An improved N-Party PAKE Protocol
2011 2nd International Conference on Networking and Information Technology
IPCSIT vol.17 (2011) © (2011) IACSIT Press, Singapore
Liu Xiumei (1), Liu Junjiang (2) and Chang Guiran (1)
(1) Computing Center, Northeastern University, Shenyang, China
(2) Tax Department, Neusoft Corporation, Shenyang, China
liuxm@cc.neu.edu.cn, liujunjiang@neusoft.com, chang@neu.edu.cn
Abstract. To improve the operating efficiency of N-Party AKE protocols and to reduce their communication cost, we present an improved N-Party PAKE protocol. In the N-Party PAKE protocol, adjacent clients share a temporary encryption key with the help of the server, which reduces the number of messages exchanged between the clients and the server. We also show that the N-Party PAKE protocol resists various attacks.
Keywords: PAKE; N-Party; DPWA
1. Introduction
In [1-2], Bresson et al. presented the first formal model of authenticated group Diffie-Hellman key exchange that enables a treatment of dictionary attacks and allows group members to agree on a session key. This model is based on shared password authentication (SPWA for short), that is, all group members use one shared password. However, Byun and Lee [3] pointed out that SPWA is not practical, since a password is not a common secret but a secret belonging to an individual, and they proposed two provably secure protocols, N-party EKE-U and N-party EKE-M, which are based on the different password authentication (DPWA for short) model, in which group members use different passwords.
The N-party EKE-U protocol is designed for the unicast network environment. Byun and Lee proved it secure under Diffie-Hellman-like assumptions. However, Tang et al. [4] showed that the N-party EKE-U protocol suffers from an off-line dictionary attack, and Phan et al. [5] showed that it suffers from an insider attack. Moreover, the operation of the TF protocol inside N-party EKE-U makes it inefficient. Many other group PAKE protocols have also been proposed [6-10].
To improve the operating efficiency, in this paper we propose an improved EKE-U protocol for group members based on passwords, called N-Party PAKE. In the protocol the N parties are the clients $C_1, C_2, \ldots, C_{n-1}$ and the server $S$. Each client $C_i$ ($1 \le i \le n-1$) shares a different password $pw_i$ with the server.
The remainder of this paper is organized as follows. In Section 2 we present the N-Party PAKE protocol. In Section 3 we give the security analysis and the efficiency comparison of the N-Party PAKE protocol. Finally, we conclude in Section 4.
2. N-Party PAKE Protocol
The communication flows of the N-Party PAKE protocol consist of two stages, called the up-flow and the down-flow. In the up-flow, each client $C_i$ ($1 \le i \le n-1$) shares a password $pw_i$ with the server $S$, and the adjacent clients $C_i$ and $C_{i+1}$ ($1 \le i \le n-2$) also share a temporary encryption key with the help of the server $S$. That key is used to encrypt and decrypt the message from $C_i$ to $C_{i+1}$. Each $C_i$ ($1 \le i \le n-1$) raises the received intermediate values to the power of its own secret $x_i$ and forwards the resulting values to the next client $C_{i+1}$. The flows use two functions, defined as follows:

$\phi(\alpha_1, \ldots, \alpha_{i-1}, \alpha_i, x) = \{\alpha_1^x, \ldots, \alpha_{i-1}^x, \alpha_i, \alpha_i^x\} \in G^{i+1}$  (1)

$\pi(\{\alpha_1, \ldots, \alpha_{i-1}, \alpha_i\}, m, n) = \{\alpha_m, \alpha_{m+1}, \ldots, \alpha_{m+(n-1)}\} \in G^n$  (2)

2.1. Up-Flow of N-Party PAKE
The up-flow consists of up-flow1 and up-flow2. Up-flow1 of the N-Party PAKE protocol proceeds as in Figure 1.

1) The client $C_1$ chooses a random value $a_1 \in Z_q^*$, computes $g^{a_1}$ and encrypts it with its password $pw_1$: $X_1 = E_{pw_1}(g^{a_1})$. Then $C_1$ sends $X_1$ to $C_2$. When client $C_2$ receives $X_1$, it also chooses a random value $a_2 \in Z_q^*$, computes and encrypts $X_2 = E_{pw_2}(g^{a_2})$, then sends the message $X_1 | X_2$ to the next client. Each client $C_i$ ($3 \le i \le n-1$) receives the message $\{X_j\}_{j=1}^{i-1}$, inserts its own message $X_i = E_{pw_i}(g^{a_i})$ and passes the result to the next client $C_{i+1}$ ($3 \le i \le n-2$). The last client $C_{n-1}$ sends $\{X_j\}_{j=1}^{n-1}$ to the server $S$.

2) The server $S$ decrypts every $X_i$ with the password $pw_i$ and obtains each $g^{a_i}$. $S$ chooses random values $b_i \in Z_q^*$ ($1 \le i \le n-1$), computes $g^{b_i}$, $g^{a_i b_i}$, $sk_i = H(C_i | S | g^{a_i} | g^{b_i} | g^{a_i b_i})$ and $Mac_i = H(sk_i | g^{a_i})$, and encrypts $Y_i = E_{pw_i}(g^{b_i})$. To help the adjacent clients $C_i$ and $C_{i+1}$ ($1 \le i \le n-2$) generate a temporary key, $S$ also chooses random values $r_i \in Z_q^*$ ($1 \le i \le n-1$), computes $g^{r_i}$ and $g^{pw_{i+1} r_{i+1}}$, and encrypts $\eta_i = E_{sk_i}(g^{pw_{i+1} r_{i+1}} | g^{r_i})$ ($1 \le i \le n-2$) and $\eta_{n-1} = E_{sk_{n-1}}(g^{r_{n-1}})$. Then $S$ sends $\{Y_i | \eta_i | Mac_i\}_{i=1}^{n-1}$ to $C_1$. $Mac_i$ is used by client $C_i$ to verify the temporary key $sk_i$.

Figure 1. The up-flow1 of the N-Party PAKE protocol. Flows: $C_1 \to C_2$: $X_1 = E_{pw_1}(g^{a_1})$ with $a_1 \in Z_q^*$; $C_2 \to C_3$: $\{X_i\}_{i=1}^{2}$; ...; $C_{n-2} \to C_{n-1}$: $\{X_i\}_{i=1}^{n-2}$; $C_{n-1} \to S$: $\{X_i\}_{i=1}^{n-1}$ with $X_{n-1} = E_{pw_{n-1}}(g^{a_{n-1}})$; $S \to C_1$: $\{Y_i | \eta_i | Mac_i\}_{i=1}^{n-1}$, where $S$ picks $b_i, r_i \in Z_q^*$ and computes $g^{a_i} = D_{pw_i}(X_i)$, $sk_i = H(C_i | S | g^{a_i} | g^{b_i} | g^{a_i b_i})$, $Mac_i = H(sk_i | g^{a_i})$, $Y_i = E_{pw_i}(g^{b_i})$ and $\eta_i = E_{sk_i}(g^{pw_{i+1} r_{i+1}} | g^{r_i})$.
Up-flow2 of the N-Party PAKE protocol proceeds as in Figure 2.

1) $C_1$ decrypts $Y_1$ and $\eta_1$, computes $g^{a_1 b_1}$ and $sk_1$, and verifies $Mac_1$. $C_1$ thereby obtains $g^{pw_2 r_2}$ and $g^{r_1}$, computes $\tau_1 = H(g^{r_1} | g^{b_1})$ and sets $m_0 = \{g^{r_1}\}$. $C_1$ also chooses a random value $x_1 \in Z_q^*$, computes $m_1 = \phi(m_0, x_1)$ using the function $\phi$, and encrypts $m_1' = E_{g^{pw_2 r_2}}(m_1)$. Then $C_1$ sends $m_1' | \tau_1 | \{Y_i | \eta_i | Mac_i\}_{i=2}^{n-1}$ to $C_2$.

2) $C_2$ obtains $Y_2$, $\eta_2$, $sk_2$, $g^{pw_3 r_3}$ and $g^{r_2}$ in the same way, decrypts $m_1'$ with $g^{pw_2 r_2} = (g^{r_2})^{pw_2}$, chooses $x_2 \in Z_q^*$, computes $\tau_2 = H(g^{r_2} | g^{b_2})$, $m_2 = \phi(m_1, x_2) = \{g^{r_1 x_2}, g^{r_1 x_1}, g^{r_1 x_1 x_2}\}$ and $m_2' = E_{g^{pw_3 r_3}}(m_2)$, then sends $m_2' | \{\tau_i\}_{i=1}^{2} | \{Y_j | \eta_j | Mac_j\}_{j=3}^{n-1}$ to the next client. Each following client $C_i$ ($3 \le i \le n-1$) obtains its $Y_i$ and $\eta_i$, computes $m_i$ and $\tau_i$, and sends $m_i' | \{\tau_j\}_{j=1}^{i} | \{Y_k | \eta_k | Mac_k\}_{k=i+1}^{n-1}$ to the next client $C_{i+1}$ ($3 \le i \le n-2$).

3) The last client $C_{n-1}$ decrypts $m_{n-2}'$, chooses a random value $x_{n-1} \in Z_q^*$, computes $m_{n-1} = \pi(\phi(m_{n-2}, x_{n-1}), 1, n-1)$ using the functions $\phi$ and $\pi$, and encrypts $m_{n-1}' = E_{g^{r_{n-1}}}(m_{n-1})$. Then $C_{n-1}$ sends $m_{n-1}' | \{\tau_i\}_{i=1}^{n-1}$ to the server $S$.

Figure 2. The up-flow2 of the N-Party PAKE protocol. Flows: $C_1 \to C_2$: $m_1' | \tau_1 | \{Y_i | \eta_i | Mac_i\}_{i=2}^{n-1}$, with $x_1 \in Z_q^*$, $\tau_1 = H(g^{r_1} | g^{b_1})$, $m_0 = \{g^{r_1}\}$, $m_1 = \phi(m_0, x_1)$, $m_1' = E_{g^{pw_2 r_2}}(m_1)$; $C_2 \to C_3$: $m_2' | \{\tau_i\}_{i=1}^{2} | \{Y_j | \eta_j | Mac_j\}_{j=3}^{n-1}$, with $x_2 \in Z_q^*$, $\tau_2 = H(g^{r_2} | g^{b_2})$, $m_2 = \phi(m_1, x_2)$, $m_2' = E_{g^{pw_3 r_3}}(m_2)$; ...; $C_{n-2} \to C_{n-1}$: $m_{n-2}' | \{\tau_i\}_{i=1}^{n-2} | \{Y_j | \eta_j | Mac_j\}_{j=n-1}^{n-1}$; $C_{n-1} \to S$: $m_{n-1}' | \{\tau_i\}_{i=1}^{n-1}$, with $x_{n-1} \in Z_q^*$, $\tau_{n-1} = H(g^{r_{n-1}} | g^{b_{n-1}})$, $m_{n-1} = \pi(\phi(m_{n-2}, x_{n-1}), 1, n-1)$, $m_{n-1}' = E_{g^{r_{n-1}}}(m_{n-1})$.
2.2. Down-Flow of N-Party PAKE
The down-flow of the N-Party PAKE protocol proceeds as in Figure 3.

1) The server $S$ receives the message and verifies every $\tau_i$ against $H(g^{r_i} | g^{b_i})$. Then $S$ decrypts $m_{n-1}'$ with $g^{r_{n-1}}$ and obtains each $\bar{m}_i = g^{r_1 x_1 \cdots x_{i-1} x_{i+1} \cdots x_{n-1}}$ ($1 \le i \le n-1$). $S$ computes each $\bar{m}_{n,i} = E_{sk_i}(\bar{m}_i)$ ($1 \le i \le n-1$) and sends $\{\bar{m}_{n,i}\}_{i=1}^{n-1}$ to $C_{n-1}$.

Figure 3. The down-flow of the N-Party PAKE protocol. Flows: $S \to C_{n-1}$: $\{\bar{m}_{n,i}\}_{i=1}^{n-1}$; $C_{n-1} \to C_{n-2}$: $\{\bar{m}_{n,i}\}_{i=1}^{n-2}$; ...; $C_3 \to C_2$: $\{\bar{m}_{n,i}\}_{i=1}^{2}$; $C_2 \to C_1$: $\bar{m}_{n,1}$, where $S$ checks $\tau_i \stackrel{?}{=} H(g^{r_i} | g^{b_i})$, computes $m_{n-1} = D_{g^{r_{n-1}}}(m_{n-1}')$, $\bar{m}_i = g^{r_1 x_1 \cdots x_{i-1} x_{i+1} \cdots x_{n-1}}$ and $\bar{m}_{n,i} = E_{sk_i}(\bar{m}_i)$.

2) The messages $\bar{m}_{n,i} = E_{sk_i}(\bar{m}_i)$ ($1 \le i \le n-1$) are passed from $C_{n-1}$ down to $C_1$, each client keeping its own $\bar{m}_{n,i}$ and forwarding the rest. Each client $C_i$ decrypts its message with $sk_i$ and computes $K = (\bar{m}_i)^{x_i}$ ($1 \le i \le n-1$) using its random value $x_i \in Z_q^*$, so that every client obtains the same $K = g^{r_1 x_1 \cdots x_{n-1}}$. Then each client computes the group session key $SK = H(K | C)$, where $C = \{C_1, \ldots, C_{n-1}\}$.
3. Security Analysis and Efficiency
3.1. Security Analysis
In this section, we briefly discuss the security against several conventional attacks.
1) Tang-Chen attack
Assume that $C_1$ is an inside attacker who wants to obtain the password of $C_3$. $C_1$ intercepts the message $m_2'$ from $C_2$ to $C_3$. The message is $m_2' = E_{g^{pw_3 r_3}}(\{g^{r_1 x_2}, g^{r_1 x_1}, g^{r_1 x_1 x_2}\})$ and $x_1 \in Z_q^*$ was chosen by $C_1$, so $C_1$ tries to guess $pw_3$ from $g^{pw_3 r_3}$. But $r_3 \in Z_q^*$ is chosen by the server $S$, so even if $C_1$ guessed $g^{pw_3 r_3}$ it still could not recover $pw_3$. Therefore the proposed protocol is secure against the Tang-Chen attack.
2) Undetectable on-line dictionary attack
Assume $n = 4$, so the parties are $C_1$, $C_2$, $C_3$ and $S$, and let $A$ be an outside attacker who attempts to guess the password of $C_3$ on-line. First, $A$ intercepts the messages $\{X_i\}_{i=1}^{2}$ from $C_2$ to $C_3$. $A$ chooses a random value $a' \in Z_q^*$, computes $g^{a'}$, encrypts it as $X_3'$ with a guessed password $pw_3'$, and passes the messages on to $S$. After receiving the messages, $S$ uses the correct password $pw_3$ to decrypt $X_3'$ and obtains a value $g^{a'}$, then chooses a random number $b_3 \in Z_q^*$ and forms $Y_3 = E_{pw_3}(g^{b_3})$, $sk_3' = H(C_3 | S | g^{a'} | g^{b_3} | g^{a' b_3})$ and $\eta_3' = E_{sk_3'}(g^{r_3})$; all other computations are performed correctly according to the protocol. Next, the attacker $A$ again intercepts the message from $C_2$ to $C_3$, uses the guessed password $pw_3'$ to decrypt $Y_3$ and obtain some $g^{b'}$, and from it computes a key $sk_3'$ with which to decrypt $\eta_3'$ and obtain $g^{r_3}$. Although $A$ can compute a message $m_3'$ to pass on to the server $S$, it cannot produce the right $\tau_3$ without the real $g^{b_3}$. So the messages will not pass the authentication by the server $S$, and the on-line attack is detected by $S$. Therefore the N-Party PAKE protocol prevents undetectable on-line dictionary attacks.
3) Off-line dictionary attack
The passwords $pw_i$ of the clients are used only in up-flow1, to encrypt the message $X_i = E_{pw_i}(g^{a_i})$ from $C_i$ to $S$ and the returned message $Y_i = E_{pw_i}(g^{b_i})$. An off-line dictionary attack on these two messages is impossible for an internal or an external attacker, because $a_i, b_i \in Z_q^*$ are chosen at random by the client $C_i$ and by $S$ respectively. The attacker cannot obtain these random values, so it has nothing against which to check password guesses. Therefore the N-Party PAKE protocol resists off-line dictionary attacks.
4) Man-in-the-middle attack
In a man-in-the-middle attack an adversary deceives the parties of a legitimate communication. Again assume $n = 4$, so the parties are $C_1$, $C_2$, $C_3$ and $S$, and let $A$ be an outside attacker who attempts to impersonate one party to the others. First, $A$ intercepts the message $X_1$ from $C_1$, chooses a random value $a' \in Z_q^*$ and computes $X_1' = E_{pw_1'}(g^{a'})$ with a guessed password $pw_1'$, then sends $X_1'$ to $S$. $S$ decrypts $X_1'$ with the real $pw_1$ and obtains a value $g^{a'}$, then chooses a random value $b_1 \in Z_q^*$ and computes $g^{b_1}$, $g^{a' b_1}$, $Y_1 = E_{pw_1}(g^{b_1})$, $sk_{A,S} = H(C_1 | S | g^{a'} | g^{b_1} | g^{a' b_1})$, $Mac_{A,S} = H(sk_{A,S} | g^{a'})$ and $\eta_{A,S} = E_{sk_{A,S}}(g^{pw_2 r_2} | g^{r_1})$. $A$ intercepts the message from $S$, chooses $b \in Z_q^*$, and computes the false messages $Y_1' = E_{pw_1'}(g^{b})$, $sk_{A,C} = H(C_1 | S | g^{a'} | g^{b} | g^{a' b})$ and $Mac_{A,C} = H(sk_{A,C} | g^{a'})$, then sends them to $C_1$. When $C_1$ receives the message, it verifies it using the real $g^{a_1}$, so the verification cannot pass. Therefore the N-Party PAKE protocol resists the man-in-the-middle attack.
5) Forward secrecy
If an attacker obtains all passwords $pw_i$ and the earlier messages, it can only recover $g^{a_i}$ and $g^{b_i}$. It has no way to obtain $g^{a_i b_i}$, so it cannot compute the session key $sk_i$. Even if the attacker obtains the session key $sk_i$, it still cannot compute the earlier group session key $SK$. Therefore the N-Party PAKE protocol provides forward secrecy.
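The following script is an added worked example, not code from the paper: it simulates one complete session of the protocol of Section 2 (up-flow1, up-flow2 with the functions $\phi$ and $\pi$, and the down-flow) for any number of clients, checks that every client derives the same $K = g^{r_1 x_1 \cdots x_{n-1}}$ and $SK$, and exercises the checks that the security analysis above relies on: a client holding a wrong password is stopped by its own $Mac_i$ check, and the server verifies every $\tau_i$ before releasing the down-flow. Everything below that the paper does not specify is an assumption of this example: a toy safe-prime group $p = 2q+1 = 2039$ with $g = 4$ (far too small for real use), $E_k$ realised as XOR with a SHA-256 keystream as a stand-in for the ideal cipher, $H$ = SHA-256, passwords mapped into $Z_q^*$ by hashing so they can serve as exponents in $g^{pw_{i+1} r_{i+1}}$, and 2-byte serialisation of group elements.

```python
"""Simulation of one N-Party PAKE session: up-flow1, up-flow2 and down-flow.
Added example, not the paper's code.  Assumptions the paper does not make:
toy safe-prime group p = 2q+1 = 2039 with g = 4 generating the order-q subgroup;
E_k realised as XOR with a SHA-256 keystream (a stand-in for the ideal cipher);
H = SHA-256; passwords mapped to exponents in Z_q^* by hashing; group elements
serialised as 2-byte big-endian values."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4


def H(*parts):
    """H(a | b | ...) as SHA-256 over the '|'-joined byte strings."""
    return hashlib.sha256(b"|".join(parts)).digest()


def enc(key, msg):
    """Toy E_k / D_k: XOR msg with a SHA-256 keystream derived from key (self-inverse)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(msg) // 32 + 1))
    return bytes(m ^ s for m, s in zip(msg, stream))


dec = enc
eb = lambda v: v.to_bytes(2, "big")                       # group element -> bytes (p < 2^16)
ib = lambda bs: int.from_bytes(bs, "big")                 # bytes -> int
lst = lambda bs: [ib(bs[i:i + 2]) for i in range(0, len(bs), 2)]   # bytes -> element list
rand = lambda: secrets.randbelow(Q - 1) + 1               # uniform element of Z_q^*
kdf = lambda pw: H(b"pw", pw)                             # password -> symmetric key
pwint = lambda pw: ib(kdf(pw)) % (Q - 1) + 1              # password -> exponent in Z_q^*
keyof = lambda elem: H(b"elem", eb(elem))                 # group element -> symmetric key


def phi(alphas, x):
    """phi({a_1..a_i}, x) = {a_1^x, ..., a_{i-1}^x, a_i, a_i^x}  (function (1))."""
    return [pow(v, x, P) for v in alphas[:-1]] + [alphas[-1], pow(alphas[-1], x, P)]


def pi(alphas, m, n):
    """pi({a_1..}, m, n) = {a_m, ..., a_{m+n-1}}, 1-indexed  (function (2))."""
    return alphas[m - 1:m - 1 + n]


def run_protocol(client_pws, server_pws=None):
    """Run one session with clients C_1..C_{n-1} holding client_pws and S holding server_pws.
    Returns each client's SK and K, plus K_expected = g^{r_1 x_1 ... x_{n-1}} for checking."""
    server_pws = server_pws or client_pws
    m = len(client_pws)                                   # m = n - 1 clients
    names = [b"C%d" % (i + 1) for i in range(m)]
    # up-flow1 step 1: C_i picks a_i and sends X_i = E_{pw_i}(g^{a_i}) up the chain
    a = [rand() for _ in range(m)]
    X = [enc(kdf(client_pws[i]), eb(pow(G, a[i], P))) for i in range(m)]
    # up-flow1 step 2: S decrypts X_i, picks b_i, r_i and forms sk_i, Mac_i, Y_i, eta_i
    ga = [ib(dec(kdf(server_pws[i]), X[i])) for i in range(m)]
    b, r = [rand() for _ in range(m)], [rand() for _ in range(m)]
    sk, Mac, Y, eta = [], [], [], []
    for i in range(m):
        gb, gab = pow(G, b[i], P), pow(ga[i], b[i], P)
        sk.append(H(names[i], b"S", eb(ga[i]), eb(gb), eb(gab)))
        Mac.append(H(sk[i], eb(ga[i])))
        Y.append(enc(kdf(server_pws[i]), eb(gb)))
        gri = eb(pow(G, r[i], P))
        if i < m - 1:   # eta_i = E_{sk_i}(g^{pw_{i+1} r_{i+1}} | g^{r_i})
            eta.append(enc(sk[i], eb(pow(G, pwint(server_pws[i + 1]) * r[i + 1] % Q, P)) + gri))
        else:           # eta_{n-1} = E_{sk_{n-1}}(g^{r_{n-1}})
            eta.append(enc(sk[i], gri))
    # up-flow2: each C_i checks Mac_i, forms tau_i, extends the chain with x_i and re-encrypts it
    x, tau, carried, client_sk = [rand() for _ in range(m)], [], None, []
    for i in range(m):
        gb = ib(dec(kdf(client_pws[i]), Y[i]))
        ski = H(names[i], b"S", eb(pow(G, a[i], P)), eb(gb), eb(pow(gb, a[i], P)))
        if H(ski, eb(pow(G, a[i], P))) != Mac[i]:
            raise ValueError("C%d: Mac check failed (wrong password or tampered Y/Mac)" % (i + 1))
        client_sk.append(ski)
        plain = dec(ski, eta[i])
        next_key, gri = ((keyof(ib(plain[:2])), ib(plain[2:])) if i < m - 1
                         else (keyof(ib(plain)), ib(plain)))
        tau.append(H(eb(gri), eb(gb)))
        # m_0 = {g^{r_1}}; later clients decrypt m_{i-1}' with g^{pw_i r_i} = (g^{r_i})^{pw_i}
        prev = [gri] if i == 0 else lst(dec(keyof(pow(gri, pwint(client_pws[i]), P)), carried))
        chain = phi(prev, x[i]) if i < m - 1 else pi(phi(prev, x[i]), 1, m)
        carried = enc(next_key, b"".join(eb(v) for v in chain))   # m_i'
    # down-flow step 1: S checks every tau_i, decrypts m_{n-1}' and re-encrypts m_bar_i under sk_i
    for i in range(m):
        if tau[i] != H(eb(pow(G, r[i], P)), eb(pow(G, b[i], P))):
            raise ValueError("S: tau_%d check failed" % (i + 1))
    mbar = lst(dec(keyof(pow(G, r[m - 1], P)), carried))
    down = [enc(sk[i], eb(mbar[i])) for i in range(m)]
    # down-flow step 2: C_i decrypts its m_bar_{n,i}, raises it to x_i and derives SK = H(K | C)
    C = b",".join(names)
    K = [pow(ib(dec(client_sk[i], down[i])), x[i], P) for i in range(m)]
    prod = r[0]
    for xi in x:
        prod = prod * xi % Q
    return {"SK": [H(eb(k), C) for k in K], "K": K, "K_expected": pow(G, prod, P)}


def mac_detects_wrong_password(pws, bad_index):
    """True if a client using a wrong password is stopped by its own Mac_i check."""
    wrong = list(pws)
    wrong[bad_index] = pws[bad_index] + b"-guess"
    try:
        run_protocol(wrong, pws)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    out = run_protocol([b"alice-pw", b"bob-pw", b"carol-pw"])      # n = 4, as in the paper's analysis
    print("clients agree on SK:", len(set(out["SK"])) == 1, "K correct:", out["K"] == [out["K_expected"]] * 3)
    print("wrong password caught:", mac_detects_wrong_password([b"alice-pw", b"bob-pw", b"carol-pw"], 1))
```

The chain of $m_i$ values shows why $\pi$ is needed: after $C_{n-1}$ applies $\phi$ the list has $n$ elements, the last of which is $g^{r_1 x_1 \cdots x_{n-1}}$, i.e. $K$ itself, so $\pi(\cdot, 1, n-1)$ drops it before the list is sent to $S$, and $S$ only ever sees the $n-1$ elements that each lack one client's exponent.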
3.2. Efficiency Analysis
In Table I, we compare Byun's N-Party EKE-U protocol with the N-Party PAKE protocol in computational cost and communication cost.

TABLE I. EFFICIENCY COMPARISON

Costs                              N-Party PAKE protocol    Byun's N-Party EKE-U protocol
Computational costs for clients    (n^2+5n-6)/2             (n^2+6n-9)/2
Computational costs for server     4n-5                     (n^2+3n-6)/2
Total computational costs          (n^2+13n-16)/2           (2n^2+9n-15)/2
Communication costs                3n-2                     4n-6

From the comparison we can see that the N-Party PAKE protocol improves on both the computational costs and the communication costs.
4. Conclusion
To improve the operating efficiency, we propose an N-Party PAKE protocol. The protocol improves on the computational and communication costs of N-Party EKE-U, and the improved protocol resists many familiar attacks.
5. References
[1] E. Bresson, O. Chevassut, and D. Pointcheval, "Group Diffie-Hellman key exchange secure against dictionary attacks," in Proceedings of Asiacrypt '02, LNCS vol. 2501, Springer-Verlag, 2002, pp. 497-514.
[2] E. Bresson, O. Chevassut, D. Pointcheval, and J. J. Quisquater, "Provably authenticated group Diffie-Hellman key exchange," in Proceedings of the 8th ACM Conference on Computer and Communications Security, 2001, pp. 255-264.
[3] J. W. Byun and D. H. Lee, "N-Party encrypted Diffie-Hellman key exchange using different passwords," in J. Ioannidis, A. D. Keromytis, and M. Yung (eds.), ACNS 2005, LNCS vol. 3531, Springer, Heidelberg, 2005, pp. 75-90.
[4] Q. Tang and L. Chen, "Weaknesses in two group Diffie-Hellman key exchange protocols," Cryptology ePrint Archive, Report 2005/197, 2005.
[5] R. C. W. Phan and B. M. Goi, "Cryptanalysis of the N-party encrypted Diffie-Hellman key exchange using different passwords," in Proceedings of the 4th International Conference on Applied Cryptography and Network Security (ACNS 2006), LNCS, Singapore, 2006, pp. 226-238.
[6] E. Bresson, O. Chevassut, and D. Pointcheval, "The group Diffie-Hellman problems," in H. Heys and K. Nyberg (eds.), Proceedings of SAC 2002, LNCS, Springer-Verlag, August 2002.
[7] J. O. Kwon, I. R. Jeong, and D. H. Lee, "Provably-secure two-round password-authenticated group key exchange in the standard model," in IWSEC 2006, Kyoto, Japan, 2006, pp. 322-336.
[8] R. M. Sayed, M. H. Ibrahim, and Z. B. Nossair, "Group key exchange protocol for users with individual passwords," Journal of Engineering and Applied Science, vol. 55, no. 8, pp. 327-342, 2008.
[9] E. Bresson, O. Chevassut, and D. Pointcheval, "Group Diffie-Hellman key exchange secure against dictionary attacks," in Asiacrypt '02, Queenstown, New Zealand, 2002, pp. 497-514.
[10] Z. Wan, R. H. Deng, F. Bao, et al., "nPAKE+: A hierarchical group password-authenticated key exchange protocol using different passwords," in ICICS 2007, Zhengzhou, China, 2007, pp. 31-43.