论文信息 - The "quantum annoying" property of password-authenticated key exchange protocols

The "quantum annoying" property of password-authenticated key exchange protocols

During the Crypto Forum Research Group (CFRG)’s standardization of password-authenticated key exchange (PAKE) protocols, a novel property emerged: a PAKE scheme is said to be “quantum-annoying” if a quantum computer can compromise the security of the scheme, but only by solving one discrete logarithm for each guess of a password. Considering that early quantum computers will likely take quite long to solve even a single discrete logarithm, a quantum-annoying PAKE, combined with a large password space, could delay the need for a post-quantum replacement by years, or even decades. In this paper, we make the first steps towards formalizing the quantumannoying property. We consider a classical adversary in an extension of the generic group model in which the adversary has access to an oracle that solves discrete logarithms. While this idealized model does not fully capture the range of operations available to an adversary with a generalpurpose quantum computer, this model does allow us to quantify security in terms of the number of discrete logarithms solved. We apply this approach to the CPace protocol, a balanced PAKE advancing through the CFRG standardization process, and show that the CPacebase variant is secure in the generic group model with a discrete logarithm oracle.

Douglas Stebila | Edward Eaton | D. Stebila | Edward Eaton

[1] Aaram Yun. Generic Hardness of the Multiple Discrete Logarithm Problem , 2015, EUROCRYPT.

[2] Victor Shoup,et al. Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[3] Mark Zhandry,et al. Random Oracles in a Quantum World , 2010, ASIACRYPT.

[4] Peter W. Shor,et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[5] Michel Abdalla,et al. Security Analysis of CPace , 2021, IACR Cryptol. ePrint Arch..

[6] David P. Jablon. Strong password-only authenticated key exchange , 1996, CCRV.

[7] Marc Fischlin,et al. Security Analysis of the PACE Key-Agreement Protocol , 2009, ISC.

[8] Michele Mosca,et al. Benchmarking the quantum cryptanalysis of symmetric, public-key and hash-based cryptographic schemes , 2019, 1902.02332.

[9] Ueli Maurer,et al. Lower Bounds on Generic Algorithms in Groups , 1998, EUROCRYPT.

[10] Mihir Bellare,et al. Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[11] Bjoern Haase,et al. CPace, a balanced composable PAKE , 2020 .

[12] Björn Haase,et al. AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT , 2019, IACR Cryptol. ePrint Arch..