Computing Reviews
How to keep a secret: leakage deterring public-key cryptosystems
Kiayias A., Tang Q. CCS 2013 (Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, Nov 4-8, 2013), 943-954. 2013. Type: Proceedings
Date Reviewed: May 29 2014

The paper tackles the problem of leakage deterrence in public-key cryptosystems: any implementation of the cryptographic function that is leaked leads to the recovery of some private information by third-party entities.

The authors clearly present their proposed idea and implementation, and discuss in detail the main security requirements that the algorithms must meet at each step. They emphasize that any leakage-deterring primitive should offer privacy and recoverability for the owner. This means that as long as no implementation of the primitive is leaked, the user is safe. It is also important that the additional functionality does not disturb the standard cryptographic properties of the primitive.

The construction starts with a comparison against additive homomorphic encryption schemes and a security analysis in which the authors analyze correctness and the security properties.

The identification of leakage-deterring signatures, in order to prevent forgeries and impersonations by an adversary, is also discussed. “The security proofs of these signatures rely on the fact that if the adversary can forge one signature, then he could also forge another correlated signature for the same message with the same random [input] but a different random oracle,” leading to the extraction of the secret key. The signature algorithm is “based on two independent digital signatures ... that are unforgeable under adaptively chosen message attacks.”

Finally, the authors present some applications of their algorithms in practice. More precisely, depending on the application scenario, they embed various types of private owner information to prevent the leakage of a cryptographic functionality; the scenarios include self-enforcement, all-or-nothing sharing of cryptographic functions, and anonymity revocation from implementations.

Reviewer: Patriciu Victor-Valeriu
Review #: CR142333 (1504-0320)
Security and Protection (K.6.5)
Public Key Cryptosystems (E.3 ...)