Authenticated Key Exchange Secure against Dictionary Attacks

  • Mihir Bellare
  • David Pointcheval
  • Phillip Rogaway
Conference paper

DOI: 10.1007/3-540-45539-6_11

Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)
Cite this paper as:
Bellare M., Pointcheval D., Rogaway P. (2000) Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel B. (eds) Advances in Cryptology — EUROCRYPT 2000. EUROCRYPT 2000. Lecture Notes in Computer Science, vol 1807. Springer, Berlin, Heidelberg


Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with “implicit” authentication) as the “basic” goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Mihir Bellare (1)
  • David Pointcheval (2)
  • Phillip Rogaway (3)
  1. Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
  2. Dépt. d’Informatique-CNRS, École Normale Supérieure, Paris Cedex 05, France
  3. Dept. of Computer Science, University of California at Davis, Davis, USA
