Password authenticated key exchange using hidden smooth subgroups

Existing techniques for designing efficient password authenticated key exchange (PAKE) protocols can all be viewed as variations of a small number of fundamental paradigms, and all are based on either the Diffie-Hellman or RSA assumptions. In this paper we propose a new technique for the design of PAKE protocols that does not fall into any of those paradigms, and which is based on a different assumption. In our technique, the server uses the password to construct a multiplicative group with a (hidden) smooth order subgroup, where the group order depends on the password. The client uses its knowledge of the password to generate a root extraction problem instance in the server's group and a discrete logarithm problem instance in the (smooth order) subgroup. If the server constructed its group correctly based on the password, the server can use its knowledge of the group order to solve the root extraction problem, and can solve the discrete logarithm problem by leveraging the smoothness of the hidden subgroup. The resulting scheme is provably secure (in the random oracle model) under the "decision subgroup assumption." The scheme can be efficiently instantiated using composite modulus groups, in which case the client and server each perform the equivalent of a small number of modular exponentiations, and the security reduces to a simple variant of the "Φ-hiding" assumption. We provide preliminary implementation results of this instantiation.
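As an added illustration (not code from the paper or its implementation), the following Python shows, with constructed toy parameters, the two server-side computations the abstract relies on in the composite-modulus instantiation: extracting roots using knowledge of phi(N), and solving a discrete logarithm in the smooth-order subgroup by Pohlig-Hellman. The constant M stands in for the password-derived subgroup order and the message flow of the actual PAKE is not reproduced; all parameter values are assumptions chosen for the demo.

```python
"""Toy demo of the server-side problems from the abstract: root extraction in
Z_N^* via phi(N), and discrete log in a hidden smooth-order subgroup of Z_N^*
via Pohlig-Hellman. Constructed toy parameters, not the paper's protocol."""
import random
from math import gcd, prod

SMALL_PRIMES = [3, 5, 7, 11]
M = prod(SMALL_PRIMES)  # 1155: smooth subgroup order (stands in for the password-derived order)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def build_modulus(m, q_start=2000):
    """(N, p, q): p = k*m + 1 prime, q prime with gcd(q - 1, m) == 1."""
    p = next(k * m + 1 for k in range(1, 10**6) if is_prime(k * m + 1))
    q = next(v for v in range(q_start, 10**6) if is_prime(v) and gcd(v - 1, m) == 1)
    return p * q, p, q

def subgroup_generator(n, p, q, m):
    """Element of order exactly m; it is 1 mod q, so it lives in the p part."""
    phi = (p - 1) * (q - 1)
    for h in range(2, n):
        g = pow(h, phi // m, n)
        if all(pow(g, m // r, n) != 1 for r in SMALL_PRIMES):
            return g

def pohlig_hellman(g, h, n, m):
    """Solve h = g^x in the order-m subgroup: x mod r per prime r, then CRT."""
    x = 0
    for r in SMALL_PRIMES:
        g_r, h_r = pow(g, m // r, n), pow(h, m // r, n)  # both have order r
        x_r = next(i for i in range(r) if pow(g_r, i, n) == h_r)  # tiny brute force
        x = (x + x_r * (m // r) * pow(m // r, -1, r)) % m
    return x

def extract_root(y, e, p, q):
    """Server-side e-th root: d = e^-1 mod phi(N), root = y^d mod N."""
    return pow(y, pow(e, -1, (p - 1) * (q - 1)), p * q)

def demo(seed=1):
    """Client builds both instances; server solves them. Returns (x, x', r, r')."""
    rng = random.Random(seed)
    n, p, q = build_modulus(M)
    g = subgroup_generator(n, p, q, M)
    e = next(v for v in range(3, 10**6, 2) if gcd(v, (p - 1) * (q - 1)) == 1)
    x, r = rng.randrange(1, M), rng.randrange(2, n)  # client secrets
    h, y = pow(g, x, n), pow(r, e, n)  # DL instance and root-extraction instance
    return x, pohlig_hellman(g, h, n, M), r, extract_root(y, e, p, q)
```

Without phi(N) and the factorization of M, neither recovery is feasible for a party that built the group from the wrong password, which is the asymmetry the scheme relies on.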
