Public-Key Cryptography – PKC 2013

Volume 7778 of the series Lecture Notes in Computer Science pp 497-515

On the Connection between Leakage Tolerance and Adaptive Security

  • Jesper Buus Nielsen (Aarhus University)
  • Daniele Venturi (Aarhus University)
  • Angela Zottarel (Aarhus University)



We revisit the context of leakage-tolerant interactive protocols as defined by Bitansky, Canetti and Halevi (TCC 2012). Our contributions can be summarized as follows:

  1. For the purpose of secure message transmission, any encryption protocol with message space \(\mathcal{M}\) and secret key space \(\mathcal{SK}\) tolerating poly-logarithmic leakage on the secret state of the receiver must satisfy \(|\mathcal{SK}| \ge (1-\epsilon)|\mathcal{M}|\), for every \(0 < \epsilon \le 1\), and if \(|\mathcal{SK}| = |\mathcal{M}|\), then the scheme must use a fresh key pair to encrypt each message.

  2. More generally, we show that any n-party protocol tolerates leakage of ≈ poly(log κ) bits from one party at the end of the protocol execution, if and only if the protocol has passive adaptive security against an adaptive corruption of one party at the end of the protocol execution. This shows that as soon as a little leakage is tolerated, one needs full adaptive security.

  3. In case more than one party can be corrupted, we get that leakage tolerance is equivalent to a weaker form of adaptivity, which we call semi-adaptivity. Roughly, a protocol has semi-adaptive security if there exists a simulator that can simulate the internal state of corrupted parties; however, such a state is not required to be indistinguishable from a real state, only to be one that would have led to the simulated communication.


All our results can be based on the sole assumption that collision-resistant function ensembles exist.


Keywords: simulation-based security, leakage tolerance, adaptive security, arguments of knowledge