Round-Optimal Password-Based Authenticated Key Exchange

Abstract

We show a general framework for constructing password-based authenticated key-exchange protocols with optimal round complexity—one message per party, sent simultaneously—in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map-based cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round.

1 Password-Based Authenticated Key Exchange

Protocols for authenticated key exchange enable two parties to generate a shared, cryptographically strong key while communicating over an insecure network under the complete control of an adversary. Such protocols are among the most widely used and fundamental cryptographic primitives; indeed, agreement on a shared key is necessary before “higher-level” tasks such as encryption and message authentication become possible.

Parties must share some information in order for authenticated key exchange to be possible. It is well known that shared cryptographic keys—either in the form of public keys or a long, uniformly random symmetric key—suffice, and several protocols in this model, building on the classic Diffie–Hellman protocol [19] (which protects only against an eavesdropping adversary and provides no authentication at all) are known; see, e.g., [4, 7].

Password-based protocols allow users to bootstrap a weak (e.g., short) shared secret into a (much longer) cryptographic key. The canonical application here is authentication using passwords, though protocols developed in this context can be useful even when the shared secret has high min-entropy (but is not uniform) [11]. The security guaranteed by password-based protocols (roughly speaking) is that if the password is chosen uniformly¹ from a dictionary of size D then an adversary who initiates Q on-line attacks—i.e., who actively interferes in Q sessions—has “advantage” at most Q/D. (This is inherent, as an adversary can always carry out Q impersonation attempts and succeed with this probability.) In particular, off-line dictionary attacks in which an adversary enumerates passwords from the dictionary of potential passwords, and tries to match observed protocol transcripts to each one, are of no use.

Early work on password-based protocols [24, 29] considered a “hybrid” setting where users share public keys in addition to a password. In the setting where only a password is shared, Bellovin and Merritt [6] proposed the first protocols for password-based authenticated key exchange (PAKE) with heuristic arguments for their security. Several years later, provably secure PAKE protocols were constructed [3, 12, 36] in the random-oracle/ideal-cipher models, and many improvements and generalizations of these protocols are known. In contrast, only a handful of PAKE protocols are known in the standard model (i.e., without random oracles):

• General assumptions: Goldreich and Lindell [23] gave the first PAKE protocol in the standard model (and without requiring any additional setup). Their work does not handle concurrent executions of the protocol by the same party. Work of Barak et al. [2] shows a general feasibility result for computation over unauthenticated networks which implies a solution for PAKE as a special case, assuming a common reference string (CRS) is available to the parties.² All these protocols are impractical in terms of communication, computation, and round complexity. Nguyen and Vadhan [38] showed some efficiency improvements, but achieved a weaker notion of security. Their protocol is still far from practical.

• Efficient protocols: Katz, Ostrovsky, and Yung [34] demonstrated the first efficient PAKE protocol with a proof of security based on standard assumptions; extensions and improvements of their protocol were given in Refs. [16, 21, 22, 33, 35]. Different constructions of efficient PAKE protocols were given in Refs. [27, 32]. These works all require a CRS.

Other relevant work, done subsequent to the present work, includes Refs. [15, 25, 26].

Round/message complexity of existing protocols

We distinguish between rounds and messages. Differing somewhat from the usual convention in the two-party setting (but matching the usual convention in the multi-party setting), we let a round consist of one message sent by each party simultaneously; note that in a one-round protocol each honest party’s message cannot depend on the other party’s message. We stress, however, that the adversary is assumed to be rushing; i.e., it may wait to receive an honest party’s first-round message before sending its own.

Determining the optimal round complexity of key-exchange protocols is of both theoretical and practical interest, and has been studied in various settings. The original Diffie–Hellman protocol [19], which provides security against a passive eavesdropper, can be run in one round; one-round authenticated key exchange based on shared public/symmetric keys is also possible [31, 39]. One-round PAKE protocols are also known (e.g., [3]) in the random oracle model. All prior PAKE protocols based on standard assumptions, though, require three or more rounds. We remark that the protocols in Refs. [27, 32] achieve explicit authentication in three rounds (whereas the protocols of Refs. [21, 22, 34, 35] achieve only implicit authentication in three rounds, and require an additional round for explicit authentication), but the round complexity of these protocols cannot be further reduced even if only implicit authentication is desired.

1.1 Our Results

We show a new framework for constructing one-round PAKE protocols in the standard model (assuming a CRS), where each party may send their message simultaneously. (Once again, we stress that our security model allows for a “rushing” adversary who waits to see the message sent by a party before sending its response.) Our protocols achieve implicit authentication but can be extended to give explicit authentication using one additional round; explicit authentication is impossible in one round without stronger setup assumptions (e.g., a global clock).

Our framework relies on non-interactive zero-knowledge (NIZK) proofs and so, in general, is computationally inefficient. When instantiating our framework using bilinear maps, however, we obtain a reasonably efficient solution communicating a constant number of group elements.

Somewhat surprisingly, we can extend our framework to give a universally composable PAKE protocol [14]—secure against static corruptions—without increasing the round complexity at all (and still without relying on random oracles). In contrast, the work of Canetti et al. [16] shows a method for obtaining universal composability (used also in Ref. [27]) that requires additional messages/rounds. Abdalla et al. [1] show a universally composable PAKE protocol, proven secure in the random oracle model, that requires three rounds. To the best of our knowledge, no prior universally composable PAKE protocol (whether in the random oracle model or not) can be run in only one round.

1.2 Our Techniques

At a basic level we rely on smooth projective hash functions [17], as used for PAKE in Ref. [22] (and implicitly in Ref. [34]). Roughly speaking, and adapted to the present context, a smooth projective hash function is a keyed function H that can be computed in two ways: either using the hash key k or using a projected key s. If C is an encryption of some value pw using randomness r (with respect to some fixed public key), then H _k (C,pw)=H _s (C,pw,r). On the other hand, if C is not an encryption of pw then the value of H _k (C,pw) is independent of the projected key s. We refer the reader to Sect. 2.2 for formal definitions.

The basic structure of previous protocols [22, 34], omitting various details, is as follows:

First round::

The client sends an encryption C of the password pw.

Second round::

The server sends an encryption C′ of pw, and a projected key s′=α(k′,C,pw) corresponding to a hash key k′.

Third round::

The client sends a projected key s=α(k,C′,pw) corresponding to a hash key k.

The client computes the session key as H _k (C′,pw)⋅H _s′(C,pw,r), and the server computes the session key as H _s (C′,pw,r′)⋅H _k′(C,pw). (Here, r,r′ is the randomness used to compute C,C′, respectively.) Properties of the smooth projective hash function ensure that these are equal.

Two difficulties must be overcome in order to collapse a protocol of the above form to one round:

• In the smooth projective hash functions used in prior work, the “projection function” α was adaptive, and depended on both the hash key k and the element being hashed (i.e., (C,pw) in the above example). This leads to protocols requiring three rounds just to ensure correctness.

  Here we show a construction of CCA-secure encryption schemes with associated smooth projective hash functions whose projection function is non-adaptive, and depends only on the hash key k. This allows us to obtain the functionality of PAKE in a single round, by having the client send (α(k),C) and the server send (α(k′),C′) simultaneously.

• The above addresses correctness, but says nothing about security. The main technical difficulty is that an honestly generated client message (s,C) might be forwarded by an adversary to multiple server instances (and similarly for server messages), and the session keys computed in all these instances should look random and independent to the adversary. (This issue does not arise in prior work because, roughly speaking, messages are bound to a single session by virtue of a signature verification key sent in the first round [22, 34] or a MAC derived from the shared session key [21]. Neither approach is viable if we want the entire protocol to take place in a single round.)

  To address the above difficulty, we rely on a technical lemma (which may be of independent interest) regarding the re-use of both the hash keys and the inputs to the smooth projective hash function.

Additional ideas are needed to obtain a universally composable protocol without increasing the number of rounds. We refer the reader to Sect. 5.1 for an overview of the techniques used there.

1.3 Outline of the Paper

In Sect. 2 we present a standard definition of security for PAKE due to Bellare et al. [3]. We also review there the notion of smooth projective hashing, and prove a technical lemma regarding its usage. In Sect. 3 we describe our basic framework for constructing one-round PAKE protocols, and prove security of this approach according to the definition of Bellare et al. [3]. We discuss in Sect. 4 two instantiations of our framework: one based on the decisional Diffie–Hellman assumption, and a second, more efficient instantiation, based on bilinear maps. In Sect. 5 we describe an extension of our framework that yields one-round, universally composable PAKE protocols.

2 Definitions and Background

Throughout, we denote the security parameter by n.

2.1 Password-Based Authenticated Key Exchange

We present a definition of security for PAKE due to Bellare, Pointcheval, and Rogaway [3], based on prior work of Bellare and Rogaway [4, 5]. The text here is taken almost verbatim from Katz et al. [34].

Participants, passwords, and initialization

Prior to any execution of the protocol there is an initialization phase during which public parameters and a CRS are established. We assume a fixed set \({\sf User}\) of protocol participants (also called principals or users). For every distinct \(U, U' \in {\sf User}\), users U and U′ share a password \(\emph{pw}_{U,U'}\). We assume that each \(\emph{pw}_{U,U'}\) is chosen independently and uniformly from the set \([D] \stackrel{{\rm def}}{=}\{1, \ldots, D\}\) for some integer D. (Our proof of security extends to more general cases, and we implicitly consider arbitrary password distributions in the setting of universal composability.)

Execution of the protocol

In the real world, a protocol determines how principals behave in response to input from their environment. In the formal model, these inputs are provided by the adversary. Each principal can execute the protocol multiple times (possibly concurrently) with different partners; this is modeled by allowing each principal to have an unlimited number of instances with which to execute the protocol. We denote instance i of user U as \(\varPi_{U}^{i}\). Each instance may be used only once. The adversary is given oracle access to these different instances; furthermore, each instance maintains (local) state which is updated during the course of the experiment. In particular, each instance \(\varPi_{U}^{i}\) is associated with the following variables:

• \({\sf sid}_{U}^{i}\), \({\sf pid}_{U}^{i}\), and \({\sf sk}_{U}^{i}\) denote the session id, partner id, and session key for an instance, respectively. The session id is simply a way to keep track of different executions; we let \({\sf sid}_{U}^{i}\) be the (ordered) concatenation of all messages sent and received by \(\varPi_{U}^{i}\). The partner id denotes the user with whom \(\varPi_{U}^{i}\) believes it is interacting. (Note that \({\sf pid}_{U}^{i}\) can never equal U.)

• \({\sf acc}_{U}^{i}\) and \({\sf term}_{U}^{i}\) are boolean variables denoting whether a given instance has accepted or terminated, respectively.

The adversary’s interaction with the principals (more specifically, with the various instances) is modeled via access to oracles that we describe now:

• \({\sf Send}(U, i, {\sf msg})\)—This sends message \({\sf msg}\) to instance \(\varPi_{U}^{i}\). This instance runs according to the protocol specification, updating state as appropriate. The message output by \(\varPi_{U}^{i}\) is given to the adversary.

  The adversary can prompt the unused instance \(\varPi_{U}^{i}\) to initiate the protocol with partner U′ by querying \({\sf Send}(U,i,U')\). In response, instance \(\varPi_{U}^{i}\) outputs the first message of the protocol.

• \({\sf Execute}(U, i, U', j)\)—If \(\varPi_{U}^{i}\) and \(\varPi_{U'}^{j}\) have not yet been used, this oracle executes the protocol between these instances and gives the transcript of this execution to the adversary. This oracle call represents passive eavesdropping of a protocol execution.

• \({\sf Reveal}(U, i)\)—This outputs the session key \({\sf sk}_{U}^{i}\), modeling leakage of session keys due to, e.g., improper erasure of session keys after use, compromise of a host computer, or cryptanalysis.

• \({\sf Test}(U, i)\)—This oracle does not model any real-world capability of the adversary, but is instead used to define security. A random bit b is chosen; if b=1 the adversary is given \({\sf sk}_{U}^{i}\), and if b=0 the adversary is given a session key chosen uniformly from the appropriate space.

Partnering

Let \(U, U' \in {\sf User}\). Instances \(\varPi_{U}^{i}\) and \(\varPi_{U'}^{j}\) are partnered if (1) \({\sf sid}_{U}^{i} = {\sf sid}_{U'}^{j} \neq \mbox{{\sc null}}\), and (2) \({\sf pid}_{U}^{i} = U'\) and \({\sf pid}_{U'}^{j} = U\).

Correctness

To be viable, a key-exchange protocol must satisfy the following notion of correctness: if \(\varPi_{U}^{i}\) and \(\varPi_{U'}^{j}\) are partnered then \({\sf acc}_{U}^{i} = {\sf acc}_{U'}^{j} = \mbox{{\sc true}}\) and \({\sf sk}_{U}^{i} = {\sf sk}_{U'}^{j}\), i.e., they both accept and conclude with the same session key.

Advantage of the adversary

Informally, the adversary succeeds if it can guess the bit b used by the Test oracle. To formally define the adversary’s success, we first define a notion of freshness. An instance \(\varPi_{U}^{i}\) is fresh unless one of the following is true at the conclusion of the experiment: (1) at some point, the adversary queried \({\sf Reveal}(U, i)\); or (2) at some point, the adversary queried \({\sf Reveal}(U', j)\), where \(\varPi_{U'}^{j}\) and \(\varPi_{U}^{i}\) are partnered. We allow the adversary to succeed only if its Test query is made to a fresh instance; this is necessary for any reasonable definition of security.

An adversary \(\mathcal{A}\) succeeds if it makes a single query \({\sf Test}(U, i)\) to a fresh instance \(\varPi_{U}^{i}\), and outputs a bit b′ with b′=b (recall that b is the bit chosen by the Test oracle). We denote this event by Succ. The advantage of \(\mathcal{A}\) in attacking protocol Π is given by \({\sf Adv}_{\mathcal{A},\varPi}(k) \stackrel{{\rm def}}{=}2 \cdot \Pr[{\sf Succ}] - 1\), where the probability is taken over the random coins used by the adversary and the random coins used during the course of the experiment (including the initialization phase).

It remains to define a secure protocol. A probabilistic polynomial-time (ppt) adversary can always succeed with probability 1 by trying all passwords one-by-one; this is possible since the size of the password dictionary is small. Informally, a protocol is secure if this is the best an adversary can do. Formally, an instance \(\varPi_{U}^{i}\) represents an on-line attack if both the following are true at the time of the \({\sf Test}\) query: (1) at some point, the adversary queried \({\sf Send}(U, i, *)\); and (2) at some point, the adversary queried \({\sf Reveal}(U, i)\) or \({\sf Test}(U, i)\). The number of on-line attacks represents a bound on the number of passwords the adversary could have tested in an on-line fashion.

Definition 1

Protocol Π is a secure protocol for password-based authenticated key exchange if, for all dictionary sizes D and for all ppt adversaries \(\mathcal{A}\) making at most Q(n) on-line attacks, it holds that \({\sf Adv}_{\mathcal{A},\varPi}(n) \leq Q(n)/D + {\sf negl}(n)\).

2.2 Smooth Projective Hash Functions

We provide a self-contained definitional treatment of smooth projective hash functions. These were introduced by Cramer and Shoup [17], and our discussion here is based on that of Gennaro and Lindell [22]. Rather than aiming for utmost generality, we tailor the definitions to our application.

A hard subset-membership problem

Fix some integer D. Let \(({\sf Gen}, {\sf Enc}, {\sf Dec})\) be a CCA-secure labeled encryption scheme (cf. Sect. A.1). We let C _pk denote the set of pairs of valid labels and ciphertexts with respect to some public key pk, and require that this set be efficiently recognizable for all pk. For a given public key pk, define sets X and {L _pw } _pw∈[D] as follows:

1. 1.

   \(X \stackrel{{\rm def}}{=}\{({\sf label}, C, pw)\}\), where \(({\sf label}, C) \in C_{pk}\) and pw∈{1,…,D}.

2. 2.

   \(L_{pw} \stackrel{{\rm def}}{=}\{({\sf label}, {\sf Enc}_{pk}({\sf label}, pw), pw)\}\), where \({\sf label}\in \{0,1\}^{*}\).

That is, X consists of all tuples of valid labels, valid ciphertexts, and passwords, while L _pw consists of all tuples where the third component is pw, the first component is \({\sf label}\), and the second component is an encryption of pw using \({\sf label}\). Let \(L = \bigcup_{pw=1}^{D} L_{pw}\), and note that L⊂X. It follows from CCA security of \(({\sf Gen}, {\sf Enc}, {\sf Dec})\) that the following is negligible for any probabilistic polynomial-time \(\mathcal{A}\):

where \(\mathcal{A}\) is disallowed from querying \(({\sf label}, C)\) to its decryption oracle.

Smooth projective hash functions

Fix pk and sets X,L as above. A smooth projective hash function \(\mathcal{H} = \{H_{k}\}_{k \in K}\) is a keyed function mapping elements in X to elements in some group \({\mathbb{G}}\), along with a projection function α:K→S. Informally, if x∈L then the value of H _k (x) is uniquely determined by s=α(k) and x, whereas if x∈X∖L then the value of H _k (x) is statistically close to uniform given α(k) and x (assuming k was chosen uniformly in K). A smooth projective hash function is formally defined by a sampling algorithm that, given pk, outputs \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}: X \rightarrow {\mathbb{G}}\}_{k \in K}, S, \alpha: K \rightarrow S)\) such that:

1. 1.

   There are efficient algorithms for (1) sampling a uniform k∈K, (2) computing H _k (x) for any k∈K and x∈X, and (3) computing α(k) for k∈K.

2. 2.

   For all \(({\sf label}, C, pw) \in L\), the value of \(H_{k}({\sf label}, C, pw)\) is uniquely determined by α(k). Moreover, there is an efficient algorithm that takes as input s=α(k) and \(({\sf label}, C, pw, r)\) for which \(C = {\sf Enc}_{pk}({\sf label}, pw; r)\), and outputs \(H_{k}({\sf label}, C, pw)\). (In other words, when \(({\sf label}, C, pw) \in L\) then \(H_{k}({\sf label}, C,\allowbreak pw)\) can be computed in two ways: either using k itself, or using α(k) and the randomness used to generate C.)

3. 3.

   For any (even unbounded) function f:S→X∖L, the following distributions have statistical difference negligible in n:

   

   (1)

Above we have modified the definition from Gennaro and Lindell [22] in two ways: first, α is non-adaptive and depends on k only (rather than both k and x); second, we require Eq. (1) to hold even for adaptive choice of \(f(s) \not \in L\). The first modification allows us to achieve the functionality of password-based authenticated key exchange in one round, whereas the second is used for proving security of the resulting protocol.

A technical lemma

We now prove a technical lemma regarding smooth projective hash functions. Somewhat informally, Gennaro and Lindell [22] showed that, for randomly generated pk and any \(({\sf label}, pw)\), the distribution

$$\bigl\{ k \leftarrow K ; s := \alpha(k); C \leftarrow {\sf Enc}_{pk}({\sf label}, pw) : \bigl(s, C, H_k({\sf label}, C, pw) \bigr) \bigr\} $$

is computationally indistinguishable from the distribution

$$\bigl\{ k \leftarrow K; s := \alpha(k); C \leftarrow {\sf Enc}_{pk}({\sf label}, pw); g \leftarrow {\mathbb{G}}: (s, C, g) \bigr\}. $$

(Note that this holds even though \(H_{k}({\sf label}, C, pw)\) is uniquely determined by s and C.) Here we show that this continues to hold even if hash keys and ciphertexts are re-used multiple times. That is, at a high level (ignoring labels and technical details), we show that the distribution

$$\left \{ \begin{array}{c} k_1, \ldots, k_\ell \leftarrow K ; \forall i: s_i := \alpha(k_i); \\ C_1, \ldots, C_\ell \leftarrow {\sf Enc}_{pk}(pw) \end{array} : \bigl(\{s_i\}, \{C_i\}, \bigl\{H_{k_i}(C_j, pw)\bigr\}_{i,j=1}^\ell \bigr) \right \} $$

is computationally indistinguishable from the distribution

$$\left \{ \begin{array}{c} k_1, \ldots, k_\ell \leftarrow K ; \forall i: s_i := \alpha(k_i);\\ C_1, \ldots, C_\ell \leftarrow {\sf Enc}_{pk}(pw); \forall i, j: g_{i,j} \leftarrow {\mathbb{G}}\end{array} : \bigl(\{s_i\}, \{C_i\}, \{g_{i,j}\}_{i,j=1}^\ell \bigr) \right \}. $$

Formally, fix a function ℓ=ℓ(n), let \(\mathcal{A}\) be an adversary, and let b∈{0,1}. Consider the following experiment \({\sf Expt}_{b}\):

1. 1.

   Compute \((pk, sk) \leftarrow {\sf Gen}(1^{n})\) and let (\(K, {\mathbb{G}}, \mathcal{H}= \{H_{k}: X \rightarrow {\mathbb{G}}\}_{k \in K}, S, \alpha: K \rightarrow S\)) be a smooth projective hash function for pk. Give pk to \(\mathcal{A}\).

2. 2.

   Sample k ₁,…,k _ℓ ←K, and let s _i :=α(k _i ) for all i. Give s ₁,…,s _ℓ to \(\mathcal{A}\).

3. 3.

   \(\mathcal{A}\) may adaptively query a (modified) encryption oracle that takes as input \(({\sf label}, pw)\) for pw∈[D], and outputs a ciphertext \(C \leftarrow {\sf Enc}_{pk}({\sf label}, pw)\) along with:

   1. (a)

      If b=0, the values \(H_{k_{i}}({\sf label}, C, pw)\) for i=1 to ℓ.

   2. (b)

      If b=1, random values \(g_{1}, \ldots, g_{\ell}\leftarrow {\mathbb{G}}\).

4. 4.

   \(\mathcal{A}\) can also query a decryption oracle \({\sf Dec}_{sk}(\cdot, \cdot)\) at any point, except that it may not query any pair \(({\sf label}, C)\) where C was obtained from the encryption oracle on query \(({\sf label}, pw)\).

5. 5.

   At the end of the experiment, \(\mathcal{A}\) outputs a bit b′. We say \(\mathcal{A}\) succeeds if b′=b.

Lemma 1

Let \(({\sf Gen},{\sf Enc},{\sf Dec})\) be a CCA-secure labeled encryption scheme, and \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}: X \rightarrow {\mathbb{G}}\}_{k \in K}, S, \alpha: K \rightarrow S)\) a smooth projective hash function. For any polynomial ℓ and probabilistic polynomial-time  \(\mathcal{A}\), we have \(\Pr[ \mathcal{A}~\mathrm{succeeds} ] \leq \frac{1}{2} + {\sf negl}(n)\).

Proof

Let ℓ′ be a (polynomial) bound on the number of encryption queries asked by \(\mathcal{A}\), and let \(C_{i} \leftarrow {\sf Enc}_{pk}({\sf label}_{i}, pw_{i})\) be the ciphertext returned in response to the ith query of \(\mathcal{A}\). When b=0, the values given to \(\mathcal{A}\) include pk, s ₁,…,s _ℓ , the ciphertexts C ₁,…,C _ℓ′, and the values

$$\left ( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} H_{k_1}({\sf label}_1, C_1, pw_1) & \cdots & \cdots & H_{k_1}({\sf label}_{\ell'}, C_{\ell'}, pw_{\ell'}) \\ \vdots & \ddots & \ddots & \vdots \\ H_{k_\ell}({\sf label}_1, C_1, pw_1) & \cdots & \cdots & H_{k_\ell}({\sf label}_{\ell'}, C_{\ell'}, pw_{\ell'}) \end{array} \right ). $$

We show that this is computationally indistinguishable from the experiment where \(\mathcal{A}\) gets pk, s ₁,…,s _ℓ , ciphertexts C ₁,…,C _ℓ′, and a matrix of ℓ⋅ℓ′ uniform and independent elements of \({\mathbb{G}}\).

To prove this we show that, for arbitrary i,j, the experiment in which \(\mathcal{A}\) is given

$$\left (\begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} g_{1,1} & & \vdots & & \vdots \\ \vdots & & g_{i-1,j} & & \vdots \\ \vdots & \vdots & H_{k_i}({\sf label}_j, C_j, pw_j) & \vdots & \vdots \\ \vdots & & H_{k_{i+1}}({\sf label}_j, C_j, pw_j) & & \vdots \\ g_{\ell,1} & & \vdots & & H_{k_\ell}({\sf label}_{\ell'}, C_{\ell'}, pw_{\ell'}) \end{array} \right ) $$

is computationally indistinguishable from the experiment in which \(\mathcal{A}\) is given

$$\left (\begin{array}{c@{\quad }c@{\quad }c@{\quad }c@{\quad }c} g_{1,1} & & \vdots & & \vdots \\ \vdots & & g_{i-1,j} & & \vdots \\ \vdots & \vdots & g_{i,j} & \vdots & \vdots \\ \vdots & & H_{k_{i+1}}({\sf label}_j, C_j, pw_j) & & \vdots \\ g_{\ell,1} & & \vdots & & H_{k_\ell}({\sf label}_{\ell'}, C_{\ell'}, pw_{\ell'}) \end{array} \right ), $$

where the g _a,b denote uniform and independent elements of \({\mathbb{G}}\). (In both cases, \(\mathcal{A}\) is also given pk, s ₁,…,s _ℓ , and C ₁,…,C _ℓ′, and may access the decryption oracle as in the original experiment. Note that only the distribution of the (i,j)th element has changed.) Once we show this, the lemma follows by a standard hybrid argument.

We denote the first experiment, in which the (i,j)th entry of the matrix is computed as \(H_{k_{i}}({\sf label}_{j}, C_{j}, pw_{j})\), by real _i,j ; we denote the second experiment, in which the (i,j)th entry of the matrix is a random g _i,j , by rand _i,j . To prove that these two experiments are indistinguishable, we introduce two additional experiments. Experiment \({\textsf{real}}'_{i,j}\) (resp., \({\textsf{rand}}'_{i,j}\)) is identical to real _i,j (resp., rand _i,j ) except that now the jth ciphertext C _j returned by the encryption oracle is computed as an encryption of 0 (i.e., \(C_{j} \leftarrow {\sf Enc}_{pk}({\sf label}_{j}, 0)\)). It follows from the CCA-security of the encryption scheme that real _i,j and \({\textsf{real}}'_{i,j}\) (resp., rand _i,j and \({\textsf{rand}}'_{i,j}\)) are computationally indistinguishable.

To complete the proof that real _i,j and rand _i,j are computationally indistinguishable, we show that \({\textsf{real}}'_{i,j}\) and \({\textsf{rand}}'_{i,j}\) are statistically close. To see this, consider the following experiment involving an algorithm B who is given s _i =α(k _i ) for unknown (random) k _i , outputs \(({\sf label}, C, pw) \in X \setminus L\), and is given in response an element \(h_{i,j} \in {\mathbb{G}}\):

1. 1.

   Choose random k _i ←K and give s _i =α(k _i ) to B.

2. 2.

   B computes \((pk, sk) \leftarrow {\sf Gen}(1^{n})\) and internally runs \(\mathcal{A}\) on initial input pk. Then B samples k ₁,…,k _i−1, k _i+1,…,k _ℓ ←K, sets s _m =α(k _m ) for all m≠i, and gives s ₁, …, s _ℓ to \(\mathcal{A}\).

3. 3.

   When \(\mathcal{A}\) queries its encryption oracle with \(({\sf label}, pw)\), then B does:

   1. (a)

      For the kth such query where k<j, we have B compute \(C_{k} \leftarrow {\sf Enc}_{pk}({\sf label},\allowbreak pw)\) and give to \(\mathcal{A}\) the ciphertext C _k along with random \(g_{1,k}, \ldots, g_{\ell,k} \leftarrow {\mathbb{G}}\).

   2. (b)

      For the jth such query (so \(({\sf label}_{j}, pw_{j})=({\sf label}, pw)\)), B computes \(C_{j} \leftarrow {\sf Enc}_{pk}({\sf label}_{j}, 0)\), outputs \(({\sf label}_{j},C_{j},pw_{j})\), and receives h _i,j . It then chooses \(g_{1,j}, \ldots, g_{i-1,j} \leftarrow {\mathbb{G}}\), and gives to \(\mathcal{A}\) the values \(g_{1,j}, \ldots, g_{i-1,j}, h_{i,j},\allowbreak H_{k_{i+1}}({\sf label}_{j}, C_{j}, pw_{j}), \ldots,H_{k_{\ell}}({\sf label}_{j}, C_{j}, pw_{j})\). Note that B can compute these latter values since it knows k _i+1,…,k _ℓ .

   3. (c)

      For the kth such query where k>j, we have B compute \(C_{k} \leftarrow {\sf Enc}_{pk}({\sf label},\allowbreak pw)\) and give to \(\mathcal{A}\) the ciphertext C _k along with \(H_{k_{1}}({\sf label}, C_{k}, pw), \ldots,\allowbreak H_{k_{\ell}}({\sf label}, C_{k}, pw)\). Note that B can compute \(H_{k_{i}}({\sf label}, C_{k}, pw)\), even though it does not know k _i , because of the fact that \(({\sf label}, C_{k}, pw) \in L_{pw}\) and B knows the randomness used to compute C _k .

   B answers any decryption queries of \(\mathcal{A}\) using sk.

Note that pw _j ≠0 (since \(0 \not \in [D]\)), and so \(({\sf label}_{j}, C_{j}, pw_{j}) \in X \setminus L\). The view of \(\mathcal{A}\) is distributed according to \({\textsf{real}}'_{i,j}\) if \(h_{i,j} = H_{k_{i}}({\sf label}_{j}, C_{j}, pw_{j})\), and according to \({\textsf{rand}}'_{i,j}\) if h _i,j is chosen uniformly from \({\mathbb{G}}\). It follows from Equation (1) that \({\textsf{real}}'_{i,j}\) and \({\textsf{rand}}'_{i,j}\) are statistically close. □

3 A Framework for One-Round PAKE Protocols

Our protocol uses a CCA-secure labeled public-key encryption scheme \(({\sf Gen}, {\sf Enc}, {\sf Dec})\), and a smooth projective hash function as described in Sect. 2.2.

Public parameters

The public parameters consist of a public key pk generated by \({\sf Gen}(1^{n})\). No one need know or store the associated secret key. (For the specific instantiations given in Sect. 4, a public key can be derived from a common random string.) Let \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}: X \rightarrow {\mathbb{G}}\}_{k \in K}, S, \alpha: K \rightarrow S)\) be a smooth projective hash function for pk.

Protocol execution

Consider an execution of the protocol between users U and U′≠U holding a shared password pw. Our protocol is symmetric, and so we describe the execution from the point of view of U; see also Fig. 1.

Fig. 1.

A one-round protocol for password-based authenticated key exchange.

First, U chooses random hash key k←K and computes s:=α(k). It then sets \({\sf label}:= (U, U', s)\) and computes the ciphertext \(C \leftarrow {\sf Enc}_{pk}({\sf label}, pw)\). It sends the message (s,C).

Upon receiving the message (s′,C′), user U does the following. If C′ is not a valid ciphertext or \(s' \not \in S\), then U simply rejects. Otherwise, U sets \({\sf label}':= (U', U, s')\) and computes

$${\sf sk}_U := H_k\bigl({\sf label}', C', pw\bigr) \cdot H_{k'}({\sf label}, C, pw). $$

U computes \(H_{k}({\sf label}', C', pw)\) using k, and can compute \(H_{k'}({\sf label}, C, pw)\) using s′=α(k′) and the randomness it used to generate C. Correctness follows immediately from the definition of smooth projective hashing.

Theorem 1

If \(({\sf Gen},{\sf Enc},{\sf Dec})\) is a CCA-secure labeled encryption scheme and \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}: X \rightarrow {\mathbb{G}}\}_{k \in K}, S, \alpha: K \rightarrow S)\) is a smooth projective hash function, then the protocol in Fig. 1 is a secure protocol for password-based authenticated key exchange.

Proof

Let Π denote the protocol in Fig. 1, and fix a polynomial-time adversary \(\mathcal{A}\) attacking Π. We construct a sequence of experiments \({\sf Expt}_{0}, \ldots, {\sf Expt}_{5}\), with the original experiment corresponding to \({\sf Expt}_{0}\). Let \({\sf Adv}_{\mathcal{A},i}(n)\) denote the advantage of \(\mathcal{A}\) in experiment \({\sf Expt}_{i}\). To prove the desired bound on \({\sf Adv}_{\mathcal{A},\varPi}(n) = {\sf Adv}_{\mathcal{A},0}(n)\), we bound the effect of each change in the experiment on the advantage of \(\mathcal{A}\), and then show that \({\sf Adv}_{\mathcal{A},5}(n) \leq Q(n)/D\) (where, recall, Q(n) denotes the number of on-line attacks made by \(\mathcal{A}\), and D denotes the dictionary size).

Experiment Expt ₁

Here we change the way Execute queries are answered. Specifically, the ciphertexts C,C′ sent by the two parties U,U′ are computed as encryptions of 0 instead of being computed as encryptions of the correct password pw _U,U′. (Recall that the space of legal passwords is {1,…,D}, and so 0 is never a valid password.) The (common) session key is computed as

$${\textsf{sk}}_U := {\textsf{sk}}_{U'} := H_k\bigl( {\sf label}', C', pw\bigr) \cdot H_{k'}({\sf label}, C, pw), $$

where both values are computed using the (known) keys k,k′. A proof of the following is immediate from semantic security of \(({\sf Gen}, {\sf Enc}, {\sf Dec})\):

Claim 1

\(\vert {\textsf {Adv}}_{\mathcal{A},{0}}(n) - {\textsf {Adv}}_{\mathcal{A},{1}}(n)\vert \) is negligible.

Experiment Expt ₂

Here, we again change the way Execute queries are answered. Now, the (common) session key sk _U =sk _U′ is chosen uniformly from \({\mathbb{G}}\).

Claim 2

\(\vert {\textsf {Adv}}_{\mathcal{A},{1}}(n) - {\textsf {Adv}}_{\mathcal{A},{2}}(n)\vert \) is negligible.

Proof

The claim follows from the properties of the smooth projective hash function. Consider a single call to the Execute oracle (in either \({\sf Expt}_{1}\) or \({\sf Expt}_{2}\)), where the transcript given to the adversary is (s,C,s′,C′) with \(C \leftarrow {\sf Enc}_{pk}({\sf label}, 0)\) and \(C' \leftarrow {\sf Enc}_{pk}({\sf label}', 0)\). In \({\sf Expt}_{1}\) the session keys are computed as

$${\textsf{sk}}_U := {\textsf{sk}}_{U'} := H_k\bigl( {\sf label}', C', pw\bigr) \cdot H_{k'}({\sf label}, C, pw), $$

where pw=pw _U,U′ is the password shared by U and U′. Since \(({\sf label}', C', pw)\) is not in L, it follows (cf. Eq. (1)) that \((s, H_{k}({\sf label}', C', pw))\) is statistically close to (s,g), where g is uniform in \({\mathbb{G}}\). This means that, in \({\sf Expt}_{1}\), sk _U =sk _U′ is statistically close to uniform in \({\mathbb{G}}\), even conditioned on the given transcript. Since this is how sk _U ,sk _U′ are chosen in \({\sf Expt}_{2}\), the claim follows. □

Before continuing, we distinguish between two possible types of Send oracle queries. We let Send ₀(U,i,U′) denote a “prompt” query that causes instance \(\varPi_{U}^{i}\) of user U to initiate the protocol with user U′. In response to a Send ₀ query, the adversary is given the message sent by U to U′. This query also has the effect of setting \(\mathsf {pid}_{U}^{i}=U'\).

The second type of Send query, \(\mathsf {Send}_{1}(U,i,{\sf msg})\), represents \(\mathcal{A}\) sending the message \({\sf msg}\) to instance \(\varPi_{U}^{i}\). In response, a session key \({\textsf{sk}}_{U}^{i}\) is computed. (Nothing is output in response to this query, but the value of the computed session key affects a subsequent Reveal or Test query for instance \(\varPi_{U}^{i}\).) For a query \(\mathsf {Send}_{1}(U,i,{\sf msg})\) with \(\mathsf {pid}_{U}^{i}=U'\), we say a valid \({\sf msg}\) is previously used if it was output by a previous oracle query Send ₀(U′,⋆,U). In any other case, we say a valid \({\sf msg}\) is adversarially generated. (An invalid message is always ignored by the instance that receives it, and so we assume from now on that \(\mathcal{A}\) does not send such messages.)

Experiment Expt ₃

We first modify the experiment so that when the public parameters pk are generated the simulator stores the associated secret key sk. (This is just a syntactic change.) We then modify the way queries to the Send ₁ oracle are handled. Specifically, in response to the query \(\mathsf {Send}_{1}(U, i, {\sf msg})\) where \({\sf msg}= (s', C')\), we distinguish the following three cases (in all the following, let \(\mathsf {pid}_{U}^{i} = U'\), let \({\sf label}' = (U', U, s')\), and let pw=pw _U,U′):

1. 1.

   If \({\sf msg}\) is adversarially generated, then compute \(pw' := {\sf Dec}_{sk}({\sf label}', C')\). Then:

   1. (a)

      If pw′=pw, the simulator declares that \(\mathcal{A}\) succeeds and terminates the experiment.

   2. (b)

      If pw′≠pw, the simulator chooses \({\textsf{sk}}_{U}^{i}\) uniformly from \({\mathbb{G}}\).

2. 2.

   If \({\sf msg}\) is previously used, then in particular the simulator knows a value k′ such that s′=α(k′). The simulator computes \({\textsf{sk}}_{U}^{i} := H_{k}({\sf label}', C', pw) \cdot H_{k'}({\sf label}, C, pw)\), but using k′ to compute \(H_{k'}({\sf label}, C, pw)\) (rather than using the randomness used to generate C, as done in \({\sf Expt}_{2}\)).

Invalid messages are treated as before, and no session key is computed.

Claim 3

\({\textsf {Adv}}_{\mathcal{A},{2}}(n) \leq {\textsf {Adv}}_{\mathcal{A},{3}}(n) + {\sf negl}(n)\).

Proof

Consider the three possible cases described above. The change in Case 1(a) can only increase the advantage of \(\mathcal{A}\). The change in Case 1(b) introduces a negligible statistical difference; the analysis is as in Claim 2, except that we now specifically use the fact that Equation (1) holds even under adaptive choice of \(({\sf label}', C', pw) \not \in L\). The change in Case 2 does not affect the computed value \({\textsf{sk}}_{U}^{i}\) since \(({\sf label}, C, pw) \in L\). □

Experiment Expt ₄

Once again we change how Send ₁ queries are handled. In response to query \(\mathsf {Send}_{1}(U, i, {\sf msg})\) where \({\sf msg}=(s',C')\) is previously used, let \(\mathsf {pid}_{U}^{i}=U'\) and proceed as follows:

• If there exists an instance \(\varPi_{U'}^{j}\) partnered with \(\varPi_{U}^{i}\) (i.e., such that \(\mathsf {sid}_{U'}^{j}\), the transcript of the protocol for instance \(\varPi_{U'}^{j}\), is equal to \(\mathsf {sid}_{U}^{i}\)), then set \({\textsf{sk}}_{U}^{i} := {\textsf{sk}}_{U'}^{j}\).

• Otherwise, choose \({\textsf{sk}}_{U}^{i}\) uniformly from \({\mathbb{G}}\).

Claim 4

\(\vert {\textsf {Adv}}_{\mathcal{A},{3}}(n) - {\textsf {Adv}}_{\mathcal{A},{4}}(n)\vert \) is negligible.

Proof

The proof relies on Lemma 1 (cf. Sect. 2.2) and CCA-security of \(({\sf Gen}, {\sf Enc},\allowbreak {\sf Dec})\). Let ℓ be a polynomial upper bound on the number of Send queries issued by \(\mathcal{A}\), and consider the following adversary \(\mathcal{S}\) interacting in the experiment defined in Lemma 1:

1. 1.

   \(\mathcal{S}\) is given pk and s ₁,…,s _ℓ .

2. 2.

   \(\mathcal{S}\) chooses random passwords pw _U,U′ for all pairs of parties U,U′, and runs \(\mathcal{A}\) on input pk.

3. 3.

   \(\mathcal{S}\) responds to Execute queries as in \({\sf Expt}_{2}\) by generating a transcript where C,C′ are encryptions of 0, and where the (matching) session keys are chosen uniformly at random.

4. 4.

   \(\mathcal{S}\) responds to the ith Send ₀ query Send ₀(U,⋆,U′) as follows: Set \({\sf label}:= (U, U', s_{i})\). Submit \(({\sf label}, pw_{U,U'})\) to the encryption oracle, and receive in return a ciphertext C _i along with values h _1,i ,…,h _ℓ,i . Give to \(\mathcal{A}\) the message (s _i ,C _i ).

5. 5.

   \(\mathcal{S}\) responds to a query \(\mathsf {Send}_{1}(U, j, {\sf msg})\), where \({\sf msg}= (s', C')\), as follows: If there exists an instance \(\varPi_{U'}^{k}\) partnered with \(\varPi_{U}^{j}\), then set \({\textsf{sk}}_{U}^{j} := {\textsf{sk}}_{U'}^{k}\). Otherwise, let \(\mathsf {pid}_{U}^{j}=U'\) and \({\sf label}'=(U',U,s')\), and say the query Send ₀(U,j,U′) (i.e., the Send query that initiated instance \(\varPi_{U}^{j}\)) was the ith Send ₀ query made by \(\mathcal{A}\), and resulted in the response (s _i ,C _i ). We now distinguish several cases based on \({\sf msg}=(s', C')\):

   1. (a)

      If \({\sf msg}\) is previously used, then (by definition) it was output by some previous query Send ₀(U′,⋆,U). Say this was the rth Send ₀ query made by \(\mathcal{A}\), and so \({\sf msg}=(s_{r}, C_{r})\). Then \(\mathcal{S}\) computes \({\textsf{sk}}_{U}^{j}:= h_{i,r} \cdot h_{r,i}\).

   2. (b)

      If \({\sf msg}\) is adversarially generated, then \(\mathcal{S}\) submits \(({\sf label}', C')\) to its decryption oracle and receives in return a value pw. If pw≠pw _U,U′ then \({\textsf{sk}}_{U}^{j}\) is chosen uniformly from \({\mathbb{G}}\). If pw=pw _U,U′ then \(\mathcal{S}\) declares that \(\mathcal{A}\) succeeds and terminates the experiment.

6. 6.

   At the end of the experiment, \(\mathcal{S}\) outputs 1 if and only if \(\mathcal{A}\) succeeds.

Let b be as in the experiment defined in Sect. 2.2. If b=0 then the view of \(\mathcal{A}\) in the above execution with \(\mathcal{S}\) is identical to the view of \(\mathcal{A}\) in \({\sf Expt}_{3}\). This is true since when b=0 it holds in step 5(b), above, that \(h_{i,r} = H_{k_{i}}({\sf label}', C_{r}, pw_{U,U'})\) and \(h_{r,i}=H_{k_{r}}({\sf label}, C_{i}, pw_{U,U'})\), where s _i =α(k _i ), s _r =α(k _r ), and C _i ,C _r are encryptions of pw _U,U′.

On the other hand, when b=1 the view of \(\mathcal{A}\) in the above execution with \(\mathcal{S}\) is identical to the view of \(\mathcal{A}\) in \({\sf Expt}_{4}\). To see this, recall that when b=1 all the values {h _i,j } received by \(\mathcal{S}\) are chosen uniformly and independently from \({\mathbb{G}}\). We need to show that this yields a uniform and independent distribution on all the session keys computed in step 5(b). Consider a particular session key \(sk_{U}^{j}\) computed as in step 5(b). The only other time the value h _i,r could be used in the experiment is if \(\mathcal{A}\) queries Send ₁(U′,⋆,(s _i ,C _i )) to the instance \(\varPi_{U'}^{\star}\) which sent (s _r ,C _r ). But then \(\varPi_{U'}^{\star}\) and \(\varPi_{U}^{j}\) are partnered, and so the session key \({\textsf{sk}}^{\star}_{U'}\) will be set equal to \({\textsf{sk}}_{U}^{j}\) (as in \({\sf Expt}_{4}\)). Since h _i,r is random and used only once to compute a session key in step 5(b), we conclude that (when b=1) any session keys computed in that step are independently uniform in \({\mathbb{G}}\).

The claim follows from Lemma 1. □

Experiment Expt ₅

Here, we change how Send ₀ queries are handled. Now, in response to a query Send ₀(U,i,U′), we compute s as usual but let C be an encryption of 0. The following claim is immediate from CCA-security of \(({\sf Gen}, {\sf Enc}, {\sf Dec})\).

Claim 5

\(\vert {\textsf {Adv}}_{\mathcal{A},{4}}(n) - {\textsf {Adv}}_{\mathcal{A},{5}}(n)\vert \) is negligible.

In \({\sf Expt}_{5}\), the view of \(\mathcal{A}\) is independent of any of the user’s passwords until it sends an adversarially generated message that corresponds to an encryption of the correct password (at which point \(\mathcal{A}\) succeeds). It therefore holds that \({\textsf {Adv}}_{\mathcal{A},{5}}(n) \leq Q(n)/D\). Claims 1–5 thus imply that \({\textsf {Adv}}_{\mathcal{A},{0}}(n) \leq Q(n)/D + {\sf negl}(n)\), completing the proof of the theorem. □

4 Instantiating the Building Blocks

We now discuss two possible instantiations of the building blocks required by the protocol of Sect. 3.

• Our first instantiation is based on the decisional Diffie–Hellman (DDH) assumption and (generic) simulation-sound NIZK proofs [40]; see Sect. A.2 for a definition. (This instantiation could also be based on the quadratic residuosity assumption or the Paillier assumption, as in Ref. [22]. We omit further details.)

• Our second, more efficient instantiation is based on the decisional linear assumption [10] in groups with a bilinear map, and a specific simulation-sound NIZK proof system.

4.1 A Construction Based on the DDH Assumption

We first describe an encryption scheme and then the associated smooth projective hash function.

A CCA-secure encryption scheme

We construct a CCA-secure encryption scheme by applying the Naor–Yung/Sahai paradigm [37, 40] to the El Gamal encryption scheme. Briefly, the public key defines a group \({\mathbb{G}}\) of prime order p along with generators \(g_{1}, h_{1}, g_{2}, h_{2} \in {\mathbb{G}}\). The public key also contains a common random string crs for a (one-time) simulation-sound NIZK proof system [40].

Fixing \({\mathbb{G}}\), let ElGamal _g,h (m) denote an El Gamal encryption of \(m \in {\mathbb{G}}\) with respect to (g,h); namely, ElGamal _g,h (m) outputs (g ^r,h ^r⋅m), where r∈ℤ _p is chosen uniformly at random. (We assume passwords can be represented as elements of \({\mathbb{G}}\).) To encrypt a message \(m \in {\mathbb{G}}\) in our CCA-secure scheme, the sender outputs the ciphertext

$$\bigl({\textsf{ElGamal}}_{g_1, h_1}(m), {\textsf{ElGamal}}_{g_2, h_2}(m), \pi \bigr), $$

where π is a simulation-sound NIZK proof that the same m is encrypted in both cases. Labels can be incorporated by including the label in the proof π; we omit the standard details.

Decryption of the ciphertext (c ₁,d ₁,c ₂,d ₂,π) rejects if \(c_{1}, d_{1}, c_{2}, d_{2} \not \in {\mathbb{G}}\) or if the proof π is invalid. (Note that the space of valid label/ciphertext pairs is efficiently recognizable without the secret key.) If the ciphertext is valid, then one of the two component ciphertexts is decrypted and the resulting message is output. The results of Sahai [40] show that this yields a CCA-secure (labeled) encryption scheme based on the DDH assumption and simulation-sound NIZK.

A smooth projective hash function

Fix a group \({\mathbb{G}}\) and a public key pk=(g ₁,h ₁,g ₂,h ₂,crs) as above, and define sets X and {L _pw } as in Sect. 2.2. Define a smooth projective hash function as follows. The set of keys K consists of all four-tuples of elements in ℤ _p . Given a valid label/ciphertext pair (\({\sf label}\), C=(c ₁,d ₁,c ₂,d ₂,π)) and key k=(x ₁,y ₁,x ₂,y ₂), the hash function is defined as

$$H_{(x_1,y_1,x_2,y_2)} \bigl({\sf label}, (c_1,d_1,c_2,d_2, \pi), pw \bigr) = c_1^{x_1}\cdot (d_1/pw )^{y_1} \cdot c_2^{x_2}\cdot (d_2/pw )^{y_2}. $$

(Thus, the range of H is the group \({\mathbb{G}}\).) The projection function α is defined as

$$\alpha(x_1, y_1, x_2, y_2) = \bigl(g_1^{x_1} \cdot h_1^{y_1},\; g_2^{x_2} \cdot h_2^{y_2} \bigr). $$

Lemma 2

\((K,{\mathbb{G}},\mathcal{H}= \{H_{k}\}_{k \in K}, S, \alpha)\) as defined above is a smooth projective hash function for the hard subset-membership problem (X,{L _pw }).

Proof

Sampling a uniform k∈K, computing H _k (x) given k∈K and x∈X, and computing α(k) for k∈K are all easy.

We now show that if \(({\sf label}, C, pw) \in L\), then \(H_{k}({\sf label}, C, pw)\) can be computed efficiently given α(k) and the randomness used to generate C. Since \(({\sf label},C,pw) \in L\), we have that

$$C = (c_1,d_1,c_2,d_2,\pi) = \bigl(g_1^{r_1}, \;\; h_1^{r_1} \cdot pw, \;\; g_2^{r_2}, \;\; h_2^{r_2} \cdot pw, \;\; \pi\bigr) $$

for some r ₁,r ₂∈ℤ _p . For k=(x ₁,y ₁,x ₂,y ₂) we have

This can be computed easily given r ₁,r ₂ and \(\alpha(k) = (g_{1}^{x_{1}}h_{1}^{y_{1}}, \allowbreak g_{2}^{x_{2}}h_{2}^{y_{2}} )\).

Next, we show that if \(({\sf label}, C, pw) \in X \setminus L\), then the value of \(H_{k}({\sf label}, C, pw)\) is uniform conditioned on α(k). (This holds even if \(({\sf label}, C, pw)\) are chosen adaptively depending on α(k).) Fix any α(k)=(s ₁,s ₂). This constrains k=(x ₁,y ₁,x ₂,y ₂) to satisfy

(2)

(3)

where the above are modulo the group order p. For any \(({\sf label},C,pw) \in X \setminus L\), we can write \(C = (g_{1}^{r_{1}}, h_{1}^{r_{1}} \cdot pw', g_{2}^{r_{2}}, h_{2}^{r_{2}} \cdot pw', \pi)\) for some pw′≠pw. (We assume for simplicity that the same pw′ is encrypted twice; since π is valid, this is the case with all but negligible probability.) Then:

for some \(r'_{1} \neq r_{1}\) and \(r'_{2} \neq r_{2}\). So, for any \(g \in {\mathbb{G}}\), we have \(H_{k}({\sf label},C,pw)=g\) iff

$$r_1 \cdot x_1 + \bigl(r'_1 \cdot \log_{g_1} h_1\bigr) \cdot y_1 + (r_2 \cdot \log_{g_1} g_2) \cdot x_2 + \bigl(r'_2 \cdot \log_{g_1} h_2\bigr) \cdot y_2 = \log_{g_1} g. $$

Since this equation in the unknowns x ₁,y ₁,x ₂,y ₂ is linearly independent of Equations (2) and (3), we see that the probability that \(H_{k}({\sf label},C,pw)=g\) is exactly \(1/|{\mathbb{G}}|\), and so the distribution of \(H_{k}({\sf label},C,pw)\) is uniform in \({\mathbb{G}}\). □

4.2 A Construction Based on the Decisional Linear Assumption

We now present a more efficient construction based on bilinear maps. The efficiency advantage is obtained by using a specific simulation-sound NIZK proof system, constructed using techniques adapted from Refs. [13, 28]. Our construction here relies on the decisional linear assumption as introduced by Boneh et al. [10]; we refer the reader there for a precise statement of the assumption.

A CPA-secure encryption scheme

We start by describing a semantically secure encryption scheme, due to Boneh et al. [10], based on the decisional linear assumption; we then convert this into a CCA-secure encryption scheme via the same paradigm as above, but using an efficient simulation-sound NIZK proof system. The bilinear map is used only in the construction of the simulation-sound NIZK.

Fix groups \({\mathbb{G}}, {\mathbb{G}}_{T}\) of prime order p, and a bilinear map \(e: {\mathbb{G}}\times {\mathbb{G}}\rightarrow {\mathbb{G}}_{T}\). The public key is \(pk = (f, g,h) \in {\mathbb{G}}^{3}\), and the secret key is (α,β) such that f=h ^1/α and g=h ^1/β. A message \(m \in {\mathbb{G}}\) is encrypted by choosing random r,s∈ℤ _p and computing the ciphertext (f ^r,g ^s,h ^r+s⋅m). Given a ciphertext (c ₁,c ₂,c ₃), we can recover m as \(c_{3}/c_{1}^{\alpha}c_{2}^{\beta}\).

A simulation-sound NIZK proof of plaintext equality

We can construct a (one-time) simulation-sound NIZK proof of plaintext equality for the encryption scheme described above using the techniques of Refs. [13, 28]. Details of the construction (which, while not entirely straightforward, are not the focus of this work) are given in Appendix B.

A CCA-secure encryption scheme

We obtain a CCA-secure encryption scheme by using the Naor–Yung/Sahai paradigm, as described previously. (The following discussion relies on the results of Appendix B.) The public key consists of group elements (f ₁,g ₁,f ₂,g ₂,h) used for encryption, in addition to any group elements needed for the CRS of the simulation-sound NIZK proof. Encryption of m, as described in Appendix B, is done by choosing r ₁,s ₁,r ₂,s ₂∈ℤ _p and computing the ciphertext

$$\bigl(f_1^{r_1}, \; g_1^{s_1}, \; h^{r_1+s_1} \cdot m, \; f_2^{r_2}, \; g_2^{s_2}, \; h^{r_2+s_2} \cdot m, \; \pi\bigr), $$

where π denotes a simulation-sound NIZK proof that the same m was encrypted both times. (Once again, the space of valid label/ciphertext pairs is efficiently recognizable without the secret key.) It follows from Refs. [37, 40] that this yields a CCA-secure scheme under the decisional linear assumption. Ciphertexts consist of 66 group elements altogether (see Appendix B).

A smooth projective hash function

(Similar constructions were given in Refs. [30, 41].) Fix \({\mathbb{G}}, {\mathbb{G}}_{T}\), and a public-key pk=(f ₁,g ₁,f ₂,g ₂,h) as above, and define sets X and {L _pw } as in Sect. 2.2. We define a smooth projective hash function as follows. The set of keys K is the set of six-tuples of elements in ℤ _p . Given a valid label/ciphertext pair \(({\sf label}, C = (c_{1},d_{1},e_{1},c_{2},d_{2},e_{2},\pi))\) and a key \(k=(x_{1},y_{1},z_{1},x_{2},y_{2},z_{2}) \in {\mathbb{Z}}_{p}^{6}\), the hash function is defined as

$$H_{(x_1,y_1,z_1,x_2,y_2,z_2)}({\sf label}, C, pw) = c_1^{x_1}\cdot d_1^{y_1} \cdot (e_1/pw )^{z_1} \cdot c_2^{x_2}\cdot d_2^{y_2} \cdot (e_2/pw )^{z_2}. $$

(The range of H is \({\mathbb{G}}\) itself.) The projection function \(\alpha: K \rightarrow {\mathbb{G}}^{4}\) is defined as

$$\alpha(x_1,y_1,z_1,x_2,y_2,z_2) = \bigl(f_1^{x_1}h^{z_1}, \; g_1^{y_1}h^{z_1}, \; f_2^{x_2}h^{z_2}, \; g_2^{y_2}h^{z_2} \bigr). $$

Lemma 3

\((K,{\mathbb{G}},\mathcal{H}= \{H_{k}\}_{k \in K}, S, \alpha)\) as defined above is a smooth projective hash function for the hard subset-membership problem (X,{L _pw }).

Proof

Sampling a uniform k∈K, computing H _k (x) given k∈K and x∈X, and computing α(k) for k∈K are all easy.

We show that if \(({\sf label}, C, pw) \in L\), then \(H_{k}({\sf label}, C, pw)\) can be computed efficiently given α(k) and the randomness used to generate C. Since \(({\sf label},C,pw) \in L\), we have

$$C = (c_1,d_1,e_1,c_2,d_2,e_2, \pi) = \bigl(f_1^{r_1}, \; g_1^{s_1}, \; h^{r_1+s_1} \cdot pw, \; f_2^{r_2}, \; g_2^{s_2}, \; h^{r_2+s_2} \cdot pw, \; \pi \bigr) $$

for some r ₁,s ₁,r ₂,s ₂∈ℤ _p . For a hash key k=(x ₁,y ₁,z ₁,x ₂,y ₂,z ₂) we have

This can be computed easily given r ₁,s ₁,r ₂,s ₂ and \(\alpha(k) = (f_{1}^{x_{1}}h^{z_{1}}, \; g_{1}^{y_{1}}h^{z_{1}}, \; f_{2}^{x_{2}}h^{z_{2}}, \allowbreak g_{2}^{y_{2}}h^{z_{2}} )\).

Next, we show that if \(({\sf label}, C, pw) \in X \setminus L\), then the value of \(H_{k}({\sf label}, C, pw)\) is uniform conditioned on α(k). (This holds even if \(({\sf label}, C, pw)\) are chosen adaptively depending on α(k).) Fix any α(k)=(S ₁,S ₂,S ₃,S ₄). Letting α _i =log _h f _i and β _i =log _h g _i , this value of α(k) constrains k=(x ₁,y ₁,z ₁,x ₂,y ₂,z ₂) to satisfy

(4)

where γ _i =log _h S _i . For any \(({\sf label}, C, pw) \in X \setminus L\), we can write

$$C=\bigl(f_1^{r_1}, g_1^{s_1}, h^{r_1+s_1} \cdot pw', f_2^{r_2}, g_2^{s_2}, h^{r_2+s_2} \cdot pw', \pi \bigr) $$

for some pw′≠pw. (We assume for simplicity that the same pw′ is encrypted twice; since π is valid, this is the case with all but negligible probability. The proof holds even when this is not the case.) We then have

(5)

where pw′/pw≠1. For any \(g \in {\mathbb{G}}\), we have \((pw'/pw)^{z_{1}+z_{2}} = g\) iff

(6)

Since Eq. (6) is linearly independent of the system of equations given by (4), the probability that \((pw'/pw)^{z_{1}+z_{2}} = g\) is exactly \(1/|{\mathbb{G}}|\) even conditioned on the value α(k). Looking at Eq. (5), and noting that \(S_{1}^{r_{1}} S_{2}^{s_{1}} S_{3}^{r_{2}} S_{4}^{s_{2}}\) is entirely determined by α(k) and C, we conclude that the distribution of \(H_{k}({\sf label},C,pw)\) is uniform in \({\mathbb{G}}\). □

5 A One-Round, Universally Composable PAKE Protocol

Canetti et al. [16] gave a definition of security for password-based authenticated key exchange in the universal composability (UC) framework [14]. Their definition guarantees a strong, simulation-based notion of security that, in particular, guarantees that security is maintained even when the protocol is run concurrently with arbitrary other protocols. For the specific case of password-based key exchange, the definition also has the advantage of automatically handling arbitrary (efficiently sampleable) distributions on passwords, and even correlations between passwords of different users. We refer to Canetti et al. [16] for a more complete discussion.

A brief review of the UC framework and the password-based key-exchange functionality \({\mathcal {F}}_{\mathsf {pwKE}}\) are given in Appendix C. We let \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\) denote the multi-session extension of \({\mathcal {F}}_{\mathsf {pwKE}}\).

5.1 Overview of the Construction

We do not know how to prove that the protocol from Sect. 3 is universally composable. The main difficulty is that the definition of PAKE in the UC framework requires simulation even if the adversary guesses the correct password. (In contrast, in the proof of security in Sect. 3 we simply “give up” in case this ever occurs.) To see the problem more clearly, consider what happens in the UC setting when the simulator sends the first message of the protocol to the adversary, before the simulator knows the correct password. The simulator must send some ciphertext C as part of the first message, and this commits the simulator to some password pw. When the adversary sends the reply, the simulator can extract the adversary’s “password guess” pw′ and submit this guess to the ideal functionality. If this turns out to be the correct password, however, the simulator is stuck: it needs to compute a session key that matches the session key the adversary would compute, but the simulator is (information-theoretically!)unable to do so because it sent an incorrect ciphertext in the first message.

In prior work [16], the issue above was resolved by having one party send a “pre-commitment” to the password, and then run a regular PAKE protocol and give a proof that the password being used in the protocol is the same as the password to which it “pre-committed.” (The proof is set up in such a way that the simulator can equivocate this proof, but the adversary cannot.) This requires at least one additional round.

We take a different approach that does not affect the round complexity at all. Roughly, we modify the protocol from Fig. 1 by having each party include as part of its message an encryption C ₁ of its hash key k, along with a proof that C ₁ encrypts a value k for which α(k)=s. Now, even if the simulator is wrong in its guess of the password it will still be able to compute a session key by extracting this hash key from the adversary’s message. A full description of the protocol is given in the following section.

While we do not describe in detail any instantiation of the components, we remark that it should be possible to use the same techniques as in Appendix B to construct (reasonably) efficient realizations of the necessary components using bilinear maps. We leave this for future work.

5.2 Description of the Protocol

In addition to the building blocks used in Sect. 3, here we also rely on an unbounded simulation-sound [18] NIZK proof system \((\mathsf {CRSGen}, \mathcal{P}, \mathcal{V})\) for a language L ^∗ defined below; refer to Sect. A.2 for definitions.

Public parameters

The public parameters consist of two public keys pk ₁,pk ₂ generated by \({\sf Gen}(1^{n})\) and a common random string crs for the simulation-sound NIZK proof system. Let \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}\}_{k \in K}, S, \alpha: K \rightarrow S)\) be a smooth projective hash function for pk ₂.

Protocol execution

Consider an execution of the protocol between users U and U′≠U holding a shared password pw and a common session identifier sid. (The sid is an artifact of the UC framework, and it is guaranteed that (1) parties communicating with each other begin holding matching sids, and (2) each sid is used only once. Existence of these sids is not essential to our proof of security, though it does make the proof somewhat simpler.) Our protocol is symmetric, and so we describe the execution from the point of view of U; see Fig. 2.

Fig. 2.

A universally composable protocol for password-based authenticated key exchange.

First, U chooses a random hash key k←K and computes s:=α(k). It then computes an encryption of k, namely \(C_{1} \gets {\sf Enc}_{pk_{1}}(k)\). Define a language L ^∗ as follows:

$$L^* \stackrel{{\rm def}}{=}\bigl\{(s, C_1): \exists k \in K \mbox{ and } \omega \ \mbox{s.t.}\ s = \alpha(k) \mbox{ and } C_1 = {\sf Enc}_{pk_1}(k; \omega) \bigr\}. $$

U computes an NIZK proof π that (C ₁,s)∈L ^∗, using crs. It then sets \({\sf label}:= (\mathsf {sid}, U, U', s, C_{1}, \pi)\) and computes the ciphertext \(C_{2} \leftarrow {\sf Enc}_{pk_{2}}({\sf label}, pw)\). The message it sends is (s,C ₁,π,C ₂).

Upon receiving the message \((s', C_{1}', \pi', C'_{2})\), user U does the following. If the message is invalid (i.e., if verification of π′ fails, or \(C'_{2}\) is not a valid ciphertext, or \(s' \not \in S\)), then U simply rejects. Otherwise, U sets \({\sf label}':= (\mathsf {sid}, U', U, s', C'_{1}, \pi')\) and computes \({\sf sk}_{U} := H_{k}({\sf label}', C'_{2}, pw) \cdot H_{k'}({\sf label}, C_{2}, pw)\). Note that U can compute \(H_{k}({\sf label}', C'_{2}, pw)\) since it knows k, and can compute \(H_{k'}({\sf label}, C_{2}, pw)\) using s′=α(k′) and the randomness used to generate C ₂. Correctness follows from the definition of smooth projective hashing.

Theorem 2

If \(({\sf Gen},{\sf Enc},{\sf Dec})\) is CCA-secure, \((\mathsf {CRSGen}, \mathcal{P}, \mathcal{V})\) is an unbounded simulation-sound NIZK proof system, and \((K, {\mathbb{G}}, \mathcal{H}= \{H_{k}\}_{k \in K}, S, \alpha)\) is a smooth projective hash function, then the protocol in Fig. 2 securely realizes \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\) under static corruptions in the \(\mathcal{F}_{{\textsf{crs}}}\)-hybrid model.

Proof

Let \(\mathcal{A}\) be an adversary that interacts with the parties running the protocol. We construct an ideal-world adversary (i.e., simulator) \(\mathcal{S}\) interacting with the ideal functionality \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\), such that no ppt environment \(\mathcal{Z}\) can distinguish an interaction with \(\mathcal{A}\) in the real world from an interaction with \(\mathcal{S}\) in the ideal world.

\(\mathcal{S}\) starts by invoking a copy of \(\mathcal{A}\) and running a simulated interaction of \(\mathcal{A}\) with \(\mathcal{Z}\) and the parties in the network. \(\mathcal{S}\) forwards all messages to/from \(\mathcal{A}\) and \(\mathcal{Z}\) in the usual way.

Generating the public parameters

\(\mathcal{S}\) generates pk ₁ and pk ₂ along with their corresponding secret keys sk ₁ and sk ₂. It also runs \(({\textsf{crs}}, \tau) \gets \mathcal{S}_{1}(1^{k})\), where \(\mathcal{S}_{1}\) is the initial simulator for the simulation-sound NIZK proof system. The public parameters (pk ₁,pk ₂,crs) are given to \(\mathcal{A}\), and then \(\mathcal{S}\) responds to the messages of \(\mathcal{A}\) as described below.

Receiving a (NewSession,sid,P _i ,P _j ) message from \(\hat{\mathcal{F}}_{\mathsf{pwKE}}\)

Upon receiving such a message (indicating that P _i should initiate the protocol with P _j ), \(\mathcal{S}\) proceeds as follows. Choose a random hash key k←K and compute s:=α(k). Compute the ciphertext \(C_{1} \gets {\sf Enc}_{pk_{1}}(0)\) and a simulated NIZK proof π for the statement (C ₁,s)∈L ^∗. Set \({\sf label}:= (\mathsf {sid}, P_{i}, P_{j}, s, C_{1}, \pi)\) and compute \(C_{2} \gets {\sf Enc}_{pk_{2}}({\sf label}, 0)\). Give the message (s,C ₁,π,C ₂) to \(\mathcal{A}\).

Receiving a message \({\sf msg}'=(s',C_{1}',\pi',C_{2}')\) from \(\mathcal{A}\)

Let P _i denote the (uncorrupted) user to whom \(\mathcal{A}\) sends this message, and let sid denote the session ID with which this message is associated. Let P _j denote the partner of P _i for this session.

If \({\sf msg}'\) is invalid then \(\mathcal{S}\) does nothing. Otherwise, we say \({\sf msg}'\) is previously used if it was sent by \(\mathcal{S}\) (on behalf of P _j ) upon receiving the message (NewSession,sid,P _j ,P _i ) from \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\). In any other case we say \({\sf msg}'\) is adversarially generated. To respond to this message, \(\mathcal{S}\) does:

1. 1.

   If \({\sf msg}'\) is previously used, then \(\mathcal{S}\) sends (NewKey,sid,P _i ,⊥) to the functionality \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\). (This has the effect of choosing a random session key for this instance of P _i if it terminates before the partnered session at P _j , or if the passwords used by these instances of P _i and P _j differ, and otherwise setting the session key for this instance of P _i equal to the session key already computed for the partnered instance of P _j ; cf. Sect. C.1.1.)

2. 2.

   If \({\sf msg}'\) is adversarially generated, then \(\mathcal{S}\) decrypts the ciphertext \(C_{2}'\) using the secret key sk ₂ to obtain a password pw′. Then \(\mathcal{S}\) queries the functionality \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\) on input (TestPwd,sid,P _i ,pw′), which replies with either “correct guess” or “wrong guess.”

   1. (a)

      If the reply is “correct guess,” then \(\mathcal{S}\) decrypts \(C'_{1}\) using sk ₁ to obtain k′. It then computes \({\textsf{sk}}:= H_{k}({\sf label}', C'_{2},pw') \cdot H_{k'}({\sf label}, C_{2}, pw')\), where \(H_{k'}({\sf label}, C_{2}, pw')\) is computed using k′. Finally, \(\mathcal{S}\) sends (NewKey,sid,P _i ,sk) to \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\).

   2. (b)

      If the reply is “wrong guess,” then \(\mathcal{S}\) sends (NewKey,sid,P _i ,⊥) to \({\hat{{\mathcal{F}}}_{\mathsf{pwKE}}}\).

Let \(\mbox{\textsc{ideal}}_{{\hat{{\mathcal{F}}}_{\mathsf{pwKE}}},\mathcal{S},\mathcal{Z}}\) denote the view of the environment \(\mathcal{Z}\) in the ideal world when interacting with \(\mathcal{S}\), and let \(\mbox{\textsc{exec}}_{\varPi,\mathcal{A},\mathcal{Z}}\) denote the view of \(\mathcal{Z}\) in the real world when the protocol from Fig. 2 is being run. Our aim is to show that these distributions are computationally indistinguishable. We do this by considering a sequence of experiments \({\sf Expt}_{1}, \ldots, {\sf Expt}_{5}\) (where \({\sf Expt}_{0}\) corresponds to the real-world execution). Let \(\mbox{\sc exec}_{i,\mathcal{A},\mathcal{Z}}\) denote the view of \(\mathcal{Z}\) in \({\sf Expt}_{i}\). We show that \(\mbox{\sc exec}_{i,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\sc exec}_{i+1,\mathcal{A},\mathcal{Z}}\) for all i (where this denotes computational indistinguishability), and then argue that \(\mbox{\sc exec}_{5,\mathcal{A},\mathcal{Z}}\) is identical to \(\mbox{\textsc{ideal}}_{{\hat{{\mathcal{F}}}_{\mathsf{pwKE}}},\mathcal{S},\mathcal{Z}}\). This completes the proof.

Experiment Expt ₀

Recall, this experiment involves the environment \(\mathcal{Z}\) interacting with the adversary \(\mathcal{A}\), who in turn interacts with parties running the real protocol as specified in Fig. 2. The view of \(\mathcal{Z}\) consists of the public parameters and all the protocol messages (forwarded to it by \(\mathcal{A}\)) as well as all the session keys produced by parties during the course of the experiment.

Experiment Expt ₁

We change the distribution of the public parameters and the messages generated by the parties in the protocol. Specifically, the common random string crs is replaced with a simulated one, and the proof π in every outgoing message is replaced with a simulated proof. It follows from the zero-knowledge properties of the proof system that \(\mbox{\textsc{exec}}_{1,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{0,\mathcal{A},\mathcal{Z}}\).

Experiment Expt ₂

Here, we again change the distribution of the outgoing messages by always computing the ciphertext C ₁ as an encryption of 0 (rather than an encryption of the hash key k). It follows immediately from semantic security of \(({\sf Gen},{\sf Enc},{\sf Dec})\) that \(\mbox{\textsc{exec}}_{2,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{1,\mathcal{A},\mathcal{Z}}\).

Before continuing, we define the notion of a previously used message. Note that the definition here is slightly different from the definition used in the proof of Theorem 1.

Consider a valid \({\sf msg}'=(s', C'_{1}, \pi', C'_{2})\) sent to an instance of (uncorrupted user) P _i who is using session ID sid and is partnered with P _j . We say \({\sf msg}'\) is previously used if it was sent by an instance of the (uncorrupted user) P _j that is using the same session ID sid, and is partnered with P _i . We say a previously used \({\sf msg}'\) is associated with pw if pw is the password that was used by the instance of P _j that sent \({\sf msg}'\). If \({\sf msg}'\) is not previously used, we say it is adversarially generated.

Experiment Expt ₃

We change the way session keys are computed. Specifically, consider an instance of user P _i , with session ID sid and partner P _j , who receives an incoming message \({\sf msg}'=(s', C'_{1}, \pi', C'_{2})\). If \({\sf msg}'\) is invalid, then it is handled as before (and no session key is computed). Otherwise, set \({\sf label}'=(\mathsf {sid}, P_{j}, P_{i}, s', C'_{1}, \pi')\) and let pw be the password being used by the current instance of P _i . There are several sub-cases:

1. 1.

   If \({\sf msg}'\) is adversarially generated, compute \(pw' := {\sf Dec}_{sk_{2}}({\sf label}', C'_{2})\). Then:

   1. (a)

      If pw′=pw, compute \(k' := {\sf Dec}_{sk_{1}}(C_{1})\). Then compute \({\textsf{sk}}:= H_{k}({\sf label}', C'_{2},\allowbreak pw) \cdot H_{k'}({\sf label}, C_{2}, pw)\), using k′ to compute the second hash value.

   2. (a)

      If pw′≠pw, choose sk uniformly from \({\mathbb{G}}\).

2. 2.

   If \({\sf msg}'\) is previously used, then the simulator knows the password pw′ associated with \({\sf msg}'\), and also knows a value k′ such that s′=α(k′). Then:

   1. (a)

      If pw′=pw, compute \({\textsf{sk}}:= H_{k}({\sf label}', C'_{2}, pw) \cdot H_{k'}({\sf label}, C_{2}, pw)\), using k′ to compute the second hash value (rather than using the randomness used to generate C ₂, as in \({\sf Expt}_{2}\)).

   2. (b)

      If pw′≠pw, choose sk uniformly from \({\mathbb{G}}\).

Claim 6

\(\mbox{\textsc{exec}}_{3,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{2,\mathcal{A},\mathcal{Z}}\).

Proof

This follows from simulation soundness of \((\mathsf {CRSGen}, \mathcal{P}, \mathcal{V})\). The proof is similar to that of Claim 3, though there are some differences due to the particularities of the UC setting. Imagine first that only the changes in Case 1(b) and 2(b) are made. These changes introduce a negligible statistical difference between \({\sf Expt}_{3}\) and \({\sf Expt}_{2}\), exactly as in Claim 3 (though note that Case 2(b) cannot occur in the context of the previous claim since parties are assumed to always use matching passwords there).

Consider next the change in Case 1(a). Since the proof system is simulation-sound, with all but negligible probability \(\mathcal{S}\) extracts a value k′ such that α(k′)=s′; assuming this occurs, the session key computed in \({\sf Expt}_{3}\) is identical to the session key that would have been computed in \({\sf Expt}_{2}\). The same holds (always) in Case 2(a). □

Experiment Expt ₄

Here, in every outgoing message the ciphertext C ₂ is generated as an encryption of 0, rather than as an encryption of pw. It follows readily from the CCA-security of the encryption scheme used that \(\mbox{\textsc{exec}}_{4,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{3,\mathcal{A},\mathcal{Z}}\).

Experiment Expt ₅

We once again change the way session keys are computed. Consider an instance of user P _i , with session ID sid, partner P _j , and using password pw, who receives an incoming message \({\sf msg}'=(s', C'_{1}, \pi', C'_{2})\) that is previously used and is associated with pw. Then:

• If the corresponding partnered instance of P _j has already computed a session key sk, then set the session key of the current instance of P _i equal to sk.

• Otherwise, choose the session key for the current instance of P _i uniformly from \({\mathbb{G}}\).

Claim 7

\(\mbox{\textsc{exec}}_{5,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{4,\mathcal{A},\mathcal{Z}}\).

Proof

Since \({\sf msg}'\) is previously used, the ciphertext \(C_{2}'\) is an encryption of 0. Thus \(({\sf label}', C_{2}', pw)\) is not in L, and it follows (cf. Equation (1)) that \((s, H_{k}({\sf label}', C_{2}', pw))\) is statistically close to (s,g), where s=α(k) and g is a uniform element in \({\mathbb{G}}\). This means that the secret key is statistically close to a uniform element in \({\mathbb{G}}\), even conditioned on the given transcript. The claim follows. □

The distribution \(\mbox{\textsc{exec}}_{5,\mathcal{A},\mathcal{Z}}\) is identical to the distribution produced by the simulator, namely \(\mbox{\textsc{ideal}}_{{\hat{{\mathcal{F}}}_{\mathsf{pwKE}}},\mathcal{S},\mathcal{Z}}\). This follows by inspection. Indeed, the only difference is a syntactic one: in experiment \({\sf Expt}_{5}\) the session keys are computed and stored locally by the simulator, whereas in the ideal world the functionality computes the session keys and sends them to the (dummy) parties.

The above shows that \(\mbox{\textsc{exec}}_{\varPi,\mathcal{A},\mathcal{Z}}\equiv \mbox{\textsc{exec}}_{0,\mathcal{A},\mathcal{Z}}\approx _{c}\mbox{\textsc{exec}}_{5,\mathcal{A},\mathcal{Z}}\equiv \mbox{\textsc{ideal}}_{{\hat{{\mathcal{F}}}_{\mathsf{pwKE}}},\mathcal{S},\mathcal{Z}}\), completing the proof of the theorem. □

Appendices

Appendix A. Additional Definitions

1.1 A.1 Labeled CCA-Secure Encryption

We use the standard notion of chosen-ciphertext security for public-key encryption, though adapted to support the inclusion of labels when generating ciphertexts.

Definition 2

A public-key encryption scheme supporting labels is a tuple of ppt algorithms (\({\sf Gen}\), \({\sf Enc}\), \({\sf Dec}\)) such that:

• The key-generation algorithm \({\sf Gen}\) takes as input a security parameter 1ⁿ and returns a public key pk and a secret key sk.

• The encryption algorithm \({\sf Enc}\) takes as input a public key pk, a label \({\sf label}\), and a message m. It returns a ciphertext \(C \leftarrow {\sf Enc}_{pk}({\sf label}, m)\).

• The decryption algorithm \({\sf Dec}\) takes as input a secret key sk, a label \({\sf label}\), and a ciphertext C. It returns a message m or a distinguished symbol ⊥. We write this as \(m = \mathcal{D}_{sk}({\sf label}, C)\).

We require that for all pk,sk output by gen(1ⁿ), any \({\sf label}\in \{0,1\}^{*}\), all m in the (implicit) message space, and any C output by \({\sf Enc}_{pk}({\sf label}, m)\) we have \({\sf Dec}_{sk}({\sf label}, C) = m\).

Our definition of security against chosen-ciphertext attacks is standard except for our inclusion of labels. Define a left-or-right encryption oracle \({\sf Enc}_{pk, b}(\cdot, \cdot, \cdot)\) (where b∈{0,1}) as follows:

$${\sf Enc}_{pk, b}({\sf label}, m_0, m_1) \stackrel{{\rm def}}{=}{\sf Enc}_{pk}({\sf label}, m_b). $$

Definition 3

A public-key encryption scheme \(({\sf Gen}, {\sf Enc}, {\sf Dec})\) is secure against adaptive chosen-ciphertext attacks (CCA-secure) if the following is negligible for all ppt algorithms \(\mathcal{A}\):

$$\bigl \vert 2 \cdot \Pr\bigl[(pk, sk) \leftarrow {\sf Gen}\bigl(1^n \bigr) ; b \leftarrow \{0,1\}: \mathcal{A}^{{\sf Enc}_{pk,b}(\cdot, \cdot, \cdot), {\sf Dec}_{sk}(\cdot, \cdot)}\bigl(1^n, pk\bigr) = b \bigr] - 1 \bigr \vert , $$

where \(\mathcal{A}\)’s queries are restricted as follows: if \(\mathcal{A}\) makes a query \({\sf Enc}_{pk,b}({\sf label}, m_{0}, m_{1})\) then |m ₀|=|m ₁|; furthermore, if \(\mathcal{A}\) receives ciphertext C in response to this query, then \(\mathcal{A}\) cannot later query \({\sf Dec}_{sk}({\sf label}, C)\) (but it is allowed to query (\({\sf Dec}_{sk}({\sf label}', C)\) with \({\sf label}' \neq {\sf label}\)).

1.2 A.2 Simulation-Sound Non-Interactive Zero Knowledge (NIZK)

Simulation-sound NIZK was introduced in Refs. [18, 40]. Intuitively, a simulation-sound NIZK proof system is a NIZK proof system with the extra property that a polynomially bounded cheating prover is incapable of convincing the verifier of a false statement, even after seeing any number of simulated proofs of her choosing. We first recall the notion of (adaptive) NIZK:

Definition 4

[8, 9, 20]

A tuple of ppt algorithms \(\varPi=(\mathsf {CRSGen},\mathcal{P},\mathcal{V},\mathcal{S}_{1},\mathcal{S}_{2})\) is an efficient NIZK proof system for a language \(L\in {\mathcal {NP}}\) with witness relation R if the following hold:

• Completeness: For all n, all x∈L∩{0,1}ⁿ, all w such that R(x,w)=1, and all strings σ←CRSGen(1ⁿ), it holds that \(\mathcal{V}_{\sigma}(x,\mathcal{P}_{\sigma}(x,w))=1\).

• Adaptive Soundness: For all adversaries \(\mathcal{A}\), the following is negligible (in n):

  $$\Pr\bigl[\sigma \leftarrow \mathsf {CRSGen}\bigl(1^n\bigr) ; (x,\pi) \leftarrow \mathcal{A}(\sigma) : V_\sigma(x,\pi)=1 \wedge \pi \not \in L\bigr]. $$

• Adaptive Zero Knowledge: For all ppt adversaries \(\mathcal{A}\), the following is negligible:

  $$\bigl|\Pr\bigl[{\sf Expt}_{\mathcal{A}}(n)=1\bigr]-\Pr\bigl[{\sf Expt}^{Sim}_{\mathcal{A}}(n)=1\bigr] \bigr|, $$

  where experiment \({\sf Expt}_{\mathcal{A}}(n)\) is defined as:

  

  and experiment \({\sf Expt}^{Sim}_{\mathcal{A}}(n)\) is defined as:

  

  where \(S'_{\sigma,\tau}(x,w)= \left\{ \begin{array}{l@{\quad }l} \mathcal{S}_{2}(x,\sigma,\tau) & R(x,w)=1 \wedge x \in \{0,1\}^{n} \\ \perp & \mbox{otherwise} \end{array}\right. \).

We next define the notion of simulation-sound NIZK. (Note that although one-time simulation soundness would suffice for our applications in Sect. 4, we only define the stronger notion of unbounded simulation-sound NIZK. See [40] for a definition of the former.)

Definition 5

Let \(\varPi=(\mathsf {CRSGen},\mathcal{P},\mathcal{V},\mathcal{S}_{1},\mathcal{S}_{2})\) be an efficient NIZK proof system for a language \(L\in {\mathcal {NP}}\). We say Π is simulation sound if for all ppt adversaries \(\mathcal{A}\) it holds that \(\Pr[{\sf Expt}_{\mathcal{A},\varPi}(n)=1]\) is negligible, where \({\sf Expt}_{\mathcal{A},\varPi}(n)\) denotes the following experiment:

Assuming the existence of doubly enhanced trapdoor permutations, every language in \({\mathcal {NP}}\) has a simulation-sound NIZK proof system [18].

Appendix B. A Simulation-Sound NIZK Proof of Plaintext Equality

Fix groups \({\mathbb{G}}, {\mathbb{G}}_{T}\) of prime order p, and a bilinear map \(e: {\mathbb{G}}\times {\mathbb{G}}\rightarrow {\mathbb{G}}_{T}\) as in Sect. 4.2. Fix also two public keys pk ₁=(f ₁,g ₁,h) and pk ₂=(f ₂,g ₂,h). We encrypt a message m with respect to pk ₁ by choosing random r,s and computing the ciphertext \((f_{1}^{r}, g_{1}^{s}, h^{r+s} \cdot m)\). We encrypt a message m with respect to pk ₂ by choosing random r,s∈ℤ _p and computing the ciphertext \((f_{2}^{r}, g_{2}^{s}, h^{r+s} \cdot m)\). We stress that the public keys use the same value h.

We first describe a (potentially malleable) NIZK proof of plaintext equality. That is, given two ciphertexts (F ₁,G ₁,H ₁) and (F ₂,G ₂,H ₂) encrypted with respect to pk ₁,pk ₂, respectively, we describe a proof that these ciphertexts encrypt the same message. The observation is that plaintext equality is equivalent to the existence of r ₁,s ₁,r ₂,s ₂∈ℤ _p such that:

(B.1)

(B.2)

(B.3)

(B.4)

(B.5)

As shown in Ref. [28] (see also [13, Sect. 4.4] for a self-contained description), NIZK proofs of satisfiability (with a CRS) can be constructed for a system of equations as above; since, in our case, we have 5 linear equations in 4 variables, proofs would contain 22 group elements.³

Camenisch et al. [13] show a construction of an unbounded simulation-sound NIZK proof system. For our purposes in Sect. 3, a simpler construction that is one-time simulation sound [40] suffices. Let \(({\sf Gen}, \mathsf {Sign}, {\textsf{Vrfy}})\) be a one-time signature scheme, where for simplicity we assume verification keys are elements of \({\mathbb{G}}\) (this can always be achieved using an extra step of hashing). To make the above (one-time) simulation-sound, we add to the CRS group elements (f,g,h,F,G,H). Roughly, proofs of plaintext equality now contain:

1. 1.

   A fresh signature verification key vk.

2. 2.

   A proof that either there exists a satisfying assignment to Eqs. (B.1)–(B.5), or that the given tuple (f,g,h,F,G,H) is an encryption of vk, i.e., that there exist r,s such that:

   

   (B.6)
3. 3.

   A signature σ (with respect to vk) on the proof from the previous step.

Equation (B.6) describes a system of 3 linear equations in 2 variables. Using the techniques from Ref. [13, Appendix A.2], an NIZK proof as required in step 2 can be obtained using 58 group elements. (In detail: Applying the OR-transformation from Ref. [13, Appendix A.2.2] to the two systems of equations given by Eqs. (B.1)–(B.5) and Eq. (B.6), respectively, we obtain one system of 8 linear equations and one quadratic equation in 7 variables. Applying the transformation from Ref. [13, Appendix A.2.1], we get a system of 11 linear equations in 11 variables, plus 3 extra group elements that need to be sent. From Ref. [13, Sect. 4.4] we see that an NIZK proof for the former can be done using 55 group elements.) This gives a total of 60 group elements for the entire simulation-sound NIZK proof (assuming signatures are one group element for simplicity). See also footnote 3.

Appendix C. Universally Composable Password-Based Key Exchange

3.1 C.1 The Universal Composability Framework

We provide a brief review of the universally composable security framework [14]. The framework allows for defining the security properties of cryptographic tasks so that security is maintained under general composition with an unbounded number of instances of arbitrary protocols running concurrently. In the UC framework, the security requirements of a given task are captured by specifying an ideal functionality run by a “trusted party” that obtains the inputs of the participants and provides them with the desired outputs. Informally, then, a protocol securely carries out a given task if running the protocol in the presence of a real-world adversary amounts to “emulating” the desired ideal functionality.

The notion of emulation in the UC framework is considerably stronger than that considered in previous models. As usual, the real-world model includes the parties running the protocol and an adversary \(\mathcal{A}\) who controls their communication and potentially corrupts parties, while the ideal-world includes a simulator \(\mathcal{S}\) who interacts with an ideal functionality \(\mathcal{F}\) and also with dummy players who simply send input to/receive output from \(\mathcal{F}\); “emulating an ideal process” requires that for any adversary \(\mathcal{A}\) there should exist a simulator \(\mathcal{S}\) that causes the outputs of the parties in the ideal process to have a “similar” (i.e., computationally-indistinguishable) distribution to the outputs of the parties in a real-world execution of the protocol. In the UC framework, the requirement on \(\mathcal{S}\) is more stringent than this. Specifically, there is also an additional entity called the environment \(\mathcal{Z}\). This environment generates the inputs to all parties, observes all their outputs, and interacts with the adversary in an arbitrary way throughout the computation. A protocol π is said to securely realize an ideal functionality \(\mathcal{F}\) if for any real-world adversary \(\mathcal{A}\) that interacts with \(\mathcal{Z}\) and real players running π, there exists an ideal-world simulator \(\mathcal{S}\) that interacts with \(\mathcal{Z}\), the ideal functionality \(\mathcal{F}\), and the “dummy” players communicating with \(\mathcal{F}\), such that no poly-time environment \(\mathcal{Z}\) can distinguish whether it is interacting with \(\mathcal{A}\) (in the real world) or \(\mathcal{S}\) (in the ideal world). \(\mathcal{Z}\) thus serves as an “interactive distinguisher” between a real-world execution of the protocol π and an ideal execution of functionality \(\mathcal{F}\). A key point is that \(\mathcal{Z}\) cannot be re-wound by \(\mathcal{S}\); in other words, \(\mathcal{S}\) must provide a so-called “straight-line” simulation.

The following universal composition theorem is proven in Ref. [14]. Consider a protocol π that operates in the \(\mathcal{F}\)-hybrid model, where parties can communicate as usual and in addition have ideal access to an unbounded number of copies of the functionality \(\mathcal{F}\). Let ρ be a protocol that securely realizes \(\mathcal{F}\) as sketched above, and let π ^ρ be identical to π with the exception that the interaction with each copy of \(\mathcal{F}\) is replaced with an interaction with a separate instance of ρ. Then, π and π ^ρ have essentially the same input/output behavior. In particular, if π securely realizes some functionality \(\mathcal{G}\) in the \(\mathcal{F}\)-hybrid model then π ^ρ securely realizes \(\mathcal{G}\) in the standard model (i.e., without access to any functionality).

3.1.1 C.1.1 Universally-Composable Password-Based Key Exchange

In Fig. C.1 we present the functionality \({\mathcal {F}}_{\mathsf {pwKE}}\) for password-based key exchange, taken directly from Canetti et al. [16]. We refer the reader to their work for extensive discussion regarding the particular choices made regarding this formulation of this functionality.

Fig. C.1.

The password-based key-exchange functionality \({\mathcal {F}}_{\mathsf {pwKE}}\).