Anonymous Password-authenticated Key Exchange Research Articles

Further Analysis and Improvements of a Lattice-Based Anonymous PAKE Scheme

To improve the security of mobile networks in the postquantum era, Dabra <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> recently proposed a lattice-based anonymous password-authenticated key exchange (LBA-PAKE) protocol for mobile devices. Especially, LBA-PAKE is claimed to support the key reuse. However, we find that LBA-PAKE is still vulnerable to the signal leakage attack when the master key is reused. We propose two strategies to reduce the needed number of queries in our attack. Compared to the method of Bindel <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> , our method reduces the required queries by more than 75%. Our experiments show that breaking LBA-PAKE needs less than 2 min. Through analysis of why LBA-PAKE fails in their security proof, we further propose an improved protocol without incurring extra computation costs. The formal security analysis shows that our improved scheme supports all features of LBA-PAKE while thwarting the signal leakage attack. Moreover, the implementation of our improved protocol demonstrates its efficiency in mobile networks.

A key for John Doe: modeling and designing Anonymous Password-Authenticated Key Exchange protocols

Anonymous Password-Authenticated Key Exchange ( $\sf{ APAKE}$ APAKE ) can be seen as the hybrid offspring of standard key exchange and anonymous password authentication protocols. $\sf{ APAKE}$ APAKE allows a client holding a low-entropy password to establish a session key with a server, provided that the client’s password is in the server’s set. Moreover, no information about the password input by the client or the set of valid passwords held by the server should leak to the other party–beyond whether the client’s password lies or not in the server’s password database. To the best of our knowledge, all $\sf{ APAKE}$ APAKE proposals to date either assume client storage or force the client to remember the index assigned to its password in the server’s database. Furthermore, earlier works either provide only informal definitions or fail in some sense to properly model the primitive. In this paper, we provide a formal security model for $\sf{ APAKE}$ APAKE , capturing security and anonymity provisions for both clients and servers. In addition, we present two $\sf{ APAKE}$ APAKE protocols that only require clients to remember a password and that attain our sought key secrecy and anonymity guarantees. Our first protocol leverages oblivious pseudo-random functions, while the second one builds upon a special type of identity-based encryption scheme.

Verifier-based anonymous password-authenticated key exchange protocol in the standard model.

Anonymous password-authenticated key exchange (APAKE) allows a client to authenticate herself and to establish a secure session key with a remote server via only a low-entropy password, while keeping her actual identity anonymous to the third party as well as to the server. Since that APAKE protocol enjoys both the convenience of password authentication and the advantage of privacy protection, researchers have paid much attention to them. However, most of the existing APAKE protocols are designed in the symmetric setting which does not take into consideration the threat of password file leakage. To mitigate the damage of server compromise, we propose a verifier-based anonymous password-authenticated key exchange protocol, in which the server holds a verifier corresponding to each client instead of the clear password. The construction of our protocol is built on standard cryptographic primitives such public key encryption, smooth projective hash functions and password hashing schemes. The resulting protocol is proved secure in the standard model, i.e., without resorting to random oracles. Comparisons with other similar schemes show that our protocol guarantees stronger security while enjoys considerable efficiency in terms of computational cost.

Efficient Anonymous Password-Authenticated Key Exchange Protocol to Read Isolated Smart Meters by Utilization of Extended Chebyshev Chaotic Maps

In smart grid, key exchange protocols play a vital role in providing secure channels to read consumption reports from the smart meters. Thus far, several key exchange schemes have been proposed for the networked smart meters. However, for the first time, quite recently, Sha et al . have presented an interesting two-phase authentication and key agreement scheme that exclusively aims at the isolated smart meters. In their scheme, they have properly addressed the computationally constrained smart meters by offering a lightweight key exchange protocol. Nevertheless, after meticulous observation, we found that their proposed scheme cannot resist the desynchronization attack and cannot provide the perfect forward secrecy. Moreover, there are some other weaknesses in their scheme. As a result, to tackle the existing security challenges, in this paper, by utilization of the extended Chebyshev chaotic maps, we propose an efficient anonymous password-authenticated key exchange protocol that not only is free from the limitations of Sha et al .'s scheme, but also provides the anonymity. The security analysis in the random oracle model and using the widely accepted ProVerif tool besides the computational and communication costs comparison demonstrate that the proposed scheme has reached a proper level of efficiency without sacrificing the desired security properties.

Threshold Anonymous Password-Authenticated Key Exchange Secure against Insider Attacks

An anonymous password-authenticated key exchange (PAKE) protocol is designed to provide both password-only authentication and client anonymity against a semi-honest server, who honestly follows the protocol. In INDOCRYPT2008, Yang and Zhang [26] proposed a new anonymous PAKE (NAPAKE) protocol and its threshold (D-NAPAKE) which they claimed to be secure against insider attacks. In this paper, we first show that the D-NAPAKE protocol [26]is completely insecure against insider attacks unlike their claim. Specifically, only one legitimate client can freely impersonate any subgroup of clients (the threshold t>1) to the server. After giving a security model that captures insider attacks, we propose a threshold anonymous PAKE (called, TAP++) protocol which provides security against insider attacks. Moreover, we prove that the TAP++ protocol has semantic security of session keys against active attacks as well as insider attacks under the computational Diffie-Hellman problem, and provides client anonymity against a semi-honest server, who honestly follows the protocol. Finally, several discussions are followed: 1) We also show another threshold anonymous PAKE protocol by applying our RATIONALE to the non-threshold anonymous PAKE (VEAP) protocol [23]; and 2) We give the efficiency comparison, security consideration and implementation issue of the TAP++ protocol.

Anonymous Password-Authenticated Key Exchange: New Construction and Its Extensions

An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity against a semi-honest server, who follows the protocol honestly. Very recently, Yang and Zhang [25] have proposed a new anonymous PAKE (NAPAKE) protocol that is claimed efficient compared to the previous constructions. In this paper, we propose a very-efficient anonymous PAKE (called, VEAP) protocol that provides the most efficiency among their kinds in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semi-honest server. If the pre-computation is allowed, both the user and the server are required to compute only one modular exponentiation, respectively. Surprisingly, this is the same computation cost of the well-known Diffie-Hellman protocol that does not provide authentication at all. In addition, we extend the VEAP protocol in two ways: the first is designed to reduce the communication costs of the VEAP protocol and the second shows that stripping off anonymity parts from the VEAP protocol results in a new PAKE protocol.

A Secure Construction for Threshold Anonymous Password-Authenticated Key Exchange

At Indocrypt 2005, Viet et al., [21] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2 √N-1-1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [21].