Abstract
With the development of sidechannel attacks, a necessity arises to invent authenticated key exchange protocols in a leakageresilient manner. Constructing authenticated key exchange protocols using existing cryptographic schemes is an effective method, as such construction can be instantiated with any appropriate scheme in a way that the formal security argument remains valid. In parallel, constructing authenticated key exchange protocols that are proven to be secure in the standard model is more preferred as they rely on realworld assumptions. In this paper, we present a Diffie–Hellmanstyle construction of a leakageresilient authenticated key exchange protocol, that can be instantiated with any \(\text {CCLA2}\)secure publickey encryption scheme and a function from the pseudorandom function family. Our protocol is proven to be secure in the standard model assuming the hardness of the decisional Diffie–Hellman problem. Furthermore, it is resilient to continuous partial leakage of longterm secret keys, that happens even after the session key is established, while satisfying the security features defined by the \(\text {eCK}\) security model.
This is a preview of subscription content, access via your institution.
Data availability
Not applicable.
Code availability
Not applicable.
Change history
17 February 2023
Incorrect ORCID number of the author Dr. Janaka Alawatugoda has been corrected.
References
Alawatugoda J.: Generic construction of an ecksecure key exchange protocol in the standard model. Int. J. Inf. Secur. 16(5), 541–557 (2017).
Alawatugoda J.: On the leakageresilient key exchange. J. Math. Cryptol. 11(4), 215–269 (2017).
Alawatugoda J.: Publickey encryption in the standard model against strong leakage adversary. Comput. J. 63(12), 1904–1914 (2020).
Alawatugoda J., Boyd C., Stebila D.: Continuous afterthefact leakageresilient key exchange. In: Information Security and Privacy—19th Australasian Conference, ACISP 2014, Wollongong, NSW, Australia, July 7–9, 2014. Proceedings, pp. 258–273 (2014).
Alawatugoda J., Jayasinghe D., Ragel R.: Countermeasures against Bernstein’s remote cache timing attack. In: 6th IEEE International Conference on Industrial and Information Systems (ICIIS), pp. 43 –48 (2011).
Alawatugoda J., Stebila D., Boyd C.: Modelling afterthefact leakage for key exchange. In: 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’14, Kyoto, Japan—June 03–06, 2014, pp. 207–216 (2014).
Alawatugoda J., Stebila D., Boyd C.: Continuous afterthefact leakageresilient ecksecure key exchange. In: Cryptography and Coding—15th IMA International Conference, IMACC 2015, Oxford, UK, December 1517, 2015. Proceedings, pp. 277–294 (2015).
Bellare M., Rogaway P.: Entity authentication and key distribution. In: CRYPTO, pp. 232–249 (1993).
Bellare M., Rogaway P.: Provably secure session key distribution—the three party case. In: 27th ACM STOC, pp. 57–66. ACM Press (1995).
Boneh D., Canetti R., Halevi S., Katz J.: Chosenciphertext security from identitybased encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).
Boyd C., Cliff Y., Nieto J.M.G., Paterson K.G.: Oneround key exchange in the standard model. Int. J. Adv. Comput. Technol. 1, 181–199 (2009).
Brumley D., Boneh D.: Remote timing attacks are practical. Presented at the (2003).
Canetti R., Krawczyk H.: Analysis of keyexchange protocols and their use for building secure channels. In: EUROCRYPT, pp. 453–474 (2001).
Chakraborty S., Alawatugoda J., Rangan C.P.: Leakageresilient noninteractive key exchange in the continuousmemory leakage setting. In: Okamoto, T., Yu Y., Au M.H., Li Y. (eds.) Provable Security—11th International Conference, ProvSec 2017, Xi’an, China, October 2325, 2017, Proceedings, vol. 10592 of Lecture Notes in Computer Science, pp. 167–187. Springer (2017).
Chen R., Mu Y., Yang G., Susilo W., Guo F.: Strongly leakageresilient authenticated key exchange. In: Sako K. (ed.) Topics in Cryptology—CTRSA 2016—The Cryptographers’ Track at the RSA Conference 2016, San Francisco, CA, USA, February 29–March 4, 2016, Proceedings, vol. 9610 of Lecture Notes in Computer Science, pp. 19–36. Springer (2016).
Chen R., Mu Y., Yang G., Susilo W., Guo F.: Strong authenticated key exchange with auxiliary inputs. Des. Codes Cryptogr. 85(1), 145–173 (2017).
Diffie W., Hellman M.: New directions in cryptography. IEEE Trans. Inf. Theory 644–654 (1976).
Dziembowski S., Faust S.: Leakageresilient cryptography from the innerproduct extractor. In: ASIACRYPT, pp. 702–721 (2011).
Herath I., Ragel R.: Side channel attacks: measures and countermeasures. Presented at the (2007).
Herath U., Alawatugoda J., Ragel R.: Software implementation level countermeasures against the cache timing attack on advanced encryption standard. Presented at the (2013).
Hutter M., Mangard S., Feldhofer M.: Power and EM attacks on passive 13.56MHz RFID devices. In: CHES, pp. 320–333 (2007).
Katz J., Lindell Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC Press, London (2007).
Kocher P.C.: Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems. In: CRYPTO, pp. 104–113 (1996).
LaMacchia B., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: ProvSec, pp. 1–16 (2007).
Messerges T., Dabbish E., Sloan R.: Examining smartcard security under the threat of power analysis attacks. IEEE Trans. Comput. 51, 541–552 (2002).
Moriyama D., Okamoto T.: Leakage resilient eCKsecure key exchange protocol without random oracles. In: ASIACCS, pp. 441–447 (2011).
Yang G., Chen R., Mu Y., Susilo W., Guo F., Li J.: Strongly leakage resilient authenticated key exchange, revisited. Des. Codes Cryptogr. 87(12), 2885–2911 (2019).
Yang G., Mu Y., Susilo W., Wong D.S.: Leakage resilient authenticated key exchange secure in the auxiliary input model. In: ISPEC, pp. 204–217 (2013).
Acknowledgements
This work was carried out with the aid of a grant from UNECSOTWAS (21021 RG/MATHS/AS_IFR3240319461) and the Swedish International Development Cooperation Agency (Sida). The views expressed herein do not necessarily represent those of UNESCOTWAS, Sida or its Board of Governors.
Funding
UNECSOTWAS Research Grant (21021 RG/MATHS/AS_IFR3240319461)
Author information
Authors and Affiliations
Contributions
Equally contributed.
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interests.
Ethical approval
No animals or humans are used.
Consent to participate
Not applicable.
Consent for publication
Not applicable.
Additional information
Communicated by C. Blundo.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix A: Preliminaries
1.1 A.1 Leakage model
We frequently borrow notions for the leakage model from Dziembowski and Faust [18].
Leakage game Assume that secret key is stored in the memory as two encoded parts, say L and \(R \in \{ 0, 1\}^s\), and an adversary \({\mathcal {A}}\) wants to learn information from L and R. For a positive integer \(\lambda \), we define \(\lambda \)leakage game between an adaptive adversary \({\mathcal {A}}\), called \(\lambda \)limited adversary, and a leakage oracle \(\varLambda (L, R)\) as follows: the adversary queries two adaptivelychosen leakage functions \((f_1, f_2)\) to the oracle \(\varLambda (L, R)\). Then the oracle replies with \(f_1(L)\) and \(f_2(R)\) with restriction that the adversary cannot learn more than \(\lambda \)bits from each L and R at the end of the game. We denote \(Out( {\mathcal {A}}, \varLambda (L, R) )\) by the output of this game. Moreover, the information from L and R are leaked independently from each other.
Leakage from computations We follow the axiom “only computations leak information" and assume that only computations involving L or R leak their information to the adversary. This can be described in the following setting.
Consider a twoparty protocol between the parties \(P_L\) and \(P_R\). Initially, the party \(P_L\) (respectively, \(P_R\)) is given the input L (resp. R) and at the end of the protocol each party have the results \(L'\) and \(R'\), respectively. The execution of the protocol proceeds in rounds. In each round, one party (owner) computes a message and send it to the other. The message may be computed from owner’s input (eg. L or R), randomness chosen by the owner, and the received message from the earlier rounds. In the setting that only computation leaks information, the computations carried out by \(P_L\) (resp. \(P_R\)) with the initial state L (resp. R) in each round may leak information on L (resp. R) independently from R (resp. L). Precisely, the adversary \({\mathcal {A}}\) adaptively chooses two leakage functions \((f_1^j,f_2^j)\) and obtains \(f_1^j(L)\) and \(f_2^j(R)\) from each jth round in the execution of the protocol. At this time, the adversary is allowed to play the \(\lambda \)leakage game with access to the leakage oracle \(\varLambda ( (L, \rho _L, M_L ) ; ( R, \rho _R, M_R ) )\), where \(\rho _x\) is the randomness used by \(x \in \{L, R \}\) and \(M_x\) is the previously received message by user \(x \in \{ L, R \}\) in the execution of the protocol. We sometimes omit \(\rho _x\) or \(M_x\) when they are obviously null from the context.
1.2 A.2 Leakageresilient storage scheme and it’s refreshing protocol
In Dziembowski and Faust [18], they used a leakageresilient storage scheme to encode the secret key into two parts and a refreshing protocol to construct publickey cryptosystems secure against continuous partial leakage attacks.
1.2.1 A.2.1 Leakageresilient storage
A leakageresilient storage (LRS) \(\varPhi = (\text {Encode}, \text {Decode})\) is a scheme to encode a message in \({\mathcal {M}}\), where \(\text {Encode}: {\mathcal {M}} \rightarrow {\mathcal {L}} \times {\mathcal {R}}\) is a probabilistic polynomialtime function and \(\text {Decode}: {\mathcal {L}} \times {\mathcal {R}} \rightarrow {\mathcal {M}} \) is a deterministic, polynomialtime function satisfying \(\text {Decode}( \text {Encode}(S) ) = S\) for any \(S \in {\mathcal {M}}\).
An LRS \(\varPhi \) is called \((\lambda , \epsilon )\)secure if for any \(S, S' \in {\mathcal {M}}\) and any \(\lambda \)limited adversary \({\mathcal {A}}\), we have
where \((L, R) {:= } \text {Encode}(S)\) and \((L', R') {:= } \text {Encode}(S')\). Here, \(\varDelta \) denotes the statistical distance.
In Dziembowski and Faust [18], they use the fact that the LRS from inner product is \((\lambda , \epsilon )\)secure for some \(\lambda \) and \(\epsilon >0\). Precisely, for a field \({\mathbb {F}}\), an LRS \(\varPhi _{{\mathbb {F}}}^{n, m} = (\text {Encode}_{{\mathbb {F}} }^{n, m} , \text {Decode}_{{\mathbb {F}} }^{n, m} ) \) is defined as follows:

\(\text {Encode}_{{\mathbb {F}} }^{n, m}(S)\) chooses \(L \leftarrow {\mathbb {F}}^n \backslash \{0^n\}\) and samples \(R \leftarrow {\mathbb {F}}^{n \times m}\) such that \(L \cdot R = S\).

\(\text {Decode}_{{\mathbb {F}} }^{n, m}(L, R)\) computes \(L \cdot R = S\).
Corollary 1
[18] Suppose \( {\mathbb {F}}  = \varOmega (n) \) and \(m < n/20\), then the LRS \(\varPhi _{{\mathbb {F}}}^{n, m}\) is a \(( 0.3  {\mathbb {F}}^n  , \epsilon )\)secure LRS, where \(\epsilon \) is negligible in the statistical security parameter \(n \in {\mathbb {N}}\).
1.2.2 A.2.2 Refreshing protocol
It is obvious that the above LRS scheme is not secure, if we allow an adversary to obtain leakage information continuously from L and R. To prevent this obstacle, Dziembowski and Faust [18] introduced a refreshing protocol \(\text {Refresh}\) of an LRS \(\varPhi \). The main idea is to refresh the encoded secret (L, R) securely to a newly encoded value \((L', R')\) so that it does not reveal enough information to recover the secret key even when an \(\lambda \)limited adversary can observe the leakage continuously from the refreshing protocol.
Precisely, a refreshing protocol \((L', R') \leftarrow \text {Refresh}(L , R)\) is a twoparty protocol between \(P_L\) and \(P_R\) holding L and R respectively. At the end of the protocol, each party outputs \(L'\) and \(R'\) respectively satisfying \(\text {Decode}(L, R) = \text {Decode}(L', R')\).
Let \(\text {Refresh}\) a refreshing protocol, \(\varPhi = (\text {Encode}, \text {Decode})\) an LRS, \({\mathcal {A}}\) an \(\lambda \)limited adversary, \(\ell \in {\mathbb {N}}\) and \(S \in {\mathcal {M}}\). We consider the following experiments \(\text {Exp}_{(\text {Refresh}, \varPhi )} ({\mathcal {A}}, S, \ell )\):

For a secret S, encode it by \((L^0, R^0) \leftarrow \text {Encode}(S)\).

For \(i=1\) to \(\ell \), run \({\mathcal {A}}\) against the refreshing protocol: \( {\mathcal {A}} \leftrightarrows ( \text {Refresh}(L_{i1}, R_{i1}) \rightarrow (L_i, R_i) )\).

Return \(b \in \{0, 1\}\) output by \({\mathcal {A}}\).
As described in the previous paragraph, the leakage from each execution of the protocol is obtained via the leakage oracle \(\varLambda ( (L_i , \rho _{L_i}, M_{L_i}) ; (R_i , \rho _{R_i} , M_{R_i} ) )\). Finally, the security of the refreshing protocol is defined by indistinguishability notion.
Definition 1
(\(A (\ell , \lambda , \epsilon _1)\)secure refreshing protocol [18]) For a LRS \(\varPhi \) with message space \({\mathcal {M}}\) and \(\ell \in {\mathbb {N}}\) number of leakage rounds, a refreshing protocol \(\text {Refresh}\) is \((\ell , \lambda , \epsilon _1)\)secure, if for any \(\lambda \)limited adversary \({\mathcal {A}}\) and any two secrets \(S, S' \in {\mathcal {M}}\), we have
Theorem 2
[18] Let \(m/3 \le n\), \(n \ge 16\) and \(\ell \in {\mathbb {N}}\). Let n, m and \({\mathbb {F}}\) be such that \(\varPhi _{{\mathbb {F}}}^{n, m}\) is \((\lambda , \epsilon )\)secure for some \(\lambda , \epsilon >0\). Then the protocol \(\text {Refresh}_{{\mathbb {F}}}^{n, m}\) is a \((\ell , \lambda /21, \epsilon ')\)secure refreshing protocol for \(\varPhi _{{\mathbb {F}}}^{n, m}\) with \(\epsilon ' = 2\ell  {\mathbb {F}} ^m ( 3 {\mathbb {F}}^m \epsilon + m {\mathbb {F}}^{n1} )\).
Definition 2
(\(A (\ell , \lambda , \epsilon _1)\)secure refreshing protocol with auxiliary information [18]) Let \(Z \subset {\mathcal {M}}^m\) be an \(m' < m\) dimensional affine subspace defined by W and Q. For a LRS \(\varPhi \) with message space \({\mathcal {M}}\) and \(\ell \in {\mathbb {N}}\), a refreshing protocol \(\text {Refresh}\) is \((\ell , \lambda , \epsilon _1)\)secure with auxiliary information (W, Q), if for any \(\lambda \)limited adversary \({\mathcal {A}}\) and any two secrets \(S, S' \in {\mathcal {M}}\), we have,
Theorem 3
(Generalization of Theorem 1 [18]) Let \(m/4 \le n\), \(n \ge 16\) and \(\ell \in {\mathbb {N}}\). Let (W, Q) be as above defining an \(m' < m\) dimensional affine subspace Z. Let \(n, m'\) and \({\mathbb {F}}\) be such that \(\varPhi _{{\mathbb {F}}}^{n, m'}\) is \((\lambda , \epsilon )\)secure for some \(\lambda , \epsilon >0\). Then the protocol \(\text {Refresh}_{{\mathbb {F}}}^{n, m}\) is a \((\ell , \lambda /21,\epsilon ')\)secure refreshing protocol with auxiliary information defined by (W, Q) for \(\varPhi _{{\mathbb {F}}}^{n, m}\) with \(\epsilon ' = 2\ell  {\mathbb {F}} ^m ( 3 {\mathbb {F}}^{2m} \epsilon + m {\mathbb {F}}^{n1} )\).
Corollary 2
[18] Suppose \( {\mathbb {F}}  = \varOmega (n) \) and \(m =o(n)\), then the \(\text {Refresh}_{{\mathbb {F}}}^{n, m}\) is a \((\ell , 0.15n\log {\mathbb {F}})1,\epsilon _1)\)secure refreshing protocol for \(\varPhi _{{\mathbb {F}}}^{n, m}\), where \(\ell \) is a polynomial and \(\epsilon _1\) is negligible in the statistical security parameter \(n \in {\mathbb {N}}\).
1.3 A.3 Leakageresilient CCA2secure publickey encryption scheme
For security parameter k, a publickey encryption scheme \(\text {PKE} = ( \text {KG}, \text {Enc}, \text {Dec})\) consists of the following algorithms.

\((pk , sk) \leftarrow \text {KG}(1^k)\): It outputs a public/secret key pair.

\(c \leftarrow \text {Enc}(pk, m)\): A probabilistic polynomialtime algorithm that outputs \(c = \text {Enc}(pk, m)\) with inputs a message m and the public key pk.

\(m = \text {Dec}(sk, c)\): A deterministic algorithm that decrypts the ciphertext c together with the secret key sk. We always have \(m = \text {Dec}(sk, \text {Enc}(pk , m) )\).
The strongest security notion for publickey encryption scheme is security against adaptivelychosenciphertext attacks (CCA2secure). In CCA2 attack against a publickey encryption scheme, the adversary who is given pk picks two messages \(m_0, m_1\) and guesses \(b \in \{ 0, 1 \} \) on input \(c^* = \text {Enc}(pk, m_b)\) while the adversary is allowed to ask for the decryption of chosenciphertexts prior and after to seeing \(c^*\).
In the setting that computation leaks information, it is natural to consider leakage information from the queries to the decryption oracle. This yields the following extension of CCA2security against leakage attacks.
Definition 3
([18], Security against Chosen Ciphertext Leakage Attacks (CCLA2)) Let k be the security parameter. A publickey encryption scheme \(\text {PKE} = (\text {KG}, \text {Enc}, \text {Dec})\) is \(\text {CCLA2}\)secure if for any \(\lambda '\)limited adversary \({\mathcal {A}}\) the probability that the experiment below outputs 1 is at most \(1/2 + \texttt {negl}(k)\).

1.
The challenger runs \((pk, sk) \leftarrow \text {KG}(1^k)\) and sends pk to \({\mathcal {A}}\).

2.
The adversary \({\mathcal {A}}\) asks for the decryption of a ciphertext c learning at most \(\lambda '\)bits of the current secret sk for each query: \({\mathcal {A}} \leftrightarrows ( \text {Dec}(sk, c) \rightarrow sk' )\). Set \(sk {:= } sk'\) for the next round.

3.
\({\mathcal {A}}\) outputs two messages, \(m_0, m_1\), and sends them to the challenger.

4.
The challenger computes \(c^* \leftarrow \text {Enc}(pk, m_b)\) for \(b \in \{0, 1\}\) and gives it to \({\mathcal {A}}\).

5.
Repeat \({\mathcal {A}} \leftrightarrows ( \text {Dec}(sk, c) \rightarrow sk' )\) for \(c \ne c^*\) learning at most \(\lambda '\)bits of the current secret sk. Set \(sk {:= } sk'\) for the next round.

6.
\({\mathcal {A}}\) outputs \(b' \in \{ 0, 1\}\). If \(b = b'\), then output 1, otherwise output 0.
1.4 A.4 Pseudorandom functions
We now describe the security definition of pseudorandom functions according to Katz and Lindell [22].
Definition 4
(PseudoRandom Functions) Let \(F: \{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}^*\) be an efficient, length preserving, keyed function. We say F is a pseudorandom function if for all probabilistic polynomialtime adversaries \({\mathcal {A}}\), there exists a negligible function \(\epsilon _{\text {PRF}}\) in the security parameter k such that:
where \(key \in \{0,1\}^k\) is chosen uniformly at random an \(f_{\text {rnd}}\) is chosen uniformly at random from the set of functions mapping kbit strings to kbit strings.
Appendix B: Proof sketches of Lemmas 1 and 2
1.1 B.1 Proof sketch of Lemma 1
Proof
(Sketch) The proof is similar to that in Dziembowski and Faust [18]. The simulation is described as follows:

1.
The simulator \({\mathcal {S}}\) is given the auxiliary information \(\text {aux} = (R_1 + R_2)\), and given access to the leakage oracle \(\varLambda (L^*, R^*)\). She sets \(L = L^*\) and \(R_1 = R^*\).

2.
\({\mathcal {S}}\) simulates the leakage of L and \(R_1\) using the leakage oracle \(\varLambda (L^*, R^*)\).

3.
The leakage of \(R_2\) can be described from the relation \(R_2=\text {aux}  R^*\). Therefore, \({\mathcal {S}}\) can perfectly simulate the leakage of \(R_2\) using the leakage oracle \(\varLambda (L^*, R^*)\) and the auxiliary value \(\text {aux}\).
\(\square \)
1.2 B.2 Proof sketch of Lemma 2
Proof
(Sketch) Note that (W, A) defines a 1dimensional subspace \(Z \subset ({\mathbb {Z}}_q)^2\) that contains all the pairs \((a_1, a_2)\) that correspond to the public key A. For any \(S,S' \in Z\) and any \((\lambda /2 1 )\)limited adversary \({\mathcal {A}}\) we have by the Theorem 2 (Generalization of Theorem 1) of Dziembowski and Faust [18], for refreshing of \(\varPhi _{{\mathbb {Z}}_q}^{n, 2}\) that,
The above experiment addresses only the leakage from the refreshing operation of (L, R). In order to combine this with leakage from \(\texttt{exp}\), we use the leakage simulation from Lemma 1. We can apply this lemma since (1)–Eq. (18) is shown by reduction to the \((\lambda ,\epsilon )\)security of \(\varPhi _{{\mathbb {Z}}_q}^{n, 2}\) and (2)–\(\text {aux}\) is known to the leakage simulator. This completes the proof of Lemma 2, by proving that \(\epsilon _1\) is negligible in the statistical security parameter n. \(\square \)
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author selfarchiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Alawatugoda, J., Okamoto, T. Standard model leakageresilient authenticated key exchange using innerproduct extractors. Des. Codes Cryptogr. 90, 1059–1079 (2022). https://doi.org/10.1007/s10623022010280
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623022010280
Keywords
 Leakageresilient cryptography
 Authenticated key exchange
 \(\text {eCK}\) model
 \(\text {CAFLeCK}\) model
 Standard model