2001
DOI: 10.1007/3-540-44987-6_29
|View full text |Cite
|
Sign up to set email alerts
|

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Abstract: Abstract. There has been much interest in password-authenticated keyexchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important pro… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

1
250
0
2

Year Published

2005
2005
2022
2022

Publication Types

Select...
4
3
2

Relationship

0
9

Authors

Journals

citations
Cited by 316 publications
(253 citation statements)
references
References 23 publications
(82 reference statements)
1
250
0
2
Order By: Relevance
“…The communication cost of each client is O(2n) bits, where n is the number of clients. If Abdalla et al's compiler employs KOY 2-PAKE protocol [46] and constructs the commitment scheme with Cramer-Shoup public key encryption scheme [35], their group PAKE protocol has 5 rounds. The communication cost of each user is O(6n) bits.…”
Section: Correctness Explicit Authentication Trust Model and Efficimentioning
confidence: 99%
See 1 more Smart Citation
“…The communication cost of each client is O(2n) bits, where n is the number of clients. If Abdalla et al's compiler employs KOY 2-PAKE protocol [46] and constructs the commitment scheme with Cramer-Shoup public key encryption scheme [35], their group PAKE protocol has 5 rounds. The communication cost of each user is O(6n) bits.…”
Section: Correctness Explicit Authentication Trust Model and Efficimentioning
confidence: 99%
“…We follow the methods of the security proofs given in [48,46] to prove the security of our compiler without random oracles. First of all, we provide a formal specification of the group PAKE protocol by specifying the initialization phase and the oracles to which the adversary has access, as shown in Fig.…”
Section: Proof Of Securitymentioning
confidence: 99%
“…Recently, Abdalla et al proposed an original mask-generation function computed as the product of the message with a constant value raised to the power of the password [4]; this new mask generation function alleviates the need of a full-domain hash function in the group. Security researchers also provided constructions secured in the standard model based on general computational assumptions, the Decisional Diffie-Hellman assumption (using a variant of the Cramer-Shoup encryption scheme), or even strong computational assumptions; however, these construction are not efficient enough for practical use [20,22]. Engineers are now given a suite of secure protocols to choose from depending on their security requirements (ideal-cipher model vs. ideal-hash model) and the constraints of their software (one-flow or two-flows of the Diffie-Hellman key exchange are encrypted).…”
Section: Related Workmentioning
confidence: 99%
“…Specific instances of the Bellovin-Merritt protocols with security based on the random oracle model were provided in [3,4,7,10,18] starting in 2000. Finally, another protocol without random oracles were proposed in 2001 by Katz, Ostrovsky, and Yung [16]. All those protocols are however at least as expensive as the Diffie-Hellman protocol.…”
Section: Setting Up Secure Communicationsmentioning
confidence: 99%