{\mathbf{2}}\rangle ·r_n\\ ⋮& ⋮& \ddots & ⋮\\ \langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_1& \langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_2& \cdots & \langle \mathit{w},{\mathit{s}}_{\mathbf{n}}\rangle ·r_n\end{array}\right)}_{n\times n}}=g^{Q^{\prime }}.$$

Hence, $Q^{\prime }$ is a matrix of rank 1 since the i-th column is $r_i/r_1$ times of the first column for all $i\in \left[n\right]$ and $i\ne 1$. Therefore, the image of $\mathsf{F}$ has size at most logp. The lossiness is $n-$logp bits.

In the following, we give the lemma to support the theorem. Based on the $\lambda$-CLR-CPA-security of the ElGamal-like public key encryption in the floppy model (Section 4 Lemma 4), the proposed lossy trapdoor function can satisfy the indistinguishability between the injective and lossy functions tolerating at most $\lambda$-bit leakage about the trapdoor at each time period, where $\lambda \le (l-2)\log p-2\log (1/ϵ)+2$.

Lemma 5 (Indistinguishability).

For $\lambda \le (l-2)\log p-2\left(\log \right(1/ϵ)+2$, injective and lossy functions are computationally indistinguishable as long as the leakage number of the trapdoor is less than λ bits between the two trapdoor updates.

Proof. 

Let $F_{\mathrm{inj}}$ and $F_{\mathrm{loss}}$ be the distributions on the injective evaluation key and the lossy evaluation key, respectively. Let $F_i$ be the distribution which is identical to the distribution $F_{\mathrm{inj}}$ except for letting the latter i-th main diagonal element $b=0$ in matrix Q. In evidence, $F_0=F_{\mathrm{inj}},$ which is the distribution on injective evaluation key and $F_n=F_{\mathrm{loss}},$ which is the distribution on the lossy evaluation key. Therefore, to prove that $F_{\mathrm{inj}}$ and $F_{\mathrm{loss}}$ are computationally indistinguishable, it is enough to prove that $F_{i-1}$ and $F_i$ are computationally indistinguishable for any $i\in \left[n\right]$.

In the following, we show that any distinguisher $\mathcal{D}$ of the two distributions $F_{i-1}$ and $F_i$ can be used to attack the $\lambda$-CLR-CPA security of the ElGmal-like PKE scheme. The game is played between a simulator $\mathcal{S}$ and the distinguisher $\mathcal{D}$.

• Given the public key $pk=(G,p,g,g_1,g_2,\cdots ,g_l,h)$ of ElGamal-like PKE, the simulator $\mathcal{S}$ chooses a random index $i^{*}\in \left[n\right]$. For $i=[n\backslash i^{*}]$, the pairs (${\mathit{s}}_i,h_i$) are produced the same as in ElGamal-like PKE. For $i=i^{*}$, let $h_{i^{*}}=h$ and ${\mathit{s}}_i=sk$, where the secret key $sk$ is correlated with the challenge public key $pk$. Finally, $\mathcal{S}$ sends $pp=(G,p,g,g_1,g_2,\cdots ,g_l,h_1,h_2,\cdots ,h_n)$ to the distinguisher $\mathcal{D}$.
• Consequently, the simulator $\mathcal{S}$ simulates $\mathcal{D}$’s continuous leakage queries as follows. Suppose that there are polynomial $t=t\left(\kappa \right)$ times continuous trapdoor leakage queries. Set $t{d}_0=({\mathit{s}}_1,{\mathit{s}}_2,\cdots ,{\mathit{s}}_n)$ and $t{d}_i=t{d}_0+{\mathsf{kernal}}_i\left(\mathit{w}\right)(i\in \left[t\right])$. We know that the leakage information is a function of $t{d}_i=({\mathit{s}}_1,{\mathit{s}}_2,\cdots ,{\mathit{s}}_n)+{\mathsf{kernal}}_i\left(\mathit{w}\right)(i\in \left[t\right])$ and the simulator $\mathcal{S}$ knows all ${\mathit{s}}_i$ except for ${\mathit{s}}_{i^{*}}$. According to $\mathcal{D}$’s leakage query function f of $t{d}_i=({\mathit{s}}_1,{\mathit{s}}_2,\cdots ,{\mathit{s}}_n)+{\mathsf{kernal}}_i\left(\mathit{w}\right)(i\in \left[t\right])$, the simulator $\mathcal{S}$ adapts f as a function of ${\mathit{s}}_{i^{*}}$ and presents the function to its own leakage oracles as long as the length of the whole output of f is smaller than $\lambda$ bits, which is the upper bound of the leakage information of the updatable ElGamal-like PKE scheme. At last, the simulator $\mathcal{S}$ achieves the value $f\left(t{d}_i\right)(i\in \left[t\right])$ returned from its leakage oracle and then responds with $\mathcal{D}$’s leakage queries.
• The simulator $\mathcal{S}$ simulates the challenge evaluation key as follows. For $(m_0,m_1)=(g,1_G)$, $\mathcal{S}$ queries its own encryption oracle and gets the challenge ciphertext $C^{*}=(u_1^{*},u_2^{*},\cdots ,u_l^{*},e^{*}),$ which is the encryption of $m_0$ or $m_1$ (i.e., g or $1_G$):

  –

  For $i=[n\backslash i^{*}]$, choose ${\mathit{R}}_i=(g_1^{r_i},g_2^{r_i},\cdots ,g_l^{r_i})\in L$ with the same witness $r_i$ uniformly at random. Let ${\mathit{R}}_{i^{*}}=(u_1^{*},u_2^{*},\cdots ,u_l^{*})$ and set $R={({\mathit{R}}_1,{\mathit{R}}_2,\cdots ,{\mathit{R}}_n)}^T$.

  –

  For $i=[n\backslash i^{*}]$ and $j\in \left[n\right]$, compute $h_j^{r_i}$ using the same witness $r_i$. For $i=i^{*},j\in \left[n\right]$, let $h_j^{r_i^{*}}={\Pi }_{k=1}^l{\left(u_k^{*}\right)}^{s_{jk}}$ with the secret keys ${\mathit{s}}_j$.

  –

  For $i\ne j$, let $Q_{ij}=h_i^{r_j}$. For $1\le i\le i^{*}-1$, let $Q_{ii}=h_i^{r_i}$; for $i^{*}+1\le i\le n$, let $Q_{ii}=h_i^{r_i}g$; for $i=i^{*}$, let $Q_{i^{*}{i}^{*}}=e^{*}$.

The simulator $\mathcal{S}$ sends $ek=(R,Q)$ to $\mathcal{A}$. We can see that when $e^{*}$ is the encryption of g, the simulator $\mathcal{S}$ simulates a function index based on the distribution $F_{i^{*}-1}$ perfectly. On the other hand, when $e^{*}$ is the encryption of $1_G$, the simulator $\mathcal{S}$ simulates a function index based on the distribution $F_{i^{*}}$ perfectly.

At last, the simulator $\mathcal{S}$ outputs what the distinguisher $\mathcal{D}$ outputs. Since $\mathcal{S}$ perfectly simulates $F_{i-1}^{*}$ or $F_{i^{*}},$ according to the challenge ciphertext $e^{*}$, for any $\lambda$-bit key leakage adversary $\mathcal{D},$ it holds that

$$\mathrm{Pr}[\mathcal{D}(F_{\mathrm{inj}})=1]-\mathrm{Pr}[\mathcal{D}\left(F_{\mathrm{loss}}\right)=1]\le n·{\mathrm{Adv}}_{\mathrm{ElGamal}-\mathrm{like},\mathcal{S}}^{\lambda -\mathrm{CLR}-\mathrm{CPA}}\left(\kappa \right).$$

Remark 2.

In this section, we can see that the leakage ratio of the DDH-based CLR-LTF is only $\frac{1}{n},$ where the lossiness is $n-$logp. This relationship implies that the higher the leakage rate, the lower the lossiness. Therefore, it is hard to improve the leakage rate in the prime order group. In the next part, we would like to present an instantiation in the composite order group, which would provide some help in improving the leakage rate to $1-o\left(1\right)$.

6. Continuous Leakage Resilient LTFs from the DCR Assumption

In this section, we show how to construct CLR-LTF under the decisional composite residuosity (DCR) assumption. The group ${\mathbb{Z}}_{N^{\alpha +1}}^{*}$ is a multiplicative group where $\alpha \ge 1$ is an integer. In addition, the integer $N=PQ$ is an RSA modulus, which means that P and Q are odd primes of equivalent bit length. Obviously, the group ${\mathbb{Z}}_{N^{\alpha +1}}^{*}$ is a direct product $\mathsf{G}\times \mathsf{H},$ where $\mathsf{G}$ is a cyclic group of order $N^{\alpha }$ and $\mathsf{H}$ is isomorphic to ${\mathbb{Z}}_N^{*}$. We define $T:=1+N($mod$N^{\alpha +1})$; therefore, T generates the group $\mathsf{H}$. In addition, the discrete logarithm with respect to T over group $\mathsf{H}$ is efficiently computable. Such an N will be called admissible in the following discussion.

6.1. The Scheme

Set $l=2+\frac{\lambda +2\log (1/ϵ)}{\log N-3}$ for some negligible $ϵ=ϵ\left(\kappa \right)$. The construction CLR-TDF=($\mathsf{G},\mathsf{S},\mathsf{F},{\mathsf{F}}^{-1},\mathsf{U}$) is operated over the group $Z_{N^{\alpha +1}}^{*}$ as follows.

• G($1^{\kappa }$): On inputting $1^{\kappa }$, the generation algorithm chooses an admissible $\kappa$-bit RSA modulus $N=PQ$ and a natural number $\alpha \ge 1$. Note that this fixes the groups $\mathsf{G}$ and $\mathsf{H}$ (where $g\in \mathsf{G}$ is chosen at random). Set $l(\log N-2)=\lambda$. Choose $\mathit{s}=(s_1,s_2,\cdots ,s_l)\in Z_{\frac{N-1}{4}}^l$ at random. Select $g_1=g^{w_1},g_2=g^{w_2},\cdots ,g_l=g^{w_l}\in \mathsf{G}$ uniformly and let $\mathit{w}=(w_1,w_2,\cdots ,w_l)\in {\mathbb{Z}}_{\frac{N-1}{4}}^l$. Then, $g^{\mathit{w}}=(g_1,g_2,\cdots ,g_l)$. Given $h={\Pi }_{i=1}^l{g}_i^{s_i}=g^{\langle \mathit{w},\mathit{s}\rangle }$, output

  $$\mathsf{pp}=(N,\alpha ,g,g^{\mathit{w}},h),td=\mathit{s},uk=\mathit{w}.$$
• $\mathsf{S}$($\mathsf{pp},b$): Given $b\in \{0,1\}$, choose $r\in Z_N^{*}$ and define

  $$R=g^{\mathit{w}r},Q=h^r·T^b.$$
  When $b=1$, we say it is in injective mode; otherwise, we say it is in lossy mode. At last, the evaluation key is $ek=(R,Q)\in {\mathsf{G}}^l\times Z_{N^{\alpha +1}}^{*}$.
• $\mathsf{F}$($ek,x$): Given a message $x\in Z_{N^{\alpha }}$. Given a function index $(R,Q)$, then calculate $F_{R,Q}\left(x\right)=(c_1,c_2),$ where

  $$c_1=x·R=R^x;c_2=x·Q=Q^x.$$
  Output $c=(c_1,c_2)\in {\mathsf{G}}^l\times Z_{N^{\alpha +1}}^{*}.$
• ${\mathsf{F}}^{-1}(td,c$): Firstly, parse c as $(c_1,c_2)$. In the injective mode, we compute $X=c_2·\left(c_1^{-\mathit{s}}\right)=T^x$. At last, output the message $x={\log }_{T}X.$
• $\mathsf{U}$($td,uk$): Given the update key $uk=\mathit{w}$ and the trapdoor is updated into the new one $t{d}^{\prime }=td+\mathit{\beta }=\mathit{s}+\mathit{\beta },$ where $\mathit{\beta }\leftarrow \mathsf{kernel}\left(\mathit{w}\right)$.

6.2. Correctness and Security

6.2.1. Correctness

• Since the updated trapdoor is $t{d}^{\prime }=\mathit{s}+\mathit{\beta }$, we have $h^{\prime }=g^{\langle \mathit{w},\mathit{s}+\mathit{\beta }\rangle }=g^{\langle \mathit{w},\mathit{s}\rangle }=h$.
• For any evaluation key $ek$, there exist

  $$c_2·\left(c_1^{-\mathit{s}}\right)=Q^x·{\left(R^x\right)}^{-\mathit{s}}=h^{rx}·T^{bx}·{\left(g^{\mathit{w}·rx}\right)}^{-\mathit{s}}=h^{rx}·T^{bx}·h^{-rx}=T^{bx},$$

since in injective mode (i.e., $b=1$), $T^{bx}=T^x$ holds and the correctness of $\mathsf{F}$ and ${\mathsf{F}}^{-1}$ follows.

Theorem 2.

If the DDH assumption is hard in $\mathsf{G}$ and the DCR problem is hard in $Z_{N^{\alpha +1}}^{*}$, then we can construct a collection of λ-CLR-TDFs. During each time interval, the proposed scheme can tolerate at most $\lambda \le (l-2)(\log N-3)-2\log (1/ϵ)$ bits on the trapdoor, where $ϵ=ϵ\left(\kappa \right)$ is some negligible function with the security parameter κ. Therefore, the leakage rate is $\frac{\lambda }{\left|td\right|}=\frac{(l-2)(\log N-3)-2\log (1/ϵ)}{l(\log N-3)}\approx 1-o\left(1\right)$. In addition, the lossiness is at least $\alpha logN-(logN-2)$ bits.

Proof. 

Firstly, we prove the lossiness of the proposed scheme is still $\alpha \log N-(\log N-2)$ bits even after any trapdoor update.

Lossiness. 

After each trapdoor update, $h^{\prime }=g^{\langle \mathit{w},\mathit{s}+\mathit{\beta }\rangle }=g^{\langle \mathit{w},\mathit{s}\rangle }=h$. Therefore, in the lossy mode (i.e., $b=0$), it holds $c_2=x·Q=h^{rx}·T^{bx}=h^{rx}\in \mathsf{G}$ for any $x\in Z_{N^{\alpha }}.$ The image of $\mathsf{F}$ has size at most $\left|\mathsf{G}\right|$. Since $N/8\le \left|\mathsf{G}\right|\le N/4$, the lossiness is at least $\alpha \mathit{log}N-(\mathit{log}N-2)$ bits.

6.2.2. Leakage Rate

Since $N/8\le \left|\mathsf{G}\right|\le N/4$, the min-entropy of the trapdoor is at least $l(\log N-3)$ bits. The entropy information about the trapdoor revealed by the public key h is at most $\log N-2$ bits. According to the leftover hash lemma [27]

$${\tilde{H}}_{\infty }\left(td\right|(\mathsf{pp},\lambda ))\ge l(\log N-3)-(\log N-2)-\lambda \ge (\log N-2)+2\log (1/ϵ)-2.$$

Therefore, it holds that $\lambda \le (l-2)(\log N-3)-2\log (1/ϵ)$. As a result, the leakage rate is $\frac{\lambda }{\left|td\right|}=\frac{(l-2)(\log N-3)-2\log (1/ϵ)}{l(\log N-3)}\approx 1-o\left(1\right)$. Clearly, the leakage rate would arrive at 1 with the parameter l increasing.

Lemma 6.

Under the assumption that the DDH assumption is hard in $\mathsf{G}$ and the DCR problem is hard in $Z_{N^{\alpha +1}}^{*}$, if the extended rank hiding assumption holds, then the scheme implies a λ-CLR-CPA secure PKE scheme as long as the leakage parameter $\lambda \le (l-2)(\mathit{log}N-3)-2\mathit{log}(1/ϵ),$ where $ϵ=ϵ\left(\kappa \right)$ is some negligible function about κ.

Proof. 

Obviously, we can extract a DCR-Based ElGamal-like PKE scheme against continuous leakage from the proposed scheme where we can replace the variant b with a message m. As a result, the evaluation key ($R,Q$) is just the ciphertext of the message m. It is clear that the DCR assumption is properly embedded into the ElGamal-like PKE scheme. Therefore, with the assumption of the DDH and DCR assumptions holding in group $\mathsf{G}$ and in $Z_{N^{\alpha +1}}^{*}$, respectively, and with the extended rank hiding assumption, the result scheme is a CLR-CPA secure PKE scheme with the leakage parameter $\lambda \le (l-2)(\log N-3)-2\log (1/ϵ)$.

According to this lemma, it is natural to reduce the following lemma about the indistinguishability of the injective and lossy function.

Lemma 7  (Indistinguishability).

Under the assumption that the DDH assumption is hard in $\mathsf{G}$ and the DCR problem is hard in $Z_{N^{\alpha +1}}^{*}$, if the extended rank hiding assumption holds, then the injective and lossy functions are still computationally indistinguishable from the continuous leakage as long as the leakage number of the trapdoor is less than λ bits, where $\lambda \le (l-2)(\mathit{log}N-3)-2\mathit{log}(1/ϵ)$, and where $ϵ=ϵ\left(\kappa \right)$ is some negligible function about κ.

7. Conclusions

In this paper, we focus on the lossy trapdoor functions in the presence of continuous leakage. Firstly, we introduce the new notion of updatable lossy trapdoor functions and give the formal definition and security requirements. Meanwhile, we extend the notion of ULTFs to CLR-LTFs and give the explicit security model of CLR-LTFs. Then, we introduce the security properties of the CLR ElGamal-like PKE scheme, which will be embedded into our proposed scheme. Under the standard DDH assumption and DCR assumption, respectively, we introduce two concrete lossy trapdoor functions against continuous leakage in the standard model. In these schemes, the trapdoor can be refreshed at regular intervals and the adversaries can learn unbounded leakage information on the trapdoor along the whole system life. Even though, the proposed CLR-LTFs can also be indistinguishable between the injective and lossy evaluation keys. On the other hand, we also show the performance of the proposed schemes compared with the known existing CLR-LTFs. In form, our proposed scheme can also be seen as a deterministic public key encryption, and we think it is of independent interest in the study of efficient deterministic PKE against continuous leakage.