TMPS: Ticket-Mediated Password Strengthening

Abstract

We introduce the notion of TMPS: Ticket-Mediated Password Strengthening, a technique for allowing users to derive keys from passwords while imposing a strict limit on the number of guesses of their password any attacker can make, and strongly protecting the users’ privacy. We describe the security requirements of TMPS, and then a set of efficient and practical protocols to implement a TMPS scheme, requiring only hash functions, CCA2-secure encryption, and blind signatures. We provide several variant protocols, including an offline symmetric-only protocol that uses a local trusted computing environment, and online variants that use group signatures or stronger trust assumptions instead of blind signatures. We formalize the security of our scheme by defining an ideal functionality in the Universal Composability (UC) framework, and by providing game-based definitions of security. We prove that our protocol realizes the ideal functionality in the random oracle model (ROM) under adaptive corruptions with erasures, and prove that security with respect to the ideal/real definition implies security with respect to the game-based definitions.

This work was supported in part by NSF grants #CNS-1933033, #CNS-1840893, #CNS-1453045 (CAREER), by a research partnership award from Cisco and by financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology.

Appendices

Appendix

A Definitions

In this section, we mention the key definitions used in the security analysis of our protocol to facilitate better understanding. Our exposition closely follows [3, 14, 17, 26].

Definition 1

[Encryption System]. An encryption system can be defined as a tuple of probabilistic polynomial-time algorithms \(\varPi _{{\mathtt{{ENC}}}}(\mathtt{{GEN}}, {\mathtt{{ENC}}}, {\mathtt{{DEC}}})\) such that:

1. 1.

   The key-generation algorithm \(\mathtt{{GEN}}\) takes as input the security parameter \(1^{n}\) and outputs a key K.

2. 2.

   The encryption algorithm \({\mathtt{{ENC}}}\) takes as input a key K and a plaintext message \(M \in \{0,1\}^*\), and outputs a ciphertext C where \(C \leftarrow {{\mathtt{{ENC}}}}_K(M)\).

3. 3.

   The decryption algorithm \({\mathtt{{DEC}}}\) takes as input a key and a ciphertext, and outputs a message. We assume without loss of generality that the decryption algorithm corresponding \({{\mathtt{{ENC}}}}_K\) is \({{\mathtt{{DEC}}}}_K\) such that \(M = {{\mathtt{{DEC}}}}_K(C)\) and for every n, every key K output by \(\mathtt{{GEN}}\)(\(1^{n}\)), and every \(M \in \{0,1\}^*\), it holds that \({\mathtt{{DEC}}}_K({{\mathtt{{ENC}}}}_K(M)) = M.\)

The Chosen-Ciphertext Attack (CCA) Security Experiment \({PrivK}^{cca}_{\mathcal {A}, \varPi _{{\mathtt{{ENC}}}}}({n})\): Consider the following experiment for an encryption system \(\varPi _{{\mathtt{{ENC}}}} = (\mathtt{{GEN}}, {\mathtt{{ENC}}}, {\mathtt{{DEC}}})\), adversary \(\mathcal {A}\), and value n for the security parameter.

1. 1.

   A random key K is generated by running \(\mathtt{{GEN}}\)(\(1^{n}\)).

2. 2.

   The adversary \(\mathcal {A}\) is given input \(1^{n}\) and oracle access to \({{\mathtt{{ENC}}}}_K\)(\(\cdot \)) and \({{\mathtt{{DEC}}}}_K\)(\(\cdot \)). It outputs a pair of messages \(M_0\), \(M_1\) of the same length.

3. 3.

   A random bit \(b \leftarrow \{0,1\}\) is chosen, and then a ciphertext \(C \leftarrow {{\mathtt{{ENC}}}}_K(M_b)\) is computed and given to \(\mathcal {A}\). We call C the challenge ciphertext.

4. 4.

   The adversary \(\mathcal {A}\) continues to have oracle access to \({{\mathtt{{ENC}}}}_K\)(\(\cdot \)) and \({{\mathtt{{DEC}}}}_K\)(\(\cdot \)), but is not allowed to query the latter on the challenge ciphertext itself. Eventually, \(\mathcal {A}\) outputs a bit \(b'\)

5. 5.

   The output of the experiment is defined to be 1 if \(b'=b\), and 0 otherwise.

Definition 2

[CCA Security]. An encryption system \(\varPi _{{\mathtt{{ENC}}}}\) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries \(\mathcal {A}\) there exists a negligible function negl such that:

$$Pr[{PrivK}^{cca}_{\mathcal {A}, \varPi _{{\mathtt{{ENC}}}}}({n}) = 1] \le \frac{1}{2} + negl({n}),$$

where the probability is taken over all random coins used in the experiment.

Other variants of the CCA Security definition are defined below.

Definition 3

[Chosen Plaintext Attack (CPA) Security]. Similar to the security experiment of CCA except that the Adversary \(\mathcal {A}\) is not given access to decryption oracle at step 2 and step 4.

Definition 4

[Non-adaptive CCA or CCA1 Security]. Similar to the security experiment of CCA except that the Adversary \(\mathcal {A}\) is not given access to decryption oracle at step 4.

Definition 5

[Adaptive CCA or CCA2 Security]. Similar to the security experiment of CCA where the Adversary \(\mathcal {A}\) is allowed to perform a polynomially bounded number of encryptions, decryptions or other calculations over inputs of its choice except on the challenge ciphertext.

Definition 6

[Signature Scheme]. A signature scheme is a tuple of probabilistic polynomial-time algorithms \(\varPi _{SIG}(\mathtt{{GEN}}, \mathtt{{SIGN}}, \mathtt{{VERIFY}})\) such that:

1. 1.

   The key-generation algorithm \(\mathtt{{GEN}}\) takes as input a security parameter \(1^{n}\) and outputs a pair of keys (PK, SK). These are called the public key and the private key, respectively.

2. 2.

   The signing algorithm \(\mathtt{{SIGN}}\) takes as input a private key SK and a message M from some underlying message space. It outputs a signature F represented as \(F \leftarrow {\mathtt{{SIGN}}}_{SK}(M)\).

3. 3.

   The deterministic verification algorithm \(\mathtt{{VERIFY}}\) takes as input a public key PK, a message M, and a signature F. It outputs a bit b represented as \(b =\) \(\mathtt{{VERIFY}}_{PK}(M, F)\) where \(b = 1\) means valid and \(b = 0\) means invalid.

We require that for every n, every (PK, SK) output by \(\mathtt{{GEN}}\)(\(1^{n}\)), and every message M in the appropriate underlying plaintext space, it holds that

$${\mathtt{{VERIFY}}}_{PK}(M, {\mathtt{{SIGN}}}_{SK}(M)) = 1.$$

We say F is a valid signature on a message M if \({\mathtt{{VERIFY}}}_{PK}(M, F) = 1.\)

Definition 7

[Blind Signature]. A 2-move blind signature scheme is an interactive signature scheme with signer \(\mathcal {S}\) and user \(\mathcal {U}\) and can be defined as a tuple of probabilistic polynomial-time algorithms \(\varPi _{BSIG} = (\mathtt{{GEN}}, \mathtt{{BLIND}}, \mathtt{{UBLIND}}, \mathtt{{SIGN}}, \mathtt{{BVERIFY}})\) such that:

1. 1.

   The key-generation algorithm Gen takes as input a security parameter \(1^{n}\) and outputs a pair of keys (PK, SK). These are called the public key and the private key, respectively.

2. 2.

   Signature Issuing. The parties execute the following protocol, denoted \(\langle \mathcal {U}(PK, M), \mathcal {S}(SK) \rangle \):

   1. (a)

      \(M^* \leftarrow \mathtt{{BLIND}}(M)\): The user blinds the message M to obtain \(M^*\) and sends to the signer.

   2. (b)

      \(F^* \leftarrow \mathtt{{SIGN}}_{SK}(M^*)\): The signer outputs a signature \(F^*\) on input of message \(M^*\) and private key SK and sends to the user.

   3. (c)

      \(F \leftarrow \mathtt{{UBLIND}}(F^*)\): The user unblinds the signature \(F^*\) to obtain F. Note that the user inputs additional private state to the \(\mathtt{{UBLIND}}\) algorithm, which we leave implicit.

3. 3.

   The deterministic verification algorithm \(\mathtt{{BVERIFY}}\) takes as input a public key PK, a message M, and a signature F. It outputs a bit b where \(b = 1\) means valid and \(b = 0\) means invalid.

We require that for every n, every (PK, SK) output by \(\mathtt{{GEN}}\)(\(1^{n}\)), and every message \(M \in \{0, 1\}^n\) and any F output by \(\mathcal {U}\) in the joint execution of \(\langle \mathcal {U}(PK, M), \mathcal {S}(SK) \rangle \), it holds that

$${\mathtt{{BVERIFY}}}_{PK}(M, F)=1.$$

The security of blind signature schemes requires two properties, namely unforgeability and blindness.

Definition 8

[Unforgeability]. A 2-move blind signature scheme \(\varPi _{BSIG} = (\mathtt{{GEN}}, \mathtt{{BLIND}}, \mathtt{{UBLIND}}, \mathtt{{SIGN}}, \mathtt{{BVERIFY}})\) is called unforgeable if for any efficient algorithm \(\mathcal {A}\) the probability that experiment \({\text{ Unforge }}^{\varPi _{BSIG}}_{\mathcal {A}}(n)\) evaluates to 1 is negligible (as a function of n) where

Experiment Forge \(_{\varPi _{BSIG}}^{\mathcal {A}}\)

1. 1.

   \((SK, PK) \leftarrow \mathtt{{GEN}}(1^{n})\)

2. 2.

   ((\(M_1, F_1\)), \(\cdots \), \((M_{k+1}, {F}_{k+1})\)) \(\leftarrow \mathcal {A}^{{\langle \cdot , \mathcal {S}(SK) \rangle }^{\infty }}(PK)\) Return 1 iff

   1. (a)

      \(M_i \ne M_j\) for \(1 \le i < j \le k+1\) and

   2. (b)

      \({\mathtt{{BVERIFY}}}_{PK}(M_i, F_i) = 1\) for all \(i= 1, 2, \cdots , k+1,\) and

   3. (c)

      at most k interactions with \({\langle \cdot , \mathcal {S}(SK) \rangle }^{\infty }\) were completed.

Definition 9

[Blindness]. A 2-move blind signature scheme \(\varPi _{BSIG} = (\mathtt{{GEN}}, \mathtt{{BLIND}}, \mathtt{{UBLIND}}, \mathtt{{SIGN}}, \mathtt{{BVERIFY}})\) is called blind if for any efficient algorithm \(\mathcal {A}\) the probability that experiment \({Blind}^{\varPi _{BSIG}}_{{\mathtt{{BSIGN}}^*}}(n)\) evaluates to 1 is negligibly close to \(\frac{1}{2}\) where

Experiment Blind \(^{\varPi _{BSIG}}_{\mathtt{{BSIGN}}^*}\)

1. 1.

   \((PK, M_0, M_1, {st}_{find}) \leftarrow {\mathcal {A}}(find, 1^{n})\)

2. 2.

   \(b \leftarrow \{0, 1\}\)

3. 3.

   \({st}_{issue}\leftarrow {\mathcal {A}}^{{\langle \mathcal {U}(PK, M_b), \cdot \rangle }^{1}, {\langle \mathcal {U}(PK, M_{1-b}), \cdot \rangle }^{1}}(issue, {st}_{find})\) and let \(F_b, F_{1-b}\) denote the (possibly undefined) local outputs of \(\mathcal {U}(PK, M_b)\) resp. \(\mathcal {U}(PK, M_{1-b})\)

4. 4.

   set \((F_0, F_1) = (\bot , \bot )\) if \(F_0 = \bot \) or \(F_1 = \bot \)

5. 5.

   \(b^* = {\mathcal {A}}(guess, F_0, F_1, st_{issue})\)

6. 6.

   return 1 iff \(b = b^*\).

Definition 10

[Group Signature]. A group signature scheme \(\varPi _{GSIG}\) = \((GK_g, \mathtt{{GSIGN}}, \mathtt{{GVERIFY}}, \mathtt{{OPEN}})\) consists of four polynomial-time algorithms:

1. 1.

   The randomized group key generation algorithm \(GK_g\) takes input a security parameter \(1^{n}\) and \(1^m\) where \(m \in \mathbb {N}\) is the group size and outputs a tuple (gPK, gmSK, gSK), where gPK is the group public key, gmSK is the group manager’s secret key, and gSK is an n-vector of keys with gSK[i] being a secret signing key for player \(i \in [m]\).

2. 2.

   The randomized group signing algorithm \(\mathtt{{GSIGN}}\) takes as input a secret signing key gSK[i] and a message M to return a signature of M under gSK[i] \(i \in [m]\).

3. 3.

   The deterministic group signature verification algorithm \(\mathtt{{GVERIFY}}\) takes as input the group public key gPK, a message M, and a candidate signature F for M to return either 1 or 0.

4. 4.

   The deterministic opening algorithm \(\mathtt{{OPEN}}\) takes as input the group manager secret key gmSK, a message M, and a signature F of M to return an identity i or the symbol \(\bot \) to indicate failure.

Correctness: The scheme must satisfy the following correctness requirement. For all \(n, m \in \mathbb {N}\), all \((gPK, gmSK, gSK) \in [GK_g (1^{n}, 1^m)]\), all \(i \in [n]\) and all \(M \in \{0, 1\}^*\)

$${\mathtt{{GVERIFY}}}(gPK, M, {\mathtt{{GSIGN}}}(gSK[i], M))=1 \text{ and } $$

$$ {\mathtt{{OPEN}}}(gmSK, M, {\mathtt{{GSIGN}}}(gSK[i], M))=i$$

Definitions of security in the Universal Composability (UC) framework. We refer to previous work [9, 10, 21] for definitions of UC secure computation in the adaptive-corruption setting.