Towards post-quantum secure PAKE - A tight security proof for OCAKE in the BPR model

We revisit OCAKE (ACNS 23), a generic recipe that constructs password-based authenticated key exchange (PAKE) from key encapsulation mechanisms (KEMs) in a black-box way. This potentially allows achieving post-quantum security by instantiating the KEM with a post-quantum KEM like KYBER. It was left as an open problem to further adapt the proof so that it also holds against quantum attackers. The security proof is given in the universal composability (UC) framework, which is common for PAKE. So far, however, it is not known how to model or prove computational UC security against quantum adversaries, let alone if the proof uses idealized primitives like random oracles or ideal ciphers. To pave the way towards reasoning about post-quantum security, we therefore resort to a (still classical) game-based security proof in the BPR model (EUROCRYPT 2000). We consider this a crucial stepping stone towards a full proof of post-quantum security. We prove security of (a minor variation of) OCAKE, assuming the underlying KEM satisfies notions of ciphertext indistinguishability, anonymity, and (computational) public-key uniformity. To achieve tight security bounds, we use multi-user variants of the aforementioned properties. We provide a full detailed proof – something often omitted in publications on game-based security of PAKE. As a side contribution, we demonstrate in detail how to handle password guesses, which is something we were unable to find in the existing literature on game-based PAKE proofs.

[1] Feng Hao et al. SoK: Password-Authenticated Key Exchange -- Theory, Practice, Standardization and Real-World Lessons, 2022, IACR Cryptol. ePrint Arch.

[2] Andreas Hülsing et al. Failing gracefully: Decryption failures and the Fujisaki-Okamoto transform, 2022, IACR Cryptol. ePrint Arch.

[3] Eike Kiltz et al. Faster Lattice-Based KEMs via a Generic Fujisaki-Okamoto Transform Using Prefix Hashing, 2021, IACR Cryptol. ePrint Arch.

[4] Serge Fehr et al. Online-Extractability in the Quantum Random-Oracle Model, 2021, IACR Cryptol. ePrint Arch.

[5] Kathrin Hövelmanns et al. Tight adaptive reprogramming in the QROM, 2020, IACR Cryptol. ePrint Arch.

[6] Kai-Min Chung et al. On the Compressed-Oracle Technique, and Post-Quantum Security of Proofs of Sequential Work, 2020, IACR Cryptol. ePrint Arch.

[7] Bjoern Haase et al. CPace, a balanced composable PAKE, 2020.

[8] Peter Schwabe et al. The SPHINCS+ Signature Framework, 2019, IACR Cryptol. ePrint Arch.

[9] Mark Zhandry et al. How to Record Quantum Queries, and Applications to Quantum Indifferentiability, 2019, IACR Cryptol. ePrint Arch.

[10] Jan Camenisch et al. Password-Authenticated Public-Key Encryption, 2019, IACR Cryptol. ePrint Arch.

[11] Kan Yasuda et al. Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions, 2018, IACR Cryptol. ePrint Arch.

[12] Benjamin Smith et al. Towards practical key exchange from ordinary isogeny graphs, 2018, IACR Cryptol. ePrint Arch.

[13] Hugo Krawczyk et al. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks, 2018, IACR Cryptol. ePrint Arch.

[14] Eike Kiltz et al. Hybrid Encryption in a Multi-user Setting, Revisited, 2018, Public Key Cryptography.

[15] Damien Stehlé et al. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme, 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst.

[16] Damien Stehlé et al. CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM, 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[17] Jean Lancrenon et al. On Password-Authenticated Key Exchange Security Modeling, 2015, PASSWORDS.

[18] Fang Song et al. A Note on Quantum Security for Post-Quantum Cryptography, 2014, PQCrypto.

[19] David Pointcheval et al. New Techniques for SPHFs and Efficient One-Round PAKE Protocols, 2013, IACR Cryptol. ePrint Arch.

[20] Mark Zhandry et al. Random Oracles in a Quantum World, 2010, ASIACRYPT.

[21] Marc Fischlin et al. Security Analysis of the PACE Key-Agreement Protocol, 2009, ISC.

[22] John Black et al. The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function, 2006, FSE.

[23] Yehuda Lindell et al. Universally Composable Password-Based Key Exchange, 2005, EUROCRYPT.

[24] David Pointcheval et al. Password-Based Authenticated Key Exchange in the Three-Party Setting, 2005, Public Key Cryptography.

[25] Mihir Bellare et al. Key-Privacy in Public-Key Encryption, 2001, ASIACRYPT.

[26] Ran Canetti et al. Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[27] Mihir Bellare et al. Authenticated Key Exchange Secure against Dictionary Attacks, 2000, EUROCRYPT.

[28] Silvio Micali et al. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements, 2000, EUROCRYPT.

[29] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[30] Steven M. Bellovin et al. Encrypted key exchange: password-based protocols secure against dictionary attacks, 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[31] Claude E. Shannon et al. Communication theory of secrecy systems, 1949, Bell Syst. Tech. J.

[32] Céline Chevalier et al. GeT a CAKE: Generic Transformations from Key Encaspulation Mechanisms to Password Authenticated Key Exchanges, 2023, International Conference on Applied Cryptography and Network Security.

[33] Runzhi Zeng et al. A Generic Construction of Tightly Secure Password-based Authenticated Key Exchange, 2023, IACR Cryptol. ePrint Arch.

[34] D. Bernstein. Multi-ciphertext security degradation for lattices, 2022, IACR Cryptol. ePrint Arch.

[35] S. Vaudenay et al. On IND-qCCA Security in the ROM and Its Applications - CPA Security Is Sufficient for TLS 1.3, 2022, EUROCRYPT.

[36] Peter Y. A. Ryan et al. Security Characterization of J-PAKE and its Variants, 2021, IACR Cryptol. ePrint Arch.

[37] Kenneth G. Paterson et al. Anonymous, Robust Post-Quantum Public Key Encryption, 2021, IACR Cryptol. ePrint Arch.

[38] Michel Abdalla et al. Security Analysis of CPace, 2021, IACR Cryptol. ePrint Arch.

[39] Keita Xagawa et al. Anonymity of NIST PQC Round-3 KEMs, 2021, IACR Cryptol. ePrint Arch.

[40] Victor Shoup et al. Security analysis of SPAKE2+, 2020, IACR Cryptol. ePrint Arch.

[41] Tanja Lange et al. CSIDH: An Efficient Post-Quantum Commutative Group Action, 2018, IACR Cryptol. ePrint Arch.

[42] Alexander Rostovtsev et al. Public-Key Cryptosystem Based on Isogenies, 2006, IACR Cryptol. ePrint Arch.

[43] Jean Marc Couveignes et al. Hard Homogeneous Spaces, 2006, IACR Cryptol. ePrint Arch.