Abstract
We introduce password-authenticated public-key encryption (PAPKE), a new cryptographic primitive. PAPKE enables secure end-to-end encryption between two entities without relying on a trusted third party or other out-of-band mechanisms for authentication. Instead, resistance to man-in-the-middle attacks is ensured in a human-friendly way by authenticating the public key with a shared password, while preventing offline dictionary attacks given the authenticated public key and/or the ciphertexts produced using this key.
Our contributions are three-fold. First, we provide property-based and universally composable (UC) definitions for PAPKE, with the resulting primitive combining CCA security of public-key encryption (PKE) with password authentication. Second, we show that PAPKE implies Password-Authenticated Key Exchange (PAKE), but the reverse implication does not hold, indicating that PAPKE is a strictly stronger primitive than PAKE. Indeed, PAPKE implies a two-flow PAKE which remains secure if either party re-uses its state in multiple sessions, e.g. due to communication errors, thus strengthening existing notions of PAKE security. Third, we show two highly practical UC PAPKE schemes: a generic construction built from CCA-secure and anonymous PKE and an ideal cipher, and a direct construction based on the Decisional Diffie-Hellman assumption in the random oracle model.
Finally, applying our PAPKE-to-PAKE compiler to the above PAPKE schemes we exhibit the first 2-round UC PAKEs with efficiency comparable to (unauthenticated) Diffie-Hellman Key Exchange.
Full version of this paper appears in [12].
Notes
1. Users also struggle with the notion of key fingerprints, e.g. all Telegram users in one study [5] believed the fingerprint to be either the encryption key or a ciphertext.
2. However, our local computation cost also includes Ideal Cipher operations.
References
Abdalla, M., Bellare, M., Neven, G.: Robust encryption. Cryptology ePrint Archive, Report 2008/440 (2008). http://eprint.iacr.org/2008/440
Abdalla, M., Bellare, M., Rogaway, P.: The oracle diffie-hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
Abdalla, M., Catalano, D., Chevalier, C., Pointcheval, D.: Efficient two-party password-based key exchange protocols in the UC framework. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 335–351. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_22
Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14
Abu-Salma, R., Sasse, M.A., Bonneau, J., Danilova, A., Naiakshina, A., Smith, M.: Obstacles to the adoption of secure communication tools. In: 2017 IEEE Symposium on Security and Privacy, pp. 137–153. IEEE Computer Society Press, May 2017
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Symposium on Security and Privacy, pp. 72–84. IEEE Computer Society Press, May 1992
Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 967–980. ACM Press, November 2013
Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_9
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12
Bradley, T., Camenisch, J., Jarecki, S., Lehmann, A., Neven, G., Xu, J.: Password-authenticated public key encryption. Cryptology ePrint Archive, Report 2019/199 (2019). http://eprint.iacr.org/2019/199
Burr, W.E., et al.: Electronic Authentication Guideline. NIST Special Publication, Gaithersburg (2011)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001
Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_24
Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_4
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Guardian: Whatsapp design feature means some encrypted messages could be read by third party (2017). https://www.theguardian.com/technology/2017/jan/13/whatsapp-design-feature-encrypted-messages/
Holenstein, T., Künzler, R., Tessaro, S.: The equivalence of the random oracle model and the ideal cipher model, revisited. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 89–98. ACM Press, June 2011
Huima, A.: The Bubble Babble binary data encoding (2000). http://web.mit.edu/kenta/www/one/bubblebabble/spec/jrtrjwzi/draft-huima-01.txt/
Jutla, C.S., Roy, A.: Dual-system simulation-soundness with applications to UC-PAKE and more. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 630–655. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_26
Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. J. Cryptology 26(4), 714–743 (2013)
OpenSSH 5.1 release announcement (2008). https://www.openssh.com/txt/release-5.1/
Rivest, R.L., Lampson, B.: SDSI - a simple distributed security infrastructure (1996). http://people.csail.mit.edu/rivest/sdsi10.html/
Tan, J., Bauer, L., Bonneau, J., Cranor, L.F., Thomas, J., Ur, B.: Can unicorns help users compare crypto key fingerprints? In: Mark, G., et al. (eds.) CHI Conference on Human Factors in Computing Systems, pp. 3787–3798. ACM (2017)
Tufekci, Z.: In response to guardian’s irresponsible reporting on whatsapp: a plea for responsible and contextualized reporting on user security (2017). http://technosociology.org/?page_id=1687/
Unger, N., et al.: SoK: secure messaging. In: 2015 IEEE Symposium on Security and Privacy, pp. 232–249. IEEE Computer Society Press, May 2015
WhatsApp encryption overview: technical white paper (2016). https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf/
Acknowledgments
Anja Lehmann was supported by the European Union’s Horizon 2020 research and innovation program under Grant Agreement No. 786725 (OLYMPUS). Tatiana Bradley, Stanislaw Jarecki, and Jiayu Xu were supported by the NSF Cybersecurity Innovation for Cyberinfrastructure (CICI) Grant Award No. ACI-1547435.
A Concrete PAPKE and PAKE Instantiation Example
Here we show particular instantiations of some of our results, a PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) and a PAKE protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\). \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) is a particular instantiation of the generic \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) scheme of Sect. 4.1 based on the \(\mathsf {DHIES}^*\) PKE by Abdalla et al. [1], and protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) is derived via the \(\mathsf {PAPKE}\text {-}2\text {-}\mathsf {PAKE}\) compiler of Sect. 3 applied to \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\).
Concrete Instantiation of \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) Using \(\mathsf {DHIES} \). In Sect. 4.1 we show a generic UC-secure PAPKE scheme that relies on an ideal cipher and a public-key encryption scheme that is both \(\mathsf {AI\text {-}CCA}\) and \(\mathsf {SROB\text {-}CCA}\)-secure. Abdalla et al. [1] show that these properties can be realized by \(\mathsf {DHIES}^*\), a simple modification of \(\mathsf {DHIES}\) [2] which excludes zero randomness at encryption, i.e., samples r from \(\mathbb {Z}^*_p\) instead of \(\mathbb {Z}_p\), and rejects ciphertexts that have 1 as first component. We specify \(\mathsf {DHIES}^*\) below relying on authenticated encryption \(\mathsf {AE}\), a hash function \(\mathsf {H}\) and a cyclic group \((\mathbb {G},p,g)\) of prime order p. Scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) in Fig. 4 is a (semi) concrete instantiation of \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) using \(\mathsf {DHIES}^*\), which uses 2 exponentiations for encryption and 1 for decryption, as well as an ideal cipher over group \({\mathbb {G}}\) and hashing onto \({\mathbb {G}}\).
- \(\mathsf {DHIES}^*.\mathsf {KGen}(\kappa )\): \(x \leftarrow _\mathrm {\tiny {R}}\mathbb {Z}_p\), \(y \leftarrow g^x\), set \( pk \leftarrow y, sk \leftarrow x\) and return \(( pk , sk )\).
- \(\mathsf {DHIES}^*.\mathsf {Enc}(pk,m)\): parse \( pk =y\), get \(r \leftarrow _\mathrm {\tiny {R}}\mathbb {Z}^*_p\), \(k \leftarrow \mathsf {H}(y^r)\), \(c_1 \leftarrow g^r\), \(c_2 \leftarrow \mathsf {AE.Enc}(k, m)\) and return \(c = (c_1, c_2)\).
- \(\mathsf {DHIES}^*.\mathsf {Dec}(sk,c)\): parse \(c=(c_1,c_2)\) and \( sk =x\), get \(k \leftarrow \mathsf {H}(c_1^x)\). If \(c_1 =1\) output \(m \leftarrow \bot \), else output \(m \leftarrow \mathsf {AE.Dec}(k, c_2)\).
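The following is an added worked example, not code from the paper or its authors, that implements \(\mathsf {DHIES}^*\) exactly as specified above and shows what the two modifications buy. Everything concrete in it is an assumption: a constructed toy-size Schnorr group (\(q = 2p+1\) with \(p = 1019\), \(g = 4\)), \(\mathsf {H}\) instantiated as SHA-256 over a fixed-width encoding of the group element, \(\mathsf {AE}\) as an encrypt-then-MAC construction built from HMAC-SHA256 in place of a real AEAD, and a subgroup-membership check on \(c_1\) that the paper's specification does not contain. The last function illustrates why excluding \(r = 0\) (and hence \(c_1 = 1\)) matters for robustness: such a ciphertext would decrypt under every secret key, because \(k = \mathsf {H}(1^x)\) no longer depends on \(x\).

```python
"""Toy DHIES* (the DHIES variant with r in Z_p^* and c1 = 1 rejected) in pure Python."""
import hashlib
import hmac
import secrets

# Constructed toy-size Schnorr group for illustration only: q = 2p + 1 with
# p = 1019 prime, G = the order-p subgroup of Z_q^*, generated by g = 4.
# A deployment would use a standards-defined group of cryptographic size.
Q = 2039
P = 1019
G = 4
ELEM_LEN = (Q.bit_length() + 7) // 8


def in_group(h: int) -> bool:
    """Membership test for the order-p subgroup (added sanity check, not in the paper's spec)."""
    return 0 < h < Q and pow(h, P, Q) == 1


def H(h: int) -> bytes:
    """H: G -> {0,1}^kappa, instantiated here (assumption) as SHA-256 over a fixed-width encoding."""
    return hashlib.sha256(h.to_bytes(ELEM_LEN, "big")).digest()


# --- AE = (AE.Enc, AE.Dec): encrypt-then-MAC from HMAC-SHA256 (stand-in for a real AEAD) ---

def _subkeys(k: bytes):
    return (hmac.new(k, b"enc", hashlib.sha256).digest(),
            hmac.new(k, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def ae_enc(k: bytes, m: bytes) -> bytes:
    k_enc, k_mac = _subkeys(k)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, nonce, len(m))))
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def ae_dec(k: bytes, c: bytes):
    """Returns the plaintext, or None if the tag does not verify under k."""
    if len(c) < 16 + 32:
        return None
    k_enc, k_mac = _subkeys(k)
    nonce, body, tag = c[:16], c[16:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, nonce, len(body))))


# --- DHIES* as specified in the appendix -------------------------------------

def kgen():
    x = secrets.randbelow(P)          # x <-R Z_p
    return pow(G, x, Q), x            # (pk, sk) = (y = g^x, x)


def enc(pk: int, m: bytes, r: int = None):
    """r is drawn from Z_p^* (never 0); the optional argument exists only so the
    demonstration below can show what the excluded value r = 0 would produce."""
    if r is None:
        r = 1 + secrets.randbelow(P - 1)    # r <-R Z_p^* = {1, ..., p-1}
    k = H(pow(pk, r, Q))                     # k = H(y^r)
    c1 = pow(G, r, Q)                        # c1 = g^r
    return c1, ae_enc(k, m)                  # c2 = AE.Enc(k, m)


def dec(sk: int, c):
    c1, c2 = c
    if c1 == 1 or not in_group(c1):          # DHIES* rejection rule (membership check added)
        return None
    return ae_dec(H(pow(c1, sk, Q)), c2)     # k = H(c1^x), m = AE.Dec(k, c2)


# --- Demonstrations ------------------------------------------------------------

def roundtrip(m: bytes = b"constructed sample plaintext") -> bool:
    pk, sk = kgen()
    return dec(sk, enc(pk, m)) == m


def wrong_key_rejected(m: bytes = b"constructed sample plaintext") -> bool:
    pk, sk = kgen()
    return dec((sk + 1) % P, enc(pk, m)) is None   # a different key never verifies the tag


def identity_first_component_rejected() -> bool:
    """With r = 0 the ciphertext has c1 = g^0 = 1; DHIES* refuses to decrypt it."""
    pk, sk = kgen()
    return dec(sk, enc(pk, b"x", r=0)) is None


def why_r_zero_breaks_robustness() -> bool:
    """Without the rule, a c1 = 1 ciphertext decrypts under every secret key,
    because k = H(1^x) = H(1) is independent of x: the robustness failure closed by DHIES*."""
    c2 = ae_enc(H(1), b"x")
    _, sk_a = kgen()
    _, sk_b = kgen()
    return all(ae_dec(H(pow(1, sk, Q)), c2) == b"x" for sk in (sk_a, sk_b))
```

The group-membership check in `dec` is a standard hardening for any Diffie-Hellman-style decryption over a subgroup and is independent of the \(c_1 = 1\) rule; the paper's specification only states the latter.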
Concrete PAKE Protocols. We specify an example of a concrete UC PAKE instantiation obtained by applying the generic \(\mathsf {PAPKE}\text {-}2\text {-}\mathsf {PAKE}\) compiler shown in Fig. 1 to the PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) shown in Fig. 4. In [12] we also specify PAKE protocol \(\mathsf {PAKE}\text {-}\mathsf {FO}\) implied by our second PAPKE construction, \(\mathsf {PAPKE}\text {-}\mathsf {FO}\) of Fig. 3. To the best of our knowledge, these are the first two-round UC-secure PAKEs which rely on standard groups, i.e. no bilinear maps, but resort to the IC and/or ROM model to achieve practical efficiency. Concretely, \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) uses 2 exponentiations per party and \(\mathsf {PAKE}\text {-}\mathsf {FO}\) uses 4 (multi-)exponentiations for one party and 2 for the other. This almost matches the efficiency and assumptions used by two-round PAKEs which were shown secure under only game-based security notions, e.g. [4, 7, 11], and it reduces from 3 to 2 the rounds of the previously known UC PAKE secure under comparable assumptions of Abdalla et al. [3].
Protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) shown in Fig. 5 requires the same setup as the PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) in Fig. 4, i.e. \({\mathbb {G}}\) is a cyclic group of prime order p with generator g, \(\mathsf {IC}=(\mathsf {IC.Enc},\mathsf {IC.Dec})\) is an ideal cipher over group \({\mathbb {G}}\) with key space \(\{0,1\}^*\), \(\mathsf {AE}=(\mathsf {AE.Enc},\mathsf {AE.Dec})\) is an authenticated encryption with key space \(\{0,1\}^\kappa \), and \(\mathsf {H}:\mathbb {G}\rightarrow \{0,1\}^\kappa \) is a collision-resistant hash. The following security statement for \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) follows from Theorems 1, 2, and the security properties of \(\mathsf {DHIES}^*\) [1]:
Corollary 1
The \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) scheme described in Fig. 5 securely realizes \(\mathcal {F}_{\mathsf {PAKE}}\) in the \(\mathcal {F}_\mathsf {CRS},\mathcal {F}_\mathsf {IC}\)-hybrid model if the Oracle-Diffie-Hellman assumption is hard for \({\mathbb {G}}\), \(\mathsf {H}\) is a collision-resistant hash, and \(\mathsf {AE}\) is a secure, strongly unforgeable and collision-resistant authenticated encryption scheme.
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Bradley, T., Camenisch, J., Jarecki, S., Lehmann, A., Neven, G., Xu, J. (2019). Password-Authenticated Public-Key Encryption. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science(), vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_22
DOI: https://doi.org/10.1007/978-3-030-21568-2_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21567-5
Online ISBN: 978-3-030-21568-2