After-the-Fact Leakage in Public-Key Encryption
What does it mean for an encryption scheme to be leakage-resilient? Prior formulations require that the scheme remains semantically secure even in the presence of leakage, but only considered leakage that occurs before the challenge ciphertext is generated. Although seemingly necessary, this restriction severely limits the usefulness of the resulting notion. In this paper the authors study after-the-fact leakage, namely leakage that the adversary obtains after seeing the challenge ciphertext. They seek a "Natural" and realizable notion of security, which is usable in higher-level protocols and applications.