Abstract. At Indocrypt 2005, Viet et al., [22] have proposed an anonymous password-authenticated key exchange (PAKE) protocol and its threshold construction both of which are designed for client's password-based authentication and anonymity against a passive server, who does not deviate the protocol. In this paper, we first point out that their threshold construction is completely insecure against off-line dictionary attacks. For the threshold t > 1, we propose a secure threshold anonymous PAKE (for short, TAP) protocol with the number of clients n upper-bounded, such that n ≤ 2 √ N − 1 − 1, where N is a dictionary size of passwords. We rigorously prove that the TAP protocol has semantic security of session keys in the random oracle model by showing the reduction to the computational Diffie-Hellman problem. In addition, the TAP protocol provides unconditional anonymity against a passive server. For the threshold t = 1, we propose an efficient anonymous PAKE protocol that significantly improves efficiency in terms of computation costs and communication bandwidth compared to the original (not threshold) anonymous PAKE protocol [22].Key words: password authentication, key exchange, PAKE, anonymity, provable security At Indocrypt 2008, Yang and Zhang [25] have shown two attacks on the TAP (threshold t ≥ 2) protocol, and then proposed the NAPAKE (i.e., t = 1) and D-NAPAKE (i.e., t ≥ 2) protocols. Here, we add some comments on their paper [25].
PrefaceAbout two attacks on the TAP (t ≥ 2) protocol. In [25], they showed two insider attacks on legitimate clients in the TAP (t ≥ 2) protocol. However, we proved AKE security and unilateral authentication of the TAP (t ≥ 2) protocol against an adversary A / ∈ {C 1 , · · · , C n , S} where C = {C 1 , · · · , C n } is a set of all clients and S is the server (see the security model in Section 4). Of course, we agree that considering insider attacks and finding a solution are one of the research directions in cryptography. In Appendix B, we give a simple countermeasure for the TAP (t ≥ 2) protocol against the two attacks (i.e., impersonation attack and off-line dictionary attack). In fact, we considered keyword search as an application of the TAP (t ≥ 2) protocol and, in such applications, the off-line dictionary attack of legitimate clients is not possible because each share doesn't need to be transmitted to other parties.The D-NAPAKE protocol is not threshold anonymous PAKE! In Appendix C, we show an attack on the D-NAPAKE (i.e., t ≥ 2) protocol of [25] where only one legitimate client can impersonate any subgroup of clients to the server. That actually means that the D-NAPAKE (t ≥ 2) protocol is NOT a threshold anonymous PAKE protocol unlike the author's claim. This is the full version of [20].
