Universally composable two-server PAKE

Abstract

Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret sharing techniques to achieve protec- tion against server-compromise attacks. 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the servers remains honest. This concept has also been explored in connection with two-server password authenticated secret sharing (2PASS) protocols for which game-based and universally composable versions have been pro- posed. In contrast, universally composable PAKE protocols exist cur- rently only in the single-server scenario and all proposed 2PAKE proto- cols use game-based security definitions. In this paper we propose the first construction of an universally composable 2PAKE protocol, alongside with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a com- mon reference string which is a common assumption to many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we define and construct a new cryptographic primitive, called Trapdoor Distrib- uted Smooth Projective Hash Function (TD-SPHF), which could be of independent interest.