On the leakage-resilient key exchange

Continuous leakage model.

In the pioneering work of Micali and Reyzin [35], a general framework was introduced to model the leakage that occurs when computation takes place on secret parameters. This framework relies on the assumption that “only computation leaks information”. Further, Micali and Reyzin mentioned that leakage only occurs from the secret memory portions which are actively involved in computations, and the amount of leakage per occurrence is less than the size of the corresponding secret memory portion, hence bounded by a leakage parameter λ. The adversary is allowed to obtain leakage from an arbitrarily large number of computations, hence the overall leakage amount is unbounded and it can be larger than the size of the secret key. This leakage model addresses side-channel attacks such as timing attacks, power analysis attacks and EM emission based attacks, which obtain leakage of secret values whenever computations take place on them. This model is suitable to analyze stateful leakage-resilient cryptographic schemes [20, 39], where at the end of each ith execution round a new secret key state ski+1 is computed using the current secret key state ski. This key state ski+1 is going to be used as the secret parameter of the next execution round i+1. Before the ith round an attacker chooses (adaptively) a leakage function fi and after the execution of the round, it receives fi⁢(ski), under the constrain that |fi⁢(ski)|≤λ.

Bounded leakage model.

Inspired by “cold boot” attacks, Akavia, Goldwasser and Vaikuntanathan constructed a general framework to model memory attacks [3]. The adversary can adaptively choose an efficiently computable arbitrary leakage function fi and send it to the leakage oracle. The leakage oracle gives fi⁢(sk) to the adversary where sk is the secret key. The only restriction comes here is that ∑|fi⁢(sk)|≤λ, where λ is the leakage parameter, which is smaller than the size of sk. This model is suitable to analyze stateless leakage-resilient cryptographic schemes which are not using new secret states for each round.

After-the-fact leakage.

Leakage which happens after the challenge is given to the adversary is considered as after-the-fact leakage. In security experiments for public-key cryptosystems, the challenge to the adversary is, given a ciphertext, distinguish the corresponding plaintext. In key exchange security models, the challenge to the adversary is to identify the real session key of a chosen session from a random session key [9, 13, 31]. In leakage models for public-key cryptosystems, after-the-fact leakage is the leakage which happens after the challenge ciphertext is given whereas in leakage-resilient key exchange security models, after-the-fact leakage is the leakage which happens after the session key is established.

Earlier leakage models only consider the leakage which happens before the challenge is given (before-the-fact leakage). Hence the adversary is not allowed to obtain leakage after the challenge is given. Recent leakage models facilitate more granular leakage by allowing the adversary to issue leakage functions, and obtain leakage even after the challenge is given, either under the bounded or continuous leakage assumptions as explained above.

For leakage-resilient public-key encryption there are three properties which may be important differentiators for the different models. One is whether the model allows access to decryption of chosen ciphertexts before (CCA1) and after (CCA2) the challenge is known. The second is whether the leakage allowed to the adversary is continuous or bounded. The third is whether the leakage is allowed only before the challenge ciphertext is known or also after the fact.

In earlier models, such as that of Naor and Segev [38], it was expected that although the adversary is given access to the decryption oracle (CCA2), the adversary cannot be allowed to obtain leakage after the challenge ciphertext is given. This is because the adversary can encode the decryption algorithm and challenge ciphertext with the leakage function and by revealing a few bits of the decrypted value of the challenge ciphertext trivially win the challenge. Subsequently, Halevi and Lin [22] introduced after-the-fact leakage-resilient semantic security (CPLA2) on public-key cryptosystems, in the bounded leakage model. In their security experiment, the adversary is not allowed to access the decryption oracle. Dziembowski and Faust [19] defined an adaptively-chosen ciphertext after-the-fact leakage (CCLA2) in which the adversary is allowed to access the decryption oracle adaptively and obtain leakage information even after the challenge ciphertext is given. Furthermore, they allow continuous leakage, so the total leakage amount is unbounded.

Parties and long-term keys.

Let 𝒰={U1,…,UNP} be a set of NP parties. Each party Ui, where i∈[1,NP], has a pair of long-term public and secret keys, (pkUi,skUi). Each party Ui owns at most NS number of protocol sessions.

Sessions.

Each party may run multiple instances of the protocol concurrently or sequentially; we use the term principal to refer a party involved in a protocol instance, and the term session to identify a protocol instance at a principal. The notation ΠU,Vs represents the sth session at the owner principal U, with intended partner principal V. The principal which sends the first protocol message of a session is the initiator of the session, and the principal which responds to the first protocol message is the responder of the session. A session ΠU,Vs enters an accepted state when it computes a session key. Note that a session may terminate without ever entering into the accepted state. The information of whether a session has terminated with or without acceptance is public.

Partnering.

Legitimate execution of a key exchange protocol between two principals U and V makes two partnering sessions owned by U and V respectively. Two sessions ΠU,Vs and ΠU′,V′s′ are said to be partners if all of the following hold:

1. Both ΠU,Vs and ΠU′,V′s′ have computed session keys.

2. Messages sent from ΠU,Vs and messages received by ΠU′,V′s′ are identical.

3. Messages sent from the session ΠU′,V′s′ and messages received by ΠU,Vs are identical.

4. U′=V and V′=U.

5. Exactly one of U and V is the initiator and the other is the responder.

The protocol is correct if two partner sessions compute identical session keys.

Adversarial powers.

The adversary 𝒜 is a probabilistic polynomial time algorithm in the security parameter k that has the control over the whole network. Note that 𝒜 interacts with set of sessions which represent protocol instances, and 𝒜 can adaptively ask the following queries:

1. Send(U,V,s,m) query: This query allows 𝒜 to run the protocol. It sends the message m to the session ∏U,Vs as coming from the session ∏V,Us′; and ∏U,Vs will return to 𝒜 the next message according to the protocol conversation so far or decision on whether to accept or reject the session. The adversary 𝒜 can also use this query to initiate a new protocol instance with blank m. This query captures capabilities of active adversary, who can initiate sessions and modify or delay protocol messages.

2. SessionKeyReveal(U,V,s) query: If a session ∏U,Vs has accepted and holds a session key, then 𝒜 gets the session key of ∏U,Vs. A session can only accept a session key once. This query captures the known key attacks.

3. EphemeralKeyReveal(U,V,s) query: This query gives all the ephemeral keys (per session randomness) of the session ∏U,Vs to 𝒜.

4. Corrupt(U) query: 𝒜 gets all the long-term secrets of the principal U. But this query does not reveal any session keys to 𝒜. This query captures the key compromise impersonation (KCI) attacks, unknown key share (UKS) attacks and forward secrecy.

5. Test(U,s) query: Once a session ∏U,Vs has accepted and holds a session key, 𝒜 can attempt to distinguish it from a random key. When 𝒜 asks this query, the session ∏U,Vs first chooses a random bit b∈{0,1} and if b=1, the actual session key is returned to 𝒜, otherwise a random session key is chosen uniformly at random from the same session key distribution, and is returned to 𝒜. This query is only allowed to be asked once.

Freshness.

A session ∏U,Vs is fresh if and only if all of the following hold:

1. Session ∏U,Vs and its partner (if it exists) ∏V,Us′ have not been asked the SessionKeyReveal query.

2. If the partner ∏V,Us′ exists, none of the following combinations have been asked:

   1. Corrupt(U) and EphemeralKeyReveal(U,V,s).

   2. Corrupt(V) and EphemeralKeyReveal(V,U,s′).

3. If the partner ∏V,Us′ does not exist, none of the following combinations have been asked:

   1. Corrupt(V).

   2. Corrupt(U) and EphemeralKeyReveal(U,V,s).

Security game.

Proceed as follows:

1. Stage 0: The challenger generates the keys using the security parameter k.

2. Stage 1:𝒜 is executed and may ask any of Send, SessionKeyReveal, EphemeralKeyReveal and Corrupt queries to any session at will.

3. Stage 2: At some point 𝒜 chooses a fresh session and asks the Test query.

4. Stage 3:𝒜 may continue asking Send, SessionKeyReveal, EphemeralKeyReveal and Corrupt queries. The only condition is that 𝒜 cannot violate the freshness of the test session.

5. Stage 4: At some point 𝒜 outputs the bit b′∈{0,1} which is its guess of the value b on the test session. 𝒜 wins if b′=b.

Definition of security.

Let Succ𝒜 be the event that the adversary 𝒜 wins the eCK game.

Moriyama–Okamoto freshness.

A session ∏U,Vs is λ-leakage fresh if the following conditions hold:

1. ∏U,Vs is a fresh session in the sense of the eCK model.

2. Before the adversary activates the session ∏U,Vs, the total amount of leakage that the adversary obtains from each partner principal of the session ∏U,Vs: U and V, is bounded by the leakage parameter λ.

3. After the session ∏U,Vs is activated, no leakage is allowed from the partner principals of the session ∏U,Vs.

Apart from the freshness condition, partnering and the security game are the same as in the eCK model.

Modelling leakage.

This key exchange security model considers continuous leakage of the long-term secret keys of protocol principals, because long-term secret keys are not one-time secrets, but they last for multiple protocol sessions. Leakage of long-term secret key from one session affects the security of another session which uses the same long-term secret key. By considering side-channel attacks which can be mounted against key exchange protocols, the most realistic way to obtain the leakage information of long-term secret keys is from the protocol computations which use long-term secret keys. Hence, following the premise “only computation leaks information” [35], the leakage is modelled to occur where computation takes place using secret keys. By issuing a 𝚂𝚎𝚗𝚍 query, the adversary will get a protocol message which is computed according to the normal protocol computations. Therefore, the instance of a 𝚂𝚎𝚗𝚍 query would be the appropriate instance to address the leakage which occurs due to a computation which uses a long-term secret key. Thus, sending an adversary-chosen leakage function, f, with the 𝚂𝚎𝚗𝚍 query would reflect the premise “only computation leaks information”. The leakage function f is an efficiently computable, adaptive leakage function.

Further, the amount of leakage of a secret key is bounded by a leakage parameter λ, per computation. The adversary is allowed to obtain leakage from many computations continuously. Hence, the overall leakage amount is unbounded.

Adversarial powers.

The adversary (a probabilistic algorithm) controls all interaction and communication between parties. In particular, the adversary initiates sessions at parties and delivers protocol messages; it can create, change, delete, or reorder messages. The adversary can also compromise certain short-term and long-term secrets. Notably, whenever the party performs an operation using its long-term key, the adversary obtains some leakage information about the long-term key. The following query allows the adversary 𝒜 to run the protocol, modelling normal communication:

1. 𝚂𝚎𝚗𝚍⁢(U,V,s,m,f) query: The session ΠU,Vs, computes the next protocol message according to the protocol specification on receipt of m, and sends it to the adversary 𝒜, along with the leakage f⁢(skU) as described in Section 3.1. The adversary 𝒜 can also use this query to activate a new protocol instance as an initiator with blank m.

The following queries allow the adversary 𝒜 to compromise certain session specific ephemeral secrets and long-term secrets from the protocol principals:

1. 𝚂𝚎𝚜𝚜𝚒𝚘𝚗𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) query: 𝒜 is given the session key of the session ΠU,Vs if the session ΠU,Vs is in the accepted state.

2. 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) query: 𝒜 is given the ephemeral keys of the session ΠU,Vs.

3. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) query: 𝒜 is given the long-term secrets of the principal U. This query does not reveal any session keys or ephemeral keys to 𝒜.

Defining security.

In this part we give formal definitions for partner sessions, freshness of a session and security in the CAFL model.

A protocol is correct if two partner sessions compute identical session keys in the presence of a passive adversary (an adversary that can only listen to the communications, but cannot directly tamper with them).

We now define what it means for a session to be λ-CAFL-fresh in the CAFL model.

Limitations of λ-CAFL-freshness.

When the adversary asks 𝙲𝚘𝚛𝚛𝚞𝚙𝚝 and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 queries, there are two 𝙲𝚘𝚛𝚛𝚞𝚙𝚝--𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query combinations which trivially expose the session key of a session, in a scenario that a partner to that particular session exists:

1. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s).

2. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(V) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(V,U,s′).

As in the other models we have compared with [31, 37] CAFL does not allow above combinations in the freshness condition, as they trivially expose the session key of sessions ΠU,Vs and ΠV,Us′. Differently, in the other models we have compared with, there are four 𝙲𝚘𝚛𝚛𝚞𝚙𝚝--𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query combinations which do not trivially expose the session key a session, in a scenario that a partner to that particular session exists:

1. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) and 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(V).

2. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(V,U,s).

3. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(V) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s′).

4. 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(V,U,s) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s′).

All the models we consider [31, 37] allow above combinations in the freshness condition, whereas the CAFL model does not allow the query combinations (1) and (4) in the freshness condition.

When the adversary asks 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 and 𝙲𝚘𝚛𝚛𝚞𝚙𝚝 queries, there are two query combinations which trivially expose the session key of a session, in a scenario that a partner to that particular session does not exist:

1. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(V).

2. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) and 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s).

As in the other models we have compared with [31, 37] the CAFL does not allow above combinations in the freshness condition, as they trivially expose the session key of sessions ΠU,Vs and ΠV,Us′. By weakening that condition, the CAFL model does not allow following two query combinations in the freshness condition when a partner to the test session does not exist:

1. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(V).

2. 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) (instead of the queries 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) and 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) as in other models).

Thus, the freshness of a non-leakage variant of the CAFL model (without conditions (4) and (5)) is weaker than the eCK-freshness definition, because of the restriction enforced in conditions (2) (a) and (2) (d). Differently, the λ-CAFL-freshness allows partial leakage of the long-term secret key of a protocol principal, even when the partner principal is corrupted or 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query is asked to the partner session. In some sense that is stronger than the eCK-freshness definition, because according to the eCK-freshness, once 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query have been asked to a session, revealing the long-term secret key of the partner is not allowed. Hence, although the freshness of a non-leakage variant of the CAFL model is weaker than the eCK-freshness in some sense, λ-CAFL-freshness achieved an improvement over eCK-freshness by means of partial leakage of long-term secrets.

We explain why the additional restrictions are introduced (restriction enforced in conditions (2) (a) and (2) (d)) to the freshness condition of the CAFL model, more than in the freshness condition of the eCK model as follows: Their aim was to construct a simple leakage-resilient two-pass key exchange protocol, using a leakage-resilient public-key encryption scheme, in which each of the principals randomly chooses its ephemeral secret key, encrypts it with the public key of the intended partner principal, and sends the encrypted message to the intended partner principal. Defining eCK-style freshness makes it impossible to prove the security of the simple two-pass key exchange protocol, because corrupting both principals to the target session or revealing the ephemeral key from both sessions to the target session will trivially expose the session key. Therefore, additional restrictions are enforced to the λ-CAFL-freshness condition, but allow the partial leakage of long-term secret keys, as the aim is to model the side-channel attacks.

Security of a key exchange protocol in the CAFL model is defined using the a security game (similar to the security game in the eCK model), which is played by a probabilistic polynomial time adversary 𝒜 against the protocol challenger. Succ𝒜 is the event that 𝒜 wins the security game. The security is defined as follows:

Practical interpretation of security of CAFL model.

We review the relationship between the CAFL model and real world attack scenarios.

1. Active adversarial capabilities:𝚂𝚎𝚗𝚍 queries address the powers of an active adversary who can control the message flow over the network. In the previous security models, this property is addressed by introducing the send query.

2. Side-channel attacks: Leakage functions are embedded with the 𝚂𝚎𝚗𝚍 query. Thus, assuming that the leakage happens when computations take place in principals, a wide variety of side-channel attacks, such as timing attacks, EM emission based attacks, power analysis attacks, which are based on continuous leakage of long-term secrets, are addressed. This property is not addressed in the earlier security models such as the BR models, the CK model, the eCK model and the Moriyama–Okamoto model.

3. Cold boot attacks: The CAFL model allows the adversary to reveal either the long-term secret key (𝙲𝚘𝚛𝚛𝚞𝚙𝚝 query) or the ephemeral secret key (𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query) of the target session (same as in the eCK model and the Moriyama–Okamoto model). Thus these queries address the cold boot attacks to some extent, where the cold boot attacks reveal either (i) the long-term secret key or (ii) the ephemeral secret key of the target session. Note that the Moriyama–Okamoto model addresses the cold boot attacks by additionally covering the situation, where the attacker reveals (iii) the ephemeral secret key and part of the long-term secret key of the target session. Thus, the Moriyama–Okamoto model is more suitable to model cold boot attacks.

4. Malware attacks:𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 queries cover the malware attacks which steal stored ephemeral keys, given that the long-term keys may be securely stored separately from the ephemeral keys in places such as smart cards or hardware security modules. Separately, 𝙲𝚘𝚛𝚛𝚞𝚙𝚝 queries address malware attacks which steal the long-term secret keys of protocol principals. In the previous security models, this property is addressed by introducing the ephemeral-key reveal, session-state reveal and corrupt queries.

5. Weak random number generators: Due to weak random number generators, the adversary may correctly determine the produced random number. 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query addresses situations where the adversary can get the ephemeral secrets. In the previous security models, this property is addressed by introducing the ephemeral-key reveal query or the session-state reveal query.

6. Known key attacks:𝚂𝚎𝚜𝚜𝚒𝚘𝚗𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query covers the attacks which can be mounted by knowing past session keys. In the previous security models, this property is addressed by introducing the session key reveal query.

7. Key compromise impersonation attacks: λ-CAFL-freshness allows the adversary to corrupt the owner of the test session before the activation of the test session. Hence, the CAFL model security protects against the key compromise impersonation attacks. In the eCK model and the Moriyama–Okamoto model, this property is addressed by introducing the long-term key reveal query to the owner of the target session, before the session is completed. Earlier models such as the BR models and the CK model do not allow the adversary to reveal the long-term secret key of the owner of the target session before it is expired, and hence do not address this property.

8. Partial weak forward secrecy: λ-CAFL-freshness allows the adversary to corrupt either of the protocol principals, after the test session is activated. Hence, the CAFL model addresses partial weak forward secrecy. The eCK model and the Moriyama–Okamoto model allow the adversary to reveal the long-term secret keys of both protocol principals of the target session after the target session is activated, as long as the adversary is passive. Hence they address weak forward secrecy. The CK model allows the adversary to reveal the long-term secret keys of both protocol principals of the target session, after the session is expired but regardless of whether the adversary is passive or active. Therefore, the CK model address perfect forward secrecy.

Protocol construction.

In Table 2, we show the construction of protocol π⁢1 with the fixture to the mentioned problem. Here KG, Enc and Dec are the key generation, encryption and decryption algorithms of the underlying adaptively chosen ciphertext after-the-fact leakage (CCLA2) secure public-key cryptosystem PKE (Section C.3.2), and PRF is a pseudo-random function (Section C.2.2) which generates the session key of length k.

Security proof of Protocol π⁢1 in the CAFL model.

The detailed proof of this theorem is in Appendix A.

Leakage tolerance of the CAFL-secure protocol π⁢1.

In the created protocol, a principal simply encrypts a randomly-chosen ephemeral key using a CCLA2-secure public key encryption scheme, and sends it to the partner principal. Therefore, the leakage tolerance is exactly same as the leakage tolerance of the underlying CCLA2-secure public key encryption scheme.

Dziembowski and Faust [19] constructed a CCLA2-secure public-key cryptosystem, where the secret key sk=(x1,x2)∈(ℤq*)2 is split into two parts ℓsk, rsk such that ℓsk←$(ℤq*)n at random and rsk←(ℤq*)n×2 holding ℓsk⋅rsk=sk, where n is the statistical security parameter. They proved their public-key cryptosystem is CCLA2-secure for λ=0.15⋅n⋅log⁡q-1. So if we consider n=20 and log⁡(q-1) to be 1024, we can allow λ=3072 bits of leakage, from each split per occurrence. Considering only the most expensive computations, the computation cost of Enc and Dec is five exponentiations for each.

Modelling leakage.

A tuple of n~ adaptively chosen efficiently computable leakage functions

are introduced; the size n~ of the tuple is protocol-specific, and j indicates the jth leakage occurrence. A key exchange protocol may use more than one cryptographic primitive and each primitive uses a distinct secret key or secret state (in signature schemes). Hence, it is needed to address the leakage of secret keys or secret states from each of those primitives. Also, some cryptographic primitives which have been used to construct a key exchange protocol may be stateful cryptographic primitives. The execution of a stateful cryptographic primitive is split into a number of sequential stages and each of these stages uses one part of the secret key. The tuple of leakage functions 𝐟=(f1⁢j,f2⁢j,…,fn~⁢j) leaks information from the secret key of each of the underlying primitives or each split of the secret keys at occurrence j. There exists a leakage parameter 𝝀=(λ1,…,λn~), where each λi bounds the leakage for the corresponding primitive as key split.

Adversarial powers.

The adversary 𝒜 is a probabilistic polynomial time (PPT) algorithm that controls the whole network. Note that 𝒜 interacts with a set of sessions which represent protocol instances. The following query allows the adversary 𝒜 to run the protocol:

1. 𝚂𝚎𝚗𝚍⁢(U,V,s,m,𝐟) query: The session ΠU,Vs, computes the next protocol message according to the protocol specification and sends it to the adversary 𝒜, along with the leakage 𝐟⁢(skU). The adversary 𝒜 can also use this query to activate a new protocol instance as an initiator with blank m.

The following set of queries allow the adversary 𝒜 to compromise certain session specific ephemeral secrets and long-term secrets from the protocol principals:

1. 𝚂𝚎𝚜𝚜𝚒𝚘𝚗𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) query: 𝒜 is given the session key of the session ΠU,Vs.

2. 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕⁢(U,V,s) query: 𝒜 is given the ephemeral keys (per-session randomness) of ΠU,Vs.

3. 𝙲𝚘𝚛𝚛𝚞𝚙𝚝⁢(U) query: 𝒜 is given the long-term secrets of the principal U. This query does not reveal any session keys or ephemeral keys to 𝒜.

Once the session ΠU,Vs has accepted a session key, the adversary 𝒜 attempt to distinguish it from a random session key by asking the following query. The 𝚃𝚎𝚜𝚝 query is used to formalize the notion of the semantic security of a key exchange protocol:

1. 𝚃𝚎𝚜𝚝⁢(U,s) query: When 𝒜 asks the Test query, the challenger first chooses a random bit b←${0,1} and if b=1, then the actual session key is returned to 𝒜, otherwise a random string chosen from the same session key space is returned to 𝒜. This query is only allowed to be asked once across all sessions.

Bounded after-the-fact leakage-eCK model.

In the BAFL⁢-⁢eCK model the total amount of leakage of each secret key of the underlying cryptographic primitives or each split of the secret key of the underlying stateful cryptographic primitives are bounded by leakage parameters. The leakage parameters are primitive-specific.

If the total leakage bound of the ith cryptographic primitive (or the total leakage bound of the ith state of the stateful cryptographic primitive) is λi and the leakage function fi⁢j outputs leakage bits of the secret key of the ith cryptographic primitive (or leakage bits of the ith split of the secret key), then for leakage resilience of ith cryptographic primitive (or the stateful cryptographic primitive), we need that ∑j|fi⁢j⁢(si)|≤λi.

Continuous after-the-fact leakage-eCK model.

In the CAFL⁢-⁢eCK model, continuous leakage of each secret key of the underlying cryptographic primitives or each split of the secret key of the underlying stateful cryptographic primitives is allowed. The only restriction is that the amount of leakage per occurrence is bounded by leakage parameters. The leakage parameters are primitive-specific.

If the leakage bound of the ith cryptographic primitive is λi per leakage occurrence and the leakage function fi⁢j outputs leakage bits of the secret key of the ith cryptographic primitive, then for leakage resilience of the ith cryptographic primitive we need that |fi⁢j⁢(ski)|≤λi, per leakage occurrence. If the leakage bound of the ith state of the stateful cryptographic primitive is λi per leakage occurrence and the leakage function fi⁢j outputs leakage bits of the ith split of the secret key, then for leakage resilience of the stateful cryptographic primitive we need that |fi⁢j⁢(ski)|≤λi, per leakage occurrence.

Defining security.

In this part we give formal definitions for partner sessions and security in the (⋅)⁢AFL⁢-⁢eCK model.

Security of a key exchange protocol in the 𝝀-BAFL⁢-⁢eCK model is defined using the a security game (similar to the security game in the eCK model). If we consider 𝝀-BAFL⁢-⁢eCK-freshness, the security game is BAFL⁢-⁢eCK, otherwise if we consider 𝝀-CAFL⁢-⁢eCK-freshness, it is CAFL⁢-⁢eCK security game.

Let Succ𝒜 be the event that the adversary 𝒜 wins the security game. The security is defined as follows:

Practical interpretation of security of AFL⁢-⁢eCK model.

The (⋅)⁢AFL⁢-⁢eCK model addresses the real world attack scenarios which were discussed in Section 3.1, with the following differences.

1. Cold boot attacks: The (⋅)⁢AFL⁢-⁢eCK model allows the adversary to reveal either the long-term secret key (𝙲𝚘𝚛𝚛𝚞𝚙𝚝 query) or the ephemeral secret key (𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query) of the target session. The bounded leakage instantiation of the (⋅)⁢AFL⁢-⁢eCK model, the BAFL⁢-⁢eCK model, allows bounded amount of leakage of the long-term secret key with the ephemeral key reveal. Thus these queries address the cold boot attacks to some extent, where the cold boot attacks reveal either (i) the long-term secret key, (ii) the ephemeral secret key, or (iii) the ephemeral secret key and part of the long-term secret key of a protocol principal, which is same as in the Moriyama–Okamoto model. The improvement of the BAFL⁢-⁢eCK model is that it allows the adversary to obtain the partial leakage of long-term secret key even after the test session is established, which is not allowed in the Moriyama–Okamoto model.

2. Weak forward secrecy:(⋅)⁢AFL⁢-⁢eCK-freshness allows the adversary to corrupt both of the protocol principals of the target session, after the test session is activated, as long as the adversary is passive. Hence, the (⋅)⁢AFL⁢-⁢eCK model addresses weak forward secrecy, as for the eCK model and the Moriyama–Okamoto model.

3. eCK security: The (⋅)⁢AFL⁢-⁢eCK model is a leakage-resilient version of the eCK model [31], hence the (⋅)⁢AFL⁢-⁢eCK model captures all possible attacks from ephemeral and long-term key compromises. More precisely, in sessions where the adversary does not modify the communication between parties (passive sessions), the adversary is allowed to reveal both ephemeral secrets, both long-term secrets, or one of each from two different parties, whereas in sessions where the adversary may forge the communication of one of the parties (active sessions), the adversary is allowed to reveal the long-term or ephemeral key of the other party.

The main reason to introduce a generic-style security model, the (⋅)⁢AFL⁢-⁢eCK model, and then present two instantiations (BAFL⁢-⁢eCK model and CAFL⁢-⁢eCK model) is to offer more flexibility to construct leakage-resilient key exchange protocols. The (⋅)⁢AFL⁢-⁢eCK model gives a reasonable security framework for key exchange protocols capturing a wide range of practical attacks including side-channel attacks. The only difference between the two instantiations is the leakage allowance (bounded or continuous). If we need to implement a key exchange protocol which is resilient to cold boot attacks, we use the BAFL⁢-⁢eCK model as the security framework, whereas if we need to implement a key exchange protocol which is secure against continuous-leakage side-channel attacks such as timing, power analysis and EM radiation, we use the CAFL⁢-⁢eCK model as the security framework.

Leakage-resilient NAXOS trick [6].

Moving to the leakage-resilient setting requires rethinking the NAXOS trick. In the model “only computation leaks information”, we must consider leakage at any place the long-term secret key is used. Thus, some kind of leakage-resilient NAXOS trick is needed. As noted above, the initiator must not store the pseudo-ephemeral value, esk~, and instead must apply the NAXOS trick twice for each session. The hash function H is replaced with a new leakage-resilient NAXOS trick to compute the pseudo-ephemeral value. The requirement is, given the long-term secret key and a particular ephemeral key, the NAXOS trick should always compute the same pseudo-ephemeral value such that without knowing both the long-term and ephemeral keys the adversary is unable to compute the pseudo-ephemeral value. Moreover, the NAXOS trick computation should be resilient to the leakage of the long-term secret key, which happens even after the test session is activated.

A leakage-resilient NAXOS trick is achieved by using the decryption function of a CPLA2-secure public-key cryptosystem [22]. Since decryption is deterministic, given the long-term secret key and a randomly chosen ciphertext, it will output the corresponding plaintext. So one can randomly choose an ephemeral key and use it as the ciphertext to the decryption function, and obtain the corresponding plaintext (output of the decryption function) as the pseudo-ephemeral value. Without knowing both the long-term and ephemeral keys, it is infeasible to compute the pseudo-ephemeral value. Thus, a leakage-resilient NAXOS trick can be achieved and the pseudo-ephemeral value can be computed. Further, bounded or continuous leakage-resilient key exchange protocol can be constructed, if the underlying public-key cryptosystem is bounded or continuous leakage-resilient.

Pair generation indistinguishability [6].

Using a decryption algorithm of a CPLA2-secure public-key cryptosystem does not work for our requirement unless the public-key cryptosystem has a special property: any randomly chosen ciphertext should be decrypted without rejection. A randomly chosen ciphertext can be rejected with a significant probability if NIZK proofs have been used for CPLA2-secure public-key cryptosystems. In NIZK proofs, the party which creates a ciphertext should provide a proof of knowledge of the plaintext, and the party which decrypts the ciphertext first verifies the proof, then only if the proof is correct it decrypts the ciphertext, otherwise rejects. Use of a CPLA2-secure public-key cryptosystem without the special property would allow the adversary to break the protocol with a significant probability whenever a randomly chosen ciphertext is rejected. The special property is defined as pair generation indistinguishability.

Recall that the statistical distance, SD, between two distributions X and Y over a domain U is defined as

The notion of pair generation indistinguishability shares some resemblance with the pseudo-random decapsulation notion introduced by Abdalla, Catalano and Fiore [2], where the notion was needed for the construction of verifiable random functions from identity-based key encapsulation schemes. They presented a methodology to construct verifiable random functions (VRFs) from a class of identity based key encapsulation mechanisms (IB-KEM) that is called VRF suitable. An IB-KEM is VRF suitable if it provides a unique decryption (i.e. given a ciphertext C produced with respect to an identity ID, all the secret keys corresponding to identity ID′, decrypt to the same value, even if ID=ID′) and it satisfies an additional property called pseudo-random decapsulation. Pseudo-random decapsulation means that if one decrypts a ciphertext C, produced with respect to an identity ID, using the decryption key corresponding to any other identity ID′ the resulting value looks random to a polynomially bounded observer. Both the pair generation indistinguishability and the pseudo-random decapsulation notions are similar, except that the pseudo-random decapsulation is in the identity-based setting whereas the pair generation indistinguishability is in the public key setting.

We show a 0-PG-IND public-key cryptosystem available in the literature. Naor and Segev [38] described the framework of a hash proof system [14] as a key-encapsulation mechanism using the notion of Kiltz, Pietrzak, Stam and Yung [27]. Let K be the symmetric key space, let C be the valid ciphertext space and let M be the message space. Both K and C are of the same size and elements of M are μ-bit strings. The leakage-resilient public-key cryptosystem of Naor and Segev encrypts an arbitrary message m←$M as (Ψ,c,seed), where c←$C with the corresponding witness ω (of the fact that c is indeed a valid ciphertext from C), seed←${0,1}t is a random seed and Ψ=Ext⁡(Pub⁡(p,c,ω),seed)⊕m. Here Ext:K×{0,1}t→{0,1}μ is a public average-case strong extractor function [18], p is the public key and Pub is the deterministic public evaluation function of the underlying key-encapsulation mechanism. Pub receives as input a public key p, a valid ciphertext c∈C and the corresponding witness ω, and outputs an encapsulated key in K. Whenever a random (Ψ,c,seed) is sampled, the decryption, m←Ψ⊕Ext⁡(Priv⁡(s,c),seed) corresponds to a random m∈M. Priv is a private evaluation algorithm of the underlying key-encapsulation mechanism, receives as input the secret key s (of the public key p) and a valid ciphertext c, and outputs an encapsulated key in K. Thus, the leakage-resilient public-key cryptosystem of Naor and Segev is 0-PG-IND. The generic CPLA2-secure public-key cryptosystem of Halevi and Lin [22] can be instantiated using the leakage-resilient public-key cryptosystem of Naor and Segev. Hence, instantiation of the generic CPLA2-secure public-key cryptosystem of Halevi and Lin is also 0-PG-IND.

Authenticating protocol messages.

After computing the pseudo-ephemeral value by the NAXOS trick, a principal computes a Diffie–Hellman exponentiation and sends it to the other protocol principal. If that value is sent alone, the protocol is not secure because there is no authentication for the protocol messages, and hence an attacker can simply replace the original protocol message with its own value. In order to prevent this, it is necessary to provide authenticity to the protocol messages. There are unforgeable against chosen message leakage (UFCMLA) secure signature schemes available in the literature [26, 21, 33, 12], which can be used to sign the protocol messages and provide authenticity. Further, the key exchange protocol is bounded or continuous leakage-resilient if the underlying signature scheme is bounded or continuous leakage-resilient.

Weakening the (⋅)⁢AFL⁢-⁢eCK model.

The 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query of the (⋅)⁢AFL⁢-⁢eCK model allows the adversary to learn the randomness used in the session, including the randomness used in signing. Full leakage of the randomness is not allowed in leakage-resilient signature schemes. We notice that Alawatugoda, Stebila and Boyd [6] missed this fact. In order to use available leakage-resilient signature schemes in the protocol instantiation, we will assume that the 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query will not reveal the randomness used to compute the signature. Therefore, in this generic protocol construction, the security model we consider is slightly weaker than the actual (⋅)⁢AFL⁢-⁢eCK model, as it does not reveal the randomness used for signing with the 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query. We name the weaker model as w⁢(⋅)⁢AFL⁢-⁢eCK model.

We found that the generic protocol construction of [6] is vulnerable against active adversary. In the following we explain the reason: In that protocol construction, the inputs to the key derivation function contain the Diffie–Hellman shared secret, and the identities of the initiator and the responder, A and B, respectively: KDF(grA~⁢rB~,⊥,k,A∥B). Assume that the target session is in B. If the adversary corrupts B and gets the signing key of B, re-sign the protocol message XB computing the new signature σB′, that makes a different signature from σB, due to probabilistic signing algorithm. Then if the adversary sends B,A,XB,σB′ to B, instead of B,A,XB,σB, and executes the rest of the protocol, it results that A’s session and B’s session are not matching, because the message B,A,XB,σB computed by B is different from the message B,A,XB,σB′ received by A, but compute the same session key. Thus, the adversary can issue 𝚂𝚎𝚜𝚜𝚒𝚘𝚗𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query to the session at A and thus trivially learn the session key of the target session. Cremers [15] showed that such attacks can be avoided by using the session identifier in the key derivation step together with other shared secrets. Thus, in this paper we re-design the protocol accordingly to ensure that mismatching sessions do not compute same session keys. Thus, the session key is derived using a pseudo-random function as K←PRF(ms,A∥XA∥σA∥B∥XB∥σB) such that it contains the session identifier A∥XA∥σA∥B∥XB∥σB as an input to the pseudo-random function. The shared secret ms is derived as ms←KDF⁢(XBrA~,⊥,k,⊥). The σ input to the KDF is the Diffie–Hellman shared secret value XBrA~, and it is a uniformly random element of the group, and therefore we can use KDF in the simulation without any problem.

Protocol construction.

In Table 3, we show the construction of protocol π with the fixture to the mentioned problem. Here KeyGen, Enc and Dec are the key generation, encryption and decryption algorithms of the underlying CPLA2-secure (Section C.3.3), ϵ-PG-IND-public-key cryptosystem PKE with ciphertext space C^. Moreover, we choose the message space M of the underlying public-key encryption scheme PKE to be equal to ℤq*. Furthermore, KG, Sign and Vfy are the key generation, signature generation and signature verification algorithms of the underlying leakage-resilient signature scheme SIG (Section C.3.4). The protocol π is a Diffie–Hellman-type [16] key agreement protocol, where 𝔾 is a group of prime order q with generator g. After exchanging the public values both principals compute a Diffie–Hellman-type shared secret value, KDF is a secure key derivation function (Section C.2.1) which generates a shared secret key (ms) using the Diffie–Hellman-type shared secret key, and PRF is a pseudo-random function (Section C.2.2) that is used to compute the session key using that shared key, ms, and the protocol message sequence. The computations which leak information are underlined.

Security proof of Protocol π in the w⁢(⋅)⁢AFL⁢-⁢eCK model.

We prove the security of the generic protocol π in the w⁢(⋅)⁢AFL⁢-⁢eCK model. If the underlying primitives are secure in the bounded or continuous leakage model, the protocol π is BAFL⁢-⁢eCK-secure or CAFL⁢-⁢eCK-secure, respectively (with the restriction that 𝙴𝚙𝚑𝚎𝚖𝚎𝚛𝚊𝚕𝙺𝚎𝚢𝚁𝚎𝚟𝚎𝚊𝚕 query does not reveal the randomness used in the signature computation).