On the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have witnessed the debut of a number of prominent security models for PAKE protocols, whose aim is to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. These models are usually classified into (i) indistinguishability-based (IND-based) or (ii) simulation-based (SIM-based). However, the relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. The results obtained also hold when forward secrecy is incorporated into the security models in question

PROVABLE SECURITY ANALYSIS FOR THE PASSWORD AUTHENTICATED KEY EXCHANGE PROBLEM

Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communications despite a human-memorable password being the only secret that is previously shared between the participants. After more than 25 years since the initial proposal, the PAKE problem remains an active area of research, probably due to the vast amount of passwords deployed on the internet as password-based still constitutes the most extensively used method for user authentication. In this thesis, we consider the computational complexity approach to improve the current understanding of the security provided by previously proposed PAKE protocols and their corresponding security models. We expect that this work contributes to the standardization, adoption and more efficient implementation of the considered protocols. Our first contribution is concerning forward secrecy for the SPAKE2 protocol of Abdalla and Pointcheval (CT-RSA 2005). We prove that the SPAKE2 protocol satisfies the so-called notion of weak forward secrecy. Furthermore, we demonstrate that the incorporation of key-confirmation codes in the original SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe our results fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3. Our second contribution is regarding tight security reductions for EKE-based protocols. We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today's world. Finally, we study the relation between two well-known security models for PAKE protocols. Security models for PAKEs aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based), however, controversy remains within the research community regarding what is the most appropriate security model that better reflects the capabilities that an adversary is supposed to have in real-world scenarios. Furthermore, the relation between these two security notions is unclear and mentioned as a gap in the literature. We prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security

On Composability of Game-based Password Authenticated Key Exchange

It is standard practice that the secret key derived from an execution of a Password Authenticated Key Exchange (PAKE) protocol is used to authenticate and encrypt some data payload using a Symmetric Key Protocol (SKP). Unfortunately, most PAKEs of practical interest are studied using so-called game-based models, which – unlike simulation models – do not guarantee secure composition per se. However, Brzuska et al. (CCS 2011) have shown that middle ground is possible in the case of authenticated key exchange that relies on Public- Key Infrastructure (PKI): the game-based models do provide secure composition guarantees when the class of higher-level applications is restricted to SKPs. The question that we pose in this paper is whether or not a similar result can be exhibited for PAKE. Our work answers this question positively. More specifically, we show that PAKE protocols secure according to the game-based Real-or-Random (RoR) definition with the weak forward secrecy of Abdalla et al. (S&P 2015) allow for safe composition with arbitrary, higher-level SKPs. Since there is evidence that most PAKEs secure in the Find-then-Guess (FtG) model are in fact secure according to RoR definition, we can conclude that nearly all provably secure PAKEs enjoy a certain degree of composition, one that at least covers the case of implementing secure channel

Tightly-Secure PAK(E)

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today’s world

Bowdoin Orient v.62, no.1-27 (1932-1933)

https://digitalcommons.bowdoin.edu/bowdoinorient-1930s/1002/thumbnail.jp

The Calcutta Christian Observer, Volume IV

https://place.asburyseminary.edu/ecommonsatsdigitalresources/1147/thumbnail.jp