On Password-Authenticated Key Exchange Security Modeling
Date: December 2015
Publication: 9th International Conference on Passwords (Passwords15 London). Lecture Notes in Computer Science, Volume 9551
Page(s): 120 - 143
Source 1: https://passwordscon.org/wp-content/uploads/2015/12/Jean_Lancrecon.pdf
Source 2: https://dx.doi.org/10.1007/978-3-319-29938-9_8 - Subscription or payment required
Abstract or Summary:
Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al.  at Eurocrypt 2000. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al.  at Public Key Cryptography 2005. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.
PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=ShTOIkTApbk First source linked above is to the slides of this talk and not the full paper.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.