【作者】 胡学先；

【导师】 刘文芬；

【作者基本信息】 解放军信息工程大学 ， 密码学， 2010， 博士

【摘要】 口令认证密钥交换(PAKE)协议使得参与通信的用户用一个低熵的口令就可以实现实体认证,并能通过不安全的信道安全地生成共享的高熵会话密钥.它们避免了一般认证密钥交换协议要求存在公钥基础设施或要求用户拥有存储长对称密钥的安全硬件等前提假设,有着较强的实用性因而受到了广泛关注.为了使PAKE协议能够抵抗离线字典攻击,达到既定的安全性目标,采用可证明安全性理论进行安全性证明是现在普遍采用的协议分析与设计方法.在协议的安全性分析模型中,标准模型是比理想模型更为自然、更为合理的一类分析模型,且能比理想模型提供更强的安全性保证.但目前关于标准模型下PAKE协议的研究工作还较为缺乏,已有协议的效率和理想模型下的协议相比还有较大的差距.本文对标准模型下PAKE协议的分析与设计进行了研究,重点研究了两方PAKE协议和三方PAKE协议的设计.分别针对不同安全性分析模型、基于不同计算困难性难题假设构造了新的安全的PAKE协议,使其在安全性和效率上比现有同类协议更具有竞争优势.主要完成了以下几方面的工作:1.对几个已有的标准模型下设计的PAKE协议进行了安全性分析.分析了文献“标准模型下可证安全的加密密钥协商协议”中提出的两方PAKE协议,给出了外部攻击者实施的假冒服务器攻击;分析了“标准模型下高效的基于口令认证密钥协商协议”中提出的两方PAKE协议,给出了对协议主动攻击的外部攻击者实施的离线字典攻击;分析了“基于验证元的三方口令认证密钥交换协议”中提出的三方PAKE协议,给出了被动窃听的外部攻击者实施的离线字典攻击.同时还指出了这些协议设计或证明中的被疏忽之处,为同类协议的分析与设计提供了参考和借鉴.2.研究了标准模型下两方PAKE协议的设计.首先,基于非交互、完美绑定且不可延展的承诺体制,平滑投射Hash函数簇等一般性组件设计了一个标准模型下安全的两方PAKE协议.该协议是第一个标准模型下的两轮PAKE协议,同时还能被实例化得到基于DDH假设、二次剩余假设和N次剩余假设等不同难题假设的具体协议;其次,在Katz等最近提出的基于格的口令认证密钥传输协议基础上,利用基于LWE假设的CCA2安全公钥加密体制、近似平滑投射Hash函数簇以及纠错编码等组件,设计了第一个基于格的口令认证密钥交换协议.3.研究了UC框架下基于标准模型的两方PAKE协议的设计.首先对Canetti等提出的协议进行了改进,提出了一个新的PAKE协议,使之同样是标准模型下可证明UC安全的,但具有更高的通信和计算效率;其次,通过构造不可延展的、可提取的且是弱模拟可靠的陷门承诺体制,以及相应的平滑投射Hash函数簇,设计了一个高效的UC安全的两方PAKE协议.该协议采取和Canetti等所提出的协议完全不同的设计方法,避免了零知识证明协议的使用,在保持计算复杂度相当的前提下有效地提高了通信效率,使PAKE协议首次在UC框架下达到了最优的两轮.4.研究了标准模型下三方PAKE协议的设计.针对三方情形设计了一个标准模型下安全的PAKE协议,并在Real-or-Random模型中证明了所设计协议的安全性.该协议具有会话密钥的语义安全性、针对诚实但好奇服务器的密钥私密性,并提供了客户和服务器之间的双向认证.与三方PAKE协议的通用构造相比,该协议不仅减少了通信轮数,还降低了计算复杂度.更多还原

【Abstract】 Password authenticated key exchange (PAKE) protocols allow parties sharing only a low-entropy, human-memorable password to authenticate themselves and establish a common session key over an insecure channel in a secure manner. Since PAKE protocols do not require complex public-key infrastructure or trusted hardware of storing high entropy secrets, they have attracted many attentions since being introduced. In order to guarantee PAKE protocols resisting off-line dictionary attacks and securely realizing their designed goals, a popular measure is to resort protocol design and analysis to the theory of provable security. Among all security models, the standard model is more nature and, as it named, more standard than the ideal model, such as random oracle model and ideal cipher model. However, due to various reasons, protocols with security proof in the standard model are far less than those in the ideal model, and the computational and communication efficiency of these protocols is also lower.In this thesis, we address with the problem of analyzing and designing PAKE protocols provably secure in the standard model, particularly the PAKE protocols in the two-party setting and in the three-party setting. We have designed several novel and secure PAKE protocols based on different security models and different computational difficult assumptions, such that they are more efficient in term of computation complexity or communication cost. Based on this start point, we did in-depth research on the analysis and design of PAKE protocols, and got the following results.1. Several existed PAKE protocols designed in the standard model are analyzed. Firstly, cryptanalysis of a protocol proposed by Yin et al. in the paper of“Provable Secure Encrypted Key Exchange Protocol under Standard Model”is presented. A concrete attack in which an outside adversary impersonates a valid server is also given. Secondly, a protocol proposed by Shu et al. in the paper of“Provable Secure Encrypted Key Exchange Protocol under Standard Model”is analyzed. An off-line dictionary attack conducted by an active outside adversary is also introduced. Thirdly, a protocol proposed by Li et al. in the paper of“Verifier-Based Password Authenticated Key Exchange for Three-party”is pointed out to be vulnerable to off-line dictionary attack by any passive outside adversary. Further, the errors in the original protocols design and security proofs are also analyzed, which might be instructive to future PAKE protocols design.2. Two-party PAKE protocols with provable security in the well-known Real-or-Random model are researched. Firstly, by utilizing non-interactive, perfect-biding and non-malleable commitment and smooth projective hashing function family, we proposed a two-party PAKE protocol in standard model, which is the first PAKE protocol achieving optimal two rounds. Since general building blocks are used, this protocol can be efficiently instantiated with primitives based on either the DDH, Quadratic Residuosity or N-Residuosity assumptions. Secondly, through using CCA2 secure public key encryption schemes based on LWE assumption, approximate smooth projective hash function family, and error-correcting codes, we constructed a two-party PAKE protocol based on Lattice and proved its security strictly. Note that the protocol introduced by Katz and Vaikuntanathan is in fact a key transport protocol, ours is the first truly key exchange protocol in this setting.3. Two-party PAKE protocols designed in the UC framework and based on standard assumptions are presented. Firstly, based on Canetti’s protocol we proposed a new protocol which is also proven secure in the UC framework but with improved communication and computation performance. Secondly, we adopted a designing approach totally different from that used in Canetti’s protocol and designed an efficient protocol with provable security in the UC framework. To this end, we first defined a new definition for commitment, called weak simulation-sound trapdoor commitment. Then, we presented a concrete construction of non-malleable, extractable and weak simulation-sound commitment scheme, and also the corresponding smooth projective hash function family. By means of these newly constructed building blocks, our protocol avoids the usage of zero-knowledge protocols and achieves high performance in terms of communication efficiency, which is the first two round PAKE protocol in the UC framework.4. We introduced a new PAKE protocol which is optimized for the special three-party setting; the resulting protocol is more efficient than the general construction in terms of round numbers as well as computational complexity. The protocol also enjoys provable security in the Real-or-Random model for three-party PAKE protocols, which provides semantic security for the session keys, guarantees key privacy against honest-but-curious server as well as resistance to undetectable on-line dictionary attacks.更多还原