We describe a simple and novel cryptographic construction that we call a fuzzy vault. Alice may place a secret value /spl kappa/ in a fuzzy vault and "lock" it using an unordered set A of elements from some public universe U. If Bob tries to "unlock" the vault using an unordered set B, he obtains /spl kappa/ only if B is close to A, i.e., only if A and B overlap substantially.

A fuzzy vault scheme

Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

/pdf/authenticated-key-exchange-secure-against-dictionary-attacks-3e7gjz9v6y.pdf

Authenticated key exchange secure against dictionary attacks

Protocols for authentication and key establishment are the foundation for security of communications. The range and diversity of these protocols is immense, while the properties and vulnerabilities of different protocols can vary greatly.This is the first comprehensive and integrated treatment of these protocols. It allows researchers and practitioners to quickly access a protocol for their needs and become aware of existing protocols which have been broken in the literature.As well as a clear and uniform presentation of the protocols this book includes a description of all the main attack types and classifies most protocols in terms of their properties and resource requirements. It also includes tutorial material suitable for graduate students.

Protocols for Authentication and Key Establishment

We present as-strong-as-possible definitions of privacy, and constructions achieving them, for public-key encryption schemes where the encryption algorithm is deterministic. We obtain as a consequence database encryption methods that permit fast (i.e. sub-linear, and in fact logarithmic, time) search while provably providing privacy that is as strong as possible subject to this fast search constraint. One of our constructs, called RSA-DOAEP, has the added feature of being length preserving, so that it is the first example of a public-key cipher. We generalize this to obtain a notion of efficiently-searchable encryption schemes which permit more flexible privacy to search-time trade-offs via a technique called bucketization. Our results answer much-asked questions in the database community and provide foundations for work done there.

/pdf/deterministic-and-efficiently-searchable-encryption-by0gb957lb.pdf

Deterministic and efficiently searchable encryption

Password-based authenticated key exchange are protocols which are designed to be secure even when the secret key or password shared between two users is drawn from a small set of values. Due to the low entropy of passwords, such protocols are always subject to on-line guessing attacks. In these attacks, the adversary may succeed with non-negligible probability by guessing the password shared between two users during its on-line attempt to impersonate one of these users. The main goal of password-based authenticated key exchange protocols is to restrict the adversary to this case only. In this paper, we consider password-based authenticated key exchange in the three-party scenario, in which the users trying to establish a secret do not share a password between themselves but only with a trusted server. Towards our goal, we recall some of the existing security notions for password-based authenticated key exchange protocols and introduce new ones that are more suitable to the case of generic constructions. We then present a natural generic construction of a three-party protocol, based on any two-party authenticated key exchange protocol, and prove its security without making use of the Random Oracle model. To the best of our knowledge, the new protocol is the first provably-secure password-based protocol in the three-party setting.

/pdf/password-based-authenticated-key-exchange-in-the-three-party-47tk2krj6c.pdf

Password-Based authenticated key exchange in the three-party setting

When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using cryptographically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary attack to determine the correct password. We present a new protocol called PAK which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit -authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.

/pdf/provably-secure-password-authenticated-key-exchange-using-5dbmuqk5rz.pdf

Provably secure password-authenticated key exchange using Diffie-Hellman

We present fast and practical methods for generating randomly distributed pairs of the form (x,gx mod p) or (x, xe mod N), using precomputation. These generation schemes axe of wide applicability for speeding-up public key systems that depend on exponentiation and offer a smooth memory-speed trade-off. The steps involving exponentiation in these systems can be reduced significantly in many cases. Our schemes are most suited for server applications. We present security analyses of our schemes using standard assumptions, including analyses for fully adaptive attacks. Our methods are novel in the sense that they identify and thoroughly exploit the randomness issues related to the instances generated in these public-key schemes. Our constructions use random walks on Cayley (expander) graphs over Abelian groups. Our analysis involves non-linear versions of lattice problems. It appears that any realistic attack on our schemes would need to solve such problems.

/pdf/speeding-up-discrete-log-and-factoring-based-schemes-via-o8cf4niv15.pdf

Speeding up discrete log and factoring based schemes via precomputations

This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.

/pdf/on-the-security-properties-of-oaep-as-an-all-or-nothing-3i9m2cx7nb.pdf

On the Security Properties of OAEP as an All-or-Nothing Transform

This paper studies All-or-Nothing Transforms (AONTs). which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is tion, with the property that it is hard to invert unless all of the output is known. Applications of AONTs mclude improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exliaustive search We also show that no AONT can achieve substantially better security than OAEP.

On the security properties of OAEP as an All-or-Nothing transform

Secure communication protocols are disclosed in which two parties generate a shared secret which may be used as a secure session key for communication between the parties. The protocols are based on Diffie-Hellman type key exchange in which a Diffie-Hellman value is combined with a function of at least a password using the group operation such that the Diffie-Hellman value may be extracted by the other party using the inverse group operation and knowledge of the password. In one embodiment, each of the parties explicitly authenticates the other party, while in another embodiment, the parties utilize implicit authentication relying on the generation of an appropriate secret session key to provide the implicit authentication. Typically, the parties will be a client computer and a server computer. In accordance with other embodiments of the invention, in order to protect against a security compromise at the server, the server is not in possession of the password, but instead is provided with, and stores, a so-called password verifier which is a function of the password and where the password itself cannot be determined from the value of the password verifier.

Victor Boyko

Papers

Provably secure password-authenticated key exchange using Diffie-Hellman

Speeding up discrete log and factoring based schemes via precomputations

On the Security Properties of OAEP as an All-or-Nothing Transform

On the security properties of OAEP as an All-or-Nothing transform

Secure mutual network authentication and key exchange protocol