SweetPAKE: Key exchange with decoy passwords

Afonso Arriaga; Peter Y.A. Ryan; Marjan Skrobot

Paper 2024/307

SweetPAKE: Key exchange with decoy passwords

Afonso Arriaga

, University of Luxembourg

Peter Y.A. Ryan

, University of Luxembourg

Marjan Skrobot

, University of Luxembourg

Abstract

Decoy accounts are often used as an indicator of the compromise of sensitive data, such as password files. An attacker targeting only specific known-to-be-real accounts might, however, remain undetected. A more effective method proposed by Juels and Rivest at CCS'13 is to maintain additional fake passwords associated with each account. An attacker who gains access to the password file is unable to tell apart real passwords from fake passwords, and the attempted usage of a false password immediately sets off an alarm indicating a password file compromise. Password-Authenticated Key Exchange (PAKE) has long been recognised for its strong security guarantees when it comes to low-entropy password authentication and secure channel establishment, without having to rely on the setup of a PKI. In this paper, we introduce SweetPAKE, a new cryptographic primitive that offers the same security guarantees as PAKE for key exchange, while allowing clients with a single password to authenticate against servers with candidate passwords for that account and establish a secure channel. Additional security properties are identified and formalized to ensure that (a) high-entropy session keys are indistinguishable from random, even if later on the long-term secret password becomes corrupted (forward secrecy); (b) upon password file leakage, an adversary cannot tell apart real from fake passwords; and (c) a malicious client cannot trigger a false alarm. We capture these properties by extending well-established game-based definitions of PAKE. Furthermore, we propose a new UC formulation that comprehensively unifies both SweetPAKE (session key indistinguishability and sugarword indistinguishability) and a related notion known as Oblivious-PAKE. Finally, we propose efficient SweetPAKE and Oblivious-PAKE protocols constructed from Password-Authenticated Public-Key Encryption (PAPKE) that satisfy all the proposed notions.

Note: This is the full version of the paper to appear in the proceedings of AsiaCCS'24, with comprehensive proofs of all theorems presented.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Minor revision. AsiaCCS'24
Keywords: SweetPAKE Honeywords PAKE PAPKE Oblivious PAKE
Contact author(s): afonso arriaga @ gmail com
peter ryan @ uni lu
marjan skrobot @ uni lu
History: 2024-02-26: approved; 2024-02-23: received; See all versions
Short URL: https://ia.cr/2024/307
License: CC BY

BibTeX

@misc{cryptoeprint:2024/307,
      author = {Afonso Arriaga and Peter Y.A. Ryan and Marjan Skrobot},
      title = {{SweetPAKE}: Key exchange with decoy passwords},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/307},
      year = {2024},
      url = {https://eprint.iacr.org/2024/307}
}