Paper 2017/854

Zero-Knowledge Password Policy Check from Lattices

Khoa Nguyen, Benjamin Hong Meng Tan, and Huaxiong Wang

Abstract

Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S\&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.ISC 2017
Keywords
zero-knowledge password policy checkset membership prooflattice-based cryptographyzero-knowledge protocols
Contact author(s)
tanh0199 @ e ntu edu sg
History
2017-09-09: received
Short URL
https://ia.cr/2017/854
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/854,
      author = {Khoa Nguyen and Benjamin Hong Meng Tan and Huaxiong Wang},
      title = {Zero-Knowledge Password Policy Check from Lattices},
      howpublished = {Cryptology ePrint Archive, Paper 2017/854},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/854}},
      url = {https://eprint.iacr.org/2017/854}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.