Designs, Codes and Cryptography, Volume 87, Issue 12, pp 2885–2911

Strongly leakage resilient authenticated key exchange, revisited

  • Guomin Yang
  • Rongmao Chen (corresponding author)
  • Yi Mu
  • Willy Susilo
  • Fuchun Guo
  • Jie Li


Authenticated Key Exchange (AKE) protocols allow two (or more) parties to authenticate each other and agree on a common secret key, which is essential for establishing a secure communication channel over a public network. AKE protocols form a central component of many network security standards such as IPSec, TLS/SSL, and SSH. However, it has been demonstrated that many standardized AKE protocols are vulnerable to side-channel and key leakage attacks. To defend against such attacks, leakage resilient (LR-) AKE protocols have been proposed in the literature. Nevertheless, most existing LR-AKE protocols focus only on resistance to long-term key leakage, while in practice the ephemeral secret key (or randomness) can also leak for various reasons, such as the use of poor randomness sources or insecure pseudo-random number generators (PRNGs). In this paper, we revisit the strongly leakage resilient AKE protocol (CT-RSA'16) that aimed to resist challenge-dependent leakage on both long-term and ephemeral secret keys. We show that there is a security issue in the design of the protocol and propose an improved version that fixes the problem. In addition, we extend the protocol to a more general framework that can be efficiently instantiated under various assumptions, including hybrid instantiations that resist key leakage attacks while preserving session key security against future quantum machines.


Keywords

Authenticated key exchange; Key leakage; Weak randomness

Mathematics Subject Classification

94A60; 14G50



Acknowledgements

We would like to thank Janaka Alawatugoda for his comments on a preliminary version of this paper. The work of Guomin Yang is supported by the Australian Research Council Discovery Early Career Researcher Award (Grant No. DE150101116) and the National Natural Science Foundation of China (Grant No. 61472308). The work of Rongmao Chen is supported by the National Natural Science Foundation of China (Grant No. 61702541), the Young Elite Scientists Sponsorship Program by CAST (Grant No. 2017QNRC001), and the Science Research Plan Program by NUDT (Grant No. ZK17-03-46). The work of Yi Mu is supported by the National Natural Science Foundation of China (Grant No. 61872087).


References

  1. Akavia A., Goldwasser S., Vaikuntanathan V.: Simultaneous hardcore bits and cryptography against memory attacks. In: TCC, pp. 474–495 (2009).
  2. Akinyele J.A., Garman C., Miers I., Pagano M.W., Rushanan M., Green M., Rubin A.D.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013).
  3. Alawatugoda J., Stebila D., Boyd C.: Modelling after-the-fact leakage for key exchange. In: ASIACCS, pp. 207–216 (2014).
  4. Alwen J., Dodis Y., Wichs D.: Leakage-resilient public-key cryptography in the bounded-retrieval model. In: CRYPTO, pp. 36–54 (2009).
  5. Bellare M., Rogaway P.: Entity authentication and key distribution. In: CRYPTO, pp. 232–249 (1993).
  6. Bellare M., Canetti R., Krawczyk H.: A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In: ACM Symposium on the Theory of Computing, pp. 419–428 (1998).
  7. Biham E., Shamir A.: Differential fault analysis of secret key cryptosystems. In: CRYPTO, pp. 513–525 (1997).
  8. Bos J.W., Costello C., Naehrig M., Stebila D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy, pp. 553–570 (2015).
  9. Bos J.W., Costello C., Ducas L., Mironov I., Naehrig M., Nikolaenko V., Raghunathan A., Stebila D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 Oct 2016, pp. 1006–1018 (2016).
  10. Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: EUROCRYPT, pp. 453–474 (2001).
  11. Chen R., Mu Y., Yang G., Susilo W., Guo F.: Strongly leakage-resilient authenticated key exchange. In: CT-RSA, pp. 19–36 (2016).
  12. Chen R., Mu Y., Yang G., Susilo W., Guo F.: Strong authenticated key exchange with auxiliary inputs. Des. Codes Cryptogr. 85(1), 145–173 (2017).
  13. Choo K.R., Boyd C., Hitchcock Y.: Examining indistinguishability-based proof models for key establishment protocols. In: ASIACRYPT, pp. 585–604 (2005).
  14. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: EUROCRYPT, pp. 45–64 (2002).
  15. Cremers C.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: ASIACCS 2011, pp. 80–91 (2011).
  16. Diffie W., Hellman M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976).
  17. Dodis Y., Ostrovsky R., Reyzin L., Smith A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008).
  18. Dodis Y., Kalai Y.T., Lovett S.: On cryptography with auxiliary input. In: STOC, pp. 621–630 (2009).
  19. Dodis Y., Haralambiev K., López-Alt A., Wichs D.: Efficient public-key cryptography in the presence of key leakage. In: ASIACRYPT, pp. 613–631 (2010).
  20. Entity authentication mechanisms, Part 3: Entity authentication using asymmetric techniques. ISO/IEC IS 9789-3 (1993).
  21. Faust S., Hazay C., Nielsen J.B., Nordholt P.S., Zottarel A.: Signature schemes secure against hard-to-invert leakage. In: ASIACRYPT, pp. 98–115 (2012).
  22. Feltz M., Cremers C.: On the limits of authenticated key exchange security with an application to bad randomness. IACR Cryptol. ePrint Arch. 2014, 369 (2014).
  23. Gandolfi K., Mourtel C., Olivier F.: Electromagnetic analysis: concrete results. In: Cryptographic Hardware and Embedded Systems, pp. 251–261 (2001).
  24. Halderman J.A., Schoen S.D., Heninger N., Clarkson W., Paul W., Calandrino J.A., Feldman A.J., Appelbaum J., Felten E.W.: Lest we remember: cold boot attacks on encryption keys. In: USENIX Security Symposium, pp. 45–60 (2008).
  25. Halevi S., Lin H.: After-the-fact leakage in public-key encryption. In: TCC, pp. 107–124 (2011).
  26. Kocher P.C., Jaffe J., Jun B.: Differential power analysis. In: CRYPTO, pp. 388–397 (1999).
  27. Krawczyk H.: SIGMA: the 'sign-and-mac' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: CRYPTO, pp. 400–425 (2003).
  28. LaMacchia B.A., Lauter K.E., Mityagin A.: Stronger security of authenticated key exchange. In: Provable Security, pp. 1–16 (2007).
  29. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. In: Advances in Cryptology, EUROCRYPT 2010, pp. 1–23 (2010).
  30. Marvin R.: Google admits an Android crypto PRNG flaw led to Bitcoin heist (Aug 2013).
  31. Micali S., Reyzin L.: Physically observable cryptography (extended abstract). In: TCC, pp. 278–296 (2004).
  32. Moriyama D., Okamoto T.: Leakage resilient eCK-secure key exchange protocol without random oracles. In: ASIACCS, pp. 441–447 (2011).
  33. Okamoto T.: Authenticated key exchange and key encapsulation in the standard model. In: ASIACRYPT, pp. 474–484 (2007).
  34. Peikert C.: Lattice cryptography for the internet. In: PQCrypto, pp. 197–219 (2014).
  35. Quisquater J., Samyde D.: Electromagnetic attack. In: Encyclopedia of Cryptography and Security, 2nd ed., pp. 382–385 (2011).
  36. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 84–93 (2005).
  37. Shumow D., Ferguson N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG.
  38. Yang G., Duan S., Wong D.S., Tan C.H., Wang H.: Authenticated key exchange under bad randomness. In: Financial Cryptography and Data Security, pp. 113–126 (2011).
  39. Yang G., Mu Y., Susilo W., Wong D.S.: Leakage resilient authenticated key exchange secure in the auxiliary input model. In: ISPEC, pp. 204–217 (2013).
  40. Zetter K.: How a crypto 'backdoor' pitted the tech world against the NSA.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  • Guomin Yang (2)
  • Rongmao Chen (1), corresponding author
  • Yi Mu (2)
  • Willy Susilo (2)
  • Fuchun Guo (2)
  • Jie Li (1)

  1. College of Computer, National University of Defense Technology, Changsha, China
  2. School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
