
Making an Asymmetric PAKE Quantum-Annoying by Hiding Group Elements

Conference paper, in: Computer Security – ESORICS 2023 (ESORICS 2023)

Abstract

The KHAPE-HMQV protocol is a state-of-the-art highly efficient asymmetric password-authenticated key exchange protocol that provides several desirable security properties, but has the drawback of being vulnerable to quantum adversaries due to its reliance on discrete logarithm-based building blocks: solving a single discrete logarithm allows the attacker to perform an offline dictionary attack and recover the password. We show how to modify KHAPE-HMQV to make the protocol quantum-annoying: a classical adversary who has the additional ability to solve discrete logarithms can only break the protocol by solving a discrete logarithm for each guess of the password. While not fully resistant to attacks by quantum computers, a quantum-annoying protocol could offer some resistance to quantum adversaries for whom discrete logarithms are relatively expensive. Our modification to the protocol is small: encryption (using an ideal cipher) is added to one message. Our analysis uses the same ideal cipher model assumption as the original analysis of KHAPE, and quantum annoyingness is modelled using an extension of the generic group model which gives a classical adversary a discrete logarithm oracle.
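As an added example (not code from the paper), the following toy reproduces the abstract's argument in a simplified Diffie-Hellman envelope scheme that stands in for KHAPE-HMQV: a passive attacker holding a discrete-log oracle needs one dlog in total when the client's group element X is sent in the clear, but one dlog per password guess once X is hidden under an ideal cipher keyed from the envelope. The group size, the additive-mask "ideal cipher", the shared-secret formula, the function names and the password list are all constructed assumptions.

```python
# Added toy model of the abstract's argument, not the paper's code: a passive attacker with a
# dlog oracle runs an offline dictionary attack on a password envelope, with and without the
# client's X hidden under an ideal cipher. Simplified DH stand-in for KHAPE-HMQV; all constructed.
import hashlib, random

P, G, Q = 1019, 2, 1018   # safe prime, 2 generates Z_P^*, exponent order (toy size)

def h(*parts) -> bytes:
    return hashlib.sha256("|".join(map(str, parts)).encode()).digest()
def ic(key: bytes, label: str, m: int, decrypt: bool = False) -> int:
    """Toy ideal cipher on Z_Q: keyed additive mask, i.e. a permutation per key."""
    mask = int.from_bytes(h(key.hex(), label), "big") % Q
    return (m - mask) % Q if decrypt else (m + mask) % Q

class DlogOracle:   # brute-force dlog with a call counter: the attacker's expensive step
    def __init__(self):
        self.calls = 0
    def dlog(self, X: int) -> int:
        self.calls += 1
        return next(i for i in range(Q) if pow(G, i, P) == X)

def register(pw: str, rng):
    """Envelope e = IC_1.E(H(pw), (a, B, sk)); group elements are encoded in Z_Q as X-1."""
    a, b, sk = rng.randrange(Q), rng.randrange(Q), rng.randrange(Q)
    B, key = pow(G, b, P), h("pw", pw)
    return ic(key, "a", a), ic(key, "B", B - 1), ic(key, "sk", sk)

def open_envelope(pw: str, e):
    key = h("pw", pw)   # a wrong password yields random-looking but well-formed (a', B', sk')
    return ic(key, "a", e[0], True), ic(key, "B", e[1], True) + 1, ic(key, "sk", e[2], True)

def transcript(pw: str, e, rng, hide: bool):
    """Passive view (e, Y, c_X, tau) of one honest run; hide=False is the unprotected baseline."""
    x, y = rng.randrange(Q), rng.randrange(Q)
    X, Y = pow(G, x, P), pow(G, y, P)
    a, B, sk = open_envelope(pw, e)
    sigma = pow(Y * B % P, (x + a) % Q, P)          # shared secret g^{(x+a)(y+b)}
    c_X = ic(h("sk", sk), "X", X - 1) + 1 if hide else X
    return e, Y, c_X, h("tau", sigma)

def dictionary_attack(view, words, oracle, hide: bool):
    e, Y, c_X, tau = view
    x = None if hide else oracle.dlog(c_X)          # baseline: one dlog, then purely offline
    hits = []
    for guess in words:
        a, B, sk = open_envelope(guess, e)
        if hide:                                    # each guess decrypts to its own X' to solve
            x = oracle.dlog(ic(h("sk", sk), "X", c_X - 1, True) + 1)
        if h("tau", pow(Y * B % P, (x + a) % Q, P)) == tau:
            hits.append(guess)
    return hits

def demo(seed: int = 1):   # -> {hide: (dlog oracle calls, guesses consistent with tau)}
    rng, pw, out = random.Random(seed), "correct horse", {}
    e = register(pw, rng)
    words = ["password", "letmein", pw, "hunter2", "qwerty", "dragon"]
    for hide in (False, True):
        oracle = DlogOracle()
        hits = dictionary_attack(transcript(pw, e, rng, hide), words, oracle, hide)
        out[hide] = (oracle.calls, hits)
    return out
```

Running `demo()` shows the baseline spending a single oracle call for the whole dictionary, while the hidden variant spends one call per guess, which is the cost profile the paper calls quantum-annoying.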



Acknowledgements

M.T. was supported by funding from the topic Engineering Secure Systems of the Helmholtz Association (HGF) and by KASTEL Security Research Labs. D.S. was supported by Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2022-03187 and NSERC Alliance grant ALLRP 578463-22.

Corresponding author

Correspondence to Edward Eaton.


Appendices

A1 Oracles for Proof of Theorem 2

Algorithms 6 to 8 are detailed oracles for the proof of Theorem 2 in Sect. 3.2.


A2 Full Proof of Theorem 1

We offer the complete proof of Theorem 1 as a sequence of game hops. First, the function CoreMap(\(C\), \(S\), sid) uses the counter \(\bar{l}\), mapping to the static variables indexed with l, and the counters \(\textit{ctr}_{\bar{l}}\), \(\textit{ctr}_{C, S}\), \(\textit{ctr}_{C, S, \text {sid}}\) corresponding to the instances using these static variables. All variables are initialized to zero. CoreMap works as follows: if \(\textit{ctr}_{C, S, \text {sid}} > 0\), the respective transcript \(e_{\textit{ctr}_{C, S}}, Y_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}, c_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}\) has been generated before and is returned. Otherwise, if \(\textit{ctr}_{C, S} = 0\), this is the first interaction with registrant l. The reduction sets \(\textit{ctr}_{C, S} \leftarrow \bar{l}\), \(\textit{ctr}_{\bar{l}} \leftarrow 1\), increments \(\bar{l}\) (corresponding to \(\textit{ctr}_l\) in \(\text {KHAPE} _{\text {CORE}}\)), and sets \(\textit{ctr}_{C, S, \text {sid}} \leftarrow 1\). The oracle \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}(\textit{ctr}_{C, S})\) is queried; the output is stored and returned. If \(\textit{ctr}_{C, S} > 0\), the reduction sets \(\textit{ctr}_{C, S, \text {sid}} \leftarrow \textit{ctr}_{\bar{l}}\), increments \(\textit{ctr}_{\bar{l}}\) and queries \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}(\textit{ctr}_{C, S})\). The output is stored in \(e_{\textit{ctr}_{C, S}}, Y_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}, c_{\textit{ctr}_{C, S}, \textit{ctr}_{C, S, \text {sid}}}\) and returned.

\(G_{0}\) (Figure 1). This is the real protocol.

\(G_{1}\) (Passive Sessions). On input \(\textsc {Execute}(C, S, \text {sid})\), we set \(k_1 = k_2 \leftarrow \{0,1\}^{\kappa }\) and compute the key confirmation values \(\tau , \gamma \) and the session keys using the prf. The adversary's oracle calls to all instances l for which Execute has been called are simulated as follows. First, the simulation invokes \(\textit{CoreMap}(C, S, \text {sid})\) to obtain \(k_{1}, c_X'\) from \(\text {KHAPE} _{\text {CORE}}.\textsc {Active}_{C}(\textit{ctr}_{C, S, \text {sid}}, e, Y)\), which are used to compute the confirmation values \(\tau , \gamma \). On a \(\textsc {Corrupt}(C, S)\) query, the extraction calls \(\text {KHAPE} _{\text {CORE}}.\textsc {Get}\textsc {Static}(\textit{ctr}_{C, S})\), which returns \(\pi _l, \text {sk}_l\) and programs the key \(k_{1}\) returned by a \(\text {KHAPE} _{\text {CORE}}\).Active oracle into the correct position of the random oracle \(\mathcal {H}_2\). The extraction receives \(a, B, \text {sk}\) from the ideal cipher on query \(\text {IC}_1.D(\text {sk}_1, e)\), as well as the discrete logarithm b from \(\text {KHAPE} _{\text {CORE}}.\textsc {Dlog}(B)\). It then computes \(A \leftarrow g^a\). Let \(\mathcal {P}\) be a table corresponding to all \(N\) passwords. The extraction sets \(\pi \leftarrow \mathcal {P}[\text {sk}_1]\), i.e., the \(\text {sk}_1\)’th entry of the table, and returns \(\pi , (e, A, b, \text {sk})\), which is a perfect simulation. For the queries \(\mathcal {H}_1(\text {sid}, C, S, *)\), if the entry \(\textit{ctr}_{C, S, \text {sid}}\) is defined, the query is forwarded to the \(\text {KHAPE} _{\text {CORE}}\)-challenger, and the result is returned. Otherwise, a value is sampled uniformly at random from the range of \(\mathcal {H}_{1}\), and a table is maintained for consistent responses. \(\mathcal {H}_2(\text {sid}, C, S, *)\) is simulated analogously to \(\mathcal {H}_1\). All queries to \(\text {IC}_1\) and \(\text {IC}_2\) are forwarded to the \(\text {KHAPE} _{\text {CORE}}\)-challenger. The divergence \(q_{\scriptscriptstyle {\mathcal {H}_2}}/p\) introduced by this simulation, i.e., by the random oracle and ideal cipher queries, has already been discussed in Sect. 4.

Finally, the adversary may issue a Test or Reveal query, and the session key received from the \(\text {KHAPE} _{\text {CORE}}\) is returned. In the first case, the extraction simulates either \(G_{0}\), if the \(\text {KHAPE} _{\text {CORE}}\) challenge bit s is zero, or \(G_{1}\), if s is one. When \(s=0\), the values of \(e, c_X\) as well as \(\tau , \gamma \) are distributed as expected (i.e., as in \(G_{0}\)), since the keys \(k_1 = k_2\) are identical and thus \(\gamma \) can also be computed from \(k_1\). On the other hand, if \(s=1\), the key \(k_{1}\) is chosen uniformly at random as expected, and thus the key confirmation values also have the expected distribution.

In the second case, the key \(k_1\) returned from the simulation is real-or-random, but would be expected to always be real. However, from an adversary detecting this change, an extraction of a winning query to the \(\text {KHAPE} _{\text {CORE}}\) can be provided: in order to notice the change, the adversary \(\mathcal {A}\) has to query the random oracle on \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{C})\) or \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{S})\), both of which allow the reduction to instantly win the \(\text {KHAPE} _{\text {CORE}}\)-game. Note that the key confirmation values returned by the aPAKE affect the advantage of winning the \(\text {KHAPE} _{\text {CORE}}\)-game, since even a passive execution allows the adversary to verify whether a derived session key is correct. Therefore, the term \(\min (q_{\scriptscriptstyle {\textsc {AE}_{C}}} + q_{\scriptscriptstyle {\textsc {AE}_{S}}}, 1)\) is 1. Further, the inputs to \(\textit{CoreMap}.\textsc {Active}_{*}\) are sampled in \(\text {KHAPE} _{\text {CORE}}.\textsc {PassiveExec}\), so that no new group elements whose discrete logarithm is knowable to the adversary have to be considered in the probability of winning the \(\text {KHAPE} _{\text {CORE}}\)-game. Consequently, the number of these queries is exactly the number of Execute queries. The probability of detecting the difference between games \(G_{0}\) and \(G_{1}\) is then bounded by \(q_{\scriptscriptstyle {\textsc {Dlog}}}/N + \epsilon _{\textit{passiv}} + q_{\scriptscriptstyle {\mathcal {H}_2}}/p\) with \(\epsilon _{\textit{passiv}} := (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ }})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}}} q_{\scriptscriptstyle {\circ }}^2)/p + q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Execute}}}/2^{n_1} + q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Execute}}}/2^{n_2}\).

\(G_{2}\) (Active Sessions). In \(G_{2}\), the modifications are extended to active sessions: On input \(\textsc {Send}(C, l, M = (S, \text {sid}))\) the simulation responds with the values \(e, Y\) retrieved from \(\text {KHAPE} _{\text {CORE}}\).PassiveExec. On input \(\textsc {Send}(C, l, M = (S, \text {sid}, c_X, \tau ))\) we sample \(k_2 \leftarrow \{0,1\}^{\kappa }\) uniformly at random and compute \(\tau ' \leftarrow \textit{prf}(k_2, 1)\). The session key and the key confirmation value are generated from \(k_1, k_2\) depending on whether \(\tau = \tau '\), as in a genuine execution of the protocol. On input \(\textsc {Send}(C, l, M = (S, \text {sid}, e, Y))\) the simulation samples a uniformly random value \(k_1 \leftarrow \{0,1\}^{\kappa }\) and computes the key confirmation value \(\tau \) using the prf. On input \(\textsc {Send}(C, l, M = (S, \text {sid}, \gamma ))\) we compute \(\gamma ' \leftarrow \textit{prf}(k_1, 2)\) and set the session key conditionally on the outcome of \(\gamma = \gamma '\) (i.e., as in the real protocol). On queries to the random oracle, the ideal cipher, \(\textsc {Reveal}\) and \(\textsc {Corrupt}\), the reduction behaves identically to \(G_{1}\), and thus the divergence is identical.

Eventually, the adversary may issue a Test or Reveal query, receiving a session key from the \(\text {KHAPE} _{\text {CORE}}\). To bound the adversary's chance of detecting the modification, a similar extractor of a winning query to the \(\text {KHAPE} _{\text {CORE}}\)-game is provided. Similarly to Appendix A2, the reduction calls CoreMap to map instances of the QA-BPR game to instances of the \(\text {KHAPE} _{\text {CORE}}\)-game.

Impersonation of Clients: On \(\textsc {Send}(C, l, M = (S, \text {sid}))\) the extraction calls \(\textit{CoreMap}(C, S, \text {sid})\), which causes \(\textit{ctr}_{C, S}\) to become defined if it previously was not, and the retrieved values \(e, Y\) are returned. On \(\textsc {Send}(C, i, M = (S, \text {sid}, c_X, \tau ))\) the reduction calls \(\textit{CoreMap}(C, S, \text {sid})\) and subsequently obtains \(k_2 \leftarrow \text {KHAPE} _{\text {CORE}}.\textsc {Active}(\textit{ctr}_{C, S}, c_X)\). The key confirmation value \(\tau '\) is computed from the obtained key using the prf. The session key and key confirmation value are set conditioned on \(\tau = \tau '\), as in the real protocol.

Impersonation of Server: On \(\textsc {Send}(S, i, M = (C, \text {sid}, j, e, Y))\), the reduction calls \(\textit{CoreMap}(C, S, \text {sid})\), which causes \(\textit{ctr}_{C, S}\) to become defined if it previously was not. Then the reduction calls \(k_1 \leftarrow \text {KHAPE} _{\text {CORE}}.\textsc {Active}(\textit{ctr}_{C, S}, e, Y)\), computes the key confirmation value \(\tau \) genuinely using the prf, and returns \(c_X, \tau \). On \(\textsc {Send}(S, i, M = (C, j, \gamma , \text {sid}))\), the reduction computes \(\gamma '\) from the key \(k_{2}\) using the prf and compares it to \(\gamma \). If they match, the session key is set to \(\text {K}_1 \leftarrow \textit{prf}(k_1, 0)\), and otherwise to \(\bot \).

For Send the arguments are analogous to \(G_{1}\): if Test was queried, the reduction simulates \(G_{1}\) (and thus \(G_{0}\)) perfectly if the \(\text {KHAPE} _{\text {CORE}}\) challenge bit is \(s=0\), and simulates \(G_{2}\) if \(s=1\). Otherwise, the adversary can detect the change only by querying the random oracle on either of the two inputs \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{C})\) or \(\mathcal {H}_2(\text {sid}, C, S, X, Y, \sigma _{S})\), both of which are winning queries for the reduction in \(\text {KHAPE} _{\text {CORE}}\). The number of Active queries for which the adversary may choose the input is bounded by the number of Send queries, bounding the difference between games \(G_{1}\) and \(G_{2}\) by \((q_{\scriptscriptstyle {\textsc {Dlog}}} + q_{\scriptscriptstyle {\textsc {Send}}})/N + \epsilon _{\textit{activ}} + q_{\scriptscriptstyle {\mathcal {H}_2}}/p\) with \(\epsilon _{\textit{activ}} := (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ }})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}}} q_{\scriptscriptstyle {\circ }}^2)/p + q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Send}}}/2^{n_1} + q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Send}}}/2^{n_2}\).

\(G_{3}\) (Random Session Keys). The final modification in \(G_{3}\) was discussed in Sect. 4, resulting in the term \((q_{\scriptscriptstyle {\textsc {Exec}}} + q_{\scriptscriptstyle {\textsc {Send}}}) \epsilon _{\textit{prf}}\). The session keys are now uniformly random and independent of the password and credentials, leaving the adversary with a guessing attack. The probability that the adversary can distinguish \(G_{0}\) from \(G_{3}\) is bounded by \((q_{\scriptscriptstyle {\textsc {Dlog}}} + q_{\scriptscriptstyle {\textsc {Send}}})/N + q_{\scriptscriptstyle {\mathcal {H}_2}}/p + (q_{\scriptscriptstyle {\textsc {Exec}}} + q_{\scriptscriptstyle {\textsc {Send}}}) \epsilon _{\textit{prf}} + \epsilon \), with \(\epsilon \le (q_{\scriptscriptstyle {\text {IC}_1}} + q_{\scriptscriptstyle {\text {IC}_2}} + q_{\scriptscriptstyle {\circ }})^2 + (q_{\scriptscriptstyle {\textsc {Dlog}}} q_{\scriptscriptstyle {\circ }}^2)/p + (q_{\scriptscriptstyle {\text {IC}_1}}^2 + q_{\scriptscriptstyle {\textsc {Send}}} + q_{\scriptscriptstyle {\textsc {Exec}}})/2^{n_1} + (q_{\scriptscriptstyle {\text {IC}_2}}^2 + q_{\scriptscriptstyle {\textsc {Send}}} + q_{\scriptscriptstyle {\textsc {Exec}}})/2^{n_2}\). This concludes the proof.    \(\square \)


Copyright information

© 2024 Crown

About this paper


Cite this paper

Tiepelt, M., Eaton, E., Stebila, D. (2024). Making an Asymmetric PAKE Quantum-Annoying by Hiding Group Elements. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_9


  • DOI: https://doi.org/10.1007/978-3-031-50594-2_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-50593-5

  • Online ISBN: 978-3-031-50594-2
