On continual leakage of discrete log representations

Shweta Agrawal; Yevgeniy Dodis; Vinod Vaikuntanathan; Daniel Wichs

doi:10.1007/978-3-642-42045-0_21

On continual leakage of discrete log representations

Shweta Agrawal, Yevgeniy Dodis, Vinod Vaikuntanathan, Daniel Wichs

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Let double-struck G be a group of prime order q, and let g ₁,...,g_n be random elements of double-struck G. We say that a vector x = (x₁,...,x₂) ∈ ℤ _qⁿ is a discrete log representation of some some element y ∈ double-struck G (with respect to g₁,...,g_n) if g₁^x1⋯g_n^xn = y. Any element y has many discrete log representations, forming an affine subspace of ℤ_qⁿ. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g ₁,...,g_n, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions f_i : ℤ_q ⁿ → {0,1}^L, and learns the value f_i(x _i), where x_i is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called "invisible key update" model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called "traitors") and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.

Original language	English (US)
Title of host publication	Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
Pages	401-420
Number of pages	20
Edition	PART 2
DOIs	https://doi.org/10.1007/978-3-642-42045-0_21
State	Published - 2013
Event	19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013 - Bengaluru, India Duration: Dec 1 2013 → Dec 5 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Number	PART 2
Volume	8270 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013
Country	India
City	Bengaluru
Period	12/1/13 → 12/5/13

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-42045-0_21

Fingerprint Dive into the research topics of 'On continual leakage of discrete log representations'. Together they form a unique fingerprint.

Cite this

Agrawal, S., Dodis, Y., Vaikuntanathan, V., & Wichs, D. (2013). On continual leakage of discrete log representations. In Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings (PART 2 ed., pp. 401-420). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8270 LNCS, No. PART 2). https://doi.org/10.1007/978-3-642-42045-0_21

On continual leakage of discrete log representations. / Agrawal, Shweta; Dodis, Yevgeniy; Vaikuntanathan, Vinod; Wichs, Daniel.

Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings. PART 2. ed. 2013. p. 401-420 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8270 LNCS, No. PART 2).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Agrawal, S, Dodis, Y, Vaikuntanathan, V & Wichs, D 2013, On continual leakage of discrete log representations. in Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings. PART 2 edn, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), no. PART 2, vol. 8270 LNCS, pp. 401-420, 19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013, Bengaluru, India, 12/1/13. https://doi.org/10.1007/978-3-642-42045-0_21

Agrawal S, Dodis Y, Vaikuntanathan V, Wichs D. On continual leakage of discrete log representations. In Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings. PART 2 ed. 2013. p. 401-420. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); PART 2). https://doi.org/10.1007/978-3-642-42045-0_21

Agrawal, Shweta ; Dodis, Yevgeniy ; Vaikuntanathan, Vinod ; Wichs, Daniel. / On continual leakage of discrete log representations. Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings. PART 2. ed. 2013. pp. 401-420 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); PART 2).

@inproceedings{3cfa242526664d168d43f9c249e6b401,

title = "On continual leakage of discrete log representations",

abstract = "Let double-struck G be a group of prime order q, and let g 1,...,gn be random elements of double-struck G. We say that a vector x = (x1,...,x2) ∈ ℤ qn is a discrete log representation of some some element y ∈ double-struck G (with respect to g1,...,gn) if g1x1⋯gnxn = y. Any element y has many discrete log representations, forming an affine subspace of ℤqn. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g 1,...,gn, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions fi : ℤq n → {0,1}L, and learns the value fi(x i), where xi is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called {"}invisible key update{"} model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called {"}traitors{"}) and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.",

author = "Shweta Agrawal and Yevgeniy Dodis and Vinod Vaikuntanathan and Daniel Wichs",

note = "Copyright: Copyright 2014 Elsevier B.V., All rights reserved.; 19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013 ; Conference date: 01-12-2013 Through 05-12-2013",

year = "2013",

doi = "10.1007/978-3-642-42045-0_21",

language = "English (US)",

isbn = "9783642420443",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

number = "PART 2",

pages = "401--420",

booktitle = "Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings",

edition = "PART 2",

}

TY - GEN

T1 - On continual leakage of discrete log representations

AU - Agrawal, Shweta

AU - Dodis, Yevgeniy

AU - Vaikuntanathan, Vinod

AU - Wichs, Daniel

PY - 2013

Y1 - 2013

N2 - Let double-struck G be a group of prime order q, and let g 1,...,gn be random elements of double-struck G. We say that a vector x = (x1,...,x2) ∈ ℤ qn is a discrete log representation of some some element y ∈ double-struck G (with respect to g1,...,gn) if g1x1⋯gnxn = y. Any element y has many discrete log representations, forming an affine subspace of ℤqn. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g 1,...,gn, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions fi : ℤq n → {0,1}L, and learns the value fi(x i), where xi is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called "invisible key update" model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called "traitors") and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.

AB - Let double-struck G be a group of prime order q, and let g 1,...,gn be random elements of double-struck G. We say that a vector x = (x1,...,x2) ∈ ℤ qn is a discrete log representation of some some element y ∈ double-struck G (with respect to g1,...,gn) if g1x1⋯gnxn = y. Any element y has many discrete log representations, forming an affine subspace of ℤqn. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g 1,...,gn, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions fi : ℤq n → {0,1}L, and learns the value fi(x i), where xi is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called "invisible key update" model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called "traitors") and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.

UR - http://www.scopus.com/inward/record.url?scp=84892419482&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84892419482&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-42045-0_21

DO - 10.1007/978-3-642-42045-0_21

M3 - Conference contribution

AN - SCOPUS:84892419482

SN - 9783642420443

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 401

EP - 420

BT - Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings

T2 - 19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013

Y2 - 1 December 2013 through 5 December 2013

ER -