Practical Threshold Password-Authenticated Secret Sharing Protocol
1 School of CS and IT, RMIT University, Melbourne, Australia
2 School of Computing Science, Newcastle University, Newcastle upon Tyne, UK
3 Hewlett-Packard Laboratories, Bristol, UK
4 Faculty of Information Technology, Monash University, Melbourne, Australia
Abstract. Threshold password-authenticated secret sharing (TPASS) protocols allow a client to secret-share a secret s among n servers and protect it with a password pw, so that the client can later recover s from any subset of t of the servers using the password pw, but so that no coalition smaller than t learns anything about s or can mount an offline dictionary attack on the password pw. Several TPASS protocols have appeared in the literature recently. The protocol by Bagherzandi et al. (CCS 2011) leaks the password if a client mistakenly executes the protocol with malicious servers. The first t-out-of-n TPASS protocol for any n > t that does not suffer from this shortcoming was given by Camenisch et al. (CRYPTO 2014). This protocol, proved secure in the UC framework, requires the client to take part in many communication rounds, which makes it impractical for the client. In this paper, we present a practical TPASS protocol which is in particular efficient for the client, who only needs to send a request and receive a response. In addition, we provide a rigorous proof of security for our protocol in the standard model.

Keywords: Threshold password-authenticated secret sharing protocol · ElGamal encryption scheme · Shamir secret sharing scheme · Diffie-Hellman problems
1 Introduction
Threshold password-authenticated secret sharing (TPASS) protocols consider a scenario [5], inspired by the movie “Memento”, in which the main character suffers from short-term memory loss. This leads to an interesting cryptographic problem: can a user securely recover his secrets from a set of servers, if all the user can or wants to remember is a single password and all of the servers may be adversarial? In particular, can he protect his precious password when accidentally trying to run the recovery with all-malicious servers? A solution for this problem can act as a natural bridge from human-memorisable passwords to strong keys for cryptographic tasks. Practical applications include secure password managers (where the shared secret is a list of strongly random website passwords) and encrypting data in the cloud (where the shared secret is the encryption key) based on a single master password.

X. Yi et al. © Springer International Publishing Switzerland 2015. G. Pernul et al. (Eds.): ESORICS 2015, Part I, LNCS 9326, pp. 347–365, 2015. DOI: 10.1007/978-3-319-24174-6_18

The first TPASS protocol was given by Bagherzandi et al. [1]. It is built on the PKI model, is secure under the decisional Diffie-Hellman assumption, and uses non-interactive zero-knowledge proofs. The basic idea is: the client initially generates an ElGamal public and private key pair (sk, pk = g^sk) [7] and secret-shares sk among the servers using a t-out-of-n secret sharing scheme [15], and outputs public p
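The building blocks named above (an ElGamal key pair and a t-out-of-n Shamir sharing of sk) as an added Python illustration that is not the paper's own protocol or code. It goes one step beyond the text by also showing how any t servers can apply their shares of sk to an ElGamal ciphertext without ever reconstructing sk; the group parameters P, Q, G are toy values constructed for the example, and all function names are assumptions.

```python
import secrets

# Toy group constructed for illustration only: P = 2Q + 1 with P, Q prime and
# G = 4 generating the order-Q subgroup. Real deployments use 2048-bit+ groups.
P, Q, G = 2039, 1019, 4

def keygen():
    """ElGamal key pair (sk, pk = G^sk mod P), as in the client's setup step."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)

def share_secret(sk, t, n, coeffs=None):
    """Shamir t-out-of-n sharing of sk over Z_Q: share i is f(i) for a random
    polynomial f of degree t-1 with f(0) = sk (coeffs may be fixed for tests)."""
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(t - 1)]
    poly = [sk % Q] + list(coeffs)
    return [(i, sum(c * pow(i, k, Q) for k, c in enumerate(poly)) % Q)
            for i in range(1, n + 1)]

def lagrange_at_zero(i, indices):
    """Lagrange coefficient lambda_i such that sum(lambda_i * f(i)) = f(0)."""
    lam = 1
    for j in indices:
        if j != i:
            lam = lam * j * pow((j - i) % Q, -1, Q) % Q
    return lam

def recover_secret(shares):
    """Rebuild sk from any t shares (fewer than t give an unrelated value)."""
    idx = [i for i, _ in shares]
    return sum(lagrange_at_zero(i, idx) * s for i, s in shares) % Q

def encrypt(pk, m):
    """Textbook ElGamal encryption of a group element m under pk."""
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), m * pow(pk, r, P) % P

def threshold_decrypt(shares, ct):
    """Decrypt with t servers without reconstructing sk: server i returns
    c1^s_i, and the combiner raises each part to its Lagrange coefficient."""
    c1, c2 = ct
    idx = [i for i, _ in shares]
    c1_sk = 1
    for i, s in shares:
        partial = pow(c1, s, P)                      # computed by server i
        c1_sk = c1_sk * pow(partial, lagrange_at_zero(i, idx), P) % P
    return c2 * pow(c1_sk, -1, P) % P
```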