Provably Secure Threshold Password-Authenticated Key Exchange

Extended Abstract
  • Mario Di Raimondo
  • Rosario Gennaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


We present two protocols for threshold password-authenticated key exchange. In this model, the password is not stored on a single authenticating server but is instead shared among a set of n servers, so that an adversary can learn the password only by breaking into t+1 of them. The protocols require n > 3t servers.

The goal is to protect the password against attackers who break into the authenticating server and steal password information. All known centralized password-authentication schemes are susceptible to such an attack.

Ours are the first protocols that are provably secure in the standard model (i.e. no random oracles are used in the proof of security). Moreover, our protocols are reasonably efficient and implementable in practice. In particular, a design goal was to avoid costly zero-knowledge proofs, keeping interaction to a minimum.
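The threshold sharing of the password described above, as an added illustration that is not from the paper (the paper's two protocols are not reproduced here): Shamir sharing of the password over a prime field with the n > 3t parameter check, recovery from any t+1 shares, and a function showing that an attacker holding only t shares can fit every candidate password to them, so a dictionary attack gains nothing until a (t+1)th server is compromised. The field modulus and the sample passwords are constructed values.

```python
import secrets

P = 2**127 - 1  # prime field modulus; constructed parameter, not from the paper

def check_params(n, t):
    """The paper's protocols require n > 3t servers (so in particular n >= t+1)."""
    if t < 0 or n <= 3 * t:
        raise ValueError("need n > 3t servers")

def eval_poly(coeffs, x, p=P):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def share_password(password, n, t, p=P):
    """Split the password (read as a field element) into n shares; any t+1 recover it."""
    check_params(n, t)
    secret = int.from_bytes(password, "big")
    if secret >= p:
        raise ValueError("password too long for the field")
    # random degree-t polynomial f with f(0) = password; server i holds the share f(i)
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]

def interpolate(points, x, p=P):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the given (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def recover_password(shares, p=P):
    """Any t+1 shares determine f(0), i.e. the password."""
    s = interpolate(shares, 0, p)
    return s.to_bytes((s.bit_length() + 7) // 8, "big")

def share_implied_by_guess(t_shares, guess, server_x, p=P):
    """An attacker holding only t shares can fit ANY guessed password to them: this
    returns the value server_x would have to hold for `guess` to be correct. Distinct
    guesses imply distinct values, so t shares neither confirm nor rule out a guess."""
    points = [(0, int.from_bytes(guess, "big"))] + list(t_shares)
    return interpolate(points, server_x, p)
```

With n = 7 and t = 2, any three shares recover the password, while two shares plus any guess always yield some consistent value for the third server's share.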


Keywords (machine-generated, not supplied by the authors): Secret Sharing, Random Oracle, Dictionary Attack, Password Authentication, Malicious Adversary



Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  1. Mario Di Raimondo, Dipartimento di Matematica e Informatica, Università di Catania, Italy
  2. Rosario Gennaro, IBM T.J. Watson Research Center, USA
