Smooth Projective Hash Function From Codes and its Applications
Nowadays, Smooth Projective Hash Functions (SPHFs) play an important role in constructing cryptographic tools such as Password-based Authenticated Key Exchange (PAKE) protocols secure in the standard model, oblivious transfer, and zero-knowledge proofs. In this article, we focus on constructing PAKE protocols, that is, key exchange protocols which need only a low-entropy password to produce a cryptographically strong shared session key. Despite the relatively good progress of SPHFs in applications, there has been little effort to build them upon quantum-resistant assumptions such as lattice-based and code-based cryptography, so as to make them secure against quantum computer attacks. More precisely, there are two proposals based on lattice assumptions that use SPHFs to construct PAKE protocols secure in the standard model. Working with quantum-resistant assumptions is less than straightforward and needs some relaxations. In this article, we introduce two new Approximate SPHFs (ASPHFs) from error-correcting codes. Using these ASPHFs, we construct two efficient PAKE protocols. The security of our protocols is proved in the standard model based on the hardness of the bounded decoding (BD) problem and the learning parity with noise (LPN) problem.
- Research Article
37
- 10.1109/tsc.2019.2939836
- Jan 1, 2022
- IEEE Transactions on Services Computing
Password-based authenticated key exchange (PAKE) protocol, a widely used authentication mechanism to realize secure communication, allows protocol participants to establish a high-entropy session key by pre-sharing a low-entropy password. An open challenge in PAKE is how to design a quantum-resistant round-optimal PAKE. To solve this challenge, lattice-based cryptography is a promising candidate for post-quantum cryptography. In addition, Katz and Vaikuntanathan (ASIACRYPT'09) designed the first three-round PAKE protocol by leveraging the smooth projective hash function (SPHF) over lattices. Subsequently, Zhang and Yu (ASIACRYPT'17) optimized Katz-Vaikuntanathan's approximate SPHF via a splittable public key encryption. They then constructed a two-round PAKE by using simulation-sound non-interactive zero-knowledge (NIZK) proofs, but how to construct a lattice-based simulation-sound NIZK remains an open research question. In other words, how to design a one-round PAKE via an efficient lattice-based SPHF still remains a challenge. In this work, we attempt to fill this gap by proposing a lattice-based SPHF with adaptive smoothness. We then obtain a one-round PAKE protocol over lattices with rigorous security analysis by integrating the proposed SPHF into the one-round framework proposed by Katz and Vaikuntanathan (TCC'11). Furthermore, we explore the possibilities of achieving two-round PAKE and universally composable (UC) security from our SPHF, and show the potential application of our PAKE in the Internet of Things (IoT), where communication cost is the main consideration.
- Book Chapter
4
- 10.1007/978-3-319-65482-9_19
- Jan 1, 2017
Password-based authenticated key exchange (PAKE) protocols are among the most practical cryptographic primitives: no additional device is required, just a short human-memorable password. There are many works on PAKE protocols. All these protocols were proven secure in the traditional model, but could be completely insecure in the presence of side-channel attacks. In many practical applications such as the Internet of Things, PAKE systems are very vulnerable to side-channel attacks, where a very small leakage may completely expose the whole password. Therefore, it is very important to model and design leakage-resilient (LR) PAKE protocols. However, there is no prior work on modelling and constructing LR PAKE protocols. In this paper, we first formalize the LR eCK security model for PAKE, and then propose a continuous after-the-fact LR eCK-secure PAKE protocol based on a key derivation function, leakage-resilient storage (LRS) and leakage-resilient refreshing of LRS, and give a formal security proof in the standard model.
- Book Chapter
5
- 10.1007/978-3-030-45374-9_14
- Jan 1, 2020
Password-based authenticated key exchange (PAKE) allows two parties with a shared password to agree on a session key. In the last decade, the design of PAKE protocols from lattice assumptions has attracted a lot of attention. However, existing solutions in the standard model do not have appealing efficiency. In this work, we first introduce a new PAKE framework. We then provide two realizations in the standard model, under the Learning With Errors (LWE) and Ring-LWE assumptions, respectively. Our protocols are much more efficient than previous proposals, thanks to three novel technical ingredients that may be of independent interest. The first ingredient consists of two approximate smooth projective hash (ASPH) functions from LWE, as well as two ASPHs from Ring-LWE. The latter are the first ring-based constructions in the literature, one of which has only a quasi-linear runtime while its function value contains \(\varTheta (n)\) field elements (where n is the degree of the polynomial defining the ring). The second ingredient is a new key reconciliation scheme that is approximately rate-optimal and that leads to a very efficient key derivation for PAKE protocols. The third one is a new authentication code that allows a MAC to be verified with a noisy key.
- Research Article
12
- 10.1109/access.2017.2776160
- Jan 1, 2017
- IEEE Access
The password-based authenticated key exchange (PAKE) protocol is one of the most practical cryptographic primitives for trusted computing; it is used to securely authenticate devices' identities and generate shared session keys among devices in insecure environments by using a short, human-memorable password. With the fast development of the Internet of Things (IoT), new challenges regarding PAKE have emerged. Traditional PAKE protocols are completely insecure in IoT environments, since there are many kinds of side-channel attacks. Therefore, it is very important to model and design leakage-resilient (LR) PAKE protocols. However, there has been no prior work on modeling and constructing LR PAKE protocols. In this paper, we first formalize an LR eCK security model for PAKE based on the eCK-secure PAKE model and the only-computation-leaks model. Then, we propose the first LR PAKE protocol by appropriately using Diffie-Hellman key exchange, LR storage (LRS) and LR refreshing of LRS, and formally present a security proof in the standard model.
- Book Chapter
1
- 10.1007/978-981-15-0818-9_7
- Jan 1, 2019
Password-based authenticated key exchange (PAKE) protocols allow two users who share only a short, low-entropy password to establish a consistent, cryptographically strong session key. In 2009, Katz and Vaikuntanathan gave the first lattice-based PAKE from an approximate smooth projective hash function (ASPHF), a variant of the smooth projective hash function (SPHF). In 2017, Zhang and Yu introduced a two-round PAKE based on splittable PKEs. An error-correcting code (ECC) was used in these protocols to deal with the errors intrinsic to the learning with errors (LWE) assumption, and the protocols are asymmetric, as the session key is decided by just one user. In this paper, an error-correcting technique called the reconciliation mechanism, first introduced to construct a key exchange protocol from lattices, is adopted to construct more efficient lattice-based PAKEs with reduced computation and communication complexity. Moreover, the new PAKEs are symmetric.
- Research Article
1
- 10.1007/s12204-011-1174-8
- Jul 26, 2011
- Journal of Shanghai Jiaotong University (Science)
Password-based authenticated key exchange (PAKE) protocols are cryptographic primitives which enable two entities, who share only a memorable password, to identify each other and to communicate over a public, unreliable network using a secure session key. In this paper, we propose a simple, efficient and provably secure PAKE protocol based on Diffie-Hellman key exchange and a cryptographic hash function. Our protocol is secure against dictionary attacks. Its security is proved in the random oracle model based on the hardness of the computational Diffie-Hellman problem.
- Book Chapter
8
- 10.1007/978-3-319-75160-3_8
- Jan 1, 2018
The Secure Remote Password (SRP) protocol is an augmented Password-based Authenticated Key Exchange (PAKE) protocol based on the discrete logarithm problem (DLP) with various attractive security features. Compared with basic PAKE protocols, SRP does not require the server to store the user's password, and the user does not send the password to the server to authenticate. These features are desirable for secure client-server applications. SRP has gained extensive real-world deployment, including Apple iCloud and 1Password. However, with the advent of quantum computers and Shor's algorithm, classic DLP-based public key cryptography algorithms are no longer secure, including SRP. Motivated by the importance of SRP and the threat from quantum attacks, we propose an RLWE-based SRP protocol (RLWE-SRP) which inherits the advantages of SRP and the elegant design of RLWE key exchange. We also present parameter choices and an efficient, portable C++ implementation of RLWE-SRP. Our implementation of 209-bit secure RLWE-SRP is more than 3x faster than the 112-bit secure original SRP protocol, 5.5x faster than 80-bit secure J-PAKE and 14x faster than two 184-bit secure RLWE-based PAKE protocols, while offering more desirable properties.
- Research Article
14
- 10.3837/tiis.2013.12.016
- Dec 29, 2013
- KSII Transactions on Internet and Information Systems
A three-party password-based authenticated key exchange (PAKE) protocol allows two clients registered with a trusted server to generate a common cryptographic key from their individual passwords shared only with the server. A key requirement for three-party PAKE protocols is to prevent an adversary from mounting a dictionary attack. This requirement must be met even when the adversary is a malicious (registered) client who can set up normal protocol sessions with other clients. This work revisits three existing three-party PAKE protocols, namely, Guo et al.’s (2008) protocol, Huang’s (2009) protocol, and Lee and Hwang’s (2010) protocol, and demonstrates that these protocols are not secure against offline and/or (undetectable) online dictionary attacks in the presence of a malicious client. The offline dictionary attack we present against Guo et al.’s protocol also applies to other similar protocols including Lee and Hwang’s protocol. We conclude with some suggestions on how to design a three-party PAKE protocol that is resistant against dictionary attacks.
- Research Article
91
- 10.1049/ip-ifs:20055073
- Jan 1, 2006
- IEE Proceedings - Information Security
- Book Chapter
- 10.1007/978-981-15-0818-9_17
- Jan 1, 2019
In cyber security, authenticated key exchange (AKE) can be used to achieve the privacy and authentication of data. As a relevant cryptographic protocol, password-based authenticated key exchange (PAKE) has been studied for its convenience. Recently, Katz and Vaikuntanathan proposed a round-optimal PAKE from smooth projective hash functions (SPHFs). However, the instantiation of smooth projective hash functions depends on the underlying NP-relation which is a CCA-secure encryption relation in their construction. In this paper, we apply a new cryptographic primitive named witness PRFs to construct PAKE. In our settings, the concrete construction of witness PRFs is independent of the underlying NP-relation. At this point, our construction is more general, and furthermore, we have a discussion on some possible NP-relations, which could be used to construct secure PAKE in our settings.
- Book Chapter
1
- 10.1007/978-3-642-16342-5_11
- Jan 1, 2010
In this paper, we propose a new password-based authenticated key exchange (PAKE) protocol and prove its security within the universal composability (UC) framework. The security proof of this protocol is based on standard number-theoretic assumptions, i.e., without the random oracle or ideal cipher assumption. Comparisons show that our protocol is more efficient than Canetti et al.'s protocol, which is the most efficient two-party PAKE protocol proven secure in the UC framework under standard number-theoretic assumptions. More specifically, our protocol saves 1 round of communication and 5 modular exponentiations when the underlying cryptosystem is instantiated with the Cramer-Shoup public key cryptosystem. Moreover, our protocol avoids the use of a one-time signature, which saves the bandwidth for transmitting the message and the computation for signing and verification.
- Conference Article
- 10.1109/iccee.2008.121
- Dec 1, 2008
The password-based authenticated key exchange (PAKE) protocol in the three-party setting allows two clients communicating over a public network to establish a common session key with the help of a server. The fundamental security goal of PAKE is security against dictionary attacks. Protocols for verifier-based PAKE are additionally required to be secure against server compromise. In this paper, we propose a new provably secure verifier-based three-party PAKE protocol to address the server compromise problem and the off-line dictionary attack problem. The security of the proposed scheme is proven in the random oracle model under the gap Diffie-Hellman intractability assumption. The proposed protocol is efficient in both computational cost and communication cost when compared with previous solutions.
- Research Article
6
- 10.3837/tiis.2008.06.003
- Dec 25, 2008
- KSII Transactions on Internet and Information Systems
Password-based authentication key exchange (PAKE) protocols in the literature typically assume a password that is shared between a client and a server. PAKE has been applied in various environments, especially in "client-server" applications of remotely accessed systems, such as e-banking. With the rapid developments in modern communication environments, such as ad-hoc networks and ubiquitous computing, it is customary to construct a secure peer-to-peer channel, which is quite a different paradigm from existing ones. In such a peer-to-peer channel, it would be much more common for users not to share a password with each other. In this paper, we consider password-based authentication key exchange in the three-party setting, where two users do not share a password between themselves but only with one server. The users establish a session key by using their different passwords with the help of the server. We propose an efficient password-based authentication key exchange protocol with different passwords that achieves forward secrecy in the standard model. The protocol requires parties only to memorize human-memorable passwords; all other information necessary to run the protocol is made public. The protocol is also lightweight, i.e., it requires only three rounds and four modular exponentiations per user. In fact, this amount of computation and the number of rounds are comparable to the most efficient password-based authentication key exchange protocol in the random-oracle model. Dispensing with random oracles in the protocol does not require the security of any expensive signature schemes or zero-knowledge proofs.
- Research Article
2
- 10.2478/amcs-2019-0059
- Dec 1, 2019
- International Journal of Applied Mathematics and Computer Science
Password-authenticated key exchange (PAKE) protocols allow users sharing a password to agree upon a high-entropy secret. Thus, they can be implemented without complex infrastructures that typically involve public keys and certificates. In this paper, a provably secure password-authenticated protocol for group key establishment in the common reference string (CRS) model is presented. While prior constructions of group PAKE can be found in the literature, most of them rely on idealized assumptions, which we do not make here. Furthermore, our protocol is quite efficient, as regardless of the number of involved participants it can be implemented with only three communication rounds. We use a (by now classical) trick of Burmester and Desmedt for deriving group key exchange protocols using a two-party construction as the main building block. In our case, the two-party PAKE used as a base is a one-round protocol by Katz and Vaikuntanathan, which in turn builds upon a special kind of smooth projective hash function (KV-SPHF). Smooth projective hash functions (SPHFs) were first introduced by Cramer and Shoup (2002) as a valuable cryptographic primitive for deriving provably secure encryption schemes. These functions and their variants have proved useful in many other scenarios. We use here as a main tool a very strong type of SPHF, introduced by Katz and Vaikuntanathan for building a one-round password-based two-party key exchange protocol. As evidenced by Ben Hamouda et al. (2013), KV-SPHFs can be instantiated on Cramer-Shoup ciphertexts, thus yielding very efficient (and pairing-free) constructions.
- Book Chapter
75
- 10.1007/978-3-642-03356-8_39
- Jan 1, 2009
The notion of smooth projective hash functions was proposed by Cramer and Shoup and can be seen as a special type of zero-knowledge proof system for a language. Though originally used as a means to build efficient chosen-ciphertext secure public-key encryption schemes, some variations of the Cramer-Shoup smooth projective hash functions have also found applications in several other contexts, such as password-based authenticated key exchange and oblivious transfer. In this paper, we first address the problem of building smooth projective hash functions for more complex languages. More precisely, we show how to build such functions for languages that can be described in terms of disjunctions and conjunctions of simpler languages for which smooth projective hash functions are known to exist. Next, we illustrate how the use of smooth projective hash functions with more complex languages can be efficiently combined with extractable commitment schemes and avoid the need for zero-knowledge proofs. Finally, we explain how to apply these results to provide more efficient solutions to two well-known cryptographic problems: a public-key certification which guarantees the user's knowledge of the private key without random oracles or zero-knowledge proofs, and adaptive security for password-based authenticated key exchange protocols in the universal composability framework with erasures.