New Techniques for SPHFs and Efficient One-Round PAKE Protocols

Benhamouda, Fabrice; Blazy, Olivier; Chevalier, Céline; Pointcheval, David; Vergnaud, Damien

doi:10.1007/978-3-642-40041-4_25

Cited by 88 publications

(52 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Smooth projective hash function (SPHF) is originally introduced by Cramer and Shoup [19] and extended for constructions of many cryptographic primitives [20,23,24,3,1,5,10,2,11,6]. We start with the original definition.…”

Section: Smooth Projective Hash Functionsmentioning

confidence: 99%

One-Round Strong Oblivious Signature-Based Envelope

Chen

Susilo

et al. 2016

Information Security and Privacy

View full text Add to dashboard Cite

Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacypreserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its noninteractive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, DDH and DBDH, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security Abstract. Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacy-preserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its noninteractive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, DDH and DBDH, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security.

show abstract

Section: Smooth Projective Hash Functionsmentioning

confidence: 99%

One-Round Strong Oblivious Signature-Based Envelope

Chen

Susilo

et al. 2016

Information Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Appendix 3.6). In the following we use a DDH-based KV-PAKE instantiation from [16] on a group G of prime order q, with generator g, using labelled Cramer-Shoup encryption [25]. Note that the DDH-based construction from [41, Section 4.1] is not usable in our compiler (cf.…”

Section: Fig 3: Oblivious Kv-pake (O-kv-pake) Using Cs Encryptionmentioning

confidence: 99%

“…The design of the KV-PAKE protocol originates from the KOY protocol [38] and is used in many PAKE construction, e.g., [5,16,32,33,36]. It is therefore safe to assume that some of these protocols, instantiated with an encryption scheme that yields ciphertexts with pseudorandom elements and SPHFs with pseudorandom projection keys, can be used with our compiler.…”

Section: Generalisations and Limitationsmentioning

confidence: 99%

“…In general, all PAKE models (see [45] for a recent overview) take into account unavoidable online dictionary attacks and aim to guarantee security against offline dictionary attacks. While many PAKE constructions require a constant number of communication rounds [8,32,33,39,40]; recent frameworks by Katz and Vaikuntanathan [40] and Benhamouda et al [16] offer optimal one-round PAKE.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Oblivious PAKE: Efficient Handling of Password Trials

Kiefer

Manulis

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this work we introduce the notion of Oblivious Password based Authenticated Key Exchange (O-PAKE) and a compiler to transform a large class of PAKE into O-PAKE protocols. O-PAKE allows a client that shares one password with a server to use a subset of passwords within one PAKE session. It succeeds if and only if one of those input passwords matches the one stored on the server side. The term oblivious is used to emphasise that no information about any password, input by the client, is made available to the server. O-PAKE protocols can be used to improve the overall efficiency of login attempts using PAKE protocols in scenarios where users are not sure (e.g. no longer remember) which of their passwords has been used at a particular web server. Using special processing techniques, our O-PAKE compiler reaches nearly constant run time on the server side, independent of the size of the client's password set; in contrast, a naive approach to run a new PAKE session for each login attempt would require linear run time for both parties. We prove security of the O-PAKE compiler under standard assumptions using the latest game-based PAKE model by Abdalla, Fouque and Pointcheval (PKC 2005), tailored to our needs. We identify the requirements that PAKE protocols must satisfy in order to suit the compiler and give two concrete O-PAKE instantiation.

show abstract

“…Blind registration can be coupled with a verifier-based password-based authenticated key exchange (VPAKE) protocol to achieve a complete system for privacy-preserving password-based registration, authentication and key exchange. Password-based authenticated key exchange (PAKE) [6,5,21,28,15,8] is a protocol that allows users to simultaneously authenticate themselves using passwords and perform key exchange. However, these protocols store passwords on the server and thus, users have to trust the security of the server's password storage and may be vulnerable to password leakages in the event of server compromise.…”

Section: Introductionmentioning

confidence: 99%

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

show abstract

New Techniques for SPHFs and Efficient One-Round PAKE Protocols

Cited by 88 publications

References 25 publications

One-Round Strong Oblivious Signature-Based Envelope

One-Round Strong Oblivious Signature-Based Envelope

Oblivious PAKE: Efficient Handling of Password Trials

Zero-Knowledge Password Policy Check from Lattices

Contact Info

Product

Resources

About