Quantum-Safe Round-Optimal Password Authentication for Mobile Devices

Abstract

Password authentication is the dominant form of access control for the Web and mobile devices, and its practicality and ubiquity is unlikely to be replaced by other authentication approaches in the foreseeable future. To guarantee the security of data communication and mitigate the problem of password-cracking, a <i>Password Authenticated Key Exchange</i> (<inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq1-3040776.gif"/></alternatives></inline-formula>) system can be deployed between two peer participants. The main drawback of traditional <inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq2-3040776.gif"/></alternatives></inline-formula> is that passwords are exposed in plaintext when the remote server is compromised. To overcome this limitation, it is recommended by industry standards (such as SRP family RFC 5054, RFC6628, RFC7914, OPAQUE, <i>etc</i>) to use <i>asymmetric</i>-<inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq3-3040776.gif"/></alternatives></inline-formula> protocols, which enable the server to store a hash of the user&#x0027;s password with a random salt, providing guarantees that the user&#x0027;s password is never transmitted in plain-text to the server when login. However, most of the existing <i>asymmetric</i>-<inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq4-3040776.gif"/></alternatives></inline-formula> protocols either are based on traditional hash functions under random oracles, or depend on non-quantum-secure hardness assumptions and become insecure in the quantum era. To bridge the gap between <i>asymmetric</i>-<inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq5-3040776.gif"/></alternatives></inline-formula> and quantum-security, in this article, we resort to <i>smooth projective hash functions</i> (<inline-formula><tex-math notation="LaTeX">$\mathsf {SPHF}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">SPHF</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq6-3040776.gif"/></alternatives></inline-formula>) and <i>commitment</i>-based <i>password-hashing schemes</i> (<inline-formula><tex-math notation="LaTeX">$\mathsf {PHS}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PHS</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq7-3040776.gif"/></alternatives></inline-formula>) over lattice-based cryptography, and construct an asymmetric <inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq8-3040776.gif"/></alternatives></inline-formula> protocol secure against quantum attacks. Our construction eliminates the costly non-interactive zero-knowledge (NIZK) method, bypasses assumptions of the random oracle model, and achieves quantum resistance. We also show that our asymmetric-<inline-formula><tex-math notation="LaTeX">$\mathsf {PAKE}$</tex-math><alternatives><mml:math><mml:mi mathvariant="sans-serif">PAKE</mml:mi></mml:math><inline-graphic xlink:href="wang-ieq9-3040776.gif"/></alternatives></inline-formula> protocol can achieve security and efficiency under the Bellare-Pointcheval-Rogaway (BPR) model. Finally, we develop a prototype implementation of our instantiation and use it to evaluate its performance in realistic settings.