Cryptology ePrint Archive: Report 2016/308
Strongly Leakage-Resilient Authenticated Key Exchange
Rongmao Chen and Yi Mu and Guomin Yang and Willy Susilo and Fuchun Guo
Abstract: Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in reality. We then introduce a new strong yet meaningful security model, named challenge-dependent leakage-resilient eCK (CLR-eCK) model, to capture challenge-dependent leakage attacks on both long-term secret key and ephemeral secret key (i.e., randomness). Second, we propose a general framework for constructing one-round CLR-eCK-secure AKE protocols based on smooth projective hash functions (SPHFs). This framework ensures the session key is private and authentic even if the adversary learns a large fraction of both long-term secret key and ephemeral secret key, and hence provides stronger security guarantee than existing AKE protocols which become insecure if the adversary can perform leakage attacks during the execution of a session. Finally, we also present a practical instantiation of the general framework based on the Decisional Diffie-Hellman assumption without random oracle. Our result shows that the instantiation is efficient in terms of the communication and computation overhead and captures more general leakage attacks.
Category / Keywords: cryptographic protocols / Authenticated key exchange, challenge-dependent leakage, strong randomness extractor, smooth projective hash function.
Original Publication (with major differences): CT-RSA 2016
Date: received 17 Mar 2016
Contact author: rc517 at uowmail edu au
Available format(s): PDF | BibTeX Citation
Version: 20160318:092047 (All versions of this report)
Short URL: ia.cr/2016/308
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]