On the connection between leakage tolerance and adaptive security

Abstract

We revisit the context of leakage-tolerant interactive protocols as defined by Bitanski, Canetti and Halevi (TCC 2012). Our contributions can be summarized as follows: 1 For the purpose of secure message transmission, any encryption protocol with message space and secret key space tolerating poly-logarithmic leakage on the secret state of the receiver must satisfy, |SK| ≥ (1-ε)|M|, for every 0 < ε ≤ 1, and if SK| = |M|, then the scheme must use a fresh key pair to encrypt each message. 2 More generally, we show that any n party protocol tolerates leakage of ≈ poly(logκ) bits from one party at the end of the protocol execution, if and only if the protocol has passive adaptive security against an adaptive corruption of one party at the end of the protocol execution. This shows that as soon as a little leakage is tolerated, one needs full adaptive security. 3 In case more than one party can be corrupted, we get that leakage tolerance is equivalent to a weaker form of adaptivity, which we call semi-adaptivity. Roughly, a protocol has semi-adaptive security if there exist a simulator which can simulate the internal state of corrupted parties, however, such a state is not required to be indistinguishable from a real state, only that it would have lead to the simulated communication. All our results can be based on the solely assumption that collision-resistant function ensembles exist. © 2013 International Association for Cryptologic Research.