Paper 2019/647
Strong Asymmetric PAKE based on Trapdoor CKEM
Tatiana Bradley, Stanislaw Jarecki, and Jiayu Xu
Abstract
Password-Authenticated Key Exchange (PAKE) protocols allow two parties that share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) [21] adapts this notion to the common client-server setting, where the server stores a one-way hash of the password instead of the password itself, and server compromise allows the adversary to recover the password only via the (inevitable) offline dictionary attack. Most aPAKE protocols, however, allow an attacker to pre-compute a dictionary of hashed passwords, thus instantly learning the password on server compromise. Recently, Jarecki, Krawczyk, and Xu formalized a Universally Composable strong aPAKE (saPAKE) [24], which requires the password hash to be salted so that the dictionary attack can only start after the server compromise leaks the salt and the salted hash. The UC saPAKE protocol shown in [24], called OPAQUE, uses 3 protocol flows, 3-4 exponentiations per party, and relies on the One-More Diffie-Hellman assumption in ROM. We propose an alternative UC saPAKE construction based on a novel use of the encryption+SPHF paradigm for UC PAKE design [27, 20]. Compared to OPAQUE, our protocol uses only 2 flows, has comparable costs, avoids hashing onto a group, and relies on different assumptions, namely Decisional Diffie-Hellman (DDH), Strong Diffie-Hellman (SDH), and an assumption that the Boneh-Boyen function is a Salted Tight One-Way Function (STOWF). We formalize a UC model for STOWF and analyze the Boneh-Boyen function as UC STOWF in the generic group model and ROM. Our saPAKE protocol employs a new form of Conditional Key Encapsulation Mechanism (CKEM), a generalization of SPHF, which we call an implicit-statement CKEM.

This strengthening of SPHF allows for a UC (sa)PAKE design where only the client commits to its password, and only the server performs an SPHF, compared to the standard UC PAKE design paradigm where the encrypt+SPHF subroutine is used symmetrically by both parties.
Metadata
- Publication info: Published by the IACR in CRYPTO 2019
- Contact author(s): tatianaebradley @ gmail com, jiayux @ uci edu, stanislawjarecki @ gmail com
- History: 2019-06-04: received
- Short URL: https://ia.cr/2019/647
- License: CC BY
BibTeX
@misc{cryptoeprint:2019/647,
  author = {Tatiana Bradley and Stanislaw Jarecki and Jiayu Xu},
  title = {Strong Asymmetric {PAKE} based on Trapdoor {CKEM}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2019/647},
  year = {2019},
  url = {https://eprint.iacr.org/2019/647}
}