Quantum-safe multi-server password-based authenticated key exchange protocol

Published in: Multimedia Tools and Applications

Abstract

Password-based authentication is one of the most prevalent access control mechanisms. Typical password-authenticated key exchange (PAKE) protocols assume a single-server setting and are therefore vulnerable to server compromise attacks. To defend against such attacks, multi-server PAKE schemes have been proposed, but most of them are built on hardness assumptions that are not quantum-secure. Lattice-based cryptosystems are regarded by NIST as the most promising candidates for the post-quantum era, yet the known multi-server password-based authentication solution over lattices achieves merely key transport and is public key infrastructure (PKI)-based, resulting in low efficiency and poor deployability. In this work, we resort to distributed smooth projective hash functions (SPHFs) to bridge the gap between multi-server PAKE protocols and quantum security. We first design an exact SPHF and derive the first distributed SPHF over lattices by leveraging the additive homomorphic property of the strong learning with errors (LWE) problem. In particular, the relevant parameters of the public key encryption (PKE) scheme it is built on are identified, thus eliminating the influence of incomplete lattice homomorphism on the correctness of our SPHFs. Lattice-based multi-server PAKE protocols are further proposed for both transparent and non-transparent transmission modes by integrating our distributed SPHF into the multi-server framework of Raimondo and Gennaro (EUROCRYPT’03). Our PAKE constructions resist both quantum and server compromise attacks while avoiding expensive cryptographic primitives, including non-interactive zero knowledge (NIZK) proofs, signature/verification, secret sharing and fully homomorphic encryption. Experimental results demonstrate that our SPHFs and PAKE protocols offer better efficiency.

Data Availability Statement

The extra data used to support the findings of this study are available from the corresponding author. Email: chenlin20230522@126.com

References

  1. Shin JS, Jo M, Hwang JY, Lee J (2021) A verifier-based password-authenticated key exchange using tamper-proof hardware. Comput J 64(8):1293–1302

  2. Li Z, Wang D (2019) Achieving one-round password-based authenticated key exchange over lattices. IEEE Trans Serv Comput. https://doi.org/10.1109/TSC.2019.2939836

  3. Hassan A, Shukur Z, Hasan MK (2020) An improved time-based one time password authentication framework for electronic payments. Int J Adv Comput Sci Appl 11(11):359–366

  4. Jiang Q, Khan MK, Lu X, Ma J, He D (2016) A privacy preserving three-factor authentication protocol for e-health clouds. J Supercomput 72(10):3826–3849

  5. Sharma G, Kalra S (2019) Advanced multi-factor user authentication scheme for e-governance applications in smart cities. Int J Comput Appl 41(4):312–327

  6. Wang Q, Wang D, Cheng C, He D (2021) Quantum2FA: efficient quantum-resistant two-factor authentication scheme for mobile devices. IEEE Trans Dependable Secure Comput 20(1):193–208

  7. Wang D, Wang P (2016) Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Trans Dependable Secure Comput 15(4):708–722

  8. Sulavko AE, Volkov DA, Zhumazhanova SS, Borisov RV (2018) Subjects authentication based on secret biometric patterns using wavelet analysis and flexible neural networks. In: 2018 XIV International Scientific-Technical Conference on Actual Problems of Electronics Instrument Engineering (APEIE). IEEE, pp 218–227

  9. Scaria BA, Megalingam RK (2018) Enhanced e-commerce application security using three-factor authentication. In: 2018 Second International Conference on Intelligent Computing and Control Systems (ICICCS). IEEE, pp 1588–1591

  10. Chen D, Zhang N, Qin Z, Mao X, Qin Z, Shen X, Li X-Y (2016) S2m: a lightweight acoustic fingerprints-based wireless device authentication protocol. IEEE Internet Things J 4(1):88–100

  11. Thavalengal S, Bigioi P, Corcoran P (2015) Iris authentication in handheld devices-considerations for constraint-free acquisition. IEEE Trans Consum Electron 61(2):245–253

  12. Wang D (2017) Research on key issues in password security. PhD thesis, Peking University, Beijing

  13. RockYou2021 (2021) Largest Password Compilation of All Time Leaked Online with 8.4 Billion Entries. https://github.com/ohmybahgosh/RockYou2021.txt

  14. Singh A, Raj S (2019) Securing password using dynamic password policy generator algorithm. J King Saud Univ-Comput Inf Sci 34(4):1357–1361

  15. Dwyer C (2011) Privacy in the age of google and facebook. IEEE Technol Soc Mag 30(3):58–63

  16. Zeebaree S, Ameen S, Sadeeq M (2020) Social media networks security threats, risks and recommendation: a case study in the Kurdistan region. Int J Innov Creat Chang 13:349–365

  17. Meli M, McNiece MR, Reaves B (2019) How bad can it git? characterizing secret leakage in public github repositories. In: NDSS

  18. Jin L, Chen Y, Wang T, Hui P, Vasilakos AV (2013) Understanding user behavior in online social networks: a survey. IEEE Commun Mag 51(9):144–150

  19. Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science. IEEE, pp 124–134

  20. Agarkar A, Agrawal H (2019) A review and vision on authentication and privacy preservation schemes in smart grid network. Secur Priv 2(2):e62

  21. Ye M (2013) Research on password-based authenticated key exchange protocols and associated encryption algorithms from lattices. PhD thesis, Information Engineering University, Zhengzhou

  22. Li Z, Wang D, Morais E (2020) Quantum-safe round-optimal password authentication for mobile devices. IEEE Trans Dependable Secure Comput 19(3):1885–1899

  23. Alagic G, Alperin-Sheriff J, Apon D, Cooper D, Dang Q, Kelsey J, Liu Y-K, Miller C, Moody D, Peralta R et al (2020) Status report on the second round of the NIST post-quantum cryptography standardization process. US Department of Commerce, NIST

  24. Asif R (2021) Post-quantum cryptosystems for internet-of-things: a survey on lattice-based algorithms. IoT 2(1):71–91

  25. Peikert C, Vaikuntanathan V, Waters B (2008) A framework for efficient and composable oblivious transfer. In: Wagner D (ed) Annual International Cryptology Conference, vol 5157. Springer, LNCS, pp 554–571

  26. Alaya B, Laouamer L, Msilini N (2020) Homomorphic encryption systems statement: trends and challenges. Comput Sci Rev 36:100235

  27. Yin A, Guo Y, Song Y, Qu T, Fang C (2020) Two-round password-based authenticated key exchange from lattices. Wirel Commun Mob Comput 2020:1–13

  28. Benhamouda F, Blazy O, Ducas L, Quach W (2018) Hash proof systems over lattices revisited. In: Abdalla M, Dahab R (eds) IACR International Workshop on Public Key Cryptography, vol 10770. Springer, LNCS, pp 644–674

  29. Zhang C, Luo X, Fan Q, Wu T, Zhu L (2023) Enabling privacy-preserving multi-server collaborative search in smart healthcare. Futur Gener Comput Syst 143:265–276

  30. Roy PS, Dutta S, Susilo W, Safavi-Naini R (2021) Password protected secret sharing from lattices. In: Sako K, Tippenhauer NO (eds) International Conference on Applied Cryptography and Network Security, vol 12726. Springer, LNCS, pp 442–459

  31. Yi X, Rao F-Y, Tari Z, Hao F, Bertino E, Khalil I, Zomaya AY (2016) ID2S password-authenticated key exchange protocols. IEEE Trans Comput 65(12):3687–3701

  32. Yi X, Hao F, Bertino E (2014) ID-based two-server password-authenticated key exchange. In: Kutylowski M, Vaidya J (eds) European Symposium on Research in Computer Security, vol 8713. Springer, LNCS, pp 257–276

  33. Katz J, Ostrovsky R, Yung M (2001) Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann B (ed) International Conference on the Theory and Applications of Cryptographic Techniques, vol 2045. Springer, LNCS, pp 475–494

  34. Gennaro R, Lindell Y (2006) A framework for password-based authenticated key exchange. ACM Trans Inf Syst Secur (TISSEC) 9(2):181–234

  35. Jiang S, Gong G (2004) Password based key exchange with mutual authentication. In: Handschuh H, Hasan MA (eds) International Workshop on Selected Areas in Cryptography, vol 3357. Springer, LNCS, pp 267–279

  36. Groce A, Katz J (2010) A new framework for efficient password-based authenticated key exchange. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp 516–525

  37. Abdalla M, Benhamouda F, Pointcheval D (2015) Public-key encryption indistinguishable under plaintext-checkable attacks. In: Katz J (ed) IACR International Workshop on Public Key Cryptography, vol 9020. Springer, LNCS, pp 332–352

  38. Katz J, Vaikuntanathan V (2011) Round-optimal password-based authenticated key exchange. In: Ishai Y (ed) Theory of Cryptography Conference, vol 6597. Springer, LNCS, pp 293–310

  39. Li Z, Wang D (2018) Two-round PAKE protocol over lattices without NIZK. In: Guo F, Huang X, Yung M (eds) International Conference on Information Security and Cryptology, vol 11449. Springer, LNCS, pp 138–159

  40. Zhang J, Yu Y (2017) Two-round PAKE from approximate SPH and instantiations from lattices. In: Takagi T, Peyrin T (eds) International Conference on the Theory and Application of Cryptology and Information Security, vol 10626. Springer, LNCS, pp 37–67

  41. Cramer R, Shoup V (2002) Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen L (ed) International Conference on the Theory and Applications of Cryptographic Techniques, vol 2332. Springer, LNCS, pp 45–64

  42. Katz J, Vaikuntanathan V (2009) Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui M (ed) International Conference on the Theory and Application of Cryptology and Information Security, vol 5912. Springer, LNCS, pp 636–652

  43. Blazy O, Chevalier C, Ducas L, Pan J (2013) Exact smooth projective hash function based on LWE. Cryptol ePrint Archive, Report 2013/821

  44. Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 139–155

  45. Di Raimondo M, Gennaro R (2003) Provably secure threshold password-authenticated key exchange. In: Biham E (ed) International Conference on the Theory and Applications of Cryptographic Techniques, vol 2656. Springer, LNCS, pp 507–523

  46. Katz J, MacKenzie P, Taban G, Gligor V (2005) Two-server password-only authenticated key exchange. In: Ioannidis J, Keromytis A, Yung M (eds) International Conference on Applied Cryptography and Network Security, vol 3531. Springer, LNCS, pp 1–16

  47. Ding Y, Fan L (2011) Efficient password-based authenticated key exchange from lattices. In: 2011 Seventh International Conference on Computational Intelligence and Security. IEEE, pp 934–938

  48. Zhang J, Yu Y, Fan S, Zhang Z (2020) Improved lattice-based CCA2-secure PKE in the standard model. Sci China Inf Sci 63(8):1–22

  49. Peikert C (2015) A decade of lattice cryptography. Found Trends Theor C 10(4):83–424

  50. Banerjee A, Peikert C, Rosen A (2012) Pseudorandom functions and lattices. In: Pointcheval D, Johansson T (eds) Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol 7237. Springer, LNCS, pp 719–737

  51. Gentry C, Peikert C, Vaikuntanathan V (2008) Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp 197–206

  52. Peikert C, Waters B (2011) Lossy trapdoor functions and their applications. SIAM J Comput 40(6):1803–1844

  53. Peikert C (2009) Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, pp 333–342

  54. Agrawal S, Boneh D, Boyen X (2010) Efficient lattice (H)IBE in the standard model. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 553–572

  55. Yamada S (2016) Adaptively secure identity-based encryption from lattices with asymptotically shorter public parameters. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 32–62

  56. Canetti R, Halevi S, Katz J (2004) Chosen-ciphertext security from identity-based encryption. In: International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 207–222

  57. Boneh D, Katz J (2005) Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Cryptographers Track at the RSA Conference. Springer, pp 87–103

  58. Lyubashevsky V, Micciancio D (2008) Asymptotically efficient lattice-based digital signatures. In: Theory of Cryptography Conference. Springer, pp 37–54

  59. Micciancio D, Peikert C (2012) Trapdoors for lattices: simpler, tighter, faster, smaller. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 700–718

  60. Wang D, Cheng H, Wang P, Huang X, Jian G (2017) Zipf’s law in passwords. IEEE Trans Inf Forensic Secur 12(11):2776–2791

  61. Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: Preneel B (ed) International Conference on the Theory and Applications of Cryptographic Techniques. LNCS, vol 1807. Springer, pp 139–155

  62. Boneh D, Dagdelen Ö, Fischlin M, Lehmann A, Schaffner C, Zhandry M (2011) Random oracles in a quantum world. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer, pp 41–69

  63. Longa P, Naehrig M (2016) Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: International Conference on Cryptology and Network Security. Springer, pp 124–139

  64. Ding J, Alsayigh S, Lancrenon J, Saraswathy RV, Snook M (2017) Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Cryptographers Track at the RSA Conference. Springer, pp 183–204

  65. Ebrahimi Atani R, Ebrahimi Atani S, Hassani Karbasi A (2019) A new ring-based SPHF and PAKE protocol on ideal lattices. ISC Int J Inf Secur 11(1):75–86

Acknowledgements

The authors are grateful to the anonymous reviewers for their invaluable comments. Chen Lin is the corresponding author.

Author information

Correspondence to Lin Chen.

Ethics declarations

Conflict of Interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Correctness and smoothness proofs for WI-eSPHF

Correctness proof. According to the definition of SPHF in Section 2.3, to prove the correctness of WI-eSPHF we need to prove that for \(\forall~{\textbf {W}}\in \mathbb {L}\), Eq. 13 holds.

$$\begin{aligned} \textrm{Pr}(h=ph)\gg 1-\textrm{negl}(\kappa ) \end{aligned}$$
(13)

According to the definition of WI-eSPHF in Section 4, we only need to prove \(\textrm{Pr}({h}_{i}={ph}_{i})\gg 1-\textrm{negl}(\kappa )\). Further, according to Eqs. 8 and 9 and the definition of \(\textrm{ECC}\) in Section 2.3, we need to prove

$$\begin{aligned} \textrm{Pr}({h}_{i}^{1}={ph}_{i}^{1})\gg 1-\textrm{negl}(\kappa ). \end{aligned}$$
(14)

Below, we prove that Eq. 14 holds.

$$\begin{aligned} \begin{array}{ll} {h}_{i}^{1}&{}=~{({{\textbf {c}}}_{1}+{{\textbf {c}}}_{2}||{\textbf {0}})}^{T } \cdot {kh}_{i}(\textrm{mod }q)\\ &{}=~(({{\textbf {A}}}^{T }\cdot \tilde{{\textbf {s}}}+{{\textbf {e}}}_{1})+({({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})}^{T }\cdot \tilde{{\textbf {s}}}\\ &{}~{+{{\textbf {e}}}_{2})||{\textbf {0}})}^{T } \cdot {kh}_{i}(\textrm{mod }q)\\ &{}=~{({({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }\cdot \tilde{{\textbf {s}}})}^{T }\\ &{}~\cdot {kh}_{i}(\textrm{mod }q)+{({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T } \cdot {kh}_{i}(\textrm{mod }q)\\ &{}\approx ~~{\tilde{{\textbf {s}}}}^{T }\cdot ({({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }\\ &{}~\cdot {kh}_{i})(\textrm{mod }q)\\ &{}=~{\tilde{{\textbf {s}}}}^{T }\cdot {kp}_{i}(\textrm{mod }q) = {kp}_{i}^{T }\cdot \tilde{{\textbf {s}}}(\textrm{mod }q)\\ &{}=~{ph}_{i}^{1}\\ \end{array} \end{aligned}$$
(15)

In accordance with the parameter settings of the \(\textrm{ZYF}\) scheme [48], \(\bar{m}<m\) and \(nk<m\). Then, we have \(|{({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T }\cdot {kh}_{i}|\le s\cdot (\alpha q+ \gamma )\cdot m\). According to the parameter settings of the strong LWE problem in Definition 3, \(s=q/{2}^{\Omega (\sqrt{n})}\) and \(m=O(n \textrm{log }q)\). Finally, since Eqs. 10 and 12 hold, we have \(4\cdot |{({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T }\cdot {kh}_{i}|/q \le \textrm{negl}(\kappa )\), so the rounding step of \(\textrm{ECC}\) fails only with negligible probability.

Consequently, \(\textrm{WI}\)-\(\textrm{eSPHF}\) is correct.

Proof of smoothness. For the property of smoothness, we need to prove that for \(\forall~{\textbf {W}}\in \mathbb {X}/\mathbb {L}\), the two distributions (i.e., \((HP, \textrm{HASH}({\textbf {W}}, KH))\) and \((HP, {\textbf {v}}\overset{r }{\leftarrow }{\{0,1\}}^{l})\)) are statistically close. According to Eq. 15, we have \({h}_{i}^{1}={({({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }\cdot \tilde{{\textbf {s}}})}^{T }\cdot {kh}_{i}+\) \({({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T }\cdot {kh}_{i}\). Since the projection key \({kp}_{i}\) is \(({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})\) and the witness \(\tilde{{\textbf {s}}}\) is random, the adversary learns no information about \({h}_{i}^{1}\) even if the projection key is public. Then, \(h=({h}_{1}, \cdots , {h}_{l})\) is distributed uniformly at random on \({\{0, 1\}}^{l}\). Thus, \(\textrm{WI}\)-\(\textrm{eSPHF}\) has the property of smoothness.

In summary, \(\textrm{WI}\)-\(\textrm{eSPHF}\) is a SPHF.

Appendix B: Correctness and smoothness proofs for \(\mathrm {{\textbf {dist}}}\)-\(\mathrm {{\textbf {SPHF}}}\)

Correctness proof. For a distributed SPHF, correctness means that the hash value computed by one participant with the hash key can also be computed cooperatively by multiple other participants with their respective projection hash values. Our correctness proof for \(\textrm{dist}\)-\(\textrm{SPHF}\) is based on that of \(\textrm{WI}\)-\(\textrm{eSPHF}\) in Appendix A. Under the parameter settings of \(\textrm{dist}\)-\(\textrm{SPHF}\) (i.e., \(N=\textrm{poly}(\kappa )\), where N is the number of authentication servers and \(\kappa \) is the security parameter), for \(\textrm{dist}\)-\(\textrm{SPHF}\) we can prove that

$$\begin{aligned} \begin{array}{ll} {h}_{i}^{1}&{}=\sum \nolimits _{k=1}^{N}{{h}_{i}^{k,1}}\\ &{}=\sum \nolimits _{k=1}^{N}{{({(({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }\cdot \tilde{{\textbf {s}}})}^{T }}\\ &{}~~~~~~~~~\cdot {kh}_{i}^{k}+{({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T }\cdot {kh}_{i}^{k})(\textrm{mod }q)\\ &{}\approx \sum \nolimits _{k=1}^{N}{{\tilde{{\textbf {s}}}}^{T }\cdot ({({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag )\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }}\\ &{}~~~~~~~~~\cdot {kh}_{i}^{k})(\textrm{mod }q)\\ &{}=\sum \nolimits _{k=1}^{N}{{\tilde{{\textbf {s}}}}_{k}^{T }\cdot {kp}_{i}^{k}}(\textrm{mod }q)\\ &{}=\sum \nolimits _{k=1}^{N}{{({kp}_{i}^{k})}^{T }\cdot {\tilde{{\textbf {s}}}}_{k}}(\textrm{mod }q)\\ &{}=\sum \nolimits _{k=1}^{N}{{ph}_{i}^{k,1}}(\textrm{mod }q)={ph}_{i}^{1}\\ \end{array}. \end{aligned}$$
(16)

Therefore, \(\textrm{dist}\)-\(\textrm{SPHF}\) is correct.

Proof of smoothness. According to Eq. 16, we have

$$\begin{aligned} \begin{array}{ll} {h}_{i}^{1}&{}=\sum \nolimits _{k=1}^{N}{{({(({\textbf {A}}+({\textbf {B}}+\textrm{FRD}(tag)\cdot {{\textbf {G}}}_{b})|{\textbf {0}})}^{T }\cdot \tilde{{\textbf {s}}})}^{T }}\\ &{}~~~~~~~~~\cdot {kh}_{i}^{k}+{({{\textbf {e}}}_{1}+{{\textbf {e}}}_{2}||{\textbf {0}})}^{T }\cdot {kh}_{i}^{k})(\textrm{mod }q)\\ \end{array}. \end{aligned}$$
(17)

Based on the security proof of \(\textrm{WI}\)-\(\textrm{eSPHF}\) in Appendix A, for \(k\in [1, N]\), \({h}_{i}^{k,1}\) is secure even if \({kp}_{i}^{k}\) is public, and \({kp}_{i}^{k}\) (\(k\in [1, N]\)) are independent of each other. It is easy to conclude that dist-SPHF has the property of smoothness.

In conclusion, \(\textrm{dist}\)-\(\textrm{SPHF}\) is a distributed SPHF.

Appendix C: Correctness and security proofs for \(\mathrm {{\textbf {t}}}\)-\(\mathrm {{\textbf {Multi}}}\)-\(\mathrm {{\textbf {PAKE}}}\)

Correctness proof. For correctness, we need to prove that the session keys computed by the user side and by the server side are equal, i.e., \({sk}_{U}={sk}_{S}\). First, according to the correctness of \(\textrm{dist}\)-\(\textrm{SPHF}\), Eq. 18 holds statistically.

$$\begin{aligned} \left\{ \begin{array}{ll} &{}{h}_{U}={ph}_{S}=\sum \nolimits _{k=1}^{N}{{ph}_{S}^{k}}\\ &{}{ph}_{U}={h}_{S}=\sum \nolimits _{k=1}^{N}{{h}_{S}^{k}}\\ \end{array}\right. \end{aligned}$$
(18)

And in line with the definitions of \({sk}_{U}\) and \({sk}_{S}\) in Algorithm 2, we have

$$\begin{aligned} \begin{array}{ll} {sk}_{U}&{}={h}_{U}\oplus {ph}_{U}={ph}_{S}\oplus {h}_{S}\\ &{}=\sum \nolimits _{k=1}^{N}{{ph}_{S}^{k}} \oplus \sum \nolimits _{k=1}^{N}{{h}_{S}^{k}}\\ &{}=\sum \nolimits _{k=1}^{N}{({h}_{S}^{k} \oplus {ph}_{S})}\\ &{}=\sum \nolimits _{k=1}^{N}{{sk}_{S}^{k}}\\ &{}={sk}_{S} \end{array}. \end{aligned}$$
(19)

Thus, \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is correct.

Security proof. Our security proof for \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) follows the approach of Raimondo and Gennaro [45] (i.e., the proof of security for Dist-KOY1 in Appendix C of [45]). Our main work for this proof is to show that the cryptographic primitives we employ, including the \(\textrm{ZYF}\) scheme and \(\textrm{dist}\)-\(\textrm{SPHF}\), satisfy the same properties as the corresponding primitives of \(\textrm{Dist}\)-\(\textrm{KOY1}\) in [45]. In Appendix B, we have given the correctness and security proofs of \(\textrm{dist}\)-\(\textrm{SPHF}\); below we concentrate on the formal security proof of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\). According to the definition of a transparently secure PAKE protocol in Section 3, we need to prove:

  1. if no server is compromised, then both the user’s password and session key are secure;
  2. if the number of compromised servers is at most \((N-1)\), where N is the number of authentication servers, the user’s password remains secure.

Case (1) is easily argued: if an adversary in a multi-server PAKE protocol, called a distributed adversary, never breaks into any server, the security proof of the multi-server PAKE protocol will follow that of the corresponding single-server protocol. Thus, if \(\textrm{ePAKE}\) is secure then \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is secure. The reason is that a distributed adversary has the same abilities in this case as a centralized adversary (i.e., an adversary in a single-server protocol).

We prove the security of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) in case (2) by an indistinguishability argument. Before giving the formal argument, we first sketch the main idea. Assume that \(\mathcal {A}\) is a PPT adversary attacking \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), and let \(\textrm{Sim}\) denote a simulator that simulates the whole \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) for \(\mathcal {A}\). We need to prove that if \(\mathcal {A}\) can distinguish between \(\textrm{view}\)(pw) and \(\textrm{view}\)(\(pw'\)), the meanings of which are given in Definition 2, then \(\textrm{Sim}\) can distinguish pw from \(pw'\), indicating that \(\textrm{Sim}\) can break the \(\textrm{ZYF}\) scheme in [48]. Since the strong LWE assumption holds (the strong LWE assumption is stronger than the LWE assumption, thus if the latter assumption holds then the former holds), the \(\textrm{ZYF}\) scheme [48] is IND-CCA2 secure. Thus, \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is a transparently secure PAKE protocol. In addition, according to the security model in Section 3, if \(\mathcal {A}\) sees less than \((N-1)\) shares of a user’s password, then the password remains secret, so the following argument ignores this case. Below, we discuss the two cases in which the user is honest and dishonest, respectively.

1) Honest user

In this case, if \(\textrm{Sim}\) utilizes a valid password pw, then the view of \(\mathcal {A}\) (i.e., \(\textrm{view}(pw)\)) includes the session key of the authentication servers (i.e., \({sk}_{S}\)), the message sent by the user (i.e., \((U, {{\textbf {C}}}_{U}=({{\textbf {c}}}_{1U}, {{\textbf {c}}}_{2U}, {c}_{3U}, {c}_{4U}), {kp}_{U})\)) and the message sent by the authentication servers (i.e., \((S, {{\textbf {C}}}_{S}=({{\textbf {c}}}_{1S}, {{\textbf {c}}}_{2S}, {c}_{3S}, {c}_{4S}), {kp}_{S})\)). Below, we show that if the \(\textrm{ZYF}\) scheme [48] is IND-CCA2 secure then \(\textrm{view}(pw)\) and \(\textrm{view}(pw')\) are indistinguishable.

Given the public key \(({\textbf {A}}, {\textbf {B}})\), public primitive matrix \({{\textbf {G}}}_{b}\) and ciphertext \({\textbf {C}}=({{\textbf {c}}}_{1}, {{\textbf {c}}}_{2}, {c}_{3}, {c}_{4})\) of \(\textrm{ZYF}\) scheme [48] as well as a projection key KP, where \({\textbf {C}}\) may be generated by a valid password pw or an invalid password \(pw'\), \(\textrm{Sim}\) simulates \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) for \(\mathcal {A}\) as follows:

  1. \(\textrm{Sim}\) runs the adversary \(\mathcal {A}\) and simulates the honest user according to the definition of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), i.e., \(\textrm{Sim}\) computes \({{\textbf {C}}}_{U}=({{\textbf {c}}}_{1U}, {{\textbf {c}}}_{2U}, {c}_{3U}, {c}_{4U})\) and \({KP}_{U}\) according to Algorithm 2;
  2. On the server side, assume that \(\mathcal {A}\) has broken into the first \((N-1)\) authentication servers. In this case, \(\textrm{Sim}\) can simulate the execution of the Nth authentication server by setting \({{\textbf {c}}}_{1S}^{N}={{\textbf {c}}}_{1}, {{\textbf {c}}}_{2S}^{N}={{\textbf {c}}}_{2}, {c}_{3S}^{N}={c}_{3}, {c}_{4S}^{N}={c}_{4}\) and \({kp}_{S}^{N}=kp\).
  3. \(\textrm{Sim}\) computes \({h}_{U}, {ph}_{U}\) for the user and \({h}_{S}^{N}, {ph}_{S}^{N}, {sk}_{S}^{N}\) for the Nth server according to the definition of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\).
  4. \(\textrm{Sim}\) computes \({sk}_{U}={h}_{U} \oplus {ph}_{U}\) for the user and cooperates with the other authentication servers (i.e., the first \((N-1)\) servers) to compute \({sk}_{S}^{N}\) for the Nth authentication server.

Thus, if the adversary \(\mathcal {A}\) can distinguish \(\textrm{view}(pw)\) and \(\textrm{view}(pw')\), then \(\textrm{Sim}\) is able to distinguish pw and \(pw'\), which means that the \(\textrm{ZYF}\) scheme [48] is broken. Since the strong LWE assumption holds, this cannot happen, and \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is a transparently secure PAKE protocol.

2) Dishonest user

Now, assume that the user is dishonest, i.e., the adversary \(\mathcal {A}\) impersonates a real user. Below, let \({msg}_{1}\) denote the first message of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), i.e., \({msg}_{1}=(U, {\textbf{C}}_{U}=({{\textbf {c}}}_{1U}, {{\textbf {c}}}_{2U}, {c}_{3U}, {c}_{4U}), {KP}_{U})\), which may be generated by \(\mathcal {A}\) or by a previous oracle. \({msg}_{1}\) is valid if it was constructed according to \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\). We assume that \({msg}_{1}\) is always valid if it was constructed by a previous oracle. Besides, \(\textrm{Sim}\) is able to tell whether \({msg}_{1}\) was generated by a previous oracle, as all such messages are stored. Furthermore, to simulate the execution of the whole \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) for \(\mathcal {A}\), \(\textrm{Sim}\) first generates the public/private key pair \(({pk}_{\textrm{ZYF}}, {sk}_{\textrm{ZYF}})\) according to the \(\textrm{ZYF}\) scheme [48], where \({sk}_{\textrm{ZYF}}\) will be utilized to check the validity of any \({msg}_{1}\) generated by \(\mathcal {A}\). We emphasize that \({sk}_{\textrm{ZYF}}\) is only required in the security proof, not in a real-world protocol execution. To start with, we prove the following three lemmas.

Lemma 1

If \(\textrm{dist}\)-\(\textrm{SPHF}\) is a SPHF and the first message (i.e., \({msg}_{1}\)) of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is invalid, then \({sk}_{S}\) is indistinguishable from a random session key.

Proof. Since \({msg}_{1}\) is invalid for a valid password \({pw}_{U}\), we have \({{\textbf {W}}}_{U}\!=\!({label}_{U}, {{\textbf {C}}}_{U}, \) \( {pw}_{U}) \in \mathbb {X}/\mathbb {L}\). Then, according to the smoothness of \(\textrm{dist}\)-\(\textrm{SPHF}\), the value of each \({ph}_{S}^{k} (1 \le k \le N)\) is uniformly distributed from the view of \(\mathcal {A}\). Thus, according to the definition of \({sk}_{S}\) (\({sk}_{S}=\sum _{t=1}^{N}{{h}_{S,t}^{k}\oplus {ph}_{S,t}^{k}}\)) in Algorithm 2, this value is uniformly distributed.

Below, we try to bound the probability that \(\mathcal {A}\) can generate a new valid \({msg}_{1}\). To bound this probability more precisely, we assume that the password distribution obeys the CDF-Zipf law according to the study by Wang et al. [60]. Since \(\textrm{ZYF}\) scheme [48] is IND-CCA2 secure, all the valid \({msg}_{1}\)s that \(\mathcal {A}\) sees do not help her to construct a new valid \({msg}_{1}\).

Lemma 2

Assume that the password distribution obeys the CDF-Zipf law [60]. If \(\textrm{ZYF}\) scheme [48] is IND-CCA2 secure, then the probability that \(\mathcal {A}\) can generate a new valid \({msg}_{1}\) is at most \(C'\cdot {Q(\kappa )}^{s'}+\textrm{negl}(\kappa )\).

Proof. We first assume, towards a contradiction, that the maximum probability that \(\mathcal {A}\) can generate a new valid \({msg}_{1}\) is \(C'\cdot {Q(\kappa )}^{s'}+{\textrm{poly}}^{-1}\), i.e., non-negligibly larger than the bound. Then, we prove that \(\textrm{Sim}\) can use \(\mathcal {A}\) to break the \(\textrm{ZYF}\) scheme [48] in this case. More specifically, we show how \(\mathcal {A}\) can be turned into a procedure that generates a new valid encryption of a password pw after polynomially many queries to the \(\textrm{ZYF}\) scheme [48].

  1. \(\textrm{Sim}\) runs the adversary \(\mathcal {A}\). If \(\mathcal {A}\) queries the \(\textrm{Execute}\) oracle (of \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\)), \(\textrm{Sim}\) queries the encryption oracle of the \(\textrm{ZYF}\) scheme [48] twice and is returned two encryptions, denoted by \({{\textbf {C}}}_{1}\) and \({{\textbf {C}}}_{2}\), respectively. Then, \(\textrm{Sim}\) computes \({KP}_{U}\) and \({KP}_{S}\) according to \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) and returns to \(\mathcal {A}\) the transcript of this execution (i.e., \({msg}_{1}=(U, {{\textbf {C}}}_{1}, {KP}_{U})\), \({msg}_{2}=(S, {{\textbf {C}}}_{2}, {KP}_{S})\)).

  2. \(\textrm{Sim}\) cooperates with the other authentication servers (i.e., \({S}_{k}~(1 \le k \le N-1)\)) to compute \({sk}_{S}\) according to the definition of the protocol.

  3. \(\textrm{Sim}\) computes \({sk}_{U}\) and \({sk}_{S}\) for the user and the servers in the honest case, respectively.

  4. \(\textrm{Sim}\) records each \({msg}_{1}\) sent by \(\mathcal {A}\) (at most \(Q(\kappa )\) of them) and randomly chooses one to output.

If the probability that \(\mathcal {A}\) can generate a new valid \({msg}_{1}\) is \(C'\cdot {Q(\kappa )}^{s'}+{\textrm{poly}}^{-1}\), then after polynomially many queries by \(\mathcal {A}\), the probability that \(\textrm{Sim}\) outputs a new valid encryption under the \(\textrm{ZYF}\) scheme [48] is \(C'\cdot {Q(\kappa )}^{s'}+{\textrm{poly}}^{-1}\) as well. However, since the \(\textrm{ZYF}\) scheme is IND-CCA2 secure, this probability of \(\textrm{Sim}\) is at most \(C'\cdot {Q(\kappa )}^{s'}+\textrm{negl}(\kappa )\), which is a contradiction.

In summary, Lemma 2 holds.

We now prove that the advantage of \(\mathcal {A}\) will not change if she sends a valid but not new \({msg}_{1}\) (i.e., a \({msg}_{1}\) generated by a previous oracle).

Lemma 3

If \({msg}_{1}\) is generated by a previous oracle and there is an instance \({\Pi }_{S}^{N,j}\) on the server side that is partnered with \({\Pi }_{U}^{i}\), then the advantage of \(\mathcal {A}\) remains unchanged.

Proof. This is straightforward. If \({msg}_{1}\) is generated by a previous oracle and there is an instance \({\Pi }_{S}^{N,j}\) on the server side that is partnered with \({\Pi }_{U}^{i}\), then there is a valid \({sk}_{S}^{N,j}\). In this case, \(\textrm{Sim}\) can directly set \({sk}_{S}={sk}_{S}^{N,j}\); this only changes the way \({sk}_{S}\) is defined, and the view of \(\mathcal {A}\) remains the same. Thus, if \(\mathcal {A}\) sends a valid but not new \({msg}_{1}\), her advantage remains unchanged.

We are only left with the case where \(\mathcal {A}\) generates an invalid \({msg}_{1}\). We now prove that \(\mathcal {A}\) cannot distinguish whether \(\textrm{Sim}\) uses a valid password pw in this case. Let \(\textrm{Sim}\) simulate the user’s execution in an honest way (except \(\textrm{Sim}\) may use an invalid password \(pw'\)) and randomly choose a session key \({sk}_{S}\) for the server side. According to Lemma 1, this does not change the view of \(\mathcal {A}\). Below, we show that \(\textrm{Sim}\) can use \(\mathcal {A}\) to break \(\textrm{ZYF}\) scheme [48] if \(\mathcal {A}\) sends an invalid \({msg}_{1}\) and can distinguish between \(\textrm{view}(pw)\) and \(\textrm{view}(pw')\).

\(\textrm{Sim}\) is given \({pk}_{\textrm{ZYF}}\) and \({{\textbf {G}}}_{b}\) as well as the challenge ciphertext \({\textbf {C}}\) generated by the encryption oracle of the \(\textrm{ZYF}\) scheme [48], and proceeds as follows.

  1. \(\textrm{Sim}\) runs \(\mathcal {A}\) and records each \({msg}_{1}\) sent by \(\mathcal {A}\).

  2. Assume that \(\mathcal {A}\) breaks into the first \((N-1)\) authentication servers. \(\textrm{Sim}\) computes \({KP}_{S}^{N}\) according to \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) and constructs the output message \(({\textbf {C}}, {KP}_{S}^{N})\) of \({S}_{N}\).

In this case, if \({\textbf {C}}\) is a valid encryption of pw, then \(\mathcal {A}\) sees \(\textrm{view}(pw)\); otherwise, \(\mathcal {A}\) sees \(\textrm{view}(pw')\). Therefore, if \(\mathcal {A}\) can distinguish between \(\textrm{view}(pw)\) and \(\textrm{view}(pw')\), then \(\textrm{Sim}\) can distinguish whether \({\textbf {C}}\) encrypts pw or \(pw'\). However, since the \(\textrm{ZYF}\) scheme is IND-CCA2 secure, this is impossible, and so \(\mathcal {A}\) cannot distinguish whether \(\textrm{Sim}\) uses the valid password pw.

In summary, Theorem 3 holds and \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is transparently secure.

Appendix D: Correctness and security proofs for \(\mathrm {{\textbf {nt}}}\)-\(\mathrm {{\textbf {Multi}}}\)-\(\mathrm {{\textbf {PAKE}}}\)

Correctness proof. For the value of the session key, \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is consistent with \(\textrm{t}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\). Therefore, \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is also correct according to the correctness proof in Appendix C.

Security proof. We now prove that \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) in Algorithm 3 is non-transparently secure if \(\textrm{ePAKE}\), derived from the framework of Li and Wang [2], is secure. We prove this by contradiction below. We still assume that the password distribution obeys the CDF-Zipf law [60] in order to bound the adversary's advantage more precisely. Let \(\mathcal {B}\) and \(\mathcal {A}\) be the PPT adversaries attacking \(\textrm{ePAKE}\) and \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), respectively. Assume without loss of generality that \(\mathcal {A}\) corrupts the first \((N-1)\) servers. We show that \(\mathcal {B}\) is able to simulate \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) for \(\mathcal {A}\) with an invalid password \(pw'\), and that the probability that \(\mathcal {A}\) can distinguish \(\textrm{view}(pw)\) from \(\textrm{view}(pw')\) is at most \((C'\cdot {Q(\kappa )}^{s'}+\textrm{negl}(\kappa ))\).

Every time \(\mathcal {A}\) wants to see an execution of \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) (by querying the \(\textrm{Execute}\) or \(\textrm{Send}\) oracle), \(\mathcal {B}\) queries the corresponding oracle of \(\textrm{ePAKE}\) \(N\) times and uses what is returned to respond to \(\mathcal {A}\).

(1) Execute oracle

If \(\mathcal {A}\) queries the \(\textrm{Execute}\) oracle of \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), \(\mathcal {B}\) queries the \(\textrm{Execute}\) oracle of \(\textrm{ePAKE}\) \(N\) times and obtains the \(N\) transcripts \({\{({msg}_{1}^{k}, {msg}_{2}^{k})\}}_{k=1}^{N}\), one for each authentication server.

The protocol that \(\mathcal {B}\) simulates for \(\mathcal {A}\) must satisfy the following: when the simulated protocol is executed honestly, its output messages are exactly the \({\{({msg}_{1}^{k}, {msg}_{2}^{k})\}}_{k=1}^{N}\) of a real-world protocol execution. Besides, since \(\mathcal {A}\) controls the user, we do not need to consider the \({\{{msg}_{1}^{k}\}}_{k=1}^{N}\) generated by the user.

We now show that \(\mathcal {B}\) can simulate the whole \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) for \(\mathcal {A}\) with an invalid password \(pw'\) such that the output is exactly \({\{{msg}_{2}^{k}\}}_{k=1}^{N}\).

  1. \(\mathcal {B}\) simulates the message of the user U with \({\{{msg}_{1}^{k}\}}_{k=1}^{N}\).

  2. \(\mathcal {B}\) computes the hash keys \({\{{KH}_{U}^{k}\}}_{k=1}^{N}\) and the projection keys \({\{{KP}_{U}^{k}\}}_{k=1}^{N}\) for the user according to \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\).

  3. For \(k \in [1, N]\), from the \((N-1)\) messages \(({S}_{t}, {{\textbf {C}}}_{S,N}^{t}, {KP}_{S,N}^{t})~ (1 \le t \le (N-1))\) of the first \((N-1)\) authentication servers and the known \({\{{msg}_{2}^{k}\}}_{k=1}^{N}\), \(\mathcal {B}\) computes the share of the honest server \({S}_{N}\) as

    $$\begin{aligned} \left\{ \begin{array}{ll} &{}{{\textbf {C}}}_{S,k}^{N}={{\textbf {C}}}_{S}^{k}-\sum \nolimits _{t=1}^{N-1}{{{\textbf {C}}}_{S,k}^{t}}\\ &{}{KP}_{S,k}^{N}={KP}_{S,k}-\sum \nolimits _{t=1}^{N-1}{{KP}_{S,k}^{t}}\\ \end{array}\right. \end{aligned}$$
    (20)
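As an added illustration of the share-completion step in equation (20), and not code from the paper, the following Python models each server message component (a ciphertext \({{\textbf {C}}}_{S,k}^{t}\) or projection key \({KP}_{S,k}^{t}\)) as a vector over \(\mathbb {Z}_q\) and shows how the simulator derives \({S}_{N}\)'s share from the combined message and the \((N-1)\) corrupted servers' shares. The vector representation, the modulus `Q` and the length `DIM` are assumptions chosen for the illustration; the function names are ours.

```python
"""Additive share completion for the Execute-oracle simulation (equation (20)).

Added illustration, not the paper's code. Assumptions: a server message
component is a vector over Z_q, and the N servers' contributions combine by
addition mod q, so the honest server's share is "combined message minus the
N-1 corrupted shares". Q and DIM are arbitrary toy values.
"""
import secrets

Q = 3329   # assumed toy modulus
DIM = 8    # assumed toy vector length


def vec_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def vec_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]


def random_vec(dim=DIM, q=Q):
    return [secrets.randbelow(q) for _ in range(dim)]


def reconstruct(shares, q=Q):
    """Sum of all shares mod q, i.e. the combined server message."""
    acc = [0] * len(shares[0])
    for s in shares:
        acc = vec_add(acc, s, q)
    return acc


def split_additive(total, n_parties, q=Q):
    """Honest dealing: n_parties shares whose sum is `total` (mod q).
    The first n_parties-1 shares are uniform; the last one is fixed by them."""
    if n_parties < 1:
        raise ValueError("need at least one party")
    shares = [random_vec(len(total), q) for _ in range(n_parties - 1)]
    partial = reconstruct(shares, q) if shares else [0] * len(total)
    shares.append(vec_sub(total, partial, q))
    return shares


def complete_last_share(total, first_shares, q=Q):
    """Equation (20): share_N = total - sum_{t=1}^{N-1} share_t (mod q).
    The simulator knows `total` from the ePAKE transcript and `first_shares`
    from the N-1 corrupted servers, so it can produce S_N's share without
    knowing anything about how the honest share would have been generated."""
    partial = reconstruct(first_shares, q) if first_shares else [0] * len(total)
    return vec_sub(total, partial, q)


def simulate_honest_server(combined_msg2, corrupted_msgs, q=Q):
    """Build S_N's message (C_{S,k}^N, KP_{S,k}^N) from the combined
    (C_S^k, KP_{S,k}) and the corrupted servers' (C_{S,k}^t, KP_{S,k}^t)."""
    c_total, kp_total = combined_msg2
    c_n = complete_last_share(c_total, [c for c, _ in corrupted_msgs], q)
    kp_n = complete_last_share(kp_total, [kp for _, kp in corrupted_msgs], q)
    return c_n, kp_n


def corrupted_view_is_independent(first_shares, total_a, total_b, q=Q):
    """Why the simulation is perfect: the same N-1 corrupted shares complete
    to a valid sharing of *any* combined value, so those shares alone carry
    no information about which combined value is being shared."""
    last_a = complete_last_share(total_a, first_shares, q)
    last_b = complete_last_share(total_b, first_shares, q)
    return (reconstruct(first_shares + [last_a], q) == total_a
            and reconstruct(first_shares + [last_b], q) == total_b)


if __name__ == "__main__":
    n_servers = 4
    combined = (random_vec(), random_vec())          # constructed (C_S^k, KP_{S,k})
    c_shares = split_additive(combined[0], n_servers)
    kp_shares = split_additive(combined[1], n_servers)
    corrupted = list(zip(c_shares[:-1], kp_shares[:-1]))   # A controls S_1..S_{N-1}
    c_n, kp_n = simulate_honest_server(combined, corrupted)
    print("simulated S_N share equals the honestly dealt one:",
          (c_n, kp_n) == (c_shares[-1], kp_shares[-1]))
```

The point of `corrupted_view_is_independent` is the one the reduction relies on: the \((N-1)\) shares held by the corrupted servers are consistent with any combined message, so \(\mathcal {B}\) can complete them to whatever \({msg}_{2}^{k}\) the \(\textrm{ePAKE}\) oracle returned, and the honest server's simulated share is distributed exactly as in a real execution.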

(2) Send oracle

For convenience of description, \(\textrm{Send}\) oracle is divided into \(\textrm{Send0}\) and \(\textrm{Send1}\). \(\textrm{Send0}\) initiates an execution of the protocol and returns \({msg}_{1}\) to \(\mathcal {A}\). \(\textrm{Send1}\) models U sending \(\textrm{msg}_{1}\) to the server side. \(\textrm{Send1}\) returns no message to \(\mathcal {A}\), but it computes the session key in an honest way.

If \(\mathcal {A}\) queries \({\textrm{Send0}}_{\mathcal {A}}\), \(\mathcal {B}\) queries \({\textrm{Send0}}_{\mathcal {B}}\) of \(\textrm{ePAKE}\) \(N\) times. Then, \(\mathcal {B}\) uses the received \({\{{msg}_{1}^{k}\}}_{k=1}^{N}\) to construct \({msg}_{1}\) and returns it to \(\mathcal {A}\).

If \(\mathcal {A}\) queries \({\textrm{Send1}}_{\mathcal {A}}\), \(\mathcal {B}\) returns no message to \(\mathcal {A}\), but \(\mathcal {B}\) queries \({\textrm{Send1}}_{\mathcal {B}}\) of \(\textrm{ePAKE}\) \(N\) times and computes the session key as follows. ➀ If \({{\textbf {C}}}_{S,k}\) is invalid and generated by \(\mathcal {A}\), set the session key of \({S}_{k}\) to be random. ➁ If \({{\textbf {C}}}_{S,k}\) is valid and generated by \(\mathcal {A}\), then let \(\mathcal {A}\) succeed directly. ➂ If \({{\textbf {C}}}_{S,k}\) is generated by a previous oracle and there exists an instance \({\Pi }_{U}^{k,i}\) on the user side that is partnered with the instance \({\Pi }_{S}^{k,{j}_{k}}\), then set \({sk}_{S}^{k,{j}_{k}}={sk}_{U}^{k,i}\). By the smoothness of \(\textrm{dist}\)-\(\textrm{SPHF}\), the change in the advantage of \(\mathcal {A}\) brought by case ➀ is negligible. The change in case ➂ is only conceptual and does not alter the advantage of \(\mathcal {A}\). Finally, since we assume that the password distribution obeys the CDF-Zipf law [60], the probability that case ➁ occurs is at most \(C'\cdot {Q(\kappa )}^{s'}+\textrm{negl}(\kappa )\).

(3) Reveal oracle

If \(\mathcal {A}\) queries the \(\textrm{Reveal}\) oracle of \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), \(\mathcal {B}\) queries the \(\textrm{Reveal}\) oracle of \(\textrm{ePAKE}\) and forwards the result.

(4) \(\textrm{Test}\) oracle

If \(\mathcal {A}\) queries the \(\textrm{Test}\) oracle, then \(\mathcal {B}\) queries the \(\textrm{Test}\) oracle of \(\textrm{ePAKE}\) and returns the received random string to \(\mathcal {A}\). Finally, \(\mathcal {B}\) outputs what \(\mathcal {A}\) outputs.

Clearly, the advantage of \(\mathcal {A}\) equals the advantage of \(\mathcal {B}\), and its maximum value is \((C'\cdot {Q(\kappa )}^{s'}+\textrm{negl}(\kappa ))\). Thus, if \(\mathcal {A}\) can break \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\), then \(\mathcal {B}\) can break \(\textrm{ePAKE}\). In summary, \(\textrm{nt}\)-\(\textrm{Multi}\)-\(\textrm{PAKE}\) is non-transparently secure.

Cite this article

Chen, L., Qu, T. & Yin, A. Quantum-safe multi-server password-based authenticated key exchange protocol. Multimed Tools Appl 83, 65011–65038 (2024). https://doi.org/10.1007/s11042-023-17984-1
