nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

Security Analysis of \(\textit{SPAKE2}+\)

verfasst von : Victor Shoup

Erschienen in: Theory of Cryptography

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We show that a slight variant of Protocol \( SPAKE2 +\), which was presented but not analyzed in [17], is a secure asymmetric password-authenticated key exchange protocol (PAKE), meaning that the protocol still provides good security guarantees even if a server is compromised and the password file stored on the server is leaked to an adversary. The analysis is done in the UC framework (i.e., a simulation-based security model), under the computational Diffie-Hellman (CDH) assumption, and modeling certain hash functions as random oracles. The main difference between our variant and the original Protocol \( SPAKE2 +\) is that our variant includes standard key confirmation flows; also, adding these flows allows some slight simplification to the remainder of the protocol. Along the way, we also (i) provide the first proof (under the same assumptions) that a slight variant of Protocol \( SPAKE2 \) from [5] is a secure symmetric PAKE in the UC framework (previous security proofs were all in the weaker BPR framework [7]); (ii) provide a proof (under very similar assumptions) that a variant of Protocol \( SPAKE2 +\) that is currently being standardized is also a secure asymmetric PAKE; (iii) repair several problems in earlier UC formulations of secure symmetric and asymmetric PAKE.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Universal Composition with Global Subroutines: Capturing Global Setup Within Plain UC

Nächstes Kapitel Schrödinger’s Pirate: How to Trace a Quantum Decoder

The CDH assumption, in a group \(\mathbb {G}\) of prime order q generated by \(g\in \mathbb {G}\), asserts that given \(g^\alpha ,g^\beta \), for random \(\alpha ,\beta \in \mathbb {Z}_q\), it is hard to compute \(g^{\alpha \beta }\).

The paper [19] was certainly not the first to study asymmetric PAKE protocols, nor is it the first to propose a formal security definition for such protocols.

The security theorem in [1] only applies to so-called “weak” corruptions in the BPR framework, in which corrupting a party reveals to the adversary only its password, and not the internal state of any corresponding protocol instance.

The Gap CDH assumption asserts that the problem of computing \(g^{\alpha \beta }\), given \(g^\alpha ,g^\beta \) for random \(\alpha ,\beta \in \mathbb {Z}_q\), is hard even if the attacker has access to a DDH oracle. Such an oracle is given triples \((g^\mu , g^\nu , g^\kappa )\), and returns “yes” if \(\kappa = \mu \nu \) and “no” otherwise. This is not a falsifiable assumption (as defined in [24]). This is in contrast to the weaker interactive CDH assumption, in which it is required that \(g^\mu = g^\alpha \). This is the same assumption used to analyze the well-known DHIES and ECIES schemes (which are essentially just “hashed” ElGamal schemes) in the random oracle model. See [3], where is called the Strong Diffie-Hellman assumption.

As we describe it, the ideal functionality imposes various pre-conditions on the inputs it receives. The reader may assume that if these are not met, an “error message” back to whoever sent the input. However, see Remark 1 below.

Otherwise, if the corresponding server had not yet been initialized with a password \(\pi \) at the time this client instance had been initialized with a password \(\pi ^*\), the ideal functionality could not determine (or inform the simulator) whether or not \(\pi ^* = \pi \) at that time. This would lead to rather esoteric complications in the logic of the ideal functionality and the simulators in our proofs.

Actually, our framework does not model the notion in [7] that allows password information stored on the server to be changed. That said, we are ultimately interested asymmetric PAKE, and we are not aware of any asymmetric PAKE functionality in the literature that models this notion.

This type of corruption would correspond to the “strong corruption model” of the BPR framework [7]. Note that the protocol analyzed in [7] is itself only proven secure in the “weak corruption model”.

Note that in the specific UC framework of [12], the environment sends this message to the random oracle functionality via a special “dummy” party.

This allows the simulator to “program” the random oracle.

As in [21], we model this type of compromise simply by a message sent from the environment, rather than the more indirect mechanism in [12].

Abdalla, M., Barbosa, M.: Perfect forward security of SPAKE2. Cryptology ePrint Archive, Report 2019/1194 (2019). https://eprint.iacr.org/2019/1194

Abdalla, M., Barbosa, M., Bradley, T., Jarecki, S., Katz, J., Xu, J.: Universally composable relaxed password authenticated key exchange. Cryptology ePrint Archive, Report 2020/320 (2020). https://eprint.iacr.org/2020/320

Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12CrossRef

Abdalla, M., Bresson, E., Chevassut, O., Möller, B., Pointcheval, D.: Provably secure password-based authentication in TLS. In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2006, pp. 35–45 (2006). https://doi.org/10.1145/1128817.1128827

Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. CT-RSA 2005, 191–208 (2005)MathSciNetMATH

Becerra, J., Ostrev, D., Skrobot, M.: Forward secrecy of spake2. Cryptology ePrint Archive, Report 2019/351 (2019). https://eprint.iacr.org/2019/351

Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. Cryptology ePrint Archive, Report 2000/014 (2000). https://eprint.iacr.org/2000/014

Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73. ACM (1993). https://doi.org/10.1145/168588.168596

Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 4–6 May 1992, pp. 72–84 (1992)

10.

Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: the memory-hard function for password hashing and other applications (2017). https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf

11.

Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 280–312. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_11CrossRef

12.

Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). https://eprint.iacr.org/2000/067

13.

Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)MathSciNetCrossRef

14.

Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. Cryptology ePrint Archive, Report 2005/196 (2005). https://eprint.iacr.org/2005/196

15.

Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014, pp. 597–608 (2014)

16.

Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_16CrossRef

17.

Cash, D., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. Cryptology ePrint Archive, Report 2008/067 (2008). https://eprint.iacr.org/2008/067

18.

Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_26CrossRef

19.

Gentry, C., MacKenzie, P., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_9CrossRef

20.

Hesse, J.: Separating standard and asymmetric password-authenticated key exchange. Cryptology ePrint Archive, Report 2019/1064 (2019). https://eprint.iacr.org/2019/1064

21.

Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. J. Cryptol. 28(3), 423–508 (2015). https://doi.org/10.1007/s00145-013-9160-yMathSciNetCrossRefMATH

22.

Hofheinz, D., Unruh, D., Müller-Quade, J.: Polynomial runtime and composability. Cryptology ePrint Archive, Report 2009/023 (2009). https://eprint.iacr.org/2009/023

23.

Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15CrossRef

24.

Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_6CrossRef

25.

Shoup, V.: Security analysis of SPAKE2+. Cryptology ePrint Archive, Report 2020/313 (2020). https://eprint.iacr.org/2020/313

26.

Taubert, T., Wood, C.A.: SPAKE2\(+\), an Augmented PAKE. Internet-Draft draft-bar-cfrg-spake2plus-00, Internet Engineering Task Force, March 2020. https://datatracker.ietf.org/doc/draft-bar-cfrg-spake2plus/

Titel: Security Analysis of
verfasst von: Victor Shoup
Verlag: Springer International Publishing
Buch: Theory of Cryptography
Print ISBN: 978-3-030-64380-5

Electronic ISBN: 978-3-030-64381-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-64381-2_2

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner