VTBPEKE: Verifier-based Two-Basis Password Exponential Key Exchange

PAKE protocols, for Password-Authenticated Key Exchange, enable two parties to establish a shared cryptographically strong key over an insecure network using a short common secret as the sole means of authentication. After the seminal work by Bellovin and Merritt, with the famous EKE, for Encrypted Key Exchange, various settings and security notions have been defined, and many protocols have been proposed. In this paper, we revisit the promising SPEKE, for Simple Password Exponential Key Exchange, proposed by Jablon. The only known security analysis works in the random oracle model under the CDH assumption, but only in the multiplicative groups of finite fields (subgroups of Z_p^*), which forces the use of large group elements and thus heavy communication and computation costs. Our new instantiation (TBPEKE, for Two-Basis Password Exponential Key Exchange) applies to any group, and our security analysis requires a DLIN-like assumption to hold. In particular, one can use elliptic curves, which leads to better efficiency at both the communication and computation levels. We additionally consider server corruptions, which, with symmetric PAKE, immediately leak all the passwords to the adversary. We thus study an asymmetric variant, also known as VPAKE, for Verifier-based Password-Authenticated Key Exchange. We then propose a verifier-based variant of TBPEKE, the so-called VTBPEKE, which is also quite efficient and resistant to server compromise.