Abstract
The KHAPE-HMQV protocol is a state-of-the-art highly efficient asymmetric password-authenticated key exchange protocol that provides several desirable security properties, but has the drawback of being vulnerable to quantum adversaries due to its reliance on discrete logarithm-based building blocks: solving a single discrete logarithm allows the attacker to perform an offline dictionary attack and recover the password. We show how to modify KHAPE-HMQV to make the protocol quantum-annoying: a classical adversary who has the additional ability to solve discrete logarithms can only break the protocol by solving a discrete logarithm for each guess of the password. While not fully resistant to attacks by quantum computers, a quantum-annoying protocol could offer some resistance to quantum adversaries for whom discrete logarithms are relatively expensive. Our modification to the protocol is small: encryption (using an ideal cipher) is added to one message. Our analysis uses the same ideal cipher model assumption as the original analysis of KHAPE, and quantum annoyingness is modelled using an extension of the generic group model which gives a classical adversary a discrete logarithm oracle.
Acknowledgements
M.T. was supported by funding from the topic Engineering Secure Systems of the Helmholtz Association (HGF) and by KASTEL Security Research Labs. D.S. was supported by Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2022-03187 and NSERC Alliance grant ALLRP 578463-22.
Appendices
A1 Oracles for Proof of Theorem 2
Algorithms 6 to 8 are detailed oracles for the proof of Theorem 2 in Sect. 3.2.
A2 Full Proof of Theorem 1
We offer the complete proof of Theorem 1 as a sequence of game hops. First, the function CoreMap(\(C\), \(S\), sid) uses the counter \(\bar{l}\), which maps to the static variables indexed with \(l\), and the counters \(\textit{ctr}_{\bar{l}}\), \(\textit{ctr}_{C, S}\), \(\textit{ctr}_{C, S, \text {sid}}\) corresponding to the instances using these static variables. All variables are initialized to zero. CoreMap works as follows: if \(\textit{ctr}_{C, S, \text {sid}} > 0\), the respective transcript \(e_{\textit{ctr}_{C, S}}, Y_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}, c_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}\) has been generated before and is returned. Otherwise, if \(\textit{ctr}_{C, S} = 0\), this is the first interaction with registrant \(l\). The reduction sets \(\textit{ctr}_{C, S} \leftarrow \bar{l}\), \(\textit{ctr}_{\bar{l}} \leftarrow 1\), increments \(\bar{l}\), corresponding to \(\textit{ctr}_l\) in \(\text {KHAPE} _{\text {CORE}}\), and sets \(\textit{ctr}_{C, S, \text {sid}} \leftarrow 1\). The oracle \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}(\textit{ctr}_{C, S})\) is queried; its output is stored and returned. If \(\textit{ctr}_{C, S} > 0\), the reduction sets \(\textit{ctr}_{C, S, \text {sid}} \leftarrow \textit{ctr}_{\bar{l}}\), increments \(\textit{ctr}_{\bar{l}}\) and queries \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}(\textit{ctr}_{C, S})\). The output is stored in \(e_{\textit{ctr}_{C, S}}, Y_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}, c_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}\) and returned.
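The counter bookkeeping of CoreMap, as an added Python illustration (this is not the paper's code). Two assumptions are made: the paper's \(\textit{ctr}_{\bar{l}}\) is read as the per-registrant session counter \(\textit{ctr}_l\), holding the next unused session index of registrant \(l = \textit{ctr}_{C, S}\) (so it is advanced past index 1 after the first session); and \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}\) is replaced by a constructed stand-in that returns labelled strings instead of real group elements and ciphertexts. The example shows the three branches: a repeated \((C, S, \text {sid})\) returns the cached transcript, a new sid under a known registrant reuses \(\textit{ctr}_{C, S}\) with a fresh session index, and a new \((C, S)\) pair allocates a fresh registrant index.

```python
"""Added illustration of the CoreMap(C, S, sid) bookkeeping described above.

Not the paper's code.  Assumptions: the paper's ctr_{l-bar} is read as the
per-registrant session counter ctr_l (next unused session index of registrant
l = ctr_{C,S}); KHAPE_CORE.PassiveExec is replaced by a stand-in returning
constructed, labelled strings rather than real group elements.
"""


class FakeKhapeCore:
    """Stand-in for the KHAPE_CORE challenger (constructed, not the real oracle).

    PassiveExec(l) returns a transcript (e, Y, c) for registrant l: the
    encrypted static value e depends only on l, while Y and c are fresh per
    call, mimicking a new passive session under the same credentials.
    """

    def __init__(self):
        self.calls = 0          # number of real oracle queries made
        self.sessions = {}      # registrant index -> sessions run so far

    def passive_exec(self, l):
        self.calls += 1
        n = self.sessions.get(l, 0) + 1
        self.sessions[l] = n
        return (f"e[{l}]", f"Y[{l},{n}]", f"c[{l},{n}]")


class CoreMap:
    """Maps (C, S, sid) instances of the aPAKE game onto KHAPE_CORE instances."""

    def __init__(self, core):
        self.core = core
        self.next_l = 1        # \bar{l}: next unused registrant index
        self.ctr_cs = {}       # ctr_{C,S}: registrant index of (C, S); absent = 0
        self.ctr_l = {}        # ctr_l: next unused session index of registrant l
        self.ctr_sid = {}      # ctr_{C,S,sid}: session index of (C, S, sid); absent = 0
        self.transcripts = {}  # (l, session index) -> (e, Y, c)

    def __call__(self, C, S, sid):
        l = self.ctr_cs.get((C, S), 0)
        j = self.ctr_sid.get((C, S, sid), 0)
        if j > 0:
            # Transcript for this (C, S, sid) was generated before: return it.
            return self.transcripts[(l, j)]
        if l == 0:
            # First interaction with this registrant: allocate a fresh index.
            l = self.next_l
            self.next_l += 1
            self.ctr_cs[(C, S)] = l
            j = 1
            self.ctr_l[l] = 2  # assumption: session index 1 is consumed right away
        else:
            # Known registrant, new sid: take the next session index.
            j = self.ctr_l[l]
            self.ctr_l[l] = j + 1
        self.ctr_sid[(C, S, sid)] = j
        out = self.core.passive_exec(l)   # exactly one oracle query per new session
        self.transcripts[(l, j)] = out
        return out


def demo():
    """Run a few Execute-style lookups and return the state for inspection."""
    cm = CoreMap(FakeKhapeCore())
    first = cm("alice", "server", "sid-1")
    repeat = cm("alice", "server", "sid-1")   # same instance: cached transcript
    second = cm("alice", "server", "sid-2")   # same registrant, new session
    other = cm("bob", "server", "sid-1")      # different registrant
    return cm, first, repeat, second, other


if __name__ == "__main__":
    cm, first, repeat, second, other = demo()
    print(first, repeat, second, other, cm.core.calls, sep="\n")
```

The point the counters make visible is that the number of \(\textsc {PassiveExec}\) queries equals the number of distinct \((C, S, \text {sid})\) instances, which is what later lets the proof count the \(\text {KHAPE} _{\text {CORE}}\) queries by the number of Execute queries.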
\(G_{0}\) (Figure 1). This is the real protocol.
\(G_{1}\) (Passive Sessions). On input \(\textsc {Execute}{}(C, S, \text {sid})\), we set \(k_1 = k_2 \leftarrow \{0,1\}{}^{\kappa {}}\) and compute the key confirmation values \(\tau , \gamma \) and session keys using the prf. The adversary's oracle calls to all instances \(l\) for which Execute has been called are simulated as follows: First, the simulation invokes \(\textit{CoreMap}{}(C, S, \text {sid})\) to obtain \(k_{1}, c{}_X'\) from \(\text {KHAPE} _{\text {CORE}}{}.\textsc {Active}{}_{C}(\textit{ctr}_{C, S, \text {sid}}, e, Y)\), which is used to compute the confirmation values \(\tau , \gamma \). On a \(\textsc {Corrupt}{}(C{}, S)\) query, the extraction calls \(\text {KHAPE} _{\text {CORE}}{}.\textsc {Get}\textsc {Static}{}(\textit{ctr}_{C, S})\), which returns \(\pi _l, \text {sk}_l\) and programs the key \(k_{1}\) returned by a \(\text {KHAPE} _{\text {CORE}}\).Active oracle into the correct position of the random oracle \(\mathcal {H}{}_2\). The extraction receives \(a, B, \text {sk}\) from the ideal cipher on query \(\text {IC}_1.D(\text {sk}_1, e)\) as well as the discrete logarithm \(b\) from \(\text {KHAPE} _{\text {CORE}}{}.\textsc {Dlog}{}(B)\). It then computes \(A \leftarrow g{}^a\). Let \(\mathcal {P}\) be a table corresponding to all \(N\) passwords. The extraction sets \(\pi {} \leftarrow \mathcal {P}[\text {sk}{}_1]\), i.e., the \(\text {sk}_1\)’th entry of the table, and returns \(\pi , (e, A, b, \text {sk})\), which is a perfect simulation. For the queries \(\mathcal {H}{}_1(\text {sid}, C, S, *)\), if the entry \(\textit{ctr}_{C, S, \text {sid}}\) is defined, the query is forwarded to the \(\text {KHAPE} _{\text {CORE}}\)-challenger, and the result is returned. Otherwise, a value is sampled uniformly at random from the range of \(\mathcal {H}_{1}\), and a table is maintained for consistent responses. \(\mathcal {H}{}_2(\text {sid}, C, S, *)\) is simulated analogously to \(\mathcal {H}{}_1\).
All queries to \(\text {IC}_1\) and \(\text {IC}_2\) are forwarded to the \(\text {KHAPE} _{\text {CORE}}\)-challenger. In Sect. 4 the divergence \(q_{\scriptscriptstyle {\mathcal {H}{}_2}}/p{}\) from this simulation, i.e., the random oracle and ideal cipher queries, has already been discussed.
Finally, the adversary may issue a Test or Reveal query, in which case the session key received from the \(\text {KHAPE} _{\text {CORE}}\) is returned. In the first case, the extraction simulates either \(G_{0}\), if the \(\text {KHAPE} _{\text {CORE}}\) challenge bit \(s\) is zero, or \(G_{1}\), if the \(\text {KHAPE} _{\text {CORE}}\) challenge bit \(s\) is one. When \(s=0\), the values of \(e, c{}_X\) as well as \(\tau , \gamma \) are distributed as expected (i.e., as in \(G_{0}\)), since the keys \(k_1 = k{}_2\) are identical and thus \(\gamma \) can also be computed from \(k{}_1\). On the other hand, if \(s=1\), the key \(k_{1}\) is chosen uniformly at random as expected, and thus the key confirmation values also have the expected distribution.
In the second case, key \(k_1\) returned from the simulation is real-or-random, but would be expected to always be real. However, from an adversary detecting this change an extraction of a winning query to the \(\text {KHAPE} _{\text {CORE}}\) can be provided: In order to notice the change, the adversary \(\mathcal {A}\) has to query the random oracle on \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{C})\) or \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{S})\), both of which allow to instantly win the \(\text {KHAPE} _{\text {CORE}}\)-game. Note that the key confirmation values returned by the aPAKE impact the advantage to win the \(\text {KHAPE} _{\text {CORE}}\), since even a passive execution allows to verify if a derived session key is correct. Therefore, the term \(\min (q_{\scriptscriptstyle {\textsc {AE}_{C}}} + q_{\scriptscriptstyle {\textsc {AE}_{S}}}, 1)\) is 1. Further, the inputs to \(\textit{CoreMap}{}.\textsc {Active}{}_{*}\) are sampled in \(\text {KHAPE} _{\text {CORE}}{}.\textsc {PassiveExec}{}\) such that no new group elements, the discrete logarithm of which is knowable to the adversary, have to be considered in the probability to win the \(\text {KHAPE} _{\text {CORE}}\)-game. Consequently, the number of these queries is exactly the number of Execute queries. The probability to detect the difference between game \(G_{0}\) and \(G_{1}\) is then bounded by \(q_{\scriptscriptstyle {\textsc {Dlog}{}}}/N + \epsilon _{\textit{passiv}} + q_{\scriptscriptstyle {\mathcal {H}{}_2}}/p{}\) with \(\epsilon _{\textit{passiv}} := (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ {}}})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}{}}} q_{\scriptscriptstyle {\circ {}}}^2)/p{} + q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Execute}{}}}/2^{n_1} + q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Execute}{}}}/2^{n_2}\).
\(G_{2}\) (Active Sessions). In \(G_{2}\), the modifications are extended to active sessions: On input \(\textsc {Send}{}(C, l, M = (S, \text {sid}))\) the simulation responds with the values \(e, Y\) retrieved from \(\text {KHAPE} _{\text {CORE}}\).PassiveExec. On input \(\textsc {Send}{}(C, l, M = (S, \text {sid}, c_X, \tau ))\) we sample \(k{}_2 \leftarrow \{0,1\}^{\kappa {}}\) uniformly at random and compute \(\tau ' \leftarrow \textit{prf}(k_2, 1)\). The session key and the key confirmation value are generated from \(k_1, k_2\) based on \(\tau = \tau '\) as in a genuine execution of the protocol. On input \(\textsc {Send}{}(C, l, M = (S, \text {sid}, e, Y))\) the simulation samples a uniformly random value \(k{}_1 \leftarrow \{0,1\}^{\kappa {}}\) and computes the key confirmation value \(\tau \) using the prf. On input \(\textsc {Send}{}(C, l, M = (S, \text {sid}, \gamma ))\) we compute \(\gamma ' \leftarrow \textit{prf}(k_1, 2)\) and set the session key conditionally on the outcome of \(\gamma = \gamma '\) (i.e., as in the real protocol). On queries to the random oracle, ideal cipher, \(\textsc {Reveal}{}\) and \(\textsc {Corrupt}{}\) the reduction behaves identically to \(G_{1}\), and thus the divergence is identical.
Eventually, the adversary may issue a Test or Reveal query, receiving a session key from the \(\text {KHAPE} _{\text {CORE}}\). To bound the adversary's chance to detect the modification, a similar extractor of a winning query to the \(\text {KHAPE} _{\text {CORE}}\)-game is provided. As described at the beginning of this appendix, the reduction calls CoreMap to map instances of the QA-BPR-game to instances of the \(\text {KHAPE} _{\text {CORE}}\)-game.
Impersonation of Clients: On \(\textsc {Send}{}(C, l, M = (S, \text {sid}))\) the extraction calls \(\textit{CoreMap}(C, S, \text {sid})\), which causes \(\textit{ctr}_{C, S}\) to become defined if it previously was not, and the retrieved values e, Y are returned. On \(\textsc {Send}{}(C, i, M = (S, \text {sid}, c{}_X, \tau ))\) the reduction calls \(\textit{CoreMap}(C, S, \text {sid})\) to subsequently obtain \(k_2 \leftarrow \text {KHAPE} _{\text {CORE}}{}.\textsc {Active}{}(\textit{ctr}_{C, S}, c_X)\). The key confirmation value \(\tau '\) is computed from the obtained key using the prf. The session key and key confirmation value are set conditioned on \(\tau = \tau '\) as in the real protocol.
Impersonation of Server: On \(\textsc {Send}{}(S, i, M = (C, \text {sid}, j, e, Y))\), the reduction calls \(\textit{CoreMap}(C, S, \text {sid})\), which causes \(\textit{ctr}_{C, S}\) to become defined if it previously was not. Then the reduction calls \(k_1 \leftarrow \text {KHAPE} _{\text {CORE}}{}.\textsc {Active}{}(\textit{ctr}_{C, S}, e, Y)\), computes the key confirmation value \(\tau \) genuinely using the prf, and returns \(c_X, \tau \). On \(\textsc {Send}{}(S, i, M = (C, j, \gamma , \text {sid}))\), the reduction computes \(\gamma '\) from the key \(k_{2}\) using the prf and compares this to \(\gamma \). If they match, the session key is set to \(\text {K}{}_1 \leftarrow \textit{prf}(k_1, 0)\), and otherwise to \(\bot \).
For Send the arguments are analogous to \(G_{1}\): If Test was queried, the reduction simulates \(G_{1}\) (and thus \(G_{0}\)) perfectly if the \(\text {KHAPE} _{\text {CORE}}\) challenge bit \(s=0\), and simulates \(G_{2}\) if \(s=1\). Otherwise, the adversary can detect the change only by querying the random oracle on either of the two inputs \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{C})\) or \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{S})\), both of which are winning queries for the reduction in \(\text {KHAPE} _{\text {CORE}}\). The number of Active queries for which the adversary may choose the input is bounded by the number of Send queries, bounding the difference between game \(G_{1}\) and \(G_{2}\) by \((q_{\scriptscriptstyle {\textsc {Dlog}{}}} + q_{\scriptscriptstyle {\textsc {Send}{}}})/N + \epsilon _{\textit{activ}} + q_{\scriptscriptstyle {\mathcal {H}{}_2}}/p{}\) with \(\epsilon _{\textit{activ}} := (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ {}}})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}{}}} q_{\scriptscriptstyle {\circ {}}}^2)/p{} + q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Send}{}}}/2^{n_1} + q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Send}{}}}/2^{n_2}\).
\(G_{3}\) (Random Session Keys). The final modification in \(G_{3}\) was discussed in Sect. 4, resulting in the term \((q_{\scriptscriptstyle {\textsc {Exec}{}}} + q_{\scriptscriptstyle {\textsc {Send}{}}}) \epsilon _{\textit{prf}}\). The session keys are now uniformly random and independent of the password and credentials, leaving the adversary with only a guessing attack. The probability that the adversary can distinguish \(G_{0}\) from \(G_{3}\) is bounded by \((q_{\scriptscriptstyle {\textsc {Dlog}{}}} + q_{\scriptscriptstyle {\textsc {Send}{}}})/N + q_{\scriptscriptstyle {\mathcal {H}{}_2}}/p{} + (q_{\scriptscriptstyle {\textsc {Exec}{}}} + q_{\scriptscriptstyle {\textsc {Send}{}}}) \epsilon _{\textit{prf}} + \epsilon \), with \(\epsilon \le (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ {}}})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}{}}} q_{\scriptscriptstyle {\circ {}}}^2)/p{} + (q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Send}{}}} + q_{\scriptscriptstyle {\textsc {Exec}{}}})/2^{n_1} + (q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Send}{}}} + q_{\scriptscriptstyle {\textsc {Exec}{}}})/2^{n_2}\). This concludes the proof. \(\square \)
© 2024 Crown
Cite this paper
Tiepelt, M., Eaton, E., Stebila, D. (2024). Making an Asymmetric PAKE Quantum-Annoying by Hiding Group Elements. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_9
DOI: https://doi.org/10.1007/978-3-031-50594-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-50593-5
Online ISBN: 978-3-031-50594-2