Client-Server Multi-Factor Authentication Using Pairings

What would be the ideal attributes of a client-server authentication scheme? One might like an identity based scheme not requiring PKI, plus support for multi-factor authentication based on a token, a PIN number, and optionally a biometric. The former might hold a high-entropy secret, and the latter may be represented as relatively lowentropy parameters. However it would be preferred if the token could be in the form of a relatively inexpensive USB stick rather than a SmartCard. The user should be at complete liberty to choose and change a PIN number, but if they forget it a recovery mechanism should be available. A fuzzy biometric measurement could be supported and accepted if accurate within certain limits. However the Server should not be required to store any information derived from client secrets, so there should be no equivalent of a vulnerable “password file”. In fact neither the PIN nor the biometric should be stored anywhere (other than in the client’s brain or as part of the client’s body respectively). Reasonable performance on relatively low-powered devices should be possible. The damage caused by compromise of the Server and the loss of its long term secrets should be mitigated as much as possible. The property of Perfect Forward Secrecy, a requirement for clients concerned about long-term privacy, should be supported. In this paper we aim to deliver such a scheme.