Session-Key Generation Using Human Passwords Only

  • Oded Goldreich
  • Yehuda Lindell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form “is w the password of Party A”. We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.


Random Oracle Message Authentication Code Polynomial Evaluation Concurrent Execution Protocol Execution 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    D. Beaver. Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Fault Minority. Journal of Cryptology, Vol. 4, pages 75–122, 1991.zbMATHCrossRefGoogle Scholar
  2. 2.
    M. Bellare, D. Pointcheval and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. In EuroCrypt 2000, Springer-Verlag (LNCS 1807), pages 139–155, 2000.CrossRefGoogle Scholar
  3. 3.
    M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In 1st Conf. on Computer and Communications Security, ACM, pages 62–73, 1993.Google Scholar
  4. 4.
    M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. In CRYPTO’93, Springer-Verlag (LNCS 773), pages 232–249, 1994.Google Scholar
  5. 5.
    S. M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the ACM/IEEE Symposium on Research in Security and Privacy, pages 72–84, 1992.Google Scholar
  6. 6.
    S. M. Bellovin and M. Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. In Proceedings of the 1st ACM Conference on Computer and Communication Security, pages 244–250, 1993.Google Scholar
  7. 7.
    M. Blum. Coin Flipping by Phone. IEEE Spring COMPCOM, pages 133–137, February 1982.Google Scholar
  8. 8.
    M. Blum and S. Goldwasser. An Efficient Probabilistic Public-Key Encryption Scheme which hides all partial information. In CRYPTO’84, Springer-Verlag (LNCS 196), pages 289–302.Google Scholar
  9. 9.
    M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SICOMP, Vol. 13, pages 850–864, 1984. Preliminary version in 23rd FOCS, 1982.zbMATHMathSciNetGoogle Scholar
  10. 10.
    M. Boyarsky. Public-key Cryptography and Password Protocols: The Multi-User Case. In Proceedings of the 6th ACM Conference on Computer and Communication Security, 1999.Google Scholar
  11. 11.
    V. Boyko, P. MacKenzie and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In Euro Crypt 2000, Springer-Verlag (LNCS 1807), pages 156–171, 2000.CrossRefGoogle Scholar
  12. 12.
    R. Canetti. Security and Composition of Multi-party Cryptographic Protocols. Journal of Cryptology, Vol. 13, No. 1, pages 143–202, 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    R. Canetti. A unified framework for analyzing security of protocols. Cryptology ePrint Archive, Report No. 2000/067, 2000. Available from
  14. 14.
    R. Canetti, O. Goldreich, and S. Halevi. The Random Oracle Methodology, Revisited. In Proc. of the 30th STOC, pages 209–218, 1998.Google Scholar
  15. 15.
    W. Diffie, and M.E. Hellman. New Directions in Cryptography. IEEE Trans, on Info. Theory, IT-22 (Nov. 1976), pages 644–654.Google Scholar
  16. 16.
    D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. SIAM Journal on Computing, January 2000.Google Scholar
  17. 17.
    U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.Google Scholar
  18. 18.
    O. Goldreich. Secure Multi-Party Computation. Manuscript. Preliminary version, 1998. Available from
  19. 19.
    O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions. JACM, Vol. 33, No. 4, pages 792–807, 1986.CrossRefMathSciNetGoogle Scholar
  20. 20.
    O. Goldreich and A. Kahan. How To Construct Constant-Round Zero-Knowledge Proof Systems for NP. Journal of Cryptology, Vol. 9, pages 167–189, 1996.zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game-A Completeness Theorem for Protocols with Honest Majority. In 19th STOC, pages 218–229, 1987. For details see [18].Google Scholar
  22. 22.
    S. Goldwasser and S. Micali. Probabilistic Encryption. JCSS, Vol. 28, No. 2, pages 270–299, 1984.zbMATHMathSciNetGoogle Scholar
  23. 23.
    S. Halevi and H. Krawczyk. Public-Key Cryptography and Password Protocols. In ACM Conference on Computer and Communications Security, 1998.Google Scholar
  24. 24.
    D. P. Jablon. Strong password-only authenticated key exchange. SIGCOMM Comput. Commun. Rev., Vol 26, No. 5, pages 5–26, 1996.CrossRefGoogle Scholar
  25. 25.
    J. Katz, R. Ostrovsky and M. Yung. Practical Password-Authenticated Key Exchange Provably Secure under Standard Assumptions. In Eurocrypt 2001.Google Scholar
  26. 26.
    C. Kaufman, R. Perlman and M. Speciner. Network Security. Prentice Hall, 1997.Google Scholar
  27. 27.
    S. Lucks. Open key exchange: How to defeat dictionary attacks without encrypting public keys. In Proceedings of the Workshop on Security Protocols, Ecole Normale Superieure, 1997.Google Scholar
  28. 28.
    A. Menezes, P. Van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.Google Scholar
  29. 29.
    S. Micali and P. Rogaway. Secure Computation. Unpublished manuscript, 1992. Preliminary version in Crypto’91, Springer-Verlag (LNCS 576), 1991.Google Scholar
  30. 30.
    M. Naor and B. Pinkas. Oblivious Transfer and Polynomial Evaluation. In 31st STOC, pages 245–254, 1999.Google Scholar
  31. 31.
    S. Patel. Number theoretic attacks on secure password schemes. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 236–247, 1997.Google Scholar
  32. 32.
    R. Richardson and J. Kilian. On the Concurrent Composition of Zero-Knowledge Proofs. In EuroCrypt99, pages 415–431.Google Scholar
  33. 33.
    R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. CACM, Vol. 21, Feb. 1978, pages 120–126.Google Scholar
  34. 34.
    M. Steiner, G. Tsudi and M. Waidner. Refinement and extension of encrypted key exchange. ACM SIGOPS Oper. Syst. Rev., Vol. 29, 3, pages 22–30, 1995.CrossRefGoogle Scholar
  35. 35.
    T. Wu. The secure remote password protocol. In 1998 Internet Society Symposium on Network and Distributed System Security, pages 97–111, 1998.Google Scholar
  36. 36.
    A.C. Yao. Theory and Application of Trapdoor Functions. In 23rd FOCS, pages 80–91, 1982.Google Scholar
  37. ss37.
    A.C. Yao. How to Generate and Exchange Secrets. In 27th FOCS, pages 162–167, 1986.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Oded Goldreich
    • 1
  • Yehuda Lindell
    • 1
  1. 1.Department of Computer Science and Applied MathWeizmann Institute of ScienceRehovotIsrael

Personalised recommendations