One-Round Password-Based Authenticated Key Exchange

We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity — one message per party, sent simultaneously — in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols (still in the standard model) that are universally composable while still using only one (simultaneous) round.

∗ Dept. of Computer Science, University of Maryland. Work done while visiting IBM. Email: jkatz@cs.umd.edu. Research supported by NSF grant #0627306 and NSF CAREER award #0447075.
† IBM Research. vinodv@alum.mit.edu.

1 Password-Based Authenticated Key Exchange

Protocols for authenticated key exchange enable two parties to generate a shared, cryptographically strong key while communicating over an insecure network under the complete control of an adversary. Such protocols are among the most widely used and fundamental cryptographic primitives; indeed, agreement on a shared key is necessary before “higher-level” tasks such as encryption and message authentication become possible. Parties must share some information in order for authenticated key exchange to be possible. It is well known that shared cryptographic keys — either in the form of public keys or a long, uniformly random symmetric key — suffice, and several protocols in this model (building on the classic Diffie-Hellman protocol [22], which protects only against an eavesdropping adversary and provides no authentication at all) are known [8, 5, 6, 3, 43, 18, 19, 36, 37]. Password-based protocols allow users to “bootstrap” even a very weak (e.g., short) shared secret into a (much longer) cryptographic key.

The canonical application here is authentication using passwords, though protocols developed in this context can be useful even when the shared secret has high min-entropy (but is not uniform) [13]. The security guaranteed by password-based protocols (roughly speaking) is that if the password is chosen uniformly¹ from a dictionary of size D, then an adversary who initiates Q “on-line” attacks — i.e., who actively interferes in Q sessions — has “advantage” at most Q/D. (This is inherent, as an adversary can always carry out Q impersonation attempts and succeed with this probability.) In particular, “off-line” dictionary attacks, where an adversary enumerates all passwords from the (presumably small) dictionary of potential passwords and tries to match observed protocol executions to each one, are of no use.

Early work [27, 30] considered a “hybrid” setting where users share public keys in addition to a password. In the setting where only a password is shared, Bellovin and Merritt [7] proposed the first protocols for password-based authenticated key exchange (PAK) with heuristic arguments for their security. Several years later, provably secure PAK protocols were constructed [4, 14, 38] in the random oracle/ideal cipher models, and many improvements and generalizations of these protocols are known. In contrast, only a handful of PAK protocols are known in the so-called “standard model” (i.e., without random oracles):

General assumptions: Goldreich and Lindell [26] gave the first PAK protocol in the standard model. Subsequent work of Barak et al. [2] shows a general feasibility result for computation over unauthenticated networks which implies a solution for PAK as a special case. These approaches give the only PAK protocols for the plain model where there is no setup. (Nguyen and Vadhan [40] show efficiency improvements to the Goldreich-Lindell protocol, but achieve a weaker notion of security.) Unfortunately, all these approaches are completely impractical in terms of communication, computation, and round complexity. Moreover, they do not tolerate concurrent executions by the same party (unless additional setup is assumed).

Efficient protocols: Katz, Ostrovsky, and Yung [34] demonstrated the first efficient PAK protocol with a proof of security based on standard assumptions; extensions and improvements of their protocol were given in [25, 17, 33, 24, 35]. Different constructions of efficient PAK protocols in the CRS model are given in [32, 28]. In contrast to the work of Goldreich and Lindell, these approaches are secure even under concurrent executions by the same party. On the

¹ Although the usual presentation of PAK assumes a uniform password, all known protocols work with passwords chosen from an arbitrary (efficiently sampleable) distribution.

[1] Hugo Krawczyk et al. A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). STOC '98, 1998.

[2] Hugo Krawczyk et al. HMQV: A High-Performance Secure Diffie-Hellman Protocol. CRYPTO, 2005.

[3] Jan Camenisch et al. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. IACR Cryptology ePrint Archive, 2009.

[4] Jonathan Katz et al. Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices. ASIACRYPT, 2009.

[5] Hugo Krawczyk et al. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. EUROCRYPT, 2001.

[6] Yehuda Lindell et al. Session-Key Generation Using Human Passwords Only. Journal of Cryptology, 2001.

[7] Rafail Ostrovsky et al. Robust Non-interactive Zero Knowledge. CRYPTO, 2001.

[8] Whitfield Diffie et al. New Directions in Cryptography. IEEE Trans. Inf. Theory, 1976.

[9] Hugo Krawczyk et al. Universally Composable Notions of Key Exchange and Secure Channels. EUROCRYPT, 2002.

[10] Dong Hoon Lee et al. One-Round Protocols for Two-Party Authenticated Key Exchange. ACNS, 2004.

[11] David Pointcheval et al. Efficient Two-Party Password-Based Key Exchange Protocols in the UC Framework. CT-RSA, 2008.

[12] Manuel Blum et al. Non-interactive zero-knowledge and its applications. STOC '88, 1988.

[13] Yehuda Lindell et al. A Framework for Password-Based Authenticated Key Exchange. EUROCRYPT, 2003.

[14] Guang Gong et al. Password Based Key Exchange with Mutual Authentication. IACR Cryptology ePrint Archive, 2004.

[15] Mihir Bellare et al. Authenticated Key Exchange Secure against Dictionary Attacks. EUROCRYPT, 2000.

[16] Mihir Bellare et al. Provably secure session key distribution: the three party case. STOC '95, 1995.

[17] Manuel Blum et al. Proving Security Against Chosen Cyphertext Attacks. CRYPTO, 1988.

[18] Sarvar Patel et al. Password-authenticated key exchange based on RSA. International Journal of Information Security, 2000.

[19] Tatsuaki Okamoto et al. Authenticated Key Exchange and Key Encapsulation in the Standard Model. ASIACRYPT, 2007.

[20] Amit Sahai et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999.

[21] Hugo Krawczyk et al. SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols. CRYPTO, 2003.

[22] Jonathan Katz et al. Two-server password-only authenticated key exchange. J. Comput. Syst. Sci., 2005.

[23] Hovav Shacham et al. Short Group Signatures. CRYPTO, 2004.

[24] Sarvar Patel et al. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. EUROCRYPT, 2000.

[25] Moti Yung et al. Systematic Design of Two-Party Authentication Protocols. CRYPTO, 1991.

[26] Rosario Gennaro et al. Faster and Shorter Password-Authenticated Key Exchange. TCC, 2008.

[27] Moni Naor et al. Universal one-way hash functions and their cryptographic applications. STOC '89, 1989.

[28] Mihir Bellare et al. Entity Authentication and Key Distribution. CRYPTO, 1993.

[29] Steven M. Bellovin et al. Encrypted key exchange: password-based protocols secure against dictionary attacks. Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992.

[30] Manuel Blum et al. Noninteractive Zero-Knowledge. SIAM J. Comput., 1991.

[31] Rafail Ostrovsky et al. Secure Remote Authentication Using Biometric Data. EUROCRYPT, 2005.

[32] Jerome H. Saltzer et al. Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE J. Sel. Areas Commun., 1993.

[33] Salil P. Vadhan et al. Simpler Session-Key Generation from Short Random Passwords. Journal of Cryptology, 2004.

[34] Amit Sahai et al. Efficient Non-interactive Proof Systems for Bilinear Groups. EUROCRYPT, 2008.

[35] Hugo Krawczyk et al. Public-key cryptography and password protocols. CCS '98, 1998.

[36] Rafail Ostrovsky et al. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords. EUROCRYPT, 2001.

[37] Victor Shoup et al. On Formal Models for Secure Key Exchange. IACR Cryptology ePrint Archive, 1999.

[38] Jonathan Katz et al. A new framework for efficient password-based authenticated key exchange. CCS '10, 2010.

[39] Ran Canetti et al. Universally composable security: a new paradigm for cryptographic protocols. 42nd Annual Symposium on Foundations of Computer Science (FOCS), 2001.

[40] Yehuda Lindell et al. Secure Computation Without Authentication. Journal of Cryptology, 2005.

[41] Ronald Cramer et al. Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. EUROCRYPT, 2001.

[42] Yehuda Lindell et al. Universally Composable Password-Based Key Exchange. EUROCRYPT, 2005.

[43] Adi Shamir et al. Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions. SIAM J. Comput., 1999.