Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication
- 24 October 2016
- conference paper
- Published by Association for Computing Machinery (ACM) in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
- p. 1179-1191
- https://doi.org/10.1145/2976749.2978354
Abstract
Anonymous authentication allows one to authenticate herself without revealing her identity, and has become an important technique for constructing privacy-preserving Internet connections. Anonymous password authentication is highly desirable as it enables a client to authenticate herself by a human-memorable password while preserving her privacy. In this paper, we introduce a novel approach for designing anonymous password-authenticated key exchange (APAKE) protocols using algebraic message authentication codes (MACs), where an algebraic MAC wrapped by a password is used by a client for anonymous authentication, and a server issues algebraic MACs to clients and acts as the verifier of login protocols. Our APAKE construction is secure provided that the algebraic MAC is strongly existentially unforgeable under random message and chosen verification queries attack (suf-rmva), weak pseudorandom and tag-randomization simulatable, and has simulation-sound extractable non-interactive zero-knowledge proofs (SE-NIZKs). To design practical APAKE protocols, we instantiate an algebraic MAC based on the q-SDH assumption which satisfies all the required properties, and construct credential presentation algorithms for the MAC which have optimal efficiency for a randomize-then-prove paradigm. Based on the algebraic MAC, we instantiate a highly practical APAKE protocol and denote it by APAKE+, which is much more efficient than the mechanisms specified by ISO/IEC 20009-4. An efficient revocation mechanism for APAKE+ is also proposed. We integrate APAKE+ into TLS to present an anonymous client authentication mode where clients holding passwords can authenticate themselves to a server anonymously. Our implementation with 128-bit security shows that the average connection time of the APAKE+-based ciphersuite is 2.8 ms. With APAKE+ integrated into the OpenSSL library and using an Apache web server on a 2-core desktop computer, we could serve 953 ECDHE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KB payload. Compared to the ECDSA-signed elliptic-curve Diffie-Hellman ciphersuite with mutual authentication, this means a 0.27 KB larger handshake and a 13% reduction in throughput.
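The login flow the abstract describes (the server issues algebraic MAC tags and is the only party able to verify them; the client keeps its tag wrapped under a password and, at login, rerandomizes the tag and proves knowledge of the authenticated attribute in zero knowledge, so that logins are anonymous and unlinkable) is shown below as an added example. It is not the paper's code: in place of the paper's pairing-based q-SDH MAC it uses the simpler MAC_GGM of Chase, Meiklejohn and Zaveri (2014), whose randomize-then-prove presentation works in an ordinary Schnorr group with plain modular arithmetic; the multiplicative password mask, the SHA-256-based KDF, the toy-size group generated at import time, and the attribute and password values are all choices made for this example, not the paper's constructions. The key-exchange part of APAKE and the TLS integration are not shown.

```python
"""Toy randomize-then-prove login with an algebraic-MAC credential.  Added example,
not the paper's code: MAC_GGM (Chase, Meiklejohn, Zaveri 2014) over a Schnorr group
stands in for the paper's q-SDH MAC; the password mask is a choice made here."""
import hashlib, secrets

def _is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    """First p = 2q+1 with q prime and p just above 2^(bits-1); deterministic search."""
    q = (1 << (bits - 2)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(128)                                 # toy size for the example, not secure
G = 4                                                   # a square: generates the order-Q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"H").digest(), "big"), 2, P)  # 2nd generator, dlog_G unknown
_rand_exp = lambda: secrets.randbelow(Q - 1) + 1        # uniform in [1, Q-1]

def _h2z(*parts):
    # hash bytes and group elements (fixed width) into Z_Q; used for Fiat-Shamir and the mask
    n = (P.bit_length() + 7) // 8
    data = b"".join(x if isinstance(x, bytes) else x.to_bytes(n, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Server: MAC key (x0, x1) stays secret; X1 = H^x1 is published for client proofs."""
    x0, x1 = _rand_exp(), _rand_exp()
    return {"x0": x0, "x1": x1, "X1": pow(H, x1, P)}

def issue(sk, m):
    """MAC_GGM tag on attribute m in Z_Q: (u, u^(x0 + x1*m)) with a fresh random u."""
    u = pow(G, _rand_exp(), P)
    return u, pow(u, (sk["x0"] + sk["x1"] * m) % Q, P)

def wrap(tag, password, sign=1):
    """Mask u' with G^KDF(pw).  Without the MAC key u' looks like a random subgroup element,
    so a stolen wrapped tag gives no offline password check.  (Use a slow KDF in practice.)"""
    u, up = tag
    return u, up * pow(G, (sign * _h2z(b"wrap", password)) % Q, P) % P

def unwrap(wrapped, password):
    return wrap(wrapped, password, sign=-1)

def present(tag, m, X1):
    """Client login message: rerandomize the tag, commit to m, blind u', prove
    knowledge of (m, z, r).  Neither m nor the issued tag is revealed."""
    u, up = tag
    a, z, r = _rand_exp(), _rand_exp(), _rand_exp()
    u_a, up_a = pow(u, a, P), pow(up, a, P)                # (u^a, u'^a) is still a tag on m
    C_m = pow(u_a, m, P) * pow(H, z, P) % P                # commitment to m
    C_up = up_a * pow(G, r, P) % P                         # blinded u'^a
    V = pow(X1, z, P) * pow(G, Q - r, P) % P               # = u_a^x0 * C_m^x1 / C_up for a valid tag
    k_m, k_z, k_r = _rand_exp(), _rand_exp(), _rand_exp()
    T1 = pow(u_a, k_m, P) * pow(H, k_z, P) % P
    T2 = pow(X1, k_z, P) * pow(G, Q - k_r, P) % P
    c = _h2z(u_a, C_m, C_up, V, T1, T2)
    return u_a, C_m, C_up, c, (k_m + c * m) % Q, (k_z + c * z) % Q, (k_r + c * r) % Q

def verify(sk, pres):
    """Server: recompute V with the MAC key, then check the proof.  Received elements
    must be validated: u_a = 1 or C_up = 0 would otherwise let anyone pass."""
    u_a, C_m, C_up, c, s_m, s_z, s_r = pres
    if u_a == 1 or any(pow(x, Q, P) != 1 for x in (u_a, C_m, C_up)):
        return False
    V = pow(u_a, sk["x0"], P) * pow(C_m, sk["x1"], P) * pow(C_up, P - 2, P) % P
    T1 = pow(u_a, s_m, P) * pow(H, s_z, P) * pow(C_m, Q - c, P) % P
    T2 = pow(sk["X1"], s_z, P) * pow(G, Q - s_r, P) * pow(V, Q - c, P) % P
    return c == _h2z(u_a, C_m, C_up, V, T1, T2)

def demo():
    """Constructed scenario: issue, wrap, two honest logins, three that must fail."""
    sk = keygen()
    m = _h2z(b"account:alice")                              # constructed attribute (account id)
    stored = wrap(issue(sk, m), b"correct horse")           # all the client keeps on disk
    tag = unwrap(stored, b"correct horse")
    p1, p2 = present(tag, m, sk["X1"]), present(tag, m, sk["X1"])
    return {
        "honest": verify(sk, p1) and verify(sk, p2),
        "unlinkable": p1[0] != p2[0] and p1[1] != p2[1],        # two logins share no element
        "tampered_tag": verify(sk, present((tag[0], pow(tag[1], 3, P)), m, sk["X1"])),
        "wrong_password": verify(sk, present(unwrap(stored, b"Tr0ub4dor"), m, sk["X1"])),
        "degenerate_u": verify(sk, present((1, 1), m, sk["X1"])),  # proof checks, validation fails
    }
```

Two points the toy makes concrete. First, because a MAC is keyed, the server is both issuer and verifier, exactly the role split the abstract gives it; the client never needs a public verification key, only X1 for building the proof. Second, the element checks in `verify` are not optional: with `u_a = 1` the commitment collapses to `H^z` and the proof holds for any attribute, and with `C_up = 0` the recomputed `V` is zero for every key, so a forger could precompute the challenge. The paper's stronger properties (suf-rmva, tag-randomization simulatability, SE-NIZK) and its password-wrapping and key-derivation steps are what turn this kind of presentation into a full APAKE; they are not reproduced here.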
Funding Information
- The National Basic Research Program of China (2013CB338003)
- The National Natural Science Foundation of China (U1536205, 61572485, 61502527)