An offline dictionary attack against zkPAKE protocol

Lopez Becerra, José Miguel; Ryan, Peter; Sala, Petra; Skrobot, Marjan

Reference : An offline dictionary attack against zkPAKE protocol


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	Focus Areas :	Security, Reliability and Trust
	To cite this reference:	http://hdl.handle.net/10993/39540

Title :	An offline dictionary attack against zkPAKE protocol
Language :	English
Author, co-author :	Lopez Becerra, José Miguel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Ryan, Peter [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
	Sala, Petra [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
	Skrobot, Marjan []
Publication date :	2019
Main document title :	An offline dictionary attack against zkPAKE protocol
Publisher :	Springer
Peer reviewed :	Yes
On invitation :	No
Audience :	International
Event name :	34th IFIP TC-11 SEC 2019 International Conference on Information Security and Privacy Protection
Event date :	from 25-6-2019 to 27-6-2019
Keywords :	[en] Password Authenticated Key Exchange ; Augmented PAKE ; zk-PAKE
Abstract :	[en] Password Authenticated Key Exchange (PAKE) allows a user to establish a secure cryptographic key with a server, using only knowledge of a pre-shared password. One of the basic security require- ments of PAKE is to prevent o ine dictionary attacks. In this paper, we revisit zkPAKE, an augmented PAKE that has been recently proposed by Mochetti, Resende, and Aranha (SBSeg 2015). Our work shows that the zkPAKE protocol is prone to o ine password guess- ing attack, even in the presence of an adversary that has only eavesdrop- ping capabilities. Results of performance evaluation show that our attack is practical and e cient.Therefore, zkPAKE is insecure and should not be used as a password-authenticated key exchange mechanism.
Research centres :	Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Applied Security and Information Assurance Group (APSIA)
Funders :	Fonds National de la Recherche - FnR
Name of the research project :	PRIDE15
Target :	Researchers ; Professionals ; Students ; General public
Permalink :	http://hdl.handle.net/10993/39540
Commentary :	This work was supported by the Luxembourg National Research Fund through grant PRIDE15/10621687/SPsquared and under CORE project AToMS (Project ID 8293135).
FnR project :	FnR ; FNR8293135 > Peter Y. A. Ryan > AToMS > A Theory of Matching Sessions > 01/05/2015 > 30/04/2018 > 2014

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	zkPAKE_final.pdf		Publisher postprint	302.65 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices