A new framework for efficient password-based authenticated key exchange

Groce, Adam; Katz, Jonathan

doi:10.1145/1866307.1866365

Cited by 84 publications

(62 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this class of protocols, we find e.g. the protocol of Groce and Katz [19], the OEKE protocol from [10], and the F + PaKE protocol from [17]. The GroceKatz protocol achieves mutual authentication, as in Figure 2.…”

Section: Examples Of How It Functionsmentioning

confidence: 93%

“…We also assume a partnering definition that does not mention uniqueness, e.g. that of [17,22,19,25,26]. This serves Client C Server S compute m C, m compute µ, κ1, κ2, sid, sk accept set sidS ← sid S, µ compute k1, k2, sid, sk accept set sidC ← sid C, k1 abort if k1 = κ1 terminate set skS ← sk S, κ2 abort if κ2 = k2 terminate set skC ← sk as further evidence that partnering and partner uniqueness must be carefully treated, and probably separately.…”

Section: The Quality Of Partner Uniquenessmentioning

confidence: 99%

See 1 more Smart Citation

On Password-Authenticated Key Exchange Security Modeling

Lancrenon

2016

Technology and Practice of Passwords

View full text Add to dashboard Cite

Abstract. Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al. [5] at Eurocrypt 2000. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al. [3] at Public Key Cryptography 2005. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.

show abstract

Section: Examples Of How It Functionsmentioning

confidence: 93%

Section: The Quality Of Partner Uniquenessmentioning

confidence: 99%

On Password-Authenticated Key Exchange Security Modeling

Lancrenon

2016

Technology and Practice of Passwords

View full text Add to dashboard Cite

show abstract

“…The design of the KV-PAKE protocol originates from the KOY protocol [38] and is used in many PAKE construction, e.g., [5,16,32,33,36]. It is therefore safe to assume that some of these protocols, instantiated with an encryption scheme that yields ciphertexts with pseudorandom elements and SPHFs with pseudorandom projection keys, can be used with our compiler.…”

Section: Generalisations and Limitationsmentioning

confidence: 99%

Oblivious PAKE: Efficient Handling of Password Trials

Kiefer

Manulis

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this work we introduce the notion of Oblivious Password based Authenticated Key Exchange (O-PAKE) and a compiler to transform a large class of PAKE into O-PAKE protocols. O-PAKE allows a client that shares one password with a server to use a subset of passwords within one PAKE session. It succeeds if and only if one of those input passwords matches the one stored on the server side. The term oblivious is used to emphasise that no information about any password, input by the client, is made available to the server. O-PAKE protocols can be used to improve the overall efficiency of login attempts using PAKE protocols in scenarios where users are not sure (e.g. no longer remember) which of their passwords has been used at a particular web server. Using special processing techniques, our O-PAKE compiler reaches nearly constant run time on the server side, independent of the size of the client's password set; in contrast, a naive approach to run a new PAKE session for each login attempt would require linear run time for both parties. We prove security of the O-PAKE compiler under standard assumptions using the latest game-based PAKE model by Abdalla, Fouque and Pointcheval (PKC 2005), tailored to our needs. We identify the requirements that PAKE protocols must satisfy in order to suit the compiler and give two concrete O-PAKE instantiation.

show abstract

“…Different constructions of efficient PAKE protocols were given in [32,27]. These works all require a CRS.…”

Section: Password-based Authenticated Key Exchangementioning

confidence: 99%

“…All prior PAKE protocols based on standard assumptions, though, require three or more rounds. We remark that the protocols in [32,27] achieve explicit authentication in three rounds (whereas the protocols of [34,22,21,35] achieve only implicit authentication in three rounds, and require an additional round for explicit authentication), but the round complexity of these protocols cannot be further reduced even if only implicit authentication is desired.…”

Section: Password-based Authenticated Key Exchangementioning

confidence: 99%

Round-Optimal Password-Based Authenticated Key Exchange

Katz

Vaikuntanathan

2011

Theory of Cryptography

Self Cite

113

127

View full text Add to dashboard Cite

We show a general framework for constructing password-based authenticated key-exchange protocols with optimal round complexity -one message per party, sent simultaneously -in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map-based cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round. Password-Based Authenticated Key ExchangeProtocols for authenticated key exchange enable two parties to generate a shared, cryptographically strong key while communicating over an insecure network under the complete control of an adversary. Such protocols are among the most widely used and fundamental cryptographic primitives; indeed, agreement on a shared key is necessary before "higher-level" tasks such as encryption and message authentication become possible.Parties must share some information in order for authenticated key exchange to be possible. It is well known that shared cryptographic keys -either in the form of public keys or a long, uniformly random symmetric key -suffice, and several protocols in this model, building on the classic Diffie-Hellman protocol [19] (which protects only against an eavesdropping adversary and provides no authentication at all) are known; see, e.g., [7,4].Password-based protocols allow users to bootstrap a weak (e.g., short) shared secret into a (much longer) cryptographic key. The canonical application here is authentication using passwords, though protocols developed in this context can be useful even when the shared secret has high min-entropy (but is not uniform) [11]. The security guaranteed by password-based protocols (roughly speaking) is that if the password is chosen uniformly 1 from a dictionary of size D then an adversary who initiates Q on-line attacks -i.e., who actively interferes in Q sessions -has "advantage" at most Q/D. (This is inherent, as an adversary can always carry out Q impersonation attempts and succeed with this probability.) In particular, off-line dictionary attacks in which an adversary *

show abstract

A new framework for efficient password-based authenticated key exchange

Cited by 84 publications

References 30 publications

On Password-Authenticated Key Exchange Security Modeling

On Password-Authenticated Key Exchange Security Modeling

Oblivious PAKE: Efficient Handling of Password Trials

Round-Optimal Password-Based Authenticated Key Exchange

Contact Info

Product

Resources

About