In this section we present the stateful bilinear ElGamal key encapsulation mechanism (BEG-KEM) from [18]. First, we recall the basics of the notion of min-entropy. Then we introduce the concept of stateful KEM and security under non-adaptive chosen-ciphertext attacks in the presence of continual min-entropy leakage (CCmLA1). We note again that the class of leakage functions allowed in our model (based on lowering min-entropy) is broader than the bounded-length model (CCLA1) used in [18].
Min-entropy
Let X be a finite random variable with probability distribution \(\Pr \). The min-entropy of X, denoted \(\mathbf {H}_{\infty }(X)\), is defined as
$$\begin{aligned} \mathbf {H}_{\infty }(X):=-\log _{2}\left( \underset{x}{\max }\,\,\text {Pr}[X=x]\right) . \end{aligned}$$
Min-entropy is a standard measure of the worst-case predictability of a random variable. Let Z be a random variable. The average conditional min-entropy of X given Z, denoted \(\tilde{\mathbf {H}}_{\infty }(X\,|\, Z)\), is defined as
$$\begin{aligned} \tilde{\mathbf {H}}_{\infty }(X\,|\, Z):=-\log _{2}\Bigl (\underset{z\leftarrow Z}{\mathbb {E}}\Bigl [\underset{x}{\max } \text {Pr}[X=x\,|\, Z=z]\Bigr ]\Bigr ). \end{aligned}$$
Average conditional min-entropy is a measure of the worst-case predictability of a random variable given a correlated random variable.
Lemma 1
[9] Let \(f:X\rightarrow \{0,1\}^{\lambda '}\) be a function on X. Then \(\tilde{\mathbf {H}}_{\infty }(X\,|\, f(X))\ge \mathbf {H}_{\infty }(X)-\lambda '\).
The following result is a variant of the Schwartz–Zippel Lemma [13, 28, 38].
Lemma 2
(Schwartz–Zippel; min-entropy version) Let \(\mathsf {F}\in \mathbb {Z}_{q}[\mathsf {X}_{1},\ldots ,\mathsf {X}_{n}]\) be a non-zero polynomial of (total) degree at most d. Let \(P_{i}\) \((i=1,\ldots ,n)\) be probability distributions on \(\mathbb {Z}_{q}\) such that \(\mathbf {H}_{\infty }(P_{i})\ge \log q-\lambda '\), where \(0\le \lambda '\le \log q\). If \(x_{i}\overset{P_{i}}{\leftarrow }\mathbb {Z}_{q}\) \((i=1,\ldots ,n)\) are independent, then \(\text {Pr}[\mathsf {F}(x_{1},\ldots ,x_{n})=0]\le {\displaystyle 2^{\lambda '}\frac{d}{q}}\).
Corollary 1
If \(\lambda '<\log q-\omega \left( \log \log q\right) \) in Lemma 2, then \(\text {Pr}[\mathsf {F}(x_{1},\ldots ,x_{n})=0]\) is negligible (in \(\log q\)).
Stateful key encapsulation mechanism
Formally, a split-state key encapsulation mechanism \(\mathsf {KEM}=(\mathsf {KG},\mathsf {Enc},\mathsf {Dec1},\mathsf {Dec2})\) consists of four polynomial time algorithms. Let \(\kappa \) denote the security parameter and \(\lambda \) denote the leakage parameter. The key generation procedure \(\mathsf {KG}\left( \kappa ,\lambda \right) \) takes as input \(\kappa \) and \(\lambda \), and outputs the public key pk, a pair of initial (stateful) secret states \(\left( \sigma _{0},\sigma '_{0}\right) \), and the public parameters \(\mathbb {PP}\). The encapsulation procedure \(\mathsf {Enc}(pk)\) takes as input pk, and outputs a secret symmetric key K and the corresponding ciphertext C. The stateful decapsulation procedure takes C as an input and outputs \(K\in \mathcal {K}\). This procedure is split into two consecutive steps \(\mathsf {Dec1}\) and \(\mathsf {Dec2}\), where each step accesses distinct parts of the two secret states. The procedures \(\mathsf {Dec1}\) and \(\mathsf {Dec2}\) may also update the secret key using locally generated fresh randomness:
$$\begin{aligned} (\sigma _{i},w_{i})\overset{r_{i}}{\leftarrow }\mathsf {Dec1}(\sigma _{i-\text {1}},C)\;;\;(\sigma '_{i},K)\overset{r'_{i}}{\leftarrow }\mathsf {Dec2}(\sigma '_{i-\text {1}},w_{i}). \end{aligned}$$
The scheme \(\mathsf {KEM}\) is required to satisfy the following correctness property:
$$\begin{aligned}&\text {Pr}\left[ \mathsf {Dec2}\left( \mathsf {Dec1}\left( \mathsf {Enc}\left( pk\right) ,\sigma _{i-1}\right) \backslash \sigma _{i},\;\sigma '_{i-1}\right) =K :\right. \\&\quad \left. \big (\,pk,\left( \sigma _{i-1},\sigma '_{i-1}\right) \big )\leftarrow \left( \mathsf {KG},\mathsf {Dec1},\mathsf {Dec2}\right) \right. \!, \\&\quad \left. K\leftarrow \mathsf {Enc}\left( pk\right) \right] = 1. \end{aligned}$$
The security of the scheme \(\mathsf {KEM}\) is defined by the experiment in Table 1.
Table 1 CCmLA1 security experiment for KEM
In this experiment, \(f_{i}(\sigma _{i-1},r_{i})\) and \(h_{i}(\sigma '_{i-1},r'_{i},w_{i})\) are (efficiently computable) leakage functions that the adversary can choose adaptively between the rounds. The functions \(f_{i}(\cdot )\) and \(h_{i}(\cdot )\) are such that the min-entropy of the individual inputs of the leakage functions is decreased by at most \(\lambda \) bits, given the corresponding leakages. More precisely, the requirement on the leakage functions is that
$$\begin{aligned} \tilde{\mathbf {H}}_{\infty }\left( \mathfrak {t} \left| \right. f_{i}(\sigma _{i-1},r_{i}) \right) \ge \mathbf {H}_{\infty }\left( \mathfrak {t} \right) - \lambda \quad \forall \mathfrak {t} \; \in \;\sigma _{i-1} \cup r_{i}, \end{aligned}$$
and
$$\begin{aligned} \tilde{\mathbf {H}}_{\infty }\left( \mathfrak {t} \left| \right. h_{i}(\sigma '_{i-1},r'_{i},w_{i}) \right) \!\ge \! {\mathbf {H}}_{\infty }\left( \mathfrak {t} \right) \!-\! \lambda \quad \forall \mathfrak {t} \;\in \; \sigma '_{i-1} \!\cup \!r'_{i} \!\cup \!w_{i}. \end{aligned}$$
Essentially, the above equations restrict the class of allowed leakage functions to those that do not decrease the min-entropy of each atomic parameter of the secret state by more than \(\lambda \) bits. For instance, if \(w_i = \left\{ w_{i,1},w_{i,2} \right\} \), then we require that individually \(w_{i,1}\) and \(w_{i,2}\) have their min-entropy reduced by at most \(\lambda \) bits given the leakages.
Definition 1
(CCmLA1 security for KEM) A key encapsulation mechanism \(\mathsf {KEM}\) is secure under non-adaptive chosen-ciphertext attacks in the presence of continual split-state leakage (CCmLA1), with min-entropy leakage bound \(\lambda \), if \(\Pr \,[b'=b]\) is at most negligibly greater than \(\frac{1}{2}\) in the Experiment \(\mathrm {KEM}\)-\(\mathrm {CCmLA1}_{\mathsf {KEM}}(\mathcal {A},\kappa ,\lambda )\) for any efficient adversary \(\mathcal {A}\).
Note that if, in the above definition, we forced the leakage functions to have output length at most \(\lambda \) bits, we would obtain the CCLA1 security for KEM as defined in [18]. From Lemma 1, the conditional min-entropy of a random variable, given a leakage output of at most \(\lambda \) bits, cannot decrease by more than \(\lambda \) bits. Hence, if a KEM is CCLA1 secure, then it is also CCmLA1 secure.
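The two min-entropy definitions, the Lemma 1 bound and the per-input admissibility condition of the CCmLA1 model, as an added Python illustration that is not code from the paper. The distribution `X3` and the leakage functions `low_bit`, `long_tag` and `identity` are constructed here; `long_tag` shows the point made above, since its output is far longer than \(\lambda = 1\) bit (so the bounded-length model excludes it) while it lowers the min-entropy of X by exactly one bit.

```python
from math import log2

def min_entropy(px):
    """H_inf(X) = -log2(max_x Pr[X=x]); px maps each outcome to its probability."""
    return -log2(max(px.values()))

def cond_min_entropy(px, f):
    """Average conditional min-entropy H~_inf(X | f(X)).
    With Z = f(X): E_z[max_x Pr[X=x | Z=z]] = sum_z max_{x: f(x)=z} Pr[X=x]."""
    best = {}
    for x, p in px.items():
        z = f(x)
        best[z] = max(best.get(z, 0.0), p)
    return -log2(sum(best.values()))

def entropy_drop(px, f):
    """Bits of min-entropy lost about X once f(X) is observed."""
    return min_entropy(px) - cond_min_entropy(px, f)

def admissible(px, f, lam):
    """Leakage-model condition: H~_inf(X | f(X)) >= H_inf(X) - lam (float-tolerant)."""
    return entropy_drop(px, f) <= lam + 1e-9

# Constructed sample input: X uniform over the 3-bit values 0..7, so H_inf(X) = 3.
X3 = {x: 1 / 8 for x in range(8)}
low_bit = lambda x: x & 1                      # 1-bit output: Lemma 1 with lambda' = 1
long_tag = lambda x: format(x & 1, '0256b')    # 256-bit output that depends only on the low bit
identity = lambda x: x                         # reveals X entirely
```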
Bilinear groups
Let \(\mathsf {BGen'}(\kappa ,\lambda )\) be a probabilistic bilinear group generator that outputs \((\mathbb {G},\mathbb {G}_{T},q,e',g)\) such that:
1. \(\mathbb {G}=\langle g\rangle \) and \(\mathbb {G}_{T}\) are (multiplicatively written) cyclic groups of prime order q with binary operations \(\cdot \) and \(\star \), respectively. The size of q is \(\kappa \) bits.
2. \(e':\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) is a map that is:
   (a) bilinear: \(\forall u,v\in \mathbb {G}\) and \(\forall a,b\in \mathbb {Z}\), \(e'(u^{a},v^{b})=e'(u,v)^{ab}\).
   (b) non-degenerate: \(e'(g,g)\ne 1\).
Such a group \(\mathbb {G}\) is said to be a bilinear group if the above properties hold and the group operations in \(\mathbb {G}\) and \(\mathbb {G}_{T}\), and the map \(e'\), are efficiently computable. The group \(\mathbb {G}\) is called the base group and \(\mathbb {G}_{T}\) the target group.
Generic bilinear group model
The generic bilinear group (GBG) model [6] is an extension of the generic group model [31]. The encodings of the elements of \(\mathbb {G}\) and \(\mathbb {G}_{T}\) are given by random bijective maps \(\xi :\mathbb {Z}_{q}\rightarrow \varXi \) and \(\xi _{T}:\mathbb {Z}_{q}\rightarrow \varXi _{T}\), respectively, where \(\varXi \) and \(\varXi _{T}\) are sets of bit-strings. The group operations in \(\mathbb {G}\) and \(\mathbb {G}_{T}\), and evaluation of the bilinear map e are performed by three public oracles \(\mathcal {O}\), \(\mathcal {O}_{T}\) and \(\mathcal {O}_{e}\), respectively, defined as follows. For all \(a,b\in \mathbb {Z}_{q}\)
- \(\mathcal {O}(\xi (a),\xi (b)):=\xi (a+b\,\text {mod}\, q)\)
- \(\mathcal {O}_{T}(\xi _{T}(a),\xi _{T}(b)):=\xi _{T}(a+b\,\text {mod}\, q)\)
- \(\mathcal {O}_{e}(\xi (a),\xi (b)):=\xi _{T}(ab\,\text {mod}\, q)\)
We assume that the (fixed) generator g of \(\mathbb {G}\) satisfies \(g=\xi (1)\), and also the (fixed) generator \(g_{T}\) of \(\mathbb {G}_{T}\) satisfies \(g_{T}=e(g,g)=\xi _{T}(1)\). The encoding of g is provided to all users of the group oracles. The users can thus efficiently sample random elements in both \(\mathbb {G}\) and \(\mathbb {G}_{T}\).
We further assume that \(\varXi \cap \varXi _{T}=\phi \), \(|\varXi |=|\varXi _{T}|=q\), and that the elements of \(\varXi \) and \(\varXi _{T}\) are efficiently recognizable. For instance, the encodings in \(\varXi \) can consist of the binary representations of the set \(\{0,1,\ldots ,q-1\}\), where every string begins with ‘0’ and all are of uniform length. The encodings in \(\varXi _{T}\) are defined similarly but instead begin with ‘1’. Since the encodings are efficiently recognizable, a query to a group oracle with an invalid encoding can be detected and an error raised. For simplicity, we assume that the users’ queries to the oracles are all valid.
Bilinear ElGamal KEM
The scheme \(\mathsf {BEG}=\bigl (\mathsf {KG}_{\mathsf {BEG}}\), \(\mathsf {Enc}_{\mathsf {BEG}}\), \(\mathsf {Dec}1_{\mathsf {BEG}}\), \(\mathsf {Dec}2_{\mathsf {BEG}}\bigr )\) is as follows:
1. \(\mathsf {KG}_{\mathsf {BEG}}(\kappa )\): Compute \(\mathbb {PP}{=}\left( \mathbb {G},\mathbb {G}_{T},e',q,g\right) \leftarrow \mathsf {BGen'}(\kappa ,\lambda )\) and randomly choose \(x,t_{0}\overset{\$}{\leftarrow }\mathbb {F}_{q}\). Set \(X=g^{x}\), \(\sigma _{0}=g^{t_{0}}\), \(\sigma '_{0}=g^{x-t_{0}}\), and \(X_{T}=e'\left( g,g\right) ^{x}\). Return \(\left( pk,sk_{0}\right) \), where
   (a) the public key is \(pk{=}\left( \mathbb {PP},X_{T}\right) \).
   (b) the secret state is \(sk_{0}=\left( \sigma _{0},\sigma '_{0}\right) \in \mathbb {G\times G}\).
2. \(\mathsf {Enc}_{\mathsf {BEG}}(pk)\): Choose a random \(r\overset{\$}{\leftarrow }\mathbb {F}_{q}\). Compute the ciphertext \(C=g^{r}\), and the derived key \(K=X_{T}^{r}\). Return (C, K).
3. \(\mathsf {Dec}1_{\mathsf {BEG}}(\sigma _{i-1},C)\): Choose a random \(t_{i}\overset{\$}{\leftarrow }\mathbb {F}_{q}\), set \(\sigma _{i}=\sigma _{i-1}\cdot g^{t_{i}}\), \(Y_{i}=e'\left( \sigma _{i},C\right) \). Return \(\left( t_{i},Y_{i}\right) \).
4. \(\mathsf {Dec}2_{\mathsf {BEG}}(\sigma '_{i-1},\left( t_{i},Y_{i}\right) ,C)\): Set \(\sigma '_{i}=\sigma '_{i-1}\cdot g^{-t_{i}}\), and \(Y'_{i} = e'\left( \sigma '_{i},C\right) \). Compute the derived key \(K=Y_{i}\cdot Y'_{i}\in \mathbb {G}_{T}\). Return K.
The correctness of the scheme follows from the fact that \(\sigma _{i}\cdot \sigma '_{i}=X\) \(\forall i\ge 0\) and from the bilinearity of \(e'\).
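The scheme above, executed over the three generic bilinear group oracles of the previous subsection, as an added Python illustration that is not code from the paper. It assumes a small constructed prime q = 1009 in place of a \(\kappa \)-bit prime, builds the random encodings \(\xi \) and \(\xi _{T}\) with the ‘0’/‘1’ prefix convention described above, and routes every group operation through \(\mathcal {O}\), \(\mathcal {O}_{T}\) and \(\mathcal {O}_{e}\), so the check that the two refreshed shares always multiply to \(X\) and that \(\mathsf {Dec}2\) recovers the encapsulated key is carried out over several rounds.

```python
import random
class GBG:   # generic bilinear group: oracles O, O_T, O_e over random encodings xi, xi_T of Z_q
    def __init__(self, q, rng):
        self.q, w = q, q.bit_length()
        pa, pt = rng.sample(range(q), q), rng.sample(range(q), q)   # random bijections
        # Encodings of G start with '0', those of G_T with '1'; all of uniform length.
        self.xi = {a: '0' + format(pa[a], f'0{w}b') for a in range(q)}
        self.xi_t = {a: '1' + format(pt[a], f'0{w}b') for a in range(q)}
        self.dec = {s: a for d in (self.xi, self.xi_t) for a, s in d.items()}  # disjoint sets
        self.g = self.xi[1]                              # g = xi(1); g_T = e(g,g) = xi_T(1)
    def O(self, u, v):   return self.xi[(self.dec[u] + self.dec[v]) % self.q]
    def O_T(self, u, v): return self.xi_t[(self.dec[u] + self.dec[v]) % self.q]
    def O_e(self, u, v): return self.xi_t[(self.dec[u] * self.dec[v]) % self.q]
    def pow(self, op, base, n):   # base^n by square-and-multiply through one oracle only
        acc, n = (self.xi if op == self.O else self.xi_t)[0], n % self.q
        while n:
            if n & 1: acc = op(acc, base)
            base, n = op(base, base), n >> 1
        return acc

def KG(G, rng):
    x, t0 = rng.randrange(G.q), rng.randrange(G.q)
    X_T = G.pow(G.O_T, G.O_e(G.g, G.g), x)                        # X_T = e'(g,g)^x
    sk0 = (G.pow(G.O, G.g, t0), G.pow(G.O, G.g, x - t0))           # sigma_0 * sigma'_0 = g^x
    return X_T, sk0, G.pow(G.O, G.g, x)                            # X returned only for the check

def Enc(G, X_T, rng):
    r = rng.randrange(G.q)
    return G.pow(G.O, G.g, r), G.pow(G.O_T, X_T, r)                # (C, K) = (g^r, X_T^r)

def Dec1(G, sigma, C, rng):
    t = rng.randrange(G.q)                                         # fresh local randomness t_i
    sigma_i = G.O(sigma, G.pow(G.O, G.g, t))                        # sigma_i = sigma_{i-1} * g^{t_i}
    return sigma_i, (t, G.O_e(sigma_i, C))                         # w_i = (t_i, Y_i = e'(sigma_i, C))

def Dec2(G, sigma_p, w, C):
    sigma_p_i = G.O(sigma_p, G.pow(G.O, G.g, -w[0]))                # sigma'_i = sigma'_{i-1} * g^{-t_i}
    return sigma_p_i, G.O_T(w[1], G.O_e(sigma_p_i, C))              # K = Y_i * Y'_i in G_T

def run_rounds(n, seed=1):
    """n Enc/Dec1/Dec2 rounds; returns (every K agreed, sigma_i * sigma'_i == X held every round)."""
    rng = random.Random(seed); G = GBG(1009, rng)                   # constructed toy prime q
    X_T, (s, sp), X = KG(G, rng)
    keys_ok = inv_ok = True
    for _ in range(n):
        C, K = Enc(G, X_T, rng)
        s, w = Dec1(G, s, C, rng)
        sp, K2 = Dec2(G, sp, w, C)
        keys_ok &= K == K2; inv_ok &= G.O(s, sp) == X
    return keys_ok, inv_ok
```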
Theorem 1
[18, Theorem 1] The scheme \(\mathsf {BEG}\) (also called BEG-KEM) is CCLA1 secure in the generic bilinear group model. The advantage of an s-query adversary who gets at most \(\lambda \) bits of leakage per invocation of \(\mathsf {Dec}1_{\mathsf {BEG}}\) or \(\mathsf {Dec}2_{\mathsf {BEG}}\) is at most \(\frac{s^{3}}{q}2^{2\lambda +1}\).