Applied Cryptography and Network Security

Volume 3531 of the series Lecture Notes in Computer Science pp 1-16

Two-Server Password-Only Authenticated Key Exchange

  • Jonathan Katz, Dept. of Computer Science, University of Maryland
  • Philip MacKenzie, DoCoMo USA Labs
  • Gelareh Taban, Dept. of Electrical and Computer Engineering, University of Maryland
  • Virgil Gligor, Dept. of Electrical and Computer Engineering, University of Maryland



Typical protocols for password-based authentication assume a single server which stores all the information (e.g., the password) necessary to authenticate a user. Unfortunately, an inherent limitation of this approach (assuming low-entropy passwords are used) is that the user’s password is exposed if this server is ever compromised. To address this issue, a number of schemes have been proposed in which a user’s password information is shared among multiple servers, and these servers cooperate in a threshold manner when the user wants to authenticate.

We show here a two-server protocol for this task assuming public parameters available to everyone in the system (as well as the adversary). Ours is the first provably-secure two-server protocol for the important password-only setting (in which the user need remember only a password, and not the servers’ public keys), and is the first two-server protocol (in any setting) with a proof of security in the standard model.