Paper 2023/1415
Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes
Abstract
Fuzzy Password-Authenticated Key Exchange (fuzzy PAKE) allows cryptographic keys to be generated from authentication data that is both fuzzy and of low entropy. The strong protection against offline attacks offered by fuzzy PAKE opens an interesting avenue towards secure biometric authentication, typo-tolerant password authentication, and automated IoT device pairing. Previous constructions of fuzzy PAKE are either based on Error Correcting Codes (ECC) or generic multi-party computation techniques such as Garbled Circuits. While ECC-based constructions are significantly more efficient, they rely on multiple special properties of error correcting codes such as maximum distance separability and smoothness. We contribute to the line of research on fuzzy PAKE in two ways. First, we identify a subtle but devastating gap in the security analysis of the currently most efficient fuzzy PAKE construction (Dupont et al., Eurocrypt 2018), allowing a man-in-the-middle attacker to test individual password characters. Second, we provide a new fuzzy PAKE scheme based on ECC and PAKE that provides a built-in protection against individual password character guesses and requires fewer, more standard properties of the underlying ECC. Additionally, our construction offers better error correction capabilities than previous ECC-based fuzzy PAKEs.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- A major revision of an IACR publication in ASIACRYPT 2023
- Keywords
- Attacks on Public-Key ConstructionsKey Exchange ProtocolsPassword-Based CryptographyUC Framework
- Contact author(s)
-
JBT @ zurich ibm com
sebastian faller @ ibm com
JHS @ zurich ibm com
kristina hostakova @ inf ethz ch
johannes ottenhues @ posteo org - History
- 2023-11-15: revised
- 2023-09-19: received
- See all versions
- Short URL
- https://ia.cr/2023/1415
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1415, author = {Jonathan Bootle and Sebastian Faller and Julia Hesse and Kristina Hostáková and Johannes Ottenhues}, title = {Generalized Fuzzy Password-Authenticated Key Exchange from Error Correcting Codes}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/1415}, year = {2023}, url = {https://eprint.iacr.org/2023/1415} }