An Efficient Password-Only Authenticated Three-Party Key Exchange Protocol


International Journal of Applied Engineering Research ISSN Volume 12, Number 14 (2017) pp Research India Publications.

Youngsook Lee #1, Juryon Paik *2 and Younsung Choi #3

# Department of Cyber Security, Howon University, 64, 3-gil, Gunsan, Jeollabuk-do, 54058, Republic of Korea.
* Department of Digital Information & Statistics, Pyeongtaek University, 3825, Seodong-daero, Pyeongtaek-si, Gyeonggi-do, 17869, Republic of Korea.

Abstract

Password-only authenticated key exchange (PAKE) protocols allow parties to generate cryptographically strong keys from human-memorable passwords. The design of an efficient PAKE protocol is difficult, especially in the three-party setting where dictionary attacks by malicious insiders are a major concern. The difficulty is well illustrated by the fact that after twenty years of research, only a handful of three-party PAKE protocols are known to be provably secure in a model that captures insider attacks. This paper proposes a new, efficient three-party PAKE protocol which incorporates the design principle of Bresson et al.'s two-party PAKE protocol called OMDHKE. A cost comparison in terms of communication and computation complexities shows that the overall performance of our protocol is superior to those of previously published three-party PAKE protocols. Moreover, our protocol has an advantage over its competitors in that it can be easily transformed into a simpler and more efficient protocol in an environment where undetectable online dictionary attacks do not pose a significant threat. We provide a proof of security for the protocol in the widely accepted model of Bellare et al. which captures insider attacks.

Keywords: Cryptography, Authenticated key exchange, Dictionary attack, Three-party setting

INTRODUCTION

Human-memorable passwords have gained immense popularity as an almost universal means of authentication in today's distributed and heterogeneous computing environments.
It is incredible to see how passwords, despite their many security shortcomings, have been persistently and widely used in getting access to numerous Internet services in our daily lives. The widespread and persistent popularity of passwords has attracted a great deal of attention on the design of password-only authenticated key exchange (PAKE) protocols in the areas of cryptography and network security [2], [4]-[7], [14], [17], [18], [41], [43]. As a class of key exchange protocols, PAKE protocols allow two or more parties to generate a shared, cryptographically strong key (commonly called a session key) from their weak, easy-to-remember passwords, and thereby to establish a secure communication channel over a public network which might be controlled by an adversary. Back in 1992, Bellovin and Merritt [5] proposed the first PAKE protocols, known as encrypted key exchange, with heuristic arguments for their security. Encrypted key exchange has been followed by many improvements and generalizations over the past two decades, including both practical and provably secure protocols; see, e.g., [4], [6], [7], [18], [27].

PAKE protocols should be designed to protect passwords of parties from a dictionary attack (also known as a password guessing attack), in which an attacker enumerates all possible passwords while testing each one against known password verifiers in order to determine the correct one. Dictionary attacks have been used by criminals as well as by law enforcement officers and digital forensics practitioners to gain access to password-protected data (e.g., on smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms - see Elcomsoft Phone Password Breaker). Dictionary attacks can be classified into two types, online and offline. Unlike offline dictionary attacks where password guesses can be verified offline, online dictionary attacks are the ones where the attacker verifies each password guess via an online transaction with the password holder(s).
In the two-party setting where the session key is usually established between a client and a server sharing the same password, online dictionary attacks do not pose a significant threat as they are likely to be detected and the server may lock out the problematic client after a certain number of invalid transactions. However, such attacks can go completely undetected in the three-party setting, where the session key is established between two clients who do not share the same password but hold their individual password shared only with a trusted server. Therefore, three-party PAKE protocols should be able to resist undetectable online dictionary (UDOD) attacks as well as offline dictionary attacks [11], [28], [34], [37], [44]. Indeed, a three-party PAKE protocol is said to be secure if detectable online dictionary attacks are the best possible attacks that an adversary can mount against the protocol.

Efficiency, in addition to security, is an important consideration when designing three-party PAKE protocols. In general, the efficiency of a protocol is evaluated in terms of both the communication cost and the computation cost incurred by the protocol. Two common indicators for measuring the communication cost of a protocol are: (1) the round complexity, the number of communication rounds until the protocol terminates, and (2) the message complexity, the number of messages exchanged in the protocol. A communication round consists of all messages that can be sent by protocol participants independently in parallel. The computation cost of a protocol is typically measured by the number of cryptographic operations such as modular exponentiations (or scalar-point multiplications), symmetric/asymmetric encryptions/decryptions, hash function evaluations, and so on. Symmetric-key operations and hash function evaluations are often ignored in cost estimates since they are much faster than modular exponentiations and asymmetric-key operations. In the password-only three-party setting, preventing UDOD attacks usually entails a significant increase in both communication and computation costs. For this reason, security against UDOD attacks has occasionally been sacrificed in the interest of efficiency [2], [21], [38].

Despite all the work conducted over the past two decades, it still remains a challenging task to design a secure yet efficient three-party PAKE protocol. The key research challenge in this domain is to prevent insider dictionary attacks, as evidenced by the flaws discovered in published protocols [15], [19], [28]-[30], [37].
Note that in the three-party setting, clients do not share any password between them but hold their own private password and thus, a malicious client may attempt to discover the password of its partner client by mounting a dictionary attack. However, some protocols [1], [12], [37], [38] achieve provable security only in a restricted model where the adversary is not allowed to corrupt parties. A protocol proven secure in such a restricted model cannot guarantee its security against insider dictionary attacks. (Readers who are unfamiliar with formal security models are referred to Section 2.) Somewhat surprisingly, the majority of existing three-party PAKE protocols have never been proven secure in any model [10], [15], [16], [19], [25], [26], [33], [35] and/or have been found to be susceptible to either insider or outsider attacks [9], [10], [19], [21], [23], [24], [28]-[30], [32]-[34], [36], [37], [40], [44]. Indeed, there are only a very limited number of three-party PAKE protocols proven secure in a model that allows party corruption [24], [31], [40]. We remark that the recent protocol of Yang and Cao [42] achieves stronger notions of security but works only in a hybrid three-party setting where a server's public key is required in addition to passwords (see [20], [23], [36], [39], [45] for other recent protocols designed to work in a hybrid setting).

Table 1: Comparative Efficiency and Security for Three-Party PAKE Protocols

Protocol | Rounds | Messages | Exponentiations (Client) | Exponentiations (Server) | Resistance to UDOD attacks | Security Proof
e3pake (our protocol) | | | | | Yes | Yes
LH [24] | | | | | Yes | Yes
Parallel version of LH [24] | | | | | Yes | Yes
WPWH [40] | | | | | Yes | Yes
Parallel version of WPWH [40] | | | | | Yes | Yes
2R3PAKE [31] | | | | | Yes | Yes
NWPAKE-1 [38] | | | | | Yes | Restricted model
3PAKE-RSA [12] | | | | | Yes | Restricted model
NGPAKE [37] | | | | | Yes | Restricted model
LHL [22] | | | | | Yes | No
Parallel version of LHL [22] | | | | | Yes | No
LSSH-3PEKE [25] | | | | | Yes | No
GLMZ [15] | | | | | Yes | Broken [28]
CHY [8] | | | | | Yes | Broken [40]
Parallel version of CHY [8] | | | | | Yes | Broken [40]
S-EA-3PAKE [21] | | | | | Yes | Broken [29]
GPAKE [1] | | | | | No [37] | Restricted model
NWPAKE-2 [38] | | | | | No | Broken [31]
S-IA-3PAKE [21] | | | | | No | Broken [29]
Huang [16] | | | | | No [44], [24] | Broken [44]
S-3PAKE [26] | | | | | No [15], [34], [19] | Broken [10], [15], [34], [33]
3PAKE [2] | | | | | No [37] | Broken [30]

the numbers of scalar-point multiplications.
the numbers of exponentiations modulo an RSA modulus.

In this paper, we present an efficient three-party PAKE protocol that not only provides resistance to UDOD attacks but also achieves provable security against an active adversary with the corruption capability. Our protocol named e3pake ("e" for "efficient") is based on Bresson et al.'s two-party PAKE protocol [6], called OMDHKE, which in turn originates from the AuthA protocol of Bellare and Rogaway [4]. We prove the security of e3pake in the widely accepted indistinguishability-based model of Bellare et al. [3]; this model is, probably, one of the most popular models in the provable security paradigm for key exchange protocols.

The overall performance of e3pake is superior to those of previously published three-party PAKE protocols. It runs in 3 communication rounds with 6 messages in total and requires each client and the server to perform 3 and 4 modular exponentiations, respectively. Table 1 compares e3pake with other three-party PAKE protocols both in terms of efficiency and security. Although the 2R3PAKE protocol [31] runs only in 2 rounds, it incurs significantly higher message complexity and computation cost in comparison to e3pake. From the standpoint of the computational load of the server, the 3PAKE-RSA protocol [12] is the most efficient among all protocols that provide resistance to UDOD attacks. However, this protocol has a hidden computation cost not reflected in Table 1.
In each session of 3PAKE-RSA, each client must generate an RSA modulus n and a prime encryption key e anew in order to achieve perfect forward secrecy. The generation of n and e, though its cost is hidden in the table, is the most expensive operation required for the 3PAKE-RSA protocol.

It is also worthwhile to mention that in our protocol, the third round consists of 2 messages and is dedicated to preventing UDOD attacks. This means that our protocol can be easily simplified into a 2-round 4-message protocol if security against UDOD attacks is not desired (see Section 4). In contrast, the protocols of [24], [40], [31] cannot further reduce their round complexity even if resistance to UDOD attacks is not required.

The remainder of this paper is structured as follows. Section 2 presents a standard definition of security for three-party PAKE protocols. Section 3 reviews Bresson et al.'s OMDHKE protocol and proves the security of its slight variant. We then present our proposed three-party PAKE protocol, e3pake, and prove its security in Section 4. Section 5 concludes the paper.

THE SECURITY MODEL

Here we describe a security model adapted from Bellare et al.'s indistinguishability-based model [3] for analysis of PAKE protocols. This will be the model that is used to prove the security of our proposed three-party PAKE protocol.

Participants. Let C be the set of all clients registered with a trusted server S. Any two clients C, C ∈ C may run a three-party PAKE protocol P with S at any point in time to establish a session key. Let U = C ∪ {S}. A user U ∈ U may execute the protocol multiple times (including concurrent executions) with the same or different participants. Thus, at a given time, there could be many instances of a single user. We use Π_U^i to denote instance i of user U. We say that a client instance Π_C^i accepts when it successfully computes its session key sk_C^i in an execution of the protocol.

Long-term keys. Each client C ∈ C chooses a password pw_C from a fixed dictionary, and shares it with the server S via a secure channel. Accordingly, S holds all the passwords { pw_C | C ∈ C }. Each password pw_C is used as the long-term secret key of C and S.

Partnering. Informally, two instances are said to be partners if they participate in a protocol execution and establish a (shared) session key. Formally, the partnership relation between instances is defined using the notions of session identifiers and partner identifiers. A session identifier (sid) is a unique identifier of a protocol session and is usually defined as a function of the messages transmitted in the session. Let sid_U^i denote the sid of instance Π_U^i. A partner identifier (pid) is a sequence of identities of participants of a specific protocol session. Instances are given as input a pid before they can run the protocol. pid_U^i denotes the pid given to instance Π_U^i. In a typical session, there will be three participants, namely two clients C and C and the server S. We say that two instances Π_C^i and Π_C^j are partners if all of the following conditions are satisfied: (1) both Π_C^i and Π_C^j have accepted, (2) sid_C^i = sid_C^j, and (3) pid_C^i = pid_C^j.

Adversary capabilities. During the executions of the protocol, the probabilistic polynomial-time (PPT) adversary A has complete control of all message exchanges and may ask users to open up access to session keys and passwords. The capabilities of A are captured via a pre-defined set of oracle queries as described below.

Execute(Π_C^i, Π_C^j, Π_S^k): This query models passive attacks against the protocol. It prompts an execution of the protocol between the instances Π_C^i, Π_C^j, and Π_S^k and returns the transcript of the protocol execution to A.

Send(Π_U^i, m): This query sends message m to instance Π_U^i, modelling active attacks against the protocol. Upon receiving m, the instance Π_U^i proceeds according to the protocol specification. The message output by Π_U^i, if any, is returned to A. A query of the form Send(Π_C^i, start: (C, C, S)) prompts Π_C^i to initiate the protocol with pid_C^i = (C, C, S).

Reveal(Π_C^i): This query captures the notion of known key security, and if Π_C^i has accepted, returns the session key sk_C^i back to A. However, this session (key) will be rendered unfresh (see Definition 1).

Corrupt(U): This query returns U's password pw_U to A. If U = S (i.e., the server is corrupted), all clients' passwords stored by the server are returned. This query captures not only the notion of forward secrecy but also attacks by malicious clients.

Test(Π_C^i): This query can be asked only if Π_C^i has accepted, and is used to define the indistinguishability-based security of the protocol. Depending on the hidden bit b chosen by the Test oracle uniformly at random from {0,1}, the query outputs the real session key sk_C^i held by Π_C^i if b = 1, or outputs a random key drawn from the session-key space if b = 0. A is allowed to ask as many Test queries as it wishes. All Test queries are answered using the same value of the hidden bit b. Namely, the keys output by the Test oracle are either all real or all random. But, we require that for each different set of partners, A should access the Test oracle only once.

We represent the amount of queries used by an adversary as an ordered sequence of five non-negative integers, Q = (q_exec, q_send, q_reve, q_corr, q_test), where the five elements refer to the numbers of queries that the adversary made respectively to its Execute, Send, Reveal, Corrupt, and Test oracles. We call this usage of queries by an adversary the query complexity of the adversary.

AKE Security. The typical indistinguishability-based security of a three-party PAKE protocol is defined via the notion of freshness. Intuitively, an instance is considered to be fresh if it holds a session key which should not be known to the adversary, and is considered to be unfresh if its session key (or some information about the key) can be known by trivial means. Formally, freshness is defined as follows:

Definition 1. An instance Π_C^i is fresh if none of the following occurs: (1) A queries Reveal(Π_C^i) or Reveal(Π_C^j), where Π_C^j is the partner of Π_C^i, and (2) A queries Corrupt(U), for some U ∈ pid_C^i, before Π_C^i or its partner Π_C^j accepts.

Given the definition of freshness, the security of a three-party PAKE protocol P against A is defined in terms of the probability that A can correctly guess the hidden bit b chosen by the Test oracle in the following two-stage experiment:

Experiment Exp_0:

Stage 1. A makes any oracle queries at will as many times as it wishes, except that:
A is not allowed to ask the Test(Π_C^i) query if the instance Π_C^i is unfresh.
A is not allowed to ask the Reveal(Π_C^i) query if it has already made a Test query to Π_C^i or Π_C^j, where Π_C^j is the partner of Π_C^i.

Stage 2. Once A decides that Stage 1 is over, it outputs a bit b as a guess on the hidden bit b chosen by the Test oracle. A is said to succeed if b = b.

Let Succ_0 be the event that A succeeds in the experiment Exp_0. The advantage of A in breaking the security of the authenticated key exchange protocol P is Adv_P^AKE(A) = 2 · Pr_{P,A}[Succ_0] − 1.

Definition 2. A three-party PAKE protocol P is AKE-secure if, for any PPT adversary A asking at most q_send Send queries, Adv_P^AKE(A) is only negligibly larger than c q_send / D, where c is a very small constant (usually around 2 or 4) when compared with D.

To quantify the security of protocol P in terms of the amount of resources expended by adversaries, we let Adv_P^AKE(t, Q) denote the maximum value of Adv_P^AKE(A) over all PPT adversaries A with time complexity at most t and query complexity at most Q.

THE OMDHKE PROTOCOL

The OMDHKE protocol, Bresson et al.'s two-party PAKE protocol [6], originates from the AuthA protocol [4] which was submitted for standardization by the IEEE P Standard working group. Since AuthA is open-ended in how the Diffie-Hellman values can be encrypted, OMDHKE was proposed to prove that AuthA is secure in the random oracle model when the encryption primitive is instantiated via a mask generation function computed as the product of the Diffie-Hellman value and a hash of the password.

The arithmetic is in a finite cyclic group G of prime order q. Let g be a generator of G. The protocol uses three hash functions: G : {0,1}^* → G, F : {0,1}^* → {0,1}^K where K is the bit-length of the authenticator Auth_SA (see the protocol description below), and H : {0,1}^* → {0,1}^l where l is the bit length of session keys.

As illustrated in Fig. 1, OMDHKE is a two-round two-message protocol and runs between a client A and a server S. A and S are assumed to have pre-established a shared password pw_A. The protocol starts when A chooses a random x ∈ Z_q, computes X = g^x, PW_A = G(pw_A) and X = X PW_A, and sends A, X to S.
Upon receiving the message A, X from A, S computes PW_A = G(pw_A) and X = X / PW_A, chooses a random z ∈ Z_q, and computes Z = g^z, K = X^z and Auth_SA = F(A S X Z PW_A K). Then S sends S, Z, Auth_SA to A and computes the session key, sk = H(A S X Z PW_A K). A computes K = Z^x, verifies Auth_SA in the straightforward way, and computes the session key sk = H(A S X Z PW_A K) if the verification succeeds.

Figure 1. OMDHKE: Bresson et al.'s two-party PAKE protocol [6].

OMDHKE provides server-to-client authentication via the authenticator Auth_SA and was proven secure in Bellare et al.'s model [3] under the assumption that the hash functions G, F and H are random oracles. Our proposed three-party PAKE protocol is built upon a slight variant of OMDHKE, which we denote by OMDHKE. The only difference between OMDHKE and OMDHKE is that the latter defines session key sk as sk = H(A S X Z K). That is, the OMDHKE protocol excludes the password-derived group element PW_A from the input to the key derivation function H. We make this modification to prevent a malicious client from mounting an insider dictionary attack against its partner client in our three-party protocol. OMDHKE can be proven secure under the security of OMDHKE, as claimed by Theorem 1.

Theorem 1. The OMDHKE protocol is AKE-secure as long as the OMDHKE protocol is AKE-secure.

Proof. Assume an adversary A who breaks the AKE security of OMDHKE. Then we prove the theorem by showing that an adversary A who breaks the AKE security of OMDHKE can be constructed from the adversary A. The proof idea is to convert an ability of breaking the AKE security of OMDHKE into an ability of mounting an offline dictionary attack against OMDHKE.

A runs A as a subroutine while simulating all the oracles on its own. A outputs a random l-bit string in response to each distinct H query while storing the input-output pairs of H into a list, which we denote as HList. For Execute / Send / Corrupt / G / F queries of A, A answers them by asking the same queries to its own corresponding oracles. Let U ∈ C ∪ {S}. When A asks a Reveal query on an instance Π_U^i whose session key is expected to be set to H(C S X Z K), A checks if HList contains an entry of the form (C S X Z K, h) for some K Z. If not, A answers the Reveal query with a random l-bit string. Otherwise, A mounts the following dictionary attack in an attempt to find out the password pw_C:

An offline dictionary attack against OMDHKE:

STEP 1. A asks the Reveal(Π_U^i) query and receives in return the session key sk_U computed as sk_U = H(C S X Z PW_C K).

STEP 2. A makes a guess pw_C on the password pw_C and computes PW_C = G(pw_C) and sk_U = H(C S X Z PW_C K).

STEP 3. A verifies the correctness of pw_C by comparing sk_U against sk_U.
With an overwhelming probability, sk_U is equal to sk_U if and only if pw_C and pw_C are equal.

STEP 4. A repeats Steps 2 & 3 for all guesses pw_C and for all entries (C S X Z K, h) until a match is found.

If A fails to discover the password pw_C, it returns a random l-bit string in response to the Reveal query. Otherwise, A can perfectly impersonate client C against server S, or vice versa, using the discovered password pw_C and therefore, can break the AKE security of OMDHKE with advantage 1. When A asks a Test query, A responds with a random l-bit string.

Let Π_U^i denote any instance whose session key is expected to be set to H(C S X Z K). Let Ask be the event that A makes the H(C S X Z K) query when Π_U^i is one of the instances asked a Test query. Since H is a random oracle, A cannot gain any advantage in attacking OMDHKE if Ask does not occur. When A terminates and outputs its guess b, A mounts the above-described offline dictionary attack assuming the occurrence of Ask and thereby, breaks the AKE security of OMDHKE with advantage 1. This concludes the proof of Theorem 1.

THE PROPOSED PROTOCOL

We now present an efficient three-party PAKE protocol (e3pake) which is built upon the two-party OMDHKE protocol. The e3pake protocol is not only AKE-secure but also provides resistance to UDOD attacks. Compared with OMDHKE, e3pake requires only 1 additional communication round where two client messages are sent in parallel solely to achieve security against UDOD attacks.

A. Preliminaries

We begin with the cryptographic primitives which underlie the security of e3pake.

Decisional Diffie-Hellman (DDH) assumption. Consider a cyclic group G having prime order q. Informally stated, the DDH problem for G is to distinguish between two distributions (g^x, g^y, g^{xy}) and (g^x, g^y, g^z), where g is a random generator of G and x, y, z are chosen at random from Z_q. We say that the DDH assumption holds in G if it is computationally infeasible to solve the DDH problem for G.
More formally, we define the advantage of an algorithm D in solving the DDH problem for G as Adv_G^DDH(D) = Pr[D(G, g, g^x, g^y, g^{xy}) = 1] − Pr[D(G, g, g^x, g^y, g^z) = 1]. We say that the DDH assumption holds in G if Adv_G^DDH(D) is negligible for all PPT algorithms D. Adv_G^DDH(t) denotes the maximum value of Adv_G^DDH(D) over all algorithms D running in time at most t. A standard way of generating G where the DDH assumption is assumed to hold is to choose two primes p, q such that p = rq + 1 for some small r ∈ N (e.g., r = 2) and let G be the subgroup of order q in Z_p.

Message authentication codes. A message authentication code (MAC) scheme Σ is a triple of efficient algorithms (Gen, Mac, Ver) where: (1) the key generation algorithm Gen takes as input a security parameter 1^l and outputs a key k chosen uniformly at random from {0,1}^l; (2) the MAC generation algorithm Mac takes as input a key k and a message m, and outputs a MAC (also known as a tag) σ; and (3) the MAC verification algorithm Ver takes as input a key k, a message m, and a MAC σ, and outputs 1 if σ is valid for m under k or outputs 0 if σ is invalid.

Let Adv_Σ^{SUF-CMA}(A) be the advantage of an adversary A in violating the strong existential unforgeability of Σ under an adaptive chosen message attack. More precisely, Adv_Σ^{SUF-CMA}(A) is the probability that an adversary A, who mounts an adaptive chosen message attack against Σ with oracle access to Mac_k(·) and Ver_k(·), outputs a message/tag pair (m, σ) such that: (1) Ver_k(m, σ) = 1 and (2) σ was not previously output by the oracle Mac_k(·) as a MAC on the message m. We say that the MAC scheme Σ is secure if Adv_Σ^{SUF-CMA}(A) is negligible for every PPT adversary. Let Adv_Σ^{SUF-CMA}(t, q_mac, q_ver) denote the maximum value of Adv_Σ^{SUF-CMA}(A) over all adversaries A running in time at most t and asking at most q_mac and q_ver queries to Mac_k(·) and Ver_k(·) respectively.

Symmetric encryption schemes. A symmetric encryption scheme Ω is a triple of efficient algorithms (Gen, Enc, Dec) where: (1) the key generation algorithm Gen takes as input a security parameter 1^l and outputs a key k chosen uniformly at random from {0,1}^l; (2) the encryption algorithm Enc takes as input a key k and a plaintext message m, and outputs a ciphertext c; and (3) the decryption algorithm Dec takes as input a key k and a ciphertext c, and outputs a message m. We require that Dec_k(Enc_k(m)) = m holds for all k ∈ {0,1}^l and all m ∈ M, where M is the plaintext space.
For an eavesdropping adversary A against Ω and for a random bit b ∈_R {0,1}, consider the following indistinguishability experiment:

Experiment Exp_Ω(A, b)
  k ← Gen(1^l)
  (m_0, m_1) ← A(Ω), where |m_0| = |m_1|
  c ← Enc_k(m_b)
  b ← A(c), where b ∈ {0,1}
  return b

For simplicity, we assume, in this experiment, that the security parameter 1^l is implicit in the description of Ω. Let Adv_Ω(A) be the advantage of a single eavesdropper A in breaking the indistinguishability of Ω, and let it be defined as

Adv_Ω(A) = Pr[Exp_Ω(A, 0) = 1] − Pr[Exp_Ω(A, 1) = 1]

We say that the encryption scheme Ω is secure (with respect to a single encryption) if Adv_Ω(A) is negligible for every PPT adversary. We use Adv_Ω(t) to denote the maximum value of Adv_Ω(A) over all adversaries A running in time at most t.

We now claim that if a symmetric encryption scheme is secure with respect to a single encryption, then it is also secure with respect to multiple encryptions under different keys. For an integer n ≥ 1, consider the indistinguishability experiment below:

Experiment Exp_Ω(A, b, n)
  For i = 1 to n
    k_i ← Gen(1^l)
    (m_{0,i}, m_{1,i}) ← A(Ω), where |m_{0,i}| = |m_{1,i}|
    c_i ← Enc_{k_i}(m_{b,i})
    A(c_i)
  b ← A, where b ∈ {0,1}
  return b

Then we define Adv_Ω(A) and Adv_Ω(t) respectively as

Adv_Ω(A) = Pr[Exp_Ω(A, 0, n) = 1] − Pr[Exp_Ω(A, 1, n) = 1]

and

Adv_Ω(t) = max_A {Adv_Ω(A)}

where the maximum is over all A running in time at most t.

Lemma 1. For any symmetric encryption scheme Ω, Adv_Ω(t) ≤ n · Adv_Ω(t) where n is as defined for experiment Exp_Ω(A, b, n).

Cryptographic hash functions. Additionally, e3pake uses three cryptographic hash functions F : {0,1}^* → {0,1}^l, G : {0,1}^* → G, and H : {0,1}^* → {0,1}^l. These hash functions are modelled as random oracles in our proof of security for e3pake.
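The two-party OMDHKE exchange reviewed above, with a switch for the variant that leaves PW_A out of the key derivation, as an added Python example (not code from the paper or from Bresson et al.). Assumptions: a toy safe-prime group (p = 2039, q = 1019), SHA-256 with length-prefixed fields standing in for F, G and H, the masked value as sent on the wire is the one that is hashed, G is built by hashing into Z_p and squaring, the subgroup checks are an addition, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy safe-prime group, constructed for this demo (assumption): P = 2*Q + 1.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q = 2039, 1019
GEN = 4  # 2^2 mod P, a square, so it generates the subgroup of prime order Q


def hash_parts(tag: bytes, *parts) -> bytes:
    """SHA-256 with a domain tag and length-prefixed fields (encoding is an assumption)."""
    h = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def G(pw: str) -> int:
    """Map a password into the order-Q subgroup: hash into Z_P, then square."""
    t = 2 + int.from_bytes(hash_parts(b"G", pw), "big") % (P - 3)  # t in [2, P-2]
    return pow(t, 2, P)


def in_subgroup(v: int) -> bool:
    """Membership test for the order-Q subgroup (a check added here, not on the page)."""
    return 1 < v < P and pow(v, Q, P) == 1


def derive_key(client, server, masked_x, Z, PW, K, include_pw: bool) -> bytes:
    """H(...): include_pw=True is OMDHKE as reviewed, False is the paper's variant."""
    fields = [client, server, masked_x, Z] + ([PW] if include_pw else []) + [K]
    return hash_parts(b"H", *fields)


def client_start(pw: str):
    """Round 1: pick x, compute X = g^x and send it masked by PW = G(pw)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(GEN, x, P) * G(pw) % P


def server_respond(client, server, masked_x, pw: str, include_pw: bool):
    """Round 2: unmask X, pick z, return (Z, Auth) plus the server's session key."""
    PW = G(pw)
    X = masked_x * pow(PW, -1, P) % P
    if not in_subgroup(X):
        return None
    z = secrets.randbelow(Q - 1) + 1
    Z, K = pow(GEN, z, P), pow(X, z, P)
    auth = hash_parts(b"F", client, server, masked_x, Z, PW, K)
    return Z, auth, derive_key(client, server, masked_x, Z, PW, K, include_pw)


def client_finish(client, server, x, masked_x, Z, auth, pw: str, include_pw: bool):
    """Client side of round 2: recompute K = Z^x and accept only if Auth verifies."""
    if not in_subgroup(Z):
        return None
    PW, K = G(pw), pow(Z, x, P)
    expected = hash_parts(b"F", client, server, masked_x, Z, PW, K)
    if not hmac.compare_digest(expected, auth):
        return None  # password mismatch between the two sides, or a tampered message
    return derive_key(client, server, masked_x, Z, PW, K, include_pw)


def run_exchange(client_pw: str, server_pw: str, include_pw: bool = False):
    """Run one session over an honest network; returns (client_key, server_key)."""
    x, masked_x = client_start(client_pw)
    reply = server_respond("A", "S", masked_x, server_pw, include_pw)
    if reply is None:
        return None, None
    Z, auth, server_key = reply
    client_key = client_finish("A", "S", x, masked_x, Z, auth, client_pw, include_pw)
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = run_exchange("correct horse", "correct horse")
    print("matching passwords ->", ck == sk, ck.hex()[:16])
    ck, _ = run_exchange("not the password", "correct horse")
    print("mismatched passwords ->", "client aborts" if ck is None else "accepted")
```

With `include_pw=False` the session key is a function of the transcript and K only, so a party that learns both gains nothing to test password guesses against, which is the reason the paper gives for the variant.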

8 Internatonal Journal of Appled Engneerng Research ISSN Volume 12, Number 14 (2017) pp Research Inda Publcatons. B. Descrpton of e3pake Let A and B be two clents who wsh to establsh a sesson key, and S be the trusted server wth whch A and B have regstered ther passwords pw A and pw B respectvely. We assume that the followng nformaton has been preestablshed and s known to all partes n the network: (1) a cyclc group G of prme order q, and a generator g of G, (2) a MAC scheme Σ = (Gen, Mac, Ver), (3) a symmetrc encrypton scheme Ω = (Gen, Enc, Dec), and (4) three hash functons F, G and H. These publc parameters can be determned by the server S and broadcast to all regstered clents. The e3pake protocol s depcted n Fg. 2 and ts descrpton s as follows: ROUND 1. A sets pd A = (A, B, S), selects a random x Z q, computes X = X PW A, where X = g x and PW A = G(pw A ), and then sends A, X, pd A to S. Meanwhle, B sets pd B = (A, B, S), selects a random y Z q, computes Y = Y PW B, where Y = g y and PW B = G(PW B), and sends B, Y, pd B to S. ROUND 2. S verfes that pd A s equal to pd B. If the verfcaton fals, S aborts the protocol. Otherwse, S sets pd S = pd A, selects two random z Z q, and z {0,1} q /2, computes Z = g z, PW A = G(pw A ), PW B = G(pw B ), X = X /PW A, Y = Y /PW A, K A = X Z, K B = Y Z k A mac = H(A S X Z K A ), k B mac = H(B S Y Z K B ) k A enc = F(k A mac ), k B enc = F(k B mac ) K A = K A z, K B = K B z Fgure 2. e3pake: Our proposed three-party PAKE protocol. 4336

9 Internatonal Journal of Appled Engneerng Research ISSN Volume 12, Number 14 (2017) pp Research Inda Publcatons. α A = Enc ka mac(k B), α B = Enc kb mac(k A) σ A = Mac ka mac(s pd S Z α A α B ), σ B = Mac kb mac(s pd S Z α A α B ) and sends S, Z, α A, α B, σ A and S, Z, α A, α B, σ B to A and B, respectvely. ROUND 3. A sets sd A = a A a B, computes K A = X Z, k A mac = H(A S X Z K A ), k A enc = F(k A mac ), and verfes that Verk A mac (S pd A Z sd A, o A ) = 1. If the verfcaton fals, A aborts the protocol. Otherwse, A computes the sesson key sk A = K B x, where K B = Deck A enc (α A ), and sends the authentcator δ A = Mack A mac (A pd A X ) to S. B proceeds correspondngly; t sets sd B = a A a B, computes K B = Z y, k B mac = H(B S X Z K B ), k B enc = F(k B mac ), and checks f Verk B mac (S pd B Z sd B, o B ) = 1. B aborts f the check fals. Otherwse, B computes sk B = K A y, where K A = Deck B enc (α B ), and sends δ B = Mack A mac (B pd B Y ) to S. Upon recevng δ A = and δ B, S aborts f ether of these authentcators s nvald. In the presence of a passve adversary, A and B wll compute sesson keys of the same value g xyzz, as shown below: sk A = K Bx = K B xz = g xyzz requre two addtonal messages to be exchanged (between A and B ) n the thrd round. Exponentatng K A and K B to the power z prevents a malcous nsder from learnng mmedately the MAC key of ts partner clent and thereby from mountng an offlne dctonary attack smlar to the one presented by Nam et al. [30]. We note that the exponent z s of length q /2 and thus, both the computatons K A = K A z and K B = K B z count as a half exponentaton (.e., half the number of modular multplcatons compared wth a full exponentaton). The hash functon G : {0,1} G can be constructed from a typcal hash functon n several ways, as ndcated n [27]. 
For the sake of effcency, we suggest to construct G by: (1) defnng G as a subgroup of order q n Z p where p s a safe prme (.e., p = 2q + 1 ), (2) choosng a hash functon G that outputs elements of Z p (.e., G : {0,1} Z p ), and then (3) settng G( ) = G ( ) 2. Wth ths method, computng G(pw) would only requre about one hash functon evaluaton and one modular multplcaton. CONCLUSION Ths work has presented an effcent protocol for passwordonly authentcated key exchange (PAKE) n the three-party settng. It s far to say that n lght of the overall cost of communcaton and computaton, our protocol (e3pake) performs best among all competng protocols. The thrd communcaton round of e3pake can be omtted f securty aganst undetectable onlne dctonary attacks s not desred (see the protocol descrpton n Secton 4.2). Ths smplfed protocol would acheve better effcency and stll be AKEsecure n the sense of Defnton 2 (.e., Theorem 2 also holds for the smplfed protocol). Moreover, e3pake can be easly extended to ncorporate the well-known key confrmaton technque of Bellare et al. [3] wthout ncreasng the number of communcaton rounds. The proof model we used s the one of Bellare et al. [3] whch allows the adversary to ask Corrupt queres. Therefore, our securty proof mples that e3pake not only acheves forward secrecy but also s secure aganst dctonary attacks by malcous nsders. Future work ncludes desgnng a three-party PAKE protocol that acheves the same (or even better) level of effcency as e3pake but does not rely ts securty proof on the exstence of randomoracles = X yzz = K A yz = K Ay = sk B e3pake acheves resstance to UDOD attacks va the MAC values δ A and δ B sent n the thrd round. If key confrmaton s requred, e3pake can be extended to ncorporate the wellknown technque of Bellare et al. [3]. Ths extenson would ACKNOWLEDGMENT Ths work s supported by NRF-2017R1A2B REFERENCES [1] M. Abdalla, P. Fouque, and D. 
Pointcheval, Password-based authenticated key exchange in the three-party setting, IEE Proceedings - Information Security, vol. , no. 1, pp , An earlier version was presented in PKC
[2] M. Abdalla and D. Pointcheval, Interactive Diffie-Hellman assumptions with applications to password-based authentication, Proc. FC 2005, LNCS vol. 3570, pp ,
[3] M. Bellare, D. Pointcheval, and P. Rogaway, Authenticated key exchange secure against dictionary attacks, Proc. EUROCRYPT 2000, LNCS vol. 1807, pp ,
[4] M. Bellare and P. Rogaway, The AuthA protocol for password-based authenticated key exchange, Contributions to IEEE P1363,
[5] S. Bellovin and M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks, Proc. 1992 IEEE Symposium on Research in Security and Privacy, pp ,
[6] E. Bresson, O. Chevassut, and D. Pointcheval, New security results on encrypted key exchange, Proc. PKC 2004, LNCS vol. 2947, pp , The full version is available at
[7] R. Canetti, D. Dachman-Soled, V. Vaikuntanathan, and H. Wee, Efficient password authenticated key exchange via oblivious transfer, Proc. PKC 2012, LNCS vol. 7293, pp ,
[8] T. Chang, M. Hwang, and W. Yang, A communication-efficient three-party password authenticated key exchange protocol, Information Sciences, vol. 181, no. 1, pp ,
[9] KKR. Choo, C. Boyd, and Y. Hitchcock, Examining indistinguishability-based proof models for key establishment protocols, Proc. ASIACRYPT 2005, LNCS vol. 3788, pp ,
[10] H. Chung and W. Ku, Three weaknesses in a simple three-party key exchange protocol, Information Sciences, vol. 178, no. 1, pp ,
[11] Y. Ding and P. Horster, Undetectable on-line password guessing attacks, ACM Operating Systems Review, vol. 29, no. 4, pp ,
[12] E. Dongna, Q. Cheng, and C. Ma, Password authenticated key exchange based on RSA in the three-party settings, Proc. ProvSec 2009, LNCS vol. 5848, pp ,
[13] S. Goldwasser and S. Micali, Probabilistic encryption, Journal of Computer and System Sciences, vol. 28, no. 2, pp ,
[14] V. Goyal, A. Jain, and R. Ostrovsky, Password-authenticated session-key generation on the Internet in the plain model, Proc. CRYPTO 2010, LNCS vol. 6223, pp ,
[15] H. Guo, Z. Li, Y. Mu, and X. Zhang, Cryptanalysis of simple three-party key exchange protocol, Computers & Security, vol. 27, no. 1, pp ,
[16] H. Huang, A simple three-party password-based key exchange protocol, International Journal of Communication Systems, vol. 22, no. 7, pp ,
[17] J. Katz, R. Ostrovsky, and M. Yung, Efficient and secure authenticated key exchange using weak passwords, Journal of the ACM, vol. 57, no. 1, article 3, An earlier version was presented in EUROCRYPT
[18] J. Katz and V. Vaikuntanathan, Round-optimal password-based authenticated key exchange, Journal of Cryptology, vol. 26, no. 4, pp , An earlier version was presented in TCC
[19] H. Kim and J. Choi, Enhanced password-based simple three-party key exchange protocol, Computers and Electrical Engineering, vol. 35, no. 1, pp ,
[20] C. Lee, S. Chen, and C. Chen, A computation-efficient three-party encrypted key exchange protocol, Applied Mathematics & Information Sciences, vol. 6, no. 3, pp ,
[21] T. Lee and T. Hwang, Simple password-based three-party authenticated key exchange without server public keys, Information Sciences, vol. 180, no. 9, pp ,
[22] T. Lee, T. Hwang, and C. Lin, Enhanced three-party encrypted key exchange without server public keys, Computers & Security, vol. 23, no. 7, pp ,
[23] H. Liang, J. Hu, and S. Wu, Re-attack on a three-party password-based authenticated key exchange protocol, Mathematical and Computer Modelling, vol. 57, no. 5-6, pp ,
[24] C. Lin and T. Hwang, On a simple three-party password-based key exchange protocol, International Journal of Communication Systems, vol. 24, no. 11, pp ,
[25] C. Lin, H. Sun, M. Steiner, and T. Hwang, Three-party encrypted key exchange without server public-keys, IEEE Communications Letters, vol. 5, no. 12, pp ,
[26] R. Lu and Z. Cao, Simple three-party key exchange protocol, Computers & Security, vol. 26, no. 1, pp ,
[27] P. MacKenzie, The PAK suite: Protocols for password-authenticated key exchange, Contributions to IEEE P1363.2,
[28] J. Nam, KKR. Choo, M. Kim, J. Paik, and D. Won, Dictionary attacks against password-based authenticated three-party key exchange protocols, KSII Transactions on Internet and Information Systems, vol. 7, no. 12, pp ,
[29] J. Nam, KKR. Choo, J. Paik, and D. Won, On the security of a password-only authenticated three-party key exchange protocol, Cryptology ePrint Archive, Report 2013/540,
[30] J. Nam, KKR. Choo, J. Paik, and D. Won, An offline dictionary attack against a three-party key exchange protocol, Cryptology ePrint Archive, Report 2013/666,
[31] J. Nam, KKR. Choo, J. Paik, and D. Won, Two-round password-only authenticated key exchange in the three-party setting, Cryptology ePrint Archive, Report 2014/017,
[32] J. Nam, Y. Lee, S. Kim, and D. Won, Security weakness in a three-party pairing-based protocol for password authenticated key exchange, Information Sciences, vol. 177, no. 6, pp ,
[33] J. Nam, J. Paik, H. Kang, U. Kim, and D. Won, An off-line dictionary attack on a simple three-party key exchange protocol, IEEE Communications Letters, vol. 13, no. 3, pp ,
[34] R. Phan, W. Yau, and B. Goi, Cryptanalysis of simple three-party key exchange protocol (S-3PAKE), Information Sciences, vol. 178, no. 13, pp ,
[35] M. Steiner, G. Tsudik, and M. Waidner, Refinement and extension of encrypted key exchange, ACM SIGOPS Operating Systems Review, vol. 29, no. 3, pp ,
[36] H. Tsai and C. Chang, Provably secure three party encrypted key exchange scheme with explicit authentication, Information Sciences, vol. 238, pp ,
[37] W. Wang and L. Hu, Efficient and provably secure generic construction of three-party password-based authenticated key exchange protocols, Proc. INDOCRYPT 2006, LNCS vol. 4329, pp ,
[38] W. Wang, L. Hu, and Y. Li, How to construct secure and efficient three-party password-based authenticated key exchange protocols, Proc. INSCRYPT 2010, LNCS vol. 6584, pp ,
[39] S. Wu, K. Chen, Q. Pu, and Y. Zhu, Cryptanalysis and enhancements of efficient three-party password-based key exchange scheme, International Journal of Communication Systems, vol. 26, no. 5, pp ,
[40] S. Wu, Q. Pu, S. Wang, and D. He, Cryptanalysis of a communication-efficient three-party password authenticated key exchange protocol, Information Sciences, vol. 215, pp ,
[41] H. Xiong, Y. Chen, Z. Guan, and Z. Chen, Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys, Information Sciences, vol. 235, pp , 2013
[42] J. Yang and T. Cao, Provably secure three-party password authenticated key exchange protocol in the standard model, Journal of Systems and Software, vol. 85, no. 2, pp ,
[43] X. Yi, S. Ling, and H. Wang, Efficient two-server password-only authenticated key exchange, IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 9, pp ,
[44] E. Yoon and K. Yoo, Cryptanalysis of a simple three-party password-based key exchange protocol, International Journal of Communication Systems, vol. 24, no. 4, pp ,
[45] J. Zhao and D. Gu, Provably secure three-party password-based authenticated key exchange protocol, Information Sciences, vol. 184, no. 1, pp ,
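The hash-into-group construction the paper suggests for G (a subgroup of order q in a safe-prime group, an inner hash into Z p, then step (3), read here as squaring the inner hash output) can be sketched as follows. This is an added example, not code from the paper: SHAKE-256 as the inner hash, the domain tag, the helper names and the toy 64-bit safe prime are all assumptions made for illustration.

```python
"""Hash into the order-q subgroup of a safe-prime group by squaring."""
import hashlib

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits):
    """Return (p, q), the smallest safe prime p = 2q + 1 of the given bit
    length. Toy sizes only (bits <= 80); real deployments use >= 2048 bits."""
    assert 4 <= bits <= 80
    q = (1 << (bits - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def hash_to_zp_star(data, p):
    """Inner hash: bytes -> [1, p-1]. The output is 128 bits wider than p so
    the bias from modular reduction is negligible; the +1 excludes 0."""
    nbytes = (p.bit_length() + 128 + 7) // 8
    digest = hashlib.shake_256(b"inner-hash|" + data).digest(nbytes)
    return 1 + int.from_bytes(digest, "big") % (p - 1)


def hash_to_group(data, p):
    """G(data): square the inner hash. For p = 2q + 1 the cofactor
    (p - 1) / q is 2, so one modular multiplication lands in the subgroup.
    The identity 1 is returned only if the inner hash is 1 or p - 1."""
    h = hash_to_zp_star(data, p)
    return h * h % p


def in_subgroup(y, p, q):
    """Membership test for the order-q subgroup (one full exponentiation)."""
    return 1 <= y < p and pow(y, q, p) == 1


def fraction_in_subgroup(samples, p, q, squared):
    """Share of constructed sample inputs that map into the subgroup,
    with and without the squaring step."""
    hits = 0
    for i in range(samples):
        pw = b"candidate-%d" % i  # constructed sample passwords
        y = hash_to_group(pw, p) if squared else hash_to_zp_star(pw, p)
        hits += in_subgroup(y, p, q)
    return hits / samples


if __name__ == "__main__":
    p, q = find_safe_prime(64)
    print("p =", p, "q =", q)
    print("G(pw) =", hash_to_group(b"correct horse", p))
    print("in subgroup without squaring:", fraction_in_subgroup(2000, p, q, False))
    print("in subgroup with squaring:   ", fraction_in_subgroup(2000, p, q, True))
```

Without the squaring step only about half of the inner hash outputs are quadratic residues, so the cheap squaring is what guarantees membership in the order-q subgroup without paying for a full exponentiation.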


More information

A New Approach For the Ranking of Fuzzy Sets With Different Heights

A New Approach For the Ranking of Fuzzy Sets With Different Heights New pproach For the ankng of Fuzzy Sets Wth Dfferent Heghts Pushpnder Sngh School of Mathematcs Computer pplcatons Thapar Unversty, Patala-7 00 Inda pushpndersnl@gmalcom STCT ankng of fuzzy sets plays

More information

An Efficient Genetic Algorithm with Fuzzy c-means Clustering for Traveling Salesman Problem

An Efficient Genetic Algorithm with Fuzzy c-means Clustering for Traveling Salesman Problem An Effcent Genetc Algorthm wth Fuzzy c-means Clusterng for Travelng Salesman Problem Jong-Won Yoon and Sung-Bae Cho Dept. of Computer Scence Yonse Unversty Seoul, Korea jwyoon@sclab.yonse.ac.r, sbcho@cs.yonse.ac.r

More information

Subspace clustering. Clustering. Fundamental to all clustering techniques is the choice of distance measure between data points;

Subspace clustering. Clustering. Fundamental to all clustering techniques is the choice of distance measure between data points; Subspace clusterng Clusterng Fundamental to all clusterng technques s the choce of dstance measure between data ponts; D q ( ) ( ) 2 x x = x x, j k = 1 k jk Squared Eucldean dstance Assumpton: All features

More information

Lecture - Data Encryption Standard 4

Lecture - Data Encryption Standard 4 The Data Encrypton Standard For an encrypton algorthm we requre: secrecy of the key and not of the algorthm tself s the only thng that s needed to ensure the prvacy of the data the best cryptographc algorthms

More information

An efficient biometrics-based authentication scheme for telecare medicine information systems

An efficient biometrics-based authentication scheme for telecare medicine information systems Zuowen Tan Jangx Unversty of Fnance & Economcs An effcent bometrcs-based authentcaton scheme for telecare medcne nformaton systems Abstract. The telecare medcal nformaton system enables the patents gan

More information

Analysis of Collaborative Distributed Admission Control in x Networks

Analysis of Collaborative Distributed Admission Control in x Networks 1 Analyss of Collaboratve Dstrbuted Admsson Control n 82.11x Networks Thnh Nguyen, Member, IEEE, Ken Nguyen, Member, IEEE, Lnha He, Member, IEEE, Abstract Wth the recent surge of wreless home networks,

More information

Complex Numbers. Now we also saw that if a and b were both positive then ab = a b. For a second let s forget that restriction and do the following.

Complex Numbers. Now we also saw that if a and b were both positive then ab = a b. For a second let s forget that restriction and do the following. Complex Numbers The last topc n ths secton s not really related to most of what we ve done n ths chapter, although t s somewhat related to the radcals secton as we wll see. We also won t need the materal

More information

A Fast Content-Based Multimedia Retrieval Technique Using Compressed Data

A Fast Content-Based Multimedia Retrieval Technique Using Compressed Data A Fast Content-Based Multmeda Retreval Technque Usng Compressed Data Borko Furht and Pornvt Saksobhavvat NSF Multmeda Laboratory Florda Atlantc Unversty, Boca Raton, Florda 3343 ABSTRACT In ths paper,

More information

Explicit Formulas and Efficient Algorithm for Moment Computation of Coupled RC Trees with Lumped and Distributed Elements

Explicit Formulas and Efficient Algorithm for Moment Computation of Coupled RC Trees with Lumped and Distributed Elements Explct Formulas and Effcent Algorthm for Moment Computaton of Coupled RC Trees wth Lumped and Dstrbuted Elements Qngan Yu and Ernest S.Kuh Electroncs Research Lab. Unv. of Calforna at Berkeley Berkeley

More information

A NOTE ON FUZZY CLOSURE OF A FUZZY SET

A NOTE ON FUZZY CLOSURE OF A FUZZY SET (JPMNT) Journal of Process Management New Technologes, Internatonal A NOTE ON FUZZY CLOSURE OF A FUZZY SET Bhmraj Basumatary Department of Mathematcal Scences, Bodoland Unversty, Kokrajhar, Assam, Inda,

More information

Comparison of Heuristics for Scheduling Independent Tasks on Heterogeneous Distributed Environments

Comparison of Heuristics for Scheduling Independent Tasks on Heterogeneous Distributed Environments Comparson of Heurstcs for Schedulng Independent Tasks on Heterogeneous Dstrbuted Envronments Hesam Izakan¹, Ath Abraham², Senor Member, IEEE, Václav Snášel³ ¹ Islamc Azad Unversty, Ramsar Branch, Ramsar,

More information

Array transposition in CUDA shared memory

Array transposition in CUDA shared memory Array transposton n CUDA shared memory Mke Gles February 19, 2014 Abstract Ths short note s nspred by some code wrtten by Jeremy Appleyard for the transposton of data through shared memory. I had some

More information

Improvement of Spatial Resolution Using BlockMatching Based Motion Estimation and Frame. Integration

Improvement of Spatial Resolution Using BlockMatching Based Motion Estimation and Frame. Integration Improvement of Spatal Resoluton Usng BlockMatchng Based Moton Estmaton and Frame Integraton Danya Suga and Takayuk Hamamoto Graduate School of Engneerng, Tokyo Unversty of Scence, 6-3-1, Nuku, Katsuska-ku,

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L, Qan Wang, Cong Wang, Nng Cao, Ku Ren, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc

More information

Optimal Fault-Tolerant Routing in Hypercubes Using Extended Safety Vectors

Optimal Fault-Tolerant Routing in Hypercubes Using Extended Safety Vectors Optmal Fault-Tolerant Routng n Hypercubes Usng Extended Safety Vectors Je Wu Department of Computer Scence and Engneerng Florda Atlantc Unversty Boca Raton, FL 3343 Feng Gao, Zhongcheng L, and Ynghua Mn

More information

UB at GeoCLEF Department of Geography Abstract

UB at GeoCLEF Department of Geography   Abstract UB at GeoCLEF 2006 Mguel E. Ruz (1), Stuart Shapro (2), June Abbas (1), Slva B. Southwck (1) and Davd Mark (3) State Unversty of New York at Buffalo (1) Department of Lbrary and Informaton Studes (2) Department

More information

Lecture 5: Multilayer Perceptrons

Lecture 5: Multilayer Perceptrons Lecture 5: Multlayer Perceptrons Roger Grosse 1 Introducton So far, we ve only talked about lnear models: lnear regresson and lnear bnary classfers. We noted that there are functons that can t be represented

More information

Solving two-person zero-sum game by Matlab

Solving two-person zero-sum game by Matlab Appled Mechancs and Materals Onlne: 2011-02-02 ISSN: 1662-7482, Vols. 50-51, pp 262-265 do:10.4028/www.scentfc.net/amm.50-51.262 2011 Trans Tech Publcatons, Swtzerland Solvng two-person zero-sum game by

More information

Sum of Linear and Fractional Multiobjective Programming Problem under Fuzzy Rules Constraints

Sum of Linear and Fractional Multiobjective Programming Problem under Fuzzy Rules Constraints Australan Journal of Basc and Appled Scences, 2(4): 1204-1208, 2008 ISSN 1991-8178 Sum of Lnear and Fractonal Multobjectve Programmng Problem under Fuzzy Rules Constrants 1 2 Sanjay Jan and Kalash Lachhwan

More information

Time-Assisted Authentication Protocol

Time-Assisted Authentication Protocol Tme-Asssted Authentcaton Protocol 1 Muhammad Blal Unversty of Scence and Technology, Korea Electroncs and Telecommuncaton Research Insttute, Rep. of Korea mblal@etr.re.kr, engr.mblal@yahoo.com 2 Shn-Gak

More information

Programming in Fortran 90 : 2017/2018

Programming in Fortran 90 : 2017/2018 Programmng n Fortran 90 : 2017/2018 Programmng n Fortran 90 : 2017/2018 Exercse 1 : Evaluaton of functon dependng on nput Wrte a program who evaluate the functon f (x,y) for any two user specfed values

More information

Miss in the Middle Attacks on IDEA and Khufu

Miss in the Middle Attacks on IDEA and Khufu Mss n the Mddle Attacks on IDEA and Khufu El Bham Alex Bryukov Ad Shamr Abstract. In a recent paper we developed a new cryptanalytc technque based on mpossble dfferentals, and used t to attack the Skpjack

More information

Cryptanalysis and Improvement of Mutual Authentication Protocol for EPC C1G2 passive RFID Tag

Cryptanalysis and Improvement of Mutual Authentication Protocol for EPC C1G2 passive RFID Tag IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): 1694-0814 ISSN (Onlne): 1694-0784 www.ijcsi.org https://do.org/10.0943/0101706.7684 76 Cryptanalyss and

More information

Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud

Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud 1 Protectng Your Rght: Verfable Attrbute-based Keyword Search wth Fne-graned Owner-enforced Search Authorzaton n the Cloud Wenha Sun, Student Member, IEEE, Shucheng Yu, Member, IEEE, Wenjng Lou, Senor

More information

Load-Balanced Anycast Routing

Load-Balanced Anycast Routing Load-Balanced Anycast Routng Chng-Yu Ln, Jung-Hua Lo, and Sy-Yen Kuo Department of Electrcal Engneerng atonal Tawan Unversty, Tape, Tawan sykuo@cc.ee.ntu.edu.tw Abstract For fault-tolerance and load-balance

More information

Video Proxy System for a Large-scale VOD System (DINA)

Video Proxy System for a Large-scale VOD System (DINA) Vdeo Proxy System for a Large-scale VOD System (DINA) KWUN-CHUNG CHAN #, KWOK-WAI CHEUNG *# #Department of Informaton Engneerng *Centre of Innovaton and Technology The Chnese Unversty of Hong Kong SHATIN,

More information