Optimal Distributed Password Verification


Jan Camenisch (IBM Research Zurich), Anja Lehmann (IBM Research Zurich), Gregory Neven (IBM Research Zurich)

ABSTRACT

We present a highly efficient cryptographic protocol to protect user passwords against server compromise by distributing the capability to verify passwords over multiple servers. Password verification is a single-round protocol and requires from each server only one exponentiation in a prime-order group. In spite of its simplicity, our scheme boasts security against dynamic and transient corruptions, meaning that servers can be corrupted at any time and can recover from corruption by going through a non-interactive key refresh procedure. The users' passwords remain secure against offline dictionary attacks as long as not all servers are corrupted within the same time period between refreshes. The only currently known scheme to achieve such strong security guarantees incurs the considerable cost of several hundred exponentiations per server. We prove our scheme secure in the universal composability model, which is well-known to offer important benefits for password-based primitives, under the gap one-more Diffie-Hellman assumption in the random-oracle model. Server initialization and refresh must take place in a trusted execution environment. Initialization additionally requires a secure message to each server, but the refresh procedure is non-interactive. We show that these requirements are easily met in practice by providing an example deployment architecture.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Cryptographic control; D.4.6 [Security and Protection]: Access controls; D.4.6 [Security and Protection]: Authentication

Keywords: Password verification, proactive security, UC security.

1. INTRODUCTION

In spite of all their shortcomings in terms of security and usability, passwords are still the predominant method of on-line user authentication. One of the main threats currently posed to password security is server compromise. More than one billion personal data records were reported stolen in 2014 alone [16]; most of these records included user passwords. With more personal and financial data moving into the cloud, a further increase in breaches targeting usernames and passwords is expected for 2015 [14]. Even when properly salted and hashed, the low entropy in human-memorizable passwords is no match for the brute force of modern hardware: already in 2012, a rig of 25 GPUs could test up to 350 billion guesses per second in an offline dictionary attack. More complicated password hash functions [20, 24] can provide some relief, but at a linear rate at best: the computational effort to verify passwords for an honest server increases by the same factor as for the attacker, while the latter is probably better equipped with dedicated password-cracking hardware. The problem of offline dictionary attacks when a server is compromised is inherent whenever that single server can test the correctness of passwords.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org. CCS'15, October 12-16, 2015, Denver, Colorado, USA. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM /15/10...$ DOI:
A natural solution, first proposed by Ford and Kaliski [15], is therefore to split up the capability to verify passwords over two or more servers, so that security is preserved as long as less than a threshold of them are hacked. This has been the central idea behind several threshold password-authenticated key exchange (TPAKE) [17, 22, 2, 12, 25, 21] and threshold password-authenticated secret sharing (TPASS) [3, 10, 9, 18, 6] protocols as well as behind the RSA product Distributed Credential Protection (DCP) [13]. Resistance against server compromise is one thing, but knowing how to recover from it is another. Without secure recovery, all one can do in case of a detected breach is to re-initialize all servers and request all users to reset their passwords, which is probably exactly what one wanted to avoid by deploying the scheme. In cryptographic literature, recovery from compromise is known as proactive security or security against transient corruptions. Of the aforementioned threshold password-authenticated protocols, only Camenisch et al. [6] describe a recovery procedure and prove their protocol secure against transient corruptions. Di Raimondo and Gennaro [12] mention the possibility to refresh shares and the RSA DCP product description [13] mentions a re-randomization feature, but neither provides details or a security proof. Proactive security in the protocol of Camenisch et al. [6] unfortunately comes at a considerable cost: a few hundred exponentiations per server may be within practical reach for occasional data retrieval, but not for high-volume password verification.

Our contribution. We present two simple and extremely efficient proactively secure distributed password verification protocols, allowing a login server LS and a number of back-end servers S_1, ..., S_n to jointly determine the correctness of a user's password, while ruling out offline dictionary attacks unless all servers are corrupted during the same time period. A corrupt LS only sees the passwords of user accounts that are created or logged into during the corruption. No passwords, password hashes, or any other offline-attackable information is leaked for accounts that are inactive during the corruption. We think this is a reasonable compromise for not requiring user-side software, as it provides adequate protection against smash-and-grab attacks and short-term corruptions. Login, i.e., password verification, is a single-round protocol requiring just one exponentiation in a prime-order group on each server (two for LS), which is essentially optimal unless schemes without public-key operations can be found. The recovery and key refresh procedure is non-interactive and only involves a couple of additions and pseudo-random function evaluations per server, making it more than efficient enough to perform it preventively on a regular basis instead of just after a detected breach. Our first construction works in any prime-order group, including elliptic curves, and involves a three-round account creation (password setup) protocol with three exponentiations per server (six for LS). Our second construction is based on elliptic curves with bilinear maps and also offers single-round account creation with one exponentiation per back-end server and one exponentiation and one pairing computation for LS. Both our protocols assume that the key refresh procedure has access to a special backup tape that is not connected during normal operation. In practice, this can be achieved by using smart cards or by making use of properties of modern cloud platforms, as we will explain.
Given their extreme efficiency, it is all the more surprising that we managed to prove our constructions secure under a very strong universally composable (UC) [5] notion with transient corruptions. Parties can be dynamically corrupted at any point in the protocol, even between communication rounds. Transiently corrupted parties leak their full state, but not the content of their backup tape, to the adversary and remain corrupted until the next key refresh. Permanently corrupted parties additionally leak the backup tape and cannot be recovered. As was argued before [21, 10, 9, 6], universal composability offers important advantages over traditional game-based definitions in the particular case of password-based protocols. Namely, UC notions leave the choice of passwords to the environment, so that arbitrary distributions and dependences between passwords are correctly modeled. This is crucial to guarantee security in real-life settings where users make typos when entering their passwords, share passwords, or use the same password for different accounts, none of which are covered by currently known game-based notions. Also, it is very unclear whether protocols can be securely composed with the non-negligible attack probabilities that game-based definitions tend to employ. We prove our constructions secure in the random-oracle model under the (gap) one-more Diffie-Hellman assumption that was previously used to prove security for blind signature [4], oblivious transfer [11], TPASS protocols [18], and set intersection protocols [19]. We achieved this rare combination of strong security and high efficiency by careful proof techniques in the random-oracle model, as well as through some compromises in security that are very reasonable for practical use, but save on cryptographic machinery in the protocol design. First, we assume that the initialization of all servers takes place in a trusted environment where all servers are honest. During initialization, we assume that LS can transmit one secure message to each back-end server S_i.
This secure initialization is not hard to achieve in practice, as we explain in Section 6. Server refresh, i.e., whereby a server can recover from a transient corruption, does not require any interaction with other servers. Second, the back-end servers S_1, ..., S_n do not learn which user is logging in or whether the password was correct. This definitely limits their ability to throttle failed login attempts, but since LS can apply clever throttle algorithms based on user id and login results, the natural throttling of back-end servers just by requiring network communication should suffice to fend off attacks. Finally, we do not cover robustness: an adversary can make LS err on the safe side and conclude that the password was false while in fact it was correct, but not the other way around. This could be fixed by adding the same zero-knowledge or pairing verification as during account registration. This would have a major impact on efficiency, however, so we prefer to accept this rather benign attack in the model. As a technical contribution, our scheme employs a novel technique to obtain proactive security that may be of independent interest. In a nutshell, we start off from a basic scheme that is secure under dynamic but non-transient corruptions. The basic scheme is secure under the gap one-more Diffie-Hellman assumption, but the security proof requires guessing one server at the beginning of the game that will not get corrupted during the game. This guessing induces a tightness loss in the reduction equal to the number of servers. While that loss could still be tolerated, things get worse when moving this scheme into a proactive setting. Here one would have to guess an uncorrupted server at the beginning of each epoch, so that the tightness loss blows up exponentially in the number of epochs. An easy but unsatisfying solution could be to restrict the scheme to a logarithmic number of epochs, or to only model semi-static corruptions where the adversary has to announce all servers that it wants to corrupt at the beginning of each epoch.
Instead, we modify the scheme to apply random-oracle-generated blinding factors to all protocol messages, so that protocol messages do not commit servers to their keys, without ruining the overall functioning of the protocol. In the simulation, we can therefore choose a server's keys only at the moment that it is corrupted and carefully program the random oracle to ensure consistency of previous protocol messages, without having to guess anything upfront.

Related work. Our constructions are closely related to the prime-order-group and bilinear-map instantiations of TPASS by Jarecki et al. [18] (which they call PPSS). In their construction, each server has a key for a verifiable oblivious pseudorandom function (V-OPRF). For each server, the user encrypts a share of his secret under a key that is the evaluation of the V-OPRF of that server on his password. The scheme supports thresholds as well as robustness thanks to the verifiability of the V-OPRF. In principle, our protocol could be seen as a variant where all servers jointly evaluate a single, distributed V-OPRF, rather than a separate one each, and where servers can update their key shares for the V-OPRF. This is not a straightforward change, however, and doesn't work for any V-OPRF in general. Moreover, whereas their protocol requires LS to perform t V-OPRF verifications (i.e., zero-knowledge proofs or pairings) during login, our protocol doesn't need any at all, which has a tremendous impact on efficiency. Even during account creation, our protocol only involves a single verification. Finally, we prove our protocol secure in the UC framework, as opposed to their game-based model, which offers important security improvements as mentioned earlier.

2. PRELIMINARIES

Let κ ∈ N be a security parameter. A polynomial-time algorithm A is an algorithm that takes κ as an implicit input and that has running time bounded by a polynomial in κ. A function ν(κ) is said to be negligible if for every polynomial p(κ) there exists a κ_0 ∈ N s.t. ν(κ) < 1/p(κ) for all κ > κ_0. For concrete security, one could typically use κ = 128.

Gap One-More Diffie-Hellman. Let G be a multiplicative group of prime order q > 2^{2κ} with generator g. The gap one-more Diffie-Hellman assumption for G says that no polynomial-time adversary A has a non-negligible advantage of winning the following game. On input (g, X) where X ← g^x for x ←R Z_q, the adversary is given access to the following oracles:
- A target oracle T that returns a random target point t ←R G each time it is called.
- A computational Diffie-Hellman oracle CDH that, on input a group element h ∈ G, returns h^x.
- A decisional Diffie-Hellman oracle DDH that, on input group elements h, z, returns 1 if z = h^x and returns 0 otherwise.
Eventually, A outputs a list of tuples ((t_1, z_1), ..., (t_n, z_n)). It wins the game if t_1, ..., t_n are different target points generated by T, z_i = t_i^x for all i = 1, ..., n, and A made less than n queries to its CDH oracle.
The adversary's advantage Adv^{gomcdh}_{A,G}(κ) is defined as the probability that A wins the game.

Let G_1, G_2, G_t be multiplicative groups of prime order q > 2^{2κ} with generators g_1, g_2, g_t, respectively, and with an efficiently computable pairing function e : G_1 × G_2 → G_t that is a non-trivial bilinear map, i.e., for all a ∈ G_1, b ∈ G_2, and x, y ∈ Z_q, e(a^x, b^y) = e(a, b)^{xy}, and e(g_1, g_2) = g_t. The one-more Diffie-Hellman assumption for (G_1, G_2) is defined analogously to the game above, but now A is given (g_1, g_2, X = g_2^x) as input and the T and CDH oracles generate, respectively raise to the x, elements of G_1. There is no DDH oracle, but depending on the type of curve, DDH may be easy via the pairing function. The one-more DH [4, 11, 18] and the gap one-more DH [18] were used to prove the security of protocols, as well as non-adaptive variants [19]. Cheon [8] presented an attack on the (gap) one-more Diffie-Hellman assumptions that reduces the complexity of recovering x from O(√q) to O(√(q/d)) if d | p − 1 and g^{x^d} is given to the adversary. That is, the security is reduced by a factor O(√d), so it is prudent to prevent this attack by increasing the group order with log d bits.

1. Upon input (SEND, sid, S, R, m) from S, send (SENT, sid, S, R, |m|) to A, generate a private delayed output (SENT, sid, S, m) to R and halt.
2. Upon receiving (CORRUPT, sid, P) from A, where P ∈ {S, R}, disclose m to A. Next, if the adversary provides a value m', and P = S, and no output has been yet written to R, then output (SENT, sid, S, m') to R and halt.
Figure 1: The functionality F_smt.

Combinatorial Secret Sharing. A straightforward way to create n-out-of-n secret shares of the unity element in a group G among parties P_1, ..., P_n is to choose shares s_2, ..., s_n ←R G and set s_1 ← 1/∏_{i=2}^n s_i. Each party P_i is given secret share s_i; they are correct shares of one because ∏_{i=1}^n s_i = 1. An alternative way to compute the same shares is by choosing s_{{i,j}} ←R G for all 1 ≤ i < j ≤ n and handing (s_{{i,j}})_{j=1, j≠i}^n to P_i for i = 1, ..., n.
Note that each share s_{{i,j}} is known to parties P_i and P_j. Party P_i computes its share of unity as s_i ← ∏_{j=1, j≠i}^n s_{{i,j}}^{±1}, where the exponent is +1 if i < j and −1 otherwise. One can easily see that ∏_{i=1}^n s_i = ∏_{i=1}^n ∏_{j=1, j≠i}^n s_{{i,j}}^{±1} = ∏_{i=1}^n ∏_{j=i+1}^n s_{{i,j}} · s_{{i,j}}^{−1} = 1. This construction is particularly interesting because it offers a practical way to non-interactively generate arbitrarily many shares of unity by letting s_{{i,j}} be generated pseudorandomly from a seed that is known to parties P_i and P_j only.

Secure Message Transmission. The ideal functionality for secure message transmission F_smt depicted in Figure 1 allows a sender S to send a private and integrity-protected message to a receiver R. It is the special case of Canetti's [5] functionality for leakage function l(m) = |m|.

Pseudo-Random Generators. A pseudo-random generator (PRG) is a function PRG : D → R where no polynomial-time adversary can distinguish the output of PRG on a random input from a truly random string. The advantage Adv^{pr}_{A,PRG}(κ) of an adversary A is defined as Pr[1 = A(y) : x ←R D, y ← PRG(x)] − Pr[1 = A(y) : y ←R R].

Message Authentication Codes. A message authentication code (MAC) is a function MAC : K × {0,1}* → T that on input a key µ and a message m ∈ {0,1}* returns a tag τ. We say that MAC is unforgeable against chosen-message attack if all polynomial-time adversaries A have negligible advantage Adv^{uf-cma}_{A,MAC}(κ) defined as Pr[τ = MAC(µ, m) ∧ m ∉ Q : µ ←R K; (m, τ) ←R A^{MAC(µ,·)}], where Q is the set of messages that A submitted to its MAC(µ, ·) oracle.

3. SECURITY DEFINITION

In this section we now formally define our distributed password verification scheme by describing its ideal functionality in the universal composability (UC) framework [5]. Roughly, a protocol is said to securely realize an ideal functionality F if an environment E cannot distinguish whether it is interacting with the real protocol π and a real adversary A, or with F and a simulator SIM. We denote the probability that E outputs 1 in both worlds as Real_{π,E,A}(κ) and Ideal_{F,E,SIM}(κ), respectively.

First, let's briefly recall the goal of our distributed password verification system, before we present our ideal functionality. In our system, a login server LS is the main access point where users provide their username uid and password pwd. Once a user has created an account for such a username-password combination with the LS, he can subsequently log in by providing the correct username and password again. Thus, the login server must be able to verify whether a password attempt pwd' matches the stored password pwd or not. Our goal is to provide that functionality without introducing a single point of failure that, when corrupted, leaks all passwords to the adversary or allows offline attacks against them. Therefore, LS is assisted by n servers S_1, ..., S_n running in the back-end. Those servers have to actively contribute to allow a password verification and thus can refuse whenever they notice suspicious activity that might be aimed at an online password guessing attack. Note that password changes are not explicitly modeled; these can always be implemented by performing a login under the old password followed by an account creation with the new password (if necessary for a new username, e.g., containing an increased index). To model a realistic setting, we consider active and adaptive corruptions, allowing the adversary to take control of any initially honest party at any time. We distinguish between transient and permanent corruptions. Transiently corrupted parties do not leak the contents of their backup tape and can recover from an attack by going through a refresh procedure. In a permanent corruption, the backup tape is leaked to the adversary, and there is no way to recover, meaning that the server is corrupted for all future epochs.
As long as the adversary does not corrupt all servers LS, S_1, ..., S_n in the same epoch, our distributed password verification scheme protects the stored passwords, meaning that the adversary neither learns the passwords nor is able to perform offline attacks on them.

3.1 Ideal Functionality

The detailed description of our ideal functionality F_dpv is given in Figure 2. When describing our functionality, we use the following writing conventions to reduce repetitive notation:
- The functionality ignores all inputs other than INIT until the instance is active. Once the instance is active, it ignores further calls to INIT.
- For all interfaces (except INIT), the ideal functionality only considers the first input for each ssid and for each originating party P. Subsequent inputs to the same interface for the same ssid coming from the same party P are ignored.
- At each invocation, the functionality checks that sid = (LS, S_1, ..., S_n, sid') for server identities LS, S_1, ..., S_n, and sid' ∈ {0,1}*. Also, whenever we say that the functionality receives input from or provides output to LS or S_i, we mean LS or S_i as specified in the sid.
- When we say that the functionality looks up a record, we implicitly understand that if the record is not found, F ignores the input and returns control to the environment.
- We assume that the session identifier sid and sub-session identifiers ssid given as input to our functionality are globally unique, and that honest parties drop any inputs with (sub)session identifiers that are not locally unique.

We now also describe the behavior of the main interfaces in a somewhat informal manner to clarify the security properties that our functionality provides.

Account Creation. The creation of a new account for username uid and password pwd is initiated by the login server LS and requires the active approval of all n back-end servers S_1, ..., S_n (if LS is honest). Several account creation (and login) sessions can be run in parallel; a unique sub-session identifier ssid is input to all create and login related interfaces and identifies the respective sub-session.
2: The CREATE interface allows the login server to trigger the creation of a new user record (setup, ssid, uid, pwd, proceed, finished). The two flags, proceed and finished, reflect the status of the record and are both initially set to 0.

3: The PROCEED interface can be invoked by the back-end servers S_i to signal their willingness to continue an account creation (or login) session, identified by the given ssid. Only if all n servers have given the ok to proceed, the setup (or login) account associated with ssid gets activated for finalization, which is modeled by setting proceed ← 1. Awaiting explicit approval of all servers gives each server the opportunity to throttle or block a session if they detect some suspicious behaviour, which is crucial to prevent offline attacks against the password. If the login server is corrupt, an activated account creation (or login) session also increases the global guesses counter, giving the adversary one more password guess (via the interface PWDGUESS).

4: The CREATEOK interface can be invoked by the adversary to allow completion of the setup account for ssid, which is realized by setting finished ← 1. However, if the login server is honest, the adversary can only complete records for those ssid's to which all servers have already agreed to proceed. This restriction does not hold for a corrupt login server though, as in the real world, the corrupt LS could always create as many (bogus) user records as he wants. Whenever the LS gets honest again, the login will most likely fail for such bogus records though. This is modeled accordingly in our RESULT interface where the adversary can always make the verification fail for such forged accounts.

Login. To verify whether a provided username-password combination uid, pwd' is correct, the login server LS can initiate a login request. Then, if all servers agree to proceed (using the 3.PROCEED interface), the adversary can instruct the ideal functionality to inform the LS whether the provided password attempt pwd' matches the setup password pwd stored for uid. Again, each login sub-session is identified via a unique ssid.
1. Initialization. On input (INIT, sid) from login server LS: Record this instance as active, set guesses ← 0 and create a record (corrupt, TC, PC) with TC, PC ← ∅. Send (INIT, sid) to A.
2. Account Creation Request. On input (CREATE, sid, ssid, uid, pwd) from login server LS: If LS is honest, and a setup record for uid exists, then ignore this input. Create a new record (setup, ssid, uid, pwd, proceed, finished) with proceed ← 0 and finished ← 0. Send (CREATE, sid, ssid, uid) to A.
3. Server Proceed (used in account creation and login). On input (PROCEED, sid, ssid) from a server S_i: Look up the setup or login record for ssid. If PROCEED messages from all n servers S_1, ..., S_n have been received for ssid, update the login or setup record for ssid by setting proceed ← 1, and if LS is corrupt, set guesses ← guesses + 1. Send (PROCEED, sid, ssid, S_i) to A.
4. Creation Result. On input (CREATEOK, sid, ssid) from A: Look up the setup record (setup, ssid, uid, pwd, proceed, finished) for ssid. If the LS is honest, only proceed if proceed = 1. Update the record by setting finished ← 1 and output (CREATEOK, sid, ssid) to LS.
5. Login Request. On input (LOGIN, sid, ssid, uid, pwd') from LS: Create a new record (login, ssid, uid, pwd', proceed') with proceed' ← 0 and send (LOGIN, sid, ssid, uid) to A.
6. Login Result. On input (RESULT, sid, ssid, fail) from adversary A: Look up the login record (login, ssid, uid, pwd', proceed') for ssid and the corresponding setup record (setup, ssid', uid, pwd, proceed, finished) for uid. Ignore this input if proceed' = 0 or finished = 0. If pwd ≠ pwd', or if fail = 1 and at least one server from S_1, ..., S_n is corrupt or proceed = 0, then set pwdok ← 0. Else, set pwdok ← 1. If LS is corrupt, set guesses ← guesses − 1. Delete the login record for ssid and send a delayed output (RESULT, sid, ssid, pwdok) to LS.
7. SSID Timeout. On input (TIMEOUT, sid, ssid) from LS: If a login record for ssid exists, delete the record. If a setup record (setup, ssid, uid, pwd, proceed, finished) for ssid and with finished = 0 exists, then delete the record.
8. Server Corruption. On input (CORRUPT, sid, S, mode) from A, where S ∈ {LS, S_1, ..., S_n} and mode ∈ {trans, perm}: Look up the record (corrupt, TC, PC). If mode = trans, update the record with TC ← TC ∪ {S}. If mode = perm, update the record with PC ← PC ∪ {S}. If TC ∪ PC = {LS, S_1, ..., S_n} then set guesses ← ∞. If S = LS, then assemble L ← {(ssid, uid, pwd')} for all ongoing sessions, i.e., extract the passwords from all setup records (setup, ssid, uid, pwd', proceed, finished) with finished = 0 and all stored login records (login, ssid, uid, pwd', proceed'). If S ≠ LS, set L ← ⊥. Send (CORRUPT, sid, L) to A.
9. Server Refresh. On input (REFRESH, sid) from LS: Look up the corruption record (corrupt, TC, PC) and update the record to (corrupt, ∅, PC). Delete all setup records with finished = 0 and all login records. Send (REFRESH, sid, S) to A.
10. Password Guessing. On input (PWDGUESS, sid, uid, pwd') from adversary A: Look up the setup record (setup, ssid, uid, pwd, proceed, finished) with finished = 1. If guesses = 0 set pwdok ← ⊥. Else, set guesses ← guesses − 1 and, if pwd = pwd', set pwdok ← 1, otherwise set pwdok ← 0. Send (PWDGUESS, sid, uid, pwdok) to A.
Figure 2: Ideal Functionality F_dpv with sid = (LS, S_1, ..., S_n, sid').

5: The LOGIN interface is invoked by the LS on input ssid, uid, pwd' and triggers the creation of a new login record (login, ssid, uid, pwd', proceed') with proceed' ← 0.

6: The RESULT interface allows the adversary to instruct F_dpv to release the result of the password verification to the login server LS. The adversary can do so only for those login sessions for which all servers already gave the ok to proceed, i.e., the login record for ssid contains proceed = 1 (set via the 3.PROCEED interface). Note that here the check whether proceed = 1 is also required for a corrupt LS, as otherwise a corrupt login server could offline attack the user passwords. If all servers agreed to proceed, the ideal functionality then looks up the corresponding setup record (setup, ssid', uid, pwd, proceed, 1) for uid and sets the verification result to pwdok ← 1 if the passwords match, i.e., pwd = pwd', and pwdok ← 0 otherwise. If at least one back-end server S_i ∈ {S_1, ..., S_n} is corrupt, or the account was created by a corrupt LS, then A can enforce a negative result pwdok ← 0 by passing fail = 1 as extra input. However, the adversary can only turn a successful result into a failed one, but not vice versa, i.e., he cannot make a mismatch of the passwords look like a match. Further, if the login result is delivered to a corrupt LS, then the global guesses counter is decreased. Recall that guesses gets increased in the PROCEED interface when LS is corrupt and all servers want to proceed with ssid. Thus, for login, the adversary can basically choose whether it wants to use that guess to complete the login request, or to perform a password guess at an arbitrary user account via the PWDGUESS interface. Note that for the latter, the LS can already be honest again (if a refresh took place), i.e., the adversary can keep the password guess for a later time. Finally, when a login session is completed, the corresponding login record is deleted. This is important for corruption, because an adversary who corrupts the LS learns the passwords of all ongoing (or interrupted) setup and login sessions.

Time Out. 7: The TIMEOUT interface allows the login server to terminate ongoing account creation or login sessions. The ideal functionality then deletes the login or setup record for the specified ssid. For setup accounts this is only possible for incomplete records, i.e., where finished = 0. This models the desired ability of a real world LS to abandon sessions when it hasn't received all server responses in an appropriate time, e.g., if a server refuses to proceed, or the response got intercepted by the adversary.

(Un)Corruption & Password Guessing. Our functionality supports adaptive and transient as well as permanent corruptions. The environment can, at any time, decide to corrupt any initially honest server LS or S_i and specify the corruption type. In a transient corruption, the party remains corrupted until the next refresh of that server. Parties that are permanently corrupted cannot be recovered and remain corrupted until the end of the game. As long as not all parties are corrupted at the same time (regardless of whether they are transiently or permanently corrupted), the adversary has only very limited power for attacking the stored passwords, which is modeled by the password guessing interface. Note that we do not follow the standard UC corruption model which, upon corruption of a party, gives all past in- and outputs to the adversary. This is clearly not desirable in the given context of protecting bulk user passwords that are processed by the login server. Thus, we aim at stronger security guarantees, despite adaptive corruptions, which is modeled by the following interfaces.

8: The CORRUPT interface allows the adversary to transiently (mode = trans) or permanently (mode = perm) corrupt any party S ∈ {LS, S_1, ..., S_n}. If S = LS, i.e., the adversary decided to corrupt the login server, it learns the passwords of all ongoing setup and login sessions. When all parties are corrupted at the same time, the adversary is still not given the stored passwords. Instead, the functionality sets guesses ← ∞, which gives the adversary unlimited access to the PWDGUESS interface described below.

9: By invoking the REFRESH interface, all transiently corrupted servers become honest again. From then on, inputs and outputs of non-permanently-corrupted servers go to the environment, instead of to the adversary (until a server is corrupted again). Once the adversary has corrupted all parties at the same time, however, the unlimited capabilities for offline attacks remain. Further, the functionality deletes all records of incomplete setup or login sessions.
10: The PWDGUESS interface is the only possibility of the adversary to attack the stored user passwords. The access to this interface is limited by the guesses counter. As long as not all parties got corrupted at the same time, guesses is only increased when a corrupt login server started a new setup or login session, and all servers agreed to proceed. For each such session, the adversary gets one more guess against a password for a uid of his choice.

4. OUR FIRST CONSTRUCTION

The basic idea of the protocol is so simple that it can actually be explained in a couple of lines. Each server S_i ∈ {LS = S_0, S_1, ..., S_n} has its own secret exponent K_i. The password hash stored by LS for user uid and password pwd is G(uid, pwd, H(uid, pwd)^K), where K = ∑_{i=0}^n K_i mod q and G and H are hash functions. To compute this value, LS chooses a random nonce N ←R Z_q and sends u ← H(uid, pwd)^N to S_i, who responds with v_i ← u^{K_i} so that LS can compute v ← ∏_{i=0}^n v_i^{1/N} = H(uid, pwd)^K. This computation is performed at account creation and again at each login to check that the recomputed value matches the stored hash. To refresh their keys, all servers add a pseudorandomly and non-interactively generated share of zero to their K_i so that the individual keys are independent of those in the previous epoch, but their sum K = ∑_{i=0}^n K_i mod q remains constant. There are two problems that slightly complicate the protocol, however. First, to obtain proactive security for arbitrarily many epochs, it is crucial that previous protocol messages do not commit a server S_i to its secret key K_i. Non-committing encryption [7] doesn't help, because the adversary could corrupt LS and decrypt the elements v_i that commit S_i to its key K_i. Instead, we apply a clever combination of blinding factors to each protocol message that preserve the overall result of the protocol, but that avoid honest servers from having to commit to their keys. Second, a corrupt server S_i may misbehave and use a different exponent K_i' ≠ K_i during its computation of v_i.
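The basic idea just described, together with the pairwise-seed sharing of Section 2 that makes the refresh non-interactive, in working form. This is an added illustration, not the paper's code or its full Section 4.1 scheme (the blinding factors that protect against committing messages and the account-creation zero-knowledge check are not modelled). Assumptions: a 64-bit safe-prime subgroup stands in for the prime-order group (a real deployment would use a 256-bit elliptic-curve group), SHA-256 stands in for the random oracles H and G, HMAC-SHA256 over a pairwise seed and an epoch number is the pseudo-random function for the shares of zero, and the shares are additive mod q because the shared secret is the exponent K.

```python
"""Toy model of Section 4's basic protocol: password hash G(uid, pwd, H(uid, pwd)^K)
with K = sum(K_i) mod q split over LS (= S_0) and n back-ends, one blinded
exponentiation per server at login, and a non-interactive refresh that adds
pairwise pseudorandom shares of zero (Section 2). Added illustration, not the
paper's code; the group, hashes and PRF are assumptions (see lead-in)."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Return (p, q) with p = 2q + 1 both prime; squares mod p form the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_group()   # toy parameters; real deployments use a 256-bit curve group


def H(uid, pwd):
    """Hash (uid, pwd) into the order-q subgroup (stand-in for the random oracle H)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"H|{uid}|{pwd}|{ctr}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if h > 1:
            return h
        ctr += 1


def G(uid, pwd, v):
    """Outer hash G(uid, pwd, H(uid, pwd)^K); this is the value LS stores."""
    return hashlib.sha256(f"G|{uid}|{pwd}|{v}".encode()).hexdigest()


class Server:
    """S_0 is LS, S_1..S_n are back-ends; seeds[j] is known to i and j only (backup tape)."""

    def __init__(self, index, key, seeds):
        self.index, self.key, self.seeds = index, key, seeds

    def respond(self, u):
        """All the online work of a server: one exponentiation with its current share."""
        return pow(u, self.key, P)

    def refresh(self, epoch):
        """Add a share of zero: +PRF(seed_ij, epoch) if i < j, -PRF(seed_ij, epoch) if i > j."""
        delta = 0
        for j, seed in self.seeds.items():
            tag = hmac.new(seed, str(epoch).encode(), hashlib.sha256).digest()
            r = int.from_bytes(tag, "big") % Q
            delta += r if self.index < j else -r  # both holders derive the same r
        self.key = (self.key + delta) % Q


def setup_servers(n):
    """Trusted initialization: random K_0..K_n and one secret seed per pair {i, j}."""
    seeds = {(i, j): secrets.token_bytes(32) for i in range(n + 1) for j in range(i + 1, n + 1)}
    servers = []
    for i in range(n + 1):
        mine = {j: seeds[(min(i, j), max(i, j))] for j in range(n + 1) if j != i}
        servers.append(Server(i, secrets.randbelow(Q), mine))
    return servers


def distributed_hash(servers, uid, pwd):
    """LS side: blind H(uid, pwd) with nonce N, collect v_i = u^{K_i}, unblind the product."""
    nonce = secrets.randbelow(Q - 1) + 1
    u = pow(H(uid, pwd), nonce, P)  # back-ends see only this uniformly random element
    prod = 1
    for s in servers:
        prod = prod * s.respond(u) % P
    return pow(prod, pow(nonce, -1, Q), P)  # = H(uid, pwd)^K, independent of the nonce


def create_account(servers, uid, pwd):
    return G(uid, pwd, distributed_hash(servers, uid, pwd))


def login(servers, stored, uid, pwd):
    return G(uid, pwd, distributed_hash(servers, uid, pwd)) == stored


def demo():
    """Account creation, a correct and a wrong login, then a refresh that keeps K fixed."""
    servers = setup_servers(3)
    stored = create_account(servers, "alice", "correct horse")
    ok_before = login(servers, stored, "alice", "correct horse")
    wrong = login(servers, stored, "alice", "wrong horse")
    old_keys = [s.key for s in servers]
    for s in servers:
        s.refresh(epoch=1)
    ok_after = login(servers, stored, "alice", "correct horse")
    all_changed = all(k != s.key for k, s in zip(old_keys, servers))
    sum_kept = sum(old_keys) % Q == sum(s.key for s in servers) % Q
    return ok_before, wrong, ok_after, all_changed, sum_kept
```

Two things to look at when running demo(): the back-ends only ever receive u, which is a fresh uniformly random group element each time and so carries no information about uid or pwd, and after refresh() every individual K_i is new while the stored hash still verifies because the sum K is unchanged.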
This isn't much of a problem if it happens during login: at most, it could make an honest LS erroneously conclude that a correct password was incorrect, but our functionality explicitly tolerates such false negatives. A server using a different exponent during account creation is more problematic, however. While there doesn't seem to be an obvious attack, the reduction to the gap one-more Diffie-Hellman problem ceases to go through. Normally, the reduction works by inserting CDH target points as responses to $H(\cdot)$ queries and observing the adversary's $G(\cdot)$ queries for CDH solutions $H(uid, pwd)^K$. When LS stores a password hash $G(uid, pwd, H(uid, pwd)^{K'})$ for $K' \neq K$, however, the reduction can no longer extract $H(uid, pwd)^K$ when the adversary guesses the password. To prevent this, LS must verify at account creation that the obtained value v is indeed $H(uid, pwd)^K$. In our second construction, LS can do so using a pairing computation. In our first protocol, we let the servers engage in a distributed interactive zero-knowledge protocol allowing LS to check that the overall exponent K was correct, but without committing servers to their individual exponents $K_i$.

4.1 Scheme

Let $\mathbb{G}$ be a multiplicative group of prime order $q > 2^{2\kappa}$ with generator g. Let $H : \{0,1\}^* \times \{0,1\}^* \to \mathbb{G}$, $G : \{0,1\}^* \times \{0,1\}^* \times \mathbb{G} \to \{0,1\}^{2\kappa}$, $C : \mathbb{Z}_q \to \{0,1\}^{2\kappa}$, $B_0, B_1, B_2 : \{0,1\}^\kappa \times \mathbb{N} \to \mathbb{G}$, and $B_3 : \{0,1\}^\kappa \times \mathbb{N} \to \mathbb{Z}_q$ be hash functions mod­eled as random oracles. Let $PRG : \{0,1\}^\kappa \to \{0,1\}^\kappa \times \mathbb{Z}_q \times \{0,1\}^\kappa \times \{0,1\}^\kappa$ be a pseudo-random generator and $MAC : \{0,1\}^\kappa \times \{0,1\}^* \to T$ be a message authentication code.

Initialization takes place in a secure environment where all parties are uncorrupted and can communicate securely over a secure message transmission functionality $\mathcal{F}_{smt}$. During initialization and refresh, each party additionally has read/write access to a backup tape $backup_i$. As the backup tape is not used during account creation and login, it is easier to protect by disconnecting it during regular operation.
The difference between a transient and a permanent corruption in the real world is that, in a transient corruption, the adversary is given control of that party and its current state information, but not its backup tape. In a permanent corruption, the adversary is additionally given the content of the backup tape. Rather than assuming that parties revert to a fixed default state when recovering from corruption, as done in previous works [1], we assume that a party refreshes by starting from a clean copy of its code and deriving its new state information from its backup tape and its last state before refresh (which may have been tampered with by the adversary).

Once initialization is finished, the servers $LS, S_1, \ldots, S_n$ communicate over an untrusted network, where messages can be arbitrarily observed, modified, and delayed by the adversary, but all messages are integrity-protected with a MAC. Our protocol provides LS with a shared MAC key $\mu_{0,i}$ with each server $S_i$, $i = 1, \ldots, n$ (the key is re-derived from the rotated master key at every refresh, like the other PRG outputs). Whenever the description below says that LS sends m to $S_i$, it actually means that LS computes $\tau \leftarrow MAC(\mu_{0,i}, (m, LS))$ and sends $(m, \tau)$ to $S_i$. Whenever it says that $S_i$ receives m from LS, it actually means that $S_i$ receives $(m, \tau)$ and checks that $\tau = MAC(\mu_{0,i}, (m, LS))$, ignoring the message m if that is not the case. The communication in the other direction from server $S_i$ back to LS is protected in the same way with the same MAC key $\mu_{0,i}$.

In the protocol below, the state information of each server $S_i \in \{LS = S_0, S_1, \ldots, S_n\}$ contains a list of blinding seeds $s_{i,j}$ for $j = 0, \ldots, n$, $j \neq i$, that are used to generate random shares of the unity element in $\mathbb{G}$ or of zero in $\mathbb{Z}_q$ using the combinatorial secret sharing scheme recalled in the preliminaries. All servers $S_1, \ldots, S_n$ maintain an associative array $USED_i$ to keep track of previously used subsession identifiers ssid. In each account creation or login session, the servers derive fresh shares $\beta_{i,0}, \ldots, \beta_{i,3}$ of unity or zero using the random oracles $B_0, \ldots, B_3$ applied to $s_{i,j}$ and ssid, and use these shares as blinding factors for their protocol messages, so that $\prod_{i=0}^n \beta_{i,k} = 1$ for $k = 0, 1, 2$ and $\sum_{i=0}^n \beta_{i,3} = 0 \bmod q$. More precisely, $S_i$'s blinding factors are computed as

$$\beta_{i,k} \leftarrow \prod_{j=0, j \neq i}^{n} B_k(s_{i,j}, ssid)^{\epsilon_{i,j}} \quad \text{for } k = 0, 1, 2, \qquad \beta_{i,3} \leftarrow \sum_{j=0, j \neq i}^{n} \epsilon_{i,j}\, B_3(s_{i,j}, ssid) \bmod q,$$

where $\epsilon_{i,j} = 1$ if $i < j$ and $\epsilon_{i,j} = -1$ otherwise. Since the seed $s_{i,j} = s_{j,i}$ is shared by exactly the pair $S_i, S_j$, every term $B_k(s_{i,j}, ssid)$ appears once with exponent $+1$ (at the server with the smaller index) and once with exponent $-1$, so the product over all servers telescopes to 1 and the sum of the $B_3$ terms to 0. For LS, $\epsilon_{0,j} = 1$ for all $j \ge 1$, so its factors carry no exponent.

Initialization. During initialization, all servers are uncorrupted and can communicate through the secure message transmission functionality $\mathcal{F}_{smt}$.

1. LS: The LS generates and distributes master keys $mk_{i,j}$ for all servers in the system. It also generates a secret key K for a joint public key L.
It uses the master keys to compute the initial key share $K_0$ of K for LS, as well as its initial blinding seeds $s_{0,j}$. The key share and blinding seeds are kept in the initial state of LS; the master keys $mk_{0,j}$ are written to the backup tape.

On input (INIT, sid), check that $sid = (LS, S_1, \ldots, S_n, sid')$ for its own identity LS and server identities $S_1, \ldots, S_n$. For all $0 \le i < j \le n$, choose a master key $mk_{i,j} \leftarrow_R \{0,1\}^\kappa$. The master key $mk_{i,j}$ will be known only to servers $S_i$ and $S_j$, so that each pair of servers $\{i, j\} \subseteq \{0, \ldots, n\}$ will have a common master key that is unknown to the other servers. For $i = 1, \ldots, n$, securely send $(mk_{i,j})_{j=0, j \neq i}^n$ to server $S_i$ by providing input $(SEND, (LS, S_i, sid), LS, S_i, (mk_{i,j})_{j=0, j \neq i}^n)$ to $\mathcal{F}_{smt}$. For all $j = 1, \ldots, n$, compute $(mk'_{0,j}, \delta_{0,j}, s_{0,j}, \mu_{0,j}) \leftarrow PRG(mk_{0,j})$. Choose $K \leftarrow_R \mathbb{Z}_q$ and set $L \leftarrow g^K$. Compute $K_0 \leftarrow K + \sum_{j=1}^n \delta_{0,j} \bmod q$. Initialize BUSY, $USED_0$, and the password hash table PH as empty associative arrays, store $st_0 = (K_0, (s_{0,j})_{j=1}^n, (\mu_{0,j})_{j=1}^n, L, PH, BUSY, USED_0)$ as initial state, and store $backup_0 \leftarrow (K_0, (mk'_{0,j})_{j=1}^n, L, PH)$ on the backup tape.

Figure 4: The account creation protocol. All communication between LS and $S_i$ is integrity-protected with the MAC key $\mu_{0,i}$. See the text for more information on the blinding factors $\beta_{i,k}$.

    LS:    $N \leftarrow_R \mathbb{Z}_q$, $u \leftarrow H(uid, pwd)^N$, $c \leftarrow_R \mathbb{Z}_q$, $ch \leftarrow C(c)$;  send $(u, ch)$ to every $S_i$
    $S_i$: $v_i \leftarrow u^{K_i}\beta_{i,0}$, $r_i \leftarrow_R \mathbb{Z}_q$, $R_{1,i} \leftarrow g^{r_i}\beta_{i,1}$, $R_{2,i} \leftarrow u^{r_i}\beta_{i,2}$;  send $(v_i, R_{1,i}, R_{2,i})$ to LS
    LS:    $v_0 \leftarrow u^{K_0}\beta_{0,0}$, $r_0 \leftarrow_R \mathbb{Z}_q$, $R_{1,0} \leftarrow g^{r_0}\beta_{0,1}$, $R_{2,0} \leftarrow u^{r_0}\beta_{0,2}$, $s_0 \leftarrow K_0 c + r_0 + \beta_{0,3} \bmod q$;  send $c$ to every $S_i$
    $S_i$: check $C(c) = ch$;  $s_i \leftarrow K_i c + r_i + \beta_{i,3} \bmod q$;  send $s_i$ to LS
    LS:    $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$, $R_1 \leftarrow \prod_{i=0}^n R_{1,i}$, $R_2 \leftarrow \prod_{i=0}^n R_{2,i}$, $s \leftarrow \sum_{i=0}^n s_i \bmod q$;
           if $g^s = L^c R_1$ and $u^s = v^{Nc} R_2$ then $PH[uid] \leftarrow G(uid, pwd, v)$

2. $S_i$: Each server stores the received master keys $mk_{i,j}$ in backup memory and derives the initial state for $S_i$. Upon input $(SENT, (LS, S_i, sid), LS, (mk_{i,j})_{j=0, j \neq i}^n)$ from $\mathcal{F}_{smt}$, for all $j = 0, \ldots, n$, $j \neq i$, compute $(mk'_{i,j}, \delta_{i,j}, s_{i,j}, \mu_{i,j}) \leftarrow PRG(mk_{i,j})$. Compute the initial key share as $K_i \leftarrow \sum_{j=0, j \neq i}^n \epsilon_{i,j}\,\delta_{i,j} \bmod q$, where $\epsilon_{i,j}$ is as defined above. Initialize $USED_i$ as an empty associative array, store $st_i \leftarrow (K_i, (s_{i,j})_{j=0, j \neq i}^n, \mu_{0,i}, USED_i)$ as initial state, and store $backup_i \leftarrow (K_i, (mk'_{i,j})_{j=0, j \neq i}^n)$ on the backup tape.

Account creation. To create an account for user uid with password pwd, the LS runs the following protocol with all n servers $S_1, \ldots, S_n$:

1. LS: The LS sends a blinded password hash and a challenge hash to all servers. On input (CREATE, sid, ssid, uid, pwd), check whether PH[uid], BUSY[uid] or $USED_0[ssid]$ is already defined. If so, abort. Else, set and store $BUSY[uid] \leftarrow 1$ and $USED_0[ssid] \leftarrow 1$. (Note that we already assumed that servers check that ssid is locally unique, but since it is crucial for the security of our protocol, we make these checks explicit here.) Generate a random nonce $N \leftarrow_R \mathbb{Z}_q$ and a random challenge $c \leftarrow_R \mathbb{Z}_q$. Compute $u \leftarrow H(uid, pwd)^N$ and $ch \leftarrow C(c)$. Send $(ssid, u, ch)$ to all servers $S_i$ for $i = 1, \ldots, n$. Store $(uid, pwd, N, u, c)$ associated with ssid.

2. $S_i$: Each server sends a blinded response using its secret key share and the blinded first move of a zero-knowledge proof. On input (PROCEED, sid, ssid) from the environment and after having received $(ssid, u, ch)$ from LS, check that $USED_i[ssid]$ is undefined. If not, abort. Compute $v_i \leftarrow u^{K_i} \prod_{j=0, j \neq i}^n B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}$ and set and store $USED_i[ssid] \leftarrow 1$. Choose $r_i \leftarrow_R \mathbb{Z}_q$ and compute $R_{1,i} \leftarrow g^{r_i} \prod_{j=0, j \neq i}^n B_1(s_{i,j}, ssid)^{\epsilon_{i,j}}$ and $R_{2,i} \leftarrow u^{r_i} \prod_{j=0, j \neq i}^n B_2(s_{i,j}, ssid)^{\epsilon_{i,j}}$.

Figure 3: The initialization protocol. All communication takes place via $\mathcal{F}_{smt}$.

    LS:    for $0 \le i < j \le n$: $mk_{i,j} \leftarrow_R \{0,1\}^\kappa$;  send $(mk_{i,j})_{j=0, j \neq i}^n$ to each $S_i$, $i = 1, \ldots, n$
    LS:    for $j = 1, \ldots, n$: $(mk'_{0,j}, \delta_{0,j}, s_{0,j}, \mu_{0,j}) \leftarrow PRG(mk_{0,j})$
           $K \leftarrow_R \mathbb{Z}_q$, $L \leftarrow g^K$, PH, BUSY, $USED_0$ empty
           $K_0 \leftarrow K + \sum_{j=1}^n \delta_{0,j} \bmod q$
           $backup_0 \leftarrow (K_0, (mk'_{0,j})_{j=1}^n, L, PH)$
           $st_0 \leftarrow (K_0, (s_{0,j})_{j=1}^n, (\mu_{0,j})_{j=1}^n, L, PH, BUSY, USED_0)$
    $S_i$: for $j = 0, \ldots, n$, $j \neq i$: $(mk'_{i,j}, \delta_{i,j}, s_{i,j}, \mu_{i,j}) \leftarrow PRG(mk_{i,j})$
           $USED_i$ empty
           $K_i \leftarrow \sum_{j=0, j \neq i}^n \epsilon_{i,j}\,\delta_{i,j} \bmod q$
           $backup_i \leftarrow (K_i, (mk'_{i,j})_{j=0, j \neq i}^n)$
           $st_i \leftarrow (K_i, (s_{i,j})_{j=0, j \neq i}^n, \mu_{0,i}, USED_i)$

Respond by sending $(ssid, v_i, R_{1,i}, R_{2,i})$ to LS. Store $(r_i, ch)$ associated with ssid.

3. LS: The LS sends the challenge for the zero-knowledge proof. After having received $(ssid, v_i, R_{1,i}, R_{2,i})$ from servers $S_1, \ldots, S_n$, retrieve $(uid, pwd, N, u, c)$ associated with ssid. Abort if it doesn't exist. Update the information stored with ssid to $(uid, pwd, N, u, c, (v_i, R_{1,i}, R_{2,i})_{i=1}^n)$. Send $(ssid, c)$ to all servers $S_1, \ldots, S_n$.

4. $S_i$: Each server checks the challenge hash from the previous round and sends the blinded last move of the zero-knowledge proof. When receiving $(ssid, c)$ from LS, retrieve $(r_i, ch)$ associated with ssid. Abort if it doesn't exist. If $C(c) \neq ch$, abort. Compute $s_i \leftarrow K_i c + r_i + \sum_{j=0, j \neq i}^n \epsilon_{i,j}\, B_3(s_{i,j}, ssid) \bmod q$. Respond by sending $(ssid, s_i)$ to LS. Remove all information associated with ssid.

5. LS: The LS verifies the aggregated server responses through the zero-knowledge proof and computes the final password hash. After having received $(ssid, s_i)$ from all servers $S_1, \ldots, S_n$, retrieve $(uid, pwd, N, u, c, (v_i, R_{1,i}, R_{2,i})_{i=1}^n)$ stored for ssid. Abort if it doesn't exist. Compute $v_0 \leftarrow u^{K_0} \prod_{j=1}^n B_0(s_{0,j}, ssid)$. Choose $r_0 \leftarrow_R \mathbb{Z}_q$, compute $R_{1,0} \leftarrow g^{r_0} \prod_{j=1}^n B_1(s_{0,j}, ssid)$ and $R_{2,0} \leftarrow u^{r_0} \prod_{j=1}^n B_2(s_{0,j}, ssid)$. Also compute $s_0 \leftarrow K_0 c + r_0 + \sum_{j=1}^n B_3(s_{0,j}, ssid) \bmod q$. Compute $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$, $R_1 \leftarrow \prod_{i=0}^n R_{1,i}$, $R_2 \leftarrow \prod_{i=0}^n R_{2,i}$, and $s \leftarrow \sum_{i=0}^n s_i \bmod q$. Verify that $g^s = L^c R_1$ and $u^s = v^{Nc} R_2$; if not, set BUSY[uid] to undefined in the state information and abort. (When all servers use their correct shares, $s = Kc + \sum_i r_i$ because the $\beta_{i,3}$ sum to zero, and $R_1 = g^{\sum_i r_i}$, $R_2 = u^{\sum_i r_i}$, $v^N = u^K$ because the $\beta_{i,k}$ multiply to one, so both equations hold; a server that uses $K_i' \neq K_i$ in $v_i$ or $s_i$ breaks at least one of them.) Store $PH[uid] \leftarrow G(uid, pwd, v)$ as the password hash for uid and output (CREATEOK, sid, ssid). Remove all information associated with ssid.

Login request. The login protocol is a simplified version of account creation, without the zero-knowledge proof.

1. LS: The LS sends a blinded password hash to all servers. Upon input (LOGIN, sid, ssid, uid, pwd'), first check that PH[uid] is defined and $USED_0[ssid]$ is not defined. Abort otherwise. Set and store $USED_0[ssid] \leftarrow 1$. Generate a random nonce $N \leftarrow_R \mathbb{Z}_q$ and compute $u \leftarrow H(uid, pwd')^N$. Send $(ssid, u)$ to all servers $S_1, \ldots, S_n$. Store $(uid, pwd', N, u)$ associated with ssid.

Figure 5: The login protocol. All communication between LS and $S_i$ is integrity-protected with the MAC key $\mu_{0,i}$. See the text for more information on the blinding factors $\beta_{i,k}$.

    LS:    $N \leftarrow_R \mathbb{Z}_q$, $u \leftarrow H(uid, pwd')^N$;  send $u$ to every $S_i$
    $S_i$: $v_i \leftarrow u^{K_i}\beta_{i,0}$;  send $v_i$ to LS
    LS:    $v_0 \leftarrow u^{K_0}\beta_{0,0}$, $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$;  if $PH[uid] = G(uid, pwd', v)$ then accept else reject

2. $S_i$: Each server sends a blinded response using its secret key share. On input (PROCEED, sid, ssid) from the environment and after receiving $(ssid, u)$ from LS, first check whether $USED_i[ssid] = 1$. If so, abort. Compute $v_i \leftarrow u^{K_i} \prod_{j=0, j \neq i}^n B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}$ and set and store $USED_i[ssid] \leftarrow 1$. Respond by sending $(ssid, v_i)$ to LS.

3. LS: The LS verifies the recomputed final password hash against the stored one. After having received $(ssid, v_i)$ from all servers $S_1, \ldots, S_n$, retrieve $(uid, pwd', N, u)$ associated with ssid. Abort if it doesn't exist. Compute $v_0 \leftarrow u^{K_0} \prod_{j=1}^n B_0(s_{0,j}, ssid)$ and $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$. If $PH[uid] = G(uid, pwd', v)$, then set $pwdok \leftarrow 1$, else $pwdok \leftarrow 0$. Output (RESULT, sid, ssid, pwdok) and delete the stored tuple $(uid, pwd', N, u)$ for ssid.

Timeout. The LS interrupts a creation or login protocol. LS: Upon input (TIMEOUT, sid, ssid), retrieve the record $(uid, pwd, \ldots)$ for ssid. If ssid is an unfinished account creation, set BUSY[uid] to undefined and delete all information stored for ssid. If ssid is an unfinished login, then delete all information stored for ssid.

Refresh. Refresh is a non-interactive process where each server has access to its backup memory.
We assume that all servers synchronize to refresh simultaneously, e.g., by performing refreshes at regular time intervals, or by agreeing on the timing through out-of-band communication. Synchronization matters for availability: if one server of a pair has applied the new share $\epsilon_{i,j}\delta_{i,j}$ and the other has not, the shares no longer sum to K and every login fails until both are in the same epoch.
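The following Python program is an added, runnable example; it is not code from the paper or from its Java prototype. It models the first construction end to end over a toy Schnorr group ($q = 2039$, $p = 2q + 1 = 4079$; an assumed parameter chosen so the example runs instantly, whereas the scheme requires $q > 2^{2\kappa}$ and the prototype uses P-256): initialization with pairwise master keys, key shares that sum to K, the combinatorial blinding factors $\beta_{i,k}$, account creation with the blinded distributed Schnorr proof and the challenge commitment $C(c)$, login, and the non-interactive refresh derived from the master keys. SHA-256 stands in for every random oracle and for PRG, the MAC layer and the separate backup tape are omitted, and the attribute `cheat` is a hypothetical test hook (not part of the protocol) that makes a server use $K_i + \mathit{cheat}$ when computing $v_i$.

```python
import hashlib
import secrets

# Toy Schnorr group (assumed parameter for this example): p = 2q + 1 with q = 2039 and
# p = 4079 both prime; g = 4 = 2^2 generates the order-q subgroup. The paper uses P-256.
P, Q, G = 4079, 2039, 4

def h_int(*parts):
    """Domain-separated SHA-256 as an integer (stands in for G, C, B_3 and PRG)."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest(), "big")

def h_group(*parts):
    """Hash into the order-q subgroup (H, B_0, B_1, B_2): square a value in [2, p-2]."""
    return pow(2 + h_int(*parts) % (P - 3), 2, P)

def eps(i, j):
    return 1 if i < j else -1  # sign of the pairwise share between S_i and S_j

class Server:
    """S_i (i = 0 is LS): key share K_i, pairwise master keys mk_{i,j}, seeds s_{i,j}."""
    def __init__(self, i, mk):
        self.i, self.mk, self.K, self.used = i, mk, 0, set()
        self.cheat = 0  # hypothetical test hook, not in the paper: S_i uses K_i + cheat in v_i
        self.refresh()  # first share K_i = sum_j eps_ij * delta_ij (sums to 0 over all i)

    def refresh(self):
        """Non-interactive refresh: derive (mk', delta, s) from each mk_{i,j}, add the signed
        delta to K_i (pairs cancel, so sum_i K_i is unchanged), rotate mk, clear USED_i."""
        self.seed = {}
        for j, mk in list(self.mk.items()):
            self.K = (self.K + eps(self.i, j) * (h_int("delta", mk) % Q)) % Q
            self.seed[j] = h_int("seed", mk)
            self.mk[j] = h_int("mk", mk)
        self.used.clear()

    def beta(self, k, ssid):
        """Blinding factor beta_{i,k}: share of 1 in G (k = 0, 1, 2) or of 0 in Z_q (k = 3)."""
        if k == 3:
            return sum(eps(self.i, j) * (h_int("B3", s, ssid) % Q) for j, s in self.seed.items()) % Q
        b = 1
        for j, s in self.seed.items():
            b = b * pow(h_group("B", k, s, ssid), eps(self.i, j), P) % P
        return b

    def respond(self, ssid, u, ch=None):
        """Round 1: blinded v_i and the blinded first move (R_1i, R_2i) of the Schnorr proof."""
        if ssid in self.used:
            raise ValueError("subsession id reused")
        self.used.add(ssid)
        self.r, self.ch = secrets.randbelow(Q), ch
        v = pow(u, (self.K + self.cheat) % Q, P) * self.beta(0, ssid) % P
        r1 = pow(G, self.r, P) * self.beta(1, ssid) % P
        r2 = pow(u, self.r, P) * self.beta(2, ssid) % P
        return v, r1, r2

    def finish(self, ssid, c):
        """Round 2: check that c opens ch = C(c), return the blinded last move s_i."""
        if self.ch is not None and h_int("C", c) != self.ch:
            raise ValueError("challenge does not match commitment")
        return (self.K * c + self.r + self.beta(3, ssid)) % Q

def init(n):
    """Trusted initialization: a master key per pair; LS picks K, L = g^K, K_0 = K + sum_j delta_0j."""
    mks = {(i, j): secrets.randbits(128) for i in range(n + 1) for j in range(i + 1, n + 1)}
    servers = [Server(i, {j: mks[(min(i, j), max(i, j))] for j in range(n + 1) if j != i})
               for i in range(n + 1)]
    ls, K = servers[0], secrets.randbelow(Q)
    ls.K, ls.L, ls.PH = (ls.K + K) % Q, pow(G, K, P), {}
    return ls, servers[1:]

def combine(N, responses):
    """LS side: prod_i v_i and v = (prod_i v_i)^{1/N}; the blinding factors cancel."""
    vprod = 1
    for v, _, _ in responses:
        vprod = vprod * v % P
    return vprod, pow(vprod, pow(N, -1, Q), P)

def create(ls, servers, ssid, uid, pwd):
    """Account creation; True iff g^s = L^c R_1 and u^s = (prod v_i)^c R_2, then stores PH[uid]."""
    N, c = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    u, ch = pow(h_group("H", uid, pwd), N, P), h_int("C", c)
    resp = [s.respond(ssid, u, ch) for s in servers] + [ls.respond(ssid, u)]
    svals = [s.finish(ssid, c) for s in servers] + [ls.finish(ssid, c)]
    vprod, v = combine(N, resp)
    R1 = R2 = 1
    for _, r1, r2 in resp:
        R1, R2 = R1 * r1 % P, R2 * r2 % P
    s = sum(svals) % Q
    ok = pow(G, s, P) == pow(ls.L, c, P) * R1 % P and pow(u, s, P) == pow(vprod, c, P) * R2 % P
    if ok:
        ls.PH[uid] = h_int("G", uid, pwd, v)
    return ok

def login(ls, servers, ssid, uid, pwd):
    """Login: the same exchange without the proof; a misbehaving S_i only causes a false reject."""
    N = 1 + secrets.randbelow(Q - 1)
    u = pow(h_group("H", uid, pwd), N, P)
    _, v = combine(N, [s.respond(ssid, u) for s in servers] + [ls.respond(ssid, u)])
    return uid in ls.PH and ls.PH[uid] == h_int("G", uid, pwd, v)

if __name__ == "__main__":
    ls, servers = init(3)
    print("create:", create(ls, servers, "ssid-1", "alice", "correct horse"))
    print("login:", login(ls, servers, "ssid-2", "alice", "correct horse"))
    for s in [ls] + servers:
        s.refresh()  # fresh shares, same K
    print("login after refresh:", login(ls, servers, "ssid-3", "alice", "correct horse"))
```

Setting `cheat` on one back-end server exhibits the two behaviours discussed in Section 4: at login the recomputed v no longer equals $H(uid, pwd)^K$, so a correct password is rejected (a false negative), while at account creation the check $u^s = (\prod_i v_i)^c R_2$ fails because $s$ is bound to $L = g^K$ through $g^s = L^c R_1$, and no hash is stored. Reusing an ssid within an epoch raises an error, mirroring the $USED_i$ check, and the sum of the shares is unchanged by `refresh`.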

Figure 6: The refresh protocol. In the original figure, items in dark gray apply to $S_i = S_0 = LS$ only and items in light gray apply to $S_i \neq S_0$ only; here they are marked "(LS only)" and "($S_i \neq LS$ only)".

    $S_i \in \{LS = S_0, S_1, \ldots, S_n\}$:
           let $backup_i = (K_i, (mk_{i,j})_{j=0, j \neq i}^n, L, PH')$   ($L$, $PH'$: LS only)
           for $j = 0, \ldots, n$, $j \neq i$: $(mk'_{i,j}, \delta_{i,j}, s_{i,j}, \mu_{i,j}) \leftarrow PRG(mk_{i,j})$
           $K_i \leftarrow K_i + \sum_{j=0, j \neq i}^n \epsilon_{i,j}\,\delta_{i,j} \bmod q$
           (LS only) let $PH$ be as in $st_0$; for all uid with $PH'[uid] = \bot$ and $PH[uid] \neq \bot$: $PH'[uid] \leftarrow PH[uid]$; $PH \leftarrow PH'$
           $backup_i \leftarrow (K_i, (mk'_{i,j})_{j=0, j \neq i}^n, L, PH')$   ($L$, $PH'$: LS only)
           $USED_i$, BUSY empty   (BUSY: LS only)
           $st_i \leftarrow (K_i, (s_{i,j})_{j=0, j \neq i}^n, \mu_{0,i}, USED_i)$   ($S_i \neq LS$ only)
           $st_0 \leftarrow (K_0, (s_{0,j})_{j=1}^n, (\mu_{0,j})_{j=1}^n, L, PH, BUSY, USED_0)$   (LS only)

1. $S_i \in \{LS = S_0, S_1, \ldots, S_n\}$: Based on the backup $backup_i$ and the current state $st_i$, $S_i$ computes its new state $st_i$. If $S_i = LS$, on input (REFRESH, sid) recover the backup tape $backup_0 = (K_0, (mk_{0,j})_{j=1}^n, L, PH')$ and obtain the password hashes PH from $st_0$. If $S_i \in \{S_1, \ldots, S_n\}$, recover the backup $backup_i = (K_i, (mk_{i,j})_{j=0, j \neq i}^n)$. For all $j = 0, \ldots, n$, $j \neq i$, compute $(mk'_{i,j}, \delta_{i,j}, s_{i,j}, \mu_{i,j}) \leftarrow PRG(mk_{i,j})$ and compute the new key share $K_i \leftarrow K_i + \sum_{j=0, j \neq i}^n \epsilon_{i,j}\,\delta_{i,j} \bmod q$. If $S_i = LS$, take over the accounts that were newly created during the past epoch, i.e., for all uid with $PH'[uid] = \bot$ and $PH[uid] \neq \bot$ set $PH'[uid] \leftarrow PH[uid]$, and then set $PH \leftarrow PH'$, so that any tampering with existing entries in the state is undone by the copy on the backup tape. Store $backup_0 \leftarrow (K_0, (mk'_{0,j})_{j=1}^n, L, PH')$ and set the new state $st_0 \leftarrow (K_0, (s_{0,j})_{j=1}^n, (\mu_{0,j})_{j=1}^n, L, PH, BUSY, USED_0)$ with BUSY and $USED_0$ empty. If $S_i \in \{S_1, \ldots, S_n\}$, store the new backup $backup_i \leftarrow (K_i, (mk'_{i,j})_{j=0, j \neq i}^n)$ and set the new state to $st_i \leftarrow (K_i, (s_{i,j})_{j=0, j \neq i}^n, \mu_{0,i}, USED_i)$ with $USED_i$ empty.

4.2 Security

The security properties of our first construction are summarized in the following theorem.

Theorem 4.1. If the gap one-more Diffie-Hellman assumption holds in $\mathbb{G}$, PRG is a secure pseudo-random generator, and MAC is an unforgeable MAC, then the protocol $\pi$ of Section 4 securely implements the functionality $\mathcal{F}$ in the $(\mathcal{F}_{smt}, \mathcal{F}_{ro})$-hybrid model.
For any polynomial-time algorithms $\mathcal{E}, \mathcal{A}$, there exist polynomial-time algorithms SIM and $B, B_1, B_2$ such that

$$\left| \mathrm{Real}^{\pi}_{\mathcal{E},\mathcal{A}}(\kappa) - \mathrm{Ideal}^{\mathcal{F}}_{\mathcal{E},SIM}(\kappa) \right| \le n_e n^2 \cdot \mathrm{Adv}^{prg}_{B_1, PRG}(\kappa) + \mathrm{Adv}^{gomcdh}_{B, \mathbb{G}}(\kappa) + n_e n \cdot \mathrm{Adv}^{ufcma}_{B_2, MAC}(\kappa) + \frac{7\,(q_{ro} + n q_c + q_l)^2}{2^{2\kappa}} + \frac{2 n^2 n_e\,(q_{ro} + n^2 n_e)}{2^{\kappa}},$$

where $n, n_e, q_{ro}, q_c, q_l$ are the number of back-end servers, epochs, random-oracle queries, account creation sessions, and login sessions, respectively.

As mentioned earlier, the Cheon attack [8] on the (gap) one-more Diffie-Hellman assumption potentially reduces security by a factor $O(\sqrt{d})$ if the adversary is given $g^{x^d}$. For our construction, we have that $d \le q_c + q_l$, so it would be advisable to use a group order q that is $\log(q_c + q_l)$ bits longer than usual to compensate for the attack. Due to space limitations, we only sketch the simulator SIM for the above theorem and the reduction from the gap one-more Diffie-Hellman problem.

4.2.1 Simulator

The simulator interacts as adversary with the functionality $\mathcal{F}$ and internally runs simulated versions $LS, S_1, \ldots, S_n$ of all honest servers against the real-world adversary $\mathcal{A}$, who also plays the role of all corrupt servers.

Initialization. The initialization procedure takes place in a trusted environment and hence is completely under control of the simulator SIM. It generates the initial keys so that it knows $K = \sum_{i=0}^n K_i \bmod q$ and sets $L \leftarrow g^K$. Rather than generating blinding seeds $s_{i,j}$ and MAC keys $\mu_{i,j}$ through the pseudo-random generator PRG, SIM chooses them truly at random. Values are assigned consistently across machines, though, in the sense that if different machines $S_i, S_j$ use the same master key $mk_{i,j}$ to derive a value, then the same random value will be assigned in both cases. The simulation is aborted whenever an honest login server LS receives a network message for which the MAC tag verifies correctly under $\mu_{0,i}$ but that was never sent by $S_i$, and vice versa.

Random Oracles. SIM simulates the random oracles $B_0, \ldots, B_3, C$ by returning random values from the appropriate ranges, storing the values in tables for consistency.
It responds to random-oracle queries $H(uid, pwd)$ so that it knows the discrete logarithm of all responses, i.e., choosing $HTL[uid, pwd] \leftarrow_R \mathbb{Z}_q$ and returning $HT[uid, pwd] \leftarrow g^{HTL[uid, pwd]}$. Random-oracle queries $G(uid, pwd, v)$ are answered with the help of the PWDGUESS interface; we provide details in a moment. The simulator aborts when a collision is detected between outputs of C, H, or G.

Account creation. The simulator executes simulated versions of all honest back-end servers $S_1, \ldots, S_n$ by following the real protocol after receiving (PROCEED, sid, ssid, $S_i$) from $\mathcal{F}$. It can do so because it knows all of the relevant secrets $K_1, \ldots, K_n$ and $s_{i,j}$. If LS is corrupt and $\mathcal{A}$ delivers $(ssid, u)$ to an honest server $S_i$ for a new ssid, then SIM sends (CREATE, sid, ssid, uid = $\bot$, pwd = $\bot$) to $\mathcal{F}$ on behalf of LS and (PROCEED, sid, ssid) on behalf of all corrupt servers $S_i \in C$. To simulate the honest LS, however, it must perform an honest-looking protocol without knowing the actual password. When SIM receives (CREATE, sid, ssid, uid) from $\mathcal{F}$, SIM uses $u \leftarrow g^N$ in the first round. If at the end of the protocol $g^s L^{-c} = R_1$ and $u^s (\prod_{i=0}^n v_i)^{-c} = R_2$ but $\prod_{i=0}^n v_i \neq u^K$, then SIM aborts. If $g^s L^{-c} = R_1$, $u^s (\prod_{i=0}^n v_i)^{-c} = R_2$, and $\prod_{i=0}^n v_i = u^K$, then it assigns a random value as password hash $PH[uid] \leftarrow_R \{0,1\}^{2\kappa}$ and sends (CREATEOK, sid, ssid) to $\mathcal{F}$. To make sure that the password hash looks correct when LS gets corrupted, it answers $\mathcal{A}$'s queries $G(uid, pwd, v)$ as follows. If $v \neq H(uid, pwd)^K$, then it simply returns a random value. If $v = H(uid, pwd)^K$, then SIM decreases a counter $\mathit{guesses}$ that mirrors the counter maintained by $\mathcal{F}$, i.e., it is initially zero, is increased each time the last honest server in a subsession ssid receives (PROCEED, sid, ssid, $S_i$), and is set to infinity when all servers get corrupted in the same epoch. If $\mathit{guesses} < 0$, then SIM aborts the simulation and gives up; we will later show how this event gives rise to solving the gap one-more Diffie-Hellman problem. If $\mathit{guesses} \ge 0$, it sends (PWDGUESS, sid, uid, pwd) to $\mathcal{F}$ to obtain a response (PWDGUESS, sid, uid, pwdok). If pwdok = 1, then it returns PH[uid] as hash output, else it returns a random value.

Login. Login protocols for a corrupt LS are simulated similarly to the account creations above: SIM sends (LOGIN, sid, ssid, uid = $\bot$, pwd = $\bot$) to $\mathcal{F}$ whenever the first honest server $S_i$ receives a message for a protocol ssid, and otherwise runs the honest code of $S_i$. Login protocols with an honest LS are simulated differently depending on whether the account for uid was created when LS was honest or corrupt. In the first case, the value PH[uid] may not be assigned to any output $G(uid, pwd, v)$ yet, but we are sure that at the time of account creation, the corrupt servers (if any) behaved honestly overall, in the sense that they did not affect the computation of the overall exponent K in $\prod_{i=0}^n v_i = u^K$, because the zero-knowledge proof was verified by the honest LS. Since there is no such proof during login, real-world corrupted servers can use a different overall exponent $K'$, causing LS to conclude that the password was false even though it was correct. The simulator forces the same outcome in the ideal world by setting the fail flag in the RESULT interface. Namely, it lets LS use $u \leftarrow g^N$ and, after having received all values $v_i$, checks whether $\prod_{i=0}^n v_i = u^K$. If so, it sets $\mathit{fail} \leftarrow 0$, otherwise it sets $\mathit{fail} \leftarrow 1$. In the second case, the password hash PH[uid] was stored by a corrupt LS. If there is no registered output $G(uid, pwd, v) = PH[uid]$, then for a successful login to take place, $\mathcal{A}$ must predict an output of G, which can happen only with negligible probability. In this case, LS runs the protocol using $u \leftarrow g^N$ but always sets $\mathit{fail} \leftarrow 1$ at the end. If there is one (and only one, as SIM aborts on collisions) output $G(uid, pwd, v') = PH[uid]$, then we still cannot be sure that $v' = H(uid, pwd)^K$. The corrupt LS could for example have stored $PH[uid] = G(uid, pwd, v')$ with $v' = H(uid, pwd)^{K'}$ for $K' \neq K$, and during login, corrupt servers $S_i$ could bias the overall exponent to $K'$ again, causing the honest LS to recompute $v = v'$ and conclude that the login succeeded. For any other overall exponent, however, login must fail, even if the correct password was used. The simulator therefore lets LS perform the honest protocol with the correct password pwd, which it knows from the entry in GT, and checks whether the recomputed value is equal to $v'$. If not, it sets $\mathit{fail} \leftarrow 1$, otherwise it sets $\mathit{fail} \leftarrow 0$.

Corruption. When $\mathcal{A}$ transiently corrupts a back-end server $S_i$, SIM can hand over the full state of $S_i$, as it knows all the secret keys and subsession states. When it corrupts LS, SIM knows the long-term state $st_0 = (K_0, (s_{0,j})_{j=1}^n, (\mu_{0,j})_{j=1}^n, L, PH, BUSY, USED_0)$, but does not necessarily know the state of ongoing subsessions that contain the password pwd and the nonce N such that $u = H(uid, pwd)^N$. It obtains the actual passwords for all ongoing protocols through (CORRUPT, sid, LS) from $\mathcal{F}$. It can then compute simulated nonces N for the correct password using the discrete logarithms of $H(uid, pwd)$ stored in HTL. When $\mathcal{A}$ permanently corrupts a server $S_i \in \{LS = S_0, S_1, \ldots, S_n\}$, it additionally chooses master keys $mk_{i,j} \leftarrow_R \{0,1\}^\kappa$ for $j = 0, \ldots, n$, $j \neq i$, to simulate the contents of the backup tape $backup_i$.

Refresh.
When the environment instructs all (non-permanently-corrupted) servers to refresh, the simulator SIM computes $(mk'_{i,j}, \delta_{i,j}, s_{i,j}, \mu_{i,j}) \leftarrow PRG(mk_{i,j})$ for all servers $i = 0, \ldots, n$ and all permanently corrupted servers $S_j \in PC$, where $mk_{i,j}$ are the values given to $\mathcal{A}$ as part of the backup tape when $S_j$ was permanently corrupted. For all other servers $S_j \notin PC$, SIM chooses random values for $\delta_{i,j}, s_{i,j}, \mu_{i,j}$. It otherwise computes the new state of $S_i$ as in the real protocol. For all new entries uid that were added to the final state PH of a corrupt LS but were not yet defined at the beginning of the epoch, SIM checks whether there exists an output $G(uid, pwd, v) = PH[uid]$, setting $pwd \leftarrow \bot$ if not. The simulator registers a new account for each such uid by sending (CREATE, sid, ssid, uid, pwd) and (CREATEOK, sid, ssid) to $\mathcal{F}$ for a fresh ssid.

4.2.2 Reduction from Gap One-More DH

Suppose we are given an adversary $\mathcal{A}$ and an environment $\mathcal{E}$ that cause the event $\mathit{guesses} < 0$ to occur, where $\mathit{guesses}$ is initially zero, is decreased at each random-oracle query $G(uid, pwd, v)$ with $v = H(uid, pwd)^K$, is increased for each protocol session ssid where all honest servers participate, and is set to infinity when all servers are corrupted in the same epoch. We show how such $\mathcal{E}, \mathcal{A}$ give rise to a solver B for the gap one-more Diffie-Hellman problem. Algorithm B is given input $(g, X)$ and has access to oracles T, CDH, and DDH. It sets $L \leftarrow X$, thereby implicitly setting $K = \sum_{i=0}^n K_i = x$, and answers random-oracle queries $H(uid, pwd)$ with target points generated by its T oracle. It only fixes values of the individual $K_i$ and blinding seeds $s_{i,j}$ at the moment that $S_i$ gets corrupted, however, avoiding that B has to guess a server that will remain uncorrupted in the next epoch. Note that B never needs to simulate values for $K_i$ for all servers within the same epoch, because then the event $\mathit{guesses} < 0$ cannot occur.

Account creation. When $\mathcal{E}$ instructs an honest LS to create an account uid with password pwd, B lets LS honestly perform step 1 of the real protocol, but it lets all honest servers $S_i$ choose random values for $v_i, R_{1,i}, R_{2,i}, s_i$. These are correctly distributed because, if at least one of $S_1, \ldots, S_n$ is honest, then at least one of the blinding factors $B_k(s_{i,j}, ssid)$ remains unknown to $\mathcal{A}$, and if all $S_1, \ldots, S_n$ are corrupt, then $v_0, R_{1,0}, R_{2,0}$ remain internal to the honest LS anyway. Only when $S_i$ later gets corrupted will we program the random oracles $B_k$ so that these responses make sense. The LS cannot verify the zero-knowledge proof as usual, but, because it previously assigned values to the secrets $K_i$ and $s_{i,j}$ of the corrupt servers $S_i \in C = PC \cup TC$, it can check whether they behaved honestly overall, meaning, in a way that would have made the zero-knowledge proof work out if the honest $S_i$ had responded correctly. If so, then LS accepts the creation but stores a random string in PH[uid]. When $\mathcal{A}$ later makes a query $G(uid, pwd', v')$ with $v' = H(uid, pwd')^x$, which B can test using its DDH oracle, then B decreases $\mathit{guesses}$ and adds $(H(uid, pwd'), v')$ to a set Sol of CDH solutions. If $pwd'$ is the password pwd used at creation for uid, then B responds with PH[uid], otherwise it returns a random string.

If a corrupt LS initiates an account creation, then the honest servers $S_i \in \{LS, S_1, \ldots, S_n\} \setminus C$ must behave honestly overall to ensure that LS computes the correct value $v = H(uid, pwd)^K$ and a correct zero-knowledge proof if it chooses to follow the protocol honestly. They do so by returning random values $v_i$, except for the last honest server to respond, $S_l$, where B increases $\mathit{guesses}$ and uses one query to its CDH oracle to compute a response $v_l$ so that

$$\prod_{S_i \notin C} v_i \;=\; \prod_{S_i \notin C} u_i^{\kappa_i} \prod_{j=0, j \neq i}^{n} B_0(s_{i,j}, ssid)^{\epsilon_{i,j}} \;=\; \prod_{S_i \notin C} u_i^{\kappa_i} \prod_{S_j \in C} B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}$$

for some random exponents $\kappa_i \in \mathbb{Z}_q$ such that $\sum_{S_i \notin C} \kappa_i + \sum_{S_i \in C} K_i = x \bmod q$, where $u_i$ is the value for u that $S_i$ received in subsession ssid (the blinding terms between two honest servers cancel, which gives the second equality). It simulates the zero-knowledge proof for the honest $S_i$ in a similar way, choosing random values for $R_{1,i}, R_{2,i}, s_i$ except for the last server, where B uses a simulated zero-knowledge proof with the challenge c that it can look up from a response $C(c) = ch$.

Login. When $\mathcal{E}$ instructs the honest LS to perform a login with password $pwd'$ for an account uid that was created by an honest LS with password pwd, B lets LS run the honest protocol with uid, $pwd'$, but lets the honest $S_i$ return random values $v_i$. At the end, LS checks whether the corrupt servers behaved honestly overall as defined earlier. If so, and $pwd' = pwd$, then LS outputs pwdok = 1, else it outputs pwdok = 0. The LS proceeds similarly for accounts uid created by a corrupt LS if there exists no output $G(uid, pwd, v) = PH[uid]$, or if such an output exists but $pwd' \neq pwd$. At the end of the protocol, however, it always outputs pwdok = 0. For an account created by a corrupt LS with an existing entry $G(uid, pwd, v') = PH[uid]$ and $pwd' = pwd$, things are slightly more complicated because, as explained for the simulator above, we cannot be sure that $v' = H(uid, pwd)^K$, yet login may still succeed if the corrupt servers $S_i \in C$ apply the same bias to the overall exponent during login as during account creation. The LS detects whether a real protocol would have reconstructed $v = v'$ by checking whether

$$v' \;=\; \Big(\prod_{i=0}^{n} v_i\Big)^{1/N} \;=\; \Big(\prod_{S_i \in C} v_i \cdot \prod_{S_i \notin C} v_i\Big)^{1/N} \;=\; \Big(\prod_{S_i \in C} v_i \cdot u^{\,x - \sum_{S_i \in C} K_i} \cdot \prod_{S_i \notin C} \prod_{S_j \in C} B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}\Big)^{1/N},$$

which B can test using its DDH oracle. If so, then LS outputs pwdok = 1, otherwise it outputs pwdok = 0. Login protocols with a corrupt LS are simulated similarly to account creation, but without the zero-knowledge proof. Note that here too, B will make one CDH oracle query to compute the last honest server's response for each ssid.

Corruption and refresh. If $\mathcal{A}$ corrupts all servers during the same epoch, $\mathit{guesses}$ gets set to infinity, so B can abort without affecting its success probability. When $\mathcal{A}$ transiently corrupts $S_i$, B chooses a random key $K_i$ and random blinding seeds $(s_{i,j})_{j=0, j \neq i}^n$, and programs the entries $B_k(s_{i,j}, ssid)$ of all previous subsessions ssid so that the previous responses make sense, i.e., so that $v_i = u^{K_i} \prod_{j=0, j \neq i}^n B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}$. As $\mathcal{A}$ cannot corrupt all servers, there is at least one seed $s_{i,j}$ that is unknown to $\mathcal{A}$, so that B can program the entries $B_0(s_{i,j}, ssid)$ to satisfy the above equation. It proceeds similarly for the values $R_{1,i}, R_{2,i}, s_i$ in account creation protocols. For ongoing account creation protocols, B additionally chooses $r_i \leftarrow_R \mathbb{Z}_q$ and programs $B_1, B_2$ so that $g^{s_i'} = g^{cK_i} R_{1,i} \prod_{j=0, j \neq i}^n B_1(s_{i,j}, ssid)^{-\epsilon_{i,j}}$ and $u^{s_i'} = u^{cK_i} R_{2,i} \prod_{j=0, j \neq i}^n B_2(s_{i,j}, ssid)^{-\epsilon_{i,j}}$, where $s_i' = s_i - \sum_{j=0, j \neq i}^n \epsilon_{i,j} B_3(s_{i,j}, ssid) \bmod q$, i.e., $s_i' = K_i c + r_i$, so that it can hand $r_i$ to $\mathcal{A}$ as part of the state of $S_i$. When $\mathcal{A}$ permanently corrupts $S_i$, then B additionally chooses random master keys $mk_{i,j}$ for all $j = 0, \ldots, n$, $j \neq i$, to simulate the backup tape of $S_i$. When a non-permanently-corrupted server $S_i$ is refreshed, B takes back control of $S_i$ and forgets all previously chosen values for $K_i$ and $s_{i,j}$.

CDH solutions. When the event $\mathit{guesses} < 0$ occurs, B has just added one more CDH solution to Sol than the number of times that it invoked its CDH oracle. Indeed, B invokes the CDH oracle only once for each account creation or login protocol with a corrupt LS where all honest servers participate. The counter $\mathit{guesses}$ is increased immediately before B invokes its CDH oracle and is only decreased when a valid CDH solution is detected in a $G(\cdot)$ query. Therefore, B wins its game by returning Sol.

5. CONSTRUCTION WITH PAIRINGS

We now present an even more efficient scheme based on pairings. It is almost identical to the discrete-logarithm scheme, except that the interactive zero-knowledge proof is replaced by a pairing computation by LS.

Let $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_t$ be multiplicative groups of prime order q with generators $g_1, g_2, g_t$, respectively, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_t$ an efficiently computable pairing function. Let $H : \{0,1\}^* \times \{0,1\}^* \to \mathbb{G}_1$, $G : \{0,1\}^* \times \{0,1\}^* \times \mathbb{G}_1 \to \{0,1\}^{2\kappa}$, and $B_0 : \{0,1\}^\kappa \times \mathbb{N} \to \mathbb{G}_1$ be hash functions modeled as random oracles. Initialization, login, timeout, and refresh are identical to the discrete-logarithm scheme, except that $L \leftarrow g_2^K$ and that group operations during login take place in $\mathbb{G}_1$. Account creation is considerably simpler, as the two-round zero-knowledge protocol is now replaced with a pairing computation, as depicted in Figure 7.

Account creation. To create an account for user uid with password pwd, the LS runs the following protocol with all n servers $S_1, \ldots, S_n$:

1. LS: The LS sends a blinded password hash to all servers.

Figure 7: The account creation protocol for the pairing-based scheme.

    LS:    $N \leftarrow_R \mathbb{Z}_q$, $u \leftarrow H(uid, pwd)^N$;  send $u$ to every $S_i$
    $S_i$: $v_i \leftarrow u^{K_i}\beta_{i,0}$;  send $v_i$ to LS
    LS:    $v_0 \leftarrow u^{K_0}\beta_{0,0}$, $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$;  if $e(v, g_2) = e(H(uid, pwd), L)$ then $PH[uid] \leftarrow G(uid, pwd, v)$

On input (CREATE, sid, ssid, uid, pwd), check if PH[uid], BUSY[uid] or $USED_0[ssid]$ is already defined. If so, abort. Set $BUSY[uid] \leftarrow 1$ and $USED_0[ssid] \leftarrow 1$. Generate a random nonce $N \leftarrow_R \mathbb{Z}_q$, compute $u \leftarrow H(uid, pwd)^N$, and send $(ssid, epoch_0, u)$ to all servers $S_i$ for $i = 1, \ldots, n$. Store $(uid, pwd, N, u)$ associated with ssid.

2. $S_i$: Each server sends a blinded response using its secret key share. On input (PROCEED, sid, ssid) from the environment, and after having received $(ssid, epoch_0, u)$ from LS, check whether $USED_i[ssid] = 1$ or $epoch_0 \neq epoch_i$. If so, abort. Compute $v_i \leftarrow u^{K_i} \prod_{j=0, j \neq i}^n B_0(s_{i,j}, ssid)^{\epsilon_{i,j}}$ and set $USED_i[ssid] \leftarrow 1$. Respond by sending $(ssid, v_i)$ to LS.

3. LS: The LS verifies the server contributions and computes the final password hash. After having received $(ssid, v_i)$ from $S_i$ for all $i = 1, \ldots, n$, retrieve $(uid, pwd, N, u)$ stored for ssid. Abort if it doesn't exist. Compute $v_0 \leftarrow u^{K_0} \prod_{j=1}^n B_0(s_{0,j}, ssid)$ and $v \leftarrow (\prod_{i=0}^n v_i)^{1/N}$. Verify that $e(v, g_2) = e(H(uid, pwd), L)$; if not, set BUSY[uid] to undefined and abort. The check holds exactly when $v = H(uid, pwd)^K$, since $e(H(uid, pwd)^K, g_2) = e(H(uid, pwd), g_2^K) = e(H(uid, pwd), L)$ by bilinearity, so a server that used a wrong share is detected without any interaction. Store $PH[uid] \leftarrow G(uid, pwd, v)$ as the password hash for uid and output (CREATEOK, sid, ssid). Remove all information associated with ssid.

Theorem 5.1. If the one-more Diffie-Hellman assumption holds in $(\mathbb{G}_1, \mathbb{G}_2)$, then the protocol $\pi$ in Section 5 securely realizes the functionality $\mathcal{F}$ in the $(\mathcal{F}_{smt}, \mathcal{F}_{ro})$-hybrid model.

6. DEPLOYMENT OF OUR SCHEME

As discussed, our scheme requires the initialization to be run in a trusted execution environment and, to warrant the difference between transient and permanent corruptions, requires the backup tape to be better protected from attacks than normal state information. The initialization could be run on a single trusted machine which then distributes the keys to the other servers, e.g., by smart cards, which can then also act as backup tapes. A better alternative seems to be to make use of cloud platforms, which also makes it easier to recover from corruption by starting a fresh virtual machine. We discuss this in the following.

The features of modern cloud computing platforms such as OpenStack [23] can be nicely exploited to realize proactive security for protocols. Such platforms offer strong separation between the virtual machines that are exposed to the Internet, and are thus subject to attacks, and the cloud management interfaces that run in a protected, demilitarized zone.

Figure 8: The different components of server $S_i$: the virtual machines $S_i^{(0)}, \ldots, S_i^{(j-1)}, S_i^{(j)}, \ldots$ facing the Internet, and the cloud platform together with the physical machine $\bar{S}_i$ in the demilitarized zone.

New virtual machines can be created on the fly from images, machines can be shut down, and the routing of traffic to machines can be dynamically configured. The platforms also virtualize the storage for the virtual machines, i.e., they offer different kinds of abstraction of hard disks such as file system, block store, object store, etc. The management of all of this is typically a manual process via a web interface in the demilitarized zone, but can easily be automated with scripts, which is how it should be done for our protocol.

The main idea to implement our scheme in this setting is that each server is realized with its own cloud platform (cf. Figure 8). Thus, each server $S_i$ (and analogously LS) consists of a cloud platform, a number of virtual machines $S_i^{(0)}, \ldots, S_i^{(j-1)}, S_i^{(j)}, \ldots$ that are run on the cloud platform, and a (physical) machine $\bar{S}_i$. The cloud platform is usually a single physical machine or a cluster of them. The virtual machines are exposed to the Internet while the cloud platform and $\bar{S}_i$ are run in the demilitarized zone, i.e., in a protected environment. For each epoch j, a fresh virtual machine $S_i^{(j)}$ is started on the cloud platform. These virtual machines run the account creation and the login protocols and access their states from the virtual storage provided by the cloud platform.
The machine S_i controls the cloud platform, maintains the images for the virtual machines S_i^{(j)}, and prepares the state (storage) that is given to each S_i^{(j)} in order for them to run the account creation and the login request protocols. Indeed, S_i needs to be connected only to the cloud software platform, and in practice such connections are typically physically isolated. To prepare the state for the S_i^{(j)}'s, the machine S_i runs the initialization protocol, which requires LS to securely send a message to each of the S_i's. As this is a one-time event that will be part of setting up the overall system, this communication can for instance be realized by writing the messages to a physical medium such as a USB drive and distributing it by courier. In fact, the master keys could even be written on paper and entered manually, as each server in our protocol receives only n·κ bits, amounting to about 18n alphanumeric (7-bit) characters for practical scenarios with κ = 128. The master keys for S_i are stored in backup memory that is available to S_i but not to any of the instances S_i^{(j)}. During refresh, S_i derives the initial state for S_i^{(j)} for the next epoch from the master keys and updates the master keys in the backup memory.

7. IMPLEMENTATION

To demonstrate the practical feasibility and test the performance of our protocols, we created a prototype implementation in Java. We implemented our first construction (without pairings) over the NIST P-256 elliptic curve using SHA-256 as a hash function. All elliptic-curve operations are performed using the Bouncy Castle cryptographic library. We expect that performance can be considerably improved by using other libraries or implementation languages. We tested our implementation on a commercial cloud infrastructure for different numbers of dedicated 2.9 GHz computing cores for each server. Selected performance numbers for login protocols, the most relevant operation, are summarized in Table 1. Roughly, our prototype implementation handles about 20 logins per second per server core dedicated to the LS. The mean computation and communication delay incurred from the moment that LS receives the request until it reaches a decision is always below 100 milliseconds, with a 99th percentile well below 200 ms, small enough not to be noticeable to the user. Since the LS performs two exponentiations in each login protocol, versus only one for each S_i, each S_i takes slightly more than half of the computational resources of the LS. It would therefore make sense to assign more computational power to the LS than to each S_i. Because all servers S_i operate in parallel, increasing the number of servers n has only a minor impact on the throughput and delays.

Table 1: Performance figures of our first protocol over the NIST P-256 elliptic curve. Columns: n; number of dedicated cores for LS, S_1, S_2, S_3; throughput (logins/s); delay (ms), mean and 99th percentile.

Acknowledgements

This work was supported by the European Commission's Seventh Framework Programme under the PERCY grant (agreement #321310) and the FutureID project (agreement #318424). We are very grateful to Daniel Kovacs and Franz-Stefan Preiss for their work on the prototype implementation and performance testing, as well as for their valuable feedback. We would also like to thank Marc Bütikofer, Robin Künzler, Christoph Lucas, and Adrian Schneider for their feedback and for implementing our protocol at Ergon.

8. REFERENCES

[1] J. F. Almansa, I. Damgård, J. B.
Nielsen. Simplified threshold RSA with adaptive and proactive security. EUROCRYPT.
[2] J. Brainard, A. Juels, B. S. Kaliski Jr., M. Szydlo. A new two-server approach for authentication with short secrets. USENIX Security Symposium.
[3] A. Bagherzandi, S. Jarecki, N. Saxena, Y. Lu. Password-protected secret sharing. ACM CCS.
[4] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. PKC.
[5] R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. FOCS. Full version on Cryptology ePrint Archive, Report 2000/067.
[6] J. Camenisch, R. R. Enderlein, G. Neven. Two-server password-authenticated secret sharing UC-secure against transient corruptions. PKC.
[7] R. Canetti, U. Feige, O. Goldreich, M. Naor. Adaptively secure multi-party computation. 28th ACM STOC.
[8] J. H. Cheon. Security analysis of the strong Diffie-Hellman problem. EUROCRYPT.
[9] J. Camenisch, A. Lehmann, A. Lysyanskaya, G. Neven. Memento: How to reconstruct your secrets from a single password in a hostile environment. CRYPTO 2014, Part II.
[10] J. Camenisch, A. Lysyanskaya, G. Neven. Practical yet universally composable two-server password-authenticated secret sharing. ACM CCS.
[11] C.-K. Chu, W.-G. Tzeng. Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. PKC.
[12] M. Di Raimondo, R. Gennaro. Provably secure threshold password-authenticated key exchange. EUROCRYPT.
[13] EMC Corporation. RSA distributed credential protection. rsa-distributed-credential-protection.htm.
[14] Experian. Second annual data breach industry forecast.
[15] W. Ford, B. S. Kaliski Jr. Server-assisted generation of a strong secret from a password. WETICE.
[16] Gemalto. Year of mega breaches & identity theft: Findings from the 2014 breach level index.
[17] D. P. Jablon. Password authentication using multiple servers. CT-RSA.
[18] S. Jarecki, A. Kiayias, H. Krawczyk. Round-optimal password-protected secret sharing and T-PAKE in the password-only model. ASIACRYPT 2014, Part II.
[19] S. Jarecki, X. Liu. Fast secure computation of set intersection. SCN.
[20] B. Kaliski. PKCS #5: Password-based cryptography specification. IETF RFC 2898.
[21] J. Katz, P. D. MacKenzie, G. Taban, V. D. Gligor. Two-server password-only authenticated key exchange. ACNS 05.
[22] P. D. MacKenzie, T. Shrimpton, M. Jakobsson. Threshold password-authenticated key exchange. CRYPTO.
[23] OpenStack website.
[24] N. Provos, D. Mazières. A future-adaptable password scheme. USENIX Annual Technical Conference, FREENIX Track.
[25] M. Szydlo, B. S. Kaliski Jr. Proofs for two-server password authentication. CT-RSA 2005.


More information

A new look at atomic broadcast in the asynchronous. crash-recovery model

A new look at atomic broadcast in the asynchronous. crash-recovery model A new look at atomc broadcast n the asynchronous crash-recovery model Sergo Mena André Schper École Polytechnque Fédérale de Lausanne (EPFL) Dstrbuted Systems Laboratory CH-1015 Lausanne, Swtzerland Tel.:

More information

Analysis of Premium Liabilities for Australian Lines of Business

Analysis of Premium Liabilities for Australian Lines of Business Summary of Analyss of Premum Labltes for Australan Lnes of Busness Emly Tao Honours Research Paper, The Unversty of Melbourne Emly Tao Acknowledgements I am grateful to the Australan Prudental Regulaton

More information

A Performance Analysis of View Maintenance Techniques for Data Warehouses

A Performance Analysis of View Maintenance Techniques for Data Warehouses A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao

More information

+ + + - - This circuit than can be reduced to a planar circuit

+ + + - - This circuit than can be reduced to a planar circuit MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

DP5: A Private Presence Service

DP5: A Private Presence Service DP5: A Prvate Presence Servce Nkta Borsov Unversty of Illnos at Urbana-Champagn, Unted States nkta@llnos.edu George Danezs Unversty College London, Unted Kngdom g.danezs@ucl.ac.uk Ian Goldberg Unversty

More information

The EigenTrust Algorithm for Reputation Management in P2P Networks

The EigenTrust Algorithm for Reputation Management in P2P Networks The EgenTrust Algorthm for Reputaton Management n P2P Networks Sepandar D. Kamvar Stanford Unversty sdkamvar@stanford.edu Maro T. Schlosser Stanford Unversty schloss@db.stanford.edu Hector Garca-Molna

More information

Chapter 11 Practice Problems Answers

Chapter 11 Practice Problems Answers Chapter 11 Practce Problems Answers 1. Would you be more wllng to lend to a frend f she put all of her lfe savngs nto her busness than you would f she had not done so? Why? Ths problem s ntended to make

More information

Financial Mathemetics

Financial Mathemetics Fnancal Mathemetcs 15 Mathematcs Grade 12 Teacher Gude Fnancal Maths Seres Overvew In ths seres we am to show how Mathematcs can be used to support personal fnancal decsons. In ths seres we jon Tebogo,

More information

Forecasting the Direction and Strength of Stock Market Movement

Forecasting the Direction and Strength of Stock Market Movement Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye cjngwe@stanford.edu mchen5@stanford.edu nanye@stanford.edu Abstract - Stock market s one of the most complcated systems

More information

v a 1 b 1 i, a 2 b 2 i,..., a n b n i.

v a 1 b 1 i, a 2 b 2 i,..., a n b n i. SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are

More information

We assume your students are learning about self-regulation (how to change how alert they feel) through the Alert Program with its three stages:

We assume your students are learning about self-regulation (how to change how alert they feel) through the Alert Program with its three stages: Welcome to ALERT BINGO, a fun-flled and educatonal way to learn the fve ways to change engnes levels (Put somethng n your Mouth, Move, Touch, Look, and Lsten) as descrbed n the How Does Your Engne Run?

More information

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits

Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.

More information

SPEE Recommended Evaluation Practice #6 Definition of Decline Curve Parameters Background:

SPEE Recommended Evaluation Practice #6 Definition of Decline Curve Parameters Background: SPEE Recommended Evaluaton Practce #6 efnton of eclne Curve Parameters Background: The producton hstores of ol and gas wells can be analyzed to estmate reserves and future ol and gas producton rates and

More information

Usage of LCG/CLCG numbers for electronic gambling applications

Usage of LCG/CLCG numbers for electronic gambling applications Usage of LCG/CLCG numbers for electronc gamblng applcatons Anders Knutsson Smovts Consultng, Wenner-Gren Center, Sveavägen 166, 113 46 Stockholm, Sweden anders.knutsson@smovts.com Abstract. Several attacks

More information

Ensuring Data Storage Security in Cloud Computing

Ensuring Data Storage Security in Cloud Computing 1 Ensurng Data Storage Securty n Cloud Computng Cong Wang,Qan Wang, Ku Ren, and Wenjng Lou Dept of ECE, Illnos Insttute of Technology, Emal: {cwang, qwang, kren}@ecetedu Dept of ECE, Worcester Polytechnc

More information

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña Proceedngs of the 2008 Wnter Smulaton Conference S. J. Mason, R. R. Hll, L. Mönch, O. Rose, T. Jefferson, J. W. Fowler eds. A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION

More information

QoS in the Linux Operating System. Technical Report

QoS in the Linux Operating System. Technical Report Unverstät Karlsruhe (H) Insttut für elematk QoS n the Lnux Operatng System echncal Report Marc Bechler and Hartmut Rtter Insttut für elematk Fakultät für Informatk Unverstät Karlsruhe (H) E-Mal: [mbechler

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

Lecture 2: Single Layer Perceptrons Kevin Swingler

Lecture 2: Single Layer Perceptrons Kevin Swingler Lecture 2: Sngle Layer Perceptrons Kevn Sngler kms@cs.str.ac.uk Recap: McCulloch-Ptts Neuron Ths vastly smplfed model of real neurons s also knon as a Threshold Logc Unt: W 2 A Y 3 n W n. A set of synapses

More information