We further strengthen the notion by introducing "Strong iPAKE" (siPAKE), which is additionally immune to pre-computation (analogous to the "Strong aPAKE" (saPAKE) strengthening of aPAKE). To mount an (inevitable) offline dictionary attack, an adversary must first compromise a device and only then start an exhaustive search over the entire password dictionary. Rather than storing its password in the clear, each party derives a password file using its identity and a secret random salt (a "salted hash"). The challenge is that, although the random salts are selected independently, any pair of parties must still be able to establish a cryptographically secure shared key from these files.
We formalize the iPAKE and siPAKE notions in the Universally Composable (UC) framework. We propose CHIP: a compiler from PAKE to iPAKE using IB-KA, and prove its UC-security in the Random Oracle Model (ROM). We then present CRISP: a construction of siPAKE from any PAKE using bilinear groups with "Hash2Curve". We prove CRISP's UC-security in the Generic Group Model (GGM) and show that each offline password guess requires at least one pairing operation.
Category / Keywords: cryptographic protocols / Password authentication, Identity based key exchange, PAKE
Date: received 6 May 2020, last revised 15 Oct 2020
Contact author: eyal ronen at cs tau ac il
Version: 20201015:163249
Short URL: ia.cr/2020/529