Password-Authenticated Public-Key Encryption

Abstract

We introduce password-authenticated public-key encryption (PAPKE), a new cryptographic primitive. PAPKE enables secure end-to-end encryption between two entities without relying on a trusted third party or other out-of-band mechanisms for authentication. Instead, resistance to man-in-the-middle attacks is ensured in a human-friendly way by authenticating the public key with a shared password, while preventing offline dictionary attacks given the authenticated public key and/or the ciphertexts produced using this key.

Our contributions are three-fold. First, we provide property-based and universally composable (UC) definitions for PAPKE, with the resulting primitive combining CCA security of public-key encryption (PKE) with password authentication. Second, we show that PAPKE implies Password-Authenticated Key Exchange (PAKE), but the reverse implication does not hold, indicating that PAPKE is a strictly stronger primitive than PAKE. Indeed, PAPKE implies a two-flow PAKE which remains secure if either party re-uses its state in multiple sessions, e.g. due to communication errors, thus strengthening existing notions of PAKE security. Third, we show two highly practical UC PAPKE schemes: a generic construction built from CCA-secure and anonymous PKE and an ideal cipher, and a direct construction based on the Decisional Diffie-Hellman assumption in the random oracle model.

Finally, applying our PAPKE-to-PAKE compiler to the above PAPKE schemes we exhibit the first 2-round UC PAKE’s with efficiency comparable to (unauthenticated) Diffie-Hellman Key Exchange.

Full version of this paper appears in [12].

A Concrete PAPKE and PAKE Instantiation Example

Here we show particular instantiations of some of our results, a PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) and a PAKE protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\). \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) is a particular instantiation of the generic \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) scheme of Sect. 4.1 based on the \(\mathsf {DHIES}^*\) PKE by Abdalla et al. [1], and protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) is derived via the \(\mathsf {PAPKE}\text {-}2\text {-}\mathsf {PAKE}\) compiler of Sect. 3 applied to \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\).

Fig. 4.

Concrete PAPKE instantiation \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\).

Concrete Instantiation of \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) Using \(\mathsf {DHIES} \). In Sect. 4.1 we show a generic UC-secure PAPKE scheme that relies on an ideal cipher and a public-key encryption scheme that is both \(\mathsf {AI\text {-}CCA}\) and \(\mathsf {SROB\text {-}CCA}\)-secure. Abdalla et al. [1] show that these properties can be realized by \(\mathsf {DHIES}^*\), a simple modification of \(\mathsf {DHIES}\) [2] which excludes zero randomness at encryption, i.e., samples r from \(\mathbb {Z}^*_p\) instead of \(\mathbb {Z}_p\), and rejects ciphertexts that have 1 as first component. We specify \(\mathsf {DHIES}^*\) below relying on authenticated encryption \(\mathsf {AE}\), a hash function \(\mathsf {H}\) and a cyclic group \((\mathbb {G},p,g)\) of prime order p. Scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) in Fig. 4 is a (semi) concrete instantiation of \(\mathsf {PAPKE}\text {-}\mathsf {IC}\) using \(\mathsf {DHIES}^*\), which uses 2 exponentiations for encryption and 1 for decryption, as well as an ideal cipher over group \({\mathbb {G}}\) and hashing onto \({\mathbb {G}}\).

• \(\mathsf {DHIES}^*.\mathsf {KGen}(\kappa )\): \(x \leftarrow _\mathrm {\tiny {R}}\mathbb {Z}_p\), \(y \leftarrow g^x\), set \( pk \leftarrow y, sk \leftarrow x\) and return \(( pk , sk )\)

• \(\mathsf {DHIES}^*.\mathsf {Enc}(pk,m)\): parse \( pk =y\), get \(r \leftarrow _\mathrm {\tiny {R}}\mathbb {Z}^*_p\), \(k \leftarrow \mathsf {H}(y^r)\), \(c_1 \leftarrow g^r\), \(c_2 \leftarrow \mathsf {AE.Enc}(k, m)\) and return \(c = (c_1, c_2)\).

• \(\mathsf {DHIES}^*.\mathsf {Dec}(sk,c)\): parse \(c=(c_1,c_2)\) and \( sk =x\), get \(k \leftarrow \mathsf {H}(c_1^x)\). If \(c_1 =1\) output \(m \leftarrow \bot \) and \(m \leftarrow \mathsf {AE.Dec}(k, c_2)\) else.

Concrete PAKE Protocols. We specify an example of a concrete UC PAKE instantiation obtained by applying the generic \(\mathsf {PAPKE}\text {-}2\text {-}\mathsf {PAKE}\) compiler shown in Fig. 1 to the PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) shown in Fig. 4. In [12] we also specify PAKE protocol \(\mathsf {PAKE}\text {-}\mathsf {FO}\) implied by our second PAPKE construction, \(\mathsf {PAPKE}\text {-}\mathsf {FO}\) of Fig. 3. To the best of our knowledge, these are the first two-round UC-secure PAKE’s which rely on standard groups, i.e. no bilinear maps, but resort to the IC and/or ROM model to achieve practical efficiency. Concretely, \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) uses from 2 exponentiations per party and \(\mathsf {PAKE}\text {-}\mathsf {FO}\) uses 4 (multi-)exponentiations for one party and 2 for the other. This almost matches the efficiency and assumptions used by two-round PAKE’s which were shown secure under only game-based security notions, e.g. [4, 7, 11], and it reduces from 3 to 2 the rounds of previously known UC PAKE secure under comparable assumptions of Abdalla et al. [3].

Protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) shown in Fig. 5 requires the same setup as the PAPKE scheme \(\mathsf {PAPKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) in Fig. 4, i.e. \({\mathbb {G}}\) is a cyclic group of prime order p with generator g, \(\mathsf {IC}=(\mathsf {IC.Enc},\mathsf {IC.Dec})\) is an ideal cipher over group \({\mathbb {G}}\) with key space \(\{0,1\}^*\), \(\mathsf {AE}=(\mathsf {AE.Enc},\mathsf {AE.Dec})\) is an authenticated encryption with key space \(\{0,1\}^\kappa \), and \(\mathsf {H}:\mathbb {G}\rightarrow \{0,1\}^\kappa \) is a collision-resistant hash. The following security statement for \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) follows from Theorems 1, 2, and the security properties of \(\mathsf {DHIES}^*\) [1]:

Corollary 1

The \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\) scheme described in Fig. 5 securely realizes \(\mathcal {F}_{\mathsf {PAKE}}\) in the \(\mathcal {F}_\mathsf {CRS},\mathcal {F}_\mathsf {IC}\)-hybrid model if the Oracle-Diffie-Hellman assumption is hard for \({\mathbb {G}}\), \(\mathsf {H}\) is a collision-resistant hash, and \(\mathsf {AE}\) is a secure, strongly unforgeable and collision-resistant authenticated encryption scheme.

Fig. 5.

Two-round PAKE protocol \(\mathsf {PAKE}\text {-}\mathsf {IC}\text {-}\mathsf {DHIES}\).