TY - GEN
T1 - A Universally Composable PAKE with Zero Communication Cost
T2 - 26th IACR International Conference on Practice and Theory of Public-Key Cryptography, PKC 2023
AU - Roy, Lawrence
AU - Xu, Jiayu
N1 - Publisher Copyright:
© 2023, International Association for Cryptologic Research.
PY - 2023/5
Y1 - 2023/5
N2 - A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to agree upon a cryptographic key, when the only information shared in advance is a low-entropy password. The standard security notion for PAKE (Canetti et al., Eurocrypt 2005) is in the Universally Composable (UC) framework. We show that unlike most UC security notions, UC PAKE does not imply correctness. While Canetti et al. has briefly noticed this issue, we present the first comprehensive study of correctness in UC PAKE: 1.We show that TrivialPAKE, a no-message protocol that does not satisfy correctness, is a UC PAKE;2.We propose nine approaches to guaranteeing correctness in the UC security notion of PAKE, and show that seven of them are equivalent, whereas the other two are unachievable;3.We prove that a direct solution, namely changing the UC PAKE functionality to incorporate correctness, is impossible;4.Finally, we show how to naturally incorporate correctness by changing the model—we view PAKE as a three-party protocol, with the man-in-the-middle adversary as the third party. In this way, we hope to shed some light on the very nature of UC-security in the man-in-the-middle setting.
AB - A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to agree upon a cryptographic key, when the only information shared in advance is a low-entropy password. The standard security notion for PAKE (Canetti et al., Eurocrypt 2005) is in the Universally Composable (UC) framework. We show that unlike most UC security notions, UC PAKE does not imply correctness. While Canetti et al. has briefly noticed this issue, we present the first comprehensive study of correctness in UC PAKE: 1.We show that TrivialPAKE, a no-message protocol that does not satisfy correctness, is a UC PAKE;2.We propose nine approaches to guaranteeing correctness in the UC security notion of PAKE, and show that seven of them are equivalent, whereas the other two are unachievable;3.We prove that a direct solution, namely changing the UC PAKE functionality to incorporate correctness, is impossible;4.Finally, we show how to naturally incorporate correctness by changing the model—we view PAKE as a three-party protocol, with the man-in-the-middle adversary as the third party. In this way, we hope to shed some light on the very nature of UC-security in the man-in-the-middle setting.
U2 - 10.1007/978-3-031-31368-4_25
DO - 10.1007/978-3-031-31368-4_25
M3 - Article in proceedings
AN - SCOPUS:85161436732
SN - 978-3-031-31367-7
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 714
EP - 743
BT - Public-Key Cryptography – PKC 2023
A2 - Boldyreva, Alexandra
A2 - Kolesnikov, Vladimir
PB - Springer
CY - Cham
Y2 - 7 May 2023 through 10 May 2023
ER -