Paper 2020/1571

Hardware Security without Secure Hardware: How to Decrypt with a Password and a Server

Olivier Blazy, Laura Brouilhet, Celine Chevalier, Patrick Towa, Ida Tucker, and Damien Vergnaud

Abstract

Hardware security tokens have now been used for several decades to store cryptographic keys. When deployed, the security of the corresponding schemes fundamentally relies on the tamper-resistance of the tokens, a very strong assumption in practice. Moreover, even secure tokens, which are expensive and cumbersome, can often be subverted. We introduce a new cryptographic primitive called Encryption schemes with Password-protected Assisted Decryption (EPAD schemes), in which a user's decryption key is shared between a user device (or token) on which no assumption is made, and an online server. The user shares a human-memorizable password with the server. To decrypt a ciphertext, the user launches, from a public computer, a distributed protocol with the device and the server, authenticating herself to the server with her password (unknown to the device), in such a way that her secret key is never reconstructed during the interaction. We propose a strong security model which guarantees that (1) for an efficient adversary to infer any information about a user's plaintexts, it must know her password and have corrupted her device (secrecy is guaranteed if only one of the two conditions is fulfilled), (2) the device and the server are unable to infer any information about the ciphertexts they help to decrypt (even though they could together reconstruct the secret key), and (3) the user is able to verify that device and server both performed the expected computations. These EPAD schemes are in the password-only model, meaning that the user is not required to remember a trusted public key, and her password remains safe even if she is led to interact with a wrong server and a malicious device. We then give a practical pairing-based EPAD scheme. Our construction is provably secure under standard computational assumptions, using non-interactive proof systems which can be efficiently instantiated in the standard security model, i.e., without relying on the random oracle heuristic.
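The following is an added toy illustration of the three properties the abstract lists, not the paper's construction: it uses plain ElGamal over a tiny multiplicative subgroup rather than the pairing-based scheme, and a Fiat-Shamir Chaum-Pedersen proof stands in for the standard-model proof systems the authors use. The decryption key is split additively between a device and a server and never reassembled (property 1, illustrated by the device alone failing to decrypt); the user blinds the ciphertext before asking for help, so the helpers see only a uniformly random group element and never see the second ciphertext component (property 2); and each helper returns a proof that it raised the blinded element to its own key share, which the user checks before combining (property 3). The password-authenticated channel to the server is not modelled. All function names, the group parameters and the sample message are hypothetical and constructed for this example.

```python
"""Toy assisted decryption with a split key (added example, not the paper's scheme)."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the order-Q subgroup.
# Far too small for real use; a deployment would use a 2048-bit MODP group or an
# elliptic-curve group.
P = 2039
Q = 1019
G = 4


def keygen():
    """User's long-term key pair; the private x is split at setup and then discarded."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def split_key(x):
    """Additive sharing x = x_dev + x_srv (mod Q), both shares non-zero.
    Each holder also publishes G^share so the user can verify its work later."""
    while True:
        x_dev = secrets.randbelow(Q)
        x_srv = (x - x_dev) % Q
        if x_dev and x_srv:
            return (x_dev, pow(G, x_dev, P)), (x_srv, pow(G, x_srv, P))


def encrypt(pk, m):
    """ElGamal encryption of a group element m under the user's public key."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def _challenge(*vals):
    # Fiat-Shamir challenge in [1, Q-1] (never zero, so a wrong share always fails).
    h = hashlib.sha256(",".join(str(v) for v in vals).encode()).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1


def helper_decrypt(share, pk_share, h):
    """Run by the device or the server on a blinded element h: return h^share
    plus a Chaum-Pedersen proof that log_G(pk_share) == log_h(d)."""
    d = pow(h, share, P)
    k = secrets.randbelow(Q)
    a1, a2 = pow(G, k, P), pow(h, k, P)
    c = _challenge(G, h, pk_share, d, a1, a2)
    z = (k + c * share) % Q
    return d, (a1, a2, z)


def verify_partial(pk_share, h, d, proof):
    """User-side check of a helper's partial decryption against its public share."""
    a1, a2, z = proof
    c = _challenge(G, h, pk_share, d, a1, a2)
    return (pow(G, z, P) == a1 * pow(pk_share, c, P) % P
            and pow(h, z, P) == a2 * pow(d, c, P) % P)


def make_helper(share, pk_share):
    """Models a device or server holding one key share."""
    return lambda h: helper_decrypt(share, pk_share, h)


def user_decrypt(ct, device, server, pk_dev, pk_srv):
    """User side. c1 is raised to a fresh random s before leaving the user's
    computer, so each helper sees a uniformly random element unlinkable to the
    ciphertext; c2 never leaves the user at all."""
    c1, c2 = ct
    s = secrets.randbelow(Q - 1) + 1
    h = pow(c1, s, P)
    d_dev, pr_dev = device(h)
    d_srv, pr_srv = server(h)
    if not (verify_partial(pk_dev, h, d_dev, pr_dev)
            and verify_partial(pk_srv, h, d_srv, pr_srv)):
        raise ValueError("a helper returned an incorrect partial decryption")
    # d_dev * d_srv = h^(x_dev + x_srv) = c1^(s*x); undo the blinding with s^-1 mod Q.
    blinded = d_dev * d_srv % P
    c1_x = pow(blinded, pow(s, -1, Q), P)
    return c2 * pow(c1_x, -1, P) % P


def demo(m=9):
    """Returns (decrypts correctly, device alone decrypts, cheating server caught)."""
    x, pk = keygen()
    (x_dev, pk_dev), (x_srv, pk_srv) = split_key(x)
    del x  # the full key exists nowhere after setup
    ct = encrypt(pk, m)
    device = make_helper(x_dev, pk_dev)
    server = make_helper(x_srv, pk_srv)
    ok = user_decrypt(ct, device, server, pk_dev, pk_srv) == m
    c1, c2 = ct
    alone = c2 * pow(pow(c1, x_dev, P), -1, P) % P == m
    cheat = make_helper((x_srv + 1) % Q, pk_srv)  # wrong share, same public image
    try:
        user_decrypt(ct, device, cheat, pk_dev, pk_srv)
        caught = False
    except ValueError:
        caught = True
    return ok, alone, caught
```

The blinding step is what gives the helpers nothing to learn: c1^s for a fresh random s is a uniform element of the subgroup independent of c1, and c2 is never sent. The Chaum-Pedersen check ties each helper's answer to the public image of its share that the user learned at setup, which is the toy analogue of the abstract's verifiability requirement; the paper achieves it without the random-oracle heuristic that Fiat-Shamir relies on here.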

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Public-Key Encryption, Passwords
Contact author(s)
olivier blazy @ unilim fr
celine chevalier @ ens fr
patrick towa @ gmail com
damien vergnaud @ lip6 fr
History
2020-12-17: received
Short URL
https://ia.cr/2020/1571
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1571,
      author = {Olivier Blazy and Laura Brouilhet and Celine Chevalier and Patrick Towa and Ida Tucker and Damien Vergnaud},
      title = {Hardware Security without Secure Hardware: How to Decrypt with a Password and a Server},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/1571},
      year = {2020},
      url = {https://eprint.iacr.org/2020/1571}
}