Paper 2023/1415

Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes

Jonathan Bootle, IBM Research Europe – Zurich
Sebastian Faller, IBM Research Europe – Zurich, ETH Zurich
Julia Hesse, IBM Research Europe – Zurich
Kristina Hostáková, ETH Zurich
Johannes Ottenhues, University of St. Gallen
Abstract

Fuzzy Password-Authenticated Key Exchange (fuzzy PAKE) allows cryptographic keys to be generated from authentication data that is both fuzzy and of low entropy. The strong protection against offline attacks offered by fuzzy PAKE opens an interesting avenue towards secure biometric authentication, typo-tolerant password authentication, and automated IoT device pairing. Previous constructions of fuzzy PAKE are either based on Error Correcting Codes (ECC) or generic multi-party computation techniques such as Garbled Circuits. While ECC-based constructions are significantly more efficient, they rely on multiple special properties of error correcting codes such as maximum distance separability and smoothness. We contribute to the line of research on fuzzy PAKE in two ways. First, we identify a subtle but devastating gap in the security analysis of the currently most efficient fuzzy PAKE construction (Dupont et al., Eurocrypt 2018), allowing a man-in-the-middle attacker to test individual password characters. Second, we provide a new fuzzy PAKE scheme based on ECC and PAKE that provides a built-in protection against individual password character guesses and requires fewer, more standard properties of the underlying ECC. Additionally, our construction offers better error correction capabilities than previous ECC-based fuzzy PAKEs.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2023
Keywords
Attacks on Public-Key Constructions, Key Exchange Protocols, Password-Based Cryptography, UC Framework
Contact author(s)
JBT @ zurich ibm com
sebastian faller @ ibm com
JHS @ zurich ibm com
kristina hostakova @ inf ethz ch
johannes ottenhues @ posteo org
History
2023-11-15: revised
2023-09-19: received
Short URL
https://ia.cr/2023/1415
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1415,
      author = {Jonathan Bootle and Sebastian Faller and Julia Hesse and Kristina Hostáková and Johannes Ottenhues},
      title = {Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1415},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1415}},
      url = {https://eprint.iacr.org/2023/1415}
}