Threshold Password-Authenticated Key Exchange

Extended Abstract
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user’s password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.
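The abstract contrasts a single stored verifier (enough for an offline dictionary attack once the server is compromised) with threshold authentication, where fewer than the threshold of servers yield nothing usable. The following is an added illustrative model, not the paper's protocol: it uses plain Shamir secret sharing over a prime field to show the stated property. The field modulus, the SHA-256 password-to-secret mapping, the salt and the five-word dictionary are all constructed assumptions for the demonstration; the paper's actual DDH-based construction is not reproduced here.

```python
"""Threshold vs. single-server password verification data (illustrative model).

Added example, not code from the paper: Shamir (t, n) sharing of a
password-derived secret, used to show that t-1 shares cannot be used to
test password guesses offline, whereas a single stored verifier can.
"""
import hashlib
import secrets

P = (1 << 127) - 1  # prime field modulus (a Mersenne prime); constructed choice


def password_to_secret(password: str, salt: bytes) -> int:
    """Single-server style verification data: a one-way function of password and salt."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def interpolate(points, x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through points (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def make_shares(secret: int, n: int, t: int):
    """Shamir (t, n): server i receives f(i) for a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, t: int) -> int:
    """Recover the secret from any t shares; fewer do not determine f(0)."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    return interpolate(shares[:t], 0)


def guess_consistent(known_shares, candidate_secret: int, t: int) -> bool:
    """Can the holder of known_shares rule out candidate_secret?

    With t or more shares the secret is determined, so a guess is checked exactly.
    With fewer than t shares there is always a degree-(t-1) polynomial through the
    known points and (0, candidate_secret); we build it and confirm it fits the
    known shares, so the result is True for every candidate: the shares provide
    no way to test a guess.
    """
    if len(known_shares) >= t:
        return reconstruct(known_shares, t) == candidate_secret
    pts = [(0, candidate_secret)] + list(known_shares)
    return all(interpolate(pts, x) == y for x, y in known_shares)


def surviving_candidates(known_shares, salt: bytes, dictionary, t: int):
    """Dictionary entries that the holder of known_shares cannot exclude."""
    return [pw for pw in dictionary
            if guess_consistent(known_shares, password_to_secret(pw, salt), t)]


def demo():
    """Constructed scenario: one real password among a five-word dictionary."""
    salt = b"constructed-salt"
    dictionary = ["password", "letmein", "hunter2", "correct horse", "qwerty"]
    real = "hunter2"
    secret = password_to_secret(real, salt)
    n, t = 3, 2
    shares = make_shares(secret, n, t)
    return {
        # a single server storing the verifier is the degenerate (1, 1) case
        "single_server": surviving_candidates(make_shares(secret, 1, 1), salt, dictionary, 1),
        # compromise of t-1 servers: every dictionary entry remains consistent
        "below_threshold": surviving_candidates(shares[:t - 1], salt, dictionary, t),
        # compromise of t servers: the guess can be confirmed offline
        "at_threshold": surviving_candidates(shares[:t], salt, dictionary, t),
    }


if __name__ == "__main__":
    for case, survivors in demo().items():
        print(f"{case}: {survivors}")
```

The three cases in `demo()` are the abstract's argument in miniature: the single verifier and the threshold set of shares both collapse the dictionary to the real password, while the below-threshold set leaves all candidates equally consistent, which is exactly the information-theoretic guarantee Shamir sharing gives and the property the paper's system is designed to preserve against a network attacker.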



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  1. Bell Laboratories, Lucent Technologies, Murray Hill, USA
  2. Dept. of Electrical and Computer Engineering, UC Davis, Davis, USA
  3. RSA Laboratories, RSA Security, Inc., Bedford, USA
