We further strengthen the notion by introducing ``Strong iPAKE'' (siPAKE), similar to ``Strong aPAKE'' (saPAKE), which is additionally immune to pre-computation. To mount an (inevitable) offline dictionary attack, an adversary must first compromise a device and only then start an exhaustive search over the entire password dictionary. Rather than storing its password in the clear, each party derives a password file using its identity and a secret random salt (``salted hash''). Although the random salts are independently selected, any pair of parties is able to establish a cryptographically secure shared key from these files.
We formalize iPAKE and siPAKE notions in the Universally Composable (UC) framework. We propose a compiler from PAKE to iPAKE using Identity-Based Key-Agreement and prove its UC-security in the Random Oracle Model (ROM). We then present CRISP: a construction of siPAKE from any PAKE using bilinear groups with ``Hash2Curve''. We prove CRISP's UC-security in the Generic Group Model (GGM) and show that each offline password guess requires at least one pairing operation.
Category / Keywords: cryptographic protocols / Password authentication, Identity based key exchange, PAKE Date: received 6 May 2020, last revised 12 Jul 2020 Contact author: eyal ronen at cs tau ac il Available format(s): PDF | BibTeX Citation Version: 20200712:185515 (All versions of this report) Short URL: ia.cr/2020/529