Jean Lancrenon

Provably Secure Password Authenticated Key Exchange Based on RLWE for the Post-Quantum World

Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over a insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in play share a simple password, which is cheap and human-memorable and is used to achieve the authentication. PAKEs are practically relevant as these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Theoretically, PAKEs allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this paper, we apply the recently proposed technique introduced in [19] to construct two lattice-based PAKE protocols enjoying a very simple and elegant design that is an parallel extension of the class of Random Oracle Model (ROM)-based protocols \(\mathsf {PAK}\) and \(\mathsf {PPK}\) [13, 41], but in the lattice-based setting. The new protocol resembling \(\mathsf {PAK}\) is three-pass, and provides mutual explicit authentication, while the protocol following the structure of \(\mathsf {PPK}\) is two-pass, and provides implicit authentication. Our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption, and exploit the additive structure of the underlying ring. They have a comparable level of efficiency to \(\mathsf {PAK}\) and \(\mathsf {PPK}\), which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are both efficient and practical. We believe they are suitable quantum safe replacements for \(\mathsf {PAK}\) and \(\mathsf {PPK}\).

Two More Efficient Variants of the J-PAKE Protocol

Recently, the password-authenticated key exchange protocol J-PAKE of Hao and Ryan (Workshop on Security Protocols 2008) was formally proven secure in the algebraic adversary model by Abdalla et al. (IEEE S&P 2015). In this paper, we propose and examine two variants of J-PAKE - which we call RO-J-PAKE and CRS-J-PAKE - that each makes the use of two less zero-knowledge proofs than the original protocol. We show that they are provably secure following a similar strategy to that of Abdalla et al. We also study their efficiency as compared to J-PAKE’s, also taking into account how the groups are chosen. Namely, we treat the cases of subgroups of finite fields and elliptic curves. Our work reveals that, for subgroups of finite fields, CRS-J-PAKE is indeed more efficient than J-PAKE, while RO-J-PAKE is much less efficient. On the other hand, when instantiated with elliptic curves, both RO-J-PAKE and CRS-J-PAKE are more efficient than J-PAKE, with CRS-J-PAKE being the best of the three. Regardless of implementation, we note that RO-J-PAKE enjoys a looser security reduction than both J-PAKE and CRS-J-PAKE. CRS-J-PAKE has the tightest security proof, but relies on an additional trust assumption at setup time.

Attribute-Based Signatures with Controllable Linkability

We introduce Attribute-Based Signatures with Controllable Linkability ABS-CL. In general, Attribute-Based Signatures allow a signer who possesses enough attributes to satisfy a predicate to sign a message without revealing either the attributes utilized for signing or the identity of the signer. These signatures are an alternative to Identity-Based Signatures for more fine-grained policies or enhanced privacy. On the other hand, the Controllable Linkability notion introduced by Hwang et al.i¾?[14] allows an entity in possession of the linking key to determine if two signatures were created by the same signer without breaking anonymity. This functionality is useful in applications where a lower level of anonymity to enable linkability is acceptable, such as some cases of vehicular ad-hoc networks, data mining, and voting schemes. The ABS-CL scheme we present allows a signer with enough attributes satisfying a predicate to sign a message, while an entity with the linking key may test if two such signatures were created by the same signer, all without revealing the satisfying attributes or the identity of the signer.

On the Provable Security of the Dragonfly Protocol

Dragonfly is a password-authenticated key exchange protocol that was proposed by Harkinsi¾ź[11] in 2008. It is currently a candidate for standardization by the Internet Engineering Task Force, and would greatly benefit from a security proof. In this paper, we prove the security of a very close variant of Dragonfly in the random oracle model. It shows in particular that Dragonflys main flows - a kind of Diffie-Hellman variation with a password-derived base - are sound. We employ the standard Bellare et al.i¾ź[2] security model, which incorporates forward secrecy.

On Password-Authenticated Key Exchange Security Modeling

Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al. [5] at Eurocrypt 2000. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al. [3] at Public Key Cryptography 2005. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.

Chapter e49 – Password-Based Authenticated Key Establishment Protocols

If two parties wish to safely communicate over an insecure channel, one method they may use is to first run an authenticated key exchange protocol over this channel so as to jointly and secretly construct a cryptographically strong session key that can serve to subsequently secure further bulk communication. This chapter is an introduction to the design of such key exchange protocols when the only secret information shared a priori by both parties is a simple, short password. After a brief description of authenticated key exchange in general, we explain the security challenges faced in the password-based case and illustrate our exposition with three concrete password-authenticated key exchange protocols.

Password-Based Authenticated Key Establishment Protocols

If two parties wish to safely communicate over an insecure channel, one method they may use is to first run an authenticated key exchange protocol over this channel so as to jointly and secretly construct a cryptographically strong session key that can serve to subsequently secure further bulk communication. This chapter is an introduction to the design of such key exchange protocols when the only secret information shared a priori by both parties is a simple, short password. After a brief description of authenticated key exchange in general, we explain the security challenges faced in the password-based case and illustrate our exposition with three concrete password-authenticated key exchange protocols.