Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords
There has been much interest in password-authenticated key exchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks, in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3,10,22].
Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, their work only proves that solutions are possible “in principle”. The main question left open by their work was finding an efficient solution to this fundamental problem.
We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than “standard” Diffie-Hellman key exchange (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a “random oracle” assumption.
Keywords: Signature Scheme, Random Oracle, Mutual Authentication, Dictionary Attack, Decryption Oracle
- 1. M. Bellare, A. Boldyreva, and S. Micali. Public-Key Encryption in a Multi-User Setting: Security Proofs and Improvements. Eurocrypt 2000.
- 2. M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. STOC '98.
- 3. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Eurocrypt 2000.
- 4. M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. Crypto '93.
- 5. M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. ACM CCCS '93.
- 6. M. Bellare and P. Rogaway. Provably Secure Session Key Distribution: the Three Party Case. STOC '95.
- 7. S. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks. IEEE Symposium on Security and Privacy, 1992.
- 8. D. Boneh. The Decision Diffie-Hellman Problem. Proceedings of the Third Algorithmic Number Theory Symposium, 1998.
- 9. M. Boyarsky. Public-Key Cryptography and Password Protocols: The Multi-User Case. ACM CCCS '99.
- 10. V. Boyko, P. MacKenzie, and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Eurocrypt 2000.
- 11. V. Boyko. On All-or-Nothing Transforms and Password-Authenticated Key Exchange Protocols. PhD Thesis, MIT, Department of Electrical Engineering and Computer Science, Cambridge, MA, 2000.
- 12. R. Canetti, O. Goldreich, and S. Halevi. The Random Oracle Methodology, Revisited. STOC '98.
- 13. R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. Crypto '98.
- 15. S. Even, O. Goldreich, and S. Micali. On-Line/Off-Line Digital Signatures. Crypto '89.
- 16. O. Goldreich. On the Foundations of Modern Cryptography. Crypto '97.
- 17. O. Goldreich and Y. Lindell. Session-Key Generation using Human Passwords Only. Personal Communication and Crypto 2000 Rump Session. Available at http://eprint.iacr.org/2000/057
- 18. O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game, or a Completeness Theorem for Protocols with an Honest Majority. STOC '87.
- 21. S. Lucks. Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys. Proceedings of the Workshop on Security Protocols, 1997.
- 22. P. MacKenzie, S. Patel, and R. Swaminathan. Password-Authenticated Key Exchange Based on RSA. Asiacrypt 2000.
- 23. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. STOC '89.
- 24. G. Poupard and J. Stern. Security Analysis of a Practical “on the fly” Authentication and Signature Generation. Eurocrypt '98.
- 25. G. Poupard and J. Stern. On the Fly Signatures Based on Factoring. ACM CCCS '99.
- 26. J. Rompel. One-Way Functions are Necessary and Sufficient for Secure Signatures. STOC '90.
- 28. V. Shoup. On Formal Models for Secure Key Exchange. Available at http://philby.ucsd.edu/cryptolib.