Zero-Knowledge Password Policy Check from Lattices

02/14/2018
by Khoa Nguyen, et al.

Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high-entropy passwords is critical to prevent unauthorized access, and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merritt (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (the verifier). Unfortunately, this restricts password policies, as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant because it relies on discrete logarithm-based cryptographic tools, and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.
