Hardware Security without Secure Hardware: How to Decrypt with a Password and a Server

Hardware security tokens have now been used for several decades to store cryptographic keys. When deployed, the security of the corresponding schemes fundamentally relies on the tamper-resistance of the tokens – a very strong assumption in practice. Moreover, even secure tokens, which are expensive and cumbersome, can often be subverted. We introduce a new cryptographic primitive called Encryption schemes with Password-protected Assisted Decryption (EPAD schemes), in which a user's decryption key is shared between a user device (or token) on which no assumption is made, and an online server. The user shares a human-memorizable password with the server. To decrypt a ciphertext, the user launches, from a public computer, a distributed protocol with the device and the server, authenticating herself to the server with her password (unknown to the device), in such a way that her secret key is never reconstructed during the interaction. We propose a strong security model which guarantees that (1) for an efficient adversary to infer any information about a user's plaintexts, it must know her password and have corrupted her device (secrecy is guaranteed if only one of the two conditions is fulfilled), (2) the device and the server are unable to infer any information about the ciphertexts they help to decrypt (even though they could together reconstruct the secret key), and (3) the user is able to verify that device and server both performed the expected computations. These EPAD schemes are in the password-only model, meaning that the user is not required to remember a trusted public key, and her password remains safe even if she is led to interact with a wrong server and a malicious device. We then give a practical pairing-based EPAD scheme. Our construction is provably secure under standard computational assumptions, using non-interactive proof systems which can be efficiently instantiated in the standard security model, i.e., without relying on the random oracle heuristic.
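To make the assisted-decryption idea concrete, here is an added toy model written for this page; it is not the paper's pairing-based EPAD scheme. It uses plain ElGamal with an additively shared key and Fiat-Shamir Chaum-Pedersen proofs (so it relies on a random oracle, unlike the paper's standard-model proofs), omits the password authentication entirely, and all names (`keygen`, `partial_decrypt`, `assisted_decrypt`) and the tiny group parameters are constructed for illustration.

```python
# Added toy model of assisted decryption (not the paper's scheme): an ElGamal
# secret key x = x_dev + x_srv is shared between a device and a server; the
# user re-randomizes c1 so the helpers learn nothing about the ciphertext,
# each helper returns a partial decryption with a Chaum-Pedersen (Fiat-Shamir)
# proof, and the plaintext is recovered without x ever being reconstructed.
# Constructed toy group p = 1019, q = 509: for illustration only, offering no
# security. Password authentication to the server is omitted.
import hashlib
import secrets

P, Q, G = 1019, 509, 4  # p = 2q + 1, G = 2^2 generates the order-q subgroup

def keygen():
    """Device and server each hold one additive share of x; h is public."""
    x_dev, x_srv = secrets.randbelow(Q), secrets.randbelow(Q)
    return x_dev, x_srv, pow(G, (x_dev + x_srv) % Q, P)

def encrypt(h, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P

def _challenge(a, c1, d, t1, t2):
    return int(hashlib.sha256(f"{a}|{c1}|{d}|{t1}|{t2}".encode()).hexdigest(), 16) % Q

def partial_decrypt(x, a, c1):
    """Helper side: d = c1^x plus a proof that log_G(a) == log_c1(d) == x."""
    d = pow(c1, x, P)
    k = secrets.randbelow(Q)
    e = _challenge(a, c1, d, pow(G, k, P), pow(c1, k, P))
    return d, (e, (k - e * x) % Q)

def verify_partial(a, c1, d, proof):
    e, z = proof
    t1 = (pow(G, z, P) * pow(a, e, P)) % P    # = G^k iff the proof is honest
    t2 = (pow(c1, z, P) * pow(d, e, P)) % P   # = c1^k iff d = c1^x
    return e == _challenge(a, c1, d, t1, t2)

def assisted_decrypt(h, a_dev, a_srv, c1, c2, device, server):
    """User side: blind, query both helpers, check their proofs, unblind."""
    s = secrets.randbelow(Q)
    c1_blind = (c1 * pow(G, s, P)) % P        # uniform in the group, hides (c1, c2)
    d_dev, pf_dev = device(c1_blind)
    d_srv, pf_srv = server(c1_blind)
    if not (verify_partial(a_dev, c1_blind, d_dev, pf_dev)
            and verify_partial(a_srv, c1_blind, d_srv, pf_srv)):
        raise ValueError("helper returned an incorrect partial decryption")
    d = (d_dev * d_srv) % P                   # = h^(r+s), no party ever held x
    return (c2 * pow(h, s, P) * pow(d, -1, P)) % P
```

The device and server see only `c1_blind`, which is independent of the real ciphertext, while a helper that returns a wrong share is caught by the proof check before the plaintext is computed.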
