7,102 research outputs found
A new framework for efficient password-based authenticated key exchange
Protocols for password-based authenticated key exchange (PAKE) allow two users who share only a short, low-entropy password to agree on a cryptographically strong session key. The challenge in designing such protocols is that they must be immune to off-line dictionary attacks in which an eavesdropping adversary exhaustively enumerates the dictionary of likely passwords in an attempt to match a password to the set of observed transcripts. To date, few general frameworks for constructing PAKE protocols in the standard model are known. Here, we abstract and generalize a protocol by Jiang and Gong to give a new methodology for realizing PAKE without random oracles, in the common reference string model. In addition to giving a new approach to the problem, the resulting construction offers several advantages over prior work. We also describe an extension of our protocol that is secure within the universal composability (UC) framework and, when instantiated using El Gamal encryption, is more efficient than a previous protocol of Canetti et al.
Distributed Smooth Projective Hashing and its Application to Two-Server PAKE
Smooth projective hash functions have been used as building block for various cryptographic applications, in particular for password-based authentication.
In this work we propose the extended concept of distributed smooth projective hash functions where the computation of the hash value is distributed across parties and show how to instantiate the underlying approach for languages consisting of Cramer-Shoup ciphertexts.
As an application of distributed smooth projective hashing we build a new framework for the design of two-server password authenticated key exchange protocols, which we believe can help to explain the design of earlier two-server password authenticated key exchange protocols
New Anonymity Notions for Identity-Based Encryption
The original publication is available at www.springerlink.comInternational audienceIdentity-based encryption is a very convenient tool to avoid key management. Recipient-privacy is also a major concern nowadays. To combine both, anonymous identity-based encryption has been proposed. This paper extends this notion to stronger adversaries (the authority itself). We discuss this new notion, together with a new kind of non-malleability with respect to the identity, for several existing schemes. Inter- estingly enough, such a new anonymity property has an independent application to password-authenticated key exchange. We thus come up with a new generic framework for password-authenticated key exchange, and a concrete construction based on pairings
Zero-Knowledge Password Policy Check from Lattices
Passwords are ubiquitous and most commonly used to authenticate users when
logging into online services. Using high entropy passwords is critical to
prevent unauthorized access and password policies emerged to enforce this
requirement on passwords. However, with current methods of password storage,
poor practices and server breaches have leaked many passwords to the public. To
protect one's sensitive information in case of such events, passwords should be
hidden from servers. Verifier-based password authenticated key exchange,
proposed by Bellovin and Merrit (IEEE S\&P, 1992), allows authenticated secure
channels to be established with a hash of a password (verifier). Unfortunately,
this restricts password policies as passwords cannot be checked from their
verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed
zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to
prove in zero knowledge that a hash of the user's password satisfies the
password policy required by the server. Unfortunately, their proposal is not
quantum resistant with the use of discrete logarithm-based cryptographic tools
and there are currently no other viable alternatives. In this work, we
construct the first post-quantum ZKPPC using lattice-based tools. To this end,
we introduce a new randomised password hashing scheme for ASCII-based passwords
and design an accompanying zero-knowledge protocol for policy compliance.
Interestingly, our proposal does not follow the framework established by Kiefer
and Manulis and offers an alternate construction without homomorphic
commitments. Although our protocol is not ready to be used in practice, we
think it is an important first step towards a quantum-resistant
privacy-preserving password-based authentication and key exchange system
Universally Composable Relaxed Password Authenticated Key Exchange
International audienceProtocols for password authenticated key exchange (PAKE) allow two parties who share only a weak password to agree on a cryptographic key. We revisit the notion of PAKE in the universal composabil-ity (UC) framework, and propose a relaxation of the PAKE functionality of Canetti et al. that we call lazy-extraction PAKE (lePAKE). Our relaxation allows the ideal-world adversary to postpone its password guess until after a session is complete. We argue that this relaxed notion still provides meaningful security in the password-only setting. As our main result, we show that several PAKE protocols that were previously only proven secure with respect to a "game-based" definition of security can be shown to UC-realize the lePAKE functionality in the random-oracle model. These include SPEKE, SPAKE2, and TBPEKE, the most efficient PAKE schemes currently known
EKE Meets Tight Security in the Universally Composable Framework
(Asymmetric) Password-based Authenticated Key Exchange ((a)PAKE) protocols allow two parties establish a session key with a pre-shared low-entropy password. In this paper, we show how Encrypted Key Exchange (EKE) compiler [Bellovin and Merritt, S&P 1992] meets tight security in the Universally Composable (UC) framework. We propose a strong 2DH variant of EKE, denoted by 2DH-EKE, and prove its tight security in the UC framework based on the CDH assumption. The efficiency of 2DH-EKE is comparable to the original EKE, with only bits growth in communication ( the security parameter), and two (resp., one) extra exponentiation in computation for client (resp., server).
We also develop an asymmetric PAKE scheme 2DH-aEKE from 2DH-EKE. The security reduction loss of 2DH-aEKE is , the total number of client-server pairs. With a meta-reduction, we formally prove that such a factor is inevitable in aPAKE. Namely, our 2DH-aEKE meets the optimal security loss. As a byproduct, we further apply our technique to PAKE protocols like SPAKE2 and PPK in the relaxed UC framework, resulting in their 2DH variants with tight security from the CDH assumption
- …