Fully leakage-resilient non-malleable identification schemes in the bounded-retrieval model

Abstract

Alwen, Dodis and Wichs first formulated security notions for identification (ID) schemes resilient to key-leakage attacks, called leakage-resilient ID schemes. The notions they considered are so-called active security, where the adversary is only allowed to interact with the prover before the impersonation attempt. Recently, however, there has been a huge emphasis on stronger attacks, such as man-in-the-middle (MIM) attacks. Can the results on leakage-resilient ID schemes be extended to man-in-the-middle security? In addition, we consider the setting where the adversary is allowed to perform leakage attacks on the entire state of the honest prover during the lifetime of the system, called full leakage attacks. Clearly, this type of leakage attack is stronger and more meaningful than key-leakage attacks. In summary, we study the design of ID schemes resilient to MIM attacks and full leakage attacks at the same time, which means that while attempting to impersonate a prover, the adversary can interact with an honest prover and obtain arbitrary bounded leakage on the entire state of the honest prover during the lifetime of the system. Informally speaking, an ID scheme secure against this type of attack is said to be fully leakage-resilient non-malleable. To obtain fully leakage-resilient non-malleable ID schemes, we propose two variants of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups, called the tag-based Knowledge-of-Exponent Assumption (TagKEA) and the selective-tag-based Knowledge-of-Exponent Assumption (Selective-TagKEA). To justify these two assumptions, we demonstrate that KEA implies TagKEA and is equivalent to Selective-TagKEA.

Cite

Zhang, T., & Li, H. (2015). Fully leakage-resilient non-malleable identification schemes in the bounded-retrieval model. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9241, pp. 153–172). Springer Verlag. https://doi.org/10.1007/978-3-319-22425-1_10