Understanding Strong Asymmetric PAKE Protocols


Explore the intricacies of strong asymmetric PAKE (Password-Authenticated Key Exchange) protocols, including their security notions, possible attacks, and implementations. Learn about the challenges in constructing such protocols, the significance of universally composable security, and the limitations in a post-quantum setting.


Uploaded on Sep 22, 2024



Presentation Transcript


  1. An Efficient Strong Asymmetric PAKE Compiler Instantiable from Group Actions Ian McQuoid Jiayu Xu

  2. Password-Authenticated Key Exchange (PAKE)
     (figure: two parties, each holding pw)
     Password-only: no PKI
     Only online guessing attack possible (guess pw and impersonate one party)
     Unfit for client-server setting

  3. Strong asymmetric PAKE (saPAKE) [JKX18]
     3 possible attacks:
     1. Online guessing attack
     2. Offline dictionary attack after compromising server (get ?(pw), brute-force over dictionary to find pw)
        Only an asymmetric PAKE (aPAKE), not a strong one, if part of this attack can be done before server compromise
     3. Impersonating server after compromising server
     (figure: client holds pw, server holds ?(pw))

  4. Security notions for (sa)PAKE

     notion | game-based | Universally Composable
     PAKE   | [BPR00]    | [CHK+05]
     aPAKE  | [BP13]     | [GMR06]
     saPAKE |            | [JKX18]

     UC has become standard: supports arbitrary composition; models password reuse across different accounts

  5. Strong asymmetric PAKE (saPAKE)
     Difficult to construct: only 5 saPAKE protocols to this date, all UC-secure
     E: group exponentiation, H: hash into group, P: pairing operation

     protocol        | client            | server            | rounds | security | assumption  | model
     [BJX19]         | 13E               | 8E                | 2      | full     | 2-SDH, DDH  | ROM, offline GGM
     OPAQUE [JKX18]  | 5E, 1H            | 4E                | 3      | relaxed  | OMGDH       | ROM
     OPAQUE [JKX18]  | 2E, 1H + aPAKE    | 1E + aPAKE        | 3      | relaxed  | OMGDH       | ROM
     CRISP [CNP+22]  | 6E, 3P, 3H + PAKE | 3E, 3P, 1H + PAKE | 3      | full     | CDH         | ROM, bilinear GGM
     AuCPace [HL19]  | 6E, 2H            | 5E, 1H            | 3      | relaxed  | sSDH, OMGDH | ROM

     All 5 have significant issues

  6. OPAQUE, OPAQUE [JKX18], AuCPace [HL19]: only realize a contrived relaxed UC functionality; very strong assumption (one-more gap Diffie-Hellman)
     [BJX19]: inefficient; offline security analysis sketchy (adversary can test constant number of passwords per GGM operation)
     CRISP [CNP+22]: uses bilinear map, inefficient; uses GGM in a pairing group

  7. saPAKE under post-quantum assumptions
     Even PAKE under post-quantum assumptions poorly studied
     No such saPAKE ever proposed

  8. Our contributions
     2 new saPAKE constructions (PAKE-to-saPAKE compilers):
       one based on DH-type assumptions
       one based on group-action assumptions (post-quantum)
     Realizes full UC saPAKE functionality
     Based on mild assumptions (CDH; GACDH)
     Precise offline security analysis (adversary can test 2 passwords per GGM operation)
     Efficient
     Conceptually simple
     Online security relies on the Algebraic Group Model (AGM)

  9. E: group exponentiation, H: hash into group, P: pairing operation, A: group action

     protocol        | client            | server            | rounds | security | assumption  | model
     [BJX19]         | 13E               | 8E                | 2      | full     | 2-SDH, DDH  | ROM, offline GGM
     OPAQUE [JKX18]  | 5E, 1H            | 4E                | 3      | relaxed  | OMGDH       | ROM
     OPAQUE [JKX18]  | 2E, 1H + aPAKE    | 1E + aPAKE        | 3      | relaxed  | OMGDH       | ROM
     CRISP [CNP+22]  | 6E, 3P, 3H + PAKE | 3E, 3P, 1H + PAKE | 3      | full     | CDH         | ROM, bilinear GGM
     AuCPace [HL19]  | 6E, 2H            | 5E, 1H            | 3      | relaxed  | sSDH, OMGDH | ROM
     Our protocol 1  | 1E + PAKE         | 2E + PAKE         | 2      | full     | CDH         | ROM, offline GGM, online AGM
     Our protocol 2  | 1A + PAKE         | 2A + PAKE         | 2      | full     | GACDH       | ROM, offline GGAM, online AGAM

  10. Our protocol (DH-based): first attempt = ?(pw) pw ? ? ? ? ?? ? (? )? ? low-entropy to eavesdropper who sees ?

  11. = ?(pw) pw ? ? ? ? ?? ? (? )? PAKE ?? ??
     Adversary can pre-compute (?,??(?)) for all possible passwords ? after server compromise, recover ? fast
     This is an aPAKE but not an saPAKE

  12. = ? pw ? = ??(? ?) (?,? ) pw ? ? ? ?? ? (? )? PAKE ?? ??
     After server compromise, adversary can effectively impersonate server by running server's algorithm on (?? ,(? )? )
     Simulator cannot detect this if DDH is hard; have to work in AGM

  13. Offline security analysis
     Given (?,? ) where has low entropy (drawn from a random polynomial-size subset of ?), how long does it take to recover ?
     Discrete logarithm over sparse set: highly non-trivial, first studied in [Sch01]
     Can test 2 values per GGM operation
     [BJX19] uses a similar idea, but says can test ?(1) values per GGM operation
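The attack taxonomy of slide 3 and the precomputation attack of slide 11, as an added Python illustration that is not code from the slides or from the paper; the toy group, the hash, the dictionary and the reading of the strong variant as "per-user random base h with file (h, h^{H(pw)})" are assumptions of this example:

```python
import hashlib
import secrets

# Constructed toy group for illustration only: Z_p^* for the Mersenne prime
# p = 2^127 - 1 with base 3. Real deployments use a proper prime-order group.
P = 2**127 - 1
G = 3

# Constructed dictionary standing in for the "polynomial-size subset" of slide 13.
DICTIONARY = ["123456", "password", "hunter2", "letmein"]


def hash_to_exponent(pw: str) -> int:
    """H: map the password to a non-zero exponent (toy choice, not the paper's hash)."""
    digest = hashlib.sha256(pw.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def apake_file(pw: str) -> int:
    """aPAKE-style file (slide 11): the server stores g^{H(pw)} over a fixed public base."""
    return pow(G, hash_to_exponent(pw), P)


def precompute_table(dictionary) -> dict:
    """Attacker work done BEFORE any compromise: g^{H(pw')} -> pw' for every guess."""
    return {pow(G, hash_to_exponent(pw), P): pw for pw in dictionary}


def recover_from_table(table: dict, stored: int):
    """AFTER compromise: one table lookup recovers pw, so the scheme is only an aPAKE."""
    return table.get(stored)


def sapake_file(pw: str, s=None):
    """Assumed strong variant: a fresh random base h = g^s per user (s is discarded),
    and the server stores (h, h^{H(pw)}); nothing about h is known before compromise."""
    s = secrets.randbelow(P - 2) + 1 if s is None else s
    h = pow(G, s, P)
    return h, pow(h, hash_to_exponent(pw), P)


def offline_attack(stored, dictionary):
    """Discrete log over the sparse set {H(pw')}, possible only after compromise:
    one exponentiation in base h per guess. Returns (password or None, exponentiations used)."""
    h, y = stored
    for count, guess in enumerate(dictionary, start=1):
        if pow(h, hash_to_exponent(guess), P) == y:
            return guess, count
    return None, len(dictionary)
```

The precomputed table is useless against the second file format because its base h did not exist before the compromise, so every guess costs a post-compromise exponentiation, which is the property slide 3 calls strong.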

  14. Summary
     2 new saPAKE protocols
     DH-based: under CDH, in ROM + offline GGM + online AGM
     Group action-based: under GACDH, in ROM + offline GGAM + online AGAM
     Conceptually simple, more efficient than existing protocols

  15. An Efficient Strong Asymmetric PAKE Compiler Instantiable from Group Actions THANK YOU! Ian McQuoid, Jiayu Xu https://eprint.iacr.org/2023/1434
