Practical threshold password-authenticated secret sharing protocol. (English) Zbl 1503.94053

Pernul, Günther (ed.) et al., Computer security – ESORICS 2015. 20th European symposium on research in computer security, Vienna, Austria, September 21–25, 2015. Proceedings. Part I. Cham: Springer. Lect. Notes Comput. Sci. 9326, 347-365 (2015).
Summary: Threshold password-authenticated secret sharing (TPASS) protocols allow a client to secret-share a secret \(s\) among \(n\) servers and protect it with a password pw, so that the client can later recover \(s\) from any subset of \(t\) of the servers using pw, while no coalition of fewer than \(t\) servers learns anything about \(s\) or can mount an offline dictionary attack on pw. Several TPASS protocols have appeared in the literature recently. The protocol by A. Bagherzandi et al. [“Password-protected secret sharing”, in: Proceedings of the 18th ACM conference on computer and communications security, CCS ’11, Chicago, IL, USA, 2011. New York, NY: Association for Computing Machinery (ACM). 433–444 (2011; doi:10.1145/2046707.2046758)] leaks the password if a client mistakenly executes the protocol with malicious servers. The first \(t\)-out-of-\(n\) TPASS protocol for any \(n>t\) that does not suffer from this shortcoming was given by J. Camenisch, A. Lysyanskaya and G. Neven [“Memento: how to reconstruct your secrets from a single password in a hostile environment”, in: Advances in cryptology – CRYPTO 2014, Part II. Lect. Notes Comput. Sci. 8617, 256–275 (2014; Zbl 1334.94098)]. That protocol, proved secure in the UC framework, requires the client to take part in many communication rounds, which makes it impractical for the client. In this paper, we present a practical TPASS protocol that is particularly efficient for the client, who only needs to send one request and receive one response. We also give a rigorous proof of security for our protocol in the standard model.
For the entire collection see [Zbl 1492.68028].
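The threshold property the summary relies on (any \(t\) shares recover \(s\); any \(t-1\) shares are consistent with every possible secret) is the Shamir construction of reference [15]. The following is an added illustration written for this page, not code from the paper or from [15]: it splits a secret over a prime field, reconstructs it from any \(t\) shares, and then shows that a coalition holding fewer than \(t\) shares can extend its view into a complete, valid sharing of any candidate secret, which is why such a coalition learns nothing. The field modulus `P` and the sample values are constructed for the demo; the password-protection layer of TPASS is not modelled.

```python
"""Shamir t-out-of-n secret sharing over a prime field, with a demonstration of
the threshold property: any t shares reconstruct the secret, while any t-1
shares are consistent with every candidate secret.

Added illustration, not code from the ESORICS 2015 paper or from Shamir's
paper; the field modulus P and all sample values are constructed for this demo.
"""
import secrets

P = (1 << 127) - 1  # assumed field modulus (a Mersenne prime); secrets must be < P


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients low degree first) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def share(secret, t, n, rng=secrets.randbelow):
    """Split secret into n shares (x, f(x)) for x = 1..n, where f is a random
    polynomial of degree t-1 with f(0) = secret.  Any t shares recover secret."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [rng(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares, t):
    """Recover f(0) from at least t shares with distinct indices."""
    if len(shares) < t:
        raise ValueError("fewer than t shares: secret is not determined")
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    return lagrange_eval(list(shares)[:t], 0)


def extend_sharing(partial, t, n, candidate, rng=secrets.randbelow):
    """Given fewer than t shares, build a complete n-share sharing of `candidate`
    that agrees with every one of them.  Because this works for every candidate,
    a coalition holding t-1 shares learns nothing about the real secret."""
    if len(partial) >= t:
        raise ValueError("t or more shares already determine the secret")
    used = {x for x, _ in partial}
    if 0 in used or len(used) != len(partial):
        raise ValueError("share indices must be distinct and nonzero")
    points = [(0, candidate % P)] + list(partial)
    # Pin down a degree-(t-1) polynomial with random values at unused indices.
    for x in range(1, n + 1):
        if len(points) == t:
            break
        if x not in used:
            points.append((x, rng(P)))
    return [(x, lagrange_eval(points, x)) for x in range(1, n + 1)]


if __name__ == "__main__":
    s = 0xC0FFEE                      # constructed sample secret
    shares = share(s, t=3, n=5)
    print("any 3 of 5 shares recover s:", reconstruct(shares[2:], 3) == s)
    forged = extend_sharing(shares[:2], t=3, n=5, candidate=12345)
    print("2 shares fit secret 12345 too:",
          forged[:2] == shares[:2] and reconstruct(forged[2:], 3) == 12345)
```

`extend_sharing` is the simulator argument in code form: whatever two of the five servers hold, there is a full sharing of 12345 (or of any other value) that agrees with their shares, so their view is distributed identically for every secret. Mixing their two genuine shares with one share from the forged sharing reconstructs the forged value, which is why a TPASS protocol must also stop fewer than \(t\) servers from testing password guesses offline rather than relying on the secret-sharing threshold alone.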


94A62 Authentication, digital signatures and secret sharing
94A60 Cryptography


[1] Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: ACM CCS 2011, pp. 433-444 (2011)
[2] Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Eurocrypt 2000, pp. 139-155 (2000) · Zbl 1082.94533
[3] Brainard, J., Juels, A., Kaliski, B., Szydlo, M.: Nightingale: a new two-server approach for authentication with short secrets. In: 12th USENIX Security Symposium, pp. 201-213 (2003)
[4] Camenisch, J., Lysyanskaya, A., Neven, G.: Practical yet universally composable two-server password-authenticated secret sharing. In: ACM CCS 2012, pp. 525-536 (2012)
[5] Camenisch, J., Lysyanskaya, A., Neven, G.: Memento: how to reconstruct your secrets from a single password in a hostile environment. In: Crypto 2014, pp. 256-275 (2014) · Zbl 1334.94098
[6] Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644-654 (1976) · Zbl 0435.94018 · doi:10.1109/TIT.1976.1055638
[7] ElGamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469-472 (1985) · Zbl 0571.94014 · doi:10.1109/TIT.1985.1057074
[8] Ford, W., Kaliski, B.S.: Server-assisted generation of a strong secret from a password. In: 5th IEEE International Workshop on Enterprise Security (2000)
[9] Jablon, D.: Password authentication using multiple servers. In: CT-RSA 2001, pp. 344-360 (2001) · Zbl 0968.68048
[10] Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Eurocrypt 2001, pp. 475-494 (2001) · Zbl 1010.94555
[11] Katz, J., MacKenzie, P., Taban, G., Gligor, V.: Two-server password-only authenticated key exchange. In: ACNS 2005, pp. 1-16 (2005) · Zbl 1126.68402
[12] MacKenzie, P., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. J. Cryptol. 19(1), 27-66 (2006) · Zbl 1096.94032 · doi:10.1007/s00145-005-0232-5
[13] Di Raimondo, M., Gennaro, R.: Provably secure threshold password-authenticated key exchange. J. Comput. Syst. Sci. 72(6), 978-1001 (2006) · Zbl 1100.68571 · doi:10.1016/j.jcss.2006.02.002
[14] RSA, The Security Division of EMC: New RSA innovation helps thwart “smash-and-grab” credential theft. Press release (2012)
[15] Shamir, A.: How to share a secret. Commun. ACM 22(11), 612-613 (1979) · Zbl 0414.94021 · doi:10.1145/359168.359176
[16] Yi, X., Ling, S., Wang, H.: Efficient two-server password-only authenticated key exchange. IEEE Trans. Parallel Distrib. Syst. 24(9), 1773-1782 (2013) · doi:10.1109/TPDS.2012.282
[17] Yi, X., Hao, F., Bertino, E.: ID-based two-server password-authenticated key exchange. In: ESORICS 2014, pp. 257-276 (2014)