Prevention of Exponential Equivalence in Simple Password Exponential Key Exchange (SPEKE)

Abstract

Simple Password Exponential Key Exchange (SPEKE) and Dragonfly are simple password-based authenticated key exchange protocols that use a value derived from a shared password as a generator for modular exponentiation, as opposed to Diffie–Hellman key exchange, which uses a fixed value. However, it has been shown that in SPEKE, an active attacker, can examine multiple passwords in a single attempt because the passwords have an exponential correlation. We show that Dragonfly can also suffer from the same problem, and we propose a simple countermeasure to prevent the exponential equivalence in SPEKE.

1. Introduction

Password-Authenticated Key Exchange (PAKE) is an authenticated key exchange protocol between two or more parties that share only a human-memorable password without depending on any third party and communicating only via an insecure network. Because the password dictionary is sufficiently small, PAKE protocols are designed with the assumption that an attacker can enumerate all the possible passwords off-line within a reasonable time. The intention of PAKE protocols is to prevent off-line guessing attack. They are considered to be safe when an exhaustive search is the only available means of attack.

Simple Password Exponential Key Exchange (SPEKE), proposed by Jablon [1], and Dragonfly, proposed by Harkins [2], are well-known PAKE protocols. These protocols are similar to Diffie–Hellman key exchange except that they use a value derived from a shared password as a generator for exponentiation, instead of a fixed value. Such a characteristic makes these protocols seem simpler yet more efficient than other PAKE protocols. However, in 2004, Zhang showed that an active attacker can try multiple passwords in a single attempt by exploiting the exponential equivalence of the passwords in SPEKE [3]. Furthermore, in 2005, Tang and Mitchell identified other security vulnerabilities such as unknown key-share attack and generic attack as well as the exponential equivalence problem [4]. Subsequently, in 2014, Hao and Shahandashti showed that SPEKE can suffer from impersonation attack and key-malleability attack [5] and Clark and Hao showed that Dragonfly can suffer from a small subgroup attack [6].

The above-mentioned vulnerabilities except the exponential equivalence problem can be addressed in SPEKE by modifying the key confirmation process [4,5] and in Dragonfly by checking that the received element is a member of the supergroup [6]. A possible solution to the exponential equivalence problem is hashing passwords, as in the case of the revised version of SPEKE, which makes it difficult for an attacker to guess the password [7]. However, this approach does not overcome the essential problem, because the exponential equivalence of passwords persists even after the passwords are hashed. Hao and Ryan claimed that there is no guarantee that an attacker is unable to formulate exponential relationships among hashed passwords; no existing hash function is designed for that purpose [8].

In this paper, we show that Dragonfly can also suffer from the exponential equivalence problem, and we propose a simple solution that can prevent password-guessing attacks based on the exponential equivalence of passwords in the SPEKE protocol.

2. Review of SPEKE and Dragonfly

2.1. The SPEKE Protocol

Let p be a safe prime, $p=2q+1$, where q is also a prime. SPEKE is defined over a subgroup of ${\mathbb{Z}}_p^{*}$ of prime order q. Assume that two parties, Alice and Bob, share a common password π and want to exchange a password-authenticated key. SPEKE defines a function f to map the password π to a generator, i.e., $f\left(\pi \right)={\pi }^2\mathrm{mod}p$ in the original SPEKE [1] or $f\left(\pi \right)={\left(h\right(\pi \left)\right)}^2\mathrm{mod}p$ in the revised version of SPEKE [7], where h is a cryptographic hash function (e.g., SHA-256). Let g denote the generator corresponding to π, i.e., $g=f\left(\pi \right)$. The squaring of π or $h\left(\pi \right)$ ensures that the generator g does not fall into the small subgroup of order two, which contains $\{1,p-1\}$.

SPEKE is exactly the same as Diffie–Hellman key exchange except that it uses a value derived from π as a generator for exponentiation. The details of fully constrained SPEKE are as follows:

• Alice → Bob: Send $A=g^a\mathrm{mod}p$, where a is randomly selected in ${\mathbb{Z}}_q^{*}$.
• Alice ← Bob: Send $B=g^b\mathrm{mod}p$, where b is randomly selected in ${\mathbb{Z}}_q^{*}$.
• Alice & Bob: Compute $K=B^a\mathrm{mod}p$ and $K=A^b\mathrm{mod}p$, respectively.

Now, Alice and Bob share the secret $K=g^{ab}\mathrm{mod}p$.

Alice and Bob confirm that they are sharing the same secret K. For this purpose, Alice and Bob exchange validation values $V_A$, $V_B$, and validate them. A hash function is used to generate the values. The details are as follows:

4.

Alice ← Bob: Send $V_B=h\left(h\left(h\left(K\right)\right)\right)$.

5.

Alice: Verify $V_B$.

6.

Alice → Bob: Send $V_A=h\left(h\left(K\right)\right)$.

7.

Bob: Verify $V_A$.

2.2. The Dragonfly Protocol

Although Dragonfly, based on discrete logarithm cryptography, can be implemented either on a finite field or on an elliptic curve, in this paper we deal with the protocol operated on a finite field.

Let p be a large prime of the form $p=rq+1$, where r and q relatively prime. Dragonfly is defined over a finite cyclic group Q, which is a subgroup of ${\mathbb{Z}}_p^{*}$ of prime order q. Assume that two parties, Alice and Bob, share a common password π and want to exchange a password-authenticated key. Dragonfly defines two functions f and $h_1$ to map the identities of the two participants and the shared password π to a generator, i.e., $f(\mathrm{Alice},\mathrm{Bob},\pi )={\left(h_1(\mathrm{Alice},\mathrm{Bob},\pi )\right)}^r\mathrm{mod}p$. The functions can be briefly represented as $f:{\{0,1\}}^{*}\to Q$ and $h_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_p^{*}$, respectively. (For more details, see [2].) Let g denote the generator, i.e., $g=f(\mathrm{Alice},\mathrm{Bob},\pi )$.

The Dragonfly protocol works as follows:

• Alice→Bob: Send $A=g^{-a_1}\mathrm{mod}p$ and $a=(a_1+a_2)\mathrm{mod}q$, where $a_1$ and $a_2$ are randomly selected in ${\mathbb{Z}}_q^{*}$.
  Alice←Bob: Send $B=g^{-b_1}\mathrm{mod}p$ and $b=(b_1+b_2)\mathrm{mod}q$, where $b_1$ and $b_2$ are randomly selected in ${\mathbb{Z}}_q^{*}$.
• Alice & Bob: Compute $K={(g^b·B)}^{a_2}\mathrm{mod}p$ and $K={(g^a·A)}^{b_2}\mathrm{mod}p$, respectively.

Now, Alice and Bob share the secret $K=g^{a_2{b}_2}\mathrm{mod}p$.

3.

Alice → Bob: Send $V_A=h\left(K\right|\left|A\right|\left|a\right|\left|B\right|\left|b\right)$.

Alice ← Bob: Send $V_B=h\left(K\right|\left|B\right|\left|b\right|\left|A\right|\left|a\right)$.

4.

Alice & Bob: Verify $V_A$ and $V_B$, respectively.

3. Exponential Equivalence in SPEKE and Dragonfly

3.1. Exponential Equivalence in SPEKE

In this subsection, we review the problem identified by Zhang, i.e., a single on-line attempt can scan through all the exponentially equivalent passwords [3]. First, if p is a large safe prime, then for arbitrary given b, it is extremely difficult to find an integer x that satisfies the following equation:

$$b=a^x\mathrm{mod}p.$$

However, if mod p is not present, this equation can be converted into a simple equation that yields ${log}_{a}b$. As such, we can say that two elements, $b_1=a^{x_1}$ and $b_2=a^{x_2}$, where $a,b_1,b_2\in Z_p^{*}$, are exponentially equivalent, and the set of exponentially equivalent elements is identified as the exponential equivalence class. For example, among the numbers less than 100, the exponential equivalence classes are as follows:

$$\{2^1,2^2,2^3,2^4,2^5,2^6\},\{3^1,3^2,3^3,3^4\},\{5^1,5^2\},\{7^1,7^2\}.$$

Now, let us consider how every element can be examined at once in the SPEKE protocol. Assume that the outputs of the mapping function f for j passwords from ${\pi }_1$ to ${\pi }_j$ are exponentially equivalent with a base m. The actual class in SPEKE is

$$\{f\left({\pi }_1\right)=m^{e_1},f\left({\pi }_2\right)=m^{e_2},\cdots ,f\left({\pi }_j\right)=m^{e_j}\},$$

where the exponent $e_i$ for each $i\in \{1,2,...,j\}$, is an integer greater than or equal to 1. An active attacker, Eve, masquerading as Alice, generates a random $a^{\prime }$ and sends $A^{\prime }$ to Bob when $A^{\prime }=m^{a^{\prime }}$ mod p is calculated. Bob generates a random b and sends B and $V_B^{\prime }$ to Eve when $B={\left(f\left(\pi \right)\right)}^b$ mod p, $K^{\prime }={\left(A^{\prime }\right)}^b$ mod p, and $V_B^{\prime }=h\left(h\left(h\left(K^{\prime }\right)\right)\right)$ are calculated. On receiving B and $V_B^{\prime }$ from Bob, Eve terminates the protocol and for each i, $1\le i\le j$, computes

$$\begin{array}{cc}\hfill K_i& =B^{a^{\prime }/e_i\mathrm{mod}(p-1)}\mathrm{mod}p\hfill \\ \hfill V_i& =h\left(h\left(h\left(K_i\right)\right)\right).\hfill \end{array}$$

If $V_i$ is the same as $V_B^{\prime }$ received from Bob, then the guessed password ${\pi }_i$ is the same as π, which means that it is correctly guessed:

$$\begin{array}{cc}\hfill K_i& =B^{a^{\prime }/e_i}\mathrm{mod}p\hfill \\ & ={({\left(f\left(\pi \right)\right)}^b)}^{a^{\prime }/e_i}\mathrm{mod}p\hfill \\ & ={\left(m^{e_i·b}\right)}^{a^{\prime }/e_i}\mathrm{mod}p\hfill \\ & =m^{a^{\prime }b}\mathrm{mod}p\hfill \\ & ={\left(A^{\prime }\right)}^b\mathrm{mod}p\hfill \\ & =K^{\prime }.\hfill \end{array}$$

To prevent an exponential equivalence attack in SPEKE, Tang and Mitchell suggested that the function f be modified as $f\left(\pi \right)=h\left(\pi \right|\left|I{D}_A\right|\left|I{D}_B\right|\left|i\right)\mathrm{mod}p$, where $i(i\ge 0)$ is the smallest integer that makes g a generator of a multiplicative subgroup of order q in ${\mathbb{Z}}_p^{*}$. However, there is no difference between the function proposed by Tang and Mitchell and the function $f\left(\pi \right)={\left(h\left(\pi \right)\right)}^2\mathrm{mod}p$ in the revised version of SPEKE [7] from the viewpoint of preventing an exponential equivalence attack.

Furthermore, exponential equivalence among hash outputs has no effect on the security of hash-based protocols other than SPEKE or Dragonfly, which use a generator derived from hashing a shared password.

3.2. Exponential Equivalence in Dragonfly

In this subsection, we show the exponential equivalence problem in the Dragonfly protocol. A single on-line attempt can scan through all the exponentially equivalent passwords.

Assume that the outputs of the mapping function f for j passwords from ${\pi }_1$ to ${\pi }_j$ are exponentially equivalent with a base m. The actual class in Dragonfly is

$$\{f(\mathrm{Alice},\mathrm{Bob},{\pi }_1)=m^{e_1},f(\mathrm{Alice},\mathrm{Bob},{\pi }_2)=m^{e_2},\cdots ,f(\mathrm{Alice},\mathrm{Bob},{\pi }_j)=m^{e_j}\},$$

where the exponent $e_i$ for each $i\in \{1,2,...,j\}$, is an integer greater than or equal to 1. An active attacker, Eve, masquerading as Alice, generates two random $a_1^{\prime }$ and $a_2^{\prime }$, and sends $A^{\prime }$ and $a^{\prime }$ to Bob when $A^{\prime }=m^{-a_1^{\prime }}\mathrm{mod}p$ and $a^{\prime }=(a_1^{\prime }+a_2^{\prime })\mathrm{mod}q$ are calculated. Bob also generates two random $b_1$ and $b_2$, and sends B and b to Eve when $B={\left(f(\mathrm{Alice},\mathrm{Bob},\pi )\right)}^{-b_1}\mathrm{mod}p$ and $b=(b_1+b_2)\mathrm{mod}q$ are calculated. On receiving $A^{\prime }$ and $a^{\prime }$ from Eve, Bob computes $K^{\prime }={({\left(f(\mathrm{Alice},\mathrm{Bob},\pi )\right)}^{a^{\prime }}·A^{\prime })}^{b_2}\mathrm{mod}p$ and send $V_B^{\prime }=h(K^{\prime }\left|\right|B\left|\right|b\left|\right|A^{\prime }\left|\right|a^{\prime })$ to Eve.

On receiving B and $V_B^{\prime }$ from Bob, Eve terminates the protocol and for each i, $1\le i\le j$, computes

$$\begin{array}{cc}\hfill K_i& ={(m^b·B^{1/e_i\mathrm{mod}q})}^{(e_i·a^{\prime }-a_1^{\prime })\mathrm{mod}q\mathrm{mod}p}\hfill \\ \hfill V_i& =h\left(K_i\right|\left|B\right|\left|b\right|\left|A^{\prime }\right|\left|a^{\prime }\right).\hfill \end{array}$$

If $V_i$ is the same as $V_B^{\prime }$ received from Bob, then the guessed password ${\pi }_i$ is the same as π, which means that it is correctly guessed:

$$\begin{array}{cc}\hfill K_i& ={(m^b·B^{1/e_i})}^{(e_i·a^{\prime }-a_1^{\prime })}\mathrm{mod}p\hfill \\ & ={(m^b·{({\left(m^{e_i}\right)}^{-b_1})}^{1/e_i})}^{(e_i·a^{\prime }-a_1^{\prime })}\mathrm{mod}p\hfill \\ & ={(m^{b_2})}^{(e_i·a^{\prime }-a_1^{\prime })}\mathrm{mod}p\hfill \\ & ={(m^{(e_i·a^{\prime }-a_1^{\prime })})}^{b_2}\mathrm{mod}p\hfill \\ & ={({\left(m^{e_i}\right)}^{a^{\prime }}·A^{\prime })}^{b_2}\mathrm{mod}p\hfill \\ & =K^{\prime }.\hfill \end{array}$$

4. Prevention of Exponential Equivalence in SPEKE

In this section, we present a simple solution for preventing an attacker from guessing multiple passwords in a single on-line attempt based on exponential equivalence of the passwords in the SPEKE protocol.

Our approach is based on the property that there is no exponentially equivalent element when twice the minimum element is greater than the maximum element within a given set. Similarly, this approach can be applied to SPEKE by modifying the password-mapping function f by prefixing fixed bits to the output of the hash function h.

Theorem 1.

Let $h:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$ be a function that maps an input of arbitrary length to an output of fixed length ℓ. Let p be a safe prime, $p=2q+1$ where q is also a prime. There is no exponentially equivalent element among all the outputs of $f\left(x\right)$ over a subgroup of ${\mathbb{Z}}_p^{*}$ of prime order q satisfying

$$f\left(x\right)={(h\left(x\right)+k·2^{\ell })}^2,$$

(1)

where k is any integer satisfying $3\le k\le \lfloor {\displaystyle \frac{p}{2^{\ell }}}\rfloor -1$ and $k\ne \lfloor {\displaystyle \frac{q-1}{2^{\ell }}}\rfloor$.

Proof.

From the given condition $0\le h\left(x\right)<2^{\ell }$, we can derive the following equations.

$$k·2^{\ell }\le h\left(x\right)+k·2^{\ell }\le (k+1)·2^{\ell }-1<(k+1)·2^{\ell }.$$

(2)

$$k^2·2^{2\ell }\le {(h\left(x\right)+k·2^{\ell })}^2<{(k+1)}^2·2^{2\ell }.$$

$$k^2·2^{2\ell }\le f\left(x\right)<{(k+1)}^2·2^{2\ell }.$$

For a base c, two successive elements of an exponential equivalence class should be $c^i$ and $c^{i+1}$. To ensure that no exponentially equivalent element can be found, the maximum value of $f\left(x\right)$ must be less than c times the minimum value for all c.

$$c·k^2·2^{2\ell }\ge {(k+1)}^2·2^{2\ell }$$

If we divide both sides by $2^{2\ell }$, we get

$$c·k^2\ge {(k+1)}^2.$$

Since $c\ge 2$, if $c=2$ is satisfied, it is satisfied for all c:

$$2k^2>{(k+1)}^2.$$

$$\therefore k\ge 3$$

(3)

The modular square is symmetric with respect to half of modulus p. Therefore, to prevent output duplication, the domain of definition of the modular square, or the range of $h\left(x\right)+k·2^{\ell }$, must be included in

$$tq+1\le h\left(x\right)+k·2^{\ell }\le (t+1)q,\mathrm{for}t=0\mathrm{or}1.$$

(4)

Because (2) and (4) are the codomain and range of $h\left(x\right)+k·2^{\ell }$, respectively, the following equation is established:

$$tq+1\le k·2^{\ell }\mathrm{and}(k+1)·2^{\ell }-1\le (t+1)q,\mathrm{for}t=0\mathrm{or}1.$$

$$\therefore 1\le k\le \lfloor \frac{q+1}{2^{\ell }}\rfloor -1\mathrm{or}\lceil \frac{q+1}{2^{\ell }}\rceil \le k\le \lfloor \frac{p}{2^{\ell }}\rfloor -1.$$

(5)

From (3) and (5), when (1) is satisfied, no exponentially equivalent element is found in $f\left(x\right)$.  ☐

For the 112-bit security level, the sizes of p, q and $2^{\ell }$ should be greater than or equal to 2048, 2047 and 224 bits, respectively [9].

5. Discussion

Our solution for preventing exponential equivalence cannot be applied directly over a subgroup in which modulus p is not a safe prime, such as in Dragonfly. To make a generator of a subgroup, exponentiation with exponent r, i.e., $f\left(x\right)={(h\left(x\right)+k·2^{\ell })}^r$, is needed. Because r is very large, e.g., an 896-bit integer corresponding to a 1024-bit modulus, subsequently most of outputs of $f\left(x\right)$ will exceed p. We reserve this problem for future research.

6. Conclusions

In this paper, we showed that an active attacker can try multiple passwords in a single attempt by exploiting the exponential equivalence of the passwords in Dragonfly as well as in SPEKE. Furthermore, we proposed and proved a simple solution for preventing this problem in the SPEKE protocol. Our solution can be easily applied to variants of the Diffie-Hellman protocol (e.g., the B-SPEKE protocol) that use a safe prime modulus and do not use a fixed generator.