Provably leakage-resilient three-party password-based authenticated key exchange

Abstract

A three-party password-based authenticated key exchange (3PAKE) protocol is an important practical cryptographic primitive in client-client communication environments, where two clients can generate a shared secure session key from their human-memorable passwords with a server's help. Many 3PAKE protocols have been proposed, but they are secure only in the traditional model, where no leakage attacks exist. In Mobile Internet, wireless network and sensor network environments, 3PAKE systems are very vulnerable to side-channel attacks, so it is necessary to design 3PAKE protocols that remain secure in leakage environments. However, no previous work formalizes a security model for leakage-resilient (LR) 3PAKE or designs LR 3PAKE protocols. In this paper, we first define a continuous after-the-fact LR eCK-security model for 3PAKE, then propose an LR 3PAKE protocol and present a formal security proof in the standard model.

Acknowledgements

The work was supported by the Natural Science Foundation of Hubei Province of China (No. 2017CFB596) and the Green Industry Technology Leading Project of Hubei University of Technology (No. ZZTS2017006).

Author information

Corresponding author

Correspondence to Ou Ruan.

About this article

Cite this article

Ruan, O., Wang, Q. & Wang, Z. Provably leakage-resilient three-party password-based authenticated key exchange. J Ambient Intell Human Comput 10, 163–173 (2019). https://doi.org/10.1007/s12652-017-0628-8

Keywords

  • Leakage-resilience
  • Password-based authenticated key exchange
  • Three-party setting
  • Provable security