Password-Authenticated Session-Key Generation on the Internet in the Plain Model

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


The problem of password-authenticated key exchange (PAKE) has been extensively studied for the last two decades. Despite extensive studies, no construction was known for a PAKE protocol that is secure in the plain model in the setting of concurrent self-composition, where polynomially many protocol sessions with the same password may be executed on the distributed network (such as the Internet) in an arbitrarily interleaved manner, and where the adversary may corrupt any number of participating parties.

In this paper, we resolve this long-standing open problem. In particular, we give the first construction of a PAKE protocol that is secure (with respect to the standard definition of Goldreich and Lindell) in the fully concurrent setting and without requiring any trusted setup assumptions. We stress that we allow polynomially-many concurrent sessions, where polynomial is not fixed in advance and can be determined by an adversary an an adaptive manner. Interestingly, our proof, among other things, requires important ideas from Precise Zero Knowledge theory recently developed by Micali and Pass in their STOC’06 paper.


Security Parameter Ideal Functionality Oblivious Transfer Main Thread Honest Party 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS (1986)Google Scholar
  2. 2.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: STOC (1987)Google Scholar
  3. 3.
    Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Symposium on Security and Privacy (1992)Google Scholar
  4. 4.
    Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1) (2009)Google Scholar
  5. 5.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. 7.
    Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 475. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–543. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Genarro, R.: Faster and shorter password-authenticated key exchange. In: ACM Conference on Computer and Communications Security (2008)Google Scholar
  10. 10.
    Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.D.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS (2001)Google Scholar
  12. 12.
    Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 408. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Nguyen, M.H., Vadhan, S.P.: Simpler session-key generation from short random passwords. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 428–445. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Barak, B., Canetti, R., Lindell, Y., Pass, R., Rabin, T.: Secure computation without authentication. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 361–377. Springer, Heidelberg (2005)Google Scholar
  15. 15.
    Feige, U., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC (1990)Google Scholar
  16. 16.
    Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Barak, B., Prabhakaran, M., Sahai, A.: Concurrent non-malleable zero knowledge. In: FOCS (2006)Google Scholar
  18. 18.
    Micali, S., Pass, R.: Local zero knowledge. In: STOC (2006)Google Scholar
  19. 19.
    Lindell, Y.: Lower bounds for concurrent self composition. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 203–222. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. J. Cryptology 19(3) (2006)Google Scholar
  21. 21.
    Goyal, V., Sahai, A.: Resettably secure computation. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 54–71. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  22. 22.
    Pandey, O., Pass, R., Sahai, A., Tseng, W.L.D., Venkitasubramaniam, M.: Precise concurrent zero knowledge. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 397–414. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Prabhakaran, M., Rosen, A., Sahai, A.: Concurrent zero knowledge with logarithmic round-complexity. In: FOCS (2002)Google Scholar
  24. 24.
    Haitner, I.: Semi-honest to malicious oblivious transfer - the black-box way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  25. 25.
    Naor, M.: Bit commitment using pseudorandomness. J. Cryptology (1991)Google Scholar
  26. 26.
    Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: STOC (1998)Google Scholar
  27. 27.
    Kilian, J., Petrank, E.: Concurrent and resettable zero-knowledge in poly-loalgorithm rounds. In: STOC (2001)Google Scholar
  28. 28.
    Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2) (2000)Google Scholar
  29. 29.
    Blum, M.: How to prove a theorem so no one else can claim it. In: International Congress of Mathematicians (1987)Google Scholar
  30. 30.
    Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Perfect zero-knowledge arguments for np can be based on general complexity assumptions. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 196–214. Springer, Heidelberg (1993)Google Scholar
  31. 31.
    Ostrovsky, R., Venkatesan, R., Yung, M.: Fair games against an all-powerful adversary. DIMACS workshop presentation (1990); Extended abstract, In: Capocelli, R.M., De-Santis, A., Vaccaro, U. (eds.) Proceedings of Sequences II, Positano, Italy. Springer, Heidelberg (June 1991); Journal version in AMS DIMACS Series in Discrete Mathematics and Theoretical Computer Science 13 (1991) Google Scholar
  32. 32.
    Haitner, I., Nguyen, M.H., Ong, S.J., Reingold, O., Vadhan, S.P.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput (2009)Google Scholar
  33. 33.
    Haitner, I., Reingold, O., Vadhan, S.P., Wee, H.: Inaccessible entropy. In: STOC (2009)Google Scholar
  34. 34.
    Kilian, J.: Founding cryptography on oblivious transfer. In: STOC (1988)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.Microsoft ResearchIndia
  2. 2.UCLA 

Personalised recommendations