More Web Proxy on the site http://driver.im/

research-article

Practical yet universally composable two-server password-authenticated secret sharing

Authors:

Anna Lysyanskaya,

Gregory NevenAuthors Info & Claims

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Pages 525 - 536

https://doi.org/10.1145/2382196.2382252

Published: 16 October 2012 Publication History

Abstract

Password-authenticated secret sharing (PASS) schemes, first introduced by Bagherzandi et al. at CCS 2011, allow users to distribute data among several servers so that the data can be recovered using a single human-memorizable password, but no single server (or even no collusion of servers up to a certain size) can mount an off-line dictionary attack on the password or learn anything about the data. We propose a new, universally composable (UC) security definition for the two-server case (2PASS) in the public-key setting that addresses a number of relevant limitations of the previous, non-UC definition. For example, our definition makes no prior assumptions on the distribution of passwords, preserves security when honest users mistype their passwords, and guarantees secure composition with other protocols in spite of the unavoidable non-negligible success rate of online dictionary attacks. We further present a concrete 2PASS protocol and prove that it meets our definition. Given the strong security guarantees, our protocol is surprisingly efficient: in its most efficient instantiation under the DDH assumption in the random-oracle model, it requires fewer than twenty elliptic-curve exponentiations on the user's device. We achieve our results by careful protocol design and by exclusively focusing on the two-server public-key setting.

References

[1]

A. Bagherzandi, S. Jarecki, N. Saxena, and Y. Lu. Password-protected secret sharing. In ACMCCS 2011.

Digital Library

[2]

B. Barak, Y. Lindell, and T. Rabin. Protocol initialization for the framework of universal composability. Cryptology ePrint Archive, Report 2004/006, 2004.

[3]

M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT 2000.

Digital Library

[4]

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS 93.

Digital Library

[5]

S. M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In IEEE Symposium on Security and Privacy 1992.

Digital Library

[6]

J. Brainard, A. Juels, B. S. Kaliski Jr., and M. Szydlo. A new two-server approach for authentication with short secrets. In USENIX SECURITY 2003.

Digital Library

[7]

W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T. Polk, S. Gupta, and E. A. Nabbus. Electronic authentication guideline. NIST Special Publication 800-63-1, 2011.

Digital Library

[8]

J. Camenisch, A. Kiayias, and M. Yung. On the portability of generalized Schnorr proofs. In EUROCRYPT 2009.

Digital Library

[9]

J. Camenisch, S. Krenn, and V. Shoup. A framework for practical universally composable zero-knowledge protocols. In ASIACRYPT 2011.

Digital Library

[10]

J. Camenisch, A. Lysyanskaya, and G. Neven. Practical yet universally composable two-server password-authenticated secret sharing. Cryptology ePrint Archive, 2012.

[11]

J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In CRYPTO '97.

Digital Library

[12]

R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In FOCS 2001.

Digital Library

[13]

R. Canetti. Universally composable signature, certification, and authentication. In 17th Computer Security Foundations Workshop, page 219. IEEE Computer Society, 2004.

Digital Library

[14]

R. Canetti, S. Halevi, J. Katz, Y. Lindell, and P. D. MacKenzie. Universally composable password-based key exchange. In EUROCRYPT 2005.

Digital Library

[15]

R. Canetti and T. Rabin. Universal composition with joint state. In CRYPTO 2003.

[16]

R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167--226, 2003.

Digital Library

[17]

M. Di Raimondo and R. Gennaro. Provably secure threshold password-authenticated key exchange. In EUROCRYPT 2003.

Digital Library

[18]

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO '84.

[19]

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO '86.

Digital Library

[20]

W. Ford and B. S. Kaliski Jr. Server-assisted generation of a strong secret from a password. In IEEE WETICE 2000.

Digital Library

[21]

J. A. Garay, P. D. MacKenzie, and K. Yang. Strengthening zero-knowledge protocols using signatures. In EUROCRYPT 2003.

Digital Library

[22]

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2), 1984.

[23]

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281--308, 1988.

Digital Library

[24]

L. Gong, T. M. A. Lomas, R. M. Needham, and J. H. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications, 11(5):648--656, 1993.

Digital Library

[25]

S. Halevi and H. Krawczyk. Public-key cryptography and password protocols. ACM TISSEC, 2(3):230--268, 1999.

Digital Library

[26]

C. Herley, P. C. van Oorschot, and A. S. Patrick. Passwords: If we're so smart, why are we still using them? In FC 2009.

Digital Library

[27]

D. P. Jablon. Password authentication using multiple servers. In CT-RSA 2001.

Digital Library

[28]

J. Katz, P. D. MacKenzie, G. Taban, and V. D. Gligor. Two-server password-only authenticated key exchange. In ACNS 05.

Digital Library

[29]

J. Katz, R. Ostrovsky, and M. Yung. Efficient and secure authenticated key exchange using weak passwords. Journal of the ACM, 57(1), 2009.

Digital Library

[30]

P. D. MacKenzie, T. Shrimpton, and M. Jakobsson. Threshold password-authenticated key exchange. In CRYPTO 2002.

Digital Library

[31]

P. D. MacKenzie and K. Yang. On simulation-sound trapdoor commitments. In EUROCRYPT 2004.

[32]

B. Pfitzmann and M. Waidner. Composition and integrity preservation of secure reactive systems. In ACM CCS 2000.

Digital Library

[33]

D. Pointcheval and J. Stern. Security proofs for signature schemes. In EUROCRYPT '96.

Digital Library

[34]

C. Rackoff and D. R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In CRYPTO '91.

Digital Library

[35]

C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239--252, 1991.

Digital Library

[36]

A. Shamir. How to share a secret. Communications of the ACM, 22(11):612--613, Nov. 1979.

Digital Library

[37]

M. Szydlo and B. S. Kaliski Jr. Proofs for two-server password authentication. In CT-RSA 2005.

Digital Library

Cited By

Jiang JWang DZhang G(2024)QPause: Quantum-Resistant Password-Protected Data Outsourcing for Cloud StorageIEEE Transactions on Services Computing10.1109/TSC.2023.333100017:3(1140-1153)Online publication date: May-2024
https://doi.org/10.1109/TSC.2023.3331000
Jiang JWang D(2024)QPASE: Quantum-Resistant Password-Authenticated Searchable Encryption for Cloud StorageIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.337280419(4231-4246)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3372804
Kılıç ABetin Onur COnur E(2024)PATSIET Information Security10.1049/2024/75575142024Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1049/2024/7557514
Show More Cited By

Index Terms

Practical yet universally composable two-server password-authenticated secret sharing
1. Security and privacy

Recommendations

Universally composable three-party password-authenticated key exchange with contributiveness

Three-party password-authenticated key exchange 3PAKE allows two clients, each sharing a password with a trusted server, to establish a session key with the help of the server. It is a quite practical mechanism for establishing secure channels in a large ...
Universally Composable Relaxed Asymmetric Password-Authenticated Key Exchange
Security and Cryptography for Networks
Abstract
Password-Authenticated Key Exchange (PAKE) establishes a secure channel between two parties who share a password. Asymmetric PAKE is a variant of PAKE, where one party stores a hash of the password to preserve security under the situation that the ...
Universally Composable Hierarchical Hybrid Authenticated Key Exchange

Password-based authenticated key exchange protocols are more convenient and practical, since users employ human-memorable passwords that are simpler to remember than cryptographic secret keys or public/private keys. Abdalla, Fouque, and Pointcheval ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

October 2012

1088 pages

ISBN:9781450316514

DOI:10.1145/2382196

General Chair:
Ting Yu
North Carolina State University, USA
,
Program Chairs:
George Danezis
Microsoft Research Cambridge, UK
,
Virgil Gligor
Carnegie Mellon University, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 October 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'12

Sponsor:

SIGSAC

CCS'12: the ACM Conference on Computer and Communications Security

October 16 - 18, 2012

North Carolina, Raleigh, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

45
Total Citations
View Citations
706
Total Downloads

Downloads (Last 12 months)36
Downloads (Last 6 weeks)3

Reflects downloads up to 13 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Jiang JWang DZhang G(2024)QPause: Quantum-Resistant Password-Protected Data Outsourcing for Cloud StorageIEEE Transactions on Services Computing10.1109/TSC.2023.333100017:3(1140-1153)Online publication date: May-2024
https://doi.org/10.1109/TSC.2023.3331000
Jiang JWang D(2024)QPASE: Quantum-Resistant Password-Authenticated Searchable Encryption for Cloud StorageIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.337280419(4231-4246)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3372804
Kılıç ABetin Onur COnur E(2024)PATSIET Information Security10.1049/2024/75575142024Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1049/2024/7557514
Daudén-Esmel CCastellà-Roca JViejo AMiguel-Rodríguez I(2024)Multi-Platform Wallet for Privacy Protection and Key Recovery in Decentralized ApplicationsBlockchain: Research and Applications10.1016/j.bcra.2024.100243(100243)Online publication date: Dec-2024
https://doi.org/10.1016/j.bcra.2024.100243
Gu YJarecki SKedzior PNazarian PXu J(2024)Threshold PAKE with Security Against Compromise of All ServersAdvances in Cryptology – ASIACRYPT 202410.1007/978-981-96-0935-2_3(66-100)Online publication date: 9-Dec-2024
https://doi.org/10.1007/978-981-96-0935-2_3
Backendal MDavis HGünther FHaller MPaterson K(2024)A Formal Treatment of End-to-End Encrypted Cloud StorageAdvances in Cryptology – CRYPTO 202410.1007/978-3-031-68379-4_2(40-74)Online publication date: 18-Aug-2024
https://dl.acm.org/doi/10.1007/978-3-031-68379-4_2
Davies GPijnenburg J(2024)$$\textsf{PERKS}$$: Persistent and Distributed Key Acquisition for Secure Storage from PasswordsSelected Areas in Cryptography10.1007/978-3-031-58411-4_8(159-189)Online publication date: 12-May-2024
https://doi.org/10.1007/978-3-031-58411-4_8
Mennink B(2023)Secure Distributed Modular Exponentiation: Systematic Analysis and New ResultsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.329339618(4188-4197)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3293396
Davies GFaller SGellert KHandirk THesse JHorváth MJager T(2023)Security Analysis of the WhatsApp End-to-End Encrypted Backup ProtocolAdvances in Cryptology – CRYPTO 202310.1007/978-3-031-38551-3_11(330-361)Online publication date: 9-Aug-2023
https://doi.org/10.1007/978-3-031-38551-3_11
Kohlweiss MLysyanskaya ANguyen A(2023)Privacy-Preserving BlueprintsAdvances in Cryptology – EUROCRYPT 202310.1007/978-3-031-30617-4_20(594-625)Online publication date: 15-Apr-2023
https://doi.org/10.1007/978-3-031-30617-4_20
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents