Topics in Cryptology – CT-RSA 2019: The Cryptographers' Track at the RSA Conference 2019, San Francisco, CA, USA, March 4–8, 2019, Proceedings (Mitsuru Matsui, ed.)

The document contains the proceedings of the Cryptographers' Track at the RSA Conference 2019, held in San Francisco from March 4-8, 2019. It includes 28 selected papers from 75 submissions, showcasing current research in cryptography. The volume is edited by Mitsuru Matsui and serves as a significant publication venue for cryptographic research.


Mitsuru Matsui (Ed.)
LNCS 11405

Topics in Cryptology –
CT-RSA 2019
The Cryptographers' Track at the RSA Conference 2019
San Francisco, CA, USA, March 4–8, 2019
Proceedings

Lecture Notes in Computer Science 11405
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
More information about this series at http://www.springer.com/series/7410
Editor
Mitsuru Matsui
Mitsubishi Electric Corporation
Kamakura, Japan

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-030-12611-7 ISBN 978-3-030-12612-4 (eBook)
https://doi.org/10.1007/978-3-030-12612-4

Library of Congress Control Number: 2019930584

LNCS Sublibrary: SL4 – Security and Cryptology

© Springer Nature Switzerland AG 2019


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

The RSA conference has been a major international event for information security experts since its inception in 1991. It is an annual event that attracts several hundred vendors and over 40,000 participants from industry, government, and academia. Since 2001, the RSA conference has included the Cryptographer's Track (CT-RSA), which provides a forum for current research in cryptography. CT-RSA has become a major publication venue for cryptographers.
This volume represents the proceedings of the 2019 RSA Conference Cryptographer's Track, which was held in San Francisco, California, during March 4–8, 2019.
A total of 75 submissions were received for review, of which 28 papers were selected
for presentation and publication. As chair of the Program Committee, I would like to
deeply thank all the authors who contributed the results of their innovative research.
My appreciation also goes to all the members of the Program Committee and their
designated external reviewers who carefully read and reviewed these submissions. The
selection process was a difficult task since each contribution had its own merits. At
least three reviewers were assigned to each submission (four if the work included a
Program Committee member as an author), and the selection process was carried out
with great professionalism and transparency.
The submission process as well as the review process and the editing of the final
proceedings were greatly simplified by the software written by Shai Halevi. I would
like to thank him for his kind support throughout the entire process. In addition to the
contributed talks, the program included a panel discussion moderated by Bart Preneel
on “Cryptography and AI.”

March 2019
Mitsuru Matsui


CT-RSA 2019

RSA Conference Cryptographer’s Track 2019

Moscone Center, San Francisco, California, USA


March 4–8, 2019

Program Chair
Mitsuru Matsui Mitsubishi Electric Corporation, Japan

Program Committee
Josh Benaloh Microsoft Research, USA
Alex Biryukov University of Luxembourg, Luxembourg
Alexandra Boldyreva Georgia Institute of Technology, USA
Joppe Bos NXP, Belgium
David Cash University of Chicago, USA
Jung Hee Cheon Seoul National University, South Korea
Jean-Sébastien Coron University of Luxembourg, Luxembourg
Henri Gilbert ANSSI, France
Helena Handschuh Rambus Cryptography Research, USA
Tibor Jager Paderborn University, Germany
Stanislaw Jarecki University of California at Irvine, USA
Marc Joye OneSpan, Belgium
Florian Kerschbaum University of Waterloo, Canada
Xuejia Lai Shanghai Jiao Tong University, China
Tancrède Lepoint SRI International, USA
Michael Naehrig Microsoft Research, USA
Miyako Ohkubo NICT, Japan
Elisabeth Oswald University of Bristol, UK
Léo Perrin Inria, France
David Pointcheval CNRS and Ecole Normale Supérieure, France
Bart Preneel KU Leuven and iMinds, Belgium
Reihaneh Safavi-Naini University of Calgary, Canada
Kazue Sako NEC, Japan
Peter Scholl Aarhus University, Denmark
Nigel Smart KU Leuven, Belgium and University of Bristol, UK
François-Xavier Standaert Université Catholique de Louvain, Belgium
Takeshi Sugawara The University of Electro-Communications, Japan
Mehdi Tibouchi NTT Corporation, Japan
Huaxiong Wang Nanyang Technological University, Singapore

Additional Reviewers

Masayuki Abe, Mamun Akand, James Bartusek, Carsten Baum, Pascal Bemmann, Ritam Bhaumik, Jan Bobolz, Jie Chen, Hang Cheng, Wonhee Cho, Peter Chvojka, Jan Pieter Denvers, Keita Emura, Prastudy Fauzi, Kai Gellert, Benedikt Gierlichs, Johann Großschädl, Cyprien Delpech de Saint Guilhem, Chun Guo, Mike Hamburg, Kyoohyung Han, Minki Hhan, Viet Tung Hoang, Seungwan Hong, James Howe, Jingwei Hu, Takanori Isobe, Toshiyuki Isshiki, Jeremy Jean, Jinhyuck Jeong, Shaoquan Jiang, Zhang Juanyang, Saqib Kakvi, Sabyasachi Karati, Andrey Kim, Dongwoo Kim, Duhyeong Kim, Jaeyun Kim, Jiseung Kim, Rafael Kurek, Virginie Lallemand, Joohee Lee, Keewoo Lee, Yang Li, Benoît Libert, Fuchun Lin, Tingting Lin, Ximeng Liu, Yunwen Liu, Yiyuan Luo, Fermi Ma, Mark Marson, Marco Martinoli, Alexander May, Rui Meng, Rebekah Mercer, Yusuke Naito, Sanami Nakagawa, Khoa Nguyen, David Niehues, Ventzi Nikov, Ryo Nishimaki, Sabine Oechsner, Kazuma Ohara, Jiaxin Pan, Louiza Papachristodoulou, Romain Poussier, Emmanuel Prouff, Matt Robshaw, Dragos Rotaru, Vladimir Rozic, Yusuke Sakai, Luan Cardoso dos Santos, Tobias Schneider, André Schrottenloher, Peter Schwabe, Jae Hong Seo, Yongha Son, Koutarou Suzuki, Hiroto Tamiya, Hikaru Tsuchida, Mike Tunstall, Aleksei Udovenko, Rei Ueno, Fre Vercauteren, Giuseppe Vitto, Hendrik Waldner, Qingju Wang, Carolyn Whitnall, Keita Xagawa, Hailun Yan, Donggeon Yhee, Kazuki Yoneyama, Liang Feng Zhang
Contents

Structure-Preserving Certificateless Encryption and Its Application, p. 1
Tao Zhang, Huangting Wu, and Sherman S. M. Chow

Public Key Encryption Resilient to Post-challenge Leakage and Tampering Attacks, p. 23
Suvradip Chakraborty and C. Pandu Rangan

Downgradable Identity-Based Encryption and Applications, p. 44
Olivier Blazy, Paul Germouty, and Duong Hieu Phan

Large Universe Subset Predicate Encryption Based on Static Assumption (Without Random Oracle), p. 62
Sanjit Chatterjee and Sayantan Mukherjee

An Improved RNS Variant of the BFV Homomorphic Encryption Scheme, p. 83
Shai Halevi, Yuriy Polyakov, and Victor Shoup

New Techniques for Multi-value Input Homomorphic Evaluation and Applications, p. 106
Sergiu Carpov, Malika Izabachène, and Victor Mollimard

Efficient Function-Hiding Functional Encryption: From Inner-Products to Orthogonality, p. 127
Manuel Barbosa, Dario Catalano, Azam Soleimanian, and Bogdan Warinschi

Robust Encryption, Extended, p. 149
Rémi Géraud, David Naccache, and Răzvan Roşie

Tight Reductions for Diffie-Hellman Variants in the Algebraic Group Model, p. 169
Taiga Mizuide, Atsushi Takayasu, and Tsuyoshi Takagi

Doubly Half-Injective PRGs for Incompressible White-Box Cryptography, p. 189
Estuardo Alpirez Bock, Alessandro Amadori, Joppe W. Bos, Chris Brzuska, and Wil Michiels

Error Detection in Monotone Span Programs with Application to Communication-Efficient Multi-party Computation, p. 210
Nigel P. Smart and Tim Wood

Lossy Trapdoor Permutations with Improved Lossiness, p. 230
Benedikt Auerbach, Eike Kiltz, Bertram Poettering, and Stefan Schoenen

Post-quantum EPID Signatures from Symmetric Primitives, p. 251
Dan Boneh, Saba Eskandarian, and Ben Fisch

Assessment of the Key-Reuse Resilience of NewHope, p. 272
Aurélie Bauer, Henri Gilbert, Guénaël Renault, and Mélissa Rossi

Universal Forgery and Multiple Forgeries of MergeMAC and Generalized Constructions, p. 293
Tetsu Iwata, Virginie Lallemand, Gregor Leander, and Yu Sasaki

Linking Stam's Bounds with Generalized Truncation, p. 313
Bart Mennink

Poly-Logarithmic Side Channel Rank Estimation via Exponential Sampling, p. 330
Liron David and Avishai Wool

Efficient Fully-Leakage Resilient One-More Signature Schemes, p. 350
Antonio Faonio

MILP-Based Differential Attack on Round-Reduced GIFT, p. 372
Baoyu Zhu, Xiaoyang Dong, and Hongbo Yu

Quantum Chosen-Ciphertext Attacks Against Feistel Ciphers, p. 391
Gembu Ito, Akinori Hosoyamada, Ryutaroh Matsumoto, Yu Sasaki, and Tetsu Iwata

Automatic Search for a Variant of Division Property Using Three Subsets, p. 412
Kai Hu and Meiqin Wang

Constructing TI-Friendly Substitution Boxes Using Shift-Invariant Permutations, p. 433
Si Gao, Arnab Roy, and Elisabeth Oswald

Fast Secure Comparison for Medium-Sized Integers and Its Application in Binarized Neural Networks, p. 453
Mark Abspoel, Niek J. Bouman, Berry Schoenmakers, and Niels de Vreede

EPIC: Efficient Private Image Classification (or: Learning from the Masters), p. 473
Eleftheria Makri, Dragos Rotaru, Nigel P. Smart, and Frederik Vercauteren

Context Hiding Multi-key Linearly Homomorphic Authenticators, p. 493
Lucas Schabhüser, Denis Butin, and Johannes Buchmann

Revisiting the Secret Hiding Assumption Used in Verifiable (Outsourced) Computation, p. 514
Liang Zhao

Delegatable Anonymous Credentials from Mercurial Signatures, p. 535
Elizabeth C. Crites and Anna Lysyanskaya

Accountable Tracing Signatures from Lattices, p. 556
San Ling, Khoa Nguyen, Huaxiong Wang, and Yanhong Xu

Author Index, p. 577

Structure-Preserving Certificateless
Encryption and Its Application

Tao Zhang, Huangting Wu, and Sherman S. M. Chow

Department of Information Engineering, The Chinese University of Hong Kong, Shatin, New Territories, Hong Kong

Abstract. Certificateless encryption (CLE) combines the advantages of public-key encryption (PKE) and identity-based encryption (IBE) by
removing the certificate management of PKE and the key escrow problem
of IBE. In this paper, we propose structure-preserving CLE schemes.
Structure preservation enables efficient non-interactive proof of certain
ciphertext properties, thus supporting efficient modular constructions of
advanced cryptographic protocols with a simple design.
As an illustration, we propose a structure-preserving group signature
scheme with certified limited (CL) opening from structure-preserving
CLE. CL opening allows a master certifier to certify openers. The opener
who is the designated one for a group signature can open it (i.e., revoke
its anonymity). Neither the certifier nor any non-designated openers can
perform the opening. The structure-preserving property of our scheme
can also hide who is the designated opener among a list of possibilities.

Keywords: Structure-preserving cryptography · Certificateless encryption

1 Introduction
Structure-preserving cryptography is a promising paradigm which enables modular designs of advanced cryptographic protocols, due to its compatibility with efficient non-interactive zero-knowledge proofs over the same structure, such as Groth-Sahai proofs [21]. Abe et al. [3] constructed structure-preserving signature (SPS) schemes which sign a vector of group elements. They also used SPS to design concurrently-secure group signatures, among other applications. Camenisch et al. [10] proposed the first CCA-secure structure-preserving encryption (SPE) scheme. Specifically, the integrity check before the final step of their decryption algorithm does not hash the ciphertext; such a hash is often required in other CCA-secure schemes, and its presence may hinder compatibility with Groth-Sahai proofs. SPE found applications in joint computation on ciphertexts [10].

S. S. M. Chow—Supported by General Research Funds (CUHK 14210217) of the Research Grants Council, Hong Kong.
https://doi.org/10.1007/978-3-030-12612-4_1
Many studies have been carried out on basic primitives which are structure-preserving; yet, despite the numerous applications of identity-based encryption (IBE), (fully) structure-preserving IBE (SP-IBE) has never been studied. SP-IBE requires the public parameters, the plaintext, the ciphertext, and the user identity to consist of only group elements. The user identity is of particular interest. For existing pairing-based IBE schemes, the user identity ID is not a group element, but consists of integers or bits. Usually, these schemes hash ID to a group element or to an exponent, which destroys the original structure of the identity. A notable exception is proposed by Libert and Joye [25], where everything except the user identity consists of only group elements. Such a scheme found applications in group signatures with message-dependent opening.
It is well known that any IBE construction implies an implicit signature scheme. One may wonder if any of the existing SPS schemes feature a signature which can be used as a decryption key for a certain SP-IBE scheme. In other words, any valid signature could recover the ephemeral session key in the SP-IBE scheme by pairing the signature (as a user decryption key) with the ciphertext. However, to the best of the authors' knowledge, existing SPS signatures cannot be used for this purpose. The reason is that the verification equation requires the computation of a pairing term where both of its inputs come from the signature. From another perspective, if one is going to generate a ciphertext such that it is decryptable by such a decryption key, the pairing will involve an unknown term, since the decryption key is unknown to the encryptor. In this paper, towards enriching the class of structure-preserving cryptographic schemes, we move our focus to structure-preserving certificateless encryption (SP-CLE).
Certificateless encryption (CLE), introduced by Al-Riyami and Paterson [5], strikes a balance between IBE and public-key encryption (PKE). In traditional PKE, an encryptor needs to verify a certificate which ensures that a given public key belongs to the recipient. This requires a public-key infrastructure to support the storage and distribution of the certificates, and the sender also needs to verify the certificate before encrypting. To overcome this weakness of PKE, IBE provides another solution in which every identity string can be mapped to a public key via a publicly computable function. The corresponding private decryption key can only be generated by the key generation center (KGC). This kind of key escrow is inherent and introduces serious security concerns. CLE removes key escrow by requiring both the partial decryption key from the KGC and a user secret for decryption. Yet, unlike PKE, CLE does not need any infrastructure to authenticate users' public keys. Instead, implicit certification is ensured by the KGC, since decryption would be impossible without the partial decryption key.
In the CLE formulation of Al-Riyami and Paterson [5], a user can compute and release its user public key before it obtains its partial decryption key from the KGC. Such a formulation implies the existence of both PKE and IBE [18]. Indeed, CLE can be constructed generically from IBE and PKE. Baek, Safavi-Naini, and Susilo [6] formulated an alternative CLE notion in which a user must obtain its partial decryption key from the KGC before it can compute its user public key. Such a formulation no longer implies IBE. Consequently, Baek et al. constructed CLE from Schnorr signatures and ElGamal PKE. This gives us hope of designing SP-CLE without first designing SP-IBE.
Another distinctive feature of CLE is its security under strong decryption [5]. A strong decryption oracle provides correct decryptions even when the public key of a user has been replaced by the adversary, without requiring the adversary to surrender the decryption key corresponding to the replaced public key. This level of security has important applications in complete non-malleability [7,14]. Many CLE schemes, under either formulation [5,6], rely on the random oracle to simulate the strong decryption oracle. Dent et al. [19] proposed the first CLE scheme featuring strong decryption in the standard model. Yet, Groth-Sahai proofs cannot prove the well-formedness of its ciphertexts due to the presence of a hash.

Our Contribution. We propose the first SP-CLE schemes over groups with a bilinear map e : G × H → G_T. We first present a construction encrypting plaintexts in G_T which is secure against chosen-plaintext attacks (CPA). Then, we extend it to support a message space of G (or H). Finally, we show how to extend it for security against replayable chosen-ciphertext attacks (RCCA). Our proofs do not rely on random oracles; yet, they are carried out in the generic group model. To illustrate the application of SP-CLE, we then build a (partially) structure-preserving group signature scheme with certified limited (CL) opening from our SP-CLE. We defer the relevant introduction and motivation to Sect. 5.

2 Preliminaries
2.1 Bilinear Group
For a bilinear group context G = (G, H, G_T, e, p, g, h), G, H, and G_T are groups of prime order p, where g and h are random generators of G and H respectively. A bilinear map e : G × H → G_T is a non-trivial and efficiently computable pairing function such that, for all u ∈ G, v ∈ H, a, b ∈ Z, $e(u^a, v^b) = e(u, v)^{ab}$. In Type-I groups, G = H. For Type II, there exists an efficient mapping from G to H but not the other way around. For Type III, there exists no efficient mapping between G and H. This paper uses Type-III groups, which are the most efficient.

2.2 Groth-Sahai Proof System


Groth and Sahai [21] proposed several instantiations of efficient NIZK proofs of knowledge for statements about group elements satisfying a pairing product equation. Their proof system (called Groth-Sahai proof hereinafter) consists of four algorithms GS = (Setup, Prove, Verify, Extract). Setup(1^λ) generates the common reference string crs and the extraction key ek. Prove() takes in a witness and a statement to generate a proof of the statement w.r.t. the witness. We use the notation PoK to refer to a proof. Verify() outputs 1 on a valid proof.
GS uses a commitment scheme (Commit() with commitment key ck) as a building block, committing the witness to prepare for an NIZK proof of knowledge. The remaining algorithm Extract() extracts the hidden element from a proof with the extraction key ek. The commitment key ck is publicly accessible, and the extraction key ek is only accessible to a knowledge extractor.

2.3 Structure-Preserving Signature

A signature scheme is a tuple of four algorithms (Setup, KeyGen, Sign, Verify). It is structure preserving [3] if the verification key, the messages, and the signatures consist of only group elements, and the verification algorithm only evaluates pairing product equations of the form $\prod_i \prod_j e(G_i, H_j)^{a_{ij}} = 1_{G_T}$, where G_i ∈ G and H_j ∈ H are group elements forming the verification key, the message(s), and the public parameters, a_{ij} ∈ Z_p are constants, and the element 1_{G_T} is the identity element of G_T. An SPS is existentially unforgeable under chosen-message attack (EUF-CMA) if no probabilistic polynomial-time (PPT) adversary can output a valid forgery (M, σ), given the public parameters param, the verification key vk, and a signing oracle for adversarially chosen messages, provided M is never queried. If the signing oracle can only be queried once, the scheme is called one-time secure.

3 Definitions of Certificateless Encryption


We follow Baek et al.'s formulation [6,31], where the user public key can only be generated after the user has interacted with the KGC. We add one algorithm SetUserSec(), which is executed by a user, and include a partial user public key ppk as part of the input of Issue, an algorithm executed by the KGC for the user. These changes have been discussed in the seminal work [5]. A benefit is that the CLE scheme can reach trust level 3, as named by Girault [20], like a traditional PKI. The CLE definition in this paper consists of seven algorithms (Setup, MKeyGen, SetUserSec, Issue, UKeyGen, Enc, Dec):

– Setup(1^λ) → param. This algorithm takes in a security parameter 1^λ and outputs the parameter param. We assume param is an implicit input to all other algorithms.
– MKeyGen() → (mpk, msk). The KGC runs this algorithm. It generates the master public-private key pair. The KGC publishes the master public key mpk and keeps the master secret key msk in private.
– SetUserSec(mpk, ID) → (ppk, uk). A user takes as input the master public key mpk and its own identity ID, and outputs a partial user public key ppk and a user secret value uk.
– Issue(msk, mpk, ID, ppk) → psk. The KGC takes in the master public-private key pair, a user identity ID, and a user partial public key ppk to generate the user partial secret key psk for ID.
– UKeyGen(mpk, ppk, psk, uk) → (upk, usk). With respect to the master public key mpk and a partial public key ppk, the user uses its partial secret key psk and user secret value uk to generate the user public-private key pair (upk, usk). The user publishes the user public key upk and keeps the full private key usk in private.
– Enc(mpk, upk, ID, M) → C. This algorithm takes in the master public key mpk, the user public key upk, and an identity ID, to encrypt a plaintext M.
– Dec(mpk, upk, usk, C) → M. This deterministic algorithm takes in the master public key, the user public-private key pair, and a ciphertext to recover the plaintext M, or the error symbol ⊥ when C is invalid.

A CLE scheme is said to be correct if for any integer λ, param ← Setup(1^λ), (mpk, msk) ← MKeyGen(param), any string ID, (ppk, uk) ← SetUserSec(mpk, ID), psk ← Issue(msk, mpk, ID, ppk), (upk, usk) ← UKeyGen(mpk, ppk, psk, uk), any message M, and C ← Enc(mpk, upk, ID, M), we have M ← Dec(mpk, upk, usk, C).
A CLE scheme is said to be structure-preserving if the encryption and decryption algorithms only operate on group elements. In other words, all elements in mpk, upk, and usk, the identity ID, the message M to encrypt, and the ciphertext C to be produced, are all group elements. We call a CLE scheme partially structure-preserving if some elements in ID, M, or C are not group elements, e.g., ID in Libert and Joye [25] and M and C in our basic scheme.
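The seven-algorithm syntax and the correctness condition above, as an added example that is not the paper's construction: a toy Python instantiation in a Schnorr group, loosely in the spirit of the Schnorr-plus-ElGamal CLE of Baek et al. mentioned in the introduction. The group size, the Schnorr-style certification of (ID, ppk) by the KGC, the ElGamal encryption under the combined key, and the hash-to-exponent step are all my assumptions; that hash is precisely the non-structure-preserving step this paper's schemes avoid, and the final check shows that decryption needs both the KGC-issued partial key and the user secret.

```python
"""Toy CLE following the syntax (Setup, MKeyGen, SetUserSec, Issue, UKeyGen, Enc, Dec).
Assumed construction: Schnorr-style certification of (ID, ppk) + ElGamal; demo only."""
import secrets
from hashlib import sha256

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; probabilistic, which is fine for a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def Setup(bits: int = 64) -> dict:
    """param: safe prime P = 2q + 1 and g = 4 (a quadratic residue, so of order q).
    64-bit parameters are a demo-only assumption, far below any real security level."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return {"P": 2 * q + 1, "q": q, "g": 4}

def hash_to_Zq(q: int, *parts) -> int:
    """Hash (ID, ppk, R) to an exponent. This is exactly the hashing step that makes
    the toy scheme NOT structure-preserving: the identity leaves the group."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(sha256(data).digest(), "big") % q

def MKeyGen(param):
    """KGC master key pair: mpk = g^msk."""
    msk = secrets.randbelow(param["q"] - 1) + 1
    return pow(param["g"], msk, param["P"]), msk

def SetUserSec(param, mpk, ID):
    """User secret uk = x and partial public key ppk = g^x (mpk, ID unused here)."""
    uk = secrets.randbelow(param["q"] - 1) + 1
    return pow(param["g"], uk, param["P"]), uk

def Issue(param, msk, mpk, ID, ppk):
    """KGC binds (ID, ppk) with a Schnorr-style signature; psk = (R, d), d = r + msk*c."""
    P, q, g = param["P"], param["q"], param["g"]
    r = secrets.randbelow(q - 1) + 1
    R = pow(g, r, P)
    c = hash_to_Zq(q, ID, ppk, R)
    return R, (r + msk * c) % q

def UKeyGen(param, mpk, ppk, psk, uk):
    """Full key pair: upk = (ppk, R) is published, usk = (uk, d) stays private."""
    R, d = psk
    return (ppk, R), (uk, d)

def certified_key(param, mpk, upk, ID):
    """Implicit certification: anyone recomputes g^(x + d) = ppk * R * mpk^c from public
    data, so a ciphertext is only decryptable with the KGC-issued d AND the user's x."""
    P, q = param["P"], param["q"]
    ppk, R = upk
    c = hash_to_Zq(q, ID, ppk, R)
    return (ppk * R * pow(mpk, c, P)) % P

def Enc(param, mpk, upk, ID, M):
    """ElGamal under the certified key; M must be an element of the order-q subgroup."""
    P, q, g = param["P"], param["q"], param["g"]
    k = secrets.randbelow(q - 1) + 1
    return pow(g, k, P), (M * pow(certified_key(param, mpk, upk, ID), k, P)) % P

def Dec(param, mpk, upk, usk, C):
    """Deterministic decryption; returns None (the paper's ⊥) for a malformed C1."""
    P, q = param["P"], param["q"]
    uk, d = usk
    C1, C2 = C
    if not (1 <= C1 < P and pow(C1, q, P) == 1):   # C1 must lie in the subgroup
        return None
    return (C2 * pow(pow(C1, uk + d, P), -1, P)) % P

def correctness_check(ID: str = "alice") -> bool:
    """Runs the full key lifecycle from the correctness definition above."""
    param = Setup()
    mpk, msk = MKeyGen(param)
    ppk, uk = SetUserSec(param, mpk, ID)
    psk = Issue(param, msk, mpk, ID, ppk)
    upk, usk = UKeyGen(param, mpk, ppk, psk, uk)
    M = pow(param["g"], secrets.randbelow(param["q"]), param["P"])   # constructed plaintext
    C = Enc(param, mpk, upk, ID, M)
    without_psk = Dec(param, mpk, upk, (uk, 0), C)   # user secret alone is not enough
    return Dec(param, mpk, upk, usk, C) == M and without_psk != M
```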
We consider two kinds of adversaries. A Type-I adversary A_I models malicious users who can replace the public key of a victim user with other “unauthenticated” public keys, since there is no certificate. A Type-II adversary A_II models an honest-but-curious KGC who can obtain partial decryption keys for the users, but cannot replace the user public key of any user. Obviously, these two types of adversaries cannot collude. We first describe the oracles available to A_I/A_II:

– Replace Public Key. The adversary submits ID and a user public key upk' to this oracle, which replaces the previous user public key of ID with upk'.
– Extract Partial Secret Key. The adversary submits an identity ID to this oracle. This oracle returns the partial secret key psk generated for ID.
– Extract Full Private Key. The adversary supplies an identity ID to this oracle. This oracle returns the full private key usk generated for ID.
– Strong Decrypt. The adversary supplies an identity ID and a ciphertext C. This oracle creates a full private key usk for ID if it was not previously generated, decrypts C with usk even if the upk of ID used in C has been replaced, and sends the plaintext to the adversary.
– Weak SV Decrypt. The adversary supplies an identity ID, a user secret uk', and a ciphertext C to this oracle. This oracle creates usk for ID with the real psk and uk', and decrypts C. The oracle returns the plaintext result.

Definition 1 (IND-CPA security against Type-I adversary). A CLE scheme is indistinguishable under chosen-plaintext attacks (IND-CPA secure) against a Type-I adversary if $\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{A}_I}$ is negligible.

Setup. The challenger C executes Setup() and publishes param.

Master Key Generation. C runs MKeyGen(), sends mpk to A_I, and keeps msk private.

Query Phase. The adversary A_I first makes registration queries for a polynomial number of identities {ID_i}_{i=1}^{q}. C runs psk_i ← Issue(msk, mpk, ID_i, ppk_i) and (upk_i, usk_i) ← UKeyGen(mpk, psk_i), and publishes upk_i for i ∈ [1, q]. Then, A_I can make Replace Public Key, Extract Partial Secret Key, and Extract Full Private Key queries on any registered identity, but A_I cannot request the partial or full private key of an identity ID after replacing its upk.

Challenge. A_I submits an identity ID* and two messages M_0, M_1 to C. C aborts this game if any of the following events happen.
– A_I made an Extract Full Private Key query on ID*.
– A_I made both a Replace Public Key query and an Extract Partial Secret Key query on ID*.

C then randomly picks b ←$ {0, 1} and gives C* = Enc(mpk, upk*, ID*, M_b) to A_I.

Guess. A_I receives C* and outputs a bit b′. If b′ = b, A_I wins the game. The advantage of A_I in this game is
$$\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{A}_I} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|.$$

Definition 2 (IND-CPA security against Type-II adversary). A CLE scheme is IND-CPA secure against a Type-II adversary if $\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{A}_{II}}$ defined below is negligible.

Setup. The challenger C executes Setup() and publishes param.

Master Key Generation. The challenger C runs the algorithm (mpk, msk) ← MKeyGen(param), publishes mpk, and sends msk to A_II.

Query Phase. A_II and C interact in the same way as in the experiment in Definition 1 except for the following differences. First, C sends psk to A_II. Second, A_II can create new psk_i for ID_i by itself. Third, A_II can only make Extract Full Private Key queries in this game.

Challenge and Guess. These two phases are the same as in the experiment in Definition 1. The advantage of A_II in this game is $\mathrm{Adv}^{\text{IND-CPA}}_{\mathcal{A}_{II}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

The indistinguishability under chosen-ciphertext attacks (IND-CCA security) games for SP-CLE against Strong Type-I and Strong Type-II adversaries are similar to the experiments in Definitions 1 and 2 respectively, except that in the Query Phase the adversaries can make Strong Decrypt and Weak SV Decrypt queries on ciphertexts of their choice except C*. The advantages of A_I and A_II in the IND-CCA game are denoted $\mathrm{Adv}^{\text{IND-CCA}}_{\mathcal{A}_I}$ and $\mathrm{Adv}^{\text{IND-CCA}}_{\mathcal{A}_{II}}$ respectively. For replayable CCA (RCCA) security [11], the decryption oracle returns "replay" if the decryption result is M_0 or M_1 after the challenge phase.

4 A Specific Construction of SP-CLE


4.1 Intuition
Instead of using an SPE generically to perform encryption, we rely on the
pairings computed in the SPS verification for encryption or decryption. In our
scheme, a receiver generates and sends his partial public key ppk to the KGC. The
KGC creates a structure-preserving signature on the receiver identity together
with the partial public key. The receiver then publishes a part of the signature
together with his partial public key while keeping the remaining signature parts.
A general verification algorithm of an SPS consists of a series of pairing product equations of the form
$$\prod_{i=1}^{m}\prod_{j=1}^{n} e(G_i, H_j)^{a_{ij}} = 1_{\mathbb{G}_T},$$
where G_i ∈ G for i ∈ [1, m], H_j ∈ H for j ∈ [1, n], and a_ij ∈ {−1, 0, 1}. The group elements G_i and H_j come from the verification key of the SPS, the signature being verified, or the message. The exponents a_ij indicate whether a pairing should be on the left or the right side of the equation (1 or −1), or should not appear at all (0).
We divide the set {(G_i, H_j)}_{(i,j)} into two index sets: K, which contains the pairings used in encryption by the sender to construct a session key (or for hiding the plaintext); and K̄, which contains the rest of the pairings, used in decryption to recover the session key. To encrypt a plaintext M, the pairings e(G_i, H_j) for (i, j) ∈ K and some randomness r_ij ←$ Z_p together form a session key as
$$\prod_{(i,j)\in K} e(G_i, H_j)^{a_{ij}\cdot r_{ij}}.$$
The ciphertext also contains elements exponentiated with the randomness r_ij ({x, y, z} in our concrete scheme below). The remaining pairings in the set K̄ can be used in the decryption algorithm to pair up the ciphertext elements and the decryption key to recover the session key. Whether a pairing should be put in the session key, included in the other ciphertext elements, or used in decryption privately as part of the decryption key depends on whether the inputs of the pairing are public or not.
We start with the basics. To make our exposition concrete, we consider the SPS scheme due to Abe et al. [4]. We chose to build our SP-CLE on this SPS for its optimality. The verification key of the SPS scheme is the master public key, which should be public. It contains (g, h, U, Ṽ1, Ṽ2, W1, W2). The message vector signed by the SPS contains a user identity and a (partial) user public key Dα. Both elements are public. The signature (R̃, S̃, T) provides the only parts which can be private. Now, we classify the pairings in the SPS verification. A similar classification has also been done in the literature [32] for a different purpose (delegating computations of pairings).
(1) Both elements in a pairing are public: This type of pairing includes public key-public key pairs and message-public key pairs. The involved elements are available to the encryptor, so we use all of them in the session key. In our scheme, these include e(W1, h), e(ID, Ṽ1), e(Dα, Ṽ2), and e(g, h), where Dα is a user-chosen public key. Our scheme also includes an additional term e(Dα, h) to ensure that only the user, but not the KGC (who can recreate the SPS signature), can decrypt. Looking ahead, our scheme publishes R̃ from the signature, so e(W2, R̃) and e(U, R̃) eventually belong to this type (see "both private" below).

(2) One of the elements in a pairing is public: This type of pairing includes public key-signature pairs and message-signature pairs. In our scheme, that is e(g, S̃). The public element can be used to embed randomness r in the ciphertext in the form of G_i^r or H_j^r. In our scheme, such elements include g (and R̃ below).
(3) Both elements in a pairing are private: The private elements (from the SPS signature) are part of the user private key. This type of pairing includes only signature-signature pairs. In our scheme, e(T, R̃) "originally" belongs to this type. As both of the elements are private, the encryptor has no way to know which SPS signature (i.e., user private key) the intended decryptor obtained. We thus publish R̃ as part of the user public key (which is not allowed in the IBE setting). We remark that such treatment is not possible for IBE since the user public key in IBE should be purely derived from the identity instead of any random choice made by the KGC during user private key generation.

Such a choice (over T) is due to multiple reasons. Firstly, R̃ is created as a random term which by itself does not relate to the private signing key in any way. It is intuitively safer to publish it instead of T, which is a term created from the private signing key on top of some public information like the identity. Moreover, R̃ is the term which "glues up" the two equations in the SPS verification. If the adversary chose to manipulate this term, it would need to deal with two equations. From the efficiency perspective, publishing R̃ minimizes the number of public-private pairings, which reduces the ciphertext size.

With R̃ published in our scheme, e(T, R̃) becomes a pairing of the "one being public" type. As discussed, the ciphertext in our scheme thus includes the term R̃ to embed the ciphertext randomness. Also, e(W2, R̃) and e(U, R̃) in the pairing-product equations become the "both being public" type, and hence these pairing terms appear in the session key.

4.2 CPA-Secure SP-CLE Scheme

We construct our CPA-secure SP-CLE scheme, called CLE_0, based on the existing structure-preserving signature scheme of Abe et al. [4].

Setup(1^λ) → param. Choose a bilinear group context G = (G, H, G_T, e, p, g, h), and output param = G.

MKeyGen(param) → (mpk, msk). The KGC randomly picks u, v1, v2, w1, w2 ←$ Z_p^* where u ≠ −w2, and computes U = g^u, Ṽ1 = h^{v1}, Ṽ2 = h^{v2}, W1 = g^{w1}, and W2 = g^{w2}. The master key pair is
$$mpk = (U, \tilde V_1, \tilde V_2, W_1, W_2),\qquad msk = (u, v_1, v_2, w_1, w_2).$$

This key pair is just the one for the SPS scheme by Abe et al. [4] with message space G² × H. Specifically, U is for the H part of the message space, and (Ṽ1, Ṽ2) is for G². Note that e(g, h) and e(W1, h) can be pre-computed, especially since W1 is never used as is except in e(W1, h).
SetUserSec(mpk) → (ppk, uk). A user randomly picks α ←$ Z_p, computes Dα = g^α and D̃α = h^α, and sets ppk = Dα and uk = D̃α.
Issue(msk, mpk, ID, ppk) → psk. For ID ∈ G and ppk = Dα ∈ G, the KGC randomly chooses r ←$ Z_p^* and computes
$$\tilde R = h^{r},\qquad \tilde S = h^{w_1 - r\cdot w_2}\cdot \tilde R^{-u},\qquad T = \bigl(g\cdot \mathrm{ID}^{-v_1}\cdot D_\alpha^{-v_2}\bigr)^{1/r}.$$
Output psk = (R̃, S̃, T) as the partial secret key.


We remark that (R̃, S̃, T) forms a signature on (ID, Dα, R̃) ∈ G² × H for the SPS scheme by Abe et al. [4], which can be verified with the equations below:
$$e(W_2, \tilde R)\, e(g, \tilde S)\, e(U, \tilde R) = e(W_1, h),\qquad e(T, \tilde R)\, e(\mathrm{ID}, \tilde V_1)\, e(D_\alpha, \tilde V_2) = e(g, h).$$
Note that the first equation can be simplified to e(W2 · U, R̃) e(g, S̃) = e(W1, h). Unlike the underlying signature scheme, we require the signature to sign on one of its own elements, R̃. This remains secure in the generic group model.
UKeyGen(mpk, ppk, psk, uk) → (upk, usk). A user parses psk as (R̃, S̃, T) and sets the key pair as
$$upk = (D_\alpha, \tilde R),\qquad usk = (\tilde D_\alpha, \tilde S, T)\quad(\text{recall: } ppk = D_\alpha \text{ and } uk = \tilde D_\alpha).$$
As R̃ is a part of upk, it can be replaced by an adversary. Our scheme thus also requires the KGC to "implicitly certify" R̃ during partial secret key generation.
Enc(mpk, upk, ID, M) → C. To encrypt M ∈ G_T, the sender randomly picks x, y, z ←$ Z_p, and computes
$$K = \bigl\{e(W_2, \tilde R)\, e(U, \tilde R)/e(W_1, h)\bigr\}^{x}\,\bigl\{e(\mathrm{ID}, \tilde V_1)\, e(D_\alpha, \tilde V_2)/e(g, h)\bigr\}^{y}\big/\, e(D_\alpha, h)^{z},$$
$$C_0 = M\cdot K,\qquad C_g = g^{x},\qquad C_R = \tilde R^{y},\qquad C_z = g^{z}.$$
Output the ciphertext C = (C_0, C_g, C_R, C_z).

(Note that $K = \{e(W_2 U, \tilde R)/e(W_1, h)\}^{x}\,\{e(\mathrm{ID}, \tilde V_1)/e(g, h)\}^{y}\, e(D_\alpha, \tilde V_2^{y}/h^{z})$.)
Dec(mpk, upk, usk, C) → M/⊥. Parse C as (C_0, C_g, C_R, C_z). Output
$$M = C_0\cdot e(C_g, \tilde S)\, e(T, C_R)\, e(C_z, \tilde D_\alpha).$$

Analysis. Correctness. Recall that Dα = g^α, D̃α = h^α, C_0 = M · K, and
$$K = e(W_2, \tilde R)^{x}\, e(U, \tilde R)^{x}\, e(W_1, h)^{-x}\cdot e(\mathrm{ID}, \tilde V_1)^{y}\, e(D_\alpha, \tilde V_2)^{y}\, e(g, h)^{-y}\cdot e(D_\alpha, h)^{-z}.$$
Hence, the decryption algorithm proceeds as below.
$$\begin{aligned}
& C_0\cdot e(C_g, \tilde S)\, e(T, C_R)\, e(C_z, \tilde D_\alpha)\\
&= M\cdot K\cdot e(C_g, \tilde S)\, e(T, C_R)\, e(C_z, \tilde D_\alpha)\\
&= M\cdot e(W_2, \tilde R)^{x} e(U, \tilde R)^{x} e(W_1, h)^{-x}\, e(\mathrm{ID}, \tilde V_1)^{y} e(D_\alpha, \tilde V_2)^{y} e(g, h)^{-y}\, e(D_\alpha, h)^{-z}\cdot e(C_g, \tilde S)\, e(T, C_R)\, e(C_z, \tilde D_\alpha)\\
&= M\cdot e(W_2, \tilde R)^{x} e(U, \tilde R)^{x} e(W_1, h)^{-x} e(C_g, \tilde S)\cdot e(\mathrm{ID}, \tilde V_1)^{y} e(D_\alpha, \tilde V_2)^{y} e(g, h)^{-y} e(T, C_R)\cdot e(D_\alpha, h)^{-z} e(C_z, \tilde D_\alpha)\\
&= M\cdot e(W_2, \tilde R)^{x} e(U, \tilde R)^{x} e(W_1, h)^{-x} e(g, \tilde S)^{x}\cdot e(\mathrm{ID}, \tilde V_1)^{y} e(D_\alpha, \tilde V_2)^{y} e(g, h)^{-y} e(T, \tilde R)^{y}\cdot e(g^{\alpha}, h)^{-z} e(g^{z}, h^{\alpha})\\
&= M\cdot \bigl(e(W_2, \tilde R)\, e(g, \tilde S)\, e(U, \tilde R)\, e(W_1, h)^{-1}\bigr)^{x}\,\bigl(e(T, \tilde R)\, e(\mathrm{ID}, \tilde V_1)\, e(D_\alpha, \tilde V_2)\, e(g, h)^{-1}\bigr)^{y} = M.
\end{aligned}$$
The second last equality holds because (R̃, S̃, T) is a signature which satisfies the verification equations given in the description of Issue().
Efficiency. We start with some basic observations about our scheme. The user private key consists of 3 elements in the base groups. The ciphertext consists of 3 group elements in the base groups and 1 group element in the target group. The decryption algorithm needs 3 pairings and 4 multiplications in the target group.

Comparison with the Generic Approach. It is natural to compare the performance of our proposed scheme with the folklore approach of building a CLE scheme "with certificate" [12]. Specifically, one can build a CLE scheme from any SPS and SPE schemes in the following way. A user publishes an SPE public key with an SPS signature on it as his public key. An encryptor encrypts to the user using the SPE public key only if the SPS signature verifies successfully. Instantiating this idea with the SPS due to Abe et al. [4] used in our concrete construction, we can see that the user public key will then consist of at least 3 elements from the SPS (and at least 1 element from the SPE public key as the CLE partial user public key). In contrast, for our concrete construction, the user public key consists of only 2 elements in the base groups, which is much shorter.

The explicit certificate verification step in the folklore approach using the same SPS scheme as ours will require 3 multiplications in the target group and 5 pairings. While the complexity of the actual encryption steps depends on which SPE scheme is used to instantiate this idea, the number of pairings involved is already larger than what our proposed scheme requires. Our encryption algorithm takes 5 exponentiations and 2 multiplications in the base groups, 2 exponentiations and 4 multiplications in the target group, and 3 pairing computations.
Theorem 1. CLE_0 is CPA-secure against Type-I and Type-II adversaries in the generic group model (without any isomorphism between the two base groups).

To prove that CLE_0 is CPA-secure against Type-I and Type-II adversaries, we replace the challenge ciphertext component C_0* with a random element in G_T and show that the adversaries cannot distinguish this simulation from the real scheme in the generic group model. The detailed proof is in the full version.

4.3 A Variant CLE Scheme for M ∈ G


This part proposes an SP-CLE scheme CLE_1 encrypting M ∈ G, building on top of CLE_0. Based on the technique of encrypting group elements in the partially structure-preserving IBE scheme [25], we present a generic way to transform a scheme encrypting plaintexts in G_T into a scheme encrypting plaintexts in G or H.

Setup(1^λ) → param. The KGC runs param_0 ← CLE_0.Setup(1^λ), picks G_i ←$ G for i ∈ [1, l] where l is suitably large¹, and outputs param = (param_0, {G_i}_{i=1}^{l}).

MKeyGen() → (mpk, msk). The KGC runs (mpk_0, msk_0) ← CLE_0.MKeyGen(param_0) and outputs the master key pair mpk = (mpk_0, {G_i}_{i=1}^{l}), msk = msk_0.

SetUserSec(mpk) → (ppk, uk). A user runs (ppk, uk) ← CLE_0.SetUserSec(mpk_0), and sets ppk, uk as its partial public key and user secret value respectively.

Issue(msk, mpk, ID, ppk) → psk. For a user ID ∈ H, the KGC runs psk_0 ← CLE_0.Issue(msk_0, mpk_0, ID, ppk) and outputs the partial secret key psk = psk_0.

UKeyGen(mpk, ppk, psk, uk) → (upk, usk). The user computes its own user public-private key pair as (upk, usk) ← CLE_0.UKeyGen(mpk_0, psk_0, ppk, uk).
Enc(mpk, upk, ID, M) → C. To encrypt M ∈ G, randomly choose τ_k ∈ {0, 1} for k = 1, 2, ..., l, and compute
$$C_0 = M\cdot\prod_{j=1}^{l} G_j^{\tau_j},\qquad C_{k,M} \leftarrow \mathsf{CLE}_0.\mathsf{Enc}\bigl(mpk_0, upk, \mathrm{ID}, e(G_k, h)^{\tau_k}\bigr)\quad \forall k\in\{1, 2, \ldots, l\}.$$
Output C = (C_0, {C_{k,M}}_{k=1}^{l}) as the ciphertext (where the {C_{k,M}} still encrypt elements of G_T).

Dec(mpk, upk, usk, C) → M/⊥. Parse C as (C_0, {C_{k,M}}_{k=1}^{l}). For k = 1, 2, ..., l, compute M_k = CLE_0.Dec(mpk_0, upk, usk, C_{k,M}) and find τ_k such that M_k = e(G_k, h)^{τ_k}. Output
$$M = \frac{C_0}{\prod_{k=1}^{l} G_k^{\tau_k}}$$
as the plaintext.

The scheme CLE_1 also supports plaintexts from H. If we choose H̃_k ∈ H for k ∈ [1, l] as part of the master public key, and encrypt the plaintext as $M\cdot\prod_{k=1}^{l}\tilde H_k^{\tau_k}$, we can then encrypt plaintexts in H.

Correctness. The correctness of CLE_1 follows from the correctness of CLE_0, which ensures that each M_k can be calculated correctly. Thus, there is at most one series {τ_k}_{k=1}^{l} such that M_k = e(G_k, h)^{τ_k} for all k ∈ [1, l], and this series can cancel the term $\prod_{k=1}^{l} G_k^{\tau_k}$ in C_0 to obtain the plaintext M. More details can be seen from the correctness analysis in our CCA-secure extension presented below, which also encrypts messages in a base group (H).

¹ In the partially structure-preserving IBE scheme [25], this represents the bit-length of the identity. In our scheme, ID is a group element, so l belongs to poly(λ).
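To make the algebra of CLE_0 (Sect. 4.2) and of the bit-wise wrapper CLE_1 (Sect. 4.3) checkable, here is an added worked example written for this page; it is not code from the paper or its authors. It models all three groups by their discrete logarithms modulo a constructed prime order p = 2^61 − 1, so e(g^a, h^b) is just a·b mod p. Every exponent is visible in this model, so it has no security whatsoever; its only purpose is to confirm that Issue outputs a partial secret key satisfying both pairing-product equations, that Dec cancels the session key K exactly as in the correctness analysis, and that CLE_1 recovers each bit τ_k and answers ⊥ (None) on a malformed C_{k,M}. It follows the Issue description above with R̃ = h^r and T = (g · ID^{−v1} · Dα^{−v2})^{1/r}; the function and variable names are ours.

```python
"""Toy exponent model of CLE_0 (Sect. 4.2) and CLE_1 (Sect. 4.3).

Each group element is stored as its discrete logarithm mod p: g^a in G, h^b in H
and e(g,h)^c in GT become the integers a, b, c. Group multiplication is addition
of exponents, exponentiation is multiplication, and e(g^a, h^b) = e(g,h)^(a*b).
Discrete logs are trivial here, so the model has no security; it only checks
that Issue/Enc/Dec cancel as the correctness analysis claims.
"""
import secrets

P = (1 << 61) - 1   # constructed prime group order (2^61 - 1 is prime)

def pair(a, b):
    """e(g^a, h^b) = e(g,h)^(a*b) in the exponent model."""
    return (a * b) % P

def rand_nonzero():
    while True:
        r = secrets.randbelow(P)
        if r:
            return r

# ---- CLE_0 ---------------------------------------------------------------
def mkeygen():
    """MKeyGen: u, v1, v2, w1, w2 in Z_p^* with u != -w2 (so W2*U != 1)."""
    while True:
        u, v1, v2, w1, w2 = (rand_nonzero() for _ in range(5))
        if (u + w2) % P:
            break
    mpk = {"U": u, "V1": v1, "V2": v2, "W1": w1, "W2": w2}  # U=g^u, V1=h^v1, ...
    return mpk, (u, v1, v2, w1, w2)

def set_user_sec():
    """SetUserSec: ppk = D_alpha = g^alpha, uk = D~_alpha = h^alpha."""
    alpha = secrets.randbelow(P)
    return alpha, alpha

def issue(msk, ident, ppk):
    """Issue: R~ = h^r, S~ = h^(w1 - r*w2) * R~^(-u), T = (g*ID^-v1*D_alpha^-v2)^(1/r)."""
    u, v1, v2, w1, w2 = msk
    r = rand_nonzero()
    s = (w1 - r * w2 - u * r) % P
    t = ((1 - v1 * ident - v2 * ppk) * pow(r, -1, P)) % P
    return r, s, t

def sps_verify(mpk, ident, ppk, psk):
    """Both pairing-product equations of the Abe et al. SPS, in the exponent."""
    r, s, t = psk
    eq1 = (pair(mpk["W2"], r) + pair(1, s) + pair(mpk["U"], r)) % P == pair(mpk["W1"], 1)
    eq2 = (pair(t, r) + pair(ident, mpk["V1"]) + pair(ppk, mpk["V2"])) % P == pair(1, 1)
    return eq1 and eq2

def ukeygen(ppk, psk, uk):
    """UKeyGen: upk = (D_alpha, R~), usk = (D~_alpha, S~, T)."""
    r, s, t = psk
    return (ppk, r), (uk, s, t)

def enc0(mpk, upk, ident, m):
    """CLE_0.Enc for M in GT (m is its exponent); returns (C0, Cg, CR, Cz)."""
    d, r = upk
    x, y, z = (secrets.randbelow(P) for _ in range(3))
    k = (x * (pair(mpk["W2"], r) + pair(mpk["U"], r) - pair(mpk["W1"], 1))
         + y * (pair(ident, mpk["V1"]) + pair(d, mpk["V2"]) - pair(1, 1))
         - z * pair(d, 1)) % P                      # session key K
    return (m + k) % P, x, (r * y) % P, z            # C0 = M*K, g^x, R~^y, g^z

def dec0(usk, c):
    """CLE_0.Dec: M = C0 * e(Cg, S~) * e(T, CR) * e(Cz, D~_alpha)."""
    dt, s, t = usk
    c0, cg, cr, cz = c
    return (c0 + pair(cg, s) + pair(t, cr) + pair(cz, dt)) % P

# ---- CLE_1: plaintexts in G, one CLE_0 ciphertext per bit tau_k -----------
def enc1(mpk, gs, upk, ident, m):
    """C0 = M * prod G_j^tau_j; C_{k,M} = CLE_0.Enc(e(G_k,h)^tau_k)."""
    taus = [secrets.randbelow(2) for _ in gs]
    c0 = (m + sum(t * g for t, g in zip(taus, gs))) % P
    return c0, [enc0(mpk, upk, ident, pair(g, 1) * t) for g, t in zip(gs, taus)]

def dec1(gs, usk, c):
    """Recover tau_k from M_k in {1_GT, e(G_k,h)}; anything else is ⊥ (None)."""
    c0, cks = c
    taus = []
    for g, ck in zip(gs, cks):
        mk = dec0(usk, ck)
        if mk not in (0, pair(g, 1)):
            return None                              # malformed C_{k,M}
        taus.append(0 if mk == 0 else 1)
    return (c0 - sum(t * g for t, g in zip(taus, gs))) % P

def demo(l=8):
    """Run both schemes end to end; returns (sps_ok, cle0_ok, cle1_ok)."""
    mpk, msk = mkeygen()
    gs = [rand_nonzero() for _ in range(l)]         # G_1..G_l of CLE_1.Setup
    ident = secrets.randbelow(P)                    # ID as a group element
    ppk, uk = set_user_sec()
    psk = issue(msk, ident, ppk)
    upk, usk = ukeygen(ppk, psk, uk)
    m_t, m_g = secrets.randbelow(P), secrets.randbelow(P)
    return (sps_verify(mpk, ident, ppk, psk),
            dec0(usk, enc0(mpk, upk, ident, m_t)) == m_t,
            dec1(gs, usk, enc1(mpk, gs, upk, ident, m_g)) == m_g)
```

`demo()` returns three booleans: the partial secret key verifies as an SPS signature, the CLE_0 round trip recovers M ∈ G_T, and the CLE_1 round trip recovers M ∈ G. A real instantiation needs a Type III pairing library in place of `pair`; the exponent model is a tool for checking the equations, not an implementation of the scheme.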

Theorem 2. The SP-CLE scheme CLE_1 is IND-CPA secure if CLE_0 is IND-CPA secure.

The proof is deferred to the full version.

4.4 RCCA-Secure Extension


Now we propose an RCCA-secure SP-CLE scheme CLE_2 with message space H, which uses a one-time SPS scheme OTS and a simulation-sound NIZK proof system GS as building blocks, following the idea of transforming CPA-secure IBE into CCA-secure PKE [9]. We use the SPS scheme proposed by Abe et al. [2] as OTS (which is also used in a CCA-secure SPE scheme by Libert et al. [27]).

Our RCCA-secure SP-CLE is derived from CLE_1. Intuitively, the encryptor generates an OTS key pair (ovk, osk), binds ovk with the session key, provides extra elements computed from osk (which can be simulated without osk using the "trapdoor" in param), and proves that everything is faithfully constructed using osk. We add a Groth-Sahai proof of the validity of the ciphertext, with the plaintext embedded as a witness. When simulating the Strong Decrypt oracle, the challenger can extract the plaintext even for an identity with a replaced user public key.
Setup(1^λ) → param. Run the two algorithms param_1 ← CLE_1.Setup(1^λ) and param_OTS ← OTS.Setup(1^λ, 1), and set up GS to generate a common reference string crs. Randomly choose u_i ←$ Z_p for i ∈ [1, 4] to compute U_i = g^{u_i}, H̃_i = h^{u_i}, and output the public parameter param = (param_1, param_OTS, crs, {U_i, H̃_i}_{i=1}^{4}).

MKeyGen(param) → (mpk, msk). The KGC runs the algorithm (mpk_1, msk_1) ← CLE_1.MKeyGen(param_1), and outputs the master public-private key pair as mpk = (mpk_1, {U_i, H̃_i}_{i=1}^{4}), msk = msk_1. The one-time public key ovk for the OTS of our choice [2] consists of 4 group elements in H. The elements {U_i, H̃_i}_{i=1}^{4} are for binding ovk with a ciphertext. Generally, i can be in the range [1, k] where k is the number of elements contained in ovk of the one-time SPS scheme.

SetUserSec(mpk) → (ppk, uk). A user runs (ppk, uk) ← CLE_1.SetUserSec(mpk_1), and sets (ppk, uk) as its partial public key and user secret value respectively.

Issue(msk, mpk, ID, ppk) → psk. For a user with identity ID ∈ H, the KGC outputs the partial secret key psk ← CLE_1.Issue(msk_1, mpk_1, ID, ppk).

UKeyGen(mpk, psk, ppk, uk) → (upk, usk). The user computes its own user public-private key pair as (upk, usk) ← CLE_1.UKeyGen(mpk, psk, ppk, uk).

Enc(mpk, upk, ID, M) → C. To encrypt M ∈ G, the sender randomly picks τ_k ←$ {0, 1} and x_k, y_k, z_k ←$ Z_p for k ∈ [1, l]. The set {x_k, y_k, z_k, τ_k} will be used as the internal randomness for CLE_1.Enc(). The sender also runs (ovk, osk) ← OTS.KeyGen(param_OTS) of Abe et al.'s one-time SPS scheme [2], for which the exponents {a_i} for i ∈ [1, 4] such that ovk = (h^{a_1}, h^{a_2}, h^{a_3}, h^{a_4}) are available. For ease of presentation, we use (Ã_1, Ã_2, Ã_3, Ã_4) to represent ovk.

Finally, the sender computes
$$\begin{aligned}
(C_0, \{C_{k,M}\}_{k=1}^{l}) &\leftarrow \mathsf{CLE}_1.\mathsf{Enc}\bigl(mpk_1, upk, \mathrm{ID}, M;\ \{x_k, y_k, z_k, \tau_k\}\bigr),\\
(C_{k,0}, C_{k,g}, C_{k,R}, C_{k,z}) &\leftarrow C_{k,M},\\
C'_{k,0} &= C_{k,0}\cdot\prod_{i=1}^{4} e(U_i, \tilde A_i)^{-x_k}\quad\text{for } k\in[1, l],\\
C_{a,i} &= \tilde H_i^{a_i}\quad\text{for } i\in[1, 4],\\
\pi &= \mathrm{PoK}\Bigl\{\bigl(M, \{x_k, y_k, z_k, \tau_k\}_{k=1}^{l}, \{a_i\}_{i=1}^{4}\bigr) :\\
&\qquad (C_0, \{(C_{k,0}, C_{k,g}, C_{k,R}, C_{k,z})\}_{k=1}^{l}) \leftarrow \mathsf{CLE}_1.\mathsf{Enc}\bigl(mpk_1, upk, \mathrm{ID}, M;\ \{x_k, y_k, z_k, \tau_k\}_{k=1}^{l}\bigr)\\
&\qquad \wedge\ C_0 = M\cdot\prod_{j=1}^{l} G_j^{\tau_j}\ \wedge\ \bigwedge_{i=1}^{4} C_{a,i} = \tilde H_i^{a_i}\ \wedge\ \bigwedge_{k=1}^{l} C'_{k,0} = C_{k,0}\cdot\prod_{i=1}^{4} e(U_i, \tilde A_i)^{-x_k}\Bigr\},\\
\sigma &\leftarrow \mathsf{OTS}.\mathsf{Sign}(osk, C_0).
\end{aligned}$$
Output (C_0, {Ã_i, C_{a,i}}_{i=1}^{4}, {C′_{k,0}, C_{k,g}, C_{k,R}, C_{k,z}}_{k=1}^{l}, π, σ) as the ciphertext.
Dec(mpk, upk, usk, C) → M/⊥. The decryptor first performs the following checks.
1. Parse the ciphertext C as specified in the output of the algorithm Enc().
2. Verify the equations e(g, C_{a,i}) = e(U_i, Ã_i) for i ∈ [1, 4].
3. Verify the signature σ using OTS.Verify((Ã_1, Ã_2, Ã_3, Ã_4), C_0, σ).
4. Verify the proof π using the GS.Verify() algorithm.
If any one of the four equations does not hold, or either σ or π does not pass verification, output ⊥. Otherwise, for k ∈ [1, l], compute
$$M_k = C'_{k,0}\cdot e\Bigl(C_{k,g},\ \tilde S\cdot\prod_{i=1}^{4} C_{a,i}\Bigr)\, e(T, C_{k,R})\, e(C_{k,z}, \tilde D_\alpha).$$
Find τ_k such that M_k = e(G_k, h)^{τ_k}. Finally, output
$$M = \frac{C_0}{\prod_{i=1}^{l} G_i^{\tau_i}}.$$

Correctness. For k ∈ [1, l],
$$\begin{aligned}
& C'_{k,0}\cdot e\Bigl(C_{k,g},\ \tilde S\cdot\prod_{i=1}^{4} C_{a,i}\Bigr)\, e(T, C_{k,R})\, e(C_{k,z}, \tilde D_\alpha)\\
&= M_k\cdot e(W_2, \tilde R)^{x_k} e(U, \tilde R)^{x_k}\cdot\prod_{i=1}^{4} e(U_i, \tilde A_i)^{-x_k}\cdot e(W_1, h)^{-x_k}\cdot e(\mathrm{ID}, \tilde V_1)^{y_k} e(D_\alpha, \tilde V_2)^{y_k} e(g, h)^{-y_k} e(D_\alpha, h)^{-z_k}\\
&\qquad\cdot e\Bigl(C_{k,g},\ \tilde S\cdot\prod_{i=1}^{4} C_{a,i}\Bigr)\, e(T, C_{k,R})\, e(C_{k,z}, \tilde D_\alpha)\\
&= M_k\cdot e(W_2, \tilde R)^{x_k} e(U, \tilde R)^{x_k}\cdot\prod_{i=1}^{4} e(U_i, \tilde A_i)^{-x_k}\cdot e(W_1, h)^{-x_k}\cdot e\Bigl(C_{k,g},\ \tilde S\cdot\prod_{i=1}^{4} C_{a,i}\Bigr)\\
&\qquad\cdot e(\mathrm{ID}, \tilde V_1)^{y_k} e(D_\alpha, \tilde V_2)^{y_k} e(g, h)^{-y_k}\cdot e(T, C_{k,R})\cdot e(D_\alpha, h)^{-z_k}\cdot e(C_{k,z}, \tilde D_\alpha)\\
&= M_k\cdot\Bigl(e(W_2, \tilde R)\, e(U, \tilde R)\cdot\prod_{i=1}^{4} e(U_i, \tilde A_i)^{-1}\cdot e(W_1, h)^{-1}\cdot e\Bigl(g,\ \tilde S\cdot\prod_{i=1}^{4} C_{a,i}\Bigr)\Bigr)^{x_k}\\
&\qquad\cdot\Bigl(e(\mathrm{ID}, \tilde V_1)\, e(D_\alpha, \tilde V_2)\, e(g, h)^{-1}\cdot e(T, \tilde R)\Bigr)^{y_k}\cdot e(g^{\alpha}, h)^{-z_k}\, e(g^{z_k}, h^{\alpha}) = M_k.
\end{aligned}$$
With the correct M_k, the τ_k such that M_k = e(G_k, h)^{τ_k} can be recovered. With all M_k for k ∈ [1, l], $M = C_0\big/\prod_{i=1}^{l} G_i^{\tau_i}$ can be correctly recovered as in Sect. 4.3.

Theorem 3. The SP-CLE scheme CLE_2 is RCCA-secure against Strong Type-I and Strong Type-II adversaries if CLE_1 is CPA-secure against Type-I and Type-II adversaries.

The proof is deferred to the full version.

Remark. A fully structure-preserving CLE scheme would be overkill for our application, as it does not need to hide the ciphertext and prove statements about its validity. Also, our application applies yet another signature on top of the CLE ciphertext (with other parts) such that any rerandomization of the CLE ciphertext invalidates the signature, so CLE_2 only aims at RCCA security. Nevertheless, Appendix A outlines how to use the trick of Libert and Joye [25] for converting G_T values into base group elements in the ciphertext of our CLE_1.

5 Group Signatures with Certified Limited Opening


We use our SP-CLE (in Sect. 4) as a building block to construct an example
application, a group signature scheme with certified limited (CL) opening, a
generalization of message-dependent opening [30]. Due to the page limit, we
present the formal definitions in the full version.
Group signature is a privacy-oriented signature scheme where the verifier can be convinced that a given signature is signed by a group member, but not exactly by whom. Since perfect anonymity may be abused, group signatures come with an opening mechanism such that the group manager, or in general an opening authority (OA), can use a secret key to reveal the true signer of a signature. When there is purported abuse, we want to identify the signer of the suspicious signatures. In traditional group signatures, this means all signatures must be opened, which is undesirable for honest users. The notion of traceable signatures (TS) [1, 23] extends that of group signatures to mitigate this problem. In TS, when a group member is classified as misbehaving, a user-specific tracing trapdoor can be generated (by the group manager or the OA). Everyone with this user-specific trapdoor can check if a signature is actually signed by the misbehaving user, or trace [13] the signatures generated by the misbehaving user. TS can be regarded as a group signature scheme with signer-dependent opening. Subsequently, Sakai et al. [30] proposed the notion of group signature with message-dependent opening (GS-MDO). In GS-MDO, apart from the OA, there is another entity called the admitter. The admitter can generate a message-dependent opening key. The real signer of a group signature on a given message can be revealed only when both the master opening key (of the OA) and the message-dependent opening key (provided by the admitter) are used.

Difficulty in Construction. GS-MDO schemes are often constructed from IBE since GS-MDO implies its existence (or precisely, identity-based key encapsulation) [30]. Existing schemes not relying on the pairing-based Groth-Sahai proof are either not that efficient [26] or are proven secure in the random oracle model [28]; however, typical pairing-based IBE schemes encrypt messages in the target group, which is not compatible with a Groth-Sahai proof that a correct message (the signer identity in the case of GS-MDO) has been encrypted. Consequently, the original work of Sakai et al. [30] proposed to use k-resilient IBE to construct GS-MDO, which remains secure only when the adversary obtains no more than a predefined bound of k message-dependent opening keys. Later, Ohara et al. [28] proposed a GS-MDO scheme with unbounded MDO in the random oracle model. A subsequent work of Libert and Joye [25] describes an unbounded GS-MDO scheme in the standard model by proposing an IBE scheme which encrypts messages in the base group. This IBE scheme is partially structure-preserving in the sense that the identity is still a bit-string instead of a group element. In an IBE-based GS-MDO scheme, the identity used in IBE is the same as the message to be signed. So this scheme [25] is not structure-preserving and cannot sign on group elements. Higher-level applications of GS-MDO thus cannot hide, yet prove statements about, the message with another Groth-Sahai proof.

Certified Limited Opening. We consider an alternative way of limiting the opening power, which we call certified limited (CL) opening. CL opening features an entity called a master certifier, who certifies openers case by case depending on the context. For example, consider the application of group signatures for signing votes in electronic voting. The government can be the master certifier, and the openers can be those overseeing different districts/counties/provinces/states. When issuing a group signature, the group member can designate an opener during the signing process. The opener who is the designated one for a group signature can open it (i.e., revoke the anonymity of the signature). Neither the certifier nor any non-designated opener can perform opening.

CL opening is a variant of MDO which removes the reliance on a single opening authority and minimizes the disturbance to honest users. Moreover, it decouples the criteria for opening from the message being signed. In many applications, the need for opening may not originate from the message itself. We can assign the openers depending on the application. Consider the e-voting scenario again, where the voting software in one of the voting booths could be compromised. We can set the openers to be the authorities overseeing different booths. If some anomaly happens with a particular booth, say, the candidate is set to an adversarially-chosen one under the hood, independent of the vote cast by the voters, only the signatures in the concerned booth will be opened, and only the affected voters will be asked to cast a correct vote again.

CL opening also simplifies the opening process. The existing MDO functionality [25,30] requires the master opening key and the message-dependent key as inputs. That means the two parties holding the corresponding keys must cooperate in an honest manner. In our formulation, the master certifier and the opening authority interact once such that the latter gets an opening key of limited power, instead of performing joint decryption in every opening. Dealing with a single key also allows an easier zero-knowledge proof of opening correctness.

5.1 Our Group Signature Scheme with Certified Limited Opening

We build our group signature scheme with CL opening using SP-CLE. In a nutshell, the signing algorithm uses SP-CLE to encrypt the identity of the signer with respect to an SP-CLE user. In this way, we can realize new privacy-enhancing features easily thanks to the preserved structures. In particular, since the identity and the user public key in our SP-CLE scheme are both group elements, one can include an additional proof about them to preserve the opener's privacy. For example, it can hide who the designated opener is among a list of possibilities.

Due to our formulation of the underlying SP-CLE scheme, our resulting group signature scheme with CL opening can be considered weaker than group signatures with MDO, since the message in the latter does not require prior "certification" from any party. However, in case the message domain is small, one can obtain MDO from CL opening by assigning an opener for each possible message. Also, as argued above, we decouple the message to be signed from the context of the opening. More importantly, from the technical perspective, since SP-IBE does not exist, it is unclear how to "upgrade" the existing GS-MDO schemes such that we can sign on a group element while retaining the MDO functionality. On the other hand, our group signature scheme with CL opening is partially structure-preserving, in the sense that it can sign on a group element as a message (and the public key and the identity of the opener are also group elements, due to our SP-CLE). It can then sign on an encryption of a vote (for privacy) when the resulting ciphertext consists of only group elements, and further allow a zero-knowledge proof about the message being encrypted and signed. For example, the zero-knowledge proof can prove that the vote is a valid choice among the possible candidates. With the group structure preserved, the encrypted votes can also be homomorphically processed (when the underlying encryption is homomorphic) such that only the aggregate results will be revealed.

Finally, as a generic construction, future constructions of SP-CLE in the original formulation can be directly plugged into our proposed design.

5.2 Construction

Design Overview. We follow the two-level signature construction [8] and use two SPS instances and one SP-CLE instance. The group manager generates an SPS signature cert_ID on an identity ID and a verification key vk_ID for an SPS scheme as part of the user private key for ID. The user with identity ID generates another SPS signature σ′ on a message M, then proves the relation of (ID, vk_ID, cert_ID) and that of (M, σ′) without revealing ID, vk_ID, cert_ID, or σ′.

To implement the certified limited opening feature using SP-CLE, the KGC (as the master certifier) interacts with an SP-CLE user (as an opener). After they interact in the SP-CLE key-issuing process, the opener obtains a public-private key pair. Suppose the identity of the opener is E; the user public key pk_E will be published, and the user private key osk_E will be kept secret. The signer uses pk_E to encrypt ID, then generates a proof showing that this ciphertext is well-formed. All the proofs and this ciphertext are output as the group signature. The party holding osk_E can decrypt the ciphertext to obtain ID.
Syntax. Our definition extends the one by Sakai et al. [30]. We replace the
input of the TrapGen algorithm from a message M with an identifier E and an
opener public key, and only require the output of TrapGen but not the “master”
opening key in the Open algorithm. We also split the key generation into Setup,
MKeyGen, and Issue. A detailed definition can be found in the full version.
Our Construction. We use our CLE scheme for M ∈ G (denoted CLE), two SPS
schemes SPS_G and SPS, and a GS-proof system GS as the building blocks to
construct a structure-preserving group signature with certified limited opening.
As the Groth-Sahai proof is rerandomizable, we use a structure-preserving one-time
signature OTS to enforce CCA-anonymity.
This scheme also achieves the “hidden identity” features as in hidden identity-
based signatures [17,24] since its opening mechanism can directly recover the
signer identity without relying on the existence of any membership database.
Setup(1^λ) → param. Choose a Type III bilinear group G = (G, H, G_T, e, p, g, h)
which is suitable for CLE, SPS_G, and SPS. Generate the common reference
string crs for GS. Output param = (G, crs).
MKeyGen() → (mpk, msk). Generate the key-pair for the underlying structure-
preserving primitives as follows.
1. (vkG, skG) ← SPS_G.KeyGen().
2. (mpkCLE, mskCLE) ← CLE.MKeyGen().
Output the master public-private key pair mpk = (vkG, mpkCLE), msk = skG
to the KGC, and output the master opening key ok = mskCLE to the master
certifier.
Issue(msk, ID) → uskID. A user with identity ID and the KGC interactively
compute a certificate as part of the user secret key for the user.
1. The user runs (vkID, skID) ← SPS.KeyGen(), and sends (ID, vkID) to the KGC.
2. The KGC runs certID ← SPS_G.Sign(skG, (ID, vkID)), and sends certID to the user.
The user sets uskID = (skID, vkID, certID) as the user private key.
TrapGen(mpk, ok, E) → (pkE, oskE). The master certifier and an opener run
this protocol such that the opener will get an opening key for an identity E ∈ H.
1. The opener first runs (ppkE, ukE) ← SetUserSec(mpkCLE, E).
2. The master certifier runs pskE ← CLE.Issue(mskCLE, mpkCLE, E, ppkE) and
(upkE,CLE, uskE,CLE) ← CLE.UKeyGen(mpkCLE, ppkE, pskE, uskE), where ok
is parsed as mskCLE.
3. The master certifier outputs uskE,CLE as the certified limited opening key
oskE, and publishes upkE,CLE as pkE for identity E.

Sign(mpk, uskID, pkE, E, M) → σ. The input E is the identity of the opener, and
pkE is the public key of the opener generated by the algorithm TrapGen. To sign
on a message M ∈ H by uskID, a user performs the following steps.
1. (ovk, osk) ← OTS.KeyGen().
2. σ' ← SPS.Sign(skID, (M, E, ovk)).
3. C ← CLE.Enc(mpkCLE, pkE, E, ID).
4. Run GS.Prove() to generate the proof
π = PoK{(vkID, certID, ID, σ') : 1 ← SPS.Verify(vkID, (M, E, ovk), σ')
∧ 1 ← SPS_G.Verify(vkG, (ID, vkID), certID)
∧ C ← CLE.Enc(mpkCLE, pkE, E, ID)}.
5. σ'' ← OTS.Sign(osk, (C, π)).
Output σ = (π, C, E, ovk, σ'') as the group signature.
Verify(mpk, M, σ) → 1/0. The verifier parses σ as (π, C, E, ovk, σ''). If the algo-
rithm OTS.Verify(ovk, (C, π), σ'') outputs 1 and GS.Verify() outputs 1 for π
(i.e., π is a valid proof), the verifier outputs 1 and accepts the group signature σ;
otherwise, the verifier outputs 0.
Open(mpk, pkE, oskE, σ) → ID/⊥. An opener parses mpk as (vkG, mpkCLE) and
σ as (π, C, E, ovk, σ''). It returns ⊥ if 0 ← Verify(mpk, M, σ). Otherwise, it
computes ID ← CLE.Dec(mpkCLE, pkE, pskE, C) and outputs ID.

Theorem 4. The proposed group signature scheme with certified limited opening
provides traceability and anonymity, and is existentially unforgeable against adap-
tive chosen-message attack (EUF-CMA secure) if GS is a non-interactive zero-
knowledge proof, CLE is CPA/CCA secure, SPS_G and SPS are both EUF-CMA
secure, and OTS is one-time secure (only for CCA-anonymity).

The proof is deferred to the full version.

Remarks. Two specific steps of Sign(), namely σ' ← SPS.Sign(skID, (M, E, ovk))
and C ← CLE.Enc(mpkCLE, pkE, E, ID), merit more discussion. With
the use of SPS, our group signature scheme can sign on a group element M ∈ H.
With our SP-CLE, pkE and E are both group elements. It is thus easy to use a
Groth-Sahai proof to, say, prove that the opener is one of a known list of
n openers.

6 Conclusion
We propose a series of structure-preserving certificateless encryption schemes by
extending an existing structure-preserving signature scheme. We illustrate their
applications in group signature with certified limited opening. We leave it as a
future work to use our structure-preserving certificateless encryption scheme for
other accountable privacy features, e.g., escrowed linkability [16] in which two
anonymous signatures from the same signer can only be linked by the one who
owns the private key (in our structure-preserving certificateless encryption).
Our scheme supports typical applications of CLE except “encrypt to the
future” [15, 22, 29]. We leave it as an open problem to devise an SP-CLE under
the original formulation [5]. Another future work is to propose a generic way to
construct SP-CLE from any SPS scheme, without any step verifying an SPS in
the encryption algorithm. A challenge is to generically “upgrade” the complexity
assumption required for the SPS to its decisional variant required by SP-CLE.

A Towards Removing $G_T$ Elements from the Ciphertext

Recall that in our basic scheme (Sect. 4.2)

$$K = \{e(W_2, \tilde{R})\, e(U, \tilde{R}) / e(W_1, h)\}^x \,\{e(ID, \tilde{V}_1)\, e(D_\alpha, \tilde{V}_2) / e(g, h)\}^y / e(D_\alpha, h)^z.$$

We include the following terms in the ciphertext such that $\prod_{i=1}^{4} e(C_i, \tilde{C}_i) = K$:

$$C_1 = ((W_2 \cdot U)^x)^{r_1},\quad \tilde{C}_1 = \tilde{R}^{1/r_1},\quad C_2 = (ID^y)^{r_2},\quad \tilde{C}_2 = \tilde{V}_1^{1/r_2},$$
$$C_3 = (D_\alpha^{\,y})^{r_3},\quad \tilde{C}_3 = \tilde{V}_2^{1/r_3},\quad C_4 = (W_1^x / g^y / D_\alpha^{\,z})^{r_4},\quad \tilde{C}_4 = h^{1/r_4}.$$

$K$ can be recovered by $e(C_g, \tilde{S})\, e(T, C_R)\, e(C_z, \tilde{D}_\alpha)$ as in the decryption algorithm.

The idea of encryption/decryption is still about encoding/recovering the bits
$\{\tau_j\}$ in $C_0 = M \cdot \prod_{j=1}^{l} G_j^{\tau_j}$ (Sect. 4.3). Roughly, the trick [25] has two steps.
First, we replicate K into l versions by different randomness. Second, we replicate
the master public key and the private key into two versions based on different
generators. To encode τj = 0, both encryption and decryption should use the
first version of the corresponding key. Similarly, τj = 1 takes the second version.

References
1. Abe, M., Chow, S.S.M., Haralambiev, K., Ohkubo, M.: Double-trapdoor anonymous tags for traceable signatures. Int. J. Inf. Secur. 12(1), 19–31 (2013)
2. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_20
3. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12
4. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_37
5. Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_29
6. Baek, J., Safavi-Naini, R., Susilo, W.: Certificateless public key encryption without pairing. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 134–148. Springer, Heidelberg (2005). https://doi.org/10.1007/11556992_10
7. Barbosa, M., Farshim, P.: Relations among notions of complete non-malleability: indistinguishability characterisation and efficient construction without random oracles. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 145–163. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_10
8. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38
9. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)
10. Camenisch, J., Haralambiev, K., Kohlweiss, M., Lapon, J., Naessens, V.: Structure preserving CCA secure encryption and applications. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 89–106. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_5
11. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
12. Chow, S.S.M.: Certificateless encryption. In: Identity-Based Cryptography. Cryptology and Information Security Series, vol. 2, pp. 135–155. IOS Press (2008)
13. Chow, S.S.M.: Real traceable signatures. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 92–107. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_6
14. Chow, S.S.M., Franklin, M.K., Zhang, H.: Practical dual-receiver encryption - soundness, complete non-malleability, and applications. In: The Cryptographer's Track at the RSA Conference (CT-RSA), pp. 85–105 (2014)
15. Chow, S.S.M., Roth, V., Rieffel, E.G.: General certificateless encryption and timed-release encryption. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 126–143. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3_9
16. Chow, S.S.M., Susilo, W., Yuen, T.H.: Escrowed linkability of ring signatures and its applications. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 175–192. Springer, Heidelberg (2006). https://doi.org/10.1007/11958239_12
17. Chow, S.S.M., Zhang, H., Zhang, T.: Real hidden identity-based signatures. In: Financial Cryptography and Data Security (FC), pp. 21–38 (2017)
18. Dent, A.W.: A brief introduction to certificateless encryption schemes and their infrastructures. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 1–16. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16441-5_1
19. Dent, A.W., Libert, B., Paterson, K.G.: Certificateless encryption schemes strongly secure in the standard model. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 344–359. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_20
20. Girault, M.: Self-certified public keys. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 490–497. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_42
21. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
22. Kasamatsu, K., Matsuda, T., Emura, K., Attrapadung, N., Hanaoka, G., Imai, H.: Time-specific encryption from forward-secure encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 184–204. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_11
23. Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_34
24. Kiayias, A., Zhou, H.: Hidden identity-based signatures. IET Inf. Secur. 3(3), 119–127 (2009)
25. Libert, B., Joye, M.: Group signatures with message-dependent opening in the standard model. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 286–306. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_15
26. Libert, B., Mouhartem, F., Nguyen, K.: A lattice-based group signature scheme with message-dependent opening. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 137–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_8
27. Libert, B., Peters, T., Qian, C.: Structure-preserving chosen-ciphertext security with shorter verifiable ciphertexts. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 247–276. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_11
28. Ohara, K., Sakai, Y., Emura, K., Hanaoka, G.: A group signature scheme with unbounded message-dependent opening. In: ACM SIGSAC Symposium on Information, Computer and Communications Security (AsiaCCS), pp. 517–522. ACM (2013)
29. Paterson, K.G., Quaglia, E.A.: Time-specific encryption. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 1–16. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_1
30. Sakai, Y., Emura, K., Hanaoka, G., Kawai, Y., Matsuda, T., Omote, K.: Group signatures with message-dependent opening. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 270–294. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_18
31. Sun, Y., Zhang, F., Baek, J.: Strongly secure certificateless public key encryption without pairing. In: Bao, F., Ling, S., Okamoto, T., Wang, H., Xing, C. (eds.) CANS 2007. LNCS, vol. 4856, pp. 194–208. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76969-9_13
32. Tsang, P.P., Chow, S.S.M., Smith, S.W.: Batch pairing delegation. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 74–90. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75651-4_6
Public Key Encryption Resilient to Post-challenge Leakage and Tampering Attacks

Suvradip Chakraborty(B) and C. Pandu Rangan

Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
{suvradip,rangan}@cse.iitm.ac.in

Abstract. In this paper, we introduce a new framework for con-
structing public-key encryption (PKE) schemes resilient to joint post-
challenge/after-the-fact leakage and tampering attacks in the bounded
leakage and tampering (BLT) model, introduced by Damgård et al. (Asi-
acrypt 2013). All the prior formulations of PKE schemes considered leak-
age and tampering attacks only before the challenge ciphertext is made
available to the adversary. However, this restriction seems necessary,
since achieving security against post-challenge leakage and tampering
attacks in its full generality is impossible, as shown in previous works. In
this paper, we study the post-challenge/after-the-fact security for PKE
schemes against bounded leakage and tampering under a restricted yet
meaningful and reasonable notion of security, namely, the split-state leak-
age and tampering model. We show that it is possible to construct secure
PKE schemes in this model, tolerating arbitrary (but bounded) leak-
age and tampering queries; thus overcoming the previous impossibility
results.
To this end, we formulate a new notion of security, which we call
entropic post-challenge IND-CCA-BLT secure PKE. We first define a
weaker notion called entropic restricted post-challenge IND-CCA-BLT
secure PKE, which can be instantiated using the (standard) DDH
assumption. We then show a generic compiler from our entropic restricted
notion to the entropic notion of security using a simulation-extractable
non-interactive zero-knowledge argument system. This requires an
untamperable common reference string, as in previous works. Finally,
we demonstrate the usefulness of our entropic notion of security by giv-
ing a simple and generic construction of post-challenge IND-CCA-BLT
secure PKE scheme in the split-state leakage and tampering model. This
also settles the open problem posed by Faonio and Venturi (Asiacrypt
2016).

Keywords: After-the-fact · Post-challenge · Entropic PKE ·
Split-state · Memory tampering · Related-key attacks ·
Bounded leakage and tampering

https://doi.org/10.1007/978-3-030-12612-4_2
24 S. Chakraborty and C. P. Rangan

1 Introduction and Related Works

Traditionally, cryptographic schemes have been analyzed assuming that an
adversary only has black-box access to the underlying functionality, and is in no
way allowed to manipulate the internal state of the functionality. Leakage- and
tamper-resilient cryptography studies the design of secure protocols and prim-
itives against an adversary who goes well beyond black-box access to protocol
algorithms and gets information by directly accessing or tampering with the memory or
the internal computations of the system. These physical attacks can be broadly
categorized into passive and active attacks. In the case of passive attacks, the adver-
sary tries to recover information via side-channel attacks that include tim-
ing measurements, power analysis, electromagnetic measurements, microwave
attacks, memory attacks and many more [15, 17, 18]. In the case of active attacks, the
adversary can modify the secret data/key of a targeted cryptographic scheme by
applying various physical attacks, and later violate the security of the primitive
by observing the effect of such changes at the output. These classes of attacks are
called memory tampering attacks or related-key attacks (RKA). These attacks
can be launched both in software and in hardware, e.g., by injecting faults into the device,
altering the internal power supply or clock of the device, or shooting the chip
with a laser.
The formal study of the security of cryptosystems, in particular block ciphers,
against related-key attacks was initiated by Bellare and Kohno [3]. In their
setting, the adversary can continuously tamper with the secret key of the cryp-
tosystem by choosing tampering functions from a restricted class of functions.
One might hope to make a cryptosystem provably resistant to arbitrary efficiently
computable tampering functions. Unfortunately, this type of unrestricted tam-
pering was shown to be impossible by Gennaro et al. [13] without making further
assumptions, such as a self-destruct mechanism, where the device simply blows up and
erases all its intermediate values (including the secret key) after a tampering
attempt is detected by the device. One useful line of research is to investigate
the security of cryptosystems against restricted classes of tampering attacks. In
most of these schemes, it is assumed that the secret key belongs to some finite
field, and the allowed modifications consist of linear or affine functions, or all
polynomials of bounded degree, applied to the secret key.
Another interesting line of research was initiated in Asiacrypt 2013 by
Damgård et al. [8], which is called the model of bounded tampering. In this model,
the adversary is allowed to make a bounded number of tampering queries, how-
ever, there is no further restriction on the functions, unlike the previous works.
Note that this model of bounded unrestricted tampering is orthogonal to the
model of continuous but restricted tampering model of [3]. In [8], the authors
showed a construction of signature scheme (in the random oracle model) and
public-key encryption scheme (in the standard model) in the bounded leakage
and tampering (BLT) model, where, apart from bounded unrestricted tamper-
ing, the adversary is also allowed to obtain bounded leakage from the secret
key of the cryptosystem. Faonio and Venturi [12] later improved the state-of-
the-art for the construction of signature schemes (in the standard model) and
PKE schemes (without involving pairings and zero-knowledge proofs) in the BLT
model.
In all the above constructions of PKE schemes [8, 12], the adversary is allowed
to make only pre-challenge tampering queries. In other words, the adversary can
specify a bounded number (say τ) of tampering queries $T_i$ ($i \in [\tau]$) before the
challenge phase, and gets access to the tampered decryption oracle $\mathsf{Dec}(\widetilde{sk}_i, \cdot)$,
where $\widetilde{sk}_i = T_i(sk)$. However, after receiving the challenge ciphertext, the adver-
sary is not allowed to make even a single tampering query. This severely restricts
the meaning and applicability of the existing security notions and of the
resulting constructions of cryptographic primitives satisfying these notions.
In particular, this means that even if the adversary tampers with the secret
key/memory only once, the secrecy of all the messages encrypted before that
tampering attempt cannot be guaranteed. However, note that this
is not a limitation of the existing security notions or constructions. Indeed,
as shown in [16, 20], tolerating post-challenge (also called after-the-fact) tamper-
ing in its full generality is impossible. In particular, the adversary could simply
overwrite the secret key depending on the bit b that is encrypted in the chal-
lenge ciphertext c∗, and thus gain some advantage in guessing the value of b
by asking additional decryption queries. We refer the reader to [8, Sect. 4.4] for
the detailed attack. The above impossibility result holds even if the adversary
is allowed to make only a single post-challenge tampering query followed by a
single decryption query (with respect to the original secret key). A similar impos-
sibility result is known to hold for the setting of leakage as well, in the sense
that even a single bit of leakage obtained by the adversary in the post-challenge
phase is enough to completely break the security of the PKE scheme. This
is because the adversary can simply encode the decryption function, together with the
challenge ciphertext and the two challenge messages, in the leakage function and
obtain exactly the bit b that the challenger tries to hide.
Halevi and Lin [16] addressed this issue of after-the-fact leakage, and defined
an appropriate security model, namely the split-state leakage model (more on
this below), and showed how to construct semantically-secure PKE scheme under
this restricted security model. This was later extended to handle CCA security
under the same split-state leakage model in [5,23]. However, note that, for the
case of tampering, there are no suitable security notions or definitions to handle
post-challenge tampering. This definitional problem was acknowledged in the
prior works [8,12]. However, no solution to this issue was offered. Indeed it
is mentioned in [12] that “it remains open how to obtain CCA security for
PKE against “after-the-fact” tampering and leakage, where both tampering and
leakage can still occur after the challenge ciphertext is generated”.

1.1 Our Contributions and Techniques

In this work, we study post-challenge/after-the-fact leakage and tampering
attacks in the context of public-key encryption. As discussed above, achiev-
ing resilience to post-challenge tampering attacks in their most general form is
impossible. To this end, we formulate an appropriate security model that avoids
the impossibility result shown in [8], and at the same time enables secure and
efficient construction of PKE schemes in our new model. Our approach to the
solution is modular in nature and is also surprisingly simple. In particular, we
show how to effectively (and in a non-trivial way) combine the appro-
priate works from the domains of leakage- and tamper-resilience to arrive at our
current solution. We discuss this in more detail below.
Split-State Leakage and Tampering Model: We draw the motivation of
our work from that of Halevi and Lin [16]. To take care of after-the-fact leakage,
the authors in [16] considered the split-state leakage model, where the secret
key of the cryptosystem is split into multiple disjoint parts, and the adversary
can observe (arbitrary) bounded leakage from each of these parts, but in an
independent fashion. In order to take care of leakage and tampering jointly, we
consider the split-state leakage and tampering model. Similar to the split-state
leakage model, this model considers the case where the secret key is split
into multiple disjoint parts (in our case only two, and hence optimal) and the
adversary can obtain independent leakages from each of these parts. In addition,
the adversary is also allowed to tamper each of the secret key components/parts
independently. Note that, the split-state tampering model is already a very useful
and widely used model and it captures bit tampering and block-wise tampering
attacks, where the adversary can tamper each bit or each block of the secret key
independently. The split-state tampering model is also well studied in the context
of non-malleable codes [1,10, 11], where similar type of impossibility results hold.
We then proceed to construct our PKE scheme in this model. Lastly, one may
note that, in the post-challenge setting in the context of a PKE scheme, the
adversary may specify a tampering function to be an identity function and get
the challenge ciphertext decrypted under the original secret keys (even in split-
state model), and trivially win the security game. To avoid this, we enforce the
condition that, when the adversary queries the (tampered) decryption oracle
with the challenge ciphertext, the tampered keys need to be different from the
original secret key. In other words, the post-challenge tampering functions must
not be identity functions with respect to the challenge ciphertext1 .
Entropic Restricted Post-challenge IND-CCA-BLT PKE: We first for-
mulate a new notion of entropic restricted post-challenge IND-CCA-BLT-secure
PKE scheme. Our notion can be seen as an entropic version of the notion of
restricted (pre-challenge) IND-CCA-BLT secure PKE of Damgård et al. [8],
augmented with post-challenge leakage and tampering queries. The definition of
restricted IND-CCA-BLT-security [8] says that the adversary is given access to a
restricted (faulty) decryption oracle, i.e., it is allowed to query only valid cipher-
texts to the tampered decryption oracles (as opposed to any arbitrary ciphertexts
as in the full-fledged IND-CCA-BLT security game). Note that, in the definition
of [8], the adversary is allowed to make only pre-challenge leakage and tam-
pering queries. Our notion of entropic restricted post-challenge IND-CCA-BLT
security captures the following intuition: suppose we sample a message M from a
high min-entropy distribution. Given a ciphertext encrypting M, and even given
(bounded) leakage from the secret key and access to a restricted (tampered)
decryption oracle (even if both leakage and tampering happen after observ-
ing the challenge ciphertext), the message M still retains enough min-entropy.
We then show that the cryptosystem of Boneh et al. [4] (referred to as the
BHHO cryptosystem) satisfies our entropic restricted notion. The main idea of
our construction is the leakage-to-tamper reduction for the BHHO cryptosystem
as shown in [8]. Note that using leakage to simulate tampering is non-trivial,
since for each tampered secret key the adversary can make polynomially many
(tampered) decryption oracle queries. Hence the amount of key-dependent infor-
mation that the adversary receives cannot be simulated by a small amount of
(bounded) leakage. However, as shown in [8], in the case of the BHHO cryptosystem,
for each (pre-challenge) tampering query it is possible to simulate polynomially
many decryption queries under it by leaking just a single group element, thus
reducing tampering to leakage. We use similar ideas and show that the BHHO
cryptosystem with appropriate parameters satisfies our entropic restricted notion
of security, even if leakage and tampering are allowed in the post-challenge phase.
We note that the work of Faonio and Venturi [12] gives a comparatively efficient
construction of an IND-CCA-BLT secure PKE scheme compared to the work of
Damgård et al. [8]. Both constructions rely on a projective almost-universal
hash-proof system (HPS) as a common building block, and we observe that, on
a high level, our entropic post-challenge BLT security relies on the statistical
soundness property of the HPS. However, we choose to start with the construc-
tion of Damgård et al. [8] due to its simplicity.

1
However, note that the tampering functions may be identity functions with respect
to ciphertexts c ≠ c∗, where c∗ is the challenge ciphertext. This also emulates access
to the (original) decryption oracle for the adversary.
Entropic Post-challenge IND-CCA-BLT PKE: Next, we show how
to upgrade the entropic restricted post-challenge IND-CCA-BLT security to
entropic post-challenge IND-CCA-BLT security. In the entropic notion, the
adversary can query arbitrary ciphertexts to the (tampered) decryption oracles,
as opposed to the entropic restricted notion, where the adversary can only query
well-formed (valid) ciphertexts to the oracle. The adversary also has access to the
normal (non-tampered) decryption oracle Dec(sk, ·) both in the pre- and post-
challenge phase as in the IND-CCA security game. The transformation follows
the classical paradigm of converting a CPA-secure PKE to a CCA-secure one by
appending to the ciphertext a zero knowledge argument proving the knowledge of
the plaintext. Similar transformation was shown in [8] for converting a restricted
IND-CCA-BLT secure PKE scheme to a full fledged IND-CCA-BLT secure PKE
scheme in the context of pre-challenge leakage and tampering. We observe that
the same transformation goes through in the context of post-challenge leakage
and tampering as well, and also when the PKE scheme is entropic.
Upgrading to Full Fledged (Non-entropic) Security: We then show how
to compile such an entropic post-challenge IND-CCA-BLT secure PKE scheme
to a full-fledged post-challenge IND-CCA-BLT secure PKE scheme. For this, we
resort to our split-state leakage and tampering restriction2. On a high level, our
construction bears similarity to the construction of [16], although the PKE
scheme of [16] was only proven to be CPA secure against leakage attacks. We
appropriately modify their construction to prove our scheme CCA-secure
and resilient to joint leakage and tampering attacks. To make the construction
more modular, we first show how to construct a post-challenge IND-CCA-BLT
secure key encapsulation mechanism (KEM) and later show how to compile it
to a full-fledged PKE scheme.
On a high level, to generate an encapsulated symmetric key, we generate a
key pair (vk, sk) of a strong one-time signature (OTS) scheme. We then use
two instances of the entropic scheme to encrypt two random strings x1 and
x2 independently, with the verification key vk as the label/tag to generate two
ciphertexts c1 and c2 respectively. The ciphertext c = (c1 , c2 ) is then signed using
the OTS scheme to generate a signature, say, σ. Finally, we apply a seedless
2-source extractor to both x1 and x2 to generate the encapsulated key. We then
output the final ciphertext c = (vk, c1 , c2 , σ). On a high level, the security of the
entropic scheme guarantees that both the strings x1 and x2 still retain enough
average min-entropy even after chosen-ciphertext leakage and tampering attacks
(even in the post-challenge phase). In addition, the split-state model ensures that
the strings are independent. At this point, we can use an average-case seedless
2-source extractor to extract a random encapsulation key from both the strings.
The trick of generating a key pair of an OTS and setting the verification key
vk as a tag/label while encrypting, ensures that, a tag cannot be re-used by
an adversary in a decryption or tampering query, hence preventing “mix-and-
match” attacks (In fact, to re-use that tag, the adversary essentially has to forge
a signature under vk).
Compiling to a Post-challenge IND-CCA-BLT PKE: Finally, we show
how to construct an IND-CCA-BLT secure PKE from an IND-CCA-BLT secure
KEM as above. One natural idea to achieve this is to use standard hybrid encryp-
tion technique, where a symmetric-key encryption (SKE) scheme is used to
encrypt the message using the derived encapsulation key. However, we point
out that, unlike in standard PKE or even in leakage-resilient PKE settings, this
transformation needs a more careful analysis in the context of tampering. This
is because the adversary can also ask decryption queries with respect to the
tampered keys, and the security of the challenge ciphertext should hold even
given these tampered decryption oracle responses. This is not directly guar-
anteed by standard hybrid encryption paradigm. However, we leverage on the
security guarantee of our KEM scheme and show that it is indeed possible to
argue the above security. In particular, our KEM scheme guarantees that the
average min-entropy of the challenge KEM key $K^*$ is negligibly close to a uniform
distribution over the KEM key space, even given many tampered keys
$\tilde{K} = (\tilde{K}_1, \cdots, \tilde{K}_t)$. So, in the hybrid, we can replace the key $K^*$ with a uniform
random key. This implies that, with very high probability, $K^*$ is independent
Footnote 2: For our construction the secret key is split into only two parts/splits, which is
optimal.
Public Key Encryption Resilient to Post-challenge Leakage 29

of the tampered key distribution, and hence any function of the tampered keys
(in particular decryption function). We can then rely on the (standard) CCA
security of the SKE to argue indistinguishability of the challenge messages.
Finally, combining all the above ideas together, we obtain the full construction
of a post-challenge IND-CCA-BLT secure PKE scheme, thus solving the open
problem posed by Faonio and Venturi [12] (Asiacrypt 2016).
Lastly, we note that it is instructive to compare our approach of constructing
post-challenge leakage and tamper-resilient PKE with that of Liu
and Lysyanskaya [19]. We observe that the framework of [19], instantiated with a
non-malleable extractor, would already produce a scheme with security against
post-challenge tampering. However, their model is not comparable with ours
in the following sense. In particular, the framework of [19] considers securing
any (deterministic) cryptographic functionality against leakage and tampering
attacks, where the leakage and tampering functions apply only on the memory
of the device implementing the functionality, and not on its computation. This
is because the construction of [19] relies on a (computationally secure) leakage-
resilient non-malleable code, which allow only leakage and tampering on the
memory of the device. However, in our model, we allow the adversary to leak from
the memory and also allow to tamper with the internal computations (modeled
by giving the adversary access to tampered decryption oracles). In this sense,
our model is more general, as it also considers tampering with the computation.
However, a significant feature of the framework of [19] is that, it considers the
model of continual leakage and tampering (in split-state), whereas our model
considers bounded leakage and tampering (as in [8]) in split-state.

1.2 Organization
The rest of the paper is organized as follows. In Sect. 2, we provide the nec-
essary preliminaries required for our constructions. In Sect. 3, we give our def-
inition of entropic post-challenge IND-CCA-BLT secure PKE schemes and its
restricted notion. In Sect. 3.2, we show our construction of entropic restricted
post-challenge IND-CCA-BLT secure PKE and show the transformation from
the entropic restricted notion to the entropic notion in Sect. 3.3. In Sect. 4, we
present the security definition of post-challenge IND-CCA-BLT secure KEM
scheme and show a generic compiler from entropic post-challenge IND-CCA-
BLT secure PKE scheme to a post-challenge IND-CCA-BLT secure PKE scheme
in the standard model. Section 5 shows the generic transformation from such
a KEM scheme to a full fledged IND-CCA-BLT secure PKE scheme secure
against post-challenge leakage and tampering attacks. Finally Sect. 6 concludes
the paper.

2 Preliminaries
2.1 Notations
For $n \in \mathbb{N}$, we write $[n] = \{1, 2, \cdots, n\}$. If $x$ is a string, we denote by $|x|$ the
length of $x$. For a set $\mathcal{X}$, we write $x \xleftarrow{\$} \mathcal{X}$ to denote that element $x$ is chosen
uniformly at random from $\mathcal{X}$. For a distribution or random variable $X$, we denote
by $x \leftarrow X$ the action of sampling an element $x$ according to $X$. When $A$ is an
algorithm, we write y ← A(x) to denote a run of A on input x and output y;
if A is randomized, then y is a random variable and A(x; r) denotes a run of A
on input x and randomness r. An algorithm A is probabilistic polynomial-time
(PPT) if A is randomized and for any input x, r ∈ {0, 1}∗ ; the computation of
A(x; r) terminates in at most poly(|x|) steps. For a set S, we let US denote the
uniform distribution over S. For an integer α ∈ N, let Uα denote the uniform
distribution over {0, 1}α , the bit strings of length α. Throughout this paper, we
denote the security parameter by κ. Vectors are written in boldface. Given a
vector x = {x1 , · · · , xn }, and some integer a, we write ax to denote the vector
$(ax_1, \cdots, ax_n)$. Let $D_1$ and $D_2$ be two distributions on a finite set $S$. We denote
by $\|D_1 - D_2\|$ the statistical distance between them. For random variables $X, Y$,
we denote the min-entropy (conditional min-entropy) of $X$ as $H_\infty(X)$ ($\tilde{H}_\infty(X \mid Y)$)
respectively. We assume that the reader is familiar with the results related to
(conditional) min-entropy, and we refer to the full version of our paper [6]
for these definitions. We denote a distribution supported on $\{0, 1\}^n$ with min-
entropy $k$ to be an $(n, k)$-source.

2.2 Two Source Extractors

In this section, we give an overview of two-source extractors [7, 21, 22] and their
generalization, which will be required for our work.

Definition 1 (Seedless 2-source Extractor). A function $\mathsf{Ext2} : \{0, 1\}^n \times
\{0, 1\}^n \to \{0, 1\}^m$ is a seedless 2-source extractor at min-entropy $k$ and error $\varepsilon$
if it satisfies the following property: If $X$ and $Y$ are independent $(n, k)$-sources, it
holds that $\|\mathsf{Ext2}(X, Y) - U_m\| < \varepsilon$, where $U_m$ refers to a uniform $m$-bit string.

Definition 2 (Average-case Seedless 2-source Extractor). A function
$\mathsf{Ext2} : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}^m$ is an average-case seedless 2-source extractor
at min-entropy $k$ and error $\varepsilon$ if it satisfies the following property: for all random
variables $X, Y \in \{0, 1\}^n$ and $Z$ such that, conditioned on $Z$, $X$ and $Y$ are
independent $(n, k)$-sources, it holds that $\|(\mathsf{Ext2}(X, Y), Z) - (U_m, Z)\| < \varepsilon$.

Lemma 1 [16]. For any $\delta > 0$, if $\mathsf{Ext2} : \{0, 1\}^n \times \{0, 1\}^n \to \{0, 1\}^m$ is a (worst-
case) $(k - \log\frac{1}{\delta}, \varepsilon)$-2-source extractor, then $\mathsf{Ext2}$ is an average-case $(k, \varepsilon + 2\delta)$-
2-source extractor.

2.3 True Simulation Extractable Non-interactive Zero Knowledge Argument System

In our construction, we require the notion of (same-string) true-simulation
extractable non-interactive zero knowledge argument system (tSE-NIZK) first
introduced in [9] and also its extension to support labels/tags. This notion is
similar to the notion of simulation-sound extractable NIZKs [14] with the differ-
ence that the adversary has oracle access to simulated proofs only for true state-
ments, in contrast to any arbitrary statement as in simulation-sound extractable
NIZK argument system. In particular, we require the standard properties of
completeness, soundness and composable zero-knowledge. Additionally, we also
require the existence of another PPT extractor Ext which extracts a valid witness
from any proof produced by a malicious prover P ∗ , even if P ∗ has previously
seen some simulated proofs for true statements. We refer the reader to the full
version of our paper [6] for the formal definition of tSE-NIZK. For our purpose,
it is sufficient to rely on the (weaker) notion of one-time strong true simulation
extractability, where the adversary can query the simulation oracle $\mathsf{SIM}_{tk}(\cdot)$
only once. Dodis et al. [9] showed how to generically construct tSE-NIZK argu-
ment systems supporting labels starting from any (labeled) CCA-secure PKE
scheme and a (standard) NIZK argument system.

3 Entropic Post-challenge IND-CCA-BLT Secure PKE

In this section, we introduce the definition of entropic post-challenge IND-
CCA-secure PKE resilient to both pre- and post-challenge bounded leakage and
tampering (BLT) attacks. In Sect. 3.1, we define a relaxation of our entropic
notion, which we call entropic restricted post-challenge IND-CCA BLT secure
PKE. We show that a variant of the cryptosystem of Boneh et al. [4] with
appropriate parameters, satisfies our entropic restricted notion of security (see
Sect. 3.2). Finally, in Sect. 3.3, we show a generic transformation from our
entropic restricted notion to the full-fledged entropic post-challenge IND-CCA-
BLT secure PKE scheme. Before defining these notions, we explain the working
of the leakage oracle and the tampering oracle.
The Leakage Oracle. In order to model key leakage attacks, we assume that
the adversary may access a leakage oracle $\mathcal{O}^{\lambda}_{sk}(\cdot)$, subject to some restrictions.
The adversary can query this oracle with arbitrary efficiently computable (poly-
time) leakage functions f and receive f (sk) in response, where sk denotes the
secret key. The restriction is that the output length of f must be less than
|sk|. Specifically, following the works of [2, 9], we require the output length of
the leakage function f to be at most λ bits, which means the entropy loss of
sk is at most λ bits upon observing f (sk). Formally, we define the bounded
leakage function family Fbbd (κ). The family Fbbd (κ) is defined as the class of all
polynomial-time computable functions: f : {0, 1}|sk| → {0, 1}λ , where λ < |sk|.
We then require that the leakage function submitted by the adversary should
satisfy that f ∈ Fbbd (κ).
The Tampering Oracle. To model related key attacks, the adversary is given
access to a tampering oracle. Let TSK denote the class of functions from SK to
SK, where SK is the secret key space. The adversary may query the tampering
oracle with arbitrary functions of its choice from TSK and the number of such
queries is bounded (say $t \in \mathbb{N}$). In the $i$th tampering query ($i \in [t]$), the adversary
chooses a function $T_i \in \mathcal{T}_{SK}$ and gets access to the (tampered) decryption oracle
$\mathsf{Dec}(\widetilde{sk}_i, \cdot)$, where $\widetilde{sk}_i = T_i(sk)$. The adversary may ask polynomially many
decryption queries with respect to the tampered secret key $\widetilde{sk}_i$. In other words,
the adversary gets access to information through decryption oracle executed on
keys related to the original secret key, where the relations are induced by the
tampering functions. If the encryption scheme supports labels, i.e., it is a labeled
encryption scheme, the adversary gets access to the (tampered) decryption oracle
$\mathsf{Dec}(\widetilde{sk}_i, \cdot, \cdot)$, where the third coordinate is a placeholder for labels. Also,
the adversary gets access to the (tampered) decryption oracle both in the pre-
and post-challenge phases. Another (obvious) restriction that is imposed on the
tampering functions is that: In the post-challenge phase, when the adversary
gets access to the (tampered) decryption oracles with respect to the challenge
ciphertext $c^*$, it should be the case that $T_i(sk) \neq sk$, i.e., the post-challenge tam-
pering functions $T_i$ should not be identity functions with respect to the challenge
ciphertext (footnote 3).

Definition 3 (Entropic Post-challenge IND-CCA-BLT Secure PKE).
Our definition of entropic post-challenge IND-CCA-BLT secure PKE can be seen
as an entropic version of the notion of IND-CCA-BLT secure PKE introduced in
[8], augmented with post challenge leakage and tampering queries. Informally,
our definition captures the intuition that if we start with a message M with
high min-entropy, the message M still looks random to an adversary who gets
to see the ciphertext, some leakage information (even if this leakage happens
after observing the ciphertext), and access to the tampering oracle (both in pre-
and post-challenge phase) as defined above.
Formally, we define two games: a “real” game and a “simulated” game. For
simplicity, we assume the message is chosen from $U_k$, i.e., the uniform distribution
over $k$-bit strings. In general, it can be chosen from any arbitrary distribution as
long as the message has min-entropy k. Let (λpre , λpost ) and (tpre , tpost ) denote
the leakage bounds and the number of tampering queries allowed in the pre- and
post-challenge phases respectively.
The “real” game. Given the parameters $k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})$ and
a labeled encryption scheme E-BLT = (E-BLT.SetUp, E-BLT.Gen, E-BLT.Enc,
E-BLT.Dec), the real game is defined as follows:
0. Sampling: The challenger chooses a random message $m \xleftarrow{\$} U_k$.
1. SetUp: The challenger runs params ← E-BLT.SetUp(1κ ) and sends params
to the adversary A. The public parameters params are taken as (implicit)
input by all other algorithms.
2. Key Generation: The challenger chooses (sk, pk) ← E-BLT.Gen(params)
and sends pk to A. Set Lpre = Lpost = 0.

Footnote 3: When $T_i(sk) = sk$, and the adversary gets access to the tampering oracle with
respect to $c^*$, it is emulating the scenario when it gets decryption oracle access with
respect to $sk$ on $c^*$, which is anyway disallowed in the IND-CCA-2 security game.
3. Pre-challenge Leakage: In this phase, the adversary A makes a pre-
challenge leakage query, specifying a function $f_{pre}(\cdot)$. If $L_{pre} + |f_{pre}(sk)| \le \lambda_{pre}$,
then the challenger replies with fpre (sk), and sets Lpre = Lpre +|fpre (sk)|. Oth-
erwise, it ignores this query.
4. Pre-challenge Tampering queries: The adversary A may adaptively ask
at most tpre number of pre-challenge tampering queries. In the ith tampering
query ($i \in [t_{pre}]$), the adversary chooses $T_i \in \mathcal{T}_{SK}$, and gets access to the
decryption oracle E-BLT.Dec$(\widetilde{sk}_\theta, \cdot, \cdot)$ (footnote 4) (where $1 \le \theta \le i$). In other words, the
decryption oracle may be queried with any of the tampered keys obtained till
this point. We assume that the total number of decryption oracle queries is
$q(k)$, for some polynomial $q(k)$. Note that, when $T_\theta(sk) = sk$, A gets access
to the (normal) decryption oracle.
5. Challenge: In this phase, the adversary submits a label (as a bit-string) L∗ .
The challenger encrypts the message m chosen at the beginning of the game
as c∗ ← E-BLT.Enc(pk, m, L∗ ) and sends c∗ to A.
6. Post-challenge Leakage: In this phase, the adversary A makes a post-
challenge leakage query, specifying a function fpost (.). If Lpost + |fpost (sk)| ≤
λpost , then the challenger replies with fpost (sk), and sets Lpost = Lpost +
|fpost (sk)|. Otherwise, it ignores this query.
7. Post-challenge Tampering queries: The adversary A may adaptively ask
$t_{post}$ post-challenge tampering queries. In the $j$th tampering query
($j \in [t_{post}]$), the adversary chooses $T_j \in \mathcal{T}_{SK}$, and gets access to the decryption
oracle E-BLT.Dec$(\widetilde{sk}_\rho, \cdot, \cdot)$ ($1 \le \rho \le j$). We assume that the total number of
decryption oracle queries is $q'(k)$, for some polynomial $q'(k)$. However, here
we impose the restriction that A is not allowed to query the pair $(c^*, L^*)$ to
the (tampered) decryption oracle(s) E-BLT.Dec$(\widetilde{sk}_\rho, \cdot, \cdot)$.

Note that all these queries can be made arbitrarily and adaptively in nature.
We denote the message $m$ chosen at the onset of this game as $M^{rl}$ to empha-
size that it is used in the real game. Let the sets $Q_{pre}$ and $Q_{post}$ contain
the tuples of the form
$\{(\tilde{m}_{i_1}, (c_{i_1}, L_{i_1})), \cdots, (\tilde{m}_{i_{q(\kappa)}}, (c_{i_{q(\kappa)}}, L_{i_{q(\kappa)}}))\}_{i=1}^{t_{pre}}$ and
$\{(\tilde{m}_{j_1}, (c_{j_1}, L_{j_1})), \cdots, (\tilde{m}_{j_{q'(\kappa)}}, (c_{j_{q'(\kappa)}}, L_{j_{q'(\kappa)}}))\}_{j=1}^{t_{post}}$ respectively, for some poly-
nomials $q(\kappa)$ and $q'(\kappa)$. Let $\mathsf{L}_{pre}$ and $\mathsf{L}_{post}$ be the random variables correspond-
ing to the pre- and post-challenge leakages. We define the view of the adversary
A in the real game as $\mathsf{View}^{rl}_{\mathsf{E\text{-}BLT},A}(\kappa) = (rand, \mathsf{L}_{pre}, Q_{pre}, c^*, \mathsf{L}_{post}, Q_{post})$, where
$rand$ denotes the random coins used by the adversary in the game. Finally, we
denote by $(M^{rl}, \mathsf{View}^{rl}_{\mathsf{E\text{-}BLT},A})$ the joint distribution of the message $M^{rl}$ and A’s
view in a real game with $M^{rl}$.
The “simulated” game: In the simulated game, we replace the challenger
from above by a simulator Simu that interacts with A in any way that it sees fit.

Footnote 4: Recall when we write $\mathsf{Dec}(\widetilde{sk}_\theta, \cdot, \cdot)$, the second coordinate is the placeholder for
ciphertexts input by the adversary; whereas the third coordinate is the placeholder
for labels.
Simu gets a uniformly chosen message $M^{sm}$ as input and it has to simulate the
interaction with A conditioned on $M^{sm}$. We denote the view of the adversary
in the simulated game by
$\mathsf{View}^{sm}_{\mathsf{Simu},A}(\kappa) = (rand^{sm}, \mathsf{L}^{sm}_{pre}, Q^{sm}_{pre}, c^{sm}, \mathsf{L}^{sm}_{post}, Q^{sm}_{post})$.

Now, we define what it means for the encryption scheme ER-BLT to be entropic
restricted post-challenge (bounded) leakage and tamper-resilient.

Definition 4 (Entropic restricted post-challenge IND-CCA-BLT security).
Let $k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})$ be parameters as stated above, and let $\mathcal{T}_{SK}$ be
the family of allowable tampering functions. A public key encryption scheme is
said to be entropic restricted post-challenge IND-CCA-BLT secure with respect
to all these parameters if there exists a simulator Simu, such that, for every PPT
adversary A the following two conditions hold:

1. $(M^{rl}, \mathsf{View}^{rl}_{\mathsf{E\text{-}BLT},A}(\kappa)) \approx_c (M^{sm}, \mathsf{View}^{sm}_{\mathsf{Simu},A}(\kappa))$, i.e., the above two ensembles
(indexed by the security parameter) are computationally indistinguishable.
2. The average min-entropy of the message $M^{sm}$ given $\mathsf{View}^{sm}_{\mathsf{Simu},A}(\kappa)$ is

$\tilde{H}_\infty(M^{sm} \mid \mathsf{View}^{sm}_{\mathsf{Simu},A}(\kappa)) \ge k - \lambda_{post} - \mathcal{F}(t_{post}),$

where $\mathcal{F}(t_{post})$ denotes the entropy loss due to post-challenge tampering queries,
and the tampering functions come from the class $\mathcal{T}_{SK}$ (footnote 5).

Intuitively, even after the adversary sees the encryption of the message, pre-
and post-challenge leakages and the output of the (tampered) decryption oracle
both in the pre- and post-challenge phase, the message M sm still retains its initial
entropy, except for the entropy loss due to post-challenge leakage and tampering.

3.1 Entropic Restricted Post-challenge IND-CCA-BLT Secure PKE

We now define the notion of entropic restricted post-challenge IND-CCA-BLT
secure PKE (denoted by ER-BLT), which is a relaxation of the notion of the
entropic post-challenge IND-CCA-BLT secure PKE. The difference between the
two notions is with respect to the working of (tampered) decryption oracle, as
defined in the real game in Definition 3. In particular, in our entropic restricted
notion of security, the adversary cannot make pre- and post-challenge decryption
queries with respect to the original secret key (unlike the entropic notion in
Sect. 3) and working of the (tampered) decryption oracle is modified as follows:
Modified Decryption Oracle: In the restricted post-challenge IND-CCA-
BLT security game, the adversary is not given full access to the tampering
oracle. Instead, the adversary is allowed to see the output of the (tampered)
decryption oracle for only those ciphertexts c, for which he already knows
the plaintext $m$ and the randomness $r$ used to encrypt it (using the original
public key). This restricts the power of the adversary to submit only “well-
formed” ciphertexts to the tampering oracle. In particular, in the $i$th tampering
query the adversary chooses a function $T_i \in \mathcal{T}_{SK}$ and gets access to a (modi-
fied) decryption oracle ER-BLT.Dec$^*(\widetilde{sk}_i, \cdot, \cdot)$, where $\widetilde{sk}_i = T_i(sk)$. This oracle
answers polynomially many queries of the following form: Upon input a pair
$(m, r) \in \mathcal{M} \times \mathcal{R}$ (where $\mathcal{M}$ and $\mathcal{R}$ are the message space and randomness
space of the PKE respectively), compute $c \leftarrow$ ER-BLT.Enc$(pk, m; r)$ and output
a plaintext $\tilde{m} =$ ER-BLT.Dec$(\widetilde{sk}_i, c)$ under the current tampered key.

Footnote 5: In our construction, we will show that $\mathcal{F}(t_{post}) = t_{post} \log p$, i.e., for each post-
challenge tampering query we have to leak only one element of the base group
G of prime order $p$. This single element is sufficient to simulate polynomially many
(modified) decryption queries with respect to each tampering query.
The real and simulated game for the above entropic restricted post-challenge
IND-CCA-BLT game, apart from the above restrictions, is identical to the real
and simulated games of the entropic post-challenge IND-CCA-BLT secure PKE
as defined in Definition 3. In particular, using the same notations from Defini-
tion 3, we denote the view of the adversary in the entropic restricted game as
$\mathsf{View}^{rl}_{\mathsf{ER\text{-}BLT},A}(\kappa) = (rand, \mathsf{L}_{pre}, Q_{pre}, c^*, \mathsf{L}_{post}, Q_{post})$, where $Q_{pre}$ and $Q_{post}$ contain
answers to the (tampered) decryption oracle queries as described above with
respect to the tampered secret keys.

3.2 Construction of Entropic Restricted Post-challenge IND-CCA-BLT Secure PKE

In this section, we show how to construct a CCA-2 secure entropic restricted
post-challenge PKE secure against bounded leakage and tampering (BLT)
attacks. We show that a variant of the encryption scheme proposed by Boneh
et al. (referred to as BHHO cryptosystem from herein) [4] is entropic restricted
post-challenge IND-CCA-BLT secure. It was shown in [8] that the (modified)
BHHO cryptosystem is a restricted (pre-challenge) IND-CCA-BLT secure PKE.
However, we observe that the same variant of the BHHO cryptosystem with the
parameters appropriately modified satisfies our new notion of entropic security,
even when the adversary is given post-challenge leakage and access to (restricted)
tampering oracle (even in the post-challenge phase).
– ER-BLT.SetUp$(1^\kappa)$: Choose a group G of prime order $p$ with generator $g$. Set
params := (G, $g$, $p$). All the algorithms take params as implicit input.
– ER-BLT.Gen(params): Sample random vectors $\mathbf{x}, \boldsymbol{\alpha} \in \mathbb{Z}_p^{\ell}$; compute $g^{\boldsymbol{\alpha}} =
(g_1, \cdots, g_\ell)$, and $h = \prod_{i=1}^{\ell} g_i^{x_i}$. Set sk := $\mathbf{x} = (x_1, \cdots, x_\ell)$ and pk := $(h, g^{\boldsymbol{\alpha}})$.
– ER-BLT.Enc(pk, $m$): Sample $r \leftarrow \mathbb{Z}_p$, and return $c := (g_1^r, \cdots, g_\ell^r, h^r \cdot m)$.
– ER-BLT.Dec(sk, $c$): Parse $c$ as $(c_1, \cdots, c_\ell, d)$ and sk as $(x_1, \cdots, x_\ell)$, and out-
put $m \leftarrow d / \prod_{i=1}^{\ell} (g_i^r)^{x_i}$.
It is easy to verify the correctness of the above cryptosystem.
Theorem 1. Let $\kappa \in \mathbb{N}$ be the security parameter, and assume that the DDH
assumption holds in group G. The BHHO cryptosystem is entropic restricted
post-challenge IND-CCA-$\big(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})\big)$-BLT secure, where

$\lambda_{pre} + \lambda_{post} \le (\ell - 2 - t_{pre} - t_{post}) \log p - \omega(\log \kappa)$ and $(t_{pre} + t_{post}) \le \ell - 3$.
Proof. Before proceeding with the proof of the above theorem, we prove a lemma
(Lemma 2) that essentially shows that the BHHO cryptosystem is entropic
leakage-resilient with respect to pre- and post-challenge leakage, i.e., it satisfies
the notion of entropic restricted post-challenge IND-CCA-$\big(k, (\lambda_{pre}, \lambda_{post}), (0, 0)\big)$-
BLT security (the adversary has no access to the tampering oracle), for appropriate
choice of parameters. We then prove the above theorem by using Lemma 2
and showing a leakage to tamper reduction to take care of pre- and post-challenge
tampering queries.
Lemma 2. The BHHO cryptosystem described above is entropic restricted post-
challenge IND-CCA-$\big(k, (\lambda_{pre}, \lambda_{post}), (0, 0)\big)$-BLT secure, where

$\lambda_{pre} + \lambda_{post} \le (\ell - 2) \log p - \omega(\log \kappa).$

Proof. To prove Lemma 2 we need to describe a simulator, whose answers to
the adversary are indistinguishable from the real game, and at the same time
leave enough min-entropy in the message m. The main idea of the proof follows
from the observation that the BHHO cryptosystem can be viewed as a hash
proof system (HPS) (see [6] for the definition of HPS), with DDH-like tuples as
valid ciphertexts, and non-DDH tuples as invalid ciphertexts. In the real game,
the challenger samples a valid ciphertext (along with a witness) and proceeds
as in the original construction, whereas in the simulated game a random invalid
ciphertext is sampled. The indistinguishability of the real and simulated games
is implied by the subset membership problem. The left-over hash lemma then
guarantees uniformity of the challenge message. For details of the proof, please
refer to the full version of our paper [6].
We now proceed to prove our main theorem. Let us assume that there exists
an adversary A that breaks the entropic restricted post-challenge IND-CCA-
$\big(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})\big)$-BLT security with non-negligible advantage. We con-
struct an adversary $\tilde{A}$ against the entropic restricted post-challenge IND-CCA-
$\big(k, (\lambda_{pre}, \lambda_{post}), (0, 0)\big)$-BLT security, with the same advantage. The main idea
behind this proof is leakage to tamper reduction. For each tampering query made
by the adversary, the reduction simply leaks a single group element from Zp , and
simulates polynomially many decryption queries under that tampered key using
the leaked element. Hence, the reduction has to leak (tpre + tpost ) log p bits in all.
We appropriately set the parameters of BHHO to ensure that the message still
has enough min-entropy, even given the responses of the tampering oracle. We
refer the reader to the full version [6] for the detailed proof.
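A toy instantiation of the BHHO cryptosystem above, with the modified oracle Dec* of Sect. 3.1 and the one-element-per-tampering-query observation of footnote 5, as an added example that is not the paper's code. It assumes a constructed toy group (the quadratic residues modulo the safe prime 1019, order 509, generator 4), ℓ = 5, and a hypothetical tampering function T(x) = (x_1 + 1, x_2, ..., x_ℓ); the names `dec_star`, `tamper_leak` and `simulate_dec_star` are this example's own.

```python
# Added example (not the paper's code): a toy instance of the BHHO
# cryptosystem of Sect. 3.2, the modified oracle Dec* of Sect. 3.1, and the
# "one group element per tampering query" observation of footnote 5 that
# underlies the leakage-to-tamper reduction in the proof of Theorem 1.
import secrets

# Constructed toy parameters: q = 1019 is a safe prime (q = 2p + 1, p = 509),
# so the quadratic residues mod q form a group G of prime order p generated
# by g = 4. Far too small for real use; chosen so the demo runs instantly.
Q, P, G = 1019, 509, 4
ELL = 5   # vector length ell of the BHHO keys (assumed for the demo)


def setup():
    """ER-BLT.SetUp: params = (G, g, p); G is represented by its modulus q."""
    return {"q": Q, "p": P, "g": G, "ell": ELL}


def gen(params):
    """ER-BLT.Gen: sk = x in Z_p^ell, pk = (h, g^alpha) with h = prod g_i^{x_i}."""
    q, p, g, ell = params["q"], params["p"], params["g"], params["ell"]
    x = [secrets.randbelow(p) for _ in range(ell)]
    # alpha_i drawn from 1..p-1 (demo choice) so that no g_i equals 1
    alpha = [1 + secrets.randbelow(p - 1) for _ in range(ell)]
    g_alpha = [pow(g, a, q) for a in alpha]
    h = 1
    for gi, xi in zip(g_alpha, x):
        h = h * pow(gi, xi, q) % q
    return (h, g_alpha), x


def enc(params, pk, m, r=None):
    """ER-BLT.Enc: c = (g_1^r, ..., g_ell^r, h^r * m); m is an element of G."""
    q, p = params["q"], params["p"]
    h, g_alpha = pk
    if r is None:
        r = secrets.randbelow(p)
    return tuple(pow(gi, r, q) for gi in g_alpha) + (pow(h, r, q) * m % q,)


def dec(params, sk, c):
    """ER-BLT.Dec: m = d / prod (g_i^r)^{x_i}, using the c_i = g_i^r from c."""
    q = params["q"]
    *cs, d = c
    denom = 1
    for ci, xi in zip(cs, sk):
        denom = denom * pow(ci, xi, q) % q
    return d * pow(denom, -1, q) % q


def dec_star(params, pk, tampered_sk, m, r):
    """Modified oracle Dec*(T_i(sk), ., .) of Sect. 3.1: the adversary supplies
    (m, r); the oracle re-encrypts under the honest pk and decrypts under the
    tampered key, returning m~ = Dec(T_i(sk), Enc(pk, m; r))."""
    return dec(params, tampered_sk, enc(params, pk, m, r))


def tamper_leak(params, pk, tampered_sk):
    """The single group element a reduction needs per tampering query:
    delta = h / h~ with h~ = prod g_i^{x~_i}, the 'public key' of T(sk).
    Since Dec*(T(sk), (m, r)) = m * h^r / h~^r = m * delta^r, leaking delta
    (log p bits about sk) answers polynomially many Dec* queries."""
    q = params["q"]
    h, g_alpha = pk
    h_t = 1
    for gi, xi in zip(g_alpha, tampered_sk):
        h_t = h_t * pow(gi, xi, q) % q
    return h * pow(h_t, -1, q) % q


def simulate_dec_star(params, delta, m, r):
    """Answer a Dec* query from the leaked element delta alone."""
    return m * pow(delta, r, params["q"]) % params["q"]


def group_element(params, k):
    """Encode an exponent k as the group element g^k (messages live in G)."""
    return pow(params["g"], k, params["q"])


if __name__ == "__main__":
    params = setup()
    pk, sk = gen(params)
    m = group_element(params, 42)
    assert dec(params, sk, enc(params, pk, m)) == m
    # hypothetical tampering query T(x) = (x_1 + 1, x_2, ..., x_ell); it is
    # not the identity, as Sect. 3 requires for post-challenge queries
    sk_t = [(sk[0] + 1) % params["p"]] + sk[1:]
    delta = tamper_leak(params, pk, sk_t)
    for r in (3, 77, 500):
        assert dec_star(params, pk, sk_t, m, r) == simulate_dec_star(params, delta, m, r)
    print("Dec* answers under the tampered key reproduced from one leaked element")
```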

3.3 The General Transformation

In this section, we show a general transformation from an entropic-restricted
post-challenge IND-CCA-BLT secure PKE to an entropic post-challenge IND-
CCA-BLT secure PKE scheme (see Fig. 1). Let ER-BLT = (ER-BLT.SetUp,
ER-BLT.Gen, ER-BLT.Enc, ER-BLT.Dec) be an entropic restricted post-challenge
IND-CCA-$\big(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})\big)$-BLT secure PKE scheme, and let
Π = (Gen, P, V) be a one-time strong tSE-NIZK argument system supporting
labels for the following relation:

$\mathcal{R}_{\mathsf{ER\text{-}BLT}} = \{((m, r), (pk, c)) \mid c = \mathsf{ER\text{-}BLT.Enc}(pk, m; r)\}$

Let E-BLT = (E-BLT.SetUp$'$, E-BLT.Gen$'$, E-BLT.Enc$'$, E-BLT.Dec$'$) be an entropic
post-challenge IND-CCA-BLT secure PKE.

Theorem 2. Let ER-BLT be an entropic-restricted post-challenge IND-CCA-
$\big(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})\big)$-BLT secure PKE scheme, and let Π be a one-time strong
tSE-NIZK argument system supporting labels for the relation $\mathcal{R}_{\mathsf{ER\text{-}BLT}}$. Then
the above encryption scheme E-BLT is an entropic post-challenge IND-CCA-
$\big(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post})\big)$-BLT secure PKE scheme.

Define the encryption scheme E-BLT as follows:

1. E-BLT.SetUp$'(1^\kappa)$: Obtain params $\leftarrow$ ER-BLT.SetUp$(1^\kappa)$, and sample
$(crs, tk, ek) \leftarrow \mathsf{Gen}(1^\kappa)$. Set params$' :=$ (params, $crs$).
2. E-BLT.Gen$'($params$')$: Obtain $(pk, sk) \leftarrow$ ER-BLT.Gen(params); set $pk' = pk$,
and $sk' = sk$.
3. E-BLT.Enc$'(pk, m, L)$: On input the public key $pk$, a message $m$ and
a label $L$, sample $r \xleftarrow{\$} \mathcal{R}$, and compute $c \leftarrow$ ER-BLT.Enc$(pk, m; r)$, $\pi \leftarrow$
$\mathsf{P}(crs, L, (m, r), (pk, c))$. Output $c' = (c, \pi)$.
4. E-BLT.Dec$'(sk, c', L)$: Parse $c'$ as $c' = (c, \pi)$. Check if $\mathsf{V}(crs, L, (pk, c), \pi) = 1$. If
not, output $\bot$, else output $m =$ ER-BLT.Dec$(sk, c)$.

Fig. 1. Entropic post-challenge IND-CCA-BLT PKE scheme E-BLT

Proof Sketch. We now give an intuitive proof sketch of the above theorem. Infor-
mally, the zero-knowledge argument forces the adversary to submit to the
(tampered) decryption oracle only valid ciphertexts, for which he knows the
corresponding plaintext (and the randomness used to encrypt it). The plaintext-
randomness pair (m, r) (which acts as a witness) can then be extracted using the
extraction trapdoor of the tSE-NIZK argument system, thus allowing to reduce
entropic IND-CCA BLT security to entropic restricted IND-CCA BLT security.
Since the extraction trapdoor is never used in the real encryption scheme, the
adversary neither gets any leakage from it, nor gets to tamper with it. This
essentially makes the (tampered) decryption oracle useless and the adversary
learns no additional information from the decryption oracle access. The proof
also relies on the fact that the CRS is untamperable, a notion that is used in all
the previous works [8,12]. This can be achieved by (say) hard-coding the CRS
in the encryption algorithm. The detailed proof of this theorem can be found in
the full version [6] of our paper.
4 Post-challenge IND-CCA-BLT Secure KEM in Split-State Model

In this section, we present our construction of post-challenge IND-CCA-BLT
secure Key Encapsulation Mechanism (KEM) in the (bounded) split-state leakage
and tampering model. Note that, achieving security against post-challenge
leakage and tampering in its most general form is impossible as already shown
in [8,16,20], even if a single bit of leakage is allowed or the adversary is allowed
to ask even a single tampering query after receiving the challenge ciphertext.
To this end, we resort to the 2-split-state leakage and tampering model. In this
model, the secret key of the KEM scheme is split into two disjoint parts, and
the adversary can ask arbitrary (pre- and post-challenge) leakage and tamper-
ing queries on each of these two parts independently. However, the adversary is
allowed to adaptively ask leakage/tampering functions depending on the answers
of the previous queries. The tampering queries allow the adversary to have access
to the tampered decryption oracle. The adversary also gets access to the (stan-
dard) decryption oracle by specifying the tampering functions to be identity
functions. Finally, the adversary has to guess whether the challenger KEM key
is a randomly sampled key or a real key. Due to space constraints, we refer the
reader to the full version [6] for the formal definition and the security model for
IND-CCA-BLT secure KEM.

4.1 Construction of Post-challenge IND-CCA-BLT Secure KEM

We now show the construction of our post-challenge/after-the-fact IND-CCA-
BLT secure KEM scheme KEM = (KEM.Setup, KEM.Gen, KEM.Encap,
KEM.Decap) (see Fig. 2).
The main ingredients required for our construction are as follows:

– An entropic post-challenge IND-CCA-BLT-secure PKE scheme E-BLT =
(E-BLT.Setup, E-BLT.Gen, E-BLT.Enc, E-BLT.Dec), that encrypts $\nu$-bit messages,
and supports labels. Also, assume that E-BLT is entropic with respect
to parameters (λpre , λpost , tpre , tpost ) (refer to Definition 3).
– A $(\vartheta, \varepsilon)$ average-case (seedless) 2-source extractor $\mathsf{Ext2} : \{0, 1\}^\nu \times \{0, 1\}^\nu \to$
$\{0, 1\}^u$, with $\varepsilon = 2^{-u - \omega(\log \kappa)}$ (see Sect. 2.2 for its definition).
– A strong one-time signature (OTS) scheme SS = (SS.Gen, SS.Sig, SS.Ver),
with message space poly(κ) (see [6] for the definition of OTS).
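The encapsulation and decapsulation flow built from these three ingredients (also sketched in Sect. 1), as an added example that is not the paper's code. All three ingredients are stand-ins constructed here: a Lamport one-time signature over SHA-256 as the OTS, an HMAC-based labelled symmetric scheme in place of E-BLT (it rejects a wrong label but has none of E-BLT's entropic IND-CCA-BLT security), and the inner-product extractor over Z_p as Ext2; the function names and the 32-byte length of x1, x2 are this example's own choices.

```python
# Added example (not the paper's code): the KEM composition of Sect. 4.1 with
# its three ingredients as pluggable parts. All three are stand-ins built
# here: a Lamport one-time signature over SHA-256 as the OTS; an HMAC-based
# labelled symmetric scheme in place of E-BLT (it rejects a wrong label but
# has none of E-BLT's entropic IND-CCA-BLT security); and the inner-product
# extractor over Z_p as the average-case 2-source extractor Ext2.
import hashlib
import hmac
import secrets

P = 2**61 - 1     # prime; Ext2 outputs one element of Z_p (about 61 bits)
NU = 32           # the two encrypted strings x1, x2 are NU bytes each


# --- strong one-time signature: Lamport over the 256 bits of SHA-256(msg) --
def ots_gen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    vk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return vk, sk


def ots_sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]


def ots_verify(vk, msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == vk[i][(h >> i) & 1]
               for i in range(256))


# --- labelled encryption stand-in (NOT an entropic IND-CCA-BLT PKE) ---------
def pke_gen():
    k = secrets.token_bytes(32)
    return k, k       # symmetric stand-in: "pk" and "sk" are the same key


def pke_enc(pk, msg, label):
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(pk + b"pad" + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(msg, pad))
    tag = hmac.new(pk, label + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def pke_dec(sk, c, label):
    nonce, ct, tag = c
    expect = hmac.new(sk, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None   # label mismatch or modified ciphertext: reject
    pad = hashlib.sha256(sk + b"pad" + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


# --- 2-source extractor: inner product over Z_p on four 64-bit coordinates --
def ext2(x1, x2):
    a = [int.from_bytes(x1[i:i + 8], "big") % P for i in range(0, NU, 8)]
    b = [int.from_bytes(x2[i:i + 8], "big") % P for i in range(0, NU, 8)]
    return sum(ai * bi for ai, bi in zip(a, b)) % P


def encode_vk(vk):
    # the serialised verification key is the label/tag of both ciphertexts
    return b"".join(h for pair in vk for h in pair)


# --- the KEM: two split-state key pairs, one per entropic PKE instance ------
def kem_gen():
    pk1, sk1 = pke_gen()
    pk2, sk2 = pke_gen()
    return (pk1, pk2), (sk1, sk2)


def kem_encap(pk):
    pk1, pk2 = pk
    vk, osk = ots_gen()
    label = encode_vk(vk)
    x1, x2 = secrets.token_bytes(NU), secrets.token_bytes(NU)
    c1 = pke_enc(pk1, x1, label)
    c2 = pke_enc(pk2, x2, label)
    sigma = ots_sign(osk, b"".join(c1 + c2))   # signature over (c1, c2)
    return (vk, c1, c2, sigma), ext2(x1, x2)


def kem_decap(sk, ct):
    sk1, sk2 = sk
    vk, c1, c2, sigma = ct
    if not ots_verify(vk, b"".join(c1 + c2), sigma):
        return None   # signature does not cover this (c1, c2): reject
    label = encode_vk(vk)
    x1, x2 = pke_dec(sk1, c1, label), pke_dec(sk2, c2, label)
    if x1 is None or x2 is None:
        return None   # a ciphertext was encrypted under a different vk
    return ext2(x1, x2)


if __name__ == "__main__":
    pk, sk = kem_gen()
    ct, key = kem_encap(pk)
    assert kem_decap(sk, ct) == key
    # Mix-and-match: c1 taken from another encapsulation fails the OTS check,
    # and re-signing (c1, c2) under a fresh vk' fails the label check.
    ct2, _ = kem_encap(pk)
    assert kem_decap(sk, (ct[0], ct2[1], ct[2], ct[3])) is None
    vk3, osk3 = ots_gen()
    sig3 = ots_sign(osk3, b"".join(ct[1] + ct[2]))
    assert kem_decap(sk, (vk3, ct[1], ct[2], sig3)) is None
    print("KEM key recovered; mix-and-match ciphertexts rejected")
```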

Design Rationale: On a high level, to generate an encapsulated symmetric key,
first we generate a key pair (vk, sk) of a one-time signature (OTS) scheme. We
then use an entropic post-challenge IND-CCA-BLT secure PKE scheme (E-BLT)
to encrypt two random strings x1 and x2 independently with the verification
key vk as the label/tag, and generate a signature on both the ciphertexts c1
and c2 . The security of E-BLT guarantees that both the strings x1 and x2 still
have enough average min-entropy after chosen-ciphertext leakage and tampering
XIV. His Own Coin 196
XV. The Fact of the Matter 206

WITCHING HILL
By E. W. Hornung

CONTENTS

CHAPTER I UNHALLOWED GROUND


CHAPTER II THE HOUSE WITH RED BLINDS
CHAPTER III A VICIOUS CIRCLE
CHAPTER IV THE LOCAL COLOUR
CHAPTER V THE ANGEL OF LIFE
CHAPTER VI UNDER ARMS
CHAPTER VII THE LOCKED ROOM
CHAPTER VIII THE TEMPLE OF BACCHUS

LIST OF ILLUSTRATIONS

"You won't improve his chances by keeping anything back."


I saw a bedizened beauty go mad before my eyes.
I drove Delavoye before me.
A handsome, sinister creature, in a brown flowing wig and raiment
as fine as any on the walls.
Trying to tug the fierce moustache out of his mild face.
A heavy blackthorn held in murderous poise.
His thin arms locked round the neck of the young nurse.
Delavoye fired over my head.
AT LARGE
E. W. Hornung

CONTENTS

A Nucleus of Fortune 1
Sundown 11
After Four Years 20
How Dick Came Home 28
The First Evening at Graysbrooke 41
Sisyphus 53
South Kensington 64
The Admirable Miles 72
A Dancing Lesson and its Consequences 86
An Old Friend and an Old Memory 98
Dressing, Dancing, Looking on 109
"To-Morrow, and To-Morrow, and To-Morrow" 123
In Bushey Park 132
Quits 152
The Morning After 163
Military Manœuvres 174
"Miles's Beggars" 185
Alice Speaks for Herself 196
Conterminous Courses 206
Strange Humility 216
An Altered Man 227
Extremities 234
The Effect of a Photograph 244
The Effect of a Song 256
Melmerbridge Church 271
At Bay 286
The Fatal Tress 296
The Effort 307
Elizabeth Ryan 313
Sweet Revenge 325
The Charity of Silence 333
Suspense: Reaction 343
How Dick Said Good-Bye 353

PECCAVI
By E. W. Hornung

CONTENTS

Chapter Page
I. Dust to Dust 1
II. The Chief Mourner 11
III. A Confession 18
IV. Midsummer Night 29
V. The Man Alone 45
VI. Fire 51
VII. The Sinner's Prayer 66
VIII. The Lord of the Manor 77
IX. A Duel Begins 89
X. The Letter of the Law 100
XI. Labour of Hercules 115
XII. A Fresh Discovery 125
XIII. Devices of a Castaway 131
XIV. The Last Resort 137
XV. His Own Lawyer 150
XVI. End of the Duel 162
XVII. Three Weeks and a Night 186
XVIII. The Night's Work 193
XIX. The First Winter 209
XX. The Way of Peace 230
XXI. At the Flint House 249
XXII. A Little Child 262
XXIII. Design and Accident 275
XXIV. Glamour and Rue 291
XXV. Signs of Change 306
XXVI. A Very Few Words 316
XXVII. An Escape 323
XXVIII. The Turning Tide 335
XXIX. A Haven of Hearts 348
XXX. The Woman's Hour 362
XXXI. Advent Eve 378
XXXII. The Second Time 390
XXXIII. Sanctuary 397

THE THOUSANDTH WOMAN


By Ernest W. Hornung
Illustrated By Frank Snapp

CONTENTS

CHAPTER PAGE
I. A Small World 1
II. Second Sight 16
III. In the Train 29
IV. Down the River 42
V. An Untimely Visitor 64
VI. Voluntary Service 83
VII. After Michelangelo 98
VIII. Finger-Prints 117
IX. Fair Warning 134
X. The Week of Their Lives 146
XI. In Country and In Town 156
XII. The Thousandth Man 169
XIII. Quid Pro Quo 181
XIV. Faith Unfaithful 205
XV. The Person Unknown 214

TINY LUTTRELL
By Ernest W. Hornung

CONTENTS

CHAPTER PAGE
I. The Coming of Tiny, 1
II. Swift of Wallandoon, 21
III. The Tail of the Season, 44
IV. Ruth and Christina, 63
V. Essingham Rectory, 84
VI. A Matter of Ancient History, 102
VII. The Shadow of the Hall, 116
VIII. Countess Dromard at Home, 133
IX. Mother and Son, 148
X. A Threatening Dawn, 162
XI. In the Ladies' Tent, 176
XII. Ordeal by Battle, 193
XIII. Her Hour of Triumph, 213
XIV. A Cycle of Moods, 233
XV. The Invisible Ideal, 248
XVI. Foreign Soil, 263
XVII. The High Seas, 286
XVIII. The Third Time of Asking, 306
XIX. Counsel's Opinion, 317
XX. In Honor Bound, 327
XXI. A Deaf Ear, 339
XXII. Summum Bonum, 348

MY LORD DUKE
By E. W. Hornung
CONTENTS
I. The Head of the Family 1
II. "Happy Jack" 16
III. A Chance Lost 31
IV. Not in the Programme 44
V. With the Elect 63
VI. A New Leaf 77
VII. The Duke's Progress 90
VIII. The Old Adam 105
IX. An Anonymous Letter 122
X. "Dead Nuts" 137
XI. The Night of the Twentieth 151
XII. The Wrong Man 163
XIII. The Interregnum 180
XIV. Jack and his Master 189
XV. End of the Interregnum 199
XVI. "Love the Gift" 215
XVII. An Anti-Toxine 223
XVIII. Heckling a Minister 233
XIX. The Cat and the Mouse 244
XX. "Love the Debt" 257
XXI. The Bar Sinister 266
XXII. De Mortuis 282

THE CRIME DOCTOR


By Ernest W. Hornung

CONTENTS

I The Physician Who Healed Himself 1


II The Life-Preserver 40
III A Hopeless Case 77
IV The Golden Key 118
V A Schoolmaster Abroad 159
VI One Possessed 199
VII The Doctor's Assistant 237
VIII The Second Murderer 272

DENIS DENT
By Ernest W. Hornung
CONTENTS

Chapter Page
I. The Second Officer 1
II. Sauve Qui Peut 10
III. The Castaways 18
IV. Lost and Found 30
V. A Touch of Fever 37
VI. New Conditions 48
VII. Denis and Nan 57
VIII. Cold Water 70
IX. The Canvas City 79
X. Thieves in the Night 90
XI. Strange Bedfellows 102
XII. El Dorado 114
XIII. The Enemy's Camp 122
XIV. The First Claim 133
XV. A Pious Fraud 146
XVI. A Windfall 158
XVII. Hate and Money 168
XVIII. Rotten Gully 178
XIX. New Blood 187
XX. The Jeweler's Shop 196
XXI. The Courier of Death 211
XXII. Atra Cura 220
XXIII. Broken Off 231
XXIV. Death's Door 243
XXV. Beat of Drum 251
XXVI. Homeward Bound 265
XXVII. The Great Gulf 277
XXVIII. News of Battle 289
XXIX. Guy Fawkes Day 299
XXX. The Sandbag Battery 310
XXXI. Time's Whirligig 319

A BRIDE FROM THE BUSH


By Ernest Wm. Hornung
CONTENTS
CHAP. PAGE
I. A LETTER FROM ALFRED 9
II. HOME IN STYLE 24
III. PINS AND NEEDLES 35
IV. A TASTE OF HER QUALITY 49
V. GRANVILLE ON THE SITUATION 61
VI. COMPARING NOTES 71
VII. IN RICHMOND PARK 81
VIII. GRAN’S REVENGE 96
IX. E TENEBRIS LUX 112
X. PLAIN SAILING 129
XI. A THUNDER-CLAP 142
XII. PAST PARDON 151
XIII. A SOCIAL INFLICTION 160
XIV. ‘HEAR MY PRAYER!’ 172
XV. THE FIRST PARTING 186
XVI. TRACES 194
XVII. WAITING FOR THE WORST 209
XVIII. THE BOUNDARY-RIDER OF THE YELKIN PADDOCK 228
XIX. ANOTHER LETTER FROM ALFRED 244

THE BOSS OF TAROOMBA


By E. W. Hornung

CONTENTS

CHAPTER I
PAGE
The Little Musician 1

CHAPTER II
A Friend Indeed 13

CHAPTER III
"Hard Times" 25

CHAPTER IV
The Treasure in the Store 41

CHAPTER V
Masterless Men 55

CHAPTER VI
£500 71

CHAPTER VII
The Ringer of the Shed 83
CHAPTER VIII
"Three Shadows" 102

CHAPTER IX
No Hope for Him 120

CHAPTER X
Missing 138

CHAPTER XI
Lost in the Bush 152

CHAPTER XII
Fallen Among Thieves 162

CHAPTER XIII
A Smoking Concert 179

CHAPTER XIV
The Raid on the Station 194

CHAPTER XV
The Night Attack 210

CHAPTER XVI
In the Midst of Death 232

YOUNG BLOOD
By E. W. Hornung
CONTENTS

PAGE
CHAPTER I.
The Old Home 1
CHAPTER II.
The Breaking of the News 11
CHAPTER III.
The Sin of the Father 20
CHAPTER IV.
The New Home 32
CHAPTER V.
A Wet Blanket 40
CHAPTER VI.
The Game of Bluff 57
CHAPTER VII.
On Richmond Hill 71
CHAPTER VIII.
A Millionaire in the Making 85
CHAPTER IX.
The City of London 95
CHAPTER X.
A First Offence 111
CHAPTER XI.
Beggar and Chooser 122
CHAPTER XII.
The Champion of the Gods 135
CHAPTER XIII.
The Day of Battle 150
CHAPTER XIV.
A Change of Luck 165
CHAPTER XV.
It Never Rains but it Pours 175
CHAPTER XVI.
A Dame's School 183
CHAPTER XVII.
At Fault 195
CHAPTER XVIII.
Mr. Scrafton 203
CHAPTER XIX.
Assault and Battery 214
CHAPTER XX.
Biding his Time 226
CHAPTER XXI.
Hand to Hand 234
CHAPTER XXII.
Man to Man 247
CHAPTER XXIII.
The End of the Beginning 259
CHAPTER XXIV.
Young Ink 276
CHAPTER XXV.
Scrafton's Story 287
CHAPTER XXVI.
A Masterstroke 304
CHAPTER XXVII.
Restitution 315
CHAPTER XXVIII.
A Tale Apart 326

SOME PERSONS UNKNOWN


By E. W. Hornung
CONTENTS

PAGE
Kenyon's Innings 1
A Literary Coincidence 40
"Author! Author!" 71
The Widow of Piper's Point 87
After the Fact 104
The Voice of Gunbar 151
The Magic Cigar 168
The Governess at Greenbush 186
A Farewell Performance 234
A Spin of the Coin 244
The Star of the Grasmere 256

FATHERS OF MEN

CONTENTS

CHAPTER PAGE
I. Behind the Scenes 1
II. Change and Chance 11
III. Very Raw Material 21
IV. Settling In 33
V. Nicknames 43
VI. Boy to Boy 53
VII. Reassurance 62
VIII. Likes and Dislikes 75
IX. Coram Populo 90
X. Elegiacs 105
XI. A Merry Christmas 123
XII. The New Year 133
XIII. The Haunted House 146
XIV. Summer-Term 174
XVI. Similia Similibus 186
XVII. The Fun of the Fair 196
XVIII. Dark Horses 212
XIX. Fame and Fortune 225
XX. The Eve of Office 240
XXI. Out of Form 250
XXII. The Old Boys' Match 259
XXIII. Interlude in a Study 266
XXIV. The Second Morning's Play 277
XXV. Interlude in the Wood 290
XXVI. Close of Play 304
XXVII. The Extreme Penalty 317
XXVIII. Chips and Jan 336
XXX. His Last Fling 349
XXXI. Vale 360

THE YOUNG GUARD


By E. W. Hornung
CONTENTS

CONSECRATION
LORD'S LEAVE
LAST POST
THE OLD BOYS
RUDDDY YOUNG GINGER
THE BALLAD OF ENSIGN JOY
BOND AND FREE
SHELL-SHOCK IN ARRAS
THE BIG THING
FORERUNNERS *
UPPINGHAM SONG
WOODEN CROSSES

THE UNBIDDEN GUEST


By Ernest William Hornung

CONTENTS

THE UNBIDDEN GUEST.


CHAPTER I. THE GIRL FROM HOME.
CHAPTER II. A BAD BEGINNING.
CHAPTER III. AU REVOIR.
CHAPTER IV. A MATTER OF TWENTY POUNDS.
CHAPTER V. A WATCH AND A PIPE.
CHAPTER VI. THE WAYS OF SOCIETY.
CHAPTER VII. MOONLIGHT SPORT.
CHAPTER VIII. THE SAVING OF ARABELLA.
CHAPTER IX. FACE TO FACE.
CHAPTER X. THE THINNING OF THE ICE.
CHAPTER XI. A CHRISTMAS OFFERING.
CHAPTER XII. “THE SONG OF MIRIAM.”
CHAPTER XIII. ON THE VERANDAH.
CHAPTER XIV. A BOLT FROM THE BLUE.
CHAPTER XV. A DAY OF RECKONING.
CHAPTER XVI. A MAN'S RESOLVE.
CHAPTER XVII. THE TWO MIRIAMS.
CHAPTER XVIII. THE WAY OF ALL FLESH.
CHAPTER XIX. TO THE TUNE OF RAIN.
CHAPTER XX. THE LAST ENCOUNTER.
Welcome to our website – the perfect destination for book lovers and
knowledge seekers. We believe that every book holds a new world,
offering opportunities for learning, discovery, and personal growth.
That’s why we are dedicated to bringing you a diverse collection of
books, ranging from classic literature and specialized publications to
self-development guides and children's books.

More than just a book-buying platform, we strive to be a bridge


connecting you with timeless cultural and intellectual values. With an
elegant, user-friendly interface and a smart search system, you can
quickly find the books that best suit your interests. Additionally,
our special promotions and home delivery services help you save time
and fully enjoy the joy of reading.

Join us on a journey of knowledge exploration, passion nurturing, and


personal growth every day!

ebookbell.com

You might also like