Two-Round Password-Based Authenticated Key Exchange from Lattices

Yin, Anqi; Guo, Yuanbo; Song, Yuanming; Qu, Tongzhou; Fang, Chen

doi:https://doi.org/10.1155/2020/8893628

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Rethinking Authentication on Smart Mobile Devices 2020

View this Special Issue

Research Article | Open Access

Volume 2020 | Article ID 8893628 | https://doi.org/10.1155/2020/8893628

Two-Round Password-Based Authenticated Key Exchange from Lattices

Anqi Yin,¹Yuanbo Guo,¹Yuanming Song,²Tongzhou Qu,¹and Chen Fang¹

Academic Editor: Qi Jiang

Received07 Aug 2020

Revised07 Sept 2020

Accepted30 Sept 2020

Published14 Dec 2020

Abstract

Password-based authenticated key exchange (PAKE) allows participants sharing low-entropy passwords to agree on cryptographically strong session keys over insecure networks. In this paper, we present two PAKE protocols from lattices in the two-party and three-party settings, respectively, which can resist quantum attacks and achieve mutual authentication. The protocols in this paper achieve two rounds of communication by carefully utilizing the splittable properties of the underlying primitive, a CCA (Chosen-Ciphertext Attack)-secure public key encryption (PKE) scheme with associated nonadaptive approximate smooth projection hash (NA-ASPH) system. Compared with other related protocols, the proposed two-round PAKE protocols have relatively less communication and computation overhead. In particular, the two-round 3PAKE is more practical in large-scale communication systems.

1. Introduction

Password-based authentication key exchange (PAKE) is theoretically fascinating, since it allows participants sharing short, low-entropy passwords to agree on cryptographically strong session keys over insecure networks [1, 2]. PAKE protocols are very practical as passwords are probably the most common and widely used authentication method [3–6], and password-based authentication can avoid the dependence on public key infrastructure and secure hardware; thereby, it improves the convenience of the system.

However, the use of shared short, low-entropy passwords will expose PAKE to greater security threats. This is because it must be ensured that the protocol is immune to off-line dictionary attacks, in which the adversary can exhaust all possible passwords to determine the correct one [7, 8]. Another observation is that an adversary can always succeed by guessing the password as the password dictionary is relatively small (usually polynomial in the security parameter), referred to as an on-line attack. The aim of PAKE is thus to limit the adversary to such an attack only [9].

The first successful password-based authenticated key exchange agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992 [10]. Initial PAKE protocols are generally based on “hybrid” models [11, 12], in which the clients need to store the public key of the server besides sharing a password with the server. The requirement of securely storing long, high-entropy public key is not friendly in multiserver environment. This motivates the study towards password-only protocols [13–16] where clients need to remember only a short password. Most PAKE protocols above provide only informal security arguments. Thus, Bellare et al. [17] and Boyko et al. [18] gave formal models of security of the password-only setting and proved security in the ideal cipher model and random oracle model, respectively. And then, Goldreich and Lindell [19] presented a provably secure password-only key exchange under standard cryptographic assumptions. Their work shows the possibility for password-based authentication under very weak assumptions, but the protocol itself is far from practical.

Later, many provably secure PAKE protocols based on various hardness assumptions were proposed. The research is mainly divided into two directions. The former is PAKE in the random oracle/ideal cipher model, which aims to achieve the highest possible levels of performance [20–22]. The latter is dedicated to seeking more efficient PAKE in the standard model [5, 23–25].

The first efficient PAKE protocol under standard model was proposed by Katz et al. [7]. They utilized CCA2 (Adaptive Chosen-Ciphertext Attack)-secure encryption system and corresponding smooth projection hash (SPH) function for key exchange to construct their scheme. Then, Gennaro and Lindell [9] abstracted their work and presented a corresponding PAKE framework, referred to as KOY/GL framework without mutual authentication. Based on KOY/GL framework, Jiang and Gong [26] showed a three-round PAKE supporting mutual authentication. Groce and Katz [5] then generalized the protocol by Jiang and Gong and gave a new PAKE framework in the common reference string model (CRS), referred to as JG/GK framework. Subsequently, based on the above two framework, a series of PAKE protocols [27–29] with different security are proposed for different application scenarios.

Most above schemes are two-party PAKE (2PAKE), requiring every two participants to share a password, which is not adaptable to large communication systems. In contrast, three-party PAKE (3PAKE) enables each client to share a password with the server for authentication, thereby avoiding the limitation of 2PAKE. Abdalla et al. [30] gave a general structure of the 3PAKE protocol for the first time. Subsequently, cryptographers designed a series of 3PAKE protocols with different efficiency and security [31, 32].

The security of most protocols above relies on traditional difficult problems (such as large integer factorization and discrete logarithm problems), so they cannot resist quantum attacks. However, the public-key cryptosystem based on the lattice assumption can resist quantum attacks. In addition, the operation on the lattice is matrix-vector multiplication which can be practically implemented by parallel computing. Therefore, the public-key cryptosystem from lattices will be more secure and efficient.

In lattice-based cryptosystem, the research on PAKE is relatively insufficient. In 2009, Katz et al. [33] presented the first lattice-based 2PAKE protocol based on KOY/GL framework. They proposed their protocol by constructing the first lattice-based CCA-secure encryption system and its corresponding approximate smooth projected hash (ASPH) function. Ding et al. [34] then applied the encryption system and ASPH function from Katz et al. [33] to JG/GK framework, and a more efficient protocol is given in the standard model.

Ye et al. [35] proposed the first 3PAKE protocol based on the JG/GK framework from lattices, and they proved its security under the standard model. This is a three-round protocol that implements explicit mutual authentication between the client and the server. In 2017, Xu et al. [36] proposed a provably secure 3PAKE protocol based on the R-LWE (ring learning with error) problem according to the idea of DH, but this protocol suffers from low efficiency.

Zhang et al. [1] applied a splittable public key encryption system to the KOY/GL framework and proposed a lattice-based PAKE, requiring only two-round communication, so it is more efficient. However, Zhang’s 2PAKE cannot be directly applied to the 3PAKE protocol, because another function is needed to compute the client-side information.

In this paper, we present efficient new constructions of 2PAKE and 3PAKE based on the learning with error (LWE) problem based on ideas of [1, 34, 35]. We then prove the security of the proposed protocols in the random oracle model. Significant security (resistance to quantum attacks) and efficiency improvements would also be obtained when basing the protocol on lattice assumption. Compared with the general structure [30], the new protocols reduce the number of communications, thereby improving efficiency. Our protocols also achieve mutual authentication between participants, so they can resist unpredictable on-line attacks. And the proposed two-round 3PAKE is adaptable to large-scale communication systems.

2. Preliminaries

2.1. Notations

We denote the logarithm with base (resp., the natural logarithm) by (resp., ). Vectors are expressed in columns and bold lower-case letters (for example, x). A matrix is considered as a collection of column vectors and is represented by bold capital letter (such as X). We denote the concatenation of X and Y as . Let denote the random sampling of variable from the distribution . For any string , represents the Hamming distance between and . Table 1 summarizes the description of other symbols used in this paper.

2.2. Security Model

2.2.1. Participants

Participants include honest clients , malicious clients and trusted server . For simplicity, we assume that the server set contains only one element . For each distinct , assume that A and B share a long-term key called password . We simply assume that is independently and uniformly chosen at random from the password dictionary . But our proof of security extends to more general cases. In the following, we refer to honest clients directly as clients, and the malicious clients as adversaries.

Each participant can execute multiple protocols with different partners at the same time. We call the execution of a protocol an instance. Denote the instance of client A and the instance of server C by , and , respectively.

Each instance maintains a local state vector , where represents the session ID, recording all messages sent and received by in order; () represents the partner ID, the participant with which believes it is interacting; denotes the session key of ; and are Boolean variables, indicating whether the is accepted or terminated.

Before giving a formal definition of adversarial abilities, we first define partnering, correctness, and freshness as follows.

Partnering. If (1) and (2) and , instances and are partnered.

Correctness. We say that the protocol between partnered instances and is correct if they are both accepted and establish the same session key, that is, and .

Freshness. If none of the following cases happens, the instance is fresh: (1) adversary have sent a Reveal query to ; (2) and have become partners and adversary has sent a Reveal query to . The definition of Reveal query will be given below.

2.2.2. Adversarial Abilities

It is assumed that the protocol is executed over a generally insecure network. Adversary can eavesdrop, intercept, inject, and tamper with messages among different participants. can also obtain the session key of the accepted instances. The following oracle queries model the adversarial abilities, that is, the adversary’s interaction with various instances. (i)ExecuteQuery. The oracle models off-line attacks for passive adversaries. This oracle executes the protocol between the client instances and , and it updates the state vectors according to the specific protocol. And return the transcript of this execution to (ii)Send. This oracle sends the message M to the client instance to update the corresponding state vector appropriately. Finally, it returns the output message of to . This oracle models on-line attacks from active adversaries.(iii)Reveal. This oracle returns the session key of the accepted instance to , thereby modelling the leakage of the session key. This oracle corresponds to an on-line attack from active adversaries.(iv)Test. The oracle selects a random bit . And if , the real session key of is returned to . Otherwise, it returns a uniform string of appropriate length. Note that can only query this oracle once, and is only allowed to query a fresh instance. This oracle is used to define security and does not model any adversarial capability in the real world.

2.2.3. The Advantage of the Adversary

The security of the protocol is defined by a security experiment: the adversary is allowed to send a series of queries above, but the Test query can only be sent once; and the experiment ends with outputting bit , a guess of . Informally, succeeds if (1) , that is, ’s guess is correct, representing that the session key is insecure, (2) makes the instance accepted but there is no corresponding partner, indicating that the protocol cannot achieve mutual authentication. Formally, we use Success to indicate the success of . The advantage of the adversary in attacking the protocol is defined as .

2.2.4. Secure Protocol

Since the size of the password dictionary is usually small, a PPT (Probabilistic Polynomial Time) adversary can always succeed by exhausting in an on-line attack. Therefore, informally, if on-line attack is the best attack method for all PPT adversaries, the PAKE protocol is secure. Formally, we give the following definition of the secure protocol.

Definition 1. (secure protocol). A protocol is a secure PAKE with mutual authentication if for all password in dictionary and for any PPT adversary making at most on-line attacks, it holds that for some negligible function .

2.3. Splittable Labeled PKE System from Lattices

2.3.1. Splittable Labeled PKE

Let the splittable labeled CCA-secure PKE be . is a key generation algorithm outputting the public and secret key pair . Enc is an encryption algorithm that returns , , , and are two different subfunctions that constitute. is a decryption algorithm defined as . For any and , under the random selection of and , the probability that is negligible in .

The “splittable” attribute is also reflected in the security of the public-key cryptosystem. When proving the CCA security of the splittable cryptosystem, the challenge phase of the CCA game should be modified as follows: (1) the adversary first sends two plaintexts of equal length. (2) The challenger randomly chooses and . Then, computes and returns to . (3) Upon receiving , the adversary submits . (4) computes and returns to .

Definition 2. (CCA security of SPKE). is a secure CCA-secure public-key encryption scheme if for any PPT adversary, it holds that for some negligible function .

In this paper, we denote the splittable labeled CCA-secure PKE based on LWE problem [1] by , and we will use it to construct two-round PAKEs. The definitions of the cryptographic primitives (, , , , and ) on which is based can be found in [1]. is a trapdoor generation algorithm for generating public keys and corresponding trapdoors; is a common reference string generator, usually implemented by hardware; the / algorithm is similar to the signature/verification algorithm to ensure the integrity of ; Solve is a trapdoor solving algorithm corresponding to .

2.3.2. A Splittable Labeled PKE from Lattices [1]

Suppose and prime is polynomial with respect to the security parameter . Let , . are the parameters of the systems. The splittable labeled PKE from lattices is defined as follows:

: given security parameter , we have , , and . And return .

: given , , and plaintext , choose . Return the ciphertext , where and .

: given , , and the ciphertext , if , return . Otherwise, compute

Finally, return .

2.4. Nonadaptive Approximate Smooth Projective Hash (NA-ASPH) System

Based on the smooth projected Hash function [37], Katz et al. [33] proposed an Approximate Smooth Projective Hash (ASPH) function that can be used to construct a lattice-based PAKE protocol. In our application, we use a modified definition of ASPH [1] from Katz’s, referred to as nonadaptive approximate smooth projection hash (NA-ASPH) function.

Suppose that is a semantically secure PKE system from lattices. Assume that a valid ciphertext can be easily parsed as the output of the function pair . We use KeyGen to generate a key pair and we use to represent the valid ciphertext space corresponding to the public key . Define

Based on , we introduce the -NA-ASPH function defined by the sampling algorithm, which outputs given the public key pk of (where is the hash key space and , is the key projection function from to , and is the projection key space; the domain and value range of the -NA-ASPH are and , respectively), such that (1)There exist efficient algorithms for sampling a hash key , computing for all and computing for all (2)For all , and randomness , there are efficient algorithms for computing given and .

The -NA-ASPH has the following properties: (i)Correctness. For all and , it holds that for some negligible function .(ii)Smoothness. For any (even unbounded) function : , , , and , the distributions and are statistically indistinguishable in the security parameter

NA-ASPH has three modifications compared with ASPH in [33]: (1) the projection function depends only on the hash key ; (2) is determined by the hash key , the first part of the ciphertext and the plaintext ; (3) for all , the smoothness holds. The first modification here enables the protocol proposed to achieve two rounds of communication, and the latter two are prepared to prove the security of the proposed protocol.

3. A Two-Round 2PAKE Protocol

We now describe the proposed two-round 2PAKE, which is based on the protocol by Groce and Katz [9] and the splittable PKE scheme by Zhang and Yu [1].

3.1. Primitives

The primitives we use are the following: (1) a splittable labeled PKE scheme with an associated-NA-ASPH , where the scheme can be divided into function pair ; (2) error-correcting code and the corresponding decoding algorithm . can correct 2-fraction of errors. We assume that if is sampled uniformly from , is uniformly distributed in provided that .

3.2. Initialization

The proposed protocol requires the public key of the scheme, also known as the common reference string (CRS). We want to emphasize that during the execution of the entire protocol, no participant needs to know the private key corresponding to the public key.

3.3. Protocol Execution

A high-level depiction of the two-round 2PAKE protocol is given in Table 2. We assume that the execution of the protocol is between client A and server C. Client A and server C share a password . When client A wants to initialize an authentication with the server C, A chooses a random tape for encryption and a hash key for the NA-ASPH. Then, client A computes the projection key , sets . And A computes , where and . Finally, client A sends the message to server C.

After receiving from client A, server C checks whether is a valid ciphertext with respect to and . If not, C rejects and the protocol aborts. Otherwise, C chooses hash keys and , and it computes projection keys , , , , , and . Server C then sets

and computes . Finally, server C sends to client A the message and outputs .

Upon receiving from server C, client A checks whether is a valid ciphertext with respect to and. If not, client A rejects and the protocol aborts. Otherwise, client A computes , . Then it checks whether the Hamming distance between and is less than . If not, client A rejects and the protocol aborts. Otherwise, client A sets and outputs .

3.4. Correctness

After honestly executing the protocol, participants can obtain different session keys with negligible probability. First, according to the smoothness of NA-ASPH, we can conclude that both and have at most -fraction of nonzeros. Therefore, has at most -fraction of nonzeros. Then, we can obtain that as we assume that can correct -fraction of errors. Second, we verify the validity of by checking whether the Hamming distance between and is less than . If it is the case, it holds that . This completes the correctness argument.

3.5. Security

We now show that the above two-round 2PAKE is secure through the proof of the following theorem.

Theorem 1. If is a splittable CCA-secure PKE scheme associated with an -NA-ASPH and is an error-correcting code which can correct 2-fraction of errors, then the protocol in Table 2 is a secure PAKE protocol.

Proof. Suppose is a PPT attacker targeting this protocol. We estimate the advantage of adversary through a series of experiments , where represents the experiment in the real protocol. By analyzing the difference of adversary’s advantage between two adjacent experiments and defining the adversary’s advantage in the final experiment, we can finally get the adversary’s advantage in experiment , that is, the adversary’s advantage when attacking the real protocol. In experiment , the event indicates that adversary succeeds, and the adversary’s advantage is defined as .

Experiment . This experiment corresponds to the security experiment of the real protocol. Attackers can send all queries according to the regulations of the secure model, and the instance being queried will respond according to the actual protocol specifications.

Experiment . We change the simulation method of Execute query. The only difference from the experiment is that the calculation method of is changed to .

Lemma 1. If is an -NA-ASPH, and is an error-correcting code which can correct 2-fraction of errors, then.

Proof. Since the simulator knows and , it is easy to know that Lemma 1 holds according to the approximate correctness of NA-ASPH and the correctness of ECC.

Experiment . Compared with experiment , we modify the response to the Execute query as shown below. The ciphertext is replaced by the encryption of the illegal password , and calculated by the client A is forced to be equal to the calculated by the server and other calculations remain unchanged.

Lemma 2. If is a CCA-secure PKE scheme, then.

Proof. We use standard hybrid argument to analyze the impact of replacing with on the adversary’s advantage. We set the number of queries to and define a series of intermediate experiments. The first queries in the experiment are same as those in , the remaining queries are same as those in . The Send query conforms to the security model. It can be seen that experiments and are completely consistent with the experiments and , respectively. If the lemma is not true, that is, the difference of ’s advantage between experiments and is not negligible, there must be some such that the difference of ’s advantage between and cannot be ignored. Then, we can construct an attacker for the security of the encryption system so that it can successfully attack with nonnegligible probability.

We now construct an adversary who attacks the CCA-secure PKE scheme in the following way: given the public key , the adversary simulates the entire experiment for according to the experiment , including selecting random passwords for the participants and selecting the random bit b for in the Test query. When answering the Execute query, sends as its challenge plaintext pair to ’s own challenger. After receiving the challenge ciphertext , replaces with in the Execute query. Finally, checks whether guesses the random bit in the Test query. If succeeds, outputs 1; otherwise, outputs 0.

Let denote that obtains the challenge ciphertext of the real password and outputs 1 at the end of the experiment. Let indicate that obtains the challenge ciphertext of the invalid password and outputs 1 at the end of the experiment. For the η^th query, that is, gets the challenge ciphertext of the real password , the environment provided by for the protocol attacker is the same as experiment . Therefore, in experiment , the probability that outputs 1 is exactly the same as ’s success probability (), i.e., . Similarly, when gets the challenge ciphertext of the invalid password , the probability that outputs 1 is the probability that succeeds () in attacking the protocol in experiment , namely . Let be ’s advantage in attacking the encryption system , then

According to the CCA security of encryption system , the lemma holds. We emphasize that only the CPA security of is actually used here.

Experiment . We change the response to the Execute query: (1) change the calculation method of to . (2) Replace the ciphertext with the encryption of an illegal password .

Lemma 3. If is a splittable CCA-secure PKE scheme associated with and -NA-ASPH, and is an error-correcting code which can correct 2-fraction of errors, then.

Proof. This lemma is shown through a series of experiments similar to , , and . In addition, this experiment utilizes the modified CCA security experiment shown in Section 2.3 instead of the standard CCA security experiment.

Experiment . We continue to modify the response to the Execute query as follows. We set to a random string of the appropriate length and the calculated by client A to be equal to the calculated by server C.

Lemma 4. If is an -NA-ASPH, then .

Proof. This comes from the smoothness of NA-ASPH, because when responding to an Execute query in , the hash function is always applied to , so even if is given, the output is statistically close to uniform. In addition, in and the string used by the client is equal to the string computed by the server.

Note that the Execute query in will generate a random session key and random transcripts, which have nothing to do with the actual password of any participant. In the following experiment, we begin to modify the responses to the Send queries. Let represent the “start” message, which enables the client instance to initiate authentication with the server S. Note that when calculating the number of communication rounds, we ignore the “start” message like other related research. Let represent the first message of the protocol sent to the server instance . Let denote the second message of the protocol sent to the client instance . We also record the secret key , corresponding to the public key in the generated CRS.

Now, we make some explanations for msg1 and msg2. The output of oracle or the input of oracle are msg1. Similarly, msg2 may be the output of oracle or the output of oracle. If msg1/msg2 is output by a previous oracle, then we call msg1/msg2 oracle-generated.

Experiment . In experiment , we change the response to queries. If msg1 is oracle-generated, the experiment is the same as . Otherwise, we set . We check the validity of according to and . (i)If is invalid, the experiment just aborts as the real protocol(ii)Else, we can get by decrypting , because we have . If , we just declare that adversary succeeds, and the experiment is terminated. If , we set and computed by the server as random tapes of the appropriate length

Lemma 5. If is an -NA-ASPH, then .

Proof. In the actual protocol, server C simply refuses, and the protocol terminates when is invalid. Therefore, if msg1 is oracle-generated, or msg1 is not oracle-generated and is invalid, then experiment is consistent with experiment . Now, we only need to consider the case where msg1 is not oracle-generated and is valid. (i)If , adversary succeeds. Note that this only improves the adversary’s advantage(ii)If , and computed by the server are both set to random tapes. From the view of adversary , there is no difference between these changes. First, as , in the view of , both

and are statistically indistinguishable from random uniform distribution. This can be derived directly from the smoothness of NA-ASPH. Similarly, from the view of , is also statistically indistinguishable from random uniform distribution. Therefore, only introduces a negligible difference in experiment .

Finally, we obtain that .

Experiment . In experiment , let msg1 be the output from a previous query (note that such a query must exist). query is handled as follows: If msg2 is oracle-generated by a previous query, the experiment is similar to except for (1) computing as and (2) setting . Otherwise, we set . We check the validity of according to and . (i)If is invalid, the experiment just aborts as the real protocol(ii)Else, we can obtain similar to . If , we declare that succeeds and the experiment terminates. Otherwise, if is accepted, let to be a random tape of appropriate length

Lemma 6. If is an -NA-ASPH, and ECC: is an error-correcting code which can correct 2-fraction of errors, then .

Proof. We prove different situations separately. First, if both msg1 and msg2 are oracle-generated, the simulator will know the hash keys and . According to the smoothness of the NA-ASPH, the changes in computing and are just conceptual (in this case, it holds that in both and ). Second, if msg2 is not oracle-generated, the simulator sets and then uses and to check whether is valid. If not, and are the same as the real protocol. Otherwise, the simulator uses to decrypt and obtains . (i)If , adversary succeeds. Note that this just improves the adversary advantage(ii)If , according to section 2.4, does not belong to . Then, by the smoothness of NA-ASPH, and thus are both statistically close to uniform over . Furthermore, we have is statistically close to uniform over . Therefore, the modifications of bring a negligible statistical difference. Note that the output of may be . In this case, client A rejects

Experiment . Compared with experiment , we modify the response to a query. The only difference is that we use to compute .

Lemma 7. If is a CCA-secure PKE scheme, then .

Proof. We analyze the impact of replacing with on the adversary’s advantage similar to . But for the sake of simplicity, we consider that only executes a single query. The correctness still holds according to standard hybrid argument. If the lemma is not true, that is, the difference of ’s advantage between experiments and is not negligible, then an attacker can be constructed for the security experiment of the encryption system, which can successfully attack with nonnegligible probability.

We now construct an adversary who attacks the CCA-secure PKE scheme in the following way: given the public key, the adversary simulates the entire experiment for according to experiment , including selecting random passwords for the participants and selecting the random bit b for in the Test query. When answering the query, will send as its challenge plaintext pair to ’s own challenger. After receiving the challenge ciphertext , replaces with in the query. Finally, checks whether guesses the random bit in the Test query. If succeeds, outputs 1; otherwise, outputs 0.

Let denote that gets the challenge ciphertext of the real password and outputs 1 at the end of the experiment. Let represent that gets the challenge ciphertext of the invalid password and outputs 1 at the end of the experiment. If gets the challenge ciphertext of the real password , the environment provided by for the protocol adversary is the same as experiment . Therefore, the probability that outputs 1 is exactly the same as ’s success probability () in experiment , i.e., . Similarly, . Let be ’s advantage in attacking the encryption system , then

According to the CCA security of the encryption system , the lemma holds.

Experiment . Experiment is similar to except that if msg1 is oracle-generated: (1) computed by the server is set to be ; (2) a random string of appropriate length is set for .

Lemma 8. If is a splittable CCA-secure PKE scheme associated with an -NA-ASPH , and is an error-correcting code which can correct 2-fraction of errors, then .

Proof. First, if msg1 is oracle-generated, the simulator has hash keys and ; thus, it can compute .Secondly, since the ciphertext is the encryption of , and are statistically close to uniform. Similarly, () is also statistically close to uniform. Thus, we have that the modifications here introduce only a statistically negligible difference. Therefore, .

Experiment . For the final experiment, we again modify the response to the queries. If msg1 is oracle-generated, the ciphertext is now computed as the encryption of .

Lemma 9. If is a splittable CCA-secure PKE scheme, then .

Proof. We analyze the impact of replacing with on the adversary’s advantage. We consider that only executes a single query similar to . Now, we show that if any PPT adversary can distinguish these two experiments, then we can construct an attacker breaking the CCA security experiment (in Section 2.3) of the CCA encryption system with a nonnegligible probability.

We now construct an adversary interacting with in to attack the CCA-secure PKE scheme in the following way: given the public key, the adversary simulates the entire experiment, including selecting random passwords for the participants and selecting the random bit b for in the Test query. When answering the query, will send as its challenge plaintext pair to ’s own challenger. After receiving the challenge ciphertext , replaces with in the query. When needs to decrypt some valid ciphertext , it will send to its own challenger to obtain the corresponding . Finally, checks whether guesses the random bit correctly in the Test query. If succeeds, outputs 1; otherwise, outputs 0.

Let / denote that gets the challenge ciphertext of the password / and outputs 1. If gets the challenge ciphertext of , the environment provided by for the protocol adversary is the same as experiment /. Therefore, we have and . Let be ’s advantage in attacking the encryption system , then

According to the CCA security of encryption system , the lemma holds.

So far, we have completed the modification of Send query. We now analyze the adversary’s advantage in the final experiment . If adversary cannot guess the correct password, can only rely on guessing the random bit in the Test query to succeed. Note that all session keys are replaced with random tapes, so the probability of guessing is only 1/2. At the same time, as described in experiments and , the adversary can succeed by guessing the password, and the probability of each correct guess is at most , so the ultimate advantage of adversary is at most . Combining the conclusions of Lemma 1 to Lemma 9, we can see that , that is, the conclusion of Theorem 1 is established.

4. A Two-Round 3PAKE Protocol

In this section, we propose a two-round 3PAKE protocol based on the two-round 2PAKE protocol in Section 3. Client A and server C share the password , and client B and server C share the password . The primitives and the initialization process here are the same as the two-round 2PAKE protocol above. The clients and server implement the honest 3PAKE protocol on lattice, as shown in Table 3.

4.1. Protocol Execution

Clients A and B, respectively, choose random tapes and for encryption hash keys . Then, A/B computes the projection key and sets . A/B continues to compute . Finally, client A/B sends to server C a message .

After receiving and from clients A and B, the server C checks whether and are valid ciphertexts with respect to , and . If not, C refuses and the protocol is terminated. Otherwise, C chooses hash keys and . It computes , , , , , , , , , , , , , and . Then, C sets and and computes , . Finally, C sends to A/B the message and outputs .

Received from server C , client checks whether is a valid ciphertext with respect to and. If not, rejects and the protocol aborts. Otherwise, computes , . Client A/B then checks whether the Hamming distance between and / is less than . If not, Client A/B rejects and the protocol aborts. Otherwise, A/B sets and outputs .

4.2. Correctness

After the protocol is executed honestly, the probability of a mismatch between the session keys obtained by the two clients A and B is negligible. From the approximate correctness of the NA-ASPH, the probability that the Hamming distance between calculated by client A (B) and calculated by the clients is greater than can be neglected. Then, from the definition of error correction code ECC, client A (B) and server C can obtain the same (), so A and B can get the same session key,

4.3. Security

Since the protocol here is symmetrical with respect to the clients, the proof usually can only take one client as an example. The security proof of the protocol follows Section 3 closely. We outline the main ideas. First, based on the CCA security of the underlying primitive , the adversary cannot obtain any useful information about the real password through Execute query. In the Execute query, if the simulator replaces the valid password with an illegal one, guaranteed by the smoothness of NA-ASPH, the adversary cannot distinguish the corresponding two experiments computationally. Second, if the adversary simply replays the messages between participants, the proof is the same as the Execute query. Third, if the adversary modifies the output message of some instances (that is, it modifies (label, c)), the simulator can obtain the corresponding plaintext through the decryption oracle provided by CCA security. If holds, the corresponding attack is successful, which will increase the adversary’s advantage. Using the CCA security of , is uniformly sampled from the password dictionary , so . Assuming that the adversary can perform at most () on-line attacks, then the adversary’s advantage is at most . And if holds, then from the adversary’s view, the session key obtained is indistinguishable from the uniform distribution (according to the smoothness of NA-ASPH).

5. Protocol Performance Analysis

In this section, we will compare the performance of the two proposed protocols with other related protocols in terms of safety and efficiency. The comparison results are shown in Table 4, where Type represents the protocol type, M-Auth indicates whether the protocol can provide mutual authentication, Round denotes the number of communication rounds required by the protocol, Anti-Qu represents whether the protocol can resist quantum attacks, C-method indicates the operation method of the protocol, C-cost represents the communication cost of the protocol, V-mul denotes vector multiplication, Exp indicates exponentiation, and .

In terms of security, we mainly compare with other protocols in (1) whether it can resist quantum attacks; (2) whether it can achieve mutual authentication. In terms of efficiency, we mainly compare from the following three aspects: (1) the selection of cryptographic primitives, (2) the calculation method, and (3) the communication overhead. Note that the calculation method adopted is used to roughly measure the computational cost of the corresponding protocol. Moreover, the computational cost of modular exponential operations is much greater than linear operations on matrices and vectors.

Compared with the K-PAKE [33] and D-PAKE [34], the advantage of the 2PAKE is that mutual authentication and key exchange can be achieved within two rounds of transmission. And the size of the ciphertext of K-PAKE and D-PAKE are O () larger than 2PAKE. The size of the projection key of K-PAKE and D-PAKE is determined by the ciphertext and the hash key, larger than that of 2PAKE.

Compared with the typical three-party PAKE, A-3PAKE [30], the 3PAKE in this paper is lattice-based and can resist quantum attacks. The proposed 3PAKE can achieve mutual authentication within two rounds of transmission. In addition, A-3PAKE uses exponential operation, while the 3PAKE protocol uses vector multiplication, which has higher computational efficiency.

Compared with Y-3PAKE [35] and X-3PAKE [36] protocols, 3PAKE only requires 2 rounds of transmission. The communication cost of Y-3PAKE protocol mainly depends on the size of the ciphertext, the projection key, and the message authentication code. The size of the ciphertext is O () larger than 3PAKE. The size of the projection key of Y-3PAKE is determined by the ciphertext and the hash key, larger than that of 3PAKE. In addition, the Y-PAKE protocol needs to calculate and send a message authentication code for mutual authentication, while 3PAKE performs mutual authentication by verifying the validity of the ciphertext. The amount of messages that needs to be transmitted in X-PAKE is large, resulting in increased communication overhead. Therefore, the communication overhead of the Y-3PAKE and X-PAKE protocols is greater than 3PAKE in this paper.

Z-PAKE [1] is also a two-round protocol, but it is designed for two parties. Compared with the Z-PAKE protocol, 2PAKE adds a projection key to the communication overhead. However, if the three-party PAKE based on Z-PAKE is implemented in a traditional way, at least 4 rounds of communication, that is, 8 message transmissions, are required. But the 3PAKE in this paper only needs 2 rounds of communication, namely 4 message transmissions.

The protocols in this paper have advantages of efficiency and security over traditional protocols based on finite fields, since lattice operations (vector multiplication) are more efficient than exponentiation and lattice problems remain hard for quantum attacks and subexponential-time adversaries. Both protocols in this article can achieve mutual authentication; thus, they can resist imperceptible on-line dictionary attacks. Besides, they are both two-round protocols with less number of transmissions. And the underlying primitive is an improved lattice-based CCA-secure PKE, which can reduce encryption parameters and further reduce computational overhead. In particular, compared with other three-party protocols, the two-round 3PAKE protocol proposed has smaller communication and computation overhead, so it is adaptable to large-scale communication systems.

6. Conclusions

This paper proposes two password-based authenticated key exchange protocols based on the LWE problem from lattices, which can resist quantum attacks and have high efficiency. In the random oracle model, this paper gives a strict security proof of the proposed protocols. In addition, the proposed PAKE protocols can achieve mutual authentication in two rounds of transmission. And the 3PAKE protocol is practical for large-scale communication systems. Compared with the existing related protocols, the protocols in this paper have higher security and lower communication and computing overhead. In our protocols, the client’s password is stored on a single server, so the proposed protocols are not resistant to hacker attacks. In the future, we will study the multiserver PAKE protocol that can resist hacker attacks.

Data Availability

The extra data used to support the findings of this study are available from the corresponding author. Email: [email protected].

Conflicts of Interest

The authors declare no competing financial interest.

Acknowledgments

This work has been supported by the National Natural Science Foundation of China (Grant No. 61501515) and Foundation of Science and Technology on Information Assurance Laboratory (No. KJ-15-108).

References

J. Zhang and Y. Yu, “Two-Round PAKE from Approximate SPH and Instantiations from Lattices,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 37–67, Hong Kong, China, 2017.
View at: Google Scholar
D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in passwords,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
View at: Publisher Site | Google Scholar
J. Zhao and D. Gu, “Provably secure three-party password-based authenticated key exchange protocol,” Information Sciences, vol. 184, no. 1, pp. 310–323, 2012.
View at: Publisher Site | Google Scholar
M. S. Farash, S. H. Islam, and M. S. Obaidat, “A provably secure and efficient two-party password-based explicit authenticated key exchange protocol resistance to password guessing attacks,” Concurrency & Computation Practice & Experience, vol. 27, no. 17, pp. 4897–4913, 2017.
View at: Google Scholar
A. Groce and J. Katz, “A new framework for efficient password-based authenticated key exchange,” in Proceedings of the ACM Conference on Computer and Communications, pp. 516–525, Chicago, Illinois, 2010.
View at: Google Scholar
D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 9, pp. 4081–4092, 2018.
View at: Publisher Site | Google Scholar
J. Katz, R. Ostrovsky, and M. Yung, “Efficient and secure authenticated key exchange using weak passwords,” Journal of the Association for Computing Machinery, vol. 57, no. 1, pp. 79–117, 2010.
View at: Google Scholar
Z. Li and D. Wang, “Achieving one-round password-based authenticated key exchange over lattices,” IEEE Transactions on Services Computing, vol. 2019, no. 8, pp. 1–14, 2019.
View at: Google Scholar
R. Gennaro and Y. Lindell, “A framework for password-based authenticated key exchange1,” ACM Transactions on Information & System Security, vol. 9, no. 2, pp. 181–234, 2006.
View at: Publisher Site | Google Scholar
S. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” in 2012 IEEE Symposium on Security and Privacy, p. 72, Oakland, California, 1992.
View at: Google Scholar
T. Lomas, L. Gong, J. Saltzer, and R. Needhamn, “Reducing risks from poorly chosen keys,” in Proceedings of the twelfth ACM symposium on Operating systems principle (SOSP '89), pp. 14–18, New York, NY, 1989.
View at: Google Scholar
L. Gong, M. A. Lomas, R. M. Needham, and J. H. Saltzer, “Protecting poorly chosen secrets from guessing attacks,” IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, pp. 648–656, 1993.
View at: Publisher Site | Google Scholar
S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 244–250, New York, NY, 1989.
View at: Google Scholar
L. Gong, “Optimal authentication protocols resistant to password guessing attacks,” in Proceedings of the 8th IEEE Computer Security Foundations Workshop, pp. 24–29, Los Alamitos, California, 1995.
View at: Google Scholar
M. Steiner, G. Tsudik, and M. Waidner, “Refinement and extension of encrypted key exchange,” Acm Sigops Operating Systems Review, vol. 29, no. 3, pp. 22–30, 1995.
View at: Publisher Site | Google Scholar
W. Thomas, “The Secure Remote Password Protocol,” in Proceedings of the Network and Distributed System Security Symposium (NDSS’98), pp. 97–111, San Diego, California, 2000.
View at: Google Scholar
M. Bwllare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” in Proceedings of the Advances in Cryptology (Eurocrypt’00), pp. 139–155, Berlin, Germany, 2000.
View at: Google Scholar
V. Boyko, P. D. Mackenzie, and S. Patel, “Provably secure password-authenticated key exchange using Diffie-Hellman,” in Proceedings of Advances in Cryptology (Eurocrypt’00), pp. 156–171, Berlin, Germany, 2000.
View at: Google Scholar
O. A. Goldreich and Y. Lindell, “Session-Key generation using human passwords only,” Journal of Cryptology, vol. 19, no. 3, pp. 241–340, 2006.
View at: Publisher Site | Google Scholar
M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” in EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, pp. 139–155, Bruges, Belgium, 2000.
View at: Google Scholar
V. Boyko, P. Mac Kenzie, and S. Patel, “Provably secure password-authenticated key exchange using Diffie-Hellman,” in EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, pp. 156–171, Bruges, Belgium, 2000.
View at: Google Scholar
E. Bresson, O. Chevassut, and D. Pointcheval, “Security proofs for an efficient password-based key exchange,” in Proceedings of the 10th ACM conference on Computer and communications security, pp. 241–250, Washington DC, 2003.
View at: Google Scholar
M. Abdalla, F. Benhamouda, and D. Pointcheval, “Disjunctions for hash proof systems: new constructions and applications,” in EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 69–100, Sofia, Bulgaria, 2015.
View at: Google Scholar
F. Benhamouda, O. Blazy, C. Chevalier, D. Pointcheval, and D. Vergnaud, “New techniques for SPHFs and efficient one-round PAKE protocols,” in Advances in Cryptology–CRYPTO 2013, pp. 449–475, Santa Barbara, CA, 2013.
View at: Google Scholar
J. Katz and V. Vaikuntanathan, “Round-optimal password-based authenticated key exchange,” in 8th Theory of Cryptography Conference, pp. 293–310, Providence, RI, 2011.
View at: Google Scholar
S. Jiang and G. Gong, “Password Based Key Exchange with Mutual Authentication,” in Selected Areas in Cryptography (SAC 2004), pp. 267–279, Waterloo, Canada, 2004.
View at: Google Scholar
Y. Mao, Research on Password-Based Authenticated Key Exchange Protocols and Associated Encryption Algorithms from Lattices, PLA Information Engineering University, 2012.
J. Katz, P. MacKenzie, G. Taban, and V. Gligor, “Two-server password-only authenticated key exchange,” Journal of Computer & System ences, vol. 78, no. 2, pp. 651–669, 2005.
View at: Google Scholar
R. Mario and G. Raimondo, “Provably secure threshold password-authenticated key exchange,” Journal of Computer and System Sciences, vol. 72, no. 6, pp. 507–523, 2006.
View at: Google Scholar
M. Abdalla, P. A. Fouque, and D. Pointcheval, “Password-Based Authenticated Key Exchange in the Three-Party Setting,” in 8th International Workshop on Theory and Practice in Public Key Cryptography, pp. 65–84, Les Diablerets, Switzerland, 2005.
View at: Google Scholar
W. Minghui and W. Jiandong, “Three-party authentication key exchange protocol based on password,” Computer Engineering, vol. 38, no. 2, pp. 146–150, 2012.
View at: Google Scholar
W. Guocai, K. Fusong, and W. Fang, “ECDSA-based password authenticated key exchange protocol for threeparty,” Computer Engineering, vol. 38, no. 6, pp. 153–155, 2012.
View at: Google Scholar
K. Jonathan and V. Vaikuntanathan, “Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices,” in Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, pp. 636–652, Tokyo, Japan, 2009.
View at: Google Scholar
Y. Ding and L. Fan, “Efficient password-based authenticated key exchange from lattices,” International Journal of Advancements in Computing Technology, vol. 1, no. 22, pp. 934–938, 2011.
View at: Google Scholar
M. Ye, X. Hu, and W. Liu, “Password authenticated key exchange protocol in the three party setting based on lattices,” Journal of Electronics & Information Technology, vol. 35, no. 6, pp. 1376–1381, 2013.
View at: Google Scholar
D. Xu, “Provably Secure Three-party Password Authenticated Key Exchange Protocol Based on Ring Learning with Error,” IACR Cryptol. ePrint Arch, vol. 2017, p. 360, 2017.
View at: Google Scholar
R. Cramer and V. Shoup, “Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption,” in EUROCRYPT 2002: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 45–64, Amsterdam, The Netherlands, 2002.
View at: Google Scholar

Copyright

Copyright © 2020 Anqi Yin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

777

Downloads

731

Citations