Universally Composable Relaxed Password Authenticated Key Exchange

Protocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree on a cryptographic key. We revisit the notion of PAKE in the universal composability (UC) framework, and propose a relaxation of the PAKE functionality of Canetti et al. that we call lazy-extraction PAKE (lePAKE). Our relaxation allows the ideal-world adversary to postpone its password guess until after a session is complete. We argue that this relaxed notion still provides meaningful security in the password-only setting. As our main result, we show that several PAKE protocols that were previously only proven secure with respect to a “game-based” definition of security can be shown to UC-realize the lePAKE functionality in the random-oracle model. These include SPEKE, SPAKE2, and TBPEKE, the most efficient PAKE schemes currently known.

[1] Victor Shoup et al. Security analysis of SPAKE2+, 2020, IACR Cryptol. ePrint Arch.

[2] Mihir Bellare et al. Code-Based Game-Playing Proofs and the Security of Triple Encryption, 2004, IACR Cryptol. ePrint Arch.

[3] Jan Camenisch et al. Password-Authenticated Public-Key Encryption, 2019, IACR Cryptol. ePrint Arch.

[4] Craig Gentry et al. A Method for Making Password-Based Key Exchange Resilient to Server Compromise, 2006, CRYPTO.

[5] Rafail Ostrovsky et al. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords, 2001, EUROCRYPT.

[6] David Pointcheval et al. Password-Based Authenticated Key Exchange, 2012, Public Key Cryptography.

[7] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures, 2015, Journal of Cryptology.

[8] Torben P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, 1991, CRYPTO.

[9] Julian Loss et al. New techniques for the modular analysis of digital signature schemes, 2019.

[10] Philip MacKenzie et al. On the Security of the SPEKE Password-Authenticated Key Exchange Protocol, 2001, IACR Cryptol. ePrint Arch.

[11] Hugo Krawczyk et al. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks, 2018, IACR Cryptol. ePrint Arch.

[12] Yehuda Lindell et al. Universally Composable Password-Based Key Exchange, 2005, EUROCRYPT.

[13] David P. Jablon. Extended password key exchange protocols immune to dictionary attack, 1997, Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[14] David Pointcheval et al. VTBPEKE: Verifier-based Two-Basis Password Exponential Key Exchange, 2017, AsiaCCS.

[15] Hugo Krawczyk et al. HMQV: A High-Performance Secure Diffie-Hellman Protocol, 2005, CRYPTO.

[16] Ted Taekyoung Kwon et al. Round-Reduced Modular Construction of Asymmetric Password-Authenticated Key Exchange, 2018, SCN.

[17] Charanjit S. Jutla et al. Dual-System Simulation-Soundness with Applications to UC-PAKE and More, 2015, ASIACRYPT.

[18] David Pointcheval et al. The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, 2001, Public Key Cryptography.

[19] Mihir Bellare et al. The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES, 2001, CT-RSA.

[20] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[21] Feng Hao et al. The SPEKE Protocol Revisited, 2014, SSR.

[22] Rafail Ostrovsky et al. Efficient and secure authenticated key exchange using weak passwords, 2009, JACM.

[23] Jonathan Katz et al. Round-Optimal Password-Based Authenticated Key Exchange, 2011, TCC.

[24] Jonathan Katz et al. A new framework for efficient password-based authenticated key exchange, 2010, CCS '10.

[25] David Pointcheval et al. Efficient Two-Party Password-Based Key Exchange Protocols in the UC Framework, 2008, CT-RSA.

[26] David Pointcheval et al. Password-Based Authenticated Key Exchange in the Three-Party Setting, 2005, Public Key Cryptography.

[27] Rafail Ostrovsky et al. Forward Secrecy in Password-Only Key Exchange Protocols, 2002, SCN.

[28] Hugo Krawczyk et al. The OPAQUE Asymmetric PAKE Protocol, 2019.

[29] Eike Kiltz et al. The Algebraic Group Model and its Applications, 2018, IACR Cryptol. ePrint Arch.

[30] Mihir Bellare et al. Authenticated Key Exchange Secure against Dictionary Attacks, 2000, EUROCRYPT.

[31] Manuel Barbosa et al. Perfect Forward Security of SPAKE2, 2019, IACR Cryptol. ePrint Arch.

[32] Rosario Gennaro et al. Faster and Shorter Password-Authenticated Key Exchange, 2008, TCC.

[33] Björn Haase et al. AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT, 2019, IACR Cryptol. ePrint Arch.

[34] Sarvar Patel et al. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman, 2000, EUROCRYPT.

[35] Ran Canetti et al. Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[36] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme, 2010, IACR Cryptol. ePrint Arch.

[37] Yehuda Lindell et al. Session-Key Generation Using Human Passwords Only, 2001, Journal of Cryptology.

[38] David Pointcheval et al. Simple Password-Based Encrypted Key Exchange Protocols, 2005, CT-RSA.

[39] Steven M. Bellovin et al. Encrypted key exchange: password-based protocols secure against dictionary attacks, 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.