Cluster Comput (2013) 16:797–806
DOI 10.1007/s10586-013-0253-z
Efficient leakage-resilient public key encryption from DDH
assumption
Sujuan Li ·Futai Zhang ·Yinxia Sun ·Limin Shen
Received: 14 January 2013 / Accepted: 18 March 2013 / Published online: 20 April 2013
© Springer Science+Business Media New York 2013
Abstract For an encryption scheme to be applied in practi-
cal applications, it should withstand various leakage attacks.
In this paper, we present a new leakage-resilient public key
encryption scheme whose security is based on the classical
DDH (decisional Diffie-Hellman) assumption. In the com-
putational cost, our proposed scheme is more efficient than
the original Cramer-Shoup leakage-resilient public key en-
cryption scheme. At the same time, our new scheme also
enjoys a shorter (public and secret) key length, and a higher
relative key leakage ratio. We formally prove our new pro-
posal is semantically secure against adaptive posteriori cho-
sen ciphertext key-leakage attacks assuming the hardness of
the DDH problem without random models.
Keywords Decisional Diffie-Hellman assumption ·
Adaptive posteriori chosen ciphertext attack · Leakage
resilient · Cramer-Shoup encryption · Key leakage ·
Standard model
S. Li · F. Zhang (
) · Y. S u n · L. Shen
Nanjing Normal University, Nanjing, China
e-mail: zhangfutai@njnu.edu.cn
S. Li
e-mail: lisujuan1978@126.com
Y. S u n
e-mail: 73003@njnu.edu.cn
L. Shen
e-mail: 05343@njnu.edu.cn
S. Li
Nanjing University of Technology, Nanjing, China
1 Introduction
Traditionally, the security of cryptographic algorithms are
analyzed under an ideal assumption that the private keys
are randomly and independently chosen, and perfectly hid-
den from the adversaries. However, several works [5, 7,
22, 24, 25] indicate that the conventional attack model fails
to capture some attacks in the real application scenarios.
Most of these attacks are classified as the key-leakage at-
tacks in which the attackers may obtain some partial sen-
sible information about the secret states of the crypto-
graphic systems. Such attacks include the side-channel at-
tacks, where the attackers may get some secret information
from the physical realization of a cryptographic primitive,
such as the power consumption, computational time, radia-
tion/heat/noise emission et al.. Another example of a key-
leakage attack is the cold-boot attack [22], which is called
memory attacks in [1], where even after the computer is
powered off the adversary can also learn some information
about the memory of the machine, with momentary physical
access to the DRAM. To stand against such attacks, there has
been a surge of interest in creating leakage-resilient crypto-
graphic schemes [1, 3, 9, 11, 17, 18, 23, 29, 30].
In the public key settings, the first practical adaptive cho-
sen ciphertexts secure public key encryption system in the
standard model was presented by Cramer and Shoup [12, 14]
which is based on the decisional Diffie-Hellman (DDH) as-
sumption. They later generalized their construction by con-
sidering an algebraic primitive which they called universal
hash proof system and showed that this framework yields
not only the original DDH-based Cramer-Shoup scheme but
also encryption schemes based on Paillier’s assumption and
on quadratic residuosity [13].
In TCC’09, Akavia, Goldwasser and Vaikuntanathan [1]
firstly gave the framework of modeling key-leakage attacks