
We recall the game-based PAKE and VPAKE security models proposed by Bellare et al. [24] and Abdalla et al. [14], and by Benhamouda and Pointcheval [31], respectively, and further describe the tagged PAKE protocol tSOKE by Manulis et al. [147], which is based on the PAKE protocol by Abdalla et al. [7].

2.3.1 PAKE

Functionality F_PAKE

The functionality F_PAKE is parametrised by a security parameter λ. It interacts with an adversary SIM and a set of parties via the following queries:

NewSession: Upon input (NS, sid, P_i, P_j, pwd, role) from P_i, check that P_j is legit and send (NS, sid, P_i, P_j, role) to SIM. If this is the first NewSession query, or if this is the second NewSession query and there is a record (sid, P_j, P_i, pwd′), then record (sid, P_i, P_j, pwd) and mark this record fresh.

TestPwd: Upon input (TP, sid, P_i, pwd′) from SIM, check that a fresh record (sid, P_i, P_j, pwd) exists, then do: if pwd = pwd′, mark the record as compromised and reply to SIM with "correct guess"; if pwd ≠ pwd′, mark the record interrupted and reply with "wrong guess".

NewKey: Upon input (NK, sid, P_i, sk) from SIM, check that a record (sid, P_i, P_j, pwd) exists, |sk| = λ and this is the first NewKey query for P_i, then:

• If the record is compromised, or either P_i or P_j is corrupted, then output (sid, sk) to P_i.

• If the record is fresh, and there is a record (sid, P_j, P_i, pwd′) with pwd′ = pwd, and a key sk′ was sent to P_j while (sid, P_j, P_i, pwd′) was fresh at the time, then output (sid, sk′) to P_i.

• In any other case, pick a new random key sk′ of length λ and send (sid, sk′) to P_i.

Either way, mark the record (sid, P_i, P_j, pwd) as completed.

Fig. 4: Ideal Functionality F_PAKE

We describe the commonly used game-based PAKE model from Bellare et al. [24] and highlight modifications introduced by Abdalla et al. [14]. The model considers two kinds of parties: a client C, holding a password pwd, and a server S, holding a vector of the passwords of all registered clients. Both parties are chosen from fixed, disjoint sets of clients and servers. (For convenience it is assumed that every client shares a password with every server.) Passwords pwd are drawn from a dictionary D of size |D| = n. Each participant instance P_i holds a state with sid_P^i, pid_P^i and sk_P^i to keep track of the session, the partner and the negotiated session key. Further, term_P^i and acc_P^i keep track of whether P_i has terminated, respectively accepted, and state_P^i and used_P^i record the internal state and whether a session has been used. Adversary A has access to the following oracles to interact with protocol participants:

• Send(P_i, m) sends message m to P_i and returns the message m′ output by P_i, if any.

• Execute(C_i, S_j) executes the protocol between the two parties and returns the transcript. In addition, the adversary is given the internal state of any corrupted party as well as the state variables of all participants.

• Reveal(P_i) returns the session key sk_P^i of P_i.

• Test(P_i) returns ⊥ if sk_P^i = NULL, and otherwise either the session key sk_P^i of P_i if the randomly chosen bit b = 1, or a random value if b = 0. This oracle can only be queried once.

Two protocol participants are partnered if they have matching transcripts, i.e. the recorded transcript of one participant is a subset of the one recorded by the other party. A PAKE protocol is correct if for two partnered instances C_i and S_j it holds that acc_C^i = acc_S^j = true and sk_C^i = sk_S^j. An instance P_i is fresh unless one of the following is true at the conclusion of the experiment: (1) at some point, the adversary queried Reveal(P_i); or (2) at some point, the adversary queried Reveal(P_j), where P_j and P_i are partnered.

The attacker can only succeed if at the time of the Test query the queried instance is fresh and has accepted, i.e. acc_P^i = true. The attacker's advantage is then given by $\mathrm{Adv}_{A,\Pi}(\lambda) = \Pr[\mathrm{Succ}] - \tfrac{1}{2} \le \frac{q_s}{|D|} + \varepsilon(\lambda)$ for q_s active sessions and dictionary D; that is, beyond a negligible term, the attacker gains nothing over one online password guess per active session.

Sometimes an additional Corrupt oracle is given that allows the attacker to retrieve passwords from protocol participants. (Corrupted sessions are then also prohibited in Test queries.) Abdalla et al. [14] showed that allowing multiple Test queries strengthens the model and makes the Reveal oracle unnecessary.
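The bookkeeping rules of F_PAKE in Fig. 4 are easiest to understand by running them. The following Python model is an added example (not code from the thesis or from [24]/[14]); it treats λ as a byte length, and the sessions in demo() are constructed to show the three outcomes of an online guess: no guess (both honest parties get the same random key), a wrong guess (the record is interrupted, keys become independent and a second guess on the same record is refused) and a correct guess (SIM dictates the key).

```python
import secrets


class FPAKE:
    """Bookkeeping model of the ideal functionality F_PAKE from Fig. 4 (added example, not thesis code).

    Honest parties call new_session; the simulator SIM calls test_pwd and new_key. Keys are byte
    strings and the length parameter λ is counted in bytes here (an assumption of this model).
    """

    def __init__(self, lam: int = 32):
        self.lam = lam
        self.records = {}       # (sid, P_i) -> {"peer": P_j, "pwd": pwd, "status": fresh|compromised|interrupted|completed}
        self.delivered = {}     # (sid, P_i) -> (sk, record was fresh when sk was delivered)
        self.corrupted = set()  # parties the environment has corrupted
        self.to_sim = []        # what SIM learns: (NS, sid, P_i, P_j, role), never the password

    def new_session(self, sid, pi, pj, pwd, role) -> bool:
        if (sid, pi) in self.records:
            return False
        in_sid = [k for k in self.records if k[0] == sid]
        first = not in_sid
        second = len(in_sid) == 1 and (sid, pj) in self.records and self.records[(sid, pj)]["peer"] == pi
        if not (first or second):
            return False
        self.records[(sid, pi)] = {"peer": pj, "pwd": pwd, "status": "fresh"}
        self.to_sim.append(("NS", sid, pi, pj, role))
        return True

    def test_pwd(self, sid, pi, guess):
        """One online guess per fresh record; afterwards the record is compromised or interrupted."""
        rec = self.records.get((sid, pi))
        if rec is None or rec["status"] != "fresh":
            return None
        if guess == rec["pwd"]:
            rec["status"] = "compromised"
            return "correct guess"
        rec["status"] = "interrupted"
        return "wrong guess"

    def new_key(self, sid, pi, sk):
        rec = self.records.get((sid, pi))
        if rec is None or len(sk) != self.lam or (sid, pi) in self.delivered:
            return None
        pj, was_fresh = rec["peer"], rec["status"] == "fresh"
        peer, peer_key = self.records.get((sid, pj)), self.delivered.get((sid, pj))
        if rec["status"] == "compromised" or pi in self.corrupted or pj in self.corrupted:
            out = sk                                 # SIM chose the key
        elif (was_fresh and peer is not None and peer["peer"] == pi and peer["pwd"] == rec["pwd"]
              and peer_key is not None and peer_key[1]):
            out = peer_key[0]                        # agree with the honest, fresh partner
        else:
            out = secrets.token_bytes(self.lam)      # random key, independent of anything SIM sent
        self.delivered[(sid, pi)] = (out, was_fresh)
        rec["status"] = "completed"
        return out


def _session(sid, pwd_c, pwd_s):
    """Constructed two-party session: client C and server S announce each other as partner."""
    f = FPAKE()
    f.new_session(sid, "C", "S", pwd_c, "client")
    f.new_session(sid, "S", "C", pwd_s, "server")
    return f


def demo():
    """Constructed runs showing how the rules limit SIM to one online guess per session."""
    sk_adv = b"\x01" * 32
    f = _session("sid1", "hunter2", "hunter2")           # honest run, no guess
    kc, ks = f.new_key("sid1", "C", sk_adv), f.new_key("sid1", "S", sk_adv)
    honest = kc == ks and kc != sk_adv
    f = _session("sid2", "hunter2", "hunter2")           # one wrong guess, then a retry on the same record
    first, second = f.test_pwd("sid2", "C", "letmein"), f.test_pwd("sid2", "C", "hunter2")
    kc, ks = f.new_key("sid2", "C", sk_adv), f.new_key("sid2", "S", sk_adv)
    wrong = first == "wrong guess" and second is None and kc != ks and kc != sk_adv
    f = _session("sid3", "hunter2", "hunter2")           # correct guess: SIM now fixes C's key
    correct = f.test_pwd("sid3", "C", "hunter2") == "correct guess" and f.new_key("sid3", "C", sk_adv) == sk_adv
    f = _session("sid4", "hunter2", "letmein")           # mismatched passwords, no guess
    mismatch = f.new_key("sid4", "C", sk_adv) != f.new_key("sid4", "S", sk_adv)
    return {"honest": honest, "wrong_guess": wrong, "correct_guess": correct, "mismatch": mismatch}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that SIM never sees a password and gets exactly one TestPwd per fresh record: after that query the record is either compromised (SIM wins that session) or interrupted (every later key is random), which is the ideal-world counterpart of the q_s/|D| term in the game-based bound.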

2.3.2 Verifier-based PAKE

We now recall the game-based security model for VPAKE protocols proposed by Benhamouda and Pointcheval [31]. It considers clients C, holding a password pwd_C, and servers S, holding a password verifier ver = (H, s_H) with H ← PHash(p_P, s_H, pwd_S) and random salt s_H ← PHSalt(p_P). Passwords pwd_C and pwd_S are drawn from a dictionary D with min-entropy β. Adversary A has access to the following oracles to interact with protocol participants:

• Execute(C_i, S_j) returns the transcript of the protocol execution between two

• Send(P_i, P_j, m) returns the result of P_j on input of message m from alleged sender P_i. Invoking Send with a specific message initiates a session between P_i and P_j. This models active attacks.

• Corrupt(S) returns the server's secret ver = (H, s_H). Clients with pwd_S are marked as corrupted.

Let b denote a bit chosen prior to every execution of the experiment. Security is modelled with a real-or-random style Test(P_i) oracle that, on input of a participant instance P_i, returns a session key sk chosen as follows:

• If P_i has not computed a session key, or P_i is a partnered and corrupted client instance, return ⊥.

• If P_i is partnered with a compatible P_j and a Test query has been asked for P_j previously, then return the same session key as for P_j.

• If P_i has been queried before, output the same as for the previous query.

• Otherwise return the real session key of P_i if b = 1, and a random session key if b = 0.

Two protocol participants are partnered if they have matching transcripts, i.e. the recorded transcript of one participant is a subset of the one recorded by the other party. A VPAKE protocol Π is secure if for all PPT adversaries A running in time t there exists a negligible function ε(·) such that the advantage of A is upper-bounded by $2^{-\beta} q_s + \mathrm{Adv}^{\mathrm{OW}}(B, \lambda) + \varepsilon(\lambda)$ for some attacker B on the one-wayness of the used password hashing scheme running in time r, q_s active sessions, and independently chosen passwords from D of min-entropy β. In contrast to the PAKE bound, a corrupted server only helps the adversary as far as it can invert the password hash. Password hashing and its security are defined in Chapter III, Section 2.

2.3.3 tSOKE

In our demo we use the tSOKE protocol proposed by Manulis et al. [147] as authentication protocol for convenience. It is recalled in Figure 5. First note that the description in Figure 5 omits session key generation and describes a tPAuth protocol. Further note that while the original tSOKE protocol is proven to be a secure PAKE protocol, it is not a secure VPAKE protocol: since it is sufficient for the client to know the password hash H (the password itself is not needed), an attacker who learns the verifier, e.g. through Corrupt(S), can run the client side of the protocol with H alone, which gives a straightforward successful attacker against tSOKE in the VPAKE security experiment.

Client C (input: tg, pwd)                          Server S (input: tg)

x ∈_R Z_p, X = g^x
                         ── C, X ─────────────────▶
                                                   Look up ver = (H, r) for C.
                                                   y ∈_R Z_p, Y = g^y, Y* = Y · h^H
                         ◀───── r, Y* ────────────
H ← HashP(pwd, r)
Y = Y* / h^H
Z = Y^x                                            Z = X^y
K ← SHA(C, H, tg, X, Y, Z)                         K ← SHA(C, H, tg, X, Y, Z)
A1 ← SHA(K, "auth1")
                         ── A1 ───────────────────▶
                                                   Abort if A1 ≠ SHA(K, "auth1")
                                                   A2 ← SHA(K, "auth2")
                         ◀───── A2 ───────────────
Abort if A2 ≠ SHA(K, "auth2")
Accept                                             Accept

Fig. 5: The tSOKE Protocol by Manulis et al. [147]

VPAKE protocols built according to the framework from Benhamouda and Pointcheval [31] (including the one proposed in this thesis) are, in contrast, secure VPAKE protocols. Nonetheless, tSOKE has an advantage stemming from its use of a verifier: since the server stores (H, r) with its own salt r rather than the password, a verifier cannot be re-used on a different server where the client may use the same password.
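The exchange in Fig. 5, with both sides' messages, followed by the verifier-only impersonation that the preceding section argues breaks VPAKE security, as an added Python example (not the authors' implementation). Assumptions of this example: the group is the 2048-bit MODP group of RFC 3526 (group 14) with exponents in Z_Q for the subgroup order Q, h is derived by hashing a fixed string into the subgroup, HashP is instantiated with PBKDF2-HMAC-SHA256, SHA(·) is SHA-256 over length-prefixed fields, and the client name, tag and password are constructed.

```python
import hashlib
import secrets

# Group: RFC 3526 group 14. P = 2*Q + 1 is a safe prime and g = 2 generates the subgroup of prime
# order Q, so exponents are drawn from Z_Q (Fig. 5 writes Z_p for the exponent space of its group).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2
G = 2
# Second generator h: hash a fixed string into Z_P and square it so it lies in the order-Q subgroup.
# A nothing-up-my-sleeve derivation (log_g h unknown to everyone) is this example's choice.
H_GEN = pow(int.from_bytes(hashlib.sha256(b"tSOKE example generator h").digest(), "big") % P, 2, P)


def sha(*parts: bytes) -> bytes:
    """SHA(a, b, ...) of Fig. 5: SHA-256 over length-prefixed fields so tuples cannot collide by concatenation."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def hash_p(pwd: bytes, r: bytes) -> int:
    """HashP(pwd, r): salted password hash mapped into Z_Q (PBKDF2-HMAC-SHA256 is this example's choice)."""
    d = hashlib.pbkdf2_hmac("sha256", pwd, r, 10_000, dklen=64)
    return int.from_bytes(d, "big") % Q


def register(pwd: bytes) -> tuple:
    """Enrolment: the server stores ver = (H, r) with its own salt r and never the password."""
    r = secrets.token_bytes(16)
    return hash_p(pwd, r), r


def client_round1() -> tuple:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def server_round2(cid: bytes, tg: bytes, ver: tuple, X: int) -> tuple:
    """Server: blind Y with h^H and derive K; returns (K, message (r, Y*))."""
    H, r = ver
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    Y_star = (Y * pow(H_GEN, H, P)) % P
    Z = pow(X, y, P)
    K = sha(cid, i2b(H), tg, i2b(X), i2b(Y), i2b(Z))
    return K, (r, Y_star)


def client_round3(cid: bytes, tg: bytes, x: int, X: int, H: int, Y_star: int) -> tuple:
    """Client: unblind Y* with h^H, derive K and send A1. H = HashP(pwd, r) for an honest client."""
    Y = (Y_star * pow(pow(H_GEN, H, P), -1, P)) % P
    Z = pow(Y, x, P)
    K = sha(cid, i2b(H), tg, i2b(X), i2b(Y), i2b(Z))
    return K, sha(K, b"auth1")


def server_round4(K: bytes, A1: bytes):
    """Server: abort (None) on a bad A1, otherwise answer with A2."""
    if A1 != sha(K, b"auth1"):
        return None
    return sha(K, b"auth2")


def run_tsoke(cid: bytes, tg: bytes, ver: tuple, pwd: bytes = None, stolen_H: int = None) -> tuple:
    """Full exchange; returns (client accepts, server accepts, both derived the same K).

    An honest client passes pwd; the impersonator of the VPAKE attack passes the stolen hash H instead.
    """
    x, X = client_round1()
    K_s, (r, Y_star) = server_round2(cid, tg, ver, X)
    H = stolen_H if stolen_H is not None else hash_p(pwd, r)
    K_c, A1 = client_round3(cid, tg, x, X, H, Y_star)
    A2 = server_round4(K_s, A1)
    server_ok = A2 is not None
    client_ok = server_ok and A2 == sha(K_c, b"auth2")
    return client_ok, server_ok, K_c == K_s


if __name__ == "__main__":
    ver = register(b"correct horse battery staple")   # constructed enrolment
    print("honest   :", run_tsoke(b"alice", b"demo-tag", ver, pwd=b"correct horse battery staple"))
    print("wrong pwd:", run_tsoke(b"alice", b"demo-tag", ver, pwd=b"hunter2"))
    print("stolen H :", run_tsoke(b"alice", b"demo-tag", ver, stolen_H=ver[0]))
```

The third run is the attack from the text: the client side never uses pwd after computing H, so whoever holds the verifier (H, r) for this server authenticates as the client without any offline dictionary attack, which is exactly what Corrupt(S) hands the VPAKE adversary. The same (H, r) is useless against another server because that server has its own salt r and therefore a different H for the same password.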
