Paper 2019/647

Strong Asymmetric PAKE based on Trapdoor CKEM

Tatiana Bradley, Stanislaw Jarecki, and Jiayu Xu

Abstract

Password-Authenticated Key Exchange (PAKE) protocols allow two parties that share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) [21] adapts this notion to the common client-server setting, where the server stores a one-way hash of the password instead of the password itself, and server compromise allows the adversary to recover the password only via the (inevitable) offline dictionary attack. Most aPAKE protocols, however, allow an attacker to pre-compute a dictionary of hashed passwords, thus instantly learning the password on server compromise. Recently, Jarecki, Krawczyk, and Xu formalized a Universally Composable strong aPAKE (saPAKE) [24], which requires the password hash to be salted so that the dictionary attack can only start after the server compromise leaks the salt and the salted hash. The UC saPAKE protocol shown in [24], called OPAQUE, uses 3 protocol flows, 3-4 exponentiations per party, and relies on the One-More Diffie-Hellman assumption in ROM. We propose an alternative UC saPAKE construction based on a novel use of the encryption+SPHF paradigm for UC PAKE design [27, 20]. Compared to OPAQUE, our protocol uses only 2 flows, has comparable costs, avoids hashing onto a group, and relies on different assumptions, namely Decisional Diffie-Hellman (DDH), Strong Diffie-Hellman (SDH), and an assumption that the Boneh-Boyen function is a Salted Tight One-Way Function (STOWF). We formalize a UC model for STOWF and analyze the Boneh-Boyen function as UC STOWF in the generic group model and ROM. Our saPAKE protocol employs a new form of Conditional Key Encapsulation Mechanism (CKEM), a generalization of SPHF, which we call an implicit-statement CKEM. This strengthening of SPHF allows for a UC (sa)PAKE design where only the client commits to its password, and only the server performs an SPHF, compared to the standard UC PAKE design paradigm where the encrypt+SPHF subroutine is used symmetrically by both parties.

Metadata
Available format(s)
PDF
Publication info
Published by the IACR in CRYPTO 2019
Contact author(s)
tatianaebradley @ gmail com
jiayux @ uci edu
stanislawjarecki @ gmail com
History
2019-06-04: received
Short URL
https://ia.cr/2019/647
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/647,
      author = {Tatiana Bradley and Stanislaw Jarecki and Jiayu Xu},
      title = {Strong Asymmetric {PAKE} based on Trapdoor {CKEM}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/647},
      year = {2019},
      url = {https://eprint.iacr.org/2019/647}
}