TY - GEN
T1 - Efficient password-authenticated key exchange based on RSA
AU - Park, Sangjoon
AU - Nam, Junghyun
AU - Kim, Seungjoo
AU - Won, Dongho
N1 - Funding Information:
★ This work was supported by the Korean Ministry of Information and Communica-tion under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment). ★★ Corresponding author.
Funding Information:
This work was supported by the Korean Ministry of Information and Communication under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).
Publisher Copyright:
© Springer-Verlag Berlin Heidelberg 2007.
PY - 2007
Y1 - 2007
N2 - In this paper, we propose an efficient password-authenticated key exchange (PAKE) based on RSA, called RSA-EPAKE. Unlike SNAPI using a prime pubic key e greater than an RSA modulus n, RSA-EPAKE uses the public key e of a 96-bit prime, where e = 2H(n, s) +1 for some s. By the Prime Number Theorem, it is easy to find such an s. But the probability that an adversary finds n and s with gcd(e, φ(n)) ≠ 1 is less than 2−80. Hence, in the same as SNAPI, RSA-EPAKE is also secure against e-residue attacks. The computational load on Alice (or Server) and Bob (or Client) in RSA-EPAKE is less than in the previous RSA-based PAKEs such as SNAPI, PEKEP,CEKEP, and QR-EKE. In addition, the computational load on Bob in RSA-EPAKE is less than in PAKEs based on Diffie-Hellman key exchange (DHKE) with a 160-bit exponent. If we exclude perfect forward secrecy from consideration, the computational load on Alice is a little more than that in PAKEs based on DHKE with a 160-bit exponent. In this paper, we compare RSA-EPAKE with SNAPI, PEKEP, and CEKEP in computation and the number of rounds, and provide a formal security analysis of RSA-EPAKE under the RSA assumption in the random oracle model.
AB - In this paper, we propose an efficient password-authenticated key exchange (PAKE) based on RSA, called RSA-EPAKE. Unlike SNAPI using a prime pubic key e greater than an RSA modulus n, RSA-EPAKE uses the public key e of a 96-bit prime, where e = 2H(n, s) +1 for some s. By the Prime Number Theorem, it is easy to find such an s. But the probability that an adversary finds n and s with gcd(e, φ(n)) ≠ 1 is less than 2−80. Hence, in the same as SNAPI, RSA-EPAKE is also secure against e-residue attacks. The computational load on Alice (or Server) and Bob (or Client) in RSA-EPAKE is less than in the previous RSA-based PAKEs such as SNAPI, PEKEP,CEKEP, and QR-EKE. In addition, the computational load on Bob in RSA-EPAKE is less than in PAKEs based on Diffie-Hellman key exchange (DHKE) with a 160-bit exponent. If we exclude perfect forward secrecy from consideration, the computational load on Alice is a little more than that in PAKEs based on DHKE with a 160-bit exponent. In this paper, we compare RSA-EPAKE with SNAPI, PEKEP, and CEKEP in computation and the number of rounds, and provide a formal security analysis of RSA-EPAKE under the RSA assumption in the random oracle model.
UR - http://www.scopus.com/inward/record.url?scp=84964306296&partnerID=8YFLogxK
U2 - 10.1007/11967668_20
DO - 10.1007/11967668_20
M3 - Conference contribution
AN - SCOPUS:84964306296
SN - 9783540693277
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 309
EP - 323
BT - Topics in Cryptology
A2 - Abe, Masayuki
PB - Springer Verlag
T2 - Cryptographers Track at the RSA Conference, CT-RSA 2007
Y2 - 5 February 2007 through 9 February 2007
ER -