TtPAKE: Typo tolerance password-authenticated key exchange

Abstract

Error tolerant password-authenticated key exchange (PAKE) allows a user to authenticate to a server using a password and agree on a session key with the server, provided that the password for authentication and the registered one are “close enough”. Recently, an ingenious error tolerant PAKE scheme (faPAKE) for generalized passwords (e.g., fingerprints) emerged. In this paper, inspired by the mechanism of faPAKE, we propose a typo tolerance password-authenticated key exchange scheme, dubbed ttPAKE, for ordinary passwords. In ttPAKE, we introduce double-layered secret sharing (DLSS) that splits a main secret into shares and further splits the shares into sub-shares. DLSS can be considered homomorphic to typo tolerance of a password and would be an effective approach to achieve typo tolerance of the password without direct operations on the password for security requirements. A table is built to associate DLSS with typo tolerance of the password. The password is converted into position information for DLSS to store the sub-shares in the table. The table is scrambled with random numbers, and hence the information of the password is concealed. Using DLSS, our scheme implicitly determines whether typos in a password for authentication is no more than a threshold, which accomplishes typo tolerance while protecting passwords. We demonstrate that ttPAKE is secure under the Universal Composability model with security proofs. The performance evaluation shows that ttPAKE is efficient in terms of computation, communication, and storage costs.