Zero-Knowledge Password Policy Check from Lattices

Passwords are ubiquitous and remain the most common way to authenticate users logging into online services. High-entropy passwords are critical to preventing unauthorized access, and password policies emerged to enforce this requirement. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect a user's sensitive information in such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merritt (IEEE S&P, 1992), allows authenticated secure channels to be established from a hash of the password (the verifier). Unfortunately, this restricts password policies, since a password cannot be checked against a policy from its verifier alone. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed the zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows a user to prove in zero knowledge that the hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant, because it relies on discrete logarithm-based cryptographic tools, and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternative construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant, privacy-preserving password-based authentication and key exchange system.
