Paper 2020/771

Leakage-Resilient Key Exchange and Two-Seed Extractors

Xin Li, Fermi Ma, Willy Quach, and Daniel Wichs

Abstract

Can Alice and Bob agree on a uniformly random secret key without having any truly secret randomness to begin with? Here we consider a setting where Eve can get partial leakage on the internal state of both Alice and Bob individually before the protocol starts. They then run a protocol using their states without any additional randomness and need to agree on a shared key that looks uniform to Eve, even after observing the leakage and the protocol transcript. We focus on non-interactive (one round) key exchange (NIKE), where Alice and Bob send one message each without waiting for one another. We first consider this problem in the symmetric-key setting, where the states of Alice and Bob include a shared secret as well as individual uniform randomness. However, since Eve gets leakage on these states, Alice and Bob need to perform privacy amplification to derive a fresh secret key from them. Prior solutions require Alice and Bob to sample fresh uniform randomness during the protocol, while in our setting all of their randomness was already part of their individual states a priori and was therefore subject to leakage. We show an information-theoretic solution to this problem using a novel primitive that we call a two-seed extractor, which we in turn construct by drawing a connection to communication-complexity lower-bounds in the number-on-forehead (NOF) model. We then turn to studying this problem in the public-key setting, where the states of Alice and Bob consist of independent uniform randomness. Unfortunately, we give a black-box separation showing that leakage-resilient NIKE in this setting cannot be proven secure via a black-box reduction under any game-based assumption when the leakage is super-logarithmic. This includes virtually all assumptions used in cryptography, and even very strong assumptions such as indistinguishability obfuscation (iO). Nevertheless, we also provide positive results that get around the above separation: - We show that every key exchange protocol (e.g., Diffie-Hellman) is secure when the leakage amount is logarithmic, or potentially even greater if we assume sub-exponential security without leakage. - We notice that the black-box separation does not extend to schemes in the common reference string (CRS) model, or to schemes with preprocessing, where Alice and Bob can individually pre-process their random coins to derive their secret state prior to leakage. We give a solution in the CRS model with preprocessing using bilinear maps. We also give solutions in just the CRS model alone (without preprocessing) or just with preprocessing (without a CRS), using iO and lossy functions.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in CRYPTO 2020
Keywords
key exchangeleakage-resilience
Contact author(s)
lixints @ cs jhu edu
fermima @ alum mit edu
quach w @ husky neu edu
wichs @ ccs neu edu
History
2020-06-24: revised
2020-06-24: received
See all versions
Short URL
https://ia.cr/2020/771
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2020/771,
      author = {Xin Li and Fermi Ma and Willy Quach and Daniel Wichs},
      title = {Leakage-Resilient Key Exchange and Two-Seed Extractors},
      howpublished = {Cryptology ePrint Archive, Paper 2020/771},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/771}},
      url = {https://eprint.iacr.org/2020/771}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.