Analysis And Design Of Password Authenticated Key Exchange Protocols In The Standard Model

Password authenticated key exchange (PAKE) protocols allow parties sharing only a low-entropy, human-memorable password to authenticate themselves and establish a common session key over an insecure channel in a secure manner. Since PAKE protocols do not require complex public-key infrastructure or trusted hardware of storing high entropy secrets, they have attracted many attentions since being introduced. In order to guarantee PAKE protocols resisting off-line dictionary attacks and securely realizing their designed goals, a popular measure is to resort protocol design and analysis to the theory of provable security. Among all security models, the standard model is more nature and, as it named, more standard than the ideal model, such as random oracle model and ideal cipher model. However, due to various reasons, protocols with security proof in the standard model are far less than those in the ideal model, and the computational and communication efficiency of these protocols is also lower.In this thesis, we address with the problem of analyzing and designing PAKE protocols provably secure in the standard model, particularly the PAKE protocols in the two-party setting and in the three-party setting. We have designed several novel and secure PAKE protocols based on different security models and different computational difficult assumptions, such that they are more efficient in term of computation complexity or communication cost. Based on this start point, we did in-depth research on the analysis and design of PAKE protocols, and got the following results.1. Several existed PAKE protocols designed in the standard model are analyzed. Firstly, cryptanalysis of a protocol proposed by Yin et al. in the paper of"Provable Secure Encrypted Key Exchange Protocol under Standard Model"is presented. A concrete attack in which an outside adversary impersonates a valid server is also given. Secondly, a protocol proposed by Shu et al. in the paper of"Provable Secure Encrypted Key Exchange Protocol under Standard Model"is analyzed. An off-line dictionary attack conducted by an active outside adversary is also introduced. Thirdly, a protocol proposed by Li et al. in the paper of"Verifier-Based Password Authenticated Key Exchange for Three-party"is pointed out to be vulnerable to off-line dictionary attack by any passive outside adversary. Further, the errors in the original protocols design and security proofs are also analyzed, which might be instructive to future PAKE protocols design.2. Two-party PAKE protocols with provable security in the well-known Real-or-Random model are researched. Firstly, by utilizing non-interactive, perfect-biding and non-malleable commitment and smooth projective hashing function family, we proposed a two-party PAKE protocol in standard model, which is the first PAKE protocol achieving optimal two rounds. Since general building blocks are used, this protocol can be efficiently instantiated with primitives based on either the DDH, Quadratic Residuosity or N-Residuosity assumptions. Secondly, through using CCA2 secure public key encryption schemes based on LWE assumption, approximate smooth projective hash function family, and error-correcting codes, we constructed a two-party PAKE protocol based on Lattice and proved its security strictly. Note that the protocol introduced by Katz and Vaikuntanathan is in fact a key transport protocol, ours is the first truly key exchange protocol in this setting.3. Two-party PAKE protocols designed in the UC framework and based on standard assumptions are presented. Firstly, based on Canetti's protocol we proposed a new protocol which is also proven secure in the UC framework but with improved communication and computation performance. Secondly, we adopted a designing approach totally different from that used in Canetti's protocol and designed an efficient protocol with provable security in the UC framework. To this end, we first defined a new definition for commitment, called weak simulation-sound trapdoor commitment. Then, we presented a concrete construction of non-malleable, extractable and weak simulation-sound commitment scheme, and also the corresponding smooth projective hash function family. By means of these newly constructed building blocks, our protocol avoids the usage of zero-knowledge protocols and achieves high performance in terms of communication efficiency, which is the first two round PAKE protocol in the UC framework.4. We introduced a new PAKE protocol which is optimized for the special three-party setting; the resulting protocol is more efficient than the general construction in terms of round numbers as well as computational complexity. The protocol also enjoys provable security in the Real-or-Random model for three-party PAKE protocols, which provides semantic security for the session keys, guarantees key privacy against honest-but-curious server as well as resistance to undetectable on-line dictionary attacks.