Separating Symmetric and Asymmetric Password-Authenticated Key Exchange
- 236 Downloads
Separating symmetric and asymmetric PAKE. We prove that a strong assumption like a programmable random oracle is necessary to achieve security of asymmetric PAKE in the Universal Composability (UC) framework. For symmetric PAKE, programmability is not required. Our results also rule out the existence of UC-secure asymmetric PAKE in the CRS model.
Revising the security definition. We identify and close some gaps in the UC security definition of 2-party asymmetric PAKE given by Gentry, MacKenzie and Ramzan (Crypto 2006). For this, we specify a natural corruption model for server compromise attacks. We further remove an undesirable weakness that lets parties wrongly believe in security of compromised session keys. We demonstrate usefulness by proving that the \(\varOmega \)-method proposed by Gentry et al. satisfies our new security notion for asymmetric PAKE. To our knowledge, this is the first formal security proof of the \(\varOmega \)-method in the literature.
Composable multi-party asymmetric PAKE. We showcase how our revisited security notion for 2-party asymmetric PAKE can be used to obtain asymmetric PAKE protocols in the multi-user setting and discuss important aspects for implementing such a protocol.
KeywordsAsymmetric password-authenticated key exchange Universal Composability
The author would like to thank Jiayu Xu, Dennis Hofheinz, David Pointcheval and Victor Shoup for helpful discussions. Discussion with Victor on how to resolve issues with session identifiers for the multi-user setting were particularly instructing.
- 2.Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Symposium on Security and Privacy, pp. 72–84. IEEE Computer Society Press, May 1992Google Scholar
- 3.Benhamouda, F., Pointcheval, D.: Verifier-based password-authenticated key exchange: new models and constructions. IACR Cryptology ePrint Archive 2013/833 (2013)Google Scholar
- 6.Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001Google Scholar
- 7.Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, revised version 2020–02-11 (2020). https://eprint.iacr.org/2000/067
- 8.Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOC, pp. 209–218. ACM Press, May 1998Google Scholar
- 13.Haase, B., Labrique, B.: AuCPace: efficient verifier-based PAKE protocol tailored for the IIoT. IACR Cryptology ePrint Archive 2018/286 (2018)Google Scholar
- 14.Hesse, J.: Separating standard and asymmetric password-authenticated key exchange. IACR Cryptology ePrint Archive 2019/1064 (2019)Google Scholar
- 16.Jutla, C.S., Roy, A.: Smooth NIZK arguments with applications to asymmetric UC-PAKE. IACR Cryptology ePrint Archive 2016/233 (2016)Google Scholar
- 20.Pointcheval, D., Wang, G.: VTBPEKE: verifier-based two-basis password exponential key exchange. In: Karri, R., Sinanoglu, O., Sadeghi, A.-R., Yi, X. (eds.) Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, Abu Dhabi, United Arab Emirates, 2–6 April 2017, pp. 301–312. ACM (2017)Google Scholar
- 21.Shoup, V.: Security analysis of SPAKE2+. IACR Cryptology ePrint Archive 2020/313 (2020)Google Scholar