Authentication and Key Agreement via Memorable Password
Taekyoung Kwon
University of California, Berkeley
[email protected] or
[email protected]
Updated on August 20, 2000
Preliminary Version 2.51 since May 1, 2000
Abstract
This paper presents a new password authentication and key agreement protocol, AMP, based on the amplified password idea. The intrinsic problems with password authentication are that the password itself has low entropy and the password file is very hard to protect. We present the amplified password proof and the amplified password file for solving these problems. A party commits the high entropy information and amplifies her password with that information in the amplified password proof. She never shows any information except that she knows it. Our amplified password proof idea is very similar to the zero-knowledge proof in that sense. We add one more idea, the amplified password file, for password file protection. A server stores the amplified verifiers in the amplified password file, which is secure against a server file compromise and a dictionary attack. AMP mainly provides the password-verifier based authentication and the Diffie-Hellman based key agreement, securely and efficiently. AMP is easy to generalize in any other cyclic groups. In spite of those plentiful properties, AMP is actually the most efficient protocol among the related protocols due to the simultaneous multiple exponentiation method. Several variants such as AMPi, AMPn, AMPn+, AMP+, AMP++, and AMPc are also proposed. Among them, AMPn is actually the basic protocol of this paper that describes the amplified password proof idea, while AMP is the most complete protocol that adds the amplified password file. AMPi simply removes the amplified password file from AMP. In the end, we give a comparison to the related protocols in terms of efficiency.
This manuscript is a preliminary version of our paper available from the IACR eprint archive, http://eprint.iacr.org/2000/026. The protocols described in this paper were submitted as a contribution to the IEEE P1363 study group for future PKC standards, Ultimate Solution to Authentication via Memorable Password[23]. It is available from the website, http://grouper.ieee.org/groups/1363/StudyGroup/Passwd.html#amp.
Keywords: Authentication, key agreement, password guessing, password verifier, public-key cryptography, discrete logarithm problem, Diffie-Hellman problem, amplified password proof, amplified password file.
1 Introduction
Entity authentication is one of the most important security functions. It is necessary for verifying the identities of the communicating parties when they initiate their connection. This function is usually provided in combination with a key establishment scheme such as key transport or key agreement between the parties. For user authentication, three kinds of approaches exist: knowledge-based authentication, token-based authentication, and biometric authentication. Among them, the knowledge-based scheme relies on human memory (mind). Actually, it is the most widely-used method due to such advantages as simplicity, convenience, adaptability, mobility, and lower hardware requirements. It requires users only to remember and type in their knowledge such as a password or PIN (personal identification number). Therefore, users are allowed to move conveniently without carrying hardware tokens. However, a complex problem with this password-only authentication is that a human-memorable password has low entropy, so that it could be vulnerable to malicious guessing attacks. The problem becomes much more critical in an open distributed environment. Moreover, password file protection is another problem that makes password authentication more unreliable. If a password file is compromised, it is at least vulnerable to dictionary attacks. A cryptographic protocol based on public-key cryptography is the most promising solution to this problem.
Password Protocols.(1) Since the first scheme, LGSN[25], was introduced in 1989, many protocols have followed it. Among them, EKE[7] was a great landmark of certificate-free protocols. One variant of EKE, DH-EKE[7], introduced the password authentication and key agreement, and was "enhanced" to A-EKE[8], which was the first verifier-based protocol to resist a password-file compromise and to accommodate salt, while there was an earlier work describing the use of salt[38]. GLNS[15] was enhanced from LGSN. Due to the inefficiency and constraints of older schemes, various modifications and improvements have followed. They include TH[37], AL[1], M-EKE[36], Gong[16], KS[21], SPEKE[18, 19], S3P[34], SRP[39], HK[17], and GXY[22]. However, some of them have been broken and some are still being cryptanalyzed[2, 13, 31, 9]; most were inadequate for the security proof due to ad-hoc methods of protecting the password. In the mean time, OKE[26] introduced a provable approach and was followed by several great works such as SNAPI[27], EKE2[5], AuthA[6], and PAK[10]. They show the provable approach in this area is maturing.
Among the password protocols, A-EKE, B-SPEKE, SRP, GXY, SNAPI-X, AuthA, and PAK-X are classified as password-verifier based protocols[8, 19, 39, 22, 27, 6, 10]. They allow the asymmetric model in which a client possesses a password, while a server stores its verifier rather than the password. Following A-EKE[8], B-SPEKE was augmented from SPEKE[18, 19]. SRP showed efficient work on a verifier and GXY was derived from SRP[39, 22]. SNAPI-X was augmented from SNAPI while PAK-X was enhanced from PAK[27, 10]. AuthA was derived from several previous protocols but strongly studies a provable approach[6]. However, even the verifier-based protocols still allow dictionary attacks and server impersonation attacks if a server file is compromised. Currently, standardization work on this field is being considered in the IEEE P1363 group.
(1) Readers are referred to Figure 8 attached in the Appendix of this document. Jablon's work[18] is recommended as the best tutorial for the password protocol study, while Wu's work[39] is the best for the verifier protocol study. Bellare and Rogaway's work[3] is the foundation of the provable approach.
Contribution. Our goal is to design a new protocol in a provable manner, which combines the following functions securely and efficiently.
- Password(-verifier) based authentication[8]
- Diffie-Hellman based key agreement[12]
- Easy generalization[28]
- Password file protection
For achieving the goal, we propose two simple ideas: the amplified password proof, which makes a user amplify her password and prove that she knows the amplified password, and the amplified password file, which makes a server store the amplified verifier for resisting a server file compromise and a dictionary attack. From this point of view, we name our protocol AMP, which stands for Authentication and key agreement via Memorable Password. Regarding several functional issues, we also present major variants of AMP. They are called AMPi, AMPn, AMPn+, AMP+, AMP++, and AMPc. Among them, AMPn is actually the basic protocol of this paper that describes the amplified password proof idea, though it is designed for a symmetric setup. Several minor variants can also be considered, but they are explained implicitly. We compare the efficiency of all verifier-based protocols. Actually, AMP is the most efficient protocol among the existing verifier-based protocols. Note that AMP will be designed to avoid explicit encryption/decryption at least for authentication and verification, though it will provide a key agreement function.
2 AMP Protocol Design
2.1 Preliminaries
AMP is typically the two-party case, so we use Alice and Bob for describing a client and a server, respectively. Eve indicates an adversary, whether she is passive or active. and denote password and salt, respectively. =: means a comparison of two terms, for example, =: . Let {0,1}^* denote the set of finite binary strings and {0,1}^∞ the set of infinite ones. implies the empty string. k is our security parameter, long enough to prevent brute-forcing, while l(k) 2k, ω(k) 32 k, and t(k) 31 k. h(·): {0,1}^* → {0,1}^{l(k)} means a collision-free one-way hash function. All hash functions are assumed to behave like random oracles for the security proof[3]. Note we abbreviate the modular notation, mod p, for convenience hereafter.
Random Oracle. We assume random oracles h_i(·): {0,1}^* → {0,1}^{l(k)} for i ∈ [1, 5]. If Eve sends queries Q_1, Q_2, Q_3, ... to the random oracle h_i, she receives answers h_i(Q_j), all independently random values, from the oracle. Let h(·) denote a real-world hash function. For practical recoveries of random oracles in the real world, we define h_1(x) = h(00|x|00), h_2(x) = h(01|x|01), h_3(x) = h(01|x|10), h_4(x) = h(10|x|10) and h_5(x) = h(11|x|11), following the constructions given in Bellare and Rogaway's work[3]. | denotes concatenation.
Numerical Assumption. Security of AMP is based on two familiar hard problems which are believed infeasible to solve in polynomial time. One is the Discrete Logarithm Problem: given a prime p, a generator g of a multiplicative group Z_p^*, and an element g^x ∈ Z_p^*, find the integer x ∈ [0, p−2]. The other is the Diffie-Hellman Problem: given a prime p, a generator g of a multiplicative group Z_p^*, and elements g^x ∈ Z_p^* and g^y ∈ Z_p^*, find g^{xy} ∈ Z_p^*. These two problems hold their properties in a prime-order subgroup[30, 28]. We assume that all numerical operations of the protocol are on a cyclic group where it is hard to solve these problems. We consider the multiplicative group Z_p^* and actually use its prime-order subgroup Z_q^*. We should use its main operation, a modular multiplication, for easy generalization. For the purpose, Bob chooses g that generates a prime-order subgroup Z_q^* where p = qr + 1. Note that the prime q must be sufficiently large (> l(k)) to resist Pohlig-Hellman decomposition and various index-calculus methods, but it can be much smaller than p[30, 32, 33]. It is easy to make g by raising a generator of Z_p^* to the power (p−1)/q. Z_q^* is preferred for efficiency and for preventing a small subgroup confinement more effectively. By confining all exponentiation to the large prime-order subgroup through g of Z_q^*, each party of the protocol is able to detect an on-line attack whenever a received exponential is confined to a small subgroup. We can use a secure prime modulus p such that (p−1)/2q is also prime or each prime factor of (p−1)/2q is larger than q, or a safe prime modulus p such that p = 2q + 1[24]. We strongly recommend using a secure prime modulus because it allows a much smaller q, e.g., closely down to l(k).
2.2 Our Idea
Our idea is to "amplify" the low entropy of the password (1) in the well-structured cryptographic protocol, i.e., in the secure interaction between communicating parties, and (2) in the well-structured password file, both for securing password authentication and the password file.
Definitions. Firstly we give some useful definitions, followed by our detailed idea.
Definition 1 A Password Proof defines: a party A who knows a low entropy secret called a password makes a counterpart B convinced that A is the one who knows the password.
We can consider two kinds of setup, a symmetric setup and an asymmetric setup. The asymmetric setup could benefit from salt for overcoming the text-equivalence of the symmetric setup. The password proof is actually composed of two kinds of proof.
Definition 2 A Secure Password Proof defines: a party A successfully performs the Password Proof without revealing any information about the password itself.
Definition 3 An Insecure Password Proof defines: a party A successfully performs the Password Proof but fails the Secure Password Proof, or a party A successfully performs the Password Proof by showing some or all information about the password.
The insecure proof can be classified into the fully insecure password proof such as PAP (password only), the partially insecure password proof such as CHAP (challenge and handshake), and the cryptographically insecure password proof such as some cryptographic protocols.
Definition 4 An Amplified Password Proof defines: a party A who knows a password amplifies the password and makes a counterpart B convinced that A is the one who knows the amplified password.
The Amplification. Our amplification idea is very simple; for example, Alice insists on her knowledge of the password by giving x + mod q rather than only, while x is the randomly chosen high entropy information. For the purpose, a fresh x must be securely committed by Alice prior to her proof of each session. (x + is not guessable at all whereas is guessable, if x is kept secret.)
Definition 5 The Amplified Password ϖ defines a value that only one who knows and x can make from A( , x), where x is chosen randomly in Z_q^* and is a human-memorable password, for an arbitrary amplification function A(·). (Note: ϖ is rather ephemeral.)
We configure this idea as an amplified password proof.
The Amplified Password Proof. Assume that Alice knows while Bob knows g . The procedure of the amplified password proof is composed of basically three steps: initial commitment, challenge, and response. The initial commitment step performs a secure commitment of x, having high entropy, by Alice; the challenge step performs a random challenge of y by Bob; the response step performs a knowledge proof by Alice about the amplified password ϖ. We define three functions, one for each step: G_1(·) for initial commitment, G_2(·) for challenge, and H(·) for response.
Definition 6 The Amplified Password Proof performs: Alice, who knows her password , randomly chooses and commits the high-entropy information x to Bob. Bob, who knows g , picks y at random and asks Alice if she knows the password and the committed information. Alice responds with the fact that she knows the amplified password ϖ.
Alice                                      Bob
initial commitment   --  G_1(x)  -->
                     <-- G_2(y)  --        challenge
response             --  H(ϖ)    -->
For secure commitment, G_1(·) should not reveal x even to Bob, for example, g^x. While G_2(·) transmits a fresh challenge, H(·) should imply only the fact that Alice knows ϖ without revealing any information about x and . If we set A( , x) = (x + )^{-1} mod q, then only one who knows x and can compute ϖ. So we set G_2(·) = g^{(x+ )y} for making the verification information, i.e., (g^{(x+ )y})^ϖ = g^y. Bob, who knows G_1(·) as well as g , can make G_2(·) by (g^x g )^y. As a result, both parties can get g^y, the verification information, so we set H(·) = g^y. Of course, they can also make g^{xy} due to the Diffie-Hellman scheme. Therefore, we can derive the following theorem, which is easy to prove by assuming x is randomly chosen in Z_q^*. (Hint: ϖ is not derivable from g^x, g^{(x+ )y}, g^y and even g . as well as x are necessary for computing A( , x).)
Theorem 1 The Amplified Password Proof is a Secure Password Proof.
This means Alice never shows the password itself for her proof; rather she proves the fact of knowing it. The amplified password proof idea is very similar to the zero-knowledge proof in that sense, but g must be kept secure because it is actually vulnerable to guessing attacks.
The Amplification and Key Exchange. It is easy to add key exchange to the amplified password proof because we already utilized the Diffie-Hellman scheme. For key exchange, Alice can derive a session key from g^{xy} and show the fact of agreeing on it. Bob is also able to do the same thing. A strong one-way hash function must be the best tool for this. For Alice to agree on g^{xy}, we set ϖ = (x + )^{-1} x mod q. For mutual key confirmation as well as mutual authentication, however, the protocol must be configured in four steps to add Bob's response. The following describes the basic version. Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Alice(id, )                                      Bob(id, g  or )
x ∈_R Z_q^*
G_1 = g^x                   -- id, g^x -->       fetch (id, )
                                                 y ∈_R Z_q^*
                                                 G_2 = (G_1 g )^y or (G_1)^y g^{ y}
ϖ = (x + )^{-1} x mod q     <-- g^{(x+ )y} --    = (G_1)^y
= (G_2)^ϖ                                        K_2 = h_1( )
K_1 = h_1( )                                     H_12 = h_2(G_1, K_2)
H_11 = h_2(G_1, K_1)        -- h(G_1, K_1) -->   verify H_11 =: H_12
H_21 = h_3(G_2, K_1)        <-- h(G_2, K_2) --   H_22 = h_3(G_2, K_2)
verify H_21 =: H_22
Figure 1: AMPn Protocol
Both parties compute exponentials as in the Diffie-Hellman scheme. The difference is that the random exponent of and the base of G_2 are tactfully transformed. We call this protocol AMPn (AMP-naked) because the protocol is actually vulnerable to client impersonations as well as server impersonations and dictionary attacks if a password file is compromised. Bob can store rather than g , and for this case G_2 benefits from the simultaneous multiple exponentiation method in terms of efficiency[28, 35]. Above all, g must be kept secure because it is actually vulnerable to guessing attacks. So we propose an amplified password file idea for improving the security of the password file.
The Amplified Password File. As for the password file, an asymmetric setup is preferred because of the weakness of text-equivalence in a symmetric setup[8, 19, 39]. If a password file is compromised, it can be used directly for a client impersonation in the symmetric setup. However, the low entropy of the password makes the password file vulnerable to dictionary attacks and server impersonation attacks even if each password is hashed or exponentiated in the asymmetric setup. For example, a verifier such as = h( ) is vulnerable to guessing attacks and server impersonation attacks. For the password file protection, encryption can be considered, but the key management and performance issues must be overcome. The amplified password file is a password file of which a record includes an amplified verifier.
Definition 7 The Amplified Verifier defines a value that only one who knows ς and can use for password verification, where ς is chosen randomly in Z_q^* and is chosen randomly in {0,1}^k. Set = g^{(ς+ )^{-1}} where = h(id, ). If (ς + )^{-1} = 1, is not the amplified verifier. (Note: is semi-permanent.)
A record of the amplified password file is (id, , ). The amplified password file is stored in an ordinary server system, while ς must be stored in and supplied from a secure storage device such as a smart card. Ideally, ς should not leave such a secure device, but a bottleneck may be a problem with a poor-performance device. Otherwise, we can devise a special hardware device for performing ς-related operations with higher performance, but practically ς may be loaded into the server's memory. However, even if ς resides in the server's run-time memory, a memory dump and its analysis are necessary for launching a server impersonation attack or a dictionary attack with the compromised password file. That is, the amplified password file itself is secure against such attacks if ς is secure; even if not, an adversary cannot directly impersonate a server or launch dictionary attacks without a memory dump. AMP will be the protocol that enables the amplified password ideas and the key agreement. The following subsection describes AMP.
2.3 Complete Protocol Description
We set ϖ = (x + )^{-1}(x + e) where = h_1(id, ) and e = h_2(G_1, G_2, id, Alice, Bob).
Protocol Setup. This step determines and publishes the global parameters of AMP.
1. Alice and Bob share g, p and q. id indicates precisely a user name (id) while Alice and Bob mean rather addresses.
2. Alice chooses ∈_R {0,1}^{ω(k)} and notifies Bob in an authentic and confidential manner (secure registration, off-line distribution with picture id proof).
3. Bob chooses ∈_R {0,1}^k and stores (id, , = g^{(ς+ )^{-1}}) where = h_1(id, ). Bob should throw away and .
Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice (id, )                                       Bob (id, , )
x ∈_R Z_q^*
G_1 = g^x                      -- id, g^x -->      fetch (id, , )
= h_1(id, )                                        y ∈_R Z_q^*
= (x + )^{-1} mod q                                G_2 = (G_1)^y ^{(ς+ )y} = (G_1 g )^y
                               <-- g^{(x+ )y} --   e = h_2(G_1, G_2, id, Alice, Bob)
e = h_2(G_1, G_2, id, Alice, Bob)                  = (G_1)^y g^{ey} = (G_1 g^e)^y
ϖ = (x + e) mod q                                  K_2 = h_3( )
= (G_2)^ϖ                                          H_12 = h_4(G_1, K_2)
K_1 = h_3( )
H_11 = h_4(G_1, K_1)           -- h(G_1, K_1) -->  verify H_11 =: H_12
H_21 = h_5(G_2, K_1)           <-- h(G_2, K_2) --  H_22 = h_5(G_2, K_2)
verify H_21 =: H_22
Figure 2: AMP Protocol
The following steps explain how the protocol is executed in Figure 2.
1. Alice computes G_1 = g^x by choosing x ∈_R Z_q^* and sends (id, G_1) to Bob.
2. After receiving message 1, Bob loads and ς, and computes G_2 = (G_1)^y ^{(ς+ )y} by choosing y ∈_R Z_q^*. This can be done by the simultaneous multiple exponentiation method. Note that G_2 = (G_1)^y ^{(ς+ )y} = (g^x g )^y. He sends G_2 to Alice.
3. While waiting for message 2, Alice computes = h_1(id, ) and = (x + )^{-1} mod q. After receiving message 2, Alice computes e = h_2(G_1, G_2, id, Alice, Bob), ϖ = (x + e) mod q and = (G_2)^ϖ. Note that = (g^{(x+ )y})^ϖ = g^{y(x+e)}. She computes K_1 = h_3( ) and H_11 = h_4(G_1, K_1). She sends Bob H_11.
4. While waiting for message 3, Bob computes e = h_2(G_1, G_2, id, Alice, Bob), = (G_1)^y g^{ey} = (g^x g^e)^y = g^{(x+e)y}, K_2 = h_3( ) and H_12 = h_4(G_1, K_2). After receiving message 3, Bob compares H_12 with H_11. If they match, he computes H_22 = h_5(G_2, K_2) and sends Alice H_22. This means he has authenticated Alice, who knows ϖ (actually and thus , since x is secure from g^x), and agreed upon K (= K_1 = K_2).
5. While waiting for message 4 from Bob, Alice computes H_21 = h_5(G_2, K_1). After receiving message 4, she compares H_21 with H_22. If they match, Alice also agrees on K (= K_1 = K_2), authenticating Bob, who knows .
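As an added example that is not part of the paper, the following Python script runs steps 1 to 5 of AMP end to end with both parties in one process, including the subgroup-confinement checks the paper calls for on each received exponential. It assumes the names π (password), γ = h_1(id, π), σ (salt), ς (Bob's separately stored secret) and τ = g^{γ(ς+σ)^{-1}} for the values whose symbols were lost in this copy, SHA-256 reduced modulo q in place of h and the oracles h_i, and a small safe-prime group generated on the fly in place of the secure prime modulus the paper recommends.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases (deterministic for n < 2^64)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=62):
    """Toy group: safe prime p = 2q + 1 by deterministic search; g = 4 = 2^2 has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


# h_i(x) = h(pre|x|suf) with the page's bit tags; SHA-256 stands in for h (assumption).
TAGS = {1: ("00", "00"), 2: ("01", "01"), 3: ("01", "10"), 4: ("10", "10"), 5: ("11", "11")}


def h(i, *parts):
    pre, suf = TAGS[i]
    data = "|".join([pre, *map(str, parts), suf]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def in_subgroup(v, p, q):
    """Small-subgroup confinement check: v must be a non-identity element of order q."""
    return 1 < v < p and pow(v, q, p) == 1


def register(ident, password, p, q, g):
    """Protocol setup: Bob's record (id, sigma, tau) for the password file.
    zeta is returned separately: it belongs in secure storage, not in the file."""
    gamma = h(1, ident, password) % q                  # gamma = h_1(id, pi)
    while True:
        sigma = secrets.randbits(64) % q               # salt
        zeta = secrets.randbelow(q - 1) + 1            # secret held apart from the file
        if (zeta + sigma) % q == 0:
            continue
        amp = gamma * pow(zeta + sigma, -1, q) % q     # gamma (zeta + sigma)^-1
        if amp != 1:                                   # amp == 1 would store tau = g
            break
    return {"id": ident, "sigma": sigma, "tau": pow(g, amp, p)}, zeta


def amp_run(ident, password, record, zeta, p, q, g, alice="alice", bob="bob"):
    """Steps 1-5 of AMP. Returns (bob_accepts, alice_accepts, K1, K2)."""
    # Step 1 (Alice): commit to x with G1 = g^x; message 1 is (id, G1).
    x = secrets.randbelow(q - 1) + 1
    G1 = pow(g, x, p)
    # Step 2 (Bob): reject a confined G1, then G2 = G1^y tau^{(zeta+sigma) y} = g^{(x+gamma) y}.
    if not in_subgroup(G1, p, q):
        return False, False, None, None
    y = secrets.randbelow(q - 1) + 1
    G2 = pow(G1, y, p) * pow(record["tau"], (zeta + record["sigma"]) * y % q, p) % p
    # Step 3 (Alice): varpi = (x+gamma)^-1 (x+e); G2^varpi = g^{(x+e) y} only if pi is right.
    if not in_subgroup(G2, p, q):
        return False, False, None, None
    gamma = h(1, ident, password) % q
    e = h(2, G1, G2, ident, alice, bob) % q            # both sides derive the same e
    varpi = pow(x + gamma, -1, q) * (x + e) % q
    K1 = h(3, pow(G2, varpi, p))
    H11 = h(4, G1, K1)
    # Step 4 (Bob): mu = G1^y g^{e y}; check H11 and only then release H22.
    K2 = h(3, pow(G1, y, p) * pow(g, e * y % q, p) % p)
    if H11 != h(4, G1, K2):
        return False, False, None, None                # wrong password: no H22 is sent
    H22 = h(5, G2, K2)
    # Step 5 (Alice): her H21 = h_5(G2, K1) must equal H22 before she accepts K1.
    return True, H22 == h(5, G2, K1), K1, K2


if __name__ == "__main__":
    p, q, g = safe_prime_group()
    rec, zeta = register("alice", "correct horse", p, q, g)
    print(amp_run("alice", "correct horse", rec, zeta, p, q, g)[:2])   # (True, True)
    print(amp_run("alice", "wrong horse", rec, zeta, p, q, g)[:2])     # (False, False)
```

Note that only the record and ς together let Bob form g^{(x+γ)y}; the password file alone never yields g^γ, which is the file-compromise property the text describes.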
Small Discussion. AMP passes four messages between Alice and Bob, who agree on g^{(x+e)y} while AMPn agreed on g^{xy}. The password file compromise still needs a memory dump and its analysis for getting ς. The existence of e is explicit against a compromise of both. For example, if Eve sends ^{(ς+ )x} to Bob, then Bob will respond with (g^x g )^y and compute = (g^x g^e)^y = g^{(x+e)y}. If e did not exist, would be equal to g^{xy}, so that it would be computable by G_2^{(x+1)^{-1} x}. Due to the existence of e, Eve cannot compute from , x, e and g^{ y} (= G_2^{(x+1)^{-1}}). That is, she cannot falsely convince Bob that she is Alice even with the password file and ς. Here, we should note that the statistical difference between G_2 and (= ) is only dependent upon the difference between and e. If ABS( − e) = 0, they must be exactly the same as each other, though its probability is extremely low. Such a case can be detected easily by both parties, for example, =: G_2 and =: G_2. Note that and e are unchangeable and untraceable in G_2 and (= ) without knowing either x or y (see Lemma 1 in the Appendix). We can make h_1(·) and h_2(·) differ widely for and e. In this point, we could set q larger than h_2(·), where h_2(·) should be at least k larger than h_1(·). For example, we define h_2(x) = h(01|x|01)h(10|x|01) while h_1(x) = h(00|x|00), recommending SHA-1 or RIPEMD-160 for a 160-bit hash. Otherwise, there are several variants removing such a point, for example, AMPn, AMP+, and AMP++. The final two steps can be modified, for example, H_11 = h_4( , G_1, G_2, id, A, B) and H_22 = h_5( , G_2, G_1, B, A, id). We can choose salt implicitly by computing f(id, B), where f(·) is an implicit salt function[6, 10], for example, = h_1(id, f(id, B), ). For updating an existing system such as Unix, we can modify such that = h( ', ) and send ' in message 2, where h( ', ) is an existing verifier.
3 AMP Protocol Variants
We present five explicit variants of AMP and AMPn. They are AMPi, AMPn+, AMP+, AMP++, and AMPc. Among them, AMPi excludes the use of the amplified password file, while AMPn+ loses the zero-knowledge property for enabling verifier-based authentication in AMPn. AMP+ and AMP++ are extended for perturbing the structural similarity between G_2 and (= ) in AMP. Every AMP provides one-way authentication in three steps. Finally, AMPc is a crippled version of the AMP family for one-way authentication in two steps.
3.1 AMPi
AMPi excludes the amplified password file from AMP. The difference in protocol setup is that Bob stores (id, , = g ) where = h_1( , ). Of course, salt can be obtained implicitly. The difference in protocol run is that Alice computes the inverse of the amplified password after receiving message G_2. AMPi slightly reduces the running time for G_2 but loses the strong security against a password file compromise. That is, if the password file is compromised, Eve is able to directly impersonate a server or launch dictionary attacks in AMPi, while it was much more difficult in AMP. We set ϖ = (x + )^{-1}(x + e) mod q.
Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice(id, )                                        Bob(id, , )
x ∈_R Z_q^*
G_1 = g^x                      -- id, g^x -->      fetch (id, , )
                                                   y ∈_R Z_q^*
                                                   G_2 = (G_1 )^y
                               <-- , g^{(x+ )y} -- e = h_2(G_1, G_2, id, Alice, Bob)
e = h_2(G_1, G_2, id, Alice, Bob)                  = (G_1)^y g^{ey} = (G_1 g^e)^y
= h_1( , )                                         K_2 = h_3( )
ϖ = (x + )^{-1}(x + e) mod q                       H_12 = h_4(G_1, K_2)
= (G_2)^ϖ
K_1 = h_3( )
H_11 = h_4(G_1, K_1)           -- h(G_1, K_1) -->  verify H_11 =: H_12
H_21 = h_5(G_2, K_1)           <-- h(G_2, K_2) --  H_22 = h_5(G_2, K_2)
verify H_21 =: H_22
Figure 3: AMPi Protocol
3.2 AMPn+
AMPn was totally vulnerable to the password file compromise. However, we can extend AMPn for verifier-based authentication in the asymmetric setup model. Compared to AMP, this extension is proposed for efficiency and "easy deployment" at the cost of security. AMPn+ actually loses the zero-knowledge property; that is, Bob is always able to read in a protocol run. The main difference in protocol setup is that = h_2( , ) where = h_1(id, ). Of course, we can remove salt or use implicit salt; the following version explicitly uses salt. For AMPn+, we define functions such that E(x, y) = x + y mod q and D(x, y) = x − y mod q. We can replace their operations with a modular multiplication or a conventional encryption function, though the conventional encryption is not recommended. We set ϖ = (x + )^{-1} x mod q.
Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice(id, )                                        Bob(id, , )
x ∈_R Z_q^*
G_1 = g^x                      -- id, g^x -->      fetch (id, , )
                                                   y ∈_R Z_q^*
= h_1(id, )                    <-- , g^{(x+ )y} -- G_2 = (G_1)^y g^{ y}
= h_2( , )                                         = (G_1)^y
ϖ = (x + )^{-1} x mod q                            K_2 = h_3( )
= (G_2)^ϖ                                          e = h_4(id, Alice, Bob, K_2, )
K_1 = h_3( )
e = h_4(id, Alice, Bob, K_1, )
H_11 = E(e, )                  -- E(e, ) -->       verify =: h_2( , D(H_11, e))
H_21 = h_5(G_2, K_1)           <-- h(G_2, K_2) --  H_22 = h_5(G_2, K_2)
verify H_21 =: H_22
Figure 4: AMPn+ Protocol
e^{-1} is applied to H_11 for recovering .
3.3 AMP+
AMP+ perturbs the structural similarity between G_2 = g^{(x+ )y} and = = g^{(x+e)y}. The difference in protocol setup is to set ϖ = (x + )^{-1}(x + e_2) mod q. The main difference in protocol run is that both parties compute e_1 such that e_1 = h_2(G_1, id, Alice, Bob). We set ϖ = (xe_1 + )^{-1}(x + e_2) mod q. The randomness of e_1 is totally dependent upon that of G_1, so that Bob cannot contribute to its randomness, while the randomness of e_2 is dependent upon that of G_2 as well as G_1.
Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice(id, )                                        Bob(id, , )
x ∈_R Z_q^*
G_1 = g^x                      -- id, g^x -->      fetch (id, , )
= h_1(id, )                                        y ∈_R Z_q^*
e_1 = h_2(G_1, id, Alice, Bob)                     e_1 = h_2(G_1, id, Alice, Bob)
= (xe_1 + )^{-1} mod q                             G_2 = (G_1)^{e_1 y} ^{(ς+ )y} = (G_1^{e_1} g )^y
                               <-- g^{(xe_1+ )y} -- e_2 = h_3(G_1, G_2, id, Alice, Bob)
e_2 = h_3(G_1, G_2, id, Alice, Bob)                = (G_1)^y g^{e_2 y}
ϖ = (x + e_2) mod q                                K_2 = h_4( )
= (G_2)^ϖ                                          H_12 = h_5(G_1, K_2)
K_1 = h_4( )
H_11 = h_5(G_1, K_1)           -- h(G_1, K_1) -->  verify H_11 =: H_12
H_21 = h_6(G_2, K_1)           <-- h(G_2, K_2) --  H_22 = h_6(G_2, K_2)
verify H_21 =: H_22
Figure 5: AMP+ Protocol
Note that G_2 = g^{(xe_1+ )y} while = g^{(x+e_2)y}. We should define h_6(x) = h(10|x|01) for AMP+.
3.4 AMP++
AMP++ is another form of perturbing the structural similarity between G_2 and (= ). The difference in protocol setup is that Bob stores (id, = g^{−(ς+ )^{-1}}) where = h_1(id, f(id, Bob), ). The protocol run differs in that Alice chooses two ephemeral parameters, x_1 and x_2. Alice computes G_0 = x_1 + mod q and G_1 = g^{x_2}, and sends them to Bob, who will respond with G_2. We set ϖ = (x_2 − )^{-1}(x_1 + ex_2) mod q so that Alice computes = ϖ^{-1}(x_1 + ex_2) mod q for getting . Bob gets by computing (g)^{G_0 y} ( )^y (G_1)^{ey}. Therefore, the agreed key is g^{(x_1+ex_2)y} while G_2 = g^{(x_2− )y}.
The following describes how to run AMP++. Note that the cases x_1 ∈ {0,1}^∞, x_2 ∈ {0,1}^∞, y ∈ {0,1}^∞, G_0 ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice(id, )                                            Bob(id, )
x_1, x_2 ∈_R Z_q^*
= h_1(id, f(id, B), )
G_0 = x_1 + mod q
G_1 = g^{x_2}                  -- id, x_1 + , g^{x_2} --> fetch (id, )
                                                       y ∈_R Z_q^*
                                                       G_2 = (G_1)^y ^{(ς+ )y} = (G_1 g^{− })^y
                               <-- g^{(x_2− )y} --     e = h_2(G_0, G_1, G_2, id, Alice, Bob)
e = h_2(G_0, G_1, G_2, id, Alice, Bob)                 = g^{G_0 y} ^{(ς+ )y} (G_1)^{ey}
ϖ = (x_2 − )^{-1}(x_1 + ex_2) mod q                    K_2 = h_3( )
= (G_2)^ϖ                                              H_12 = h_4(G_0, G_1, K_2)
K_1 = h_3( )
H_11 = h_4(G_0, G_1, K_1)      -- h(G_1, K_1) -->      verify H_11 =: H_12
H_21 = h_5(G_2, K_1)           <-- h(G_2, K_2) --      H_22 = h_5(G_2, K_2)
verify H_21 =: H_22
Figure 6: AMP++ Protocol
3.5 AMPc
AMPc is a crippled version of AMP for allowing one-way authentication in a very restricted environment where Bob is allowed only one random challenge and Alice is allowed only one response to it. This protocol is inevitably vulnerable to a server impersonation attack. However, our idea is that if a server is strongly wired, AMPc may be useful for strong authentication even without encryption in two steps. For example, practically, by combining with a digital signature scheme, AMPc can be a complete protocol like AMP in only two steps. We define a signature function S(·) and a verification function V(·) for AMPc. We assume Alice has a certificate of Bob, but it can be sent to Alice in step 1. The protocol setup is the same as that of AMP. We set ϖ = ye + mod q where = h_1(id, ).
Note that the cases x ∈ {0,1}^∞, y ∈ {0,1}^∞, G_1 ∈ {0,1}^∞, G_2 ∈ {0,1}^∞, ∈ {0,1}^∞, and their small subgroup confinements must be avoided for a security reason.
Protocol Run.
Alice(id, )                                        Bob(id, )
                                                   x ∈_R Z_q^*
                                                   G_1 = g^x
verify D(S_1)                  <-- G_1, S_1 --     S_1 = S(G_1)
y ∈_R Z_q^*
G_2 = g^y
e = h_2(G_1, G_2, id, Alice, Bob)
= h_1(id, )
ϖ = ye + mod q
= (G_1)^ϖ
H_1 = h_3( )                   -- id, G_2, H_1 --> e = h_2(G_1, G_2, id, Alice, Bob)
                                                   fetch (id, )
                                                   = (G_2)^{xe} ^{(ς+ )x}
                                                   H_2 = h_3( )
                                                   verify H_1 =: H_2
Figure 7: AMPc Protocol with Digital Signature
The above protocol is an implicit salt version of AMPc, but it is easy to get a symmetric setup version by removing e where a server stores or . Of course, an explicit salt version must need one more step for exchanging the assigned salt. AMPc with a digital signature scheme must be useful for secure web login by assuming Alice is a signed active program such as a signed Java Applet. Suppose that Alice is a signed Java Applet that can be downloaded from a web server Bob; the signed applet is being widely used for preventing a hostile applet. Then, our simple idea is embedding an uncertified signature-verification key (a public key) of Bob into Alice, because Alice is an active program signed by a certificate authority. That is, we don't need to verify Bob's verification key additionally. Otherwise, we can remove the digital signature of G_1 by simply embedding g^c in the signed Java Applet, where c is a private key of the server.
4 Analysis and Comparison
4.1 Security of AMP
Appendix A (Lemma 1,2 and Theorem 2) may be helpful for security discussion.
1. AMP provides perfect forward secrecy via the Die-Hellman problem and the discrete
logarithm problem (Lemma 2-2). That is, even if (or ) is compromised, Eve cannot
nd old session keys because she is not able to solve the hard problems.
2. The Denning-Sacco attack is the case in which Eve, who has compromised an old session key, attempts to find  or to make the oracle accept her[11]. For this purpose, Eve has to solve the discrete logarithm problem even if $g^{(x+e)y}$ (= = ) is compromised. It is also infeasible to check the difference between $e$ and  in $g^{(x+e)y}$ and $g^{(x+\;)y}$ without solving the discrete logarithm of $g^x$. Therefore, AMP is secure against this attack (Lemma 2-1).
3. Replay attack is negligible because $G_1$ should include an ephemeral parameter of Alice, while the others, such as $G_2$, $H_1$ and $H_2$, should include ephemeral parameters of both parties of the session (Theorem 2-2,5). Finding those parameters corresponds to solving the discrete logarithm problem, and each parameter is bounded by $2^{-l(k)} < 2^{-k}$. Therefore, both active replay and succeeding verification are negligible.
4. Small subgroup confinement is defeated and avoided by confining to the large prime-order subgroup. An intentional small subgroup confinement can be detected easily.
5. On-line guessing attack is detectable, and the following off-line analysis can be frustrated even if Eve attempts to disguise parties (Lemma 1, Theorem 2). Actually, Eve is able to perform the on-line attack on either party, but its failure is countable. Impersonation of a party or a man-in-the-middle attack is also infeasible without knowing  or .
6. Off-line guessing attack is also infeasible because Eve cannot disintegrate $G_2$ (Lemma 1, Theorem 2). Partition attack is to reduce the set of passwords logarithmically by asking the oracle in parallel with off-line analysis, while chosen exponent attack is to analyze it via her chosen exponent. Both attacks are infeasible because Eve cannot solve or reduce $y' = (x + \,')y(x + \,)^{-1} \bmod q$ for guessed passwords without knowing both $x$ and $y$.
7. Security against password-file compromise is the basic property of the AMP family except AMPn, which has a naked assumption (Lemma 1-2). Additionally, AMP, AMP+, AMP++, and AMPc provide stronger security against the password file compromise by using & without degrading the performance notably; they make such an attack much more difficult. That is, the password file compromise does not allow dictionary attacks and server impersonations. Even if & is compromised, a dictionary attack is still necessary to impersonate a client.
4.2 Efficiency and Constraints
Efficiency. We examine the efficiency of AMP and compare it with other related protocols.
1. In terms of communication load, AMP has only four protocol steps, and the number of large message blocks is only two in AMP: $G_1$ and $G_2$. For AMP++, the size of $G_0$ can be bounded by $l(k) + \;$ with negligible  when we use a secure prime.
2. The total execution time can be approximated by the number of modular exponentiations, considering the parallel execution of both parties. We describe it as $E(\text{Alice} : \text{Bob})$. Note that AMP intrinsically has only $3E$, except that AMP++ has $4E$ with explicit salt. AMP has $E(g^x : ?)$, $E(? : (G_1)^y(\&+\;)^y)$ and $E(G_2^{\varpi} : G_1^y g^{ey})$, while all variants have similar operations. Here '?' means no modular exponentiation, only operations such as $O((\log n)^3)$. Note that AMP operations benefit from the simultaneous multiple exponentiation method for efficiency[35, 28]. For $g_1^{e_1} g_2^{e_2}$, we do not need to compute $g_1^{e_1}$ and $g_2^{e_2}$ separately. A simple description of the simultaneous method is as follows:
  (a) t = length(e);                  // length of exponent: floor(log q) + 1
  (b) gx = g1 g2 mod p;               // precomputation
  (c) set() { G[0]=1; G[1]=g1; G[2]=g2; G[3]=gx; }
  (d) A = 1;
  (e) set() { for(i=1;i<=t;i++) { Bi = ExponentArray(i); } }
  (f) for(i=1;i<=t;i++) { A = A*A mod p; A = A*G[Bi] mod p; }
  (g) return(A);
Note that $g_1^{e_1} g_2^{e_2}$ needs 16% and $g_1^{e_1} g_2^{e_2} g_3^{e_3}$ needs 25% more multi-precision multiplications than $g_1^{e_1}$ does on average[35, 28].
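As an added, self-contained illustration of the simultaneous method sketched above (this is not the paper's code): it fills the table G[b] for any number of bases, scans the exponent bits jointly, counts modular multiplications, and derives and measures the 16% and 25% averages quoted for two and three bases. The modulus, bases and exponents used in the demonstration are constructed values.

```python
# Added illustration (not from the paper): simultaneous multiple exponentiation
# for g1^e1 * g2^e2 * ... mod p, with a multiplication counter that reproduces
# the "16% / 25% more multiplications than a single exponentiation" figures.
import random


def precompute_table(bases, p):
    """G[b] = product of bases[i] over the bits i set in b; G[0] = 1.
    For two bases this is the paper's {1, g1, g2, g1*g2} table."""
    n = len(bases)
    table = [1] * (1 << n)
    for b in range(1, 1 << n):
        low = b & -b                      # lowest set bit of b
        i = low.bit_length() - 1          # index of the base it selects
        table[b] = table[b ^ low] * bases[i] % p
    return table


def simultaneous_exp(bases, exps, p):
    """Compute prod(bases[i] ** exps[i]) mod p by scanning all exponents
    bit by bit from the most significant bit: one squaring per bit plus one
    table-lookup multiplication when the current bit column is non-zero.
    Returns (result, modular_multiplications); the count includes the
    table precomputation, every squaring and every non-trivial multiply."""
    assert len(bases) == len(exps) > 0
    n = len(bases)
    table = precompute_table(bases, p)
    muls = (1 << n) - n - 1               # products spent filling the table
    t = max(e.bit_length() for e in exps) # length of the longest exponent
    acc = 1
    for bit in range(t - 1, -1, -1):
        acc = acc * acc % p
        muls += 1
        # Column B_i of the paper: the current bit of every exponent, packed
        column = 0
        for i, e in enumerate(exps):
            if (e >> bit) & 1:
                column |= 1 << i
        if column:                        # G[0] = 1 needs no multiply
            acc = acc * table[column] % p
            muls += 1
    return acc, muls


def single_exp_cost(e):
    """Multiplications of plain left-to-right square-and-multiply for one
    exponent e: one squaring per bit and one multiply per set bit."""
    return e.bit_length() + bin(e).count("1")


def expected_overhead(n):
    """Average cost ratio of an n-base simultaneous exponentiation to a single
    exponentiation on equally long random exponents, ignoring the constant
    table setup: (t + t*(1 - 2**-n)) / (t + t/2)."""
    return (2 - 2.0 ** -n) / 1.5


def measured_overhead(n, bits, trials, seed=0):
    """Monte Carlo estimate of expected_overhead(n) using constructed random
    bases and bits-long exponents modulo the Mersenne prime 2^127 - 1."""
    rng = random.Random(seed)
    p = 2 ** 127 - 1
    simul = single = 0
    for _ in range(trials):
        bases = [rng.randrange(2, p - 1) for _ in range(n)]
        exps = [rng.getrandbits(bits) | (1 << (bits - 1)) for _ in range(n)]
        _, m = simultaneous_exp(bases, exps, p)
        simul += m
        single += single_exp_cost(exps[0])
    return simul / single


if __name__ == "__main__":
    p = 2 ** 127 - 1
    r, m = simultaneous_exp([3, 5], [12345, 67890], p)
    assert r == pow(3, 12345, p) * pow(5, 67890, p) % p
    print("two-base product ok, multiplications:", m)
    print("expected overhead n=2: %.3f, n=3: %.3f"
          % (expected_overhead(2), expected_overhead(3)))
    print("measured overhead n=2: %.3f" % measured_overhead(2, 160, 200))
```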
3. Each party of AMP performs only two exponentiations, respectively, given the efficiency of the simultaneous multiple exponentiation. This is the same as the number in the Diffie-Hellman scheme, though AMP needs more operations for the larger base, the $Z_q$ operation or the simultaneous exponentiation.
4. For run-time parameters, each party generates only one random number, respectively, in the AMP family except for AMP++. Alice can reduce her run-time exponentiations to only one and her parallel exponentiations to only two by pre-computation of $g^x$. AMP++ needs Alice to generate two random numbers.
5. In step 3, Alice should compute $(x + \;)^{-1}$, but only in the $q$-order subgroup. Modular inversion, $O((\log q)^2)$, is much less expensive than modular exponentiation, $O((\log p)^3)$. Moreover, the size of $q$ can be bounded by only $l(k) + \;$ with negligible  by virtue of a secure prime. Note that $O(\log l(k)) \ll O(\log p)$. Therefore, it is quite negligible when we consider modular exponentiation.
Protocol   Steps            Large    Exponentiations             Random Numbers
                            Blocks   Client  Server  Parallel    Client  Server
A-EKE      7 (+4)           3 (+1)   4 (+2)  4 (+2)  6 (+3)      1 (+0)  1 (+0)
B-SPEKE    4 (+1)           3 (+1)   3 (+1)  4 (+2)  6 (+3)      1 (+0)  2 (+1)
SRP        4 (+1)           2 (+0)   3 (+1)  3 (+1)  4 (+1)      1 (+0)  1 (+0)
GXY        4 (+1)           2 (+0)   4 (+2)  3 (+1)  5 (+2)      1 (+0)  1 (+0)
SNAPI-X    5 (+2)           5 (+3)   5 (+3)  4 (+2)  7 (+4)      2 (+1)  3 (+2)
AuthA      5 (+2) / 3 (+0)  2 (+0)   4 (+2)  3 (+1)  6 (+3)      1 (+0)  1 (+0)
PAK-X      5 (+2) / 3 (+0)  3 (+1)   4 (+2)  4 (+2)  8 (+5)      1 (+0)  2 (+1)
AMP        4 (+1)           2 (+0)   2 (+0)  2 (+0)  3 (+0)      1 (+0)  1 (+0)
Table 1: Comparisons of Verifier-based Protocols
6. AMP uses the main group operation, so it is easy to generalize to any cyclic group. Therefore, AMP can be easily implemented on the elliptic curve group. A generalization on such a group must be very useful for further efficiency of space and speed, though there may be patent restrictions on elliptic curve algorithms.
Efficiency can be compared to the other related protocols such as A-EKE, B-SPEKE, SRP, GXY, SNAPI-X, AuthA and PAK-X[8, 19, 39, 22, 27, 6, 10]. Table 1 compares them with regard to several factors such as the number of protocol steps, large message blocks, and exponentiations. Note that the number of exponentiations of AMP is approximated; actually it is 2.32 for a server and 3.32 for parallel on average. Note that AuthA and PAK-X have five steps with explicit salt and three steps with implicit salt. We consider five as their number of steps because the other protocols are the cases that use explicit salt. The use of explicit salt does not affect any other parameter of AuthA and PAK-X except the number of steps. The number of random numbers is given as a subsidiary reference. The number of parallel exponentiations approximately compares the amount of protocol execution time. The value in parentheses is the difference from the most efficient one, i.e., the entry marked (+0). Note that AMP provides stronger security against the password file compromise compared to all the others in Table 1.
Constraints. AMP prefers $g$ to be a generator of the large ($> l(k)$) prime-order subgroup $Z_q$ for defeating and avoiding small subgroup confinement effectively by confining exponentials into the large prime-order subgroup[30]. A secure prime modulus is highly recommended for easy detection of an intentional small subgroup confinement and great efficiency of the protocols, though a safe prime modulus is also favorable. Note that the secure prime is easier to get than the safe prime[24]. A compromise of  does not allow a guessing attack and a server impersonation without additional compromise of &, which can be loaded into memory from secure storage like a smart card. As a strong verifier-based protocol, AMP needs an additional guessing attack complexity for a client impersonation even if  and & are all compromised. AMP needs both parties to count the other side's on-line failures to detect the on-line guessing attack. However, this is a shared requirement of all password protocols.
Figure 8. Graphical Representation of Table 1 (a bar chart with 'The Number of Each Item' on the vertical axis from 0 to 10, of steps, blocks, exp(c), exp(s), exp(p), rng(c) and rng(s) for A-EKE, B-SPEKE, SRP, GXY, SNAPI-X, AuthA, PAK-X and AMP; the chart itself is not reproduced here)
4.3 Why AMP
Figure 8 presents Table 1 graphically, so that we can see AMP has the best performance.
1. AMP is a secure password(-verifier) based protocol on the basis of the amplified password proof and the amplified password file, and its security is provable in the random oracle model.
2. AMP is the most efficient protocol among the existing verifier-based protocols; AMP provides the best efficiency even with the amplified password file.
3. AMP has light constraints and is easy to generalize, e.g., to elliptic curve groups for further efficiency.
4. AMP has several variants for various functional considerations.
5. AMP truly allows the Diffie-Hellman based key agreement.
6. AMP has a simple structure, so the protocol is easy to understand and implement.
7. AMP is favorable for upgrading an existing system; AMP accommodates any kind of salt scheme without notable degradation of performance.
5 Conclusion
In this paper, we introduced a new protocol, AMP, for password authentication and key agreement, following the various notable predecessors. AMP has been designed on the basis of the amplified password proof and the amplified password file ideas. The advantages are summarized in section 4.3. We are considering several applications such as A-Updates (A-Telnet, A-FTP, A-RADIUS, A-CHAP, etc.), A-Web Login, AA-Gate, and Networked Smart Card. Internet business and commercial services are growing rapidly, while personal privacy and security concerns lag behind those activities. Authentication is undoubtedly very important. Though hardware-dependent authentication methods are growing steadily, the pure password authentication scheme is still reasonable in a distributed environment, and the public-key based cryptographic protocol is the best solution for improving its security. We should note that only the password authentication method can truly authenticate the human mind over the network. For example, a private key is not memorable for human users even in the public key infrastructure, so we need hardware storage. We might keep using passwords over the Internet and in mobile environments even with hardware-supported authentication schemes such as smart cards or biometric methods. The appendices include the proof story and the genealogy of password protocols.
Acknowledgment The author thanks Doug Tygar, David Wagner, David Jablon, Radia
Perlman and Li Gong for their helpful comments and kind suggestions on this work.
References
[1] R. Anderson and T. Lomas, "Fortifying key negotiation schemes with poorly chosen passwords," Electronics Letters, vol. 30, no. 13, pp. 1040-1041, 1994.
[2] R. Anderson and S. Vaudenay, "Minding your p's and q's," Asiacrypt '96, LNCS, 1996.
[3] M. Bellare and P. Rogaway, "Entity authentication and key distribution," Crypto '93, LNCS 773, 1993.
[4] M. Bellare, R. Canetti, and H. Krawczyk, "A modular approach to the design and analysis of authentication and key exchange protocols," STOC '98, pp. 419-428, 1998.
[5] M. Bellare, D. Pointcheval and P. Rogaway, "Authenticated key exchange secure against dictionary attack," Eurocrypt 2000.
[6] M. Bellare and P. Rogaway, "The AuthA protocol for password-based authenticated key exchange," available from http://grouper.ieee.org/groups/1363/StudyGroup/submissions.html#autha
[7] S. Bellovin and M. Merritt, "Encrypted key exchange: password-based protocols secure against dictionary attacks," Proc. IEEE Comp. Society Symp. on Research in Security and Privacy, pp. 72-84, 1992.
[8] S. Bellovin and M. Merritt, "Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password-file compromise," Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 244-250, 1993.
[9] M. Boyarsky, "Public-key cryptography and password protocols: the multi-user case," ACM Conference on Computer and Communication Security, 1999.
[10] V. Boyko, P. MacKenzie and S. Patel, "Provably secure password authenticated key exchange using Diffie-Hellman," Eurocrypt 2000.
[11] D. Denning and G. Sacco, "Timestamps in key distribution protocols," Commun. ACM, vol. 24, no. 8, pp. 533-536, 1981.
[12] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976.
[13] Y. Ding and P. Horster, "Undetectable on-line password guessing attacks," ACM Operating Sys. Review, vol. 29, no. 4, pp. 77-86, Oct. 1995.
[14] T. ElGamal, "A public-key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Information Theory, vol. IT-31, no. 4, pp. 469-472, 1985.
[15] L. Gong, M. Lomas, R. Needham, and J. Saltzer, "Protecting poorly chosen secrets from guessing attacks," IEEE Journal on SAC, vol. 11, no. 5, pp. 648-656, June 1993.
[16] L. Gong, "Optimal authentication protocols resistant to password guessing attacks," IEEE Comp. Security Foundation Workshop, pp. 24-29, June 1995.
[17] S. Halevi and H. Krawczyk, "Public-key cryptography and password protocols," The 5th ACM Conference on Computer and Communications Security, 1998.
[18] D. Jablon, "Strong password-only authenticated key exchange," ACM Comp. Comm. Review, vol. 26, no. 5, pp. 5-26, 1996.
[19] D. Jablon, "Extended password key exchange protocols," WETICE Workshop on Enterprise Security, 1997.
[20] D. Jablon, personal communication, May 2000.
[21] T. Kwon and J. Song, "Efficient key exchange and authentication protocols protecting weak secrets," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E81-A, no. 1, pp. 156-163, January 1998.
[22] T. Kwon and J. Song, "Secure agreement scheme for g^{xy} via password authentication," Electronics Letters, vol. 35, no. 11, pp. 892-893, 27th May 1999.
[23] T. Kwon, "Ultimate solution to authentication via memorable password," Contribution to the IEEE P1363 study group for Future PKC Standards, available from http://grouper.ieee.org/groups/1363/StudyGroup/Passwd.html#amp
[24] C. Lim and P. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup," Crypto '97, pp. 249-263, 1997.
[25] M. Lomas, L. Gong, J. Saltzer, and R. Needham, "Reducing risks from poorly chosen keys," ACM Symposium on Operating System Principles, pp. 14-18, 1989.
[26] S. Lucks, "Open key exchange: how to defeat dictionary attacks without encrypting public keys," The Security Protocol Workshop '97, April 7-9, 1997.
[27] P. MacKenzie and R. Swaminathan, "Secure network authentication with password identification," presented to IEEE P1363a, August 1999.
[28] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
[29] K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem," Eurocrypt '94, pp. 182-193, 1994.
[30] P. van Oorschot and M. Wiener, "On Diffie-Hellman key agreement with short exponents," Eurocrypt '96, pp. 332-343, 1996.
[31] S. Patel, "Number theoretic attacks on secure password schemes," IEEE Symposium on Security and Privacy, 1997.
[32] S. Pohlig and M. Hellman, "An improved algorithm for computing logarithms over GF(p) and its cryptographic significance," IEEE Transactions on Information Theory, vol. 24, no. 1, pp. 106-110, 1978.
[33] J. Pollard, "Monte Carlo methods for index computation mod p," Mathematics of Computation, vol. 32, pp. 918-924, 1978.
[34] M. Roe, B. Christianson, and D. Wheeler, "Secure sessions from weak secrets," technical report, University of Cambridge and University of Hertfordshire, 1998.
[35] C. P. Schnorr, "Efficient identification and signatures for smart cards," Crypto '89, LNCS, pp. 239-251, 1989.
[36] M. Steiner, G. Tsudik, and M. Waidner, "Refinement and extension of encrypted key exchange," ACM Operating Sys. Review, vol. 29, no. 3, pp. 22-30, 1995.
[37] G. Tsudik and E. van Herreweghen, "Some remarks on protecting weak keys and poorly-chosen secrets from guessing attacks," Proc. 6th IEEE Comp. Security Foundation Workshop, pp. 136-142, 1993.
[38] V. Voydock and S. Kent, "Security mechanisms in high-level network protocols," Computing Surveys, vol. 15, no. 2, pp. 135-171, June 1983.
[39] T. Wu, "Secure remote password protocol," Internet Society Symposium on Network and Distributed System Security, 1998.
A AMP Proof Story
A.1 A Communication Model
We assume all communication among interacting parties is under the adversary's control[3].
The Protocol. The protocol can be formally specified by an efficiently computable function for two players; set $I \in \{A, B\}$ for Alice and Bob. Eve is not included in the players[3].
Definition 8 Our protocol is a set of functions $\;_I(1^k, \;, \;, r) = (m, \;, \;)$ for $I$. $1^k$ is the security parameter, $k \in \mathbb{N}$. $\; \in \{0,1\}^*$ is the secret information of the sender. $\; \in \{0,1\}^*$ is the conversation so far. $r \in \{0,1\}^{\infty}$ is the random coin flips of the sender. $m \in \{0,1\}^* \cup \{\;\}$ is the next message for a reply. $\; \in \{Accept, Reject, \;\}$ is the decision. $\; \in \{0,1\}^* \cup \{\;\}$ is the agreed session key. For example, $\;^s_A$ indicates that Alice computes on Bob's message and gives an output in session $s$. Each party is formally modeled by an infinite collection of oracles, $\;^i_A$ and $\;^j_B$, where $i, j \in \mathbb{N}$ indicate the instances. Thus Eve can call the oracles $\;^i_A$ and $\;^j_B$ and attempt to obtain the desired information.
The Long-lived Weak-key Generator. A long-lived weak-key (LW-key) generator is $W(1^{\omega(k)}, \;, r_G)$, where $\; \in I \cup \{E\}$ and $r_G \in \{0,1,*\}^{\infty}$. Note that the LW-key may have a length of $k$, but its entropy is totally different (see footnote 2). When we assume the strong-key length is only $k$, i.e., our security parameter, the parameter $\omega(k)$ means the low entropy of the LW-key. Brute-forcing $2^{\omega(k)}$ values is feasible, whereas $k$ is large enough against brute-forcing $2^k$ values (hence $2^{\omega(k)} \ll 2^k$). The point of the LW-key is that the adversary is denied it by the generator, as in the long-lived key case[3], but it is acceptable with probability $2^{-\omega(k)}$. Our model agrees on $W(1^{\omega(k)}, A, r_G) = \;$, $W(1^{\omega(k)}, B, r_G) = \;$, and $W(1^{\omega(k)}, E, r_G) = \;$.
2 Actually the LW-key, i.e., the password, is chosen by a human user through a restricted input device.
The Adversary. The adversary Eve is represented as a probabilistic machine $E(1^k, \;_E, r_E)$ equipped with an infinite collection of oracles $\;^s_I$ for $i \in I$ and $s \in \mathbb{N}$[3]. Let $\Pr[\,] \le 2^{-k}$ be a negligible probability for our security parameter $k$. Eve is allowed to do everything she wants except solving the discrete logarithm problem and the Diffie-Hellman problem, and she finds out a hidden value only with negligible probability. Therefore, we can say $\{\Pr[\text{Discrete-Log}_E(k)], \Pr[\text{Diffie-Hellman}_E(k)]\} < 2^{-k}$, where Discrete-Log$_E(k)$ and Diffie-Hellman$_E(k)$ are such events. When the adversary is deterministic and restricts its action to faithfully conveying each flow among oracles, i.e., matching conversations, she is called a benign adversary[3]. Let No-Matching$_E(k)$ be the event that $\;^s_i$ is accepted and there is no oracle $\;^t_j$ that engaged in a matching conversation. Eve communicates with the oracles via queries of the form $Q(i, s, n)$: Eve sends message $n$ to the oracle of $i$. There are some special queries for the adversary, such as $Q(i, s, guess)$ for searching at most a $2^{\omega(k)}$ space with the LW-key generator, and $Q(i, s, compromise)$ for compromising a verifier. Note that a compromise query converts $s$ to a compromised session for handling a password file compromise[8]. Also note that the number of failures of the query $Q(i, s, guess)$ asked to fresh oracles is counted globally. We define that counter as $C_i$ for $i \in I$. If $\;^s_i$ has accepted, Eve is able to send other special queries: $Q(i, s, reveal)$ for compromising a session key, $Q(i, s, corrupt)$ for compromising a password, and $Q(i, s, test)$ for measuring adversarial success. Note that a corrupt query converts $s$ to a corrupted session for handling perfect forward secrecy[18], while a reveal query converts $s$ to a revealed session for handling a known-key attack (Denning-Sacco attack)[11].
The Sessions. Depending on the ability of the adversary, we can classify the sessions to consider as follows. There are FreshSession and UnfreshSession. They can be converted to SucceededSession or FailedSession. SucceededSession can be divided into MatchedSession and No-matchedSession. Each session could allow the adversary to have some valid information before running or examining those sessions. FreshSession can be divided into PureFreshSession, in which valid information is never provided, and CompromisedButFreshSession, where the verifier is provided. UnfreshSession can be divided into RevealedSession, which provides $g^{(x+e)y}$ or $K$, and CorruptedSession, which provides . CompromisedUnfreshSession is negligible because off-line guessing attacks on  are inevitable in every protocol. The adversary is allowed to use all of these sessions for achieving her goals.
Running The Protocol. Running a protocol  (with the LW-key generator $W$) in the presence of Eve and $k$ means performing the following experiment in a given session: Choose a string $r_G \in_R \{0,1\}^{\infty}$ and $\;_i = W(1^k, i, r_G)$ for $i \in I$, and set $\;_E = W(1^k, E, r_G)$. Choose a string $r_i^s \in_R \{0,1\}^{\infty}$ for $i \in I$ and $s \in \mathbb{N}$, and a string $r_E \in_R \{0,1\}^{\infty}$. Let $\;^s_i = \;$ for all $i \in I$ and $s \in \mathbb{N}$. Run the adversary $E(1^k, \;_E, r_E)$, answering oracle calls as follows. When $E$ asks a query $Q(i, s, n)$, oracle $\;^s_i$ answers with $(m, \;)$ by computing $(m, \;, \;) = \;_I(1^k, \;, \;^s_i.n, r_i^s)$, and sets $\;^s_i = \;^s_i.n$. The adversary chooses an oracle $\;^s_i$ and asks what she wants.
Security Definition. The following definition is derived from the work of Bellare and Rogaway[3] and the following work of Stefan Lucks[26].
Definition 9 Protocol  is a secure authenticated key exchange with a LW-key generator $W(\cdot)$ if the following statements are true:
1. If two oracles have matching conversations, then both oracles accept and agree on the identical key.
2. If the oracles accept and agree on the same key, then the probability of no-matching is negligible.
3. If Eve is benign, her probability of success is negligible.
4. If Eve has been rejected $R$ times, the possible set of  decreases linearly, to $2^{\omega(k)} - R$.
5. If Eve has been rejected $R (< 2^{\omega(k)} - 1)$ times but finally remains benign, her probability of success is still negligible.
A.2 Security Examination
Note that we omit & for convenience in this section. We show the security of our protocol by inducing that the probability of success for the adversary is negligible. Our most favorite tools are, of course, Discrete-Log$_E(k)$ and Diffie-Hellman$_E(k)$.
Lemma 1 The probability of success is negligible for forging $G_1$ or $G_2$ in FreshSession of AMP.
Proof Sketch: The adversary Eve is allowed to ask $Q(i, s, G_1)$ or $Q(i, s, G_2)$ for FreshSession.
1. Let Eve choose $x \in_R Z_q$ and ask $Q(B, s, g^x)$ in PureFreshSession. Then B responds with $G_2 = g^{(x+\;)y}$. Eve could find $\;' = g^{y'(x+e)}$ by computing $G_2^{(x+\;')^{-1}(x+e)}$ and asking $Q(B, s, guess)$ with $\;' \in_R \{0,1\}^{\omega(k)}$. However, she cannot verify $\;' \stackrel{?}{=} \;$, i.e., $g^{y'(x+e)} \stackrel{?}{=} g^{(x+e)y}$, without submitting $H_1'$ ahead of $H_2$. The probability of successful submission is $2^{-\omega(k)}$. $C_B$ must count up the number of failures so that her attack can be detected easily in only $R$ trials, where $R$ is very small such that $R \ll 2^{\omega(k)}/2$.
2. Let Eve choose $x \in_R Z_q$ and ask $Q(B, s, \;x\;)$ in CompromisedButFreshSession. Note that guessing attacks on  are not a concern in CompromisedButFreshSession. Then B responds with $G_2 = g^{(x+1)y}$. Eve could find $g^y$ simply by $G_2^{(x+1)^{-1}}$. However, as long as she is not given , she cannot compose $g^{(x+e)y}$ without finding $y$. Finding $y$ is bounded by $\Pr[\text{Discrete-Log}_E(k)]$, so it is negligible.
3. Let Eve choose $c \in_R Z_q$ and ask $Q(A, s, g^c)$, where she is given $G_1$ in PureFreshSession. Then A responds with $H_1$ by getting $\; = (G_2')^{(x+\;)^{-1}(x+e)}$. We can rewrite $c = (x + \;')y' \bmod q$, where $\;'$ and $y'$ are variables. Eve must find $y'$ such that $y' \equiv c(x+\;')^{-1} \pmod q$ for getting $\;' = (G_1 g^e)^{y'}$ and verifying $\; \stackrel{?}{=} \;'$. For the computation of $y'$, it is necessary to know $x$ of $G_1$. However, getting $x$ from $G_1$ is bounded by $\Pr[\text{Discrete-Log}_E(k)]$, so it is negligible.
4. Let Eve choose $y \in_R Z_q$ and $\;' \in_R \{0,1\}^{\omega(k)}$, and ask $Q(A, s, G_2')$, where she is given $G_1$ in PureFreshSession and $G_2' = (G_1 g^{\;'})^y$. Then A responds with $H_1$ by computing $\; = (G_2')^{(x+\;)^{-1}(x+e)}$, but note that $\; = (g^{(x+\;')y})^{(x+\;)^{-1}(x+e)}$, i.e., $\; = g^{y'(x+e)}$ rather than $g^{y(x+e)}$, where $y' \equiv (x+\;')y(x+\;)^{-1} \pmod q$. Finding $y'$ or  is the only way for Eve to be accepted by the oracle.
(a) $x$ chosen by A, $x \in_R \{0,1\}^{>l(k)}$, is not given to Eve. We can say that $\; = \;'$ if and only if $y' \equiv y \pmod q$. It corresponds to the on-line attack. (i) Let Eve attempt to verify $\; \stackrel{?}{=} \;'$. However, $\;'$ is rather a constant, because she defined it before receiving $H_1$ from A. Eve cannot replace $\;'$ for further verification without retrying it on line. The probability of $\; = \;'$ is $2^{-\omega(k)}$, an extremely low probability for on-line success. Due to the maximum count of on-line failures, $C_A = R$, she must be denied by the oracle before trying $2^{\omega(k)} - R$ more guesses. The probability of $\; \ne \;'$ is very high, such that $\Pr[\,] \ge 1 - \frac{1}{2^{\omega(k)} - R}$. Therefore, we can say hereafter that $\;'$ is a constant such that $\; \ne \;'$ in this case. (ii) Let Eve attempt to find $y'$, but she has to know $x$ for attempting the equation $y' \equiv (x+\;')y(x+\;)^{-1} \pmod q$. Finding $x$ from $G_1$ is bounded by $\Pr[\text{Discrete-Log}_E(k)]$, so it is negligible. Even if Eve computes $\;' = (G_1 g^e)^y = g^{(x+e)y}$, it is clear that $\; \ne \;'$ when $\; \ne \;'$. Thus, the probability of finding $y'$ is $\Pr[\,] < 2^{-k}$.
(b) Let Eve guess $\;'' \in_R \{0,1\}^{\omega(k)}$ and compute $\;'' = G_2'' g^{-\;''y} = g^{(x+e+\;')y - \;''y}$ for verifying $\;'' \stackrel{?}{=} \;$ with probability $2^{-\omega(k)}$, rather than attempt to replace $\;'$ with $\;''$, where $G_2'' = (G_1 g^e g^{\;'})^y$. If $\;'' = \;$ with guessed $\;''$, she can be convinced that $\; = \;''$. Thus, if the equation $(x+\;')y(x+\;)^{-1}(x+e) \equiv (x+e)y + \;'y - \;''y \pmod q$ holds, then she can find  with probability $2^{-\omega(k)}$, regardless of $x$ and $\;'$. Otherwise, she has to find $x$ first. We can rewrite it, cancelling the common factors $y$ and $(x+e)$, as $(x+\;')(x+\;)^{-1} \equiv 1 + \;'x^{-1} - \;''x^{-1} \pmod q$. We can transpose $(x+\;)^{-1}$ so that $(x+\;') \equiv (x+\;) + (x+\;)\;'x^{-1} - (x+\;)\;''x^{-1} \equiv x + \; + \;' + \;\;'x^{-1} - \;'' - \;\;''x^{-1} \equiv (x+\;') + (\; - \;'') + \;(\;' - \;'')x^{-1} \pmod q$. Then we can transpose $(x+\;')$ so that $0 \equiv (\; - \;'') + \;(\;' - \;'')x^{-1} \pmod q$. Therefore, the equality $\; = \;' = \;''$ (due to $\; = \;''$ and $\;' = \;''$) is the mandatory requirement of this modular equation. However, the probability of success is negligible because $\; \ne \;'$ with very high probability, as mentioned above in (a). Therefore, Eve must find $x$ for getting . The probability of verifying $\;'' \stackrel{?}{=} \;$ is $\Pr[\,] < 2^{-k}$.
After all, the probability of success is negligible for forged queries in FreshSession.
Theorem 2 AMP is a secure authenticated key exchange protocol with $W(\cdot)$.
Proof Sketch: We deal with each condition of Definition 9.
1. Completeness of the protocol in MatchedSession is already shown in Figure 1.
2. The final acceptance means both $H_1$ and $H_2$ are successfully verified. Therefore, we have to scrutinize whether it is possible in No-matchedSession. If it is not, we may have $\Pr[\text{No-Matching}_E(k)] \le 2^{-k}$.
(a) The birthday paradox is negligible due to the nature of the random oracle, $h_i(\cdot): \{0,1\}^* \to \{0,1\}^{l(k)}$; the probability is $2^{-l(k)} \le 2^{-k}$.
(b) Due to item (a), the correct value $K (= K_1 = K_2)$ is mandatory for the acceptance even in No-matchedSession. For finding $K$, Eve must obtain  or  due to the one-way property of random oracles. i) The probability of guessing $g^{(x+e)y}$ (= = ) in PureFreshSession is $\Pr[\,] < 2^{-k}$. ii) Rewrite  and  with $G_1 = g^{\log G_1}$ and $G_2 = (G_1\;)^{(\log G_1 + \;)^{-1} \log G_2}$, i.e., $\; = (G_2)^{(\log G_1 + \;)^{-1}(\log G_1 + e)} = (G_1 g^e)^{(\log G_1 + \;)^{-1} \log G_2} = \;$. For $G_1$ there is nothing ahead, but for $G_2$ we need $G_1$. Note that $(G_1, G_2) \to e$. Thus, we can easily find the flows $(G_1 \to G_2 \to e \to \;)$ and $(G_1 \to G_2 \to e \to \;)$. Without such flows, the exponents of $G_1$ and $G_2$ must be analyzed, but the probability is $\Pr[\,] \le 2^{-l(k)}$ even with a forged attempt, by Lemma 1.
After all, we have $\Pr[\text{No-Matching}_E(k)] \le 2^{-k}$, so it is infeasible in No-matchedSession.
3. When Eve is benign, all she receives from the oracle are $\{id, \;, G_1, G_2, H_1, H_2\}$ for every session, where their internal values $x$ and $y$ are independent random values from $\{0,1\}^{>l(k)}$. Therefore, $g^x$, $g^y$, and their composition on the cyclic group must be well distributed on the group. We assume the uniform distribution. Since $W(E) = \;$ and $G_2 = (G_1 g^{\;})^y$, the probability of finding $g^{y'}$ by guessing $\;'$ in $G_1$ and $G_2$ is less than $2^{-(\omega(k)+l(k))}$. For verifying the guess of $\;'$, Eve must find  or  for asking the random oracle. However, finding $g^{(x+e)y}$ over $g^x$ and $g^{(x+\;)y}$ without  must be bounded by $\Pr[\text{Diffie-Hellman}_E(k)]$, so it is negligible. Therefore, the probability of success for benign Eve is $\Pr[\,] < 2^{-k}$.
4. Since $G_1$ and $G_2$ remain on the cyclic group under uniform distribution, there is no way to find the relationship between the rejected guesses and the remaining guesses. Other possibilities are all negligible by Lemma 1. If Eve is rejected, she must reduce the set by one, to $2^{\omega(k)} - 1$, and try again with another guess. That is, the set is reduced linearly. Therefore, the success probability of her on-line guess is only $\Pr[\,] \le \frac{1}{2^{\omega(k)} - R - c}$ for very small $c (\ge 0)$. She must be denied by the oracle in only $R$ trials by Lemma 1.
5. Assume all $C_i$s are set off and Eve has been rejected with different guesses $2^{\omega(k)} - 2$ times by the oracle; then she could have a Bernoulli trial on the two remaining guesses: if one is rejected then the other is the one, and vice versa. However, assume Eve does not participate in FreshSession any more but is only benign in FreshSession. Then she is only able to analyze all rejected messages and newly eavesdropped messages, equipped with a Bernoulli trial on the guess. For actual participation, the probability was less than $2^{-k}$ by Lemma 1. For her analysis, the probability is $2^{-(l(k)+1)} (< 2^{-k})$ by item 3 of this proof. Hence, the probability of success for partially benign Eve is negligible. That means if Eve attempts off-line analysis even with a small dictionary, she does not have any advantage without knowing $x$ or $y$ for each message.
AMP is a secure authenticated key exchange protocol with a LW-key generator $W(\cdot)$.
Lemma 2 The adversary does not benefit from RevealedSession or CorruptedSession for achieving each goal.
Proof Sketch: Eve attempts to find  or  in RevealedSession, while she attempts to find $K$ or  (= ) in CorruptedSession. If Eve benefits from each session, the given information must produce a non-negligible probability of success or give some advantage for the query $Q(i, s, test)$.
1. Let Eve ask $Q(i, s, reveal)$. Then she is given $K$ and  (= ) in RevealedSession. Due to the one-way property of random oracles, we assume  (= ) is given. Since  (= ) is not re-usable, due to $x$ and $y$, she cannot attempt to be granted on-line. For tracking to  or , she must also be in MatchedSession. Then we say she is given $\{id, \;, e, g^x, g^{(x+\;)y}, g^{(x+e)y}, H_1, H_2\}$ with matching conversations. For verifying  and , she should make $g^{(x+\;')y}$ on the given information, but she cannot make it without finding $y$. Otherwise, she has to find $x$ for finding $g^y$ from $g^{(x+e)y}$ and making $g^{y(x+\;')}$. Both are still bounded by $\Pr[\text{Discrete-Log}_E(k)]$. It is not difficult to understand that RevealedSession is not advantageous to Eve.
2. Let Eve ask $Q(i, s, corrupt)$. Then she is given  and  in CorruptedSession. Due to the one-way property of random oracles, we assume  is given. For tracking to $K$ or  (= ), she must also be in MatchedSession. Then she is also given $\{id, \;, \;, e, g^x, g^{(x+\;)y}, H_1, H_2\}$ with matching conversations. For making $g^{(x+e)y}$, she should remove $\varpi$ from $g^{\varpi y}$ and find $y$, where $\varpi = x + \;$. Finding $\varpi$ includes $x$, so both findings must be bounded by $\Pr[\text{Discrete-Log}_E(k)]$. Even if we assume $\varpi$ is removed, the problem is still bounded by $\Pr[\text{Diffie-Hellman}_E(k)]$. It is not difficult to understand that CorruptedSession is not advantageous to Eve.
B Genealogy of Password Protocols
Figure 9. Password Authentication Protocols (footnote 3). The figure is a genealogy chart spanning 1989 to 2000; only its labels survived extraction. Entries with a legible year: 1989 LGSN [25]; 1992 EKE [7], DH-EKE [7]; 1993 TH [37], GLNS [15], A-EKE [8]; 1994 AL [1]; 1995 Gong [16], M-EKE [36]; 1996 SPEKE [18]; 1998 HK [17], S3P [34]; 1999 Boyarsky [9]. Further entries in the chart: OKE [26], A-SPEKE [19], B-SPEKE [19], KS [21], KS-II [21], SRP [39], SNAPI [27], GXY [22], SNAPI-X [27], PAK [10], AuthA [6], AMP [23], PAK-X [10].
3 The above genealogy is based on the opinion of the author. We analyzed all the protocols carefully and arranged them in the figure by considering their similarity or improvement. However, each author of the protocols could have a different opinion. At this moment, we would like to make it clear that the above genealogy is only one of good references.