About Security of Threshold Anonymous Password-Authenticated Key Exchange

摘要

An anonymous password-authenticated key exchange protocol is designed to provide both password-only authentication and client anonymity against a semi-honest server, who honestly follows the protocol. In IN-DOCRYPT2008, Yang and Zhang 24 proposed a new anonymous PAKE (NAPAKE) protocol and its threshold (D-NAPAKE) which they claimed to be secure against insider attacks. In this paper, we first show that the D-NAPAKE protocol 24 is insecure against insider attacks unlike their claim. Specifically, only one legitimate client can freely impersonate any subgroup of clients (the threshold t > 1) to the server. Then, we propose a threshold anonymous PAKE (called, TAP~+) protocol which provides security against insider attacks. Moreover, we prove that the TAP~+ protocol is AKE-secure against active attacks as well as insider attacks under the computational Diffie-Hellman problem, and provides client anonymity against a semi-honest server, who honestly follows the protocol. Finally, several discussions are followed: 1) We also show another threshold anonymous PAKE protocol by applying our Rationale; to the (non-threshold) anonymous PAKE (VEAP) protocol 21; and 2) We give the efficiency comparison and security consideration of the TAP~+ protocol.