Abstract
In this paper, we present a general framework for password-based authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security. Second, our proof of security is significantly simpler and more modular. Third, we are able to derive analogs to the Katz et al. protocol under additional cryptographic assumptions. Specifically, in addition to the DDH assumption used by Katz et al., we obtain protocols under both the quadratic and N-residuosity assumptions. In order to achieve this, we construct new smooth projective hash functions.
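The abstract names smooth projective hashing as the tool that makes the Katz et al. protocol modular. The example below is an added illustration, not code from the paper or its authors: it implements the DDH-style smooth projective hash for the language of ElGamal encryptions of a password, and shows the property the framework relies on. A hash value H_k(c, pw) can be computed either from the hash key k, or from the projection key s together with the encryption randomness r as the witness; the two agree exactly when c encrypts pw, and for any other password the witness-side value is independent of H_k given s (smoothness). `session_keys` then shows how two parties who each hold an encryption of their own password derive a common key from two such hashes. The flow, the ElGamal stand-in for the CCA-secure encryption the framework requires, the 64-bit toy group, and the function names are all assumptions of this example; the real protocol's message flow, binding of messages and proof are in the paper, not on this page. Without non-malleable encryption and that binding, this toy is not a secure PAKE.

```python
"""Toy smooth projective hash (SPHF) for ElGamal-encrypted passwords and the
key derivation it enables.  Added illustration, not the paper's own code."""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin; with these bases it is deterministic for the 64-bit n used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int = 64):
    """Safe prime p = 2q + 1 and a generator of the order-q subgroup.  The size is
    an assumption of this toy: enough to rule out accidental collisions, far too
    small to be secure."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if _is_probable_prime(q) and _is_probable_prime(p):
            return p, q, 4  # 4 = 2^2 is a quadratic residue != 1, so it has order q


P, Q, G = generate_group()


def _encode_password(pw: str) -> int:
    """M(pw) = g^(H(pw) mod q): maps the password into the order-q subgroup."""
    e = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q
    return pow(G, e, P)


def setup_crs() -> int:
    """CRS = ElGamal public key h = g^x; x is discarded, so nobody can decrypt."""
    return pow(G, secrets.randbelow(Q - 1) + 1, P)


def encrypt(h: int, pw: str):
    """c = (g^r, h^r * M(pw)); returns the ciphertext and the witness r."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(h, r, P) * _encode_password(pw) % P), r


def hash_keygen(h: int):
    """Hash key k = (alpha, beta); projection key s = g^alpha * h^beta."""
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    return (alpha, beta), pow(G, alpha, P) * pow(h, beta, P) % P


def hash_with_key(k, c, pw: str) -> int:
    """H_k(c, pw) = u^alpha * (e / M(pw))^beta: needs k, not the randomness r."""
    (alpha, beta), (u, e) = k, c
    e_over_m = e * pow(_encode_password(pw), -1, P) % P
    return pow(u, alpha, P) * pow(e_over_m, beta, P) % P


def hash_with_witness(s: int, r: int) -> int:
    """Projected hash s^r: needs only the projection key and the witness r.
    Equals H_k(c, pw) exactly when c encrypts pw (projective property); for any
    other password it is independent of H_k(c, pw) given s (smoothness)."""
    return pow(s, r, P)


def session_keys(h: int, client_pw: str, server_pw: str):
    """One simplified exchange (assumed flow); returns (client_key, server_key)."""
    c1, r1 = encrypt(h, client_pw)       # client -> server: c1
    k2, s2 = hash_keygen(h)              # server -> client: s2 and c2
    c2, r2 = encrypt(h, server_pw)
    k1, s1 = hash_keygen(h)              # client -> server: s1
    # Each side multiplies the hash it evaluates with its own hash key by the
    # projected hash it evaluates with its own witness and the peer's projection key.
    client_key = hash_with_key(k1, c2, client_pw) * hash_with_witness(s2, r1) % P
    server_key = hash_with_key(k2, c1, server_pw) * hash_with_witness(s1, r2) % P
    return client_key, server_key
```

The two keys agree only when both passwords encode to the same group element; otherwise they differ by a factor (M(pw_server)/M(pw_client))^(beta1+beta2), which is uniform over the subgroup, so a wrong guess learns nothing beyond one password-equality test per session, which is the on-line guessing bound a PAKE is meant to enforce.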
References
- Bellare, M. and Rogaway, P. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communications Security, ACM, New York. 62--73.
- Bellare, M. and Rogaway, P. 1994. Entity authentication and key distribution. In CRYPTO '93, Springer-Verlag (LNCS 773), New York. 232--249.
- Bellare, M., Pointcheval, D., and Rogaway, P. 2000. Authenticated key exchange secure against dictionary attacks. In Eurocrypt 2000, Springer-Verlag (LNCS 1807), New York. 139--155.
- Bellovin, S. M. and Merritt, M. 1992. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Symposium on Research in Security and Privacy. IEEE Computer Society, New York. 72--84.
- Bellovin, S. M. and Merritt, M. 1993. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. In Proceedings of the 1st ACM Conference on Computer and Communications Security. 244--250.
- Boyko, V., MacKenzie, P., and Patel, S. 2000. Provably secure password-authenticated key exchange using Diffie--Hellman. In Eurocrypt 2000, Springer-Verlag (LNCS 1807), New York. 156--171.
- Canetti, R., Goldreich, O., and Halevi, S. 2004. The random oracle methodology, revisited. Journal of the ACM 51, 4, 557--594.
- Canetti, R. and Krawczyk, H. 2001. Analysis of key-exchange protocols and their use for building secure channels. In Eurocrypt 2001, Springer-Verlag (LNCS 2045), New York. 453--474.
- Camenisch, J. and Shoup, V. 2003. Practical verifiable encryption and decryption of discrete logarithms. In CRYPTO '03, Springer-Verlag (LNCS 2729), New York. 126--144.
- Cramer, R. and Shoup, V. 1998. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO '98, Springer-Verlag (LNCS 1462), New York. 13--25. (Full version in Cramer and Shoup 2003.)
- Cramer, R. and Shoup, V. 2002. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Eurocrypt 2002, Springer-Verlag (LNCS 2332), New York. 45--64. (Full version in Cramer and Shoup 2003.)
- Cramer, R. and Shoup, V. 2003. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33, 1, 167--226.
- Damgård, I. and Groth, J. 2003. Non-interactive and reusable non-malleable commitment schemes. In Proceedings of the 35th ACM Symposium on Theory of Computing (STOC '03). 426--437.
- Di Crescenzo, G., Ishai, Y., and Ostrovsky, R. 1998. Non-interactive and non-malleable commitment. In 30th STOC. 141--150.
- Di Crescenzo, G., Katz, J., Ostrovsky, R., and Smith, A. 2001. Efficient and non-interactive non-malleable commitment. In Eurocrypt 2001, Springer-Verlag (LNCS 2045), New York. 40--59.
- Diffie, W. and Hellman, M. E. 1976. New directions in cryptography. IEEE Transactions on Information Theory IT-22, 6, 644--654.
- Dolev, D., Dwork, C., and Naor, M. 2000. Non-malleable cryptography. SIAM Journal on Computing 30, 2, 391--437.
- Dwork, C. 1999. The non-malleability lectures. Course notes for CS 359, Stanford University, Spring. Available at: theory.stanford.edu/~gdurf/cs359-s99.
- Goldreich, O. 2001. Foundations of Cryptography: Basic Tools. Cambridge University Press, Cambridge.
- Goldreich, O. and Lindell, Y. 2001. Session key generation using human passwords only. In CRYPTO 2001, Springer-Verlag (LNCS 2139), New York. 408--432.
- Halevi, S. and Krawczyk, H. 1999. Public-key cryptography and password protocols. ACM Transactions on Information and System Security (TISSEC) 2, 3, 230--268.
- Jablon, D. P. 1996. Strong password-only authenticated key exchange. ACM SIGCOMM Computer Communication Review 26, 5, 5--26.
- Katz, J. 2002. Efficient Cryptographic Protocols Preventing "Man-in-the-Middle" Attacks. Ph.D. Thesis, Columbia University, New York.
- Katz, J., Ostrovsky, R., and Yung, M. 2001. Practical password-authenticated key exchange provably secure under standard assumptions. In Eurocrypt 2001, Springer-Verlag (LNCS 2045), New York. 475--494.
- Lucks, S. 1997. Open key exchange: How to defeat dictionary attacks without encrypting public keys. In Proceedings of the Workshop on Security Protocols (Ecole Normale Supérieure), Springer-Verlag (LNCS 1361), New York. 79--90.
- MacKenzie, P. and Yang, K. 2004. On simulation-sound trapdoor commitments. In Eurocrypt 2004, Springer-Verlag (LNCS 3027), New York. 382--400.
- Naor, M. and Yung, M. 1989. Universal one-way hash functions and their cryptographic applications. In 21st STOC. 33--43.
- Paillier, P. 1999. Public-key cryptosystems based on composite degree residuosity classes. In Eurocrypt '99, Springer-Verlag (LNCS 1592), New York. 223--238.
- Patel, S. 1997. Number theoretic attacks on secure password schemes. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. 236--247.
- Steiner, M., Tsudik, G., and Waidner, M. 1995. Refinement and extension of encrypted key exchange. ACM SIGOPS Operating Systems Review 29, 3, 22--30.
- Wu, T. 1998. The secure remote password protocol. In Proceedings of the 1998 Internet Society Symposium on Network and Distributed System Security (NDSS). 97--111.