Verifier-based anonymous password-authenticated key exchange
 protocol in the standard model

Qihui Zhang; Pradeep Chaudhary; Saru Kumari; Zhiyin Kong; Wenfen Liu; Qihui Zhang; Pradeep Chaudhary; Saru Kumari; Zhiyin Kong; Wenfen Liu

doi:10.3934/mbe.2019180

Mathematical Biosciences and Engineering

2019, Volume 16, Issue 5: 3623-3640. doi: 10.3934/mbe.2019180

Previous Article Next Article

Research article Special Issues

Verifier-based anonymous password-authenticated key exchange protocol in the standard model

1.
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, Henan 450001, China
2.
Department of Statistics, Chaudhary Charan Singh University, Meerut 250004, India
3.
Department of Mathematics, Chaudhary Charan Singh University, Meerut 250004, India
4.
Science and Technology on Information Assurance Laboratory, Beijing 100072, China
5.
Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin, Guangxi 541004, China

Received: 21 February 2019 Accepted: 10 April 2019 Published: 23 April 2019

Anonymous password-authenticated key exchange (APAKE) allows a client to authenticate herself and to establish a secure session key with a remote server via only a low-entropy password, while keeping her actual identity anonymous to the third party as well as to the server. Since that APAKE protocol enjoys both the convenience of password authentication and the advantage of privacy protection, researchers have paid much attention to them. However, most of the existing APAKE protocols are designed in the symmetric setting which does not take into consideration the threat of password file leakage. To mitigate the damage of server compromise, we propose a verifier-based anonymous password-authenticated key exchange protocol, in which the server holds a verifier corresponding to each client instead of the clear password. The construction of our protocol is built on standard cryptographic primitives such public key encryption, smooth projective hash functions and password hashing schemes. The resulting protocol is proved secure in the standard model, i.e., without resorting to random oracles. Comparisons with other similar schemes show that our protocol guarantees stronger security while enjoys considerable efficiency in terms of computational cost.
- password authentication,
- anonymous protocol,
- key exchange,
- server compromise,
- standard model
Citation: Qihui Zhang, Pradeep Chaudhary, Saru Kumari, Zhiyin Kong, Wenfen Liu. Verifier-based anonymous password-authenticated key exchange protocol in the standard model[J]. Mathematical Biosciences and Engineering, 2019, 16(5): 3623-3640. doi: 10.3934/mbe.2019180

Related Papers:

Abstract

Anonymous password-authenticated key exchange (APAKE) allows a client to authenticate herself and to establish a secure session key with a remote server via only a low-entropy password, while keeping her actual identity anonymous to the third party as well as to the server. Since that APAKE protocol enjoys both the convenience of password authentication and the advantage of privacy protection, researchers have paid much attention to them. However, most of the existing APAKE protocols are designed in the symmetric setting which does not take into consideration the threat of password file leakage. To mitigate the damage of server compromise, we propose a verifier-based anonymous password-authenticated key exchange protocol, in which the server holds a verifier corresponding to each client instead of the clear password. The construction of our protocol is built on standard cryptographic primitives such public key encryption, smooth projective hash functions and password hashing schemes. The resulting protocol is proved secure in the standard model, i.e., without resorting to random oracles. Comparisons with other similar schemes show that our protocol guarantees stronger security while enjoys considerable efficiency in terms of computational cost.

References

[1]	D. Wang, H. Cheng, P. Wang, et al., Zipf's law in passwords. IEEE T. Inf. Foren. Sec., 12 (2017), 2776–2791.
[2]	S. M. Bellovin and M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, in Proceedings of IEEE Computer Society Symposium on Research in Security and Privacy, IEEE, (1992), 72–84.
[3]	E. Bresson, O. Chevassut and D. Pointcheval, Security proofs for an efficient password-based key exchange, in Proceedings of ACM CCS 2003, ACM Press, (2003), 241–250.
[4]	M. Abdalla and D. Pointcheval, Simple password-based encrypted key exchange protocols, in Proceedings of CT-RSA 2005, Springer, (2005), 191–208.
[5]	J. Katz, R. Ostrovsky and M. Yung, Efficient password-authenticated key exchange using human- memorable passwords, in Proceedings of EUROCRYPT 2001, Springer, (2001), 475–494.
[6]	F. Benhamouda, O. Blazy, C. Chevalier, et al., New techniques for SPHFs and efficient one-round PAKE protocols, in Proceedings of CRYPTO 2013, Springer, (2013), 449–475.
[7]	X. Yi, F. Y. Rao, Z. Tari, et al., ID2S password-authenticated key exchange protocols, IEEE T. Comput., 65 (2016), 3687–3701.
[8]	Y. Zhang, Y. Xiang, W. Wu, et al., A variant of password authenticated key exchange protocol, Future Gener. Comput. Sy., 78 (2018), 699–711.
[9]	Z. Li and D. Wang, Two-round PAKE protocol over lattices without NIZK, in Proceedings of ICISC 2018, Springer, (2018), 138–159.
[10]	M. Abdalla, P. A. Fouque and D. Pointcheval, Password-based authenticated key exchange in the three-party setting, in Proceedings of PKC 2005, Springer, (2005), 65–84.
[11]	F. Wei, N. Kumar, D. He, et al., A general compiler for password-authenticated group key exchange protocol in the standard model, Discrete Appl. Math., 241 (2018), 78–86.
[12]	M. Bellare, D. Pointcheval and P. Rogaway, Authenticated key exchange secure against dictionary attacks, in Proceedings of EUROCRYPT 2000, Springer, (2000), 139–155.
[13]	R. Canetti, S. Halevi, J. Katz, et al., Universally composable password-based key exchange, in Proceedings of EUROCRYPT 2005, Springer, (2005), 404–421.
[14]	D. Q. Viet, A. Yamamura and H. Tanaka, Anonymous password-based authenticated key exchange, in Proceedings of INDOCRYPT 2005, Springer, (2005), 244–257.
[15]	J. Yang and Z. Zhang, A new anonymous password-based authenticated key exchange protocol, in Proceedings of INDOCRYPT 2008, Springer, (2008), 200–212.
[16]	S. H. Shin, K. Kobar and H. Imai, Very-efficient anonymous password-authenticated key exchange and its extensions, in Proceedings of AAECC 2009, Springer, (2009), 149–158.
[17]	X. Hu, J. Zhan, Z. Zhang, et al., Anonymous Password Authenticated Key Exchange Protocol in the Standard Model, Wirel. Pers. Commun., 96 (2017), 1451–1474.
[18]	Y. Yang, J. Zhou, J. Weng, et al., A new approach for anonymous password authentication, in Proceedings of ACSAC 09, IEEE, (2009), 199–208.
[19]	S. H. Shin and K. Kobara, Simple anonymous password-based authenticated key exchange (SAPAKE), reconsidered, IEICE T. Fundam. Electron. Commun. Comput. Sci., 100 (2017), 639–652.
[20]	Z. Zhang, K. Yang, X. Hu, et al., Practical anonymous password authentication and TLS with anonymous client authentication, in Proceedings of ACM CCS 2016, ACM Press, (2016), 1179–1191.
[21]	Information technology-Security techniques-Anonymous entity authentication-Part 4: Mechanisms based on weak secrets, ISO/IEC standard 20009-4, 2017. Available from: https:// www. iso. org/ standard/64288.html.
[22]	K. Thomas, F. Li, A. Zand, et al., Data breaches, phishing, or malware? Understanding the risks of stolen credentials, in Proceedings of ACM CCS 2017, ACM Press, (2017), 1421–1434.
[23]	J. Li, L. Stecker, E. Zeigler, et al., Scramble the password before you type it, in Proceedings of World Conference on Information Systems and Technologies, Springer, (2018), 1097–1107.
[24]	Facebook Security Breach Exposes Accounts of 50 Million Users, 2018. Available from: https://www.nytimes.com/ 2018/09/28/ technology/facebook-hack-data-breach.html.
[25]	F. Benhamouda and D. Pointcheval, Verifier-based password-authenticated key exchange: new models and constructions. IACR Crypt. ePrint Archive, 2013: 833.
[26]	D. Pointcheval and G. Wang, VTBPEKE: verifier-based two-basis password exponential key exchange, in Proceedings of Asia CCS 2017, ACM Press, (2017), 301–312.v 27. X. Yang, H. Jiang, Q. Xu, et al., A provably-secure and efficient verifier-based anonymous password-authenticated key exchange protocol, in Proceedings of Trustcom/BigDataSE/ISPA, 2016, IEEE, (2016), 670–677.
[27]	28. C. M. Chen, G. J. Wang, W. C. Fang, et al., A new verifier-based anonymous password- authenticated key exchange protocol, J. Info. Hiding Multimedia Signal Process., 9 (2018), 1595–1602.
[28]	29. D. Wang and P. Wang, Two birds with one stone: Two-factor authentication with security beyond conventional bound, IEEE T. Depend. Secure Comput., 15 (2018), 708–722.
[29]	30. F. Wei, P. Vijayakumar, Q. Jiang, et al., A mobile intelligent terminal based anonymous authenticated key exchange protocol for roaming service in global mobility networks, IEEE T. Sustain. Comput., 2018.
[30]	31. M. Abdalla, F. Benhamouda and D. Pointcheval, Public-key encryption indistinguishable under plaintext-checkable attacks, in Proceedings of PKC 2015, Springer, (2015), 332–352.
[31]	32. R. Cramer and V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in Proceedings of EUROCRYPT 2002, Springer, (2002), 45–64.
[32]	33. R. Gennaro and Y. Lindell, A framework for password-based authenticated key exchange, in Proceedings of EUROCRYPT 2003, Springer, (2003), 524–543.
[33]	34. J. Katz and V. Vaikuntanatha, Round-optimal password-based authenticated key exchange, in Proceedings of TCC 2011, Springer, (2011), 293–310.
[34]	35. M. Abdalla, F. Benhamouda and D. Pointcheval, Disjunctions for hash proof systems: New constructions and applications, in Proceedings of EUROCRYPT 2015, Springer, (2015), 69–100.
[35]	36. S. Even, O. Goldreich and S. Mical, On-line/off-line digital signatures, in Proceedings of CRYPTO 89, Springer, (1989), 263–275.
[36]	37. F. Kiefer and M. Manulis, Zero-knowledge password policy checks and verifier-based PAKE, in Proceedings of ESORICS 2014, Springer, (2014), 295–312.
[37]	38. A. Groce and J. Katz, A new framework for efficient password-based authenticated key exchange, in Proceedings of ACM CCS 2010, ACM Press, (2010), 516–525.

Reader Comments

Your name:*

Email:*
© 2019 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)