Cryptology ePrint Archive: Report 2020/1443

DPaSE: Distributed Password-Authenticated Symmetric Encryption

Poulami Das and Julia Hesse and Anja Lehmann

Abstract: Cloud storage is becoming increasingly popular among end users who outsource their personal data to services such as Dropbox or Google Drive. For security, uploaded data should ideally be encrypted under a key that is controlled and only known by the user. Current solutions that support user-centric encryption either require the user to manage strong cryptographic keys, or derive keys from weak passwords. While the former has massive usability issues and requires secure storage by the user, the latter approach is more convenient but offers only little security. The recent concept of password-authenticated secret-sharing (PASS) enables users to securely derive strong keys from weak passwords by leveraging a distributed server setup, and has been considered a promising step towards secure and usable encryption. However, using PASS for encryption is not as suitable as originally thought: it only considers the (re)construction of a single, static key, whereas practical encryption will require the management of many, object-specific keys. Using a dedicated PASS instance for every key makes the solution vulnerable to online attacks, inherently leaks access patterns to the servers and poses the risk of permanent data loss when an incorrect password is used at encryption. We therefore propose a new protocol that directly targets the problem of bootstrapping encryption from a single password: distributed password-authenticated symmetric key encryption, DPASE.

DPASE offers strong security and usability, such as protecting the user's password against online and offline attacks, and ensuring message privacy and ciphertext integrity as long as at least one server is honest. We formally define the desired security properties in the UC framework and propose a provably secure instantiation. The core of our protocol is a new type of OPRF that allows a previous partially blind query to be extended with a follow-up request; it is used to blindly carry over passwords across evaluations and avoid online attacks. Our (proof-of-concept) implementation of DPASE uses 10 exponentiations at the user, 4 exponentiations and 2 pairings at each server, takes 105.58 ms to run with 2 servers and has a server throughput of 40 encryptions per second.

Category / Keywords: cryptographic protocols / password-based authentication, distributed protocol, symmetric encryption, Oblivious PRF

Date: received 16 Nov 2020, last revised 20 Nov 2020

Contact author: poulami das at tu-darmstadt de,jhs@zurich ibm com,anja lehmann@hpi de

Version: 20201120:120852