The notion of PAKE was introduced by Bellovin and Merritt [27], and corresponding security models were initially developed by Bellare et al. [24], Boyko et al. [44], and Goldreich and Lindell [107]. The first and perhaps best-known PAKE protocols include SPEKE by Jablon [120] and EKE by Bellovin and Merritt [27], proven secure by Bellare et al. [24]. Numerous subsequent works have since explored the notion of PAKE in depth. PAKE allows two parties holding low-entropy keys to negotiate a common authenticated session key. Besides the key exchange functionality, it authenticates the two parties explicitly or implicitly. PAKE protocols aim to protect against offline dictionary attacks but, like all password-based protocols, require restrictions on the number of failed password trials in order to preserve security against online dictionary attacks. In particular, security models aim at Authenticated Key Exchange (AKE) security as introduced by Bellare and Rogaway [25, 26]. One of the most promising applications of PAKE protocols is the online authentication of users. It is considered a more secure alternative to the currently predominant approach of password-over-HTML, i.e. transmitting the password over a secure channel (HTTPS) and letting the server perform a check against a stored credential. The standard model of PAKE does not require any PKI, which is necessary for the secure TLS channel, and assumes that only a low-entropy secret, i.e. a human-memorable password, is shared between both parties. Thereby, PAKE protocols solve the problem of potential password leakage, which is inherent to the approach based on secure channels.
In general, all PAKE models (see Pointcheval [170] for a recent overview) take into account unavoidable online dictionary attacks and aim to guarantee security against offline dictionary attacks. While many PAKE constructions require a constant number of communication rounds (Abdalla et al. [3, 14], Gennaro [100], Gennaro and Lindell [101], Katz et al. [128, 129], Katz and Vaikuntanathan [130]), recent frameworks by Katz and Vaikuntanathan [130] and Benhamouda et al. [30] offer optimal one-round PAKE.
In addition to the aforementioned approaches tailored to the password-based setting, there exist several more general authentication and key exchange frameworks, such as those proposed by Camenisch et al. [53] and Blazy et al. [34], that also lend themselves to the construction of (somewhat less practical) PAKE protocols.
Like key exchange protocols with high-entropy secrets, PAKE protocols can be modelled in one of the following general settings.
4.1.1 Game-Based PAKE-Security
The original game-based PAKE models in Bellare et al. [24] (denoted Bellare-Pointcheval-Rogaway (BPR-M) here) and Boyko et al. [44] specify the Find-then-Guess (FtG) approach, where the semantic security of the session key is considered with respect to one particular session, referred to as the test session, determined by the adversary through a single call to a Test oracle. (Semantic security states that no PPT adversary exists that has a non-negligible probability of winning the experiment, in this case the PAKE experiment.) The adversary furthermore has access to oracles that allow it to eavesdrop on protocol executions, take an active part in executions, and corrupt protocol participants in order to retrieve private information from a party. Abdalla et al. [14] proposed the stronger notion in the Real-or-Random (RoR) setting to model semantic security of PAKE protocols by allowing polynomially many queries to the Test oracle. They showed not only that their RoR approach leads to stronger security, but were also able to simplify the model by removing the Reveal oracle. The models in Bellare et al. [24] and Abdalla et al. [14] remain the most popular game-based PAKE models, adopted in the analysis of many protocols, including the random-oracle-based protocols by Abdalla et al. [8] and Abdalla et al. [13] and protocols requiring a Common Reference String (CRS) (Gennaro [100], Gennaro and Lindell [101], Katz et al. [128, 129]).
Find-then-Guess The term Find-then-Guess goes back to Bellare et al. [23], whose definition of FtG-security for symmetric encryption is based on work by Goldwasser and Micali [110] and Micali et al. [151]. In this thesis we focus on password-based cryptography, where one of the first formal models for PAKE, proposed by Bellare et al. [24], employs the FtG approach. The security requirement there is that an adversary must not be able to decide whether a given bit-string is the real key computed by honest parties performing the protocol or a random element of the same length. The adversary has only a single Test query with which to retrieve such a test key.
Real-or-Random The term Real-or-Random was introduced by Bellare et al. [23] in a different context and with a different meaning. The notion of RoR in the context of Authenticated Key Exchange protocols was introduced by Abdalla et al. [14] to strengthen and simplify the FtG approach used in the original BPR-M model. In the AKE context, RoR allows the adversary to query multiple keys before deciding whether all of them have been computed by honest parties performing the protocol or all of them have been chosen at random from the key space.
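The difference between the two experiments is easiest to see in the oracle interface the adversary is given. The following is an added illustration, not code from the thesis or from any of the cited works: it abstracts the protocol away entirely (every session simply holds a constructed random key) and models only the Test and Reveal oracles, the freshness restrictions of the FtG experiment (a single Test query, and the tested and revealed sessions must stay disjoint), the consistency requirement of the RoR experiment (every Test answer is real, or every one is random, and repeated Test queries on one session agree), and an empirical estimate of an adversary's advantage. Session identifiers such as `"s1"` and the 32-byte key length are assumptions made for the example.

```python
"""Toy harness for the game-based PAKE experiments (added example, not from the thesis).

The protocol is abstracted away: each session already holds a session key, and only
the Test/Reveal oracle interface that differs between Find-then-Guess (FtG) and
Real-or-Random (RoR) is modelled.  All keys are constructed at random here; nothing is
derived from a real password-based exchange.
"""
import secrets
from typing import Callable, Dict, Optional

KEY_LEN = 32  # assumed session key length in bytes


class FreshnessViolation(Exception):
    """Raised when the adversary makes a query the experiment forbids."""


class Sessions:
    """Constructed stand-in for honest protocol executions: one random key per session."""

    def __init__(self, session_ids):
        self._keys: Dict[str, bytes] = {sid: secrets.token_bytes(KEY_LEN) for sid in session_ids}

    def real_key(self, sid: str) -> bytes:
        return self._keys[sid]


class FtGGame:
    """Find-then-Guess: exactly one Test query; Reveal is available on other sessions.

    Test(sid) returns the real key if b == 1, else a random string of the same length.
    The tested session and the revealed sessions must stay disjoint, otherwise the
    adversary could compare the two answers and win trivially.
    """

    def __init__(self, sessions: Sessions, b: int):
        self.sessions, self.b = sessions, b
        self.tested: Optional[str] = None
        self.revealed = set()

    def reveal(self, sid: str) -> bytes:
        if sid == self.tested:
            raise FreshnessViolation("cannot Reveal the test session")
        self.revealed.add(sid)
        return self.sessions.real_key(sid)

    def test(self, sid: str) -> bytes:
        if self.tested is not None:
            raise FreshnessViolation("FtG allows exactly one Test query")
        if sid in self.revealed:
            raise FreshnessViolation("cannot Test a revealed session")
        self.tested = sid
        return self.sessions.real_key(sid) if self.b == 1 else secrets.token_bytes(KEY_LEN)


class RoRGame:
    """Real-or-Random: polynomially many Test queries and no Reveal oracle.

    All answers are real (b == 1) or all are random (b == 0).  A repeated Test on the
    same session returns the same answer, so comparing two answers reveals nothing.
    """

    def __init__(self, sessions: Sessions, b: int):
        self.sessions, self.b = sessions, b
        self._random_answers: Dict[str, bytes] = {}

    def test(self, sid: str) -> bytes:
        if self.b == 1:
            return self.sessions.real_key(sid)
        if sid not in self._random_answers:
            self._random_answers[sid] = secrets.token_bytes(KEY_LEN)
        return self._random_answers[sid]


def query_is_forbidden(query: Callable[[], bytes]) -> bool:
    """True iff the experiment rejects the query (a freshness violation)."""
    try:
        query()
    except FreshnessViolation:
        return True
    return False


def estimate_advantage(make_game: Callable[[int], object],
                       adversary: Callable[[object], int], trials: int = 200) -> float:
    """Empirical |Pr[A outputs 1 | b = 1] - Pr[A outputs 1 | b = 0]| over fresh games."""
    ones = {0: 0, 1: 0}
    for b in (0, 1):
        for _ in range(trials):
            ones[b] += adversary(make_game(b)) == 1
    return abs(ones[1] - ones[0]) / trials


def revealing_adversary(game: FtGGame) -> int:
    """Reveals one session, tests another, guesses 'real' iff the keys coincide.
    Keys of independent sessions are unrelated, so this learns nothing about b."""
    return 1 if game.reveal("s1") == game.test("s2") else 0


def consistency_adversary(game: RoRGame) -> int:
    """Tests the same session twice and guesses 'real' iff the answers agree;
    a consistent Test oracle makes this guess independent of b."""
    return 1 if game.test("s1") == game.test("s1") else 0


if __name__ == "__main__":
    ids = ["s1", "s2", "s3"]
    print("FtG advantage:", estimate_advantage(lambda b: FtGGame(Sessions(ids), b), revealing_adversary))
    print("RoR advantage:", estimate_advantage(lambda b: RoRGame(Sessions(ids), b), consistency_adversary))
```

Both toy adversaries end up with advantage 0, which is the point: the freshness rule in FtG and the consistency rule in RoR are exactly what stops an adversary from winning by bookkeeping alone, so any non-negligible advantage has to come from breaking the protocol (or from password guessing, which the models account for separately by bounding online trials).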
4.1.2 Simulation-Based PAKE-Security
Simultaneously with the first game-based models by Bellare et al. [24] and Boyko et al. [44], the first simulation-based PAKE model was proposed by Goldreich and Lindell [107]. Their work also comprises the first (and so far the only, but fairly inefficient) PAKE protocol that is built from general secure multi-party computation techniques but requires neither setup assumptions nor random oracles. The protocol was subsequently simplified, at the cost of weakened security, by Nguyen and Vadhan [159]. While the model of Goldreich and Lindell [107] is hardly used in the analysis of PAKE protocols, a stronger simulation-based model in the Universal Composability (UC) framework of Canetti [59] was later proposed by Canetti et al. [62]. In contrast to game-based PAKE protocols, UC-secure protocols require setup assumptions [62], with a CRS being the most popular one [130], although ideal ciphers/random oracles [9] and stronger hardware-based assumptions [74] have also been used. The most recent and most efficient PAKE protocols are proven secure in the UC framework [2–4, 30].