TY - GEN
T1 - On continual leakage of discrete log representations
AU - Agrawal, Shweta
AU - Dodis, Yevgeniy
AU - Vaikuntanathan, Vinod
AU - Wichs, Daniel
N1 - Copyright:
Copyright 2014 Elsevier B.V., All rights reserved.
PY - 2013
Y1 - 2013
N2 - Let double-struck G be a group of prime order q, and let g 1,...,gn be random elements of double-struck G. We say that a vector x = (x1,...,x2) ∈ ℤ qn is a discrete log representation of some some element y ∈ double-struck G (with respect to g1,...,gn) if g1x1⋯gnxn = y. Any element y has many discrete log representations, forming an affine subspace of ℤqn. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g 1,...,gn, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions fi : ℤq n → {0,1}L, and learns the value fi(x i), where xi is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called "invisible key update" model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called "traitors") and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.
AB - Let double-struck G be a group of prime order q, and let g 1,...,gn be random elements of double-struck G. We say that a vector x = (x1,...,x2) ∈ ℤ qn is a discrete log representation of some some element y ∈ double-struck G (with respect to g1,...,gn) if g1x1⋯gnxn = y. Any element y has many discrete log representations, forming an affine subspace of ℤqn. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker A(g 1,...,gn, y) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, A adaptively chooses polynomially many leakage functions fi : ℤq n → {0,1}L, and learns the value fi(x i), where xi is a fresh and random discrete log representation of y. A wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in double-struck G, then no polynomially bounded A can win this game with non-negligible probability, as long as the leakage on each representation is bounded by L ≈ (n - 2) log q = (1 - 2/n)·|x|. As direct extensions of this property, we design very simple continuous leakage-resilient (CLR) one-way function (OWF) and public-key encryption (PKE) schemes in the so called "invisible key update" model introduced by Alwen et al. at CRYPTO'09. Our CLR-OWF is based on the standard Discrete Log assumption and our CLR-PKE is based on the standard Decisional Diffie-Hellman assumption. Prior to our work, such schemes could only be constructed in groups with a bilinear pairing. As another surprising application, we show how to design the first leakage-resilient traitor tracing scheme, where no attacker, getting the secret keys of a small subset of decoders (called "traitors") and bounded leakage on the secret keys of all other decoders, can create a valid decryption key which will not be traced back to at least one of the traitors.
UR - http://www.scopus.com/inward/record.url?scp=84892419482&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84892419482&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-42045-0_21
DO - 10.1007/978-3-642-42045-0_21
M3 - Conference contribution
AN - SCOPUS:84892419482
SN - 9783642420443
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 401
EP - 420
BT - Advances in Cryptology, ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
T2 - 19th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2013
Y2 - 1 December 2013 through 5 December 2013
ER -