Abstract
The speed of secret sharing (SS)-based multiparty computation (MPC) has recently increased greatly, and several efforts to implement and use it have been put into practice. Authentication of clients is one critical mechanism for implementing SS-based MPC successfully in practice. We propose a password-based authentication protocol for SS-based MPC. Our protocol is secure in the presence of secure channels, and it is optimized for practical use with SS-based MPC in the following ways.
- Threshold security: Our protocol is secure in the honest-majority setting, which is necessary and sufficient since most practical results on SS-based MPC are secure in the same setting.
- Establishing distinct channels: After our protocol, a client has distinct secure and two-way authenticated channels to each server, which is necessary for SS-based MPC and differs from the usual setting.
- Ease of implementation: Our protocol consists of SS and operations on shares, which can be reused from an implementation of SS-based MPC.
Furthermore, we implemented our protocol with an optimization for realistic networks and confirmed that the protocol is practical. A client received the result within 2 s even when the network delay was 200 ms, which is approximately the delay between Japan and Europe.
Notes
1. This “authentication” means the capability to detect an instance of tampering.
References
Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)
Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: ACM Conference on Computer and Communications Security, pp. 433–444 (2011)
Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: TCC, pp. 213–230 (2008)
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. Oakland, CA, USA, 4–6 May 1992
Bellovin, S.M., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 244–250. Fairfax, Virginia, USA, 3–5 November 1993
Bogdanov, D., Laur, S., Willemson, J.: Sharemind: a framework for fast privacy-preserving computations. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 192–206. Springer, Heidelberg (2008)
Bogdanov, D., Niitsoo, M., Toft, T., Willemson, J.: High-performance secure multi-party computation for data mining applications. Int. J. Inf. Sec. 11(6), 403–418 (2012)
Bogdanov, D., Talviste, R., Willemson, J.: Deploying secure multi-party computation for financial data analysis. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 57–64. Springer, Heidelberg (2012)
Brainard, J.G., Juels, A., Kaliski, B., Szydlo, M.: A new two-server approach for authentication with short secrets. In: Proceedings of the 12th USENIX Security Symposium, Washington, D.C., USA, 4–8 August 2003
Burkhart, M., Strasser, M., Many, D., Dimitropoulos, X.A.: SEPIA: privacy-preserving aggregation of multi-domain network events and statistics. In: USENIX Security Symposium, pp. 223–240 (2010)
Camenisch, J., Lysyanskaya, A., Neven, G.: Practical yet universally composable two-server password-authenticated secret sharing. In: ACM Conference on Computer and Communications Security, pp. 525–536 (2012)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS, pp. 136–145 (2001)
Coretti, S., Maurer, U., Tackmann, B.: Constructing confidential channels from authenticated channels—public-key encryption revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 134–153. Springer, Heidelberg (2013)
Cramer, R., Damgård, I.B., Ishai, Y.: Share conversion, pseudorandom secret-sharing and applications to secure computation. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 342–362. Springer, Heidelberg (2005)
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2004)
Damgård, I.B., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007)
Ford, W., Kaliski Jr., B.S.: Server-assisted generation of a strong secret from a password. In: WETICE, pp. 176–180 (2000)
Genkin, D., Ishai, Y., Prabhakaran, M., Sahai, A., Tromer, E.: Circuits resilient to additive attacks with applications to secure computation. In: STOC, pp. 495–504 (2014)
Gennaro, R.: Faster and shorter password-authenticated key exchange. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 589–606. Springer, Heidelberg (2008)
Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. ACM Trans. Inf. Syst. Secur. 9(2), 181–234 (2006)
Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Secur. 2(3), 230–268 (1999)
Ikarashi, D., Kikuchi, R., Hamada, K., Chida, K.: Actively private and correct MPC scheme in \(t < {n/2}\) from passively secure schemes with small overhead. IACR Cryptology ePrint Archive, Report 2014/304 (2014)
Jablon, D.P.: Strong password-only authenticated key exchange. Comput. Commun. Rev. 26(5), 5–26 (1996)
Kamm, L., Bogdanov, D., Laur, S., Vilo, J.: A new way to protect privacy in large-scale genome-wide association studies. Bioinformatics 29(7), 886–893 (2013)
Katz, J., MacKenzie, P.D., Taban, G., Gligor, V.D.: Two-server password-only authenticated key exchange. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 1–16. Springer, Heidelberg (2005)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. J. Cryptol. 26(4), 714–743 (2013)
Kiefer, F., Manulis, M.: Distributed smooth projective hashing and its application to two-server password authenticated key exchange. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 199–216. Springer, Heidelberg (2014)
Kurosawa, K., Desmedt, Y.G.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004)
MacKenzie, P.D., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. J. Cryptol. 19(1), 27–66 (2006)
Patel, S.: Number theoretic attacks on secure password schemes. In: 1997 IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 236–247, 4–7 May 1997
Raimondo, M.D., Gennaro, R.: Provably secure threshold password-authenticated key exchange. J. Comput. Syst. Sci. 72(6), 978–1001 (2006)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Steiner, M., Tsudik, G., Waidner, M.: Refinement and extension of encrypted key exchange. Oper. Syst. Rev. 29(3), 22–30 (1995)
A Other Methods to Generate Random and Zero Shares
We give several methods to generate random shares and zero shares.
The first method simply relies on \(\mathcal{C}\), which generates the random and zero shares in \(\textsc {Setup}\) and sends them to all \(\mathcal S_i\) at the same time as the shares of the password. This does not compromise security, since the password shares and the random and zero shares are sent by the same client. If the supply of random or zero shares runs short, \(\mathcal S_i\) asks \(\mathcal{C}\) to generate more after \(\textsc {Auth}\) has finished correctly with acceptance.
The second method is that the servers \(\mathcal S_i\) generate random and zero shares while idle. Damgård and Nielsen [18] and Beerliová-Trubíniová and Hirt [3] proposed random share generation protocols called “DN-Rand” and “BH-Rand,” respectively, and random shares can be prepared with either protocol directly. A zero share is generated in almost the same way as a random share: first generate a random share whose degree is \(2k-2\), then multiply it by \(\mathcal S_i\)’s “coordinate” (evaluation point) in Shamir’s SS. The zero share generation protocol is as follows.
1. Each \(\mathcal S_i\) obtains a \((2k-2, n)\)-random share \(\left\langle {r}\right\rangle _i\).
2. Each \(\mathcal S_i\) locally computes \([\![{0}]\!]_i = i \times \left\langle {r}\right\rangle _i \).
The third method also has the servers \(\mathcal S_i\) generate random and zero shares while idle, but it is more efficient than DN-Rand and BH-Rand because it uses pseudo-randomness instead of interaction. Cramer et al. [16] showed that if all \(\mathcal S_i\) share seeds among themselves before the protocol, they can produce replicated random shares by themselves and locally convert them into Shamir’s random shares. Let \(\mathbb {B}=\left\{ {\beta _1, \ldots , \beta _{\left|{\mathbb {B}}\right|}}\right\} \) be the set of all \((n-k+1)\)-subsets of the n servers, so that \(\left|{\mathbb {B}}\right| = \left( {\begin{array}{c}n\\ n-k+1\end{array}}\right) \); let \(\upsilon _{\beta _1}, \ldots , \upsilon _{\beta _{\left|{\mathbb {B}}\right|}}\) be independently and uniformly chosen seeds; and let \(f_{\beta _j}\) be the polynomial of degree \(k-1\) satisfying \(f_{\beta _j}(0)=1\) and \(f_{\beta _j}(\ell )=0\) for every \(\mathcal S_\ell \notin \beta _j\). In the initial setup, each \(\mathcal S_i\) is given \(\upsilon _{\beta _j}\) for every \(\beta _j\) with \(\mathcal S_i \in \beta _j\). To generate a random share, each \(\mathcal S_i\) computes pseudo-randomness \(\varUpsilon _{\beta _j}\) from \(\upsilon _{\beta _j}\) for every \(\beta _j\) with \(\mathcal S_i \in \beta _j\). Then, each \(\mathcal S_i\) computes \( [r]_i = \sum _{\beta _j \ni \mathcal S_i} f_{\beta _j}(i)\, \varUpsilon _{\beta _j}. \) A zero share is generated with the same technique described in the previous paragraph: first generate a \((2k-2, n)\) random share \(\left\langle {r}\right\rangle _i\) and multiply it by \(\mathcal S_i\)’s coordinate.
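The three constructions of this appendix, written out as an added example that is not code from the paper: a plain Shamir sharing over a prime field, the second method (a degree-\(2k-2\) random share multiplied by the server's coordinate becomes a share of zero), and the third method (pseudorandom secret sharing from replicated seeds, with one \(f_{\beta}\) per subset). The parameters \(n=7\), \(k=3\), the prime, and HMAC-SHA256 as the PRF that turns a seed \(\upsilon_\beta\) into \(\varUpsilon_\beta\) are assumptions of this example; the PRSS part is also generalised to an arbitrary sharing degree \(d\), using \((n-d)\)-subsets, of which the appendix's \(d=k-1\) is the special case.

```python
import hashlib
import hmac
import itertools
import secrets

P = (1 << 61) - 1   # constructed: a Mersenne prime; all arithmetic is in GF(P)
N, K = 7, 3         # constructed: 7 servers S_1..S_7, threshold k = 3 (degree k-1 = 2)


def inv(a):
    """Multiplicative inverse in GF(P)."""
    return pow(a % P, P - 2, P)


def lagrange_at_zero(points):
    """Reconstruct f(0) from (x, f(x)) pairs; needs deg(f) + 1 distinct points."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * inv(den)) % P
    return total


def shamir_share(secret, degree):
    """{i: f(i)} for S_1..S_N, with f random of the given degree and f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(degree)]
    return {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
            for i in range(1, N + 1)}


def zero_share_from_random(random_shares):
    """Second method: [0]_i = i * <r>_i. The new shares lie on x * r(x), which is
    0 at x = 0 and has degree deg(r) + 1, so deg(r) + 2 of them open to 0."""
    return {i: i * s % P for i, s in random_shares.items()}


# --- third method: pseudorandom secret sharing, generalised to sharing degree d ---

def prss_setup(degree):
    """One seed upsilon_beta per (N - degree)-subset beta of the servers; S_i keeps
    the seeds of every beta containing it. degree = K - 1 gives the (N-K+1)-subsets."""
    return {beta: secrets.token_bytes(32)
            for beta in itertools.combinations(range(1, N + 1), N - degree)}


def f_beta_at(beta, x):
    """f_beta(x): degree-d polynomial with f_beta(0) = 1 and f_beta(l) = 0 for S_l not in beta."""
    val = 1
    for l in range(1, N + 1):
        if l not in beta:                          # exactly `degree` such servers
            val = val * (x - l) % P * inv(-l) % P  # factor (x - l) / (0 - l)
    return val


def prf(seed, counter):
    """Upsilon_beta derived from seed upsilon_beta (HMAC-SHA256 used as the PRF)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def prss_share(seeds, i, counter):
    """[r]_i = sum over beta containing S_i of f_beta(i) * Upsilon_beta, computed by S_i alone."""
    return sum(f_beta_at(beta, i) * prf(seed, counter)
               for beta, seed in seeds.items() if i in beta) % P


def demo(counter=1):
    """Run the constructions and return what each one reconstructs to."""
    out = {}
    sh = shamir_share(42, K - 1)                       # any K shares open the secret
    out["shamir"] = lagrange_at_zero([(i, sh[i]) for i in (2, 5, 7)])
    zero = zero_share_from_random(shamir_share(secrets.randbelow(P), 2 * K - 2))
    out["zero"] = lagrange_at_zero([(i, zero[i]) for i in range(1, 2 * K + 1)])
    seeds = prss_setup(K - 1)                          # non-interactive random share
    shares = {i: prss_share(seeds, i, counter) for i in range(1, N + 1)}
    # f_beta(0) = 1 for every beta, so the shared value is the sum of all Upsilon_beta
    expected = sum(prf(s, counter) for s in seeds.values()) % P
    out["prss_consistent"] = all(
        lagrange_at_zero([(i, shares[i]) for i in sub]) == expected
        for sub in itertools.combinations(range(1, N + 1), K))
    seeds2 = prss_setup(2 * K - 2)                     # PRSS zero share: degree 2k-2, then x coordinate
    zero2 = zero_share_from_random({i: prss_share(seeds2, i, counter) for i in range(1, N + 1)})
    out["prss_zero"] = lagrange_at_zero([(i, zero2[i]) for i in range(1, 2 * K + 1)])
    return out


if __name__ == "__main__":
    print(demo())
```

Each server's PRSS share is computed from seeds it already holds, so after the one-time seed distribution no messages are exchanged at all; the check in `demo` confirms that every set of \(k\) servers opens the same value and that the coordinate trick yields shares of zero whichever way the underlying random share was produced.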
© 2015 Springer International Publishing Switzerland
Cite this paper
Kikuchi, R., Chida, K., Ikarashi, D., Hamada, K. (2015). Practical Password-Based Authentication Protocol for Secret Sharing Based Multiparty Computation. In: Reiter, M., Naccache, D. (eds) Cryptology and Network Security. CANS 2015. Lecture Notes in Computer Science(), vol 9476. Springer, Cham. https://doi.org/10.1007/978-3-319-26823-1_13
DOI: https://doi.org/10.1007/978-3-319-26823-1_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26822-4
Online ISBN: 978-3-319-26823-1