Abstract
We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today’s world.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
For the relation between the indistinguishability-based and simulation-based models, see the recent work [23].
- 2.
- 3.
The advantage is twice the success probability minus one.
- 4.
By success we mean guessing the password of any user.
- 5.
A detailed description of the protocol is in Sect. 3.
- 6.
More details on Gap Diffie-Hellman groups and the relevant computational problems and assumptions are given in Sect. 2.
- 7.
We refer to [34, Fig. 4] for an estimation of the advantage of online dictionary attacks as a function of the number of guesses for two real-world password datasets.
- 8.
This is the weak-corruption model of [5].
References
Abdalla, M., Chevassut, O., Pointcheval, D.: One-time verifier-based encrypted key exchange. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 47–64. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_5
Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6
Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14
Bellare, M.: Practice-oriented provable-security. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 1–15. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48969-X_1
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Symposium on Research in Security and Privacy, SP 1992, pp. 72–84 (1992)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12
Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_24
Dacosta, I., Ahamad, M., Traynor, P.: Trust No One Else: detecting MITM attacks against SSL/TLS without third-parties. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 199–216. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_12
Ding, J., Alsayigh, S., Lancrenon, J., RV, S., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 183–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_11
Ecrypt, I.: ECRYPT II yearly report on algorithms and keysizes. Technical report, European Network of Excellence in Cryptology II (2012)
Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156(16), 3113–3121 (2008)
Hao, F., Ryan, P.: J-PAKE: authenticated key exchange without PKI. Trans. Comput. Sci. 11, 192–206 (2010)
Harkins, D.: Simultaneous authentication of equals: a secure, password-based key exchange for mesh networks. In: Proceedings of the 2008 Second International Conference on Sensor Technologies and Applications, SENSORCOMM 2008, pp. 839–844. IEEE Computer Society (2008)
Standard Specifications for Password-Based Public Key Cryptographic Techniques: Standard. IEEE Standards Association, Piscataway, NJ, USA (2002)
Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26 (1996)
Joux, A., Nguyen, K.: Deparating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_29
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Lancrenon, J., Škrobot, M.: On the provable security of the dragonfly protocol. In: Lopez, J., Mitchell, C.J. (eds.) ISC 2015. LNCS, vol. 9290, pp. 244–261. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23318-5_14
Lenstra, A.K.: Key lengths. Technical report, Wiley (2006)
Lopez Becerra, J.M., Iovino, V., Ostrev, D., Škrobot, M.: On the relation between SIM and IND-RoR security models for PAKEs. In: SECRYPT 2017. SCITEPRESS (2017)
MacKenzie, P.: On the security of the speke password authenticated key exchange protocol. Cryptology ePrint Archive, Report 2001/057 (2001). http://eprint.iacr.org/2001/057
MacKenzie, P.: The PAK suite: protocols for password-authenticated key exchange. DIMACS Technical report 2002–46 (2002)
MacKenzie, P.: More efficient password-authenticated key exchange. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 361–377. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_27
MacKenzie, P.: Methods and apparatus for providing efficient password authenticated key exchange (2002). Publication number US20020194478 A1. https://www.google.com/patents/US20020194478
Mrabet, N.E., Joye, M.: Guide to Pairing-Based Cryptography. Chapman & Hall/CRC, Boca Raton (2016)
Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_8
Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., Markov, Y.: The first collision for full SHA-1. IACR Cryptology ePrint Archive 2017, 190 (2017). http://eprint.iacr.org/2017/190
Thread-Group: Thread Protocol (2015). http://threadgroup.org/
Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12, 2776–2791 (2017)
Wang, D., Wang, P.: On the implications of Zipf’s law in passwords. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 111–131. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_6
Warner, B.: Magic Wormhole (2016). https://github.com/warner/magic-wormhole
Wu, T.D.: The secure remote password protocol. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 1998. The Internet Society (1998)
Acknowledgements
We would like to thank the anonymous referees for their comments. This work was supported by the Luxembourg National Research Fund (CORE project AToMS and CORE Junior grant no. 11299247).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Terminology from the Original Proof of PAK
First, we introduce the terminology from [25] that deals with adversary’s actions and partnering.
We say “in a CLIENT ACTION \(\kappa \) query to \(\varPi _{i}^{C}\)”, to refer to “in a Send query to \(\varPi _{i}^{C}\) that results in execution of CLIENT ACTION \(\kappa \) procedure” and “in a SERVER ACTION \(\kappa \) query to \(\varPi _{j}^{S}\)”, to refer to “in a Send query to \(\varPi _{j}^{S}\) that results in execution of SERVER ACTION \(\kappa \) procedure”. A client instance \(\varPi _{i}^{C}\) is paired with a server instance \(\varPi _{j}^{S}\) if there is a CLIENT ACTION 0 query to \(\varPi _{i}^{C}\) with input S and output \(\langle C,m \rangle \), there is a SERVER ACTION 1 query to \(\varPi _{j}^{S}\) with input \(\langle C,m \rangle \) and output \(\langle \mu ,k \rangle \) and there is a CLIENT ACTION 1 query to \(\varPi _{i}^{C}\) with input \(\langle \mu ,k \rangle \). A server instance \(\varPi _{j}^{S}\) is paired with client instance \(\varPi _{i}^{C}\) whenever there is a CLIENT ACTION 0 query to \(\varPi _{i}^{C}\) with input S and output \(\langle C,m \rangle \), there is a SERVER ACTION 1 query to \(\varPi _{j}^{S}\) with input \(\langle C,m \rangle \) and output \(\langle \mu ,k \rangle \), and if there is a SERVER ACTION 2 query to \(\varPi _{j}^{S}\) with input \(k'\), then there was previously a CLIENT ACTION 1 query to \(\varPi _{i}^{C}\) with input \(\langle \mu ,k \rangle \) and output \(k'\).
Next we describe those events taken from [25] which are required in our proof of security.
-
testpw(\(C,i,S,\pi ,l\)): for some \(m, \mu \) and \(\gamma '\), \(\mathcal {A}\) makes (i) an \(H_l(C,S,m,\mu ,\sigma , \gamma ')\) query, (ii) a CLIENT ACTION 0 query to a client instance \(\varPi _{i}^{C}\) with input S and output \(\langle C,m \rangle \), (iii) a CLIENT ACTION 1 query to \(\varPi _{i}^{C}\) with input \(\langle \mu , k \rangle \) and (iv) an \(H_1(\pi )\) query returning \((\gamma ')^{-1}\), where the last query is either the \(H_l(\cdot )\) query or the CLIENT ACTION 1 query, \(\sigma = DH(\alpha ,\mu )\), \(m = \alpha \cdot (\gamma ')^{-1}\) and \(l \in \{2,3,4\}\).
-
testpw!(\(C,i,S,\pi \)): for some k, a CLIENT ACTION 1 query with input \(\langle \mu , k \rangle \) causes a testpw(\(C,i,S,\pi ,2\)) event to occur, with associated value k.
-
textpw(\(S,j,C,\pi ,l\)): for some \(m, \mu , \gamma '\) and k, \(\mathcal {A}\) makes an \(H_l(C,S,m,\mu ,\sigma , \gamma ')\) query, and previously made (i) a SERVER ACTION 1 query to a server instance \(\varPi _{j}^{S}\) with input \(\langle C,m \rangle \) and output \(\langle \mu ,k \rangle \), and (ii) an \(H_1(\pi )\) query returning \((\gamma ')^{-1}\), where \(\sigma = DH (\alpha , \mu )\), \(m = \alpha \cdot (\gamma ')^{-1}\) and ACCEPTABLE(m). The associated value of this event is \(k, k''\) or \(sk_s^j\).
-
testpw!(\(S,j,C,\pi \)): SERVER ACTION 2 query to \(\varPi _{j}^{S}\) is made with input \(k'\), and previously a testpw(\(S,j,C,\pi ,3\)) event occurs with associated value \(k'\).
-
testpw\(^*\)(\(S,j,C,\pi \)): testpw(\(S,j,C,\pi ,l\)) event occurs for some \(l\in \{2,3,4\}\).
-
testpw(\(C,i,S,j,\pi \)) : for some \(l\in \{2,3,4\}\), both a testpw(\(C,i,S,\pi ,l\)) and testpw(\(S,j,C,\pi ,l\)) event occur, where \(\varPi _{i}^{C}\) is paired with \(\varPi _{j}^{S}\), and \(\varPi _{j}^{S}\) is paired with \(\varPi _{i}^{C}\) after its SERVER ACTION 1 query.
-
testexecpw(\(C,i,S,j,\pi \)): for some \(m, \mu \) and \(\gamma '\), \(\mathcal {A}\) makes an \(H_l(C,S,m,\) \(\mu ,\) \(\sigma ,\) \(\gamma ')\) query, for \(l\in \{2,3,4\}\), and previously made (i) an Execute(C, i, S, j) query that generates \(m,\mu \), and (ii) an \(H_1(\pi )\) query returning \((\gamma ')^{-1}\), where \(\sigma = DH(\alpha , \mu )\) and \(m=\alpha \cdot (\gamma ')^{-1}\).
-
correctpw: before any Corrupt query, either a testpw!(\(C,i,S,\pi _C\)) event occurs for some C,i and S, or a \(\text {testpw}^*(S,j,C,\pi _C)\) event occurs for some S, j, and C.
-
doublepwserver: before any Corrupt query, both \(\text {testpw}^*(S,j,C,\pi )\) event and a \(\text {testpw}^*(S,j,C,\hat{\pi })\), for some S, j, C and \(\pi \ne \hat{\pi }\).
-
pairedpwguess: a testpw(\(C,i,S,j,\pi _C\)) event occurs, for some C, i, S and j.
B Hash Function Simulation
Simulation of the hash function \(H_1\)
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Becerra, J., Iovino, V., Ostrev, D., Šala, P., Škrobot, M. (2018). Tightly-Secure PAK(E). In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science(), vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-02641-7_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02640-0
Online ISBN: 978-3-030-02641-7
eBook Packages: Computer ScienceComputer Science (R0)