| To tackle with physical attacks to real world cryptosystems, leakage resilient cryp-tography is developed. In this setting, the adversary is allowed to have access to the in-ternal state of a cryptographic computation during its executions, thus more challenging compared to traditional cryptography. Especially when this kind of unintended informa-tion leakage is continual, i.e., there is no predetermined bound on the size of the leakage, the task can be extremely tough. New techniques are demanded to solve this problem, and in this paper we foucs on the technique of Hash Proof System (HPS) and investiate how it can be applied to construct Public key Encryption (PKE) schemes in the Continual Memory Leakage (CML) model.Hash proof system serves as a fundamental tool in constructing PKE schemes in both leakage-free and leaky settings. However, it is not known how to construct HPS-based PKE schemes in the continual leakage scenario. In this paper, we solve this problem by introducing a new primitive called updatable hash proof system (UHPS). A UHPS can be viewed as a variant of HPS, which is capable of updating its secret key while keeping several basic properties in the CML settings. We show that UHPS is suitable to construct PKE schemes with various security guarantee in the CML setting and give instantiations of UHPS from widely-accepted assumptions. Our contribution is three-fold:First, our proposed primitive UHPS provides a new insight into the construction of PKE schemes in the CML setting. Next, we demonstrate that for nearly all known HPS-based PKE schemes, merely by substituting HPS with UHPS as applied in the previous construction, one can upgrade original schemes to PKE schemes with corresponding se-curity level in the CML setting. Note that in these resulting schemes, the CML-security comes with UPHS itself, and the whole structure of these well-established paradigms remains unchanged at all. Finally, we show that UHPS can be based on hardness assump-tions in bilinear groups, including the symmetric external Diffie-Hellman assumption and the d-Linear assumption. This also provides concrete PKE schemes with a fair efficiency. Especially, our chosen-ciphertext secure PKE scheme is much more efficient than known results. |
PDF Full Text Request