
    On Composability of Game-based Password Authenticated Key Exchange

    It is standard practice that the secret key derived from an execution of a Password Authenticated Key Exchange (PAKE) protocol is used to authenticate and encrypt some data payload using a Symmetric Key Protocol (SKP). Unfortunately, most PAKEs of practical interest are studied using so-called game-based models, which – unlike simulation models – do not guarantee secure composition per se. However, Brzuska et al. (CCS 2011) have shown that middle ground is possible in the case of authenticated key exchange that relies on Public-Key Infrastructure (PKI): the game-based models do provide secure composition guarantees when the class of higher-level applications is restricted to SKPs. The question that we pose in this paper is whether or not a similar result can be exhibited for PAKE. Our work answers this question positively. More specifically, we show that PAKE protocols secure according to the game-based Real-or-Random (RoR) definition with the weak forward secrecy of Abdalla et al. (S&P 2015) allow for safe composition with arbitrary, higher-level SKPs. Since there is evidence that most PAKEs secure in the Find-then-Guess (FtG) model are in fact secure according to the RoR definition, we can conclude that nearly all provably secure PAKEs enjoy a certain degree of composition, one that at least covers the case of implementing secure channels.

    Efficient Two-Party Password-Based Key Exchange Protocols in the UC Framework

    Most of the existing password-based authenticated key exchange protocols have proofs either in the indistinguishability-based security model of Bellare, Pointcheval, and Rogaway (BPR) or in the simulation-based model of Boyko, MacKenzie, and Patel (BMP). Though these models provide a security level that is sufficient for most applications, they fail to consider some realistic scenarios such as participants running the protocol with different but possibly related passwords. To overcome these deficiencies, Canetti et al. proposed a new security model in the universal composability (UC) framework which makes no assumption on the distribution of passwords used by the protocol participants. They also proposed a new protocol, but, unfortunately, the latter is not as efficient as some of the existing protocols in the BPR and BMP models. In this paper, we investigate whether some of the existing protocols that were proven secure in the BPR and BMP models can also be proven secure in the new UC model, and we answer this question in the affirmative. More precisely, we show that the protocol by Bresson, Chevassut, and Pointcheval (BCP) in CCS 2003 is also secure in the new UC model. The proof of security relies on the random-oracle and ideal-cipher models and works even in the presence of adaptive adversaries, capable of corrupting players at any time and learning their internal states.

    Towards post-quantum secure PAKE - A tight security proof for OCAKE in the BPR model

    We revisit OCAKE (ACNS 23), a generic recipe that constructs password-based authenticated key exchange (PAKE) from key encapsulation mechanisms (KEMs) in a black-box way. This makes it possible to achieve post-quantum security by instantiating the KEM with a post-quantum KEM like KYBER. It was left as an open problem to further adapt the proof such that it also holds against quantum attackers. The security proof is given in the universal composability (UC) framework, which is common for PAKE. So far, however, it is not known how to model or prove computational UC security against quantum adversaries, let alone if the proof uses idealized primitives like random oracles or ideal ciphers. To pave the way towards reasoning about post-quantum security, we therefore resort to a (still classical) game-based security proof in the BPR model (EUROCRYPT 2000). We consider this a crucial stepping stone towards a full proof of post-quantum security. We prove security of (a minor variation of) OCAKE, assuming the underlying KEM satisfies notions of ciphertext indistinguishability, anonymity, and (computational) public-key uniformity. To achieve tight security bounds, we use multi-user variants of the aforementioned properties. We provide a full detailed proof – something often omitted in publications on game-based security of PAKE. As a side contribution, we demonstrate in detail how to handle password guesses, which is something we were unable to find in the existing literature on game-based PAKE proofs.

    Provable Security Analysis of the Secure Remote Password Protocol

    This paper analyses the Secure Remote Password Protocol (SRP) in the context of provable security. SRP is an asymmetric Password-Authenticated Key Exchange (aPAKE) protocol introduced in 1998. It allows a client to establish a shared cryptographic key with a server based on a password of potentially low entropy. Although the protocol was part of several standardization efforts, and is deployed in numerous commercial applications such as Apple Homekit, 1Password or Telegram, it still lacks a formal proof of security. This is mainly due to some of the protocol's design choices which were implemented to circumvent patent issues. Our paper gives the first security analysis of SRP in the universal composability (UC) framework. We show that SRP is UC-secure against passive eavesdropping attacks under the standard CDH assumption in the random oracle model. We then highlight a major protocol change designed to thwart active attacks and propose a new assumption -- the additive Simultaneous Diffie-Hellman (aSDH) assumption -- under which we can guarantee security in the presence of an active attacker. Using this new assumption as well as the Gap CDH assumption, we prove security of the SRP protocol against active attacks. Our proof is in the Angel-based UC framework, a relaxation of the UC framework which gives all parties access to an oracle with super-polynomial power. In our proof, we assume that all parties have access to a DDH oracle (limited to finite fields). We further discuss the plausibility of this assumption and which level of security can be shown without it.

    On the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy

    Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have witnessed the debut of a number of prominent security models for PAKE protocols, whose aim is to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. These models are usually classified into (i) indistinguishability-based (IND-based) or (ii) simulation-based (SIM-based). However, the relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. The results obtained also hold when forward secrecy is incorporated into the security models in question.

    GeT a CAKE: Generic Transformations from Key Encaspulation Mechanisms to Password Authenticated Key Exchanges

    Password Authenticated Key Exchange (PAKE) has become a key building block in many security products as it provides interesting efficiency/security trade-offs. Indeed, a PAKE allows one to dispense with heavy public key infrastructures, and its efficiency and portability make it well suited for applications such as the Internet of Things or e-passports. With the emerging quantum threat and the effervescent development of post-quantum public key algorithms in the last five years, one would wonder how to modify existing password authenticated key exchange protocols that currently rely on Diffie-Hellman problems in order to include newly introduced and soon-to-be-standardized post-quantum key encapsulation mechanisms (KEMs). A generic solution is desirable for maintaining modularity and adaptability with the many post-quantum KEMs that have been introduced. In this paper, we propose two new generic and natural constructions proven in the Universal Composability (UC) model to transform, in a black-box manner, a KEM into a PAKE with very limited performance overhead: one or two extra symmetric encryptions. Behind the simplicity of the designs, establishing security proofs in the UC model is actually non-trivial and requires some additional properties on the underlying KEM like fuzziness and anonymity. Luckily, post-quantum KEM protocols often enjoy these two extra properties. As a demonstration, we prove that it is possible to apply our transformations to Crystals-Kyber, a lattice-based post-quantum KEM that will soon be standardized by the National Institute of Standards and Technology (NIST). In a nutshell, this work opens up the possibility to securely include post-quantum cryptography in PAKE-based real-world protocols.

    Oblivious Pseudo-Random Functions via Garbled Circuits

    An Oblivious Pseudo-Random Function (OPRF) is a protocol that allows two parties – a server and a user – to jointly compute the output of a Pseudo-Random Function (PRF). The server holds the key for the PRF and the user holds an input on which the function shall be evaluated. The user learns the correct output while the inputs of both parties remain private. If the server can additionally prove to the user that several executions of the protocol were performed with the same key, we call the OPRF verifiable. One way to construct an OPRF protocol is by using generic tools from multi-party computation, like Yao's seminal garbled circuits protocol. Garbled circuits allow two parties to evaluate any boolean circuit, while the input that each party provides to the circuit remains hidden from the respective other party. An approach to realizing OPRFs based on garbled circuits was e.g. mentioned by Pinkas et al. (ASIACRYPT '09). But OPRFs are used as a building block in various cryptographic protocols. This frequent usage in conjunction with other building blocks calls for a security analysis that takes composition, i.e., the usage in a bigger context, into account. In this work, we give the first construction of a garbled-circuit-based OPRF that is secure in the universal composability model by Canetti (FOCS '01). This means the security of our protocol holds even if the protocol is used in arbitrary execution environments, even under parallel composition. We achieve a passively secure protocol that relies on authenticated channels, the random oracle model, and the security of oblivious transfer. We use a technique from Albrecht et al. (PKC '21) to extend the protocol to a verifiable OPRF by employing a commitment scheme. The two parties compute a circuit that only outputs a PRF value if a commitment opens to the right server key. Further, we implemented our construction and compared the concrete efficiency with two other OPRFs. We found that our construction is over a hundred times faster than a recent lattice-based construction by Albrecht et al. (PKC '21), but not as efficient as the state-of-the-art protocol from Jarecki et al. (EUROCRYPT '18), based on the hardness of the discrete logarithm problem in certain groups. Our efficiency-benchmark results imply that – under certain circumstances – generic techniques such as garbled circuits can achieve substantially better performance in practice than some protocols specifically designed for the problem. Büscher et al. (ACNS '20) showed that garbled circuits are secure in the presence of adversaries using quantum computers. This fact combined with our results indicates that garbled-circuit-based OPRFs are a promising way towards efficient OPRFs that are secure against such quantum adversaries.