Simulatable Adaptive Oblivious Transfer
EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
New Anonymity Notions for Identity-Based Encryption
SCN '08 Proceedings of the 6th international conference on Security and Cryptography for Networks
Weakness in a RSA-based password authenticated key exchange protocol
Information Processing Letters
A Secure Authenticated Key Exchange Protocol for Credential Services
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
RSA-Based Password-Authenticated Key Exchange, Revisited
IEICE - Transactions on Information and Systems
New Anonymity Notions for Identity-Based Encryption
Formal to Practical Security
Efficient sequential aggregate signed data
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
An authentication and key exchange protocol for secure credential services
ISC'06 Proceedings of the 9th international conference on Information Security
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Hi-index | 0.00 |
In the security chain the weakest link is definitely the human one: human beings cannot remember long secrets and often resort to rather insecure solutions to keep track of their passwords or pass-phrases. For this reason it is very desirable to have protocols that do not require long passwords to guarantee security, even in the case in which exhaustive search is feasible. This is actually the goal of password-based key exchange protocols, secure against off-line dictionary attacks: two people share a password (possibly a very small one, say a 4-digit number), and after the protocol execution, they end up sharing a large secret session key (known to both of them, but nobody else). Then an adversary attacking the system should try several connections (on average 5000 for the above short password) in order to be able to get the correct password. Such a large number of erroneous connections can be prevented by various means. Our results can be highlighted as follows. First we define a new primitive that we call trapdoor hard-to-invert group isomorphisms, and give some candidates. Then we present a generic password-based key exchange construction that admits a security proof assuming that these objects exist. Finally, we instantiate our general scheme with some concrete examples, such as the Diffie-Hellman function and the RSA function, but more interestingly the modular square-root function, which leads to the first scheme with security related to the integer factorization problem. Furthermore, the latter variant is very efficient for one party (the server). Our results hold in the random-oracle model.