Paper 2020/736

Forward Security under Leakage Resilience, Revisited

Abstract

As both notions employ the same key-evolution paradigm, Bellare \emph{et al.} (CANS 2017) study combining forward security with leakage resilience. The idea is for forward security to serve as a hedge in case at some point the full key gets exposed from the leakage. In particular, Bellare \emph{et al.} combine forward security with \emph{continual} leakage resilience, dubbed FS+CL. Our first result improves on Bellare \emph{et al.}'s FS+CL secure PKE scheme by building one from any continuous leakage-resilient binary-tree encryption (BTE) scheme; in contrast, Bellare \emph{et al.} require extractable witness encryption. Our construction also preserves leakage rate of the underlying BTE scheme and hence, in combination with existing CL-secure BTE, yields the first FS+CL secure encryption scheme with optimal leakage rate from standard assumptions. \ind We next explore combining forward security with other notions of leakage resilience. Indeed, as argued by Dziembowski \emph{et al.} (CRYPTO 2011), it is desirable to have a \emph{deterministic} key-update procedure, which FS+CL does not allow for arguably pathological reasons. To address this, we combine forward security with \emph{entropy-bounded} leakage (FS+EBL). We construct FS+EBL non-interactive key exchange (NIKE) with deterministic key update based on indistinguishability obfuscation ($$), and DDH or LWE. To make the public keys constant size, we rely on the Superfluous Padding Assumption (SuPA) of Brzuska and Mittelbach (ePrint 2015) \emph{without} auxiliary information, making it more plausible. SuPA notwithstanding, the scheme is also the first FS-secure NIKE from $$ rather than multilinear maps. We advocate a future research agenda that uses FS+EBL as a hedge for FS+CL, whereby a scheme achieves the latter if key-update randomness is good and the former if not.