TOPPSS: Cost-Minimal Password-Protected Secret Sharing Based on Threshold OPRF

  • Stanisław Jarecki (corresponding author)
  • Aggelos Kiayias
  • Hugo Krawczyk
  • Jiayu Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)

Abstract

We present TOPPSS, the most efficient Password-Protected Secret Sharing (PPSS) scheme to date. A (t,n)-threshold PPSS, introduced by Bagherzandi et al. [4], allows a user to share a secret among n servers so that the secret can later be reconstructed by the user from any subset of t+1 servers with the sole knowledge of a password. It is guaranteed that any coalition of up to t corrupt servers learns nothing about the secret (or the password). In addition to providing strong protection to secrets stored online, PPSS schemes give rise to efficient Threshold PAKE (T-PAKE) protocols that armor single-server password authentication against the inherent vulnerability to offline dictionary attacks in case of server compromise.

TOPPSS is password-only, i.e. it does not rely on public keys in reconstruction, and enjoys remarkable efficiency: a single communication round, a single exponentiation per server and just two exponentiations per client, regardless of the number of servers. TOPPSS satisfies threshold security under the (Gap) One-More Diffie-Hellman (OMDH) assumption in the random-oracle model, as in prior efficient realizations of PPSS/T-PAKE [18, 19]. Moreover, we show that TOPPSS realizes the Universally Composable PPSS notion of [19] under a generalization of OMDH, the Threshold One-More Diffie-Hellman (T-OMDH) assumption. We show that the T-OMDH and OMDH assumptions are both hard in the generic group model.

The key technical tool we introduce is a universally composable Threshold Oblivious PRF which is of independent interest and applicability.
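The flow the abstract summarizes, a threshold OPRF driving a PPSS, as an added worked example that is not the paper's code: the client blinds H1(pw), each of t+1 servers answers with one exponentiation on its Shamir share of the OPRF key, and the client multiplies the replies and unblinds with its second exponentiation, so the servers never see the password or H1(pw) and fewer than t+1 shares give nothing about the key. Everything concrete here is an assumption of the example rather than a detail taken from the abstract: a toy safe-prime group (p = 2039, q = 1019) standing in for an elliptic-curve group, SHA-256 as both hash functions, servers being told the participating subset so that they can fold the Lagrange coefficient into their single exponentiation, a hash tag stored beside the masked secret for the password check, and the constructed password and secret in `demo`.

```python
import hashlib
import secrets

# CONSTRUCTED toy group: safe prime p = 2q + 1, so the quadratic residues of Z_p^*
# form a subgroup of prime order q. A real deployment uses a ~256-bit elliptic-curve
# group with a proper hash-to-curve; the protocol logic below is unchanged.
P, Q = 2039, 1019


def h1(pw: bytes) -> int:
    """H1: hash the password into the order-q subgroup (square a non-zero residue), never the identity."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"H1|" + bytes([ctr]) + pw).digest(), "big") % (P - 1) + 1
        h = pow(x, 2, P)
        if h != 1:
            return h
        ctr += 1


def h2(pw: bytes, z: int) -> bytes:
    """H2: OPRF output rw = H2(pw, H1(pw)^k); hashing pw in again binds the result to the password."""
    return hashlib.sha256(b"H2|" + pw + b"|" + z.to_bytes(2, "big")).digest()


def share_key(k: int, t: int, n: int, rng) -> dict:
    """Shamir-share k over Z_q with a random degree-t polynomial f, f(0) = k; share i is f(i)."""
    coeffs = [k] + [rng.randrange(Q) for _ in range(t)]
    shares = {}
    for i in range(1, n + 1):
        v = 0
        for c in reversed(coeffs):          # Horner evaluation of f(i)
            v = (v * i + c) % Q
        shares[i] = v
    return shares


def lagrange_at_zero(i: int, subset) -> int:
    """lambda_i with sum_i lambda_i * f(i) = f(0) over the t+1 distinct indices in `subset`."""
    num = den = 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


class Server:
    """Holds one key share k_i; answers a blinded query with a single group exponentiation."""

    def __init__(self, idx: int, key_share: int):
        self.idx, self.key_share, self.exps = idx, key_share, 0

    def respond(self, a: int, subset) -> int:
        if not 1 < a < P:                   # reject the identity and out-of-range elements
            raise ValueError("bad blinded element")
        self.exps += 1
        # The Lagrange coefficient is scalar arithmetic in Z_q; folding it into the exponent
        # (ASSUMED here) is what keeps the server at one exponentiation and the client at two.
        return pow(a, lagrange_at_zero(self.idx, subset) * self.key_share % Q, P)


def toprf_eval(pw: bytes, servers, rng) -> bytes:
    """Client: blind H1(pw), query t+1 servers in one round, multiply the replies, unblind."""
    subset = [s.idx for s in servers]
    r = rng.randrange(1, Q)
    a = pow(h1(pw), r, P)                                   # client exponentiation 1 (blinding)
    y = 1
    for s in servers:                                       # prod_i a^{lambda_i k_i} = a^k
        y = y * s.respond(a, subset) % P
    z = pow(y, pow(r, -1, Q), P)                            # client exponentiation 2: H1(pw)^k
    return h2(pw, z)


def ppss_init(pw: bytes, secret: bytes, t: int, n: int, rng=None):
    """Setup: share the OPRF key, mask the secret with rw, replicate (ct, tag, t) at every server."""
    rng = rng or secrets.SystemRandom()
    assert len(secret) <= 32                # one SHA-256 block of mask in this toy
    k = rng.randrange(1, Q)
    servers = [Server(i, sh) for i, sh in share_key(k, t, n, rng).items()]
    rw = h2(pw, pow(h1(pw), k, P))          # the user still holds k at setup, so no blinding needed
    mask = hashlib.sha256(b"mask|" + rw).digest()[: len(secret)]
    # ASSUMED check value: any t or fewer servers cannot compute rw, so it gives them no password oracle.
    tag = hashlib.sha256(b"tag|" + rw).digest()
    ct = bytes(x ^ y for x, y in zip(secret, mask))
    return servers, (ct, tag, t)


def ppss_reconstruct(pw: bytes, servers, record, rng=None):
    """User with only the password: one T-OPRF evaluation, then verify the tag and unmask."""
    rng = rng or secrets.SystemRandom()
    ct, tag, t = record
    if len({s.idx for s in servers}) < t + 1:
        raise ValueError("need t+1 distinct servers")
    rw = toprf_eval(pw, servers[: t + 1], rng)
    if hashlib.sha256(b"tag|" + rw).digest() != tag:
        return None                          # wrong password or a misbehaving server: nothing leaks
    mask = hashlib.sha256(b"mask|" + rw).digest()[: len(ct)]
    return bytes(x ^ y for x, y in zip(ct, mask))


def demo(t: int = 2, n: int = 5) -> dict:
    pw, secret = b"correct horse battery", b"wallet seed 0123"   # constructed inputs
    servers, record = ppss_init(pw, secret, t, n)
    good = ppss_reconstruct(pw, servers[: t + 1], record)
    exps = [s.exps for s in servers]        # exactly one exponentiation on each contacted server
    other = ppss_reconstruct(pw, servers[-(t + 1):], record)    # any other t+1 subset also works
    wrong = ppss_reconstruct(b"wrong password", servers[: t + 1], record)
    try:
        ppss_reconstruct(pw, servers[:t], record)
        too_few = "accepted"
    except ValueError:
        too_few = "refused"
    return {"good": good, "other": other, "wrong": wrong, "too_few": too_few, "exps": exps}
```

The blinded element a = H1(pw)^r is uniformly random in the subgroup, so a server (or a coalition of up to t of them, which lacks t+1 shares of k) learns nothing about the password from the query, and the tag check stops a wrong guess from unmasking garbage. The toy modulus offers no security at this size, and a deployment also needs the server-response verification that the paper's UC treatment provides, which this illustration omits.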

References

  1. Russian hackers amass over a billion internet passwords. New York Times, 08 June 2014. http://goo.gl/aXzqj8
  2. Abdalla, M., Chevassut, O., Fouque, P.-A., Pointcheval, D.: A simple threshold authenticated key exchange from short secrets. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 566–584. Springer, Heidelberg (2005). doi: 10.1007/11593447_31
  3. Abdalla, M., Cornejo, M., Nitulescu, A., Pointcheval, D.: Robust password-protected secret sharing. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 61–79. Springer, Cham (2016). doi: 10.1007/978-3-319-45741-3_4
  4. Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 433–444. ACM (2011)
  5. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)
  6. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_11
  7. Blazy, O., Chevalier, C., Vergnaud, D.: Mitigating server breaches in password-based authentication: secure and efficient solutions. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 3–18. Springer, Cham (2016). doi: 10.1007/978-3-319-29485-8_1
  8. Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_12
  9. Brainard, J., Juels, A., Kaliski, B., Szydlo, M.: Nightingale: a new two-server approach for authentication with short secrets. In: 12th USENIX Security Symposium, pp. 201–213. IEEE Computer Society (2003)
  10. Camenisch, J., Lehmann, A., Lysyanskaya, A., Neven, G.: Memento: how to reconstruct your secrets from a single password in a hostile environment. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 256–275. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44381-1_15
  11. Camenisch, J., Lehmann, A., Neven, G.: Optimal distributed password verification. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 182–194. ACM (2015)
  12. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, 2001, pp. 136–145. IEEE (2001)
  13. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_20
  14. Di Raimondo, M., Gennaro, R.: Provably secure threshold password-authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 507–523. Springer, Heidelberg (2003). doi: 10.1007/3-540-39200-9_32
  15. Ford, W., Kaliski, B.S.: Server-assisted generation of a strong secret from a password. In: Proceedings of the IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises 2000 (WET ICE 2000), pp. 176–180. IEEE (2000)
  16. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007)
  17. Jarecki, S., Jutla, C., Krawczyk, H., Rosu, M., Steiner, M.: Outsourced symmetric private information retrieval. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 875–888. ACM (2013)
  18. Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_13
  19. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing (or: how to protect your bitcoin wallet online). In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 276–291. IEEE (2016)
  20. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Threshold oblivious PRF and minimal-cost password-protected secret sharing. Cryptology ePrint Archive (2017). http://eprint.iacr.org/2017/[TBD]
  21. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 177–188. ACM (2016)
  22. Jarecki, S., Liu, X.: Fast secure computation of set intersection. In: Garay, J.A., Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 418–435. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15317-4_26
  23. Katz, J., MacKenzie, P., Taban, G., Gligor, V.: Two-server password-only authenticated key exchange. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 1–16. Springer, Heidelberg (2005). doi: 10.1007/11496137_1
  24. Kiefer, F., Manulis, M.: Distributed smooth projective hashing and its application to two-server password authenticated key exchange. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 199–216. Springer, Cham (2014). doi: 10.1007/978-3-319-07536-5_13
  25. Kiefer, F., Manulis, M.: Universally composable two-server PAKE. In: Bishop, M., Nascimento, A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 147–166. Springer, Cham (2016). doi: 10.1007/978-3-319-45871-7_10
  26. MacKenzie, P., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 385–400. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_25
  27. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). doi: 10.1007/3-540-48910-X_23
  28. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). doi: 10.1007/3-540-69053-0_18
  29. Szydlo, M., Kaliski, B.: Proofs for two-server password authentication. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 227–244. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30574-3_16
  30. Wikström, D.: Universally composable DKG with linear number of exponentiations. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 263–277. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30598-9_19
  31. Yi, X., Hao, F., Chen, L., Liu, J.K.: Practical threshold password-authenticated secret sharing protocol. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 347–365. Springer, Cham (2015). doi: 10.1007/978-3-319-24174-6_18

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Stanisław Jarecki (1, corresponding author)
  • Aggelos Kiayias (2)
  • Hugo Krawczyk (3)
  • Jiayu Xu (1)
  1. University of California, Irvine, USA
  2. University of Edinburgh, Edinburgh, UK
  3. IBM Research, New York City, USA