Modelling After-the-fact Leakage for Key Exchange (full Version)

Security models for two-party authenticated key exchange (AKE) protocols have developed over timeto prove the security of AKE protocols even when the adversary learns certain secret values. In this work,we address more granular leakage: partial leakage of long-term secrets of protocol principals, even after thesession key is established. We introduce a generic key exchange security model, which can be instantiatedallowing bounded or continuous leakage, even when the adversary learns certain ephemeral secrets orsession keys. Our model is the strongest known partial-leakage-based security model for key exchangeprotocols. We propose a generic construction of a two-pass leakage-resilient key exchange protocol thatis secure in the proposed model, by introducing a new concept: the leakage-resilient NAXOS trick. Weidentify a special property for public-key cryptosystems: pair generation indistinguishability, and showhow to obtain the leakage-resilient NAXOS trick from a pair generation indistinguishable leakage-resilientpublic-key cryptosystem.