TY - GEN
T1 - Efficient password-authenticated key exchange based on RSA
AU - Park, Sangjoon
AU - Nam, Junghyun
AU - Kim, Seungjoo
AU - Won, Dongho
PY - 2007
Y1 - 2007
N2 - In this paper, we propose an efficient password-authenticated key exchange (PAKE) based on RSA, called RSA-EPAKE. Unlike SNAPI using a prime pubic key e greater than an RSA modulus n, RSA-EPAKE uses the public key e of a 96-bit prime, where e = 2H(n, s) +1 for some s. By the Prime Number Theorem, it is easy to find such an s. But the probability that an adversary finds n and s with gcd(e, φ(n)) ≠ 1 is less than 2−80. Hence, in the same as SNAPI, RSA-EPAKE is also secure against e-residue attacks. The computational load on Alice (or Server) and Bob (or Client) in RSA-EPAKE is less than in the previous RSA-based PAKEs such as SNAPI, PEKEP,CEKEP, and QR-EKE. In addition, the computational load on Bob in RSA-EPAKE is less than in PAKEs based on Diffie-Hellman key exchange (DHKE) with a 160-bit exponent. If we exclude perfect forward secrecy from consideration, the computational load on Alice is a little more than that in PAKEs based on DHKE with a 160-bit exponent. In this paper, we compare RSA-EPAKE with SNAPI, PEKEP, and CEKEP in computation and the number of rounds, and provide a formal security analysis of RSA-EPAKE under the RSA assumption in the random oracle model.
AB - In this paper, we propose an efficient password-authenticated key exchange (PAKE) based on RSA, called RSA-EPAKE. Unlike SNAPI using a prime pubic key e greater than an RSA modulus n, RSA-EPAKE uses the public key e of a 96-bit prime, where e = 2H(n, s) +1 for some s. By the Prime Number Theorem, it is easy to find such an s. But the probability that an adversary finds n and s with gcd(e, φ(n)) ≠ 1 is less than 2−80. Hence, in the same as SNAPI, RSA-EPAKE is also secure against e-residue attacks. The computational load on Alice (or Server) and Bob (or Client) in RSA-EPAKE is less than in the previous RSA-based PAKEs such as SNAPI, PEKEP,CEKEP, and QR-EKE. In addition, the computational load on Bob in RSA-EPAKE is less than in PAKEs based on Diffie-Hellman key exchange (DHKE) with a 160-bit exponent. If we exclude perfect forward secrecy from consideration, the computational load on Alice is a little more than that in PAKEs based on DHKE with a 160-bit exponent. In this paper, we compare RSA-EPAKE with SNAPI, PEKEP, and CEKEP in computation and the number of rounds, and provide a formal security analysis of RSA-EPAKE under the RSA assumption in the random oracle model.
UR - http://www.scopus.com/inward/record.url?scp=84964306296&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964306296&partnerID=8YFLogxK
U2 - 10.1007/11967668_20
DO - 10.1007/11967668_20
M3 - Conference contribution
AN - SCOPUS:84964306296
SN - 9783540693277
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 309
EP - 323
BT - Topics in Cryptology
A2 - Abe, Masayuki
PB - Springer Verlag
T2 - Cryptographers Track at the RSA Conference, CT-RSA 2007
Y2 - 5 February 2007 through 9 February 2007
ER -