Identity-based Password-Authenticated Key Exchange for Client/Server
Model
Xun Yi
1
, Raylin Tso
2
and Eiji Okamoto
3
1
School of Engineering and Science, Victoria University, Melbourne, Victoria 8001, Australia
2
Department of Computer Science, National Chengchi University, Taipei 11605, Taiwan
3
Department of Risk Engineering, University of Tsukuba, Tsukuba, Ibaraki, 305-8573, Japan
Keywords:
PAKE, Client/Server Model, Identity-based Encryption, Decisional Diffie-Hellman Problem.
Abstract:
Password-Authenticated Key Exchange for Client/Server model (PAKE-CS) is where a client and a server,
based only on their knowledge of a password, establish a cryptographic key for secure communication. In
this paper, we propose a PAKE-CS protocol on the basis of identity-based encryption, where the client needs
to remember a password only while the server keeps the password in addition to a private key related to his
identity, where the private key is generated by multiple private key generators. Our protocol takes advantage of
the features of client/server model and is more efficient than other PAKE-CS protocols in terms that it achieves
explicit authentication with two-round communications only. In order to analyze the security of our protocol,
we construct an ID-based formal model of security for PAKE-CS by embedding ID-based model into PAKE
model. If the underlying identity-based encryption scheme has provable security without random oracle, we
can provide a rigorous proof of security for our protocol without random oracles.
1 INTRODUCTION
Nowadays, the client/server model has become one of
the core ideas of network computing. The Internet’s
main application protocols, such as HTTP, SMTP,
Telnet, DNS, etc, are all built on the client/server
model. Most business applications use this model as
well.
In the client/server model, a client and a server
communicate to exchange information. It is essential
for the server to identify the client before providing
the client with services, such as access to resources.
In order to authenticate the client, it is common for
the client to choose a password from a known small
space, such as a dictionary of English words, in or-
der to remember it, and shares it with the server in
advance. After that, each time when the client sends
the password to the server, the server can identify the
client. Such a password authentication protocol can
go back to 1981 (Lamport, 1981) and even earlier.
After password authentication, the client and the
server need to exchange information securely. Before
encrypting messages, the client and the server have
to share a cryptographic key. The password, chosen
from a small space, cannot be used as the key for en-
cryption. A solution for this problem is password-
authenticated key exchange for client/server (PAKE-
CS).
PAKE-CS is where a client and a server, based
only on their knowledge of a password, establish a
cryptographic key, such that an attacker who controls
the communication channel but does not possess the
password cannot impersonate the client or the server
in the communication and is constrained as much as
possible from guessing the password. Since the pass-
word is chosen from a small space, PAKE-CS has
to be immune to the dictionary attack, in which an
adversary exhaustively tries all possible passwords
from a dictionary in order to determine the correct
one. Dictionary attacks are either off-line attacks or
online attacks. In an off-line attack, an adversary
eavesdrops messages exchanged between the client
and server, and tries all possible passwords to deter-
mine one matching with these messages. In an online
attack, an adversary impersonates a client or a server
by trying possible passwords one-by-one. Online dic-
tionary attack can be discouraged by restricting the
number of password authentication failures.
Initial solutions for PAKE-CS is built on a “hy-
brid” model in which the client stores the server’s
public key in addition to share a password with the
server. Under this model, Gong, Lomas, Needham,
45
Yi X., Tso R. and Okamoto E..
Identity-based Password-Authenticated Key Exchange for Client/Server Model.
DOI: 10.5220/0004015900450054
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 45-54
ISBN: 978-989-8565-24-2
Copyright
c
2012 SCITEPRESS (Science and Technology Publications, Lda.)
and Saltzer (Gong et al., 1993) were the first to pro-
pose password-based authentication protocols with
heuristic resistance to off-line dictionary attacks, and
Halevi and Krawczyk (Halevi and Krawczyk, 1999)
were the first to give formal definitions and rigorous
proofs of security for them. The “hybrid” model re-
lies on the Public Key Infrastructure (PKI), where the
public key of the server is certified within a certifi-
cate issued by a trusted third party. Exchanging and
verifying the public key certificate bring extra com-
putation and communication costs to PAKE-CS.
Bellovin and Merritt (Bellovin and Merritt, 1992)
were the first to consider authenticated key exchange
based on password only. They introduced a set of
so-called “encrypted key exchange” (EKE) protocols,
where any two parties, who share a password, ex-
change messages encrypted by the password, and es-
tablish a cryptographic key from them. Although
several of the first protocols were flawed, the sur-
vived and enhanced EKE protocols effectively am-
plify a shared password into a shared cryptographic
key. Based on EKE, some further works (Gong et al.,
1993; Huang, 1996; Wu, 1998) have been done.
However, only heuristic and informal security argu-
ments for these protocols were provided. In fact,
attacks against many of these protocols have been
found (MacKenzie et al., 2000; Patel, 1997). This
demonstrates the great importance of rigorous secu-
rity proofs in a formal, well-defined model.
In 2000, formal models of security for PAKE were
firstly given independently by Bellare, Pointcheval
and Rogaway (Bellare et al., 2000), and Boyko,
MacKenzie, Patel and Swaminathan (Boyko et al.,
2000). In the ideal cipher model, Bellare et al. (Bel-
lare et al., 2000) provided a proof of security for the
two-flow protocol at the core of Bellovin-Merritt EKE
protocol (Bellovin and Merritt, 1992). In the ran-
dom oracle model, Boyko et al. (Boyko et al., 2000)
proved the security of their new Diffie-Hellman-based
PAKE while MacKenzie et al. (MacKenzie et al.,
2000) provided the security proof of their new RSA-
based PAKE. Later, some efficient PAKE protocols
(e.g.,(Abdalla and Pointcheval, 2005; Bresson et al.,
2003)) were constructed. In 2001, Goldreich and
Lindell (Goldreich and Lindell, 2001) introduced an-
other model of security for PAKE and gave the first
PAKE protocol which is provably secure under stan-
dard cryptographic assumptions. Their protocol does
not require any additional setup beyond the password
shared by the parties. However, their protocol re-
quires techniques from generic two-party secure com-
putation and concurrent zero-knowledge. This makes
their protocol computationally inefficient. A simple
version of Goldreich-Lindell protocol was given by
Nguyen and Vadhan in (Nguyen and Vadhan, 2004),
but it is still not efficient enough to be used in prac-
tice.
Katz, Ostrovsky, and Yung (Katz et al., 2001)
were the first to give a PAKE protocol which is both
practical and provably-secure under standard crypto-
graphic assumption. Katz-Ostrovsky-Yung protocol
(simply called KOY protocol) has been proved to be
secure in the model of Bellare et al. (Bellare et al.,
2000) under the decisional Diffie-Hellman assump-
tion. In KOY protocol, the client and the server ex-
change the encryptions of the password (on the ba-
sis of a common public key), from which a common
cryptographic key is agreed and authenticated by one-
time digital signature scheme. KOY protocol assumes
that a set of common parameters (including the com-
mon public key) are available to everyone in the sys-
tem. This is known as the common reference model,
which avoids problems associated with the PKI. This
assumption is significantly weaker (in both a theoret-
ical and practical sense) than the “hybrid” model in
which clients are required to authenticate the public
key for each server with whom they wish to commu-
nicate. The public parameters can be “hard-coded”
into the implementation of their protocol. Therefore,
the requirement of public parameters does not repre-
sents a serious barrier to using their protocol in prac-
tice.
Afterward, an efficient protocol for PAKE with
proof of security based on a pseudorandom function
family was given by Jiang and Gong in (Jiang and
Gong, 2004), and a protocol satisfying a strong defi-
nition of security for PAKE built on (Katz et al., 2001;
Gennaro and Lindell, 2003) was proposed in (Canetti
et al., 2005).
Our Contribution. The “hybrid” model for PAKE-
CS can be used efficiently to establish a cryptographic
key between the client and the server who share a
password. However, this model needs the PKI and
the client has to authenticate the public key of the
server before the execution of PAKE-CS. The com-
mon reference model for PAKE-CS avoids the PKI,
but protocols built on this model, in particular with
proofs of security under standard cryptographic as-
sumptions, are usually less efficient than those based
on the “hybrid” model.
In the client/server model, the client is usually a
human user who can remember the password from a
small space only. However, the server is a machine
which can keep secret keys from a large space. Based
on this feature, identity-based group and three-party
PAKE protocols, in which a group of clients, each of
them shares his password with an “honest but curi-
ous” server, establish a group key with the help of
SECRYPT2012-InternationalConferenceonSecurityandCryptography
46
the server, have been proposed in (Yi et al., 2009; Yi
et al., 2011). In that setting, the key established is
known to the clients only and no one else, including
the server.
In this paper, we consider a two-party setting,
where a client and a server, who share a password,
establish a cryptography key on the basis of identity-
based encryption. The essential difference between
this setting and the group or three-party PAKE (Yi
et al., 2009; Yi et al., 2011) is that the established
key in this setting is known to the server. We pro-
pose an identity-based model for this setting, where
the client needs to remember a password only while
the server keeps the password in addition to a private
key related to its identity. This model is constructed
by embedding the model for identity-based encryp-
tion (IBE) (Boneh and Franklin, 2001) into the model
for PAKE (Bellare et al., 2000). In this model, we as-
sume that n private key generators cooperate to gen-
erate public parameters and private keys for servers.
Based on the identity-based model, we construct
an efficient PAKE-CS protocol. Our protocol can be
built on any IBE scheme, such as Waters’s scheme
(Waters, 2005), which allows multiple private key
generators to generate private keys for users.
The basic structure of our protocol is Diffie-
Hellman key exchange between the client and the
server. But we use the password to authenticate the
request message from the client and confirm the es-
tablished cryptographic key. In order to deter from
offline dictionary attack, the client encrypts the pass-
word with an IBE scheme on the basis of the identity
of the server.
Our protocol has an advantage over the KOY pro-
tocol (Katz et al., 2001). The KOY protocol does not
achieve explicit authentication (that is, a party does
not know whether its intended partner has success-
fully computed a matching session key). The ex-
plicit authentication has to be added later on using
standard techniques as described in (Bellare et al.,
2000). Thus, the KOY protocol needs four-round
communications to achieve explicit authentication.
But our protocol uses only two-round communica-
tions to achieve explicit authentication.
In terms of the number of communication rounds,
an identity-based PAKE-CS protocol is more efficient
than other PAKE-CS protocols. Different from a pure
identity-based key agreement protocol, such as RFC
6539 (Cakulev et al., 2012), which requires each party
to have a (random) private key related to his identity,
the client in our protocol needs to remember pass-
words only (no cryptographic key of any kinds), and
the server keeps passwords in addition to a private key
related to his identity.
2 MODEL AND DEFINITIONS
A formal model of security for PAKE was given by
Bellare, Pointcheval and Rogaway in (Bellare et al.,
2000), and improved by Katz, Ostrovsky, and Yung in
(Katz et al., 2001). Boneh and Franklin defined cho-
sen ciphertext security for IBE systems under a cho-
sen identity attack in (Boneh and Franklin, 2001). In
this section, we give the ID-based model for PAKE-
CS, a combination of definitions given in (Bellare
et al., 2000; Katz et al., 2001; Boneh and Franklin,
2001).
Participants, Initialization and Passwords. An
ID-based PAKE-CS protocol involves three kinds of
protocol participants: (1) A set of clients (denoted
as Client), each of which requests services from
servers on the network; (2) A set of servers (de-
noted as Server), each of which provides services
to clients on the network; (3) n private key gen-
erators PKG
1
,PKG
2
,··· ,PKG
n
(denoted as PKG),
which cooperate to generate public parameters and
private keys for servers. Private key generators are
not servers.
We assume that a honest private key generator fol-
lows the exact protocol, but a dishonest private key
generator may perform attacks on the protocol to re-
trieve the cryptographic key established between the
client and the server. In addition, let ClientServerPair
be the set of pairs of the client and the server, who
share a password, and let User = Client
S
Server. We
assume that Client
T
Server =
/
0.
Prior to any execution of the protocol, we assume
that an initialization phase occurs. During initializa-
tion, PKG cooperate to generate public parameters for
the protocol, which are available to all participants,
and private key for each server, which is given to the
appropriate server.
For any pair (C, S) ∈ ClientServerPair, the clientC
and the server S are assumed to share the same pass-
word pw
S
C
, which is what C remembers to log into
S. We assume that the client C chooses pw
S
C
inde-
pendently and uniformly at random from a “dictio-
nary” D = {pw
1
,pw
2
,··· ,pw
N
} of size N, where N
is a fixed constant which is independent of the secu-
rity parameter. It is then stored at the server S for
authentication.
In this model, not every pair of client and server
share passwords. A client may share different pass-
words with different servers.
Execution of the Protocol. In the real world, a proto-
col determines how users behave in response to input
from their environments. In the formal model, these
inputs are provided by the adversary. Each user is
assumed to be able to execute the protocol multiple
Identity-basedPassword-AuthenticatedKeyExchangeforClient/ServerModel
47
times (possibly concurrently) with different partners.
This is modeled by allowing each user to have unlim-
ited number of instances with which to execute the
protocol. We denote instance i of user U as U
i
. A
given instance may be used only once. The adversary
is given oracle access to these different instances. Fur-
thermore, each instance maintains (local) state which
is updated during the course of the experiment. In
particular, each instance U
i
has associated with it the
following variables, initialized as NULL or FALSE (as
appropriate) during the initialization phase.
• sid
i
U
,pid
i
U
and sk
i
U
(initialized as NULL) are vari-
ables containing the session identity, partner iden-
tity, and session key for an instance U
i
, respec-
tively. The session identity is simply a way to
keep track of the different executions of a par-
ticular user U. The partner identity denotes the
identity of the user with whom U
i
believes it is
interacting (including U
i
itself).
• acc
i
U
and term
i
U
(initialized as FALSE) are
boolean variables denoting whether a given in-
stance U
i
has been accepted, terminated, or au-
thenticated, respectively. Termination means that
the given instance has done receiving and sending
messages, acceptance indicates successful termi-
nation. In our case, acceptance means that the in-
stance is sure that it has established a session key
with its intended partner, thus, when an instance
U
i
accepts, sid
i
U
, pid
i
U
and sk
i
U
are no longer
NULL.
• state
i
U
(initialized as NULL) records any state
necessary for execution of the protocol by U
i
.
• used
i
U
(initialized as FALSE) is a boolean variable
denoting whether an instance U
i
has begun exe-
cuting the protocol. This is a formalism which
will ensure each instance is used only once.
The adversary A is assumed to have complete con-
trol over all communications in the network and the
adversary’s interaction with the users (more specifi-
cally, with various instances) or the PKG is modeled
via access to oracles which we describe now. The
state of an instance may be updated during an ora-
cle call, and the oracle’s output may depend upon the
relevant instance. The oracle calls include:
• Send(U
i
,M) – This sends message M to instance
U
i
. Assuming term
i
U
= FALSE, this instance
runs according to the protocol specification, up-
dating state as appropriate. The output of U
i
(i.e., the message sent by the instance) is given
to the adversary, who receives the updated values
of sid
i
U
,pid
i
U
,acc
i
U
, and term
i
U
. This oracle call
models the active attack to a protocol.
• Execute(C
i
,S
j
) – If C
i
and S
j
have not yet been
used (where (C, S) ∈ ClientServerPair), this ora-
cle execute the protocol between these instances
and outputs the transcript of this execution. This
oracle call represents passive eavesdropping of a
protocol execution. In addition to the transcript,
the adversary receives the values of sid, pid, acc,
and term for both instances, at each step of proto-
col execution.
• Corrupt(C) – This query allows the adversary to
learn the passwords of the client C, which models
the possibility of subverting a client by, for ex-
ample, witnessing a user type in his password, or
installing a “Trojan horse” on his machine. This
implies that all passwords held by C are disclosed.
• Corrupt(S) – This query allows the adversary to
learn the private key of the server S, which mod-
els the possibility of compromising a server by,
for example, hacking into the server. This implies
that all passwords held by S are disclosed as well.
• KeyGen(PKG
i
,S) – This sends the identity of the
server S to the PKG
i
, which generates one compo-
nent of the private key corresponding to the iden-
tity of S and forwards it to the adversary. This
oracle models the possibility of a private key gen-
erator being an adversary.
• Reveal(U
i
) – This outputs the current value of ses-
sion key sk
i
U
if acc
i
U
= TRUE. This oracle call
models possible leakage of session keys due to,
for example, improper erasure of session keys af-
ter use, compromise of a host computer, or crypt-
analysis.
• Test(U
i
) – This oracle does not model any real-
world capability of the adversary, but is instead
used to define security. If acc
i
U
= TRUE, a ran-
dom bit b is generated. If b = 0, the adversary
is given sk
i
U
, and if b = 1 the adversary is given
a random session key. The adversary is allowed
only a single Test query, at any time during its
execution.
Partnering. We say that a client instance C
i
and a
server instance S
j
are partnered if (1) pid
i
C
= pid
j
S
6=
NULL; and (2) sid
i
C
= sid
j
S
6= NULL; and (3) sk
i
C
=
sk
j
S
6= NULL; and (4) acc
i
C
= acc
i
S
= TRUE. The
notion of partnering will be fundamental in defining
both correctness and security.
Correctness. To be viable, an authenticated key ex-
change protocol must satisfy the following notion of
correctness: At the presence of both passive and ac-
tive adversaries, for any pair of client and server in-
stances C
i
and S
j
, if sid
i
C
= sid
j
S
6= NULL and acc
i
C
=
SECRYPT2012-InternationalConferenceonSecurityandCryptography
48
acc
j
S
= TRUE, then it must be the case that sk
i
C
=
sk
j
S
6= NULL (i.e., both conclude with the same ses-
sion key) and pid
i
C
= pid
j
S
6= NULL (i.e., both con-
clude with the same pair). The notion of correctness
has no restriction on the adversary’s oracle accesses.
Advantage of the Adversary. Informally, the adver-
sary succeeds if it can guess the bit b used by the Test
oracle. Before formally defining the adversary’s suc-
cess, we must first define a notion of freshness. A
user instance A
i
(either a client or a server) is fresh if
none of the following is true at the conclusion of the
experiment, namely, at some point,
• The adversary queried Reveal(A
i
) or Reveal(B
j
)
with the instances A
i
and B
j
being partnered;
• The adversary queried KeyGen(PKG
i
,S) (i =
1,2,··· ,n) where there exists a server in-
stance S
j
∈ pid
i
A
, before a query of the form
Send(U
ℓ
,M), where U
ℓ
∈ pid
i
A
, has taken place,
for some message M (or identities);
• The adversary queried Corrupt(A) or Corrupt(B)
where there exists a instance B
j
∈ pid
i
A
, before a
query of the form Send(U
ℓ
,M), where U
ℓ
∈ pid
i
A
,
has taken place, for some message M (or identi-
ties).
Note that passive adversaries have no access to
any Send oracles. Therefore, a user instance is fresh
to a passive adversary as long as the first event did not
happen.
The adversary is thought to succeed only if its
Test query is made to a fresh instance. We say
an adversary A succeeds if it makes a single query
Test(U
i
) to a fresh instance U
i
, with acc
i
U
= TRUE
at the time of this query, and outputs a single bit b
′
with b
′
= b (recall that b is the bit chosen by the Test
oracle). We denote this event by Succ. The advantage
of adversary A in attacking protocol P is then given
by
Adv
P
A
(k) = 2· Pr[Succ] − 1
where the probability is taken over the random coins
used by the adversary and the random coins used dur-
ing the course of the experiment (including the initial-
ization phase) and k is a security parameter.
Formally, an instance U
i
represents an on-line at-
tack if both the following are true at the time of
the Test query: (1) at some point, the adversary
queried Send(U
i
,∗), and (2) at some point, the ad-
versary queried Reveal(U
i
) or Test(U
i
). In particu-
lar, instances with which the adversary interacts via
Execute, KeyGen, Corrupt and Reveal queries are not
counted as on-line attacks. The number of on-line at-
tacks represents a bound on the number of passwords
the adversary could have tested in an on-line fashion.
Definition 1. Protocol P is a secure protocol for
password-authenticated key exchange if, for all dic-
tionary size N and for all PPT adversaries A making
at most Q(k) on-line attacks, there exists a negligible
function ε(·) such that
Adv
P
A
(k) ≤ Q(k)/N + ε(k)
where k is a security parameter.
The above definition ensures that the adversary
can (essentially) do no better than guess a single pass-
word during each on-line attack. Calls to the Execute,
KeyGen, Corrupt and Reveal oracles, which are not
included in Q(k), are of no help to the adversary in
breaking the security of the protocol.
Forward Secrecy. We follow the definition of for-
ward secrecy from (Katz et al., 2003) and consider
the weak corrupt model of (Bellare et al., 2000), in
which corrupting a client means retrieving his pass-
words, while corrupting a server means retrieving its
private key and all passwords stored in it. Forward
secrecy is then achieved if such queries do not give
the adversary any information about previous agreed
session keys.
3 IDENTITY-BASED PAKE-CS
PROTOCOL
The high-level depiction of the protocol is illustrated
in Fig. 1, and a more detailed description follows. A
completely formal specification of the protocol will
appear in Section 5, where we give a proof of secu-
rity for the protocol in the security model described
in Section 2.
We present the protocol by describing initializa-
tion and execution. We let k be the security parameter
given to the setup algorithm.
Initialization. Given a security parameter k ∈ Z
∗
, the
initialization works as follows:
Parameter Generation:
On input k, (1) PKG coop-
erate to run Setup
E
of the IBE scheme to gener-
ate public system parameters for the IBE scheme,
denoted as params
E
, and the secret master-key
E
=
{mk
1
,mk
2
,··· ,mk
n
}, where
E
stands for encryption
and mk
i
is known only to PKG
i
; (2) PKG choose a
large Mersenne prime q = 2
p
− 1, where p is a prime
and construct a finite field F
2
p
, where each element α
is corresponding to a binary vector (α
1
,α
2
,··· ,α
p
),
and F
∗
2
p
is a large cyclic multiplicative group (denoted
as G) with a prime order q. Assume g is a generator
of G; (3) PKG select two hash functions h : {0,1}
∗
→
Z
q
and H : {0, 1}
∗
→ M (where M is the plaintext
space of IBE) from a collision-resistant hash family.
Identity-basedPassword-AuthenticatedKeyExchangeforClient/ServerModel
49
Public: params
E
,G,q,g,h : {0,1}
∗
→ Z
q
,H : {0,1}
∗
→ M
Client (pw
S
C
) Server (pw
S
C
,d
ID
S
)
α
R
← Z
q
,pid
C
← {C
i
,S
j
}
Auth
C
← E
ID
S
[H(g
α
|pid
C
|pw
S
C
)] C
i
|g
α
|Auth
C
-
msg
C
pid
S
← {C
i
,S
j
}
If D
d
ID
S
[Auth
C
] 6= H(g
α
|pid
S
|pw
S
C
)], return ⊥
Else β
R
← Z
q
,k
S
← (g
α
)
β
Auth
S
← g
h(g
α
|g
β
|pid
S
|pw
S
C
)+k
S
sk
S
← g
k
S
2
,sid
S
← g
α
|g
β
|pid
S
acc
S
← TRUE
S
j
|g
β
|Auth
S
msg
S
k
C
← (g
β
)
α
If Auth
S
6= g
h(g
α
|g
β
|pid
C
|pw
S
C
)+k
C
, return ⊥
Else sk
C
← g
k
C
2
,sid
C
← g
α
|g
β
|pid
C
acc
C
← TRUE
Figure 1: ID-based PAKE-CS protocol P.
The public system parameters for the protocol P are
params = params
E
S
{h,H, G,q,g} and the secret pa-
rameter is master-key
E
.
Key Generation:
On input the identity ID
S
of a server
S ∈ Server, params, and master-key
E
, PKE runs
Extract
E
of the IBE scheme and sets the decryption
key of S to be d
ID
S
= {d
S,1
,d
S,2
,··· ,d
S,n
} where d
S,i
is generated by PKG
i
with params and mk
i
.
Password Generation:
On input (C, S) ∈
ClientServerPair, a string pw
S
C
, the password, is
uniformly drawn by the client C from the dictionary
Password = {pw
1
,pw
2
, ··· ,pw
N
}, and then store it
in the server S.
Protocol Execution. A client and a server, where
(C, S) ∈ ClientServerPair (i.e., they share a password
pw
S
C
), execute the protocol as follows. The client
C firstly randomly chooses α ∈ Z
q
, and computes
Auth
C
, which is an encryption of H(g
α
|pid
C
|pw
S
C
) on
the basis of the identity of the server ID
S
, denoted
as E
ID
S
[H(g
α
|pid
C
|pw
S
C
)], where pid
C
= {C
i
,S
j
} .
Please note that the identity of the server, like an e-
mail address, is meaningful and easy to remember and
keep. Then the client C sends msg
C
= C
i
|g
α
|Auth
C
to
the server S as the first message of the protocol.
Upon receiving the message msg
C
, S firstly de-
crypts the ciphertext with its private key d
ID
S
and then
verifies the password. The password is correct if
D
d
ID
S
[Auth
C
] = H(g
α
|pid
S
|pw
S
C
) (1)
where pid
S
= {C
i
,S
j
}.
If (1) holds, the server S randomly chooses
β ∈ Z
q
and computes k
S
= g
αβ
. Let Auth
S
=
g
h(g
α
|g
β
|pid
S
|pw
S
C
)+k
S
, the server S replies to the client
C with msg
S
= S
j
|g
β
|Auth
S
, and finally computes the
session key sk
S
= g
k
S
2
and keeps the session identifier
sid
S
= g
α
|g
β
|pid
S
.
Upon receivingmsg
S
, the clientC firstly computes
k
C
= g
αβ
and then verifies if
Auth
S
= g
h(g
α
|g
β
|pid
C
|pw
S
C
)+k
C
(2)
If (2) holds, the client C computes the final session
key sk
C
= g
k
C
2
and keeps the session identifier sid
C
=
g
α
|g
β
|pid
C
.
Remark: Due to the special structure of G, the group
element k
S
(or k
C
) is corresponding to a binary vector
(k
1
,k
2
,··· ,k
p
), which is treated as an integer from Z
∗
q
.
Correctness. In an execution of the protocol, if
sid
C
= g
α
C
|g
β
C
|pid
C
= sid
S
= g
α
S
|g
β
S
|pid
S
6= NULL,
then α
C
= α
S
, β
C
= β
S
, and pid
C
= pid
S
= {C,S}.
If acc
C
= acc
S
= TRUE, then sk
C
= g
k
C
2
where
k
C
= g
α
C
β
C
, and sk
S
= g
k
S
2
where k
S
= g
α
S
β
S
. If
sid
C
= sid
S
6= NULL and acc
C
= acc
S
= TRUE, then
sk
C
= sk
S
.
Explicit Authentication. Generally speaking, a key
exchange protocol achieves explicit authentication if
a party knows that its intended partner has success-
fully computed a matching session key. By verify-
ing equation (1), the server knows that g
α
does come
from the client. Therefore, the server makes sure
that as long as the client receives msg
S
= S|g
β
|Auth
S
,
he must compute a matching session key sk
C
= sk
S
.
By verifying equation (2), the client is sure that
g
β
does come from the server and knows that the
server has successfully computed the matching ses-
sion key sk
S
= sk
C
. In the settings where the client
needs to remember passwords only, previous PAKE
protocols achieve implicit authentication only (e.g.,
(Katz et al., 2001)) or explicit authentication with
three-round communications (e.g., (Jiang and Gong,
2004)). Our protocol achieves explicit authentication
with only two-round communications.
Efficiency Consideration. The efficiency of our pro-
tocol depends on performance of the underlying IBE
SECRYPT2012-InternationalConferenceonSecurityandCryptography
50
system. If we employ Waters’ IBE scheme (Waters,
2005), where e(g
1
,g
2
) are included in the public pa-
rameters, the client needs to compute 7 exponentia-
tions without pairing. In addition, the client needs to
send and receive 6 group elements. In the KOY pro-
tocol, the client needs to compute 15 exponentiations
plus signature generation and exchange 10 group ele-
ments plus a signature and a verification key. There-
fore, on the side of the client, our protocol is more
efficient than the KOY protocol.
Example. According to RFC 5091 (Boyen and Mar-
tin, 2007), if a security parameter k is 1024, the ci-
phertext size of the Waters’ IBE scheme is about
1024 + 160 × 2 = 1344 bits. In addition, we use a
large Mersenne prime q = 2
1279
− 1, where 1279 is
a prime as well, to construct the group G. With ref-
erence to Fig. 1 in this setting, the size of the mes-
sage msg
C
sent to the server from the client is about
1344 + 1279 = 2623 bits, while the size of the mes-
sage msg
S
replied to the client from the server is about
1279× 2 = 2558 bits.
4 PROOF OF SECURITY
First of all, we provide a formal specification of the
protocol by specifying the initialization phase and the
oracles to which the adversary has access. A for-
mal specification of the Initialize, Execute, KeyGen,
Reveal, Test, and Send oracles appears in Fig. 2−4.
The description of the Execute oracle matches the
high-level protocol described in Fig. 1, but additional
details (for example, the updating of state informa-
tion) are included. We let status
i
U
denote the vector
of values (sid
i
U
,pid
i
U
,acc
i
U
,term
i
U
) associated with in-
stance U
i
.
Theorem 1. Assume that (1) the IBE scheme, where
there exist n private key generators and at least one
of them is honest, is secure against the chosen-
ciphertext attack; (2) the decisional Diffie-Hellman
(DDH) problem and the squaring decisional Diffie-
Hellman (SDDH) problem are hard over a cyclic
group G with a prime order q and a generator g; (3)
CRHF is a collision-resistant hash family; then the
protocol described in Fig. 1 is a secure protocol for
PAKE-CS.
Remark. The SDDH problem here is to distinguish
between two distributions (g,g
a
,g
a
2
) and (g,g
a
,z),
where a is randomly chosen from Z
∗
q
and z is ran-
domly chosen from G.
Proof. We follow the methodology of the security
proof given by Katz et al. in (Katz et al., 2001).
Given an adversary A , we imagine a simulator that
Initialize(1
k
)
(params
E
,master-key
E
)
R
← Setup
E
(1
k
)
(Client,Server,ClientServerPair)
R
← UserGen(1
k
)
(G,q,g)
R
← GGen(1
k
),{h,H}
R
← CRHF(1
k
)
For each i ∈ {1,2,· ·· } and each U ∈ User = Client ∪ Server
acc
i
U
← term
i
U
← used
i
U
← FALSE
sid
i
U
← pid
i
U
← sk
i
U
← NULL
For ∀S ∈ Server, d
ID
S
← Extract
E
(ID
S
,params
E
,master-key
E
)
For ∀(C, S) ∈ ClientServerPair,pw
S
C
R
← {pw
1
,pw
2
,·· · ,pw
N
}
Return Client,Server,ClientServerPair,h,H,G,q,g,params
E
Figure 2: Specification of the initialize.
Execute(C
i
,S
j
)
If (C,S) 6∈ ClientServerPair ∨ used
i
C
∨ used
j
S
, return ⊥
used
i
C
← used
j
S
← TRUE, pid
i
C
← pid
j
S
← {C
i
,S
j
}
α
R
← Z
q
,Auth
C
← IBE
ID
S
[H(g
α
|pid
i
C
|pw
S
C
)]
msg
C
← C
i
|g
α
|Auth
C
β
R
← Z
q
,K ← g
αβ
,Auth
S
← g
h(g
α
|g
β
|pid
j
S
|pw
S
C
)+K
msg
S
← S
j
|g
β
|Auth
S
acc
i
C
← term
i
C
← acc
j
S
← term
j
S
← TRUE
sid
i
C
← sid
j
S
← g
α
|g
β
|{C
i
,S
j
}
sk
i
C
← sk
j
S
← g
K
2
Return status
i
C
,status
j
S
KeyGen(PKG
i
,S)
Return d
S,i
Corrupt(S)
Return d
ID
S
and pw
S
C
for any C
Corrupt(C)
Return pw
S
C
for any S
Reveal(U
i
)
Return sk
i
U
Test(U,i)
b
R
← {0,1},sk
′
R
← G; If b = 1 return sk
′
else return sk
i
U
Figure 3: Specification of Execute, KeyGen, Reveal and
Test.
runs the protocol for A . Preciously, the simulator be-
gins by running algorithm Initialize(1
k
) as shown in
Fig. 2 and giving the public output of the algorithm to
A . When A queries an oracle, the simulator responds
to A by executing the appropriate algorithm as shown
in Fig. 3−4.
In particular, when the adversary queries the Test
oracle, the simulator chooses (and records) the ran-
dom bit b.
When the adversary completes its execution and
outputs a bit b
′
, the simulator can tell whether the
adversary succeeds by checking whether (1) a single
Test query was made, for some instance U
i
; (2) acc
i
U
was true at the time of Test query; (3) instance U
i
is
fresh; and (4) b
′
= b. Success of the adversary is de-
noted by event Succ. For any experiment P, we define
Adv
P
A
(k) = 2Pr
P
A
[Succ] − 1, where Pr
P
A
[·] denotes the
probability of an event when the simulator interacts
with A in accordance with experiment P.
Identity-basedPassword-AuthenticatedKeyExchangeforClient/ServerModel
51
Send
0
(C
i
,S
j
)
If (C, S) 6∈ ClientServerPair ∨ used
i
C
, return ⊥
used
i
C
← TRUE, pid
i
C
← {C
i
,S
j
}
α
R
← Z
q
,Auth
C
← IBE
ID
S
[H(g
α
|pid
i
C
|pw
S
C
)]
MsgOut ← C
i
|g
α
|Auth
C
,state
i
C
← (α,pid
i
C
,MsgOut)
Return MsgOut,status
i
C
Send
1
(S
j
,C
i
|g
α
|Auth
C
)
If (C, S) 6∈ ClientServerPair ∨ used
j
S
, return ⊥
used
j
S
← TRUE,pid
j
S
← {C
i
,S
j
}
If D
d
ID
S
[Auth
C
] 6= H(g
α
|pid
S
|pw
S
C
), return status
j
S
Else β
R
← Z
q
,K ← g
αβ
,Auth
S
← g
h(g
α
|g
β
|pid
j
S
|pw
S
C
)+K
MsgOut ← S
j
|g
β
|Auth
S
acc
j
S
← term
j
S
← TRUE, sk
j
S
← g
K
2
,sid
j
S
← g
α
|g
β
|pid
j
S
Return MsgOut,status
j
S
Send
2
(C
i
,S
j
|g
β
|Auth
S
)
state
i
C
← (α,pid
i
C
,FirstMsgOut)
If ¬used
i
C
∨ term
i
C
∨ (S
j
6∈ pid
i
C
), return ⊥
K ← g
αβ
. If Auth
S
6= g
h(g
α
|g
β
|pid
i
C
|pw
S
C
)+K
, return status
i
C
Else acc
i
C
← term
i
C
← TRUE,sk
i
C
← g
K
2
,sid
i
C
← g
α
|g
β
|pid
i
C
Return status
i
C
Figure 4: Specification of the Send oracles.
We refer to the real execution of the experiment,
as described above, as P
0
. We will introduce a se-
quence of transformations to the original experiment
and bound the effect of each transformation on the
adversary’s advantage.
We begin with some terminology that will be
used throughout the proof. A given msg is called
oracle-generated if it was output by the simulator
in response to some oracle query (whether a Send
or Execute query). The message is said to be
adversarially-generated otherwise. An adversarially-
generated message must not be the same as any
oracle-generated message.
Experiment P
1
. In this experiment, the simulator in-
teracts with the adversary as before except that any of
the following never occurs:
1. At any point during the experiment, an oracle-
generated message (e.g., msg
C
or msg
S
) is re-
peated.
2. At any point during the experiment, a collision
occurs in the hash functions h,H (regardless of
whether this is due to a direct action of the adver-
sary, or whether this occurs during the course of
the simulator’s response to an oracle query).
It is immediate that events 1 and 2 occur with only
negligible probability assuming the security of CRHF
as a collision-resistant hash family. Therefore,
Claim 1. If CRHF is a collision-resistant hash family,
then |Adv
P
0
A
(k) − Adv
P
1
A
(k)| is negligible.
Experiment P
2
. In this experiment, the simulator in-
teracts with the adversary A as in experiment P
1
ex-
cept that the adversary’s queries to Execute oracles
are handled differently: for any Execute(C
i
,S
j
) ora-
cle, the value of K is replaced with a random value
from G.
The difference between experiments P
2
and P
1
is
bounded by the probability that an adversary solves
the DDH problem. More precisely, we have
Claim 2. If the DDH problem is hard over (G,q,g),
then |Adv
P
1
A
(k) − Adv
P
2
A
(k)| is negligible.
Experiment P
3
. In this experiment, the simulator in-
teracts with the adversary A as in experiment P
2
ex-
cept that the adversary’s queries to Execute oracles
are handled differently: for any Execute(C
i
,S
j
) ora-
cle, the session key sk
i
C
and sk
j
S
are replaced with a
random element from G.
The difference between experiments P
3
and P
2
is
bounded by the probability to solve the SDDH prob-
lem. More precisely, we have
Claim 3. If the SDDH problem is hard over (G, q,g),
then |Adv
P
2
A
(k) − Adv
P
3
A
(k)| is negligible.
In experiment P
3
, the adversary’s probability of
correctly guessing the bit b used by the Test oracle
is exactly 1/2 if the Test query is made to a fresh in-
stance invoked by an Execute oracle. Therefore, all
passive adversaries (including the PKG) cannot win
the game, even if they can query KeyGen(PKG
i
,∗)
for i = 1,2,··· ,n and Corrupt oracles. The remain-
der of the proof discusses instances invoked by Send
oracles.
Experiment P
4
. In this experiment, we modify the
simulator’s responses to Send
1
and Send
2
queries.
At first, we introduce some terminology. For a
query Send
1
(S
j
,msg
C
) (or Send
2
(C
i
,msg
S
)), where
msg
C
(or msg
S
) is adversarially-generated, if equa-
tion (1) (or (2)) holds, then msg
C
(or msg
S
) is said
to be valid. Otherwise, msg
C
(or msg
S
) is said to be
invalid. Informally, valid messages use correct pass-
words while invalid messages do not.
When the adversary makes an oracle query
Send
1
(S
j
,msg
C
) to a fresh sever instance S
j
, the sim-
ulator examines msg
C
. If it is adversarially-generated
and valid, the simulator halts and acc
j
S
is assigned
the special value ∇. In any other case, (i.e., msg
C
is oracle-generated, or adversarially-generated but in-
valid), the query is answered exactly as in experi-
ment P
3
. When the adversary makes an oracle query
Send
2
(C
i
,msg
S
) to a fresh client instance C
i
, the
simulator examines msg
S
. If msg
S
is adversarially-
generated and valid, the simulator halts and acc
i
C
is
assigned the special value ∇. In any other case, the
SECRYPT2012-InternationalConferenceonSecurityandCryptography
52
query is answered exactly as in experiment P
3
. Now,
we change the definition of the adversary’s success
in P
4
. If the adversary ever queries Send
1
(S
j
,∗) to a
fresh server instance S
j
with acc
j
S
= ∇ or Send
2
(C
i
,∗)
to a fresh client instance C
i
with acc
i
C
= ∇, the simu-
lator halts and the adversary succeeds. Otherwise the
adversary’s success is determinedas in experiment P
3
.
The distribution on the adversary’s view in exper-
iments P
3
and P
4
are identical up to the point when
the adversary queries Send
1
or Send
2
to a fresh user
instance with acc
j
S
= ∇ or acc
i
C
= ∇. If such a query
is never made, the distributions on the view are iden-
tical. Therefore, we have
Claim 4. Adv
P
3
A
(k) ≤ Adv
P
4
A
(k).
In experiment P
4
, the adversary A succeeds if one
of the following occurs: (1) acc
j
S
= ∇ (let Succ
1
de-
note this event); (2) acc
i
C
= ∇ (let Succ
2
denote this
event); (3) neither Succ
1
nor Succ
2
happens, the ad-
versary wins the game by a Test query to a fresh user
instance A
i
. To evaluate Pr
P
4
A
[Succ
1
∨ Succ
2
], we do
the following experiments.
Experiment P
5
. In this experiment, the simulator in-
teracts with the adversary A as in experiment P
4
ex-
cept that the adversary’s queries to Execute and Send
0
oracles are handled differently: for Execute(C
i
,S
j
)
(after which there exist any query of the form
Send(U
ℓ
,∗) where U ∈ {C,S}) or Send
0
(C
i
,S
j
)
queries to the fresh instances C
i
and S
j
, Auth
C
is
computed as E
ID
S
[H(g
α
|pid
i
C
|pw
′
)] where pw
′
is ran-
domly chosen from D .
Claim 5. If the IBE scheme where there are n pri-
vate key generators and at least one of them is hon-
est is secure against the chosen-ciphertext attack, then
|Adv
P
4
A
(k) − Adv
P
5
A
(k)| is negligible.
Experiment P
6
. In this experiment, the simulator in-
teracts with A as in experiment P
5
except that the
adversary’s queries to Send
1
and Send
2
oracles are
handled differently: for Send
1
(S
j
,∗) or Send
2
(C
i
,∗)
queries, Auth
S
is replaced by a random element from
G.
Claim 6. If the DDH problem is hard over (G, q,g),
then |Adv
P
5
A
(k) − Adv
P
6
A
(k)| is negligible.
For any adversarially-generated Send
1
(S
j
,∗) or
Send
2
(C
i
,∗) queries to the fresh instances C
i
and S
j
in experiment P
6
, all Execute and Send queries are in-
dependent of the password pw
S
C
in the view of the ad-
versary. In order to win the game by Succ
1
or Succ
2
,
the adversary has to try all passwords one-by-one in
an online impersonation attack. The probability that
Succ
1
or Succ
2
occurs is at most Q(k)/N, where Q(k)
is the number of online attacks made by A .
When neither Succ
1
nor Succ
2
occurs, the adver-
sary’s probability of success is 1/2. The preceding
discussion implies that
Pr
P
6
A
[Succ] ≤ Q(k)/N + 1/2· (1− Q(k)/N)
and therefore Adv
P
0
A
(k) ≤ Adv
P
6
A
(k) + ε(k) for some
negligible function ε(·). This completes the proof of
the theorem.
5 CONCLUSIONS
In this paper, we have presented an identity-based
PAKE protocol for client/service model. Our protocol
is based on identity-based encryption and needs only
two-round communication between the client and the
server to achieve explicit authentication. Our future
work is to machine-validate our security proofs using
a cryptographic proof-assistant, such as EasyCrypt
(Barthe et al., 2011).
REFERENCES
Abdalla, M. and Pointcheval, D. (2005). Simple password-
based encrypted key exchange protocols. In Proc. CT-
RSA 2005, pages 191–208.
Barthe, G., Grgoire, B., Heraud, S., and Bguelin, S. Z.
(2011). Computer-aided security proofs for the work-
ing cryptographer. In Proc. Crypto'11, pages 71–90.
Bellare, M., Pointcheval, D., and Rogaway, P. (2000). Au-
thenticated key exchange secure against dictionary at-
tacks. In Proc. Eurocrypt'00, pages 139–155.
Bellovin, S. M. and Merritt, M. (1992). Encrypted key ex-
change: Password-based protocol secure against dic-
tionary attack. In Proc. 1992 IEEE Symposium on Re-
search in Security and Privacy, pages 72–84.
Boneh, D. and Franklin, M. (2001). Identity based encryp-
tion from the weil pairing. In Proc. Crypto'01, pages
213–229.
Boyen, X. and Martin, L. (2007). Identity-based cryptog-
raphy standard (ibcs) 1: Supersingular curve imple-
mentations of the bf and bb1 cryptosystems. In RFC
5091.
Boyko, V., Mackenzie, P., and Patel, S. (2000). Prov-
ably secure password-authenticated key exchange us-
ing diffie-hellman. In Proc. Eurocrypt'00, pages 156–
171.
Bresson, E., Chevassut, O., and Pointcheval, D. (2003). Se-
curity proofs for an efficient password-based key ex-
change. In Proc. CCS'03.
Cakulev, V., Sundaram, G., and Broustis, I. (2012). Ibake:
Identity-based authenticated key exchange. In RFC
6539.
Canetti, R., Halevi, S., Katz, J., Lindell, Y., and MacKenzie,
P. (2005). Universally composable password-based
key exchange. In Proc. Eurocrypt'05, pages 404–421.
Identity-basedPassword-AuthenticatedKeyExchangeforClient/ServerModel
53
Gennaro, R. and Lindell, Y. (2003). A framework for
password-based authenticated key exchange. In Proc.
Eurocrypt'03, pages 524 –543.
Goldreich, O. and Lindell, Y. (2001). Session-key genera-
tion using human passwords only. In Proc. Crypto'01,
pages 408–432.
Gong, L., Lomas, T. M. A., Needham, R. M., and Saltzer,
J. H. (1993). Protecting poorly-chosen secret from
guessing attacks. IEEE J. on Selected Areas in Com-
munications, 11(5):648–656.
Halevi, S. and Krawczyk, H. (1999). Public-key cryptog-
raphy and password protocols. ACM Transactions on
Information and System Security, 2(3):230–268.
Huang, H. F. (1996). Strong password-only authenticated
key exchange. ACM Computer Communication Re-
view, 26(5):5–20.
Jiang, S. and Gong, G. (2004). Password based key ex-
change with mutual authentication. In Proc. SAC'04,
pages 267–279.
Katz, J., Ostrovsky, R., and Yung, M. (2001). Efficient
password-authenticated key exchange using human-
memorable passwords. In Proc. Eurocrypt'01, pages
457–494.
Katz, J., Ostrovsky, R., and Yung, M. (2003). Forward se-
crecy in password-only key exchange protocols. In
Proc. SCN'03, pages 29–44.
Lamport, L. (1981). Password authentication with insecure
communication. Comm. of the ACM, 24(11):770–772.
MacKenzie, P., Patel, S., and Swaminathan, R. (2000).
Password-authenticated key exchange based on rsa. In
Proc. Asiacrypt'00, pages 599–613.
Nguyen, M. H. and Vadhan, S. P. (2004). Simpler session-
key generation from short random passwords. In Proc.
Theory of Cryptography'04, pages 428–445.
Patel, S. (1997). Number-theoretic attack on secure pass-
word scheme. In Proc. IEEE Symposium on Research
in Security and Privacy, pages 236–247.
Waters, B. (2005). Efficient identity-based encryption with-
out random oracles. In Proc. Eurocrypt'05, pages
114–127.
Wu, T. (1998). The secure remote password protocol. In
Proc. Internet Society Symp. on Network and Dis-
tributed System Security, pages 97–111.
Yi, X., Tso, R., and Okamoto, E. (2009). Id-based
group password-authenticated key exchange. In Proc.
IWSEC'09, pages 192–211.
Yi, X., Tso, R., and Okamoto, E. (2011). Three-party
password-authenticated key exchange without random
oracles. In Proc. SECRYPT'11, pages 15–24.
SECRYPT2012-InternationalConferenceonSecurityandCryptography
54
