Paper 2025/332

Towards Leakage-Resilient Ratcheted Key Exchange

Daniel Collins, Texas A&M University
Simone Colombo, King’s College London
Sina Schaeffler, ETH Zurich, IBM Research - Zurich

Abstract

Ratcheted key exchange (RKE) is at the heart of modern secure messaging, enabling protocol participants to continuously update their secret material to protect against full state exposure through forward security (protecting past secrets and messages) and post-compromise security (recovering from compromise). However, many practical attacks only provide the adversary with partial access to a party's secret state, an attack vector studied under the umbrella of leakage resilience. Existing models of RKE provide suboptimal guarantees under partial leakage due to inherent limitations in security under full state exposure. In this work, we initiate the study of leakage-resilient ratcheted key exchange that provides typical guarantees under full state exposure and additional guarantees under partial state exposure between ratchets of the protocol. We consider unidirectional ratcheted key exchange (URKE) where one party acts as the sender and the other as receiver. Building on the notions introduced by Balli, Rösler and Vaudenay (ASIACRYPT 2020), we formalise a key indistinguishability game under randomness manipulation and bounded leakage (KIND), which in particular enables the adversary to continually leak a bounded amount of the sender's state between honest send calls. We construct a corresponding protocol from a key-updatable key encapsulation mechanism (kuKEM) and a leakage-resilient one-time MAC. By instantiating this MAC in the random oracle model (ROM), results from Balli, Rösler and Vaudenay imply that in the ROM, kuKEM and KIND-secure URKE are equivalent, i.e., can be built from each other. To address the strong limitations that key indistinguishability imposes on the adversary, we formalise a one-wayness game that also permits leakage on the receiver. We then propose a corresponding construction from leakage-resilient kuKEM, which we introduce, and a leakage-resilient one-time MAC. We further show that leakage-resilient kuKEM and one-way-secure URKE are equivalent in the ROM, highlighting the cost that strong one-way security entails. Our work opens exciting directions for developing leakage-resilient messaging protocols.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in PKC 2025
Keywords
leakage resilience, ratcheting, secure messaging, ratcheted key exchange
Contact author(s)
danielpatcollins @ gmail com
simone colombo @ kcl ac uk
sschaeffle @ ethz ch
History
2025-02-25: revised
2025-02-24: received
Short URL
https://ia.cr/2025/332
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/332,
      author = {Daniel Collins and Simone Colombo and Sina Schaeffler},
      title = {Towards Leakage-Resilient Ratcheted Key Exchange},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/332},
      year = {2025},
      url = {https://eprint.iacr.org/2025/332}
}