Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions

Protecting user data entails providing authenticated users access to their data. The most prevalent and probably also the most feasible approach to the latter is by username and password. With password breaches through server compromise now reaching billions of affected passwords, distributing the password files and user data over multiple servers is not just a good idea, it is a dearly needed solution to a topical problem. Threshold password-authenticated secret sharing (TPASS) protocols enable users to share secret data among a set of servers so that they can later recover that data using a single password. No coalition of servers up to a certain threshold can learn anything about the data or perform an offline dictionary attack on the password. Several TPASS protocols have appeared in the literature and one is even available commercially. Although designed to tolerate server corruptions, unfortunately none of these protocols provide details, let alone security proofs, about how to proceed when a compromise actually occurs. Indeed, they consider static corruptions only, which for instance does not model real-world adaptive attacks by hackers. We provide the first TPASS protocol that is provably secure against adaptive server corruptions. Moreover, our protocol contains an efficient recovery procedure allowing one to re-initialize servers to recover from corruption. We prove our protocol secure in the universal-composability model where servers can be corrupted adaptively at any time; the users’ passwords and secrets remain safe as long as both servers are not corrupted at the same time. Our protocol does not require random oracles but does assume that servers have certified public keys.

[1]  David Mazières,et al.  A future-adaptive password scheme , 1999 .

[2]  Nitesh Saxena,et al.  Password-protected secret sharing , 2011, CCS '11.

[3]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[4]  Dennis Hofheinz,et al.  Possibility and Impossibility Results for Selective Decommitments , 2011, Journal of Cryptology.

[5]  Ran Canetti,et al.  Universal Composition with Joint State , 2003, CRYPTO.

[6]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[7]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[8]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[9]  Ray A. Perlner,et al.  Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology (Special Publication 800-63-1) , 2012 .

[10]  Jan Camenisch,et al.  A Framework for Practical Universally Composable Zero-Knowledge Protocols , 2011, IACR Cryptol. ePrint Arch..

[11]  Markus Jakobsson,et al.  Threshold Password-Authenticated Key Exchange , 2002, Journal of Cryptology.

[12]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[13]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[14]  Ari Juels,et al.  A New Two-Server Approach for Authentication with Short Secrets , 2003, USENIX Security Symposium.

[15]  David P. Jablon Password Authentication Using Multiple Servers , 2001, CT-RSA.

[16]  Jonathan Katz,et al.  Two-server password-only authenticated key exchange , 2005, J. Comput. Syst. Sci..

[17]  David Mazières,et al.  The Advanced Computing Systems Association a Future-adaptable Password Scheme a Future-adaptable Password Scheme , 2022 .

[18]  Michael Szydlo,et al.  Proofs for Two-Server Password Authentication , 2005, CT-RSA.

[19]  Burton S. Kaliski,et al.  Server-assisted generation of a strong secret from a password , 2000, Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000).

[20]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[21]  Ralf Küsters,et al.  Simulation-based security with inexhaustible interactive Turing machines , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[22]  Aggelos Kiayias,et al.  Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model , 2014, ASIACRYPT.

[23]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[24]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[25]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[26]  Donald Beaver,et al.  Cryptographic Protocols Provably Secure Against Dynamic Adversaries , 1992, EUROCRYPT.

[27]  Ueli Maurer,et al.  Abstract Cryptography , 2011, ICS.

[28]  Yehuda Lindell,et al.  Secure Computation Without Authentication , 2005, Journal of Cryptology.

[29]  Dennis Hofheinz,et al.  GNUC: A New Universal Composability Framework , 2015, Journal of Cryptology.

[30]  Stephan Krenn Bringing Zero-Knowledge Proofs of Knowledge to Practice , 2009, Security Protocols Workshop.

[31]  Rosario Gennaro,et al.  Provably secure threshold password-authenticated key exchange , 2003, J. Comput. Syst. Sci..

[32]  Jan Camenisch,et al.  Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment , 2014, CRYPTO.

[33]  Jan Camenisch,et al.  Practical yet universally composable two-server password-authenticated secret sharing , 2012, CCS.

[34]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[35]  Jan Camenisch,et al.  Practical and Employable Protocols for UC-Secure Circuit Evaluation over ℤn , 2013, ESORICS.

[36]  Jesper Buus Nielsen,et al.  Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[37]  Ray A. Perlner,et al.  Electronic Authentication Guideline , 2014 .

[38]  Yehuda Lindell,et al.  Universally Composable Password-Based Key Exchange , 2005, EUROCRYPT.