1 Introduction

Threshold password-authenticated secret sharing (TPASS) protocols consider a scenario [5], inspired by the movie “Memento” in which the main character suffers from short-term memory loss, leads to an interesting cryptographic problem, can a user securely recover his secrets from a set of servers, if all the user can or wants to remember is a single password and all of the servers may be adversarial? In particular, can he protect his previous password when accidentally trying to run the recovery with all-malicious servers? A solution for this problem can act as a natural bridge from human-memorisable passwords to strong keys for cryptographic tasks. Practical applications include secure password managers (where the shared secret is a list of strongly random website passwords) and encrypting data in the cloud (where the shared secret is the encryption key) based on a single master password.

The first TPASS protocol was given by Bagherzandi et al. [1]. It is built on the PKI model, secure under the decisional Diffie-Hellman assumption, using non-interactive zero-knowledge proofs. The basic idea is: The client initially generates an ElGamal public and private key pairs (\(sk,pk=g^{sk}\)) [7] and secret-shares sk among servers using an t-out-of-n secret sharing [15] and outputs public parameters including the public key pk and the encryptions \(E(g^\mathsf {pw},pk)\) and E(spk) of password \(\mathsf {pw}\) and secret s, respectively, under the public key pk. When retrieving the secret from the servers, the client encrypts the password \(\mathsf {pw}'\) he remembers and sends the encryption \(E(g^{\mathsf {pw}'},pk)\) to the servers, each of which computes and returns \(A_i=[E(g^\mathsf {pw},pk)/E(g^{\mathsf {pw}'},pk)]^{t_i}=E(g^{t_i(\mathsf {pw}-\mathsf {pw}')},pk)\). The client then computes \(A=\prod _{i=1}^n A_i\) and sends it to the servers. In the end, t servers cooperate to decrypt \(B=E(s,pk)A=E(sg^{\sum t_i(\mathsf {pw}-\mathsf {pw}')},pk)\) and sends partial decryptions to the client through secure channels, respectively. When \(\mathsf {pw}'=\mathsf {pw}\), the client is able to retrieve the secret s by combining t partial decryptions. This protocol is secure against honest-but-curious adversaries but not malicious adversaries. A protocol against malicious adversaries was also given by Bagherzandi et al. [1] using non-interactive zero-knowledge proofs.

In Bagherzandi et al. protocol, it is easy to see that the client must correctly remember the public key pk and the exact set of servers, as he sends out an encryption of his password attempt \(\mathsf {pw}'\) he remembers. If pk can be tampered with and changed so that the adversary knows the decryption key, then the adversary can decrypt \(\mathsf {pw}'\). Although the protocol actually encrypt \(g^{\mathsf {pw}'}\), the malicious servers can perform an offline dictionary attack on \(g^{\mathsf {pw}'}\) to obtain the password \(\mathsf {pw}'\).

Authenticating to the wrong servers is a common scenario when users are tricked in phishing attacks. To overcome this shortcoming, Camenisch et al. [5] proposed the first t-out-of-n TPASS protocol for any \(n>t\) that does not require trusted, user-specific state information to be carried over from the setup phase. The protocol requires the client to only remember a username and a password, assuming that a PKI is available. If the client misremember his list of servers and tries to retrieve his secret from corrupt servers, the protocol prevents the servers from learning anything about the password or secret, as well as from planting a different secret into the user’s mind than the secret that he stored earlier.

The construction of Camenisch et al. protocol is inspired by Bagherzandi et al. protocol based on a homomorphic threshold encryption scheme, but the crucial difference is that in the retrieval protocol of Camenisch et al., the client never sends out an encryption of his password attempt. Instead, the client derives an encryption of the (randomised) quotient of the password used at setup and the password attempt. The servers then jointly decrypt the quotient and verify whether it yields “1”, indicating that both passwords matched. In case the passwords were not the same, all the servers learn is a random value.

Camenisch et al. protocol, proved to be secure in the UC framework, requires the client to involve in many communication rounds so that it becomes impractical for the client. The client has to do \(5n+15\) exponentiations in \(\mathbb {G}\) for the setup protocol and \(14t+24\) exponentiations in the retrieval protocol. Each server has to perform \(n+18\) and \(7t+28\) exponentiations in these respective protocols.

Our Contribution. We provide a practical t-out-of-n TPASS protocol for any \(n>t\). The basic idea is: The client initially secret-shares a password, a secret and the digest of the secret with n servers, such as t out of the n servers can recover the secret. When retrieving the secret from the servers, the client submits to the servers \(A=g_1^rg_2^{\mathsf {pw}_C}\), where r is randomly chosen and \(\mathsf {pw}_C\) is the password, and then t servers cooperate to generate and return an ElGamal encryption of the secret and an ElGamal encryption of the digest of the secret, both under the public key \(g_1^r\). In the end, the client then decrypts the two ciphertexts and accepts the secret if one decrypted value is another’s digest.

Our protocol is significantly more efficient than Camenisch et al. protocol [5] in terms of communication rounds for the client and computation and communication complexities as well. In our protocol, the client only needs to send a request and receive a response. In addition, the client needs to do 3n evaluations of polynomials of degree \(t-1\) in \(\mathbb {Z}_q\) for the initialization and 7 exponentiations for the retrieval protocol. Each server only needs to do \(t+10\) exponentiations in the retrieval protocol. The computation and communication complexities for the client are independent of the number of the servers n and the threshold t.

We have provided a rigorous proof of security for our protocol in the standard model. Like Camenisch et al. protocol [5], our protocol can protect the password of the client even if he communicates with all-malicious servers by mistake. In addition, it prevents the servers from planting a different secret into the user’s mind than the secret that he stored earlier.

Related Work. A close work related to TPASS is threshold password - authenticated key exchange (TPAKE), which lets the client agree on a fresh session key with each of the servers, but does not allow the client to store and recover a secret. Depending on the desired security properties, one can build a TPASS scheme from a TPAKE scheme by using the agreed-upon session keys to transmit the stored secret shares over secure channels [1].

The first TPAKE protocols, due to Ford and Kaliski [8] and Jablon [9], were not proved secure. The first provably secure TPAKE protocol, a t-out-of-n protocol in a PKI setting, was proposed by MacKenzie et al. [12]. The 1-out-of-2 protocol of Brainard et al. [3] is implemented in EMC’s RSA Distributed Credential Protection [14]. Both protocols either leak the password or allow an offline dictionary attack when the retrieval is performed with corrupt servers. The t-out-of-n TPAKE protocols by Di Raimondo and Gennaro [13] and the 1-out-of-2 protocol by Katz et al. [11] are proved secure in a hybrid password-only/PKI setting, where the user does not know any public keys, but the servers and an intermediate gateway do have a PKI. These protocols actually remain secure when executed with all-corrupt servers, but are restricted to the cases that \(n > 3t\) and \((t, n) = (1, 2)\). Based on identity-based encryption (IBE), an 1-out-of-2 protocol where the client is required to remember the identities of the two servers besides his password, was proposed by Yi et al. [17]. In case that the public parameters for IBE can be tampered and changed by the adversary, the protocol leaks the password.

In addition, the 1-out-of-2 TPASS by Camenisch et al. [4] leaks the password when the client tries to retrieve his secret from a set of all-malicious servers.

2 Definition of Security

In this section, we define the security for TPASS protocol on the basis of the security models for PAKE [2, 10].

Participants, Initialization, Passwords, Secrets. A TPASS protocol involves three kinds of protocol participants: (1) A group of clients (denoted as \(\mathsf {Client}\)), each of which requests TPASS services from t servers on the network; (2) A group of n servers \(\mathsf {S}_1,\mathsf {S}_2,\cdots ,\mathsf {S}_n\) (denoted as \(\mathsf {Server}=\{\mathsf {S}_1,\mathsf {S}_2,\cdots ,\mathsf {S}_n\}\)), which cooperate to provide TPASS services to clients on the network; (3) A gateway (\(\mathsf {GW}\)), which coordinates TPASS. We assume that \(\mathsf {User}=\mathsf {Client}\bigcup \mathsf {Server}\) and \(\mathsf {Client}\bigcap \mathsf {Server}=\emptyset \). When the gateway \(\mathsf {GW}\) coordinates TPASS, it simply forwards messages between a client and t servers.

Prior to any execution of the protocol, we assume that an initialization phase occurs. During initialization, the n servers cooperate to generate public parameters for the protocol, which are available to all participants.

We assume that the client C chooses its password \(\mathsf {pw}_{C}\) independently and uniformly at random from a “dictionary” \(\mathsf {D}=\{\mathsf {pw}_1,\mathsf {pw}_2,\cdots ,\mathsf {pw}_N\}\) of size N, where N is a fixed constant which is independent of any security parameter. The client then secretly shares the password with the n servers such that any t servers can restore the password.

In addition, we assume that the client C chooses its secret \(s_C\) independently and uniformly at random from \(\mathbb {Z}_q^*\), where q is a public parameter. The client then secretly shares the secret with the n servers such that any t servers can recover the secret.

We assume that at least \(n-t+1\) servers are trusted not to collude to determine the password and the secret of the client. The client C needs to remember \(\mathsf {pw}_C\) only to retrieve its secret \(s_C\).

Execution of the Protocol. In the real world, a protocol determines how users behave in response to input from their environments. In the formal model, these inputs are provided by the adversary. Each user is assumed to be able to execute the protocol multiple times (possibly concurrently) with different partners. This is modeled by allowing each user to have unlimited number of instances with which to execute the protocol. We denote instance i of user U as \(U^i\). A given instance may be used only once. The adversary is given oracle access to these different instances. Furthermore, each instance maintains (local) state which is updated during the course of the experiment. In particular, each instance \(U^i\) is associated with the following variables, initialized as \(\mathsf {NULL}\) or \(\mathsf {FALSE}\) (as appropriate) during the initialization phase.

  • \(\mathsf {sid}_U^i\) is a variable containing the session identity for an instance \(U^i\). The session identity is simply a way to keep track of the different executions of a particular user U. Without loss of generality, we simply let this be the (ordered) concatenation of all messages sent and received by instance \(U^i\).

  • \(\mathsf {s}_C^i\) is a variable containing the secret \(s_C\) for a client instance \(C^i\). Retrieval of the secret is, of course, the ultimate goal of the protocol.

  • \(\mathsf {acc}_U^i\) and \(\mathsf {term}_U^i\) are boolean variables denoting whether a given instance \(U^i\) has been accepted or terminated, respectively. Termination means that the given instance has done receiving and sending messages, acceptance indicates successful termination. When an instance \(U^i\) has been accepted, \(\mathsf {sid}_U^i\) is no longer \(\mathsf {NULL}\). When a client instance \(C^i\) has been accepted, \(\mathsf {s}_C^i\) is no longer \(\mathsf {NULL}\).

  • \(\mathsf {state}_U^i\) records any state necessary for execution of the protocol by \(U^i\).

  • \(\mathsf {used}_U^i\) is a boolean variable denoting whether an instance \(U^i\) has begun executing the protocol. This is a formalism which will ensure each instance is used only once.

The adversary \(\mathcal {A}\) is assumed to have complete control over all communications in the network (between the clients and servers, and between servers and servers) and the adversary’s interaction with the users (more specifically, with various instances) is modelled via access to oracles. The state of an instance may be updated during an oracle call, and the oracle’s output may depend upon the relevant instance. The oracle types include:

  • \(\mathsf {Send}(C,i,M)\) – This sends message M to a client instance \(C^i\). Assuming \(\mathsf {term}_C^i=\mathsf {FALSE}\), this instance runs according to the protocol specification, updating state as appropriate. The output of \(C^i\) (i.e., the message sent by the instance) is given to the adversary, who receives the updated values of \(\mathsf {sid}_C^i, \mathsf {acc}_C^i\), and \(\mathsf {term}_C^i\). This oracle call models an active attack to the protocol. If M is empty, this query represents a prompt for C to initiate the protocol.

  • \(\mathsf {Send}(S,j,U,M)\) – This sends message M to a server instance \(S^j\), supposedly from a user U (either a client or a server) or even a set of servers. Assuming \(\mathsf {term}_S^j=\mathsf {FALSE}\), this instance runs according to the protocol specification, updating state as appropriate. The output of \(S^j\) (i.e., the message sent by the instance) is given to the adversary, who receives the updated values of \(\mathsf {sid}_S^j, \mathsf {acc}_S^j\), and \(\mathsf {term}_S^j\). If S is corrupted, the adversary also receives the entire internal state of S. This oracle call also models an active attack to the protocol.

  • \(\mathsf {Execute}(C,i,\mathbb {S})\) – If the client instance \(C^i\) and t server instances, denoted as \(\mathbb {S}\), have not yet been used, this oracle executes the protocol between these instances and outputs the transcript of this execution. This oracle call represents passive eavesdropping of a protocol execution. In addition to the transcript, the adversary receives the values of \(\mathsf {sid}\), \(\mathsf {acc}\), and \(\mathsf {term}\) for client and server instances, at each step of protocol execution. In addition, if any server in \(\mathbb {S}\) is corrupted, the adversary is given the entire internal state of the server.

  • \(\mathsf {Corrupt}(S)\) – This sends the password and secret shares of all clients stored in the server S to the adversary. This oracle models possible compromising of a server due to, for example, hacking into the server.

  • \(\mathsf {Corrupt}(C)\) – This query allows the adversary to learn the password of the client C and then the secret of the client, which models the possibility of subverting a client by, for example, witnessing a user typing in his password, or installing a “Trojan horse” on his machine.

  • \(\mathsf {Test}(C,i)\) – This oracle does not model any real-world capability of the adversary, but is instead used to define security. If \(\mathsf {acc}_C^i=\mathsf {TRUE}\), a random bit b is generated. If \(b=0\), the adversary is given \(s_C^i\), and if \(b=1\) the adversary is given a random number. The adversary is allowed only a single \(\mathsf {Test}\) query, at any time during its execution.

Correctness. To be viable, a TPASS protocol must satisfy the following notion of correctness: If a client instance \(C^i\) and t server instances \(\mathbb {S}\) runs an honest execution of the protocol with no interference from the adversary, then \(\mathsf {acc}_C^i=\mathsf {acc}_S^j=\mathsf {TRUE}\) for any server instance \(S^j\) in \(\mathbb {S}\).

Freshness. To formally define the adversary’s success we need to define a notion of freshness for a secret of a client, where freshness of the secret is meant to indicate that the adversary does not trivially know the value of the secret. We say a secret \(\mathsf {s}_{C}^i\) is fresh if (1) C is not corrupted and (2) at least \(n-t+1\) out of n servers are not corrupted.

Advantage of the Adversary. Informally, the adversary succeeds if it can guess the bit b used by the \(\mathsf {Test}\) oracle. We say an adversary \(\mathcal {A}\) succeeds if it makes a single query \(\mathsf {Test}(C,i)\) to a fresh client instance \(C^i\), with \(\mathsf {acc}_C^i=\mathsf {TRUE}\) at the time of this query, and outputs a single bit \(b'\) with \(b'=b\) (recall that b is the bit chosen by the \(\mathsf {Test}\) oracle). We denote this event by \(\mathsf {Succ}\). The advantage of adversary \(\mathcal {A}\) in attacking protocol P is then given by

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}}^P(k)=2\cdot \mathsf {Pr}[\mathsf {Succ}]-1 \end{aligned}$$

where the probability is taken over the random coins used by the adversary and the random coins used during the course of the experiment (including the initialization phase).

An adversary can always succeed by trying all passwords one-by-one in an on-line impersonation attack. A protocol is secure if this is the best an adversary can do. The on-line attacks correspond to \(\mathsf {Send}\) queries. Formally, each instance for which the adversary has made a \(\mathsf {Send}\) query counts as one on-line attack. Instances with which the adversary interacts via \(\mathsf {Execute}\) are not counted as on-line attacks. The number of on-line attacks represents a bound on the number of passwords the adversary could have tested in an on-line fashion.

Definition 1

Protocol P is a secure TPASS protocol if, for all dictionary size N and for all PPT adversaries \(\mathcal {A}\) making at most Q(k) on-line attacks, there exists a negligible function \(\varepsilon (\cdot )\) such that for a security parameter k,

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}}^P(k)\le Q(k)/N+\varepsilon (k) \end{aligned}$$

3 Our TPASS Protocol

3.1 Description of Our Protocol

Initialization. Given a security parameter \(k\in \mathbb {Z^*}\), the initialization includes:

Parameter Generation: On input k, the n servers agree on a cyclic group \(\mathbb {G}\) of large prime order q with a generators \(g_1\) and a hash function \(H:\{0,1\}^*\rightarrow \mathbb {Z}_q\). Then the n servers cooperate to generate \(g_2\), like [16], such that none knows the discrete logarithm of \(g_2\) based on \(g_1\) if one out of the n server is honest. The public parameters for the protocol is \(\mathsf {params}=\{\mathbb {G},q,g_1,g_2,H\}\).

Password Generation: On input \(\mathsf {params}\), each client \(C\in \mathsf {Client}\) with identity \(ID_C\) uniformly draws a string \(\mathsf {pw}_C\), the password, from the dictionary \(\mathsf {D}=\{\mathsf {pw}_1,\mathsf {pw}_2,\cdots ,\) \(\mathsf {pw}_N\}\). The client then randomly chooses a polynomial \(f_1(x)\) of degree \(t-1\) over \(\mathbb {Z}_q\) such that \(\mathsf {pw}_C=f_1(0)\), and distributes \(\{ID_C, i,f_1(i)\}\) to the server \(\mathsf {S}_i\) via a secure channel, where \(i=1,2,\cdots ,n\).

Secret Sharing: On input \(\mathsf {params}\), each client \(C\in \mathsf {Client}\) randomly chooses s from \(\mathbb {Z}_q^*\). The client then randomly chooses two polynomials \(f_2(x)\) and \(f_3(x)\) of degree \(t-1\) over \(\mathbb {Z}_q\) such that \(s=f_2(0)\) and \(H(g_2^s)=f_3(0)\), and distributes \(\{ID_C, i,f_2(i),f_3(i)\}\) to the server \(\mathsf {S}_i\) via a secure channel, where \(i=1,2,\cdots ,n\). We define the secret \(s_C\) as \(g_2^s\).

Protocol Execution. Given the public \(\mathsf {params}=\{\mathbb {G},q,g_1,g_2,H\}\), the client C (knowing its identity \(ID_C\) and password \(\mathsf {pw}_{C}\)) runs TPASS protocol P with t servers (each server knowing \(\{ID,i, f_1(i),f_2(i),f_3(i)\}\)) to retrieve the secret \(s_C\) as shown in Fig. 1.

Fig. 1.
figure 1

Our TPASS protocol P

Full size image

In Fig. 1, TPASS protocol is executed in three phases as follows.

Retrieval Request. Given the public parameters \(\{\mathbb {G}, g_1,g_2,q,H\}\), the client C with the identity \(ID_C\) validates if q is a large prime and \(g_1^q=g_2^q=1\). If so, the client, who remembers the password \(\mathsf {pw}_C\), randomly chooses r from \(\mathbb {Z}_q^*\) and computes

$$\begin{aligned} A=g_1^{r}g_2^{-\mathsf {pw}_C}. \end{aligned}$$

Then the client submits \(\mathsf {msg}_C=\langle ID_C,A\rangle \) to the gateway \(\mathsf {GW}\) for the n servers.

Remark. The purpose for the client to validate the public parameters is to ensure that the discrete logarithm over \(\{\mathbb {G},q,g_1,g_2\}\) is hard in case that the adversary can change the public parameters.

Retrieval Response. After receiving the request \(\mathsf {msg}_C\) from the client C, the gateway \(\mathsf {GW}\) forwards it to t available servers to response the request. Without loss of generality, we assume that the first t servers, denoted as \(\mathbb {S}=\{\mathsf {S}_1,\mathsf {S}_2,\cdots ,\mathsf {S}_t\}\), cooperate to generate a response as follows.

Based on the identity \(ID_C\) of the client, each server \(\mathsf {S}_i\) (\(i=1,2,\cdots ,t\)) randomly chooses \(r_i,c_i,d_i\) from \(\mathbb {Z}_q^*\) and computes

$$\begin{aligned} B_i=g_1^{r_i}g_2^{a_if_1(i)},C_i=g_1^{c_i},D_i=g_1^{d_i},\delta _i=g_1^{H(ID_C,A,B_i,C_i,D_i)} \end{aligned}$$

where \(a_i=\prod _{1\le j\le t,j\not =i}\frac{j}{j-i}\).

Then \(\mathsf {S}_i\) broadcasts \(\mathsf {msg}_i=\langle ID_C,\delta _i,B_i,C_i,D_i\rangle \) in \(\mathbb {S}\) in two phases. In the commit phase, \(\mathsf {S}_i\) broadcasts its commitment \(\langle ID_C,\delta _i\rangle \). After receiving all commitments \(\langle ID_C,\delta _j\rangle \) (\(1\le j\le t\)), \(\mathsf {S}_i\) broadcasts its opening \(\langle ID_C,B_i,C_i,D_i\rangle \) in the reveal phase.

Each server \(\mathsf {S}_i\) verifies if \(\delta _j=g_1^{H(ID_C,A,B_j,C_j,D_j)}\) for all \(j\not =i\). If so, based on the identity \(ID_C\) of the client, \(\mathsf {S}_i\) computes

$$\begin{aligned} C=\prod _{j=1}^tC_j, D=\prod _{j=1}^tD_j,h_i=H(ID_C,A, C,D) \end{aligned}$$
$$\begin{aligned} E_i=g_2^{a_if_2(i)h_i}C^{-r_i}(A\prod _{j=1}^tB_j)^{c_i}, F_i=g_2^{a_if_3(i)h_i}D^{-r_i}(A\prod _{j=1}^tB_j)^{d_i} \end{aligned}$$

and sets \(\mathsf {acc}_{\mathsf {S}_i}=\mathsf {TRUE}.\)

Then \(\mathsf {S}_i\) sends \(\mathsf {msg}_i^*=\{ID_C,C,D,E_i,F_i\}\) to the gateway \(\mathsf {GW}\).

The gateway \(\mathsf {GW}\) computes

$$\begin{aligned} E=\prod _{i=1}^tE_i, F=\prod _{i=1}^tF_i \end{aligned}$$

and returns to the client with \(\mathsf {msg}_S=\{ID_C,C,D,E,F\}\).

Secret Retrieval. After receiving the response \(\mathsf {msg}_S=\{ID_C,C,D,E,F\}\) from the gateway, the client computes

$$\begin{aligned} h=H(ID_C,A,C,D), S=(E/C^r)^{h^{-1}}, T=(F/D^r)^{h^{-1}} \end{aligned}$$

and verifies if \(T=g_2^{H(S)}\). If so, the client sets \(\mathsf {acc}_C=\mathsf {TRUE}\) and \(\bot \) otherwise.

3.2 Correctness and Efficiency

Correctness. Assume that a client instance \(C^i\) and t server instances \(\mathbb {S}\) run an honest execution of our TPASS protocol P with no interference from the adversary. With reference to Fig. 1, it is obvious that \(\mathsf {acc}_{\mathsf {S}_j}=\mathsf {TRUE}\) for \(1\le j\le t\). In addition, we have

$$\begin{aligned} C= & {} \prod _{j=1}^tC_j=g_1^{\sum _{j=1}^tc_j}\\ D= & {} \prod _{j=1}^tD_j=g_1^{\sum _{j=1}^td_j}\\ E_i= & {} g_2^{a_if_2(i)h_i}C^{-r_i}(A\prod _{j=1}^tB_j)^{c_i}\\= & {} g_2^{a_if_2(i)h_i}g_1^{-r_i\sum _{j=1}^t c_j}(g_1^rg_2^{-\mathsf {pw}_C}g_1^{\sum _{j=1}^tr_j}g_2^{\mathsf {pw}_C})^{c_i}\\= & {} g_2^{a_if_2(i)h_i}g_1^{-r_i\sum _{j=1}^t c_j}g_1^{c_i\sum _{j=1}^tr_j}g_1^{c_ir}\\ F_i= & {} g_2^{a_if_3(i)h_i}D^{-r_i}(A\prod _{j=1}^tB_j)^{d_i}\\= & {} g_2^{a_if_3(i)h_i}g_1^{-r_i\sum _{j=1}^t d_j}(g_1^rg_2^{-\mathsf {pw}_C}g_1^{\sum _{j=1}^tr_j}g_2^{\mathsf {pw}_C})^{d_i}\\= & {} g_2^{a_if_3(i)h_i}g_1^{-r_i\sum _{j=1}^t d_j}g_1^{d_i\sum _{j=1}^tr_j}g_1^{d_ir}\\ h= & {} h_1=h_2=\cdots =h_t\\= & {} H(ID_C,A,C,D)\\ E= & {} \prod _{i=1}^tE_i=\prod _{i=1}^tg_2^{a_if_3(i)h}g_1^{-r_i\sum _{j=1}^t d_j}g_1^{d_i\sum _{j=1}^tr_j}g_1^{d_ir}\\= & {} g_2^{sh}g_1^{-\sum _{i=1}^tr_i\sum _{j=1}^t c_j}g_1^{\sum _{i=1}^t c_i\sum _{j=1}^tr_j}g_1^{r\sum _{i=1}^tc_i}\\= & {} g_2^{sh}C^r\\ F= & {} \prod _{i=1}^tF_i=\prod _{i=1}^tg_2^{a_if_3(i)h}g_1^{-r_i\sum _{j=1}^t d_j}g_1^{d_i\sum _{j=1}^tr_j}g_1^{d_ir}\\= & {} g_2^{H(g_2^s)h}g_1^{-\sum _{i=1}^tr_i\sum _{j=1}^t d_j}g_1^{\sum _{i=1}^t d_i\sum _{j=1}^tr_j}g_1^{r\sum _{i=1}^td_i}\\= & {} g_2^{H(g_2^s)h}D^r \end{aligned}$$

We can see that (CE) and (DF) are in fact the EGamal encryptions of \(g_2^{sh}\) and \(g_2^{H(g^s)h}\) under the public key \(g_1^r\), respectively. Therefore, we have \(\mathsf {acc}_C=\mathsf {TRUE}\) because

$$\begin{aligned} h= & {} H(ID_C,A,C,D)\\ S= & {} (E/C^r)^{h^{-1}}=(g_2^{sh})^{h^{-1}}=g_2^s\\ T= & {} (F/D^r)^{h^{-1}}=(g_2^{H(g_2^s)h})^{h^{-1}}=g_2^{H(g_2^s)}\\ T= & {} g_2^{H(S)}.\nonumber \ \end{aligned}$$

In summary, our TPASS protocol has correctness.

Efficiency. In our TPASS protocol, the client needs to compute 7 exponentiations in \(\mathbb {G}\) and send or receive 5 group elements in \(\mathbb {G}\). Each server needs to compute \(t+10\) exponentiations in \(\mathbb {G}\) and send or receive \(4t+5\) group elements in \(\mathbb {G}\).

The client involves only two communication rounds with the gateway, i.e., sending \(\mathsf {msg}_C\) to the gateway and receiving \(\mathsf {msg}_S\) from the gateway. Each server \(\mathsf {S}_i\) participates in six communication rounds with other servers and the gateway, i.e., receiving \(\mathsf {msg}_C\) from the gateway, broadcasting the commitment \(\langle ID_C, \delta _ i\rangle \) to other servers, receiving \(\langle ID_C,\delta _j\rangle \) for all \(j\not =i\) from other servers, broadcasting \(\langle ID_C, B_i,C_i,D_i\rangle \), receiving \(\langle ID_C,B_j,C_j,D_j\rangle \) for all \(j\not =i\), and finally sending \(\mathsf {msg}_i^*\) to the gateway.

The performance comparison of Camenisch et al. protocol [5] and our protocol can be shown in Table 1.

Table 1. Performance comparison of Camenisch et al. protocol and our protocol
Full size table

In Table 1, exp. represent the computation complexity of a modular exponentiation, |g| is the size of a group element in \(\mathbb {G}\) and |q| is the size of a group element in \(\mathbb {Z}_q\). In Camenisch et al. protocol [5], a hash value is counted as half a group element.

In our initialization, the client secret-shares the password, secret and the digest of the secret with the n servers via n secure channels which may be established with PKI. In the setup protocol of Camenisch et al., the client setups the shares with the n servers based on PKI. Our retrieval protocol does not rely on PKI, but the retrieval protocol of Camenisch et al. still requires PKI. In view of this, our retrieval protocol can be implemented easier than Camenisch et al. retrieval protocol.

From Table 1, we can see that our retrieval protocol is significantly more efficient than the retrieval protocol of Camenisch et al. not only in communication rounds for client but also in computation and communication complexities. In particular, the performance of the client in our retrieval protocol is independent of the number of the servers and the threshold.

4 Security Analysis

Based on the security model defined in Sect. 2, we have the following theorem:

Theorem 1

Assuming that the decisional Diffie-Hellman (DDH) problem [6] is hard over \(\{\mathbb {G}, q,g_1\}\) and H is a collision-resistant hash function, then our TPASS protocol P illustrated in Fig. 1 is secure according to Definition 1.

Proof

In the security analysis, we consider the worst case where \(t-1\) servers have been corrupted and only one server is honest in our protocol as shown in Fig. 1. Without loss of generality, we assume that the first server \(\mathsf {S}_1\) is honest and the rest have been corrupted.

Given an adversary \(\mathcal {A}\) attacking the protocol, we imagine a simulator \(\mathcal {S}\) that runs the protocol for \(\mathcal {A}\).

First of all, the simulator \(\mathcal {S}\) initializes the system by generating public parameters \(\mathsf {params}=\{\mathbb {G},q,g_1,g_2,H\}\). Next, \(\mathsf {Server}=\{\mathsf {S}_1,\mathsf {S}_2,\cdots ,\mathsf {S}_n\}\) and \(\mathsf {Client}\) sets are determined. For each \(C\in \mathsf {Client}\), a password \(\mathsf {pw}_C\) and a secret \(s_C\) are chosen at random and then secret-shared with the n servers. In addition, the digest of the secret \(H(s_C)\) is also secret-shared with the n servers.

The public parameters \(\mathsf {params}\) and the shares \(\{ID_C,i,f_1(i),f_2(i),f_3(i)\}\) for \(i=2,3,\cdots ,t\) are provided to the adversary. When answering to any oracle query, the simulator \(\mathcal {S}\) provides the adversary \(\mathcal {A}\) with the internal state of the corrupted servers \(\mathsf {S}_i\) (\(i=2,3,\cdots ,t\)).

We view the adversary’s queries to its \(\mathsf {Send}\) oracles as queries to four different oracles as follows:

  • \(\mathsf {Send}(C,i)\) represents a request for instance \(C^i\) of client C to initiate the protocol. The output of this query is \(\mathsf {msg}_C=\langle ID_C, A \rangle \).

  • \(\mathsf {Send}(\mathsf {S}_1,j,C,\mathsf {msg}_C)\) represents sending message \(\mathsf {msg}_C\) to instance \(\mathsf {S}_1^j\) of the server \(\mathsf {S}_1\), supposedly from the client C. The input of this query is \(\mathsf {msg}_C=\langle ID_C, A \rangle \) and the output of this query is \(\mathsf {msg}_1=\langle ID_C,\delta _1,B_1,C_1,D_1\rangle \).

  • \(\mathsf {Send}(\mathsf {S}_1,j,\mathsf {S}_2,\mathsf {S}_3,\cdots ,\mathsf {S}_t, M)\) represents sending message M to instance \(\mathsf {S}_1^j\) of the server \(\mathsf {S}_1\), supposedly from the servers \(\mathsf {S}_2, \mathsf {S}_3, \cdots , \mathsf {S}_t\). The input of this query is \(M=\mathsf {msg}_2\Vert \mathsf {msg}_3\Vert \cdots \Vert \mathsf {msg}_t\) and the output of this query is \(\mathsf {msg}_1^*=\langle ID_C, C,D, E_1,F_1 \rangle \) or \(\bot \).

  • \(\mathsf {Send}(C,i,\mathsf {msg}_S)\) represents sending the message \(\mathsf {msg}_S\) to instance \(C^i\) of the client C. The input of this query is \(\mathsf {msg}_S=\langle ID_C, C,D,E,F\rangle \) and the output of this query is either \(\mathsf {acc}_C^i=\mathsf {TRUE}\) or \(\bot \).

When \(\mathcal {A}\) queries the \(\mathsf {Test}\) oracle, the simulator \(\mathcal {S}\) chooses a random bit b. When the adversary completes its execution and output a bit \(b'\), the simulator can tell whether the adversary succeeds by checking if (1) a single \(\mathsf {Test}\) query was made regarding some fresh client session, and (2) \(b'=b\). Success of the adversary is denoted by event \(\mathsf {Succ}\). For any experiment P, we denote \(\mathsf {Adv}_{\mathcal {A}}^P=2\cdot \mathsf {Pr}[\mathsf {Succ}]-1\), where \(\mathsf {Pr}[\cdot ]\) denotes the probability of an event when the simulator interacts with the adversary in accordance with experiment P.

We will use some terminology throughout the proof. A given message is called oracle-generated if it was output by the simulator in response to some oracle query. The message is said to be adversarially-generated otherwise. An adversarially-generated message must not be the same as any oracle-generated message.

We refer to the real execution of the experiment, as described above, as \(P_0\). We introduce a sequence of transformations to the experiment \(P_0\) and bound the effect of each transformation on the adversary’s advantage. We then bound the adversary’s advantage in the final experiment. This immediately yields a bound on the adversary’s advantage in the original experiment.

As shown in the appendix, we have \(\mathsf {Adv}_{\mathcal {A}}^{P_0}(k)\le Q(k)/N+\varepsilon (k)\) for some negligible function \(\varepsilon (\cdot )\). This completes the proof of the theorem. \(\triangle \)

In our retrieval protocol, the client sends out one message \(A=g_1^rg_2^{\mathsf {pw}_C}\) only after validating the public parameters \(\{\mathbb {G},q,g_1,g_2\}\). Even if the client communicates with all malicious servers by mistake and the adversary can change the public parameters, our retrieval protocol does not leak the password because r in A is randomly chosen from \(\mathbb {Z}_q^*\) by the client.

In addition, in the appendix, we have modified the definition of the security in order to take into account the attack where the adversary attempts to plant a different secret into the user’s mind than the secret that he stored earlier. This attack is restricted to online dictionary attack.

5 Conclusion

In this paper, we have presented a practical t-out-of-n TPASS protocol for any \(n>t\) that protects the password of the client when he tries to retrieve his secret from all corrupt servers as well as prevents the adversary from planting a different secret into the user’s mind than the secret that he stored earlier. Our protocol is significantly more efficient than existing TPASS protocols. Furthermore, we have provide a rigorous proof of security for our protocol in the standard model.

Our future work will study how efficiently to detect the corrupted servers and implement our protocol in light-weight mobile devices to support cloud-based services/management.