Password Based Key Exchange With Mutual Authentication

Transcription

1 Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA August 14, 2004 Abstract. A reasonably effcent password based key exchange (KE) protocol wth provable securty wthout random oracle was recently proposed by Katz, et al. [18] and later by Gennaro and Lndell [13]. However, these protocols do not support mutual authentcaton (MA). The authors explaned that ths could be acheved by addng an addtonal flow. But then ths protocol turns out to be 4-round. As t s known that a hgh entropy secret based key exchange protocol wth MA 1 s optmally 3- round (otherwse, at least one entty s not authentcated snce a replay attack s applcable), t s qute nterestng to ask whether such a protocol n the password settng (wthout random oracle) s achevable or not. In ths paper 2, we provde an affrmatve answer wth an effcent constructon n the common reference strng (CRS) model. Our protocol s even smpler than that of Katz, et al. Furthermore, we show that our protocol s secure under the DDH assumpton (wthout random oracle). 1 Introducton In the area of secure communcatons, key exchange (KE) s one of the most mportant ssues. In ths scenaro, two nteractve partes are assumed to hold long-term secrets. Through an nteractve procedure, they establsh a temporary sesson key and then use t to encrypt and authentcate the subsequent communcaton. There are two types of KE protocols n the lterature. In the frst case, each party holds a hgh entropy secret (e.g., a sgnng key of a dgtal sgnature). Research along ths lne has been well studed, see [1, 6, 8, 12]. The other case s a password authentcated key exchange protocol (see [20] for a detaled descrpton), n whch t s assumed that the two partes only share a human-memorable (low entropy) password. Unlke a hgh entropy secret, t s beleved that an exhaustve search attack (or a dctonary attack) s feasble. In fact, t s ths attack that makes a constructon of a secure password based KE protocol more dffcult than the hgh entropy secret based one. 1.1 Related Work Password authentcated key exchange was frst studed by Bellovn and Merrtt [4]. Snce then, t has been extensvely studed n lterature [5, 16]. However, none of these solutons had provable securty. The frst effort to acheve provable securty was due to Lucks [19]. Halev and Krawczyk [15] proposed a password KE protocol n an asymmetrc settng: a user only holds a password whle the 1 we do not consder a protocol wth a tme stamp or a stateful protocol (e.g., a counter based protocol). In other words, we only consder protocols n whch a sesson executon wthn an entty s ndependent of ts hstory, and n whch the network s asynchronous. 2 An extended abstract appeared n [17]. Ths s the full verson.

2 server addtonally has a prvate key of a publc key cryptosystem. Password KE protocols wthout ths asymmetrc assumpton were proposed n [2, 7]. However, these protocols ncludng [19] were proved n the random oracle model. It s known [9] that a random oracle based cryptographc constructon could be nsecure when the oracle s replaced by any real functon. In the password settng, t s even worse snce a mnor weakness of the real functon mght open the door to a dctonary attack. The frst soluton wthout random oracle was due to Goldrech and Lndell [14]. Actually, ther protocol was based on a general assumpton only (.e., the exstence of trapdoor permutaton). But ths soluton s very neffcent. A reasonably effcent constructon n CRS model wthout random oracle was proposed by Katz, et al. [18]. We shall refer to ths as the KOY protocol. An abstract framework for ths protocol was proposed by Gennaro and Lndell [13]. Nevertheless, these protocols do not support mutual authentcaton (MA). Katz, et al. mentoned n ther paper that a mutual authentcaton can be made by addng an addtonal flow. Ths s ndeed true. However, the resultng protocol s then 4-round. It s known that a hgh entropy secret based KE protocol wth MA s optmally 3-round. Thus, t s qute nterestng to ask whether there exsts such a protocol n the password settng wthout random oracles. 1.2 Contrbuton In ths paper, we provde an affrmatve answer to the above problem wth an explct constructon. Our constructon s n the CRS model (as n [13, 18]), where all the partes have access to a set of publc parameters drawn from a predetermned dstrbuton, but nobody knows the correspondng secret key f any. Our constructon s optmally 3-round. Comparng wth work n [13, 18], t addtonally supports mutual authentcaton and s also smpler than KOY protocol n the sense of exponentaton cost. Nevertheless, ther work has been nstructve to us. In fact, one technque n ther constructon helps us n authentcatng the ntator. As our mportant contrbuton, we formally prove the securty under the Decsonal Dffe-Hellman (DDH) assumpton (wthout random oracles). 2 Securty Model In ths secton, we ntroduce a formal model of securty. Ths model s manly adopted from Bellare, et al. [2] and [3]. Our dfference s n the mutual authentcaton where we feel our defnton s more reasonable. Detals are provded later. The basc securty model wthout MA was prevously adopted by Katz, et al. [18] and Gennaro and Lndell [13]. We start wth the followng notatons, whch wll be used throughout the paper. D: a password dctonary wth a polynomal sze (otherwse, t becomes a KE problem wth hgh entropy secrets). WOLG, we assume that D = {1,, N} wth a unform dstrbuton for some N > 0. P : party, ether a clent or a server. If t s a server, then t could ndvdually share a password wth a set of clents. Π l : protocol nstance l wthn party P. We requre that l be unque wthn P n order to dstngush local nstances. However, we do not requre t s globally unque, whch reflects the practcal concern for possble ndependence of dfferent partes. F low : The th message exchanged between two partcular nstances. 2

3 sd l pd l : : the sesson dentfer of a partcular nstance Π l. the party wth whch nstance Π l beleves that he has been nteractng. Partnerng. We say two protocol nstances Π l pd l = P ; (2) sd l = sd l. and Π l are partnered f (1) pd l = P and Adversaral Model. Roughly speakng, the adversary s allowed to fully control the external network. He can nect, modfy, block and delete messages at wll. He can also request any sesson keys adaptvely. Formally, he can adaptvely query the followng oracles. Execute(, l,, l ): When ths oracle s called, t checks whether nstances Π l If ether of them s old, t outputs. Otherwse, a protocol executon between Π l and Π l are fresh. and Π l takes place. At the end of the executon, a complete transcrpt (messages exchanged between the two nstances) s returned. Ths oracle call models a threat from an eavesdroppng adversary. Send(d,, l, M) : When ths oracle s called, message M s sent to nstance Π l as F low d. If nstance Π l does not exst but d 2, or f oracle Send(d,, l, ) was called before, or f nstance Π l already exsts but ether Send(d 2,, l, ) was not prevously called or ts output was f called, then the oracle output s set to ; otherwse, the oracle output s whatever Π l returns. We stress that the oracle response needs to be consstent wth Send(d 2t,, l, ) for all t > 0. Furthermore, when Send(0,, l, null) s called, t frst checks whether nstance Π l s fresh. If t s old, then the output s set to ; otherwse, Π l s ntated wthn P, and the output s whatever Π l returns as F low 1. Smlarly, when Send(1,, l, M) s called, t frst checks whether nstance Π l s fresh. If t s old, then the output s set to ; otherwse, an nstance Π l s ntated wthn party P as a responsor wth nput M. The output s whatever Π l outputs as F low 2. The oracle call reflects a threat from man-n-the-mddle attack. Reveal(, l ) : When ths oracle s called, t outputs the sesson key of nstance Π l f t has accepted and completed wth a sesson key derved; otherwse, t outputs. Ths oracle reflects the threat from a sesson key loss. Test(, l ) : Ths oracle does not reflect any real concern. However, t provdes a securty test. The adversary s allowed to query t once. The quered sesson must be completed and accepted. Furthermore, ths sesson as well as ts partnered sesson (f t exsts) should not be ssued a Reveal query. When ths oracle s called, t flps a far con b. If b = 1, then the sesson key of Π l s provded to adversary; otherwse, a random number of the same length s provded. The adversary then tres to output a guess bt b. He s successful f b = b. Havng defned adversary behavor, we come to defne the protocol securty. It contans two condtons: correctness and prvacy. The mutual authentcaton s consdered n the prvacy condton. Correctness. If two partnered nstances both accept, then they conclude wth the same sesson key except for a neglgble probablty. Prvacy. We defne two types of adversary success: If at any moment, an nstance Π l wth pd l = P has accepted and completed wth a sesson key derved whle there does not exst an nstance Π l exchanged messages seen by Π l and Π l wth pd l = P such that the pror to ths moment (especally not ncludng the 3

4 currently generated message by Π l f any) are equal, then we announce the success of adversary. Furthermore, f such an nstance Π l ndeed exsts, then we requre t s unque except for a neglgble probablty. If the above event does not happen but the adversary succeeds n the test sesson, we also announce ts success. We use random varable Succ to denote the above success events. We defne the advantage of adversary A as Adv(A):= 2 Pr[Succ] 1. Now we are ready to provde a formal defnton of securty. Defnton 1. A password authentcated key exchange protocol wth mutual authentcaton s sad to be secure f t satsfes Correctness. Prvacy. If adversary A makes Q send queres to Send oracle, then Adv(A) < Q send D + negl(n), (1) where D s the password dctonary, n s the securty parameter. Remarks. Here we gve two comments on our defnton and that n [2]. 1. From our frst prvacy condton, whenever an nstance Π l wth pd l = P accepts and completes, there exsts an (essentally) unque nstance n P (say, Π l ) wth pdl wth t and also the exchanged messages pror to the moment Π l Ths s ndeed our ntuton about Π l s authentcated. = P nteractng accepts are not tampered. 2. In Bellare, et al. [2], MA s sad to be volated f one nstance termnates whle no partner nstance exsts. Ths defnton s not always satsfactory. Indeed, sesson dentfer sd l for nstance Π l s popularly [13, 18] defned as a complete transcrpt seen by Π l. Under ths SID, ther verson of MA s always volated snce once the adversary holds on the last message the partnershp s never establshed. However, ths problem does not occur for our verson of MA snce we only consder the messages exchanged before the consdered nstance (.e., Π l ) accepts and completes. We stress that a provable MA property of a partcular protocol n [2] does not contradct our remark here snce ther SID s defned as a partal transcrpt. 3. As ponted out n [11], our defnton of MA could overkll some secure protocols. Consder any (secure) protocol Σ. We append 0 to each message n the Σ protocol but the protocol acton remans unchanged (.e., the redundant bt s gnored). It s easy to see that the revsed protocol s no longer secure accordng to our defnton of MA. Thus, a more concse MA should be defned to be a match of the mnmal sub-transcrpt that unquely determnes the sesson key. However, we keep our defnton. The reasons are as follows. Frst, our defnton seems more natural and t s waved of a problem to determne the mn-sub-transcrpt. Second, the overklled protocol seems only due to the redundant bts whch thus can be removed. Thrd, a protocol secure under our defnton s also secure under the concse defnton (snce the frst prvacy condton (.e, MA) n the latter s volated then t s volated n the former too). 4

5 3 Our Protocol In ths secton, we ntroduce our 3-round constructon under the common reference strng (CRS) model, where all the partes have access to the publc parameters that are drawn from a predetermned dstrbuton. In realty, ths condton could be realzed by a trusted thrd party or a threshold scheme. Assume p, q are large prmes wth q (p 1); G q s the (unque) multplcatve subgroup of F p of order q; g, h are unformly random generators of G q ; H s a collson resstant hash functon; e GenP K(1 n ) s the publc key for a chosen cphertext attack (n the postprocessng model) (CCA2) secure publc key cryptosystem E (we stress that nobody knows the secret key of E e ); F s a pseudorandom functon famly and ts realzaton wth secret key σ s denoted by F σ (). Our protocol s presented as Fgure 1. Assume that password π s deally shared between party P and $ % & ' % ( ) $ ( & ' % ( ) * +,.- / 0 / 12/ 34/ 5 / 6 / 7 V ;=< > - U 0 U - E FG! " # C 0 U / H? U / J K PS 1? C " T " # L M N O P2Q J R /? L " T 8 9 / 8 : ;=< >? A B C - D E F G / B J K / L M N O P!Q J R PS 1?! C " T " # Fg. 1. Key Exchange Protocol Executon between P and P P. In order to establsh a sesson key, P and P nteract as follows. Assume P speaks frst. He 5

6 pcks x Z q unformly, computes a plan ElGalmal cphertext A C and sends t together wth d P to P as F low 1. When P receves F low 1, he chooses λ 1, λ 2 Z q, and computes µ, C, σ, r, ω, Σ properly, where r s used as the random nput n encrypton of Σ, and f t requres a longer strng, r can be defned as F σ (3) F σ (4) untl t s long enough. We prefer the smple case snce the securty proof under ths modfcaton s essentally dentcal. Then he sends µ ω P back to P (as F low 2 ). Usng µ, P s able to compute σ snce σ = µ x. Then he verfes whether ω s a cphertext of H(µ A C P P ) usng random bts r. If the verfcaton s successful, then he beleves P s authentc and therefore returns an authentcaton tag τ = F σ (2) as F low 3. Furthermore, he outputs a sesson key sk = F σ (1) and termnates. When P receves τ, he checks whether τ s correct. If the verfcaton succeeds, he beleves P s authentc. Therefore, he accepts and outputs a sesson key sk = F σ (1). If the verfcaton fals, t reects. Note n the above nteracton, mplementaton ssues (e.g., a valdty check whether approprate elements belong to G q ) are omtted for smplcty. 3.1 Comparson wth KOY Protocol Now we provde a more detaled comparson wth KOY protocol. As mentoned before, KOY protocol does not support MA, or t s 4-round f an addtonal flow s added. In contrast, our protocol s 3-round wth MA. Each party n ther constructon needs 15 exps whle ours needs at most 4 exps plus one cphertext of a CCA2-secure PKE(note t s easy to fnd such a PKE wth a cphertext cost less than 11 exps). Ther constructon employs a one-tme sgnature to bnd the whole transcrpt whle we do not use such a technque snce t requres the responsor to store the whole transcrpt, whch mght be more vulnerable to denal of servce (DoS) attack. However, we stress ther constructon s nstructve to us. Specfcally, n authentcaton of ntator, we use a technque that f A C s not an ElGamal cphertext of g π, then σ s unformly random n G q. Ths technque s essentally from KOY protocol wth a relaxaton of Cramer-Shoup cphertext [10] to ElGamal cphertext. 4 Securty In ths secton, we prove the securty of our protocol. Theorem 1. Let Γ be the password authentcated key exchange protocol n Fgure 1. Let a, b, c be polynomally related to the securty parameter n. Assume e GenP K(1 n ) s the publc key of a CCA2 secure publc key cryptosystem E; H : {0, 1} {0, 1} a s a collson resstant hash functon unformly taken from a famly H; p, q are large prmes wth q (p 1); F s a pseudorandom functon famly from {0, 1} b to {0, 1} c ; G q s the (unque) multplcatve subgroup of order q n F p ; g, h are random generators of G q. Then under DDH assumpton, protocol Γ s secure. Proof. Defne sd l partnered and both accept. Then, pd l to be the whole transcrpt seen by nstance Π l. Assume Πl and pd l and Π l are are consstent and the messages are fathfully exchanged. Thus, P and P derve the same σ: σ = µ x = A λ 1 C λ 2. Thus, the correctness follows. In the rest, we concentrate on the proof of the prvacy condton. We look the protocol executon as a game between a smulator and an adversary A. The smulator pcks large prme p, q wth q (p 1) and takes g G q, u Z q, (e, d) Gen(1 n )(= (GenP K, GenSK)(1 n )), F a pseudorandom functon famly from {0, 1} b to {0, 1} c and H unformly from a famly of a collson resstant hash 6

7 functon (CRHF). He lets h = g u. Then he sets the publc parameters as g, h, H, F, e, p, q and assgns passwords to partes as n the real protocol. He smulates the protocol executon wth adversary A. We construct a sequence of slghtly modfed protocols Γ 1, Γ 2, from Γ and show that the success probablty of A n Γ s no less than that n Γ 1 except for a neglgble gap for any 1, where Γ 0 := Γ. And then we bound the success probablty of A n the last varant. Before our actual proof, we assume that n response to any oracle query, the basc valdty check n ts defnton has already been successfully verfed thus the output s never. For gven two partes P and P wth common password π, we say A C s nconsstent f log g A log h Cg π. We frst ntroduce the followng smple fact, where the proof s manly due to the fact that λ 1, λ 2 are both unform n Z q (ndependent of anythng else). Fact 1 If A C s nconsstent, then σ s unformly random n G q, gven A C µ where σ and µ are derved accordng to the responsor s executon. Game Γ 1. Now we modfy Γ 0 to Γ 1 wth the only dfference n Execute query, where C n Γ 1 s chosen unformly random. Usng a hybrd argument or a better proof smlar to Lemma 2 n [18], both wth reducton to DDH assumpton, we have Lemma 1. Under DDH assumpton n G q, the success probabltes of A n Γ and Γ 1 are neglgbly close. Game Γ 2. We modfy Γ 1 to Γ 2 wth only dfference n Execute queres where r, τ and sk l (= sk l ) n any Execute(, l,, l ) are chosen unformly random from {0, 1} 3c. Note A C s nconsstent n Execute queres of Γ 1 (and Γ 2 ) except for a neglgble probablty. By Fact 1, one can conclude the followng lemma usng a standard hybrd argument wth reducton to the pseudorandomness of F. Lemma 2. The success probabltes of A n Γ 1 and Γ 2 are neglgbly close. Game Γ 3. Now we modfy Γ 2 to Γ 3 wth the only dfference n computng ω n Execute query, where Smulator pcks C G q randomly and defnes ω = E e (H(µ A C P P ); r) nstead of a cphertext of Σ = H(µ A C P P ). Here r s unformly random (as n Γ 2 ). By a standard hybrd argument wth reducton to the semantc securty 3 of cryptosystem E (note the challenge template should be set accordng to the above modfcaton), we have the followng lemma. Lemma 3. The success probabltes of A n Γ 2 and Γ 3 are neglgbly close. Game Γ 4. Tll now, we have fnshed modfyng Execute oracle. Next, let us consder Send oracle. Before that, we ntroduce some notatons. We say that a message s adversary-generated f t s not exactly equal to the output of a Send oracle or a F low n a response of an Execute oracle; otherwse, we say t s an oracle-generated message. Consder any query Send(2,, l, µ ω P ). If there exsts Send(1,, l, A C P ) such that t outputs µ ω P and that A C P s exactly the output of Send(0,, l, null), then we say that Send(2,, l, µ ω P ) matches wth Send(1,, l, A C P ); otherwse, we say that a none-match event happens to Send(2,, l, µ ω P ). Now we modfy Γ 3 to Γ 4 wth the only dfference: upon any query Send(2,, l, µ ω P ), f a none-match event happens to t (note Smulator can check ths snce t controls all the oracles), then decdng accept/reect only depends on whether ω can be decrypted to Σ = H(µ A C P P ) or not, where A C s n the output of Send(0,, l, null) and C = Cg π. If t accepts n ths case, t announces the success of A and halts. Note n case of a match event t responses as n Γ 3. 3 Here semantc securty suffces and CCA2 securty wll be requred later to deal wth Send oracle. 7

8 Lemma 4. The success probablty of A n Γ 4 s no less than that n Γ 3. Proof. Note n case of a none-match event, f Send(2,, l, µ ω P ) n Γ 4 reects, then t reects n Γ 3 too. Therefore, before a none-match event s accepted n Γ 4, adversary vew n Γ 4 s dentcally dstrbuted as that n Γ 3. On the other hand, an accepted none-match event n Γ 4 already announces the success of A. Thus, the concluson follows. Game Γ 5. Now we modfy Γ 4 to Γ 5 such that C n any send(0,, l, null) s taken unformly random from G q. In order of consstency (n vew of A), we need to take care of other oracle defntons. Send(1,, l, M) remans unchanged. Snce there does not exst x n A C such that the normal acton can be executed, Send(2,, l, A C P ) s modfed as follows. ) If there exsts a unque l such that Send(2,, l, µ ω P ) matches wth Send(1,, l, M), then t accepts (wthout verfcaton of ω) and computes τ = F σ (2) usng σ defned n Send(1,, l, M). Then, he outputs τ and defnes the sesson key sk l = F σ (1). If there are two or more l, l, such that the above match event holds smultaneously (n the future, we call t a mult-match event), then t chooses one match randomly and follows the same procedure. ) If a none-match event happens to Send(2,, l, µ ω P ), then t responses as n Γ 4 (.e. t decrypts ω, and decdes to announce the success of A or to reect). The Send(3,, l, M) answers normally. The rest oracles reman unchanged (note the valdty follows from the fact that ther actons do not depend on the above modfcaton). Lemma 5. The success probabltes of A n Γ 4 and Γ 5 are neglgbly close. Proof. To relate Γ 4 and Γ 5, we defne a slghtly modfed Γ 4 as Γ 4. The only dfference s that n case of a match event n Γ 4, Send(2,, l, µ ω P ) responses as ) n defnton of Γ 5. On the one hand, f l s always unque (whenever a match event happens), then adversary vews n Γ 4 and Γ 4 are dentcally dstrbuted snce a unque match event s always accepted n Γ 4. On the other hand, the probablty that a mult-match event happens throughout the smulaton s neglgble snce µ s unform n G q. Thus, the success probabltes of A n Γ 4 and Γ 4 are neglgbly close. Notce that executons of Games Γ 4 and Γ 5 are dfferent only n that C s real or random. Thus, f the concluson were wrong, a standard hybrd argument drectly would reduce to break DDH assumpton, a contradcton. Detals are omtted. Game Γ 6. Now we modfy Γ 5 to Γ 6 wth the only dfference n oracle Send(1,, l, A C P ). If A C s consstent: C = A u g π, t announces the success of adversary A and exts (recall Smulator knows u := log g h; recall normally C A u g π snce C s chosen unformly random n oracle Send(0,,, null)); otherwse, t answers normally (as n Γ 5 ). The rest oracle defntons reman unchanged as n Γ 5. Note ths modfcaton only ncreases the success probablty of A. Indeed, f A C s always nconsstent, then the adversary vew n Γ 6 s dentcally dstrbuted as n Γ 5 ; otherwse, A already succeeds n Γ 6. Thus, we have Lemma 6. The success probablty of A n Γ 6 s no less than that n Γ 5. Game Γ 7. Γ 7 s modfed from Γ 6 as follows. In order to answer oracle Send(1,, l, A C P ) n Γ 7, Smulator chooses σ unformly random from G q nstead of A λ 1 C λ 2. Other oracle defntons reman unchanged as n Γ 6 (here the valdty s due to the fact that the state nformaton λ 1, λ 2 s not requred n these oracle defntons). 8

9 Lemma 7. The success probabltes of A n Γ 6 and Γ 7 are equal. Proof. Whenever σ s defned n Γ 6 (and Γ 7 ), ths mples that A s not announced to succeed n Send(1,, l, A C P ) and thus A C s nconsstent. Thus, from Fact 1, the adversary vew n Γ 6 and Γ 7 s dentcally dstrbuted. The concluson follows mmedately. Game Γ 8. Now we modfy Γ 7 to Γ 8 wth the only dfference: (r, τ, sk l ) n Send oracles are chosen unformly random from {0, 1} 3c, whch s the range of F. Detals are as follows. Whenever any Send(1,, l, A C P ) s called, Smulator follows the oracle defnton n Γ 7 except r s random n {0, 1} c. When any Send(2,, l, µ ω P ) oracle s called, Smulator responses as n Γ 5 Γ 7 wth the followng excepton: n case of a match event, τ, sk l are taken unformly random n {0, 1} c and furthermore he saves tuple (µ, τ, sk l,, ) n hs memory. Whenever any Send(3,, l, τ ) s called, Smulator searches for (µ,,,, ) n hs memory. If a unque tuple s found, then t recovers (τ, sk l, ) from ths tuple and checks whether τ = τ. If t holds, Send(3,, l, τ ) accepts and concludes the sesson key sk l := sk l. If more than one such a tuple are found, then t chooses one randomly and follows the same procedure. Otherwse, f ether of the above two checks (.e., search and comparson) fals, t reects. The rest oracle defntons (Reveal, Test, Execute) reman unchanged (the valdty follows snce such defntons are ndependent of the way Send chooses (r, τ, sk l )). Lemma 8. The success probabltes of A n Γ 7 and Γ 8 are neglgbly close. Proof. Consder a slghtly modfed Γ 7, denoted as Γ 7. Oracle defntons n Game Γ 7 are dentcal to those n Γ 8 except that (r, τ, sk l (= skl )) s computed as F σ(3), F σ (2), F σ (1). We show that the success probabltes of A n Γ 7 and Γ 7 are neglgbly close. Indeed, for Send(1,,, ) and Send(2,,, ), adversary vews n Γ 7 and Γ 7 are dentcal snce ther outgong messages are computed from the same defntons. When Send(3,, l, τ ) n Γ 7 s called, there are two cases. Case 1: A tuple (µ,,,, ) s found: Suppose such a tuple s recorded by Send(2,, l, µ ω P ), based on the match wth Send(1,, l, M). Then snce µ s unform n G q, t follows l = l except for a neglgble probablty. Thus, the decson based on τ = τ(= F σ (2)) s well consstent wth that n Γ 7 except for a neglgble probablty. Case 2: The tuple (µ,,,, ) s not found: We show that the probablty of wrong decson (.e., τ = F σ (2)) s neglgble. If ths s ncorrect, we buld a dstngusher D 7 for F. Let η 7 be the upper bound of the number of Send(1,,, ) queres. D 7 smulates Γ 7 as done by Smulator except for lth query Send(1,,, l, M), where r s provded by hs functon oracle O wth nput 3. If at some moment, A makes a query Send(2,,, µ ω P ) that matches wth Send(1,, l, M), then D 7 termnates the smulaton and outputs 0, 1 randomly. When Send(3,, l, τ ) s called, D 7 frst looks up (µ,,,, ) n hs memory. If t s found, then t termnates the smulaton and outputs 0, 1 equally lkely; otherwse, t feeds 2 to O and gets back τ. In ths case, f τ = τ, then he outputs 1; otherwse, he outputs 0. If O = F, adversary vew n the smulaton by D 7 s dentcally dstrbuted as that n Γ 7 snce σ n Γ 7 (and Γ 7) s unformly random from G q (thus the functon oracle outputs are perfectly consstent wth Γ 7 ). An easy calculaton shows that the probablty A outputs 1 s p 0 2η , where p 0 s the probablty of the wrong reecton event. If O s purely random functon famly, then τ s unform n {0, 1} c (ndependent of anythng else). Thus, Send(3,, l, τ ) wrongly accepts wth probablty at most 2 c (suffcent to consder τ = τ). Thus, D 7 has a non-neglgble advantage, contradcton. 9

10 Other oracle defntons n Γ 7 and Γ 7 are dentcal. Thus, the success probabltes of A n Γ 7 and Γ 7 are neglgbly close. Furthermore, the success probabltes of A n Γ 7 and Γ 8 are neglgbly close, because ther executons are dentcal only except that (r, τ, sk l ) n Γ 8 are taken unformly random and thus a standard hybrd argument wth reducton to the pseudorandomness of F can be appled. Game Γ 9. Γ 8 s modfed to Γ 9 so that ω n Send(1,, l, A C P ) s defned as E e [Σ ; r], where r s unform n {0, 1} c and Σ = H(µ A C P P ) for C G q. The rest oracles are unchanged. We have the followng result. Lemma 9. The success probabltes of A n Γ 8 and Γ 9 are neglgbly close. Proof. We defne Γ (l) 8 to be the varant of Γ 8 such that the frst l Send(1,,, ) queres are answered accordng to Γ 9 and the rest queres are answered accordng to Γ 8. It follows Γ (0) 8 = Γ 8 and Γ (η 9) 8 = Γ 9, where η 9 s the upperbound of number of queres Send(1,,, ). If the success gap n Γ 8 and Γ 9 were non-neglgble, then there would exst z {1,, η 9 } such that the success gap between Γ (z 1) 8 and Γ (z) 8 would be non-neglgble. We buld a CCA2 breaker D 9 for E e as follows. He takes l randomly from {1,, η 9 } and ntalzes publc parameters as done by Smulator except e provded by hs challenger. Then, D 9 smulates Γ (l) 8 except for the lth Send(1,,, ) query, say Send(1,, l, A C P ). In ths case, he computes Σ and gves (Σ, µ A P G q ) to hs encrypton oracle, requestng that a random message has a pattern Σ = H(µ A C P P ) for C G q. Then, he wll receve ω, that s an encrypton of ether Σ or a random message Σ of that pattern. Send(1,, l, A C P ) outputs µ ω P. Dfferent from Smulator, D 9 does not have a prvate key d for E. Thus, we need to guarantee hs acton s consstent. Upon any Send(2, s, l s, µ ω P t ), 1. If a match event happens to ths oracle, t responses as n Γ 8, Γ If ω ω and a none-match event happens to Send(2, s, l s, µ ω P t ), then D 9 asks hs oracle to decrypt ω n order to make acceptance/reect decson. 3. If ω = ω and a none-match event happens to Send(2, s, l s, µ ω P t ), then D 9 smply reects. We show that the wrong decson probablty s neglgble only; otherwse, H s not collson resstant. Suppose that à C P s s the output by Send(0, s, l s, null) and that ω decrypts to H(µ A C P P ) where C s chosen by ts challenger and thus s Cg π or a random C n G q. If the decson s wrong, we have H(µ A C P P ) = H(µ à Cg π st P t P s ). By the collson resstant property of H, µ A C P P µ à Cg πst P t P only wth neglgble probablty (Otherwse, we can buld a breaker of H that smulate the game by playng the roles of both D 9 and the challenger of D 9 and watng for the collson to happen). Thus, µ = µ, A = Ã, C = Cg πst, t =, s =, except for a neglgble probablty. If C = Cg π, then C = C thus Send(2, s, l s, µ ω P t ) n fact matches wth Send(1,, l, A C P ), contradcton to the nonematch assumpton for the former. If C = C πst a random n G q, then Cg = C holds only wth neglgble probablty. Thus, as a summary, the decson s wrong only wth a neglgble probablty. The rest oracles are answered normally as n Γ 8 (or Γ 9 ) snce no decrypton s requred any more. Thus, n case ω s a cphertext of Σ, then adversary vew n the smulaton s neglgbly close to that n Γ (l 1) 8 ; otherwse t s neglgbly close to Γ (l) 8. Thus, a correct guess for z, whch s nonneglgble, mmedately mples non-neglgble advantage of D 9, a contradcton. 10

11 Boundng Success Probablty n Γ 9. Now let us consder protocol Γ 9. The adversary succeeds only possbly (1) at Send(1,, l, A C P ) where he nputs a consstent ElGamal cphertext A C, or (2) at oracle Send(2,, l, µ ω P ) where a none-match event occurs, but the oracle decrypts ω to Σ = H(µ A C P P ), or (3) at Send(3,, l, τ), where the oracle accepts but τ s not the output by a Send(2,, l, ) that s matched to Send(1,, l, ), or (4) at Test query. Here we stress that mutual authentcaton n Defnton 1 s fully covered by (2) and (3). For case (3), snce τ wll be compared wth the value n the memory, success here happens only when there are two Send(2,,, ) that match wth Send(1,, l, ). Ths mples that two Send(0,,, null) generate the same output. Ths happens wth only neglgble probablty snce A s unform n G q. We thus only consder cases (1), (2), and (4). We say the adversary attempt to succeed n cases (1) (2) s an mpersonaton tral, denoted by ITr. In case (1), no nput can be successful n two protocol executons wth dfferent password canddates (recall that D = {1,, N} wth N < q). In case (2), no nput can be accepted wth non-neglgble probablty n two password canddates (otherwse, we can break H n two steps: Step 1. Smulate the protocol executon and record all the events n case (2); Step 2. Check whether the collson n case (2) happens by tryng to fnd two passwords that accept some recorded event smultaneously) 4. Thus, we assume each nput at case (1) or (2) can be accepted by at most one password canddate. Notce that ust before ITr happens, the adversary vew n Γ 9 s completely ndependent of password. Thus, mmedately after the frst ITr s reected, the adversary vew s dstrbuted dentcally among a password dctonary of sze at least D 1. The reason s: t has the same reect event for at least D 1 password canddates. Furthermore, usng a smple nducton, we have the probablty that the frst l ITr 1 events are reected but t succeeds n l + 1th ITr event s l=1 1 D l (1 D ( 1) ) = 1 D. Thus, suppose the number of Send queres s upperbounded by Q send. Then the success n ITr happens wth probablty at most Q send D except for a neglgble gap. Now we consder case (4), ths success event happens only f the success event n ITr does not happen. In ths case, snce the sesson key s chosen unformly random ndependent of anythng else. Thus, the success probablty s exactly 1 2 except that the sesson key was seen at a prevous moment, whch s only possble by Reveal query. Note the test sesson s not allowed to ssue Reveal query. We show the revealed sesson must be ts partnered sesson, whch s not allowed by defnton. To ths end, let Π l be the test sesson wth pd l = P. Snce Send(2,, l, ) accepts wth sk l derved, there must exst a matched Send(1,, l, ) and a tuple (µ, τ, sk l,, ) s stored n the memory. And later only Send(3,, l, τ ) wth µ n the output of Send(1,, l, M) wll access ths tuple and defne skl = sk l. Note n ths case, l = l except for a neglgble probablty snce µ s unform n G q. The exchanged messages (unque except for neglgble probablty) are dentcal by defnton of match, seen by Π l and Π l and they see the same τ (as n the tuple). Thus, pd l they are partnered sessons. = P, pd l = P and sd l = sd l. That s, 4 Here n order for our attack to be polynomal tme, we use the fact that D s polynomally bounded. If D s super polynomal, although t s not the settng for password KE protocol, the concluson should be revsed as: no nput from A can be accepted by non-neglgble fracton of password canddates; otherwse, an adversary O for H can be bult as follows. He smulates Γ 9 and runs A aganst t. And he records the events n case (2). And for each event, he randomly pcks a password π D and tests whether ths event can also be accepted by π. If yes, he obtans a collson of H. An easy calculaton shows that f the concluson s wrong, the success probablty of O s non-neglgble. Detals are omtted. Due to the above modfcaton, the subsequent proof content should be adusted accordngly by allowng a neglgble gap. 11

12 As a summary, the success probablty of adversary n Test sesson s exactly 1 2. Let α be the probablty of ITr event. Then the total success probablty of adversary s α+(1 α) Q send 2 D. Proof of Theorem 1 Summarzng the results n Lemmas 1-9 and success probablty of A n Γ 9, we have Adv(A) < Q send D + negl(n). Acknowledgement The authors would lke to thank anonymous referees for valuable comments. S. Jang would lke to thank Mhr Bellare for knd response upon query on mutual authentcaton, and he especally feels grateful to Davd Pontcheval for an nstructve dscusson on the defnton of mutual authentcaton. References 1. Mhr Bellare, Ran Canett, and Hugo Krawczyk, A Modular Approach to the Desgn and Analyss of Authentcaton and Key Exchange Protocols, STOC 98: Mhr Bellare, Davd Pontcheval, Phllp Rogaway: Authentcated Key Exchange Secure aganst Dctonary Attacks. EUROCRYPT 2000: Mhr Bellare, Phllp Rogaway: Entty Authentcaton and Key Dstrbuton. CRYPTO 1993: Bellovn, S.M.; Merrtt, M., Encrypted key exchange: password-based protocols secure aganst dctonary attacks, In Proceedngs of the 1992 IEEE Computer Socety Symposum on Research n Securty and Prvacy, Steven M. Bellovn, Mchael Merrtt: Augmented Encrypted Key Exchange: A Password-Based Protocol Secure aganst Dctonary Attacks and Password Fle Compromse. ACM Conference on Computer and Communcatons Securty 1993: Smon Blake-Wlson, Don Johnson, Alfred Menezes: Key Agreement Protocols and Ther Securty Analyss. IMA Int. Conf. 1997: Vctor Boyko, Phlp D. MacKenze, Sarvar Patel: Provably Secure Password-Authentcated Key Exchange Usng Dffe-Hellman. EUROCRYPT 2000: Ran Canett and Hugo Krawczyk, Analyss of Key-Exchange Protocols and Ther Use for Buldng Secure Channels, Eurocrypt 2001: Ran Canett, Oded Goldrech, Sha Halev: The Random Oracle Methodology, Revsted (Prelmnary Verson). STOC 1998: Ronald Cramer, Vctor Shoup: A Practcal Publc Key Cryptosystem Provably Secure Aganst Adaptve Chosen Cphertext Attack. CRYPTO 1998: Davd Pontcheval, prvate communcaton, Aprl W. Dffe, P.C. van Oorschot, and M.J. Wener, Authentcaton and Authentcated Key Exchanges, Desgns, Codes and Cryptography, vol. 2, no. 2, 1992, pp Rosaro Gennaro, Yehuda Lndell: A Framework for Password-Based Authentcated Key Exchange. EURO- CRYPT 2003: Oded Goldrech, Yehuda Lndell: Sesson-Key Generaton Usng Human Passwords Only. CRYPTO 2001: Sha Halev, Hugo Krawczyk: Publc-Key Cryptography and Password Protocols. ACM Conference on Computer and Communcatons Securty 1998: Davd P. Jablon, Extended Password Key Exchange Protocols Immune to Dctonary Attacks. WETICE 1997: Shaoquan Jang and Guang Gong, Password based Key Exchange wth Mutual Authentcaton, SAC The current paper s the full verson. 18. Jonathan Katz, Rafal Ostrovsky, Mot Yung: Effcent Password-Authentcated Key Exchange Usng Human- Memorable Passwords. EUROCRYPT 2001: Stefan Lucks, Open Key Exchange: How to Defeat Dctonary Attacks Wthout Encryptng Publc Keys. Securty Protocols Workshop 1997: Avalable at Alfred Menezes, Paul C. van Oorschot, Scott A. Vanstone: Handbook of Appled Cryptography. CRC Press