4.6 Article

Quantum-Safe Round-Optimal Password Authentication for Mobile Devices

Journal

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TDSC.2020.3040776

Keywords

Post quantum security; password authentication; asymmetric password authenticated key exchange; smooth projective hash function; password hashing scheme; lattice-based cryptography

Funding

  1. National Natural Science Foundation of China [61802006, 61802214]
  2. National Natural Science Foundation of Shandong province, China [ZR2019BF009]
  3. Applied Basic Research Project of Qingdao [19-6-2-6-cg]
  4. Foundation of Guizhou Provincial Key Laboratory of Public Big Data [2019BDKFJJ007]

Password authentication is a dominant form of access control for the Web and mobile devices, and the use of Password Authenticated Key Exchange (PAKE) systems is recommended for secure data communication. The industry standard suggests using asymmetric-PAKE protocols to prevent password exposure.
Password authentication is the dominant form of access control for the Web and mobile devices, and its practicality and ubiquity are unlikely to be replaced by other authentication approaches in the foreseeable future. To guarantee the security of data communication and mitigate the problem of password-cracking, a Password Authenticated Key Exchange (PAKE) system can be deployed between two peer participants. The main drawback of traditional PAKE is that passwords are exposed in plaintext when the remote server is compromised. To overcome this limitation, it is recommended by industry standards (such as SRP family RFC 5054, RFC 6628, RFC 7914, OPAQUE, etc.) to use asymmetric-PAKE protocols, which enable the server to store a hash of the user's password with a random salt, providing guarantees that the user's password is never transmitted in plaintext to the server at login. However, most of the existing asymmetric-PAKE protocols are either based on traditional hash functions under random oracles, or depend on non-quantum-secure hardness assumptions and become insecure in the quantum era. To bridge the gap between asymmetric-PAKE and quantum-security, in this article, we resort to smooth projective hash functions (SPHF) and commitment-based password-hashing schemes (PHS) over lattice-based cryptography, and construct an asymmetric PAKE protocol secure against quantum attacks. Our construction eliminates the costly non-interactive zero-knowledge (NIZK) method, bypasses assumptions of the random oracle model, and achieves quantum resistance. We also show that our asymmetric-PAKE protocol can achieve security and efficiency under the Bellare-Pointcheval-Rogaway (BPR) model. Finally, we develop a prototype implementation of our instantiation and use it to evaluate its performance in realistic settings.
