Cryptology ePrint Archive: Report 2020/060

Auditable Asymmetric Password Authenticated Public Key Establishment

Antonio Faonio and Maria Isabel Gonzalez Vasco and Claudio Soriente and Hien Thi Thu Truong

Abstract: Non-repudiation of messages generated by users is a desirable feature in a number of applications ranging from online banking to IoT scenarios. However, it requires certified public keys and usually results in poor usability as a user must carry around his certificate (e.g., in a smart-card) or must install it in all of his devices. A user-friendly alternative, adopted by several companies and national administrations, is to have a "cloud-based" PKI. In a nutshell, each user has a PKI certificate stored at a server in the cloud; users authenticate to the server (via passwords or one-time codes) and ask it to sign messages on their behalf. As such, there is no way for the server to prove to a third party that a signature on a given message was authorized by a user. As the server holds the user's certified key, it might as well have signed arbitrary messages in an attempt to impersonate that user. In other words, a user could deny having signed a message, by claiming that the signature was produced by the server without his consent. The same holds in case the secret key is derived deterministically from the user's password, for the server, by knowing the password, may still frame the user.

In this paper we provide a "password-only" solution to non-repudiation of user messages by introducing Auditable Asymmetric Password Authenticated Public Key Establishment (A2PAKE). This is a PAKE-like protocol that generates an asymmetric key-pair where the public key is output to every participant, but the secret key is private output to just one of the parties (e.g., the user). Further, the protocol can be audited, i.e., given the public key output by a protocol run with a user, the server can prove to a third party that the corresponding secret key is held by that specific user. Thus, if the user signs messages with that secret key, then signatures are non-repudiable. We provide a universally composable definition of A2PAKE and an instantiation based on a distributed oblivious pseudo-random function. We also develop a prototype implementation of our instantiation and use it to evaluate its performance in realistic settings.

Category / Keywords: public-key cryptography /

Date: received 20 Jan 2020, last revised 17 Feb 2020

Contact author: antonio faonio at imdea org, mariaisabel vasco@urjc es, claudio soriente@neclab eu, hien truong@neclab eu


Version: 20200217:131300

Short URL: ia.cr/2020/060

