Oblivious PAKE: Efficient handling of password trials

Abstract

In this work we introduce Oblivious Password based Authenticated Key Exchange (O-PAKE) and show how ordinary PAKE protocols can be transformed into O-PAKE. O-PAKE allows a client that holds multiple passwords and is registered with one of them at some server to use any subset of his passwords in a PAKE session with that server. The term oblivious is used to emphasise that the only information leaked to the server is whether the one password used on the server side matches any of the passwords input by the client. O-PAKE protocols can be used to improve the overall efficiency of login attempts using PAKE protocols in scenarios where users are not sure (e.g. no longer remember) which of their passwords has been used at a particular web server. Using special processing techniques, our O-PAKE compiler reaches nearly constant run time on the server side, independent of the size of the client’s password set; in contrast, a naive approach to run a new PAKE session for each login attempt would require linear run time for both parties. We prove security of the O-PAKE compiler under standard assumptions using the latest game-based PAKE model by Abdalla, Fouque and Pointcheval (PKC 2005), tailored to our needs. We identify the requirements that standard PAKE protocols must satisfy in order to suit our O-PAKE transformation and give two examples.