• Aucun résultat trouvé

On the Relation Between SIM and IND-RoR Security Models for PAKEs

N/A
N/A
Info
Télécharger
Protected

Academic year: 2021

Partager "On the Relation Between SIM and IND-RoR Security Models for PAKEs"

Copied!
2
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

On the Relation Between SIM and IND-RoR Security Models for PAKEs

Jos´e Becerra, Marjan Skrobot, and Vincenzo Iovino

University of Luxembourg

{jose.becerra, marjan.skrobot, vincenzo.iovino}@uni.lu

Abstract. Security models for PAKE protocols aim to capture the de- sired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM- based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that the SIM-based model of Boyko, Mackenzie and Patel [3] and the IND-based model of Abdalla, Fouque and Pointcheval [1] are equivalent, in the sense that a protocol proven secure in one model is also secure in the other model.

Keywords: Security Models, SIM-based security, IND-based security, Password Authenticated Key Exchange.

1 Introduction

The Password Authenticated Key Exchange (PAKE) problem asks for two enti- ties, who only share a password, to engage on a conversation so that they agree on a session key. The established session key can be used to protect their subse- quent communication. PAKE’s protocols play a key role in today’s world as they allow for authenticated key exchange to occur without the use of public-key in- frastructure, by using instead a human memorable password. Theoretically they are extremely interesting, because of their ability to use a weak secret to produce a strong one in a provably secure way over a hostile communications network.

The nature of passwords makes PAKE protocols vulnerable to dictionary at- tacks. In such attacks an adversary tries to break the security of the protocol by simply brute forcing all possible combinations of passwords. One must keep in mind that on-line dictionary attacks cannot be entirely prevented in PAKE pro- tocols. An attacker could enumerate (off-line) the words in the directory being likely to be passwords. Then simply take a password at random, interact with a legitimate party by running the protocol and check whether the key exchange succeeds for the candidate password or not. The cryptographic goal, when defin- ing security for PAKE protocols is to ensure that the attacker essentially cannot do better than this trivial strategy, which implies resistance to off-line dictionary attacks.

(2)

We consider the provable secure approach, where protocols are analyzed in a complexity-theoretic security model, the goal being that no reasonable algorithm can violate security under various hardness assumptions. These complexity- theoretic security models are classified into indistinguishability based (IND- based) and simulation-based (SIM-based). Roughly speaking, in the IND-based approach security means that no computationally bounded adversary can dis- tinguish an established session key sk from a random string. The SIM-based approach defines two worlds: an ideal world which is secure by definition and a real world which is the real protocol execution against some computationally bounded attacker. In the SIM-based setting, security asks for the computational indistinguishability between ideal world and real world executions.

The first IND-base security model for PAKEs was proposed by Bellare, Pointcheval and Rogaway in 2000 [2]. They consider that for a good PAKE protocol, the chances of an adversary defeating the protocol goal should depend on how much she interacts with the protocol participants rather on her off-line computing power. We will refer to this model as IND-FtG model. In 2005 Ab- dalla, Fouque and Pointcheval proposed a security model for PAKE [1] which is usually known as the IND-RoR model. It is built upon IND-FtG model. In [1]

the authors proved that model the IND-RoR model is strictly stronger than the IND-FtG model.

Boyko, Mackenzie and Patel proposed a SIM-based security model for PAKEs in 2000 [3]. Their work is an extension of Shoup’s security notion for Authenti- cated Key Exchange (AKE) protocols [5].

Contributions: While the equivalence between SIM and IND models for AKEs is shown in [5], there is no work on the relation between these security no- tions for PAKEs. In fact it is mentioned as a gap in [1] and [4]. In this work, we fill the gap by proving the equivalence between the SIM model of Boyko, MacKenzie and Patel [3] and the IND-RoR model of Abdalla, Fouque and Pointcheval [1].

References

1. M. Abdalla, P.-A. Fouque, and D. Pointcheval. Password-based authenticated key exchange in the three-party setting. volume 3386 of Lecture Notes in Computer Science, pages 65–84. Springer, 2005.

2. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. EUROCRYPT’00, pages 139–155, Berlin, Heidelberg, 2000. Springer-Verlag.

3. V. Boyko, P. MacKenzie, and S. Patel. Provably secure password-authenticated key exchange using diffie-hellman. EUROCRYPT’00, pages 156–171, Berlin, Heidelberg, 2000. Springer-Verlag.

4. P. MacKenzie. The pak suite: Protocols for password-authenticated key exchange.

In IEEE P1363.2, 2002.

5. V. Shoup. On formal models for secure key exchange. IACR Cryptology ePrint Archive, 1999:12, 1999.

Références

Télécharger maintenant ( PDF - 2 Page - 134.92 KB )

Documents relatifs

We consider stabilized weights in the LS method for the viscoelastic model and prove that the LS approximation converges to the linearized solutions of the linear PTT model

Numerical Simulations of Viscoelastic Fluid Flows Past a Transverse Slot Using Least-Squares Finite Element Methods Hsueh-Chen Lee1.. Abstract This paper presents a least-squares

We prove that the Ricci curvature in the sense of Bakry and Emery is bounded below by−1 on locally finite graphs

We will use the idea of Bakry and Emery [1] to give a notion of a ”lower Ricci curvature bound” on graphs and to prove that Ricci curvature on Locally finite graphs is always

We prove that the equations, the Hamiltonians, and the bracket are weighted- homogeneous polynomials in the derivatives of the dependent vari- ables with respect to the space variable

Of course, we cannot say anything about weak quasi-Miura transfor- mations, since it is even not clear in which class of functions we have to look for its deformations, but we still

We prove that the restriction is independent of the parameterλ

First introduced by Faddeev and Kashaev [7, 9], the quantum dilogarithm G b (x) and its variants S b (x) and g b (x) play a crucial role in the study of positive representations

We prove that there exists a unique solution in the renormalization sense to the transport equation (1.1) associated to the initial datumf0

In other words, transport occurs with finite speed: that makes a great difference with the instantaneous positivity of solution (related of a “infinite speed” of propagation

We also prove that the mappings inHSp0(λ) are starlike with respect to the origin, and characterize the extremal points of the above classes

Changsha, Hunan 410081, People’s Republic of China jiaolongche n@sina.com Hunan Normal University, Department of Mathematics,.. Changsha, Hunan 410081, People’s Republic

Relation between the convergence function and the electromagnetic form factor in a composite model

cross section of the N - N elastic scattering is also found to be propor- tional to the fourth power of the electromagnetic form factor for any values of t = q2;

On the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy

– D “simulates” the challenger in the FS-IND-RoR experiment and initializes A on random tape rt A. Additionally, when a bad event occurs, e.g. whether FS-IND-RoR security also