Strong Asymmetric Password-Authenticated Key Exchange (saPAKE) enables a client, holding only a low-entropy password, to repeatedly establish shared high-entropy session keys with a server holding a digest of the expected password. Integrally, the only online attacks afforded to the adversary are the inevitable: impersonation and dictionary attacks. In contrast with the modeling of weaker PAKE variants, saPAKE additionally requires that an offline password search against the server’s storage can only occur after an adaptive server compromise. We present OneTwoPAKE, the first saPAKE protocol to simultaneously: Similar to prior work we instantiate our saPAKE from an OPRF over insecure channels that is additionally secure against adaptive server compromise. In contrast to prior work our OPRF is online-extractable and input-committing, enabling our protocol to realize the full saPAKE functionality. Of independent interest are our OPRF functionality and construction. We introduce the first formal model of such an OPRF, and our OPRF protocol is the first Dodis-Yampolskiy-based OPRF proven UC-secure against malicious adversaries without authenticated channels. Our framework demonstrates the feasibility of achieving all of the above properties simultaneously. Though our constructions are not as concretely efficient as those of prior work our saPAKE achieves minimal round complexity, full security, and, in terms of idealized models, relies exclusively on the random oracle model. As future work may further close the efficiency gap, our framework may lead to practically deployable solutions.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

OneTwoPAKE: Two-Round Strong Asymmetric PAKE with Ideal Security

  • Yashvanth Kondi,
  • Ian McQuoid,
  • Kelsey Melissaris,
  • Claudio Orlandi,
  • Lawrence Roy,
  • LaKyah Tyner

摘要

Strong Asymmetric Password-Authenticated Key Exchange (saPAKE) enables a client, holding only a low-entropy password, to repeatedly establish shared high-entropy session keys with a server holding a digest of the expected password. Integrally, the only online attacks afforded to the adversary are the inevitable: impersonation and dictionary attacks. In contrast with the modeling of weaker PAKE variants, saPAKE additionally requires that an offline password search against the server’s storage can only occur after an adaptive server compromise. We present OneTwoPAKE, the first saPAKE protocol to simultaneously: Similar to prior work we instantiate our saPAKE from an OPRF over insecure channels that is additionally secure against adaptive server compromise. In contrast to prior work our OPRF is online-extractable and input-committing, enabling our protocol to realize the full saPAKE functionality. Of independent interest are our OPRF functionality and construction. We introduce the first formal model of such an OPRF, and our OPRF protocol is the first Dodis-Yampolskiy-based OPRF proven UC-secure against malicious adversaries without authenticated channels. Our framework demonstrates the feasibility of achieving all of the above properties simultaneously. Though our constructions are not as concretely efficient as those of prior work our saPAKE achieves minimal round complexity, full security, and, in terms of idealized models, relies exclusively on the random oracle model. As future work may further close the efficiency gap, our framework may lead to practically deployable solutions.