Highly-Efficient and Composable Password-Protected Secret Sharing (Or: How to Protect Your Bitcoin Wallet Online)

PPSS is a central primitive introduced by Bagherzandi et al. [2] which allows a user to store a secret among n servers such that the user can later reconstruct the secret with the sole possession of a single password by contacting t + 1 (t <; n) servers. At the same time, an attacker breaking into t of these servers - and controlling all communication channels - learns nothing about the secret (or the password). Thus, PPSS schemes are ideal for on-line storing of valuable secrets when retrieval solely relies on a memorizable password. We show the most efficient Password-Protected Secret Sharing (PPSS) to date (and its implied Threshold-PAKE scheme), which is optimal in round communication as in Jarecki et al. [10] but which improves computation and communication complexity over that scheme requiring a single per-server exponentiation for the client and a single exponentiation for the server. As with the schemes from [10] and Camenisch et al. [4] we do not require secure channels or PKI other than in the initialization stage. We prove the security of our PPSS scheme in the Universally Composable (UC) model. For this we present a UC definition of PPSS that relaxes the UC formalism of [4] in a way that enables more efficient PPSS schemes (by dispensing with the need to extract the user's password in the simulation) and present a UC-based definition of Oblivious PRF (OPRF) that is more general than the (Verifiable) OPRF definition from [10] and is also crucial for enabling our performance optimization.

[1]  Hugo Krawczyk,et al.  Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries , 2013, IACR Cryptol. ePrint Arch..

[2]  Xiaomin Liu,et al.  Efficient Oblivious Pseudorandom Function with Applications to Adaptive OT and Secure Computation of Set Intersection , 2009, TCC.

[3]  Masayuki Abe,et al.  A Framework for Universally Composable Non-committing Blind Signatures , 2009, ASIACRYPT.

[4]  Nitesh Saxena,et al.  Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices , 2014, NDSS.

[5]  Xiaomin Liu,et al.  Fast Secure Computation of Set Intersection , 2010, SCN.

[6]  Yehuda Lindell,et al.  Efficient Protocols for Set Intersection and Pattern Matching with Security Against Malicious and Covert Adversaries , 2008, Journal of Cryptology.

[7]  Hugo Krawczyk,et al.  Device-Enhanced Password Protocols with Optimal Online-Offline Protection , 2016, AsiaCCS.

[8]  Benny Pinkas,et al.  Keyword Search and Oblivious Pseudorandom Functions , 2005, TCC.

[9]  Nitesh Saxena,et al.  Password-protected secret sharing , 2011, CCS '11.

[10]  Yehuda Lindell,et al.  Universally Composable Password-Based Key Exchange , 2005, EUROCRYPT.

[11]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[12]  Markus Jakobsson,et al.  Threshold Password-Authenticated Key Exchange , 2002, Journal of Cryptology.

[13]  Jan Camenisch,et al.  Optimal Distributed Password Verification , 2015, CCS.

[14]  Thomas Ristenpart,et al.  The Pythia PRF Service , 2015, USENIX Security Symposium.

[15]  Masayuki Abe,et al.  A framework for universally composable non-committing blind signatures , 2009, Int. J. Appl. Cryptogr..

[16]  Jan Camenisch,et al.  Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment , 2014, CRYPTO.

[17]  Aggelos Kiayias,et al.  Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model , 2014, ASIACRYPT.