On the Relation Between SIM and IND-RoR Security Models for PAKEs with Forward Secrecy

  • José Becerra
  • Vincenzo Iovino
  • Dimiter Ostrev
  • Marjan Škrobot
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)


Password-based Authenticated Key-Exchange (PAKE) protocols allow the establishment of secure communication entirely based on the knowledge of a shared password. Over the last two decades, we have witnessed the debut of a number of prominent security models for PAKE protocols, whose aim is to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. These models are usually classified into (i) indistinguishability-based (IND-based) or (ii) simulation-based (SIM-based). However, the relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security. The results obtained also hold when forward secrecy is incorporated into the security models in question.


Keywords: Security models; SIM-based security; IND-based security; Password Authenticated Key Exchange; Forward secrecy



We are especially grateful to Jean Lancrenon for all his suggestions and fruitful discussions. This work was supported by the Luxembourg National Research Fund (CORE project AToMS and CORE Junior grant no. 11299247).


  1. Nam, J., Choo, K.R., Paik, J., Won, D.: An offline dictionary attack against a three-party key exchange protocol. IACR Cryptology ePrint Archive 2013, p. 666 (2013).
  2. Clarke, D., Hao, F.: Cryptanalysis of the dragonfly key exchange protocol. IET Inf. Secur. 8, 283–289 (2014).
  3. Becerra, J., Šala, P., Škrobot, M.: An offline dictionary attack against zkPAKE protocol. Cryptology ePrint Archive, Report 2017/961 (2017).
  4. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000).
  5. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005).
  6. Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000).
  7. Shoup, V.: On formal models for secure key exchange. Cryptology ePrint Archive, Report 1999/012 (1999).
  8. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005).
  9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, pp. 136–145. IEEE Computer Society (2001).
  10. Lopez Becerra, J.M., Iovino, V., Ostrev, D., Skrobot, M.: On the relation between SIM and IND-RoR security models for PAKEs. In: Proceedings of the International Conference on Security and Cryptography. SCITEPRESS (2017).
  11. Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26, 5–26 (1996).
  12. MacKenzie, P.: On the security of the SPEKE password-authenticated key exchange protocol. Cryptology ePrint Archive, Report 2001/057 (2001).
  13. ISO/IEC 11770-4:2006/Cor 1:2009, Information Technology - Security techniques - Key Management - Part 4: Mechanisms Based on Weak Secrets. Standard, International Organization for Standardization, Genève, Switzerland (2009).
  14. Standard Specifications for Password-Based Public Key Cryptographic Techniques. Standard, IEEE Standards Association, NJ, USA (2002).
  15. Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Crypt. 2, 107–125 (1992).
  16. Cameron, D.: Over 560 million passwords discovered in anonymous online database (2017).
  17. Perlroth, N., Gelles, D.: Russian hackers amass over a billion internet passwords (2014).
  18. Ian, P.: LinkedIn confirms account passwords hacked (2012).
  19. Hao, F., Ryan, P.: J-PAKE: authenticated key exchange without PKI. Trans. Comput. Sci. 11, 192–206 (2010).
  20. MacKenzie, P.: The PAK Suite: protocols for password-authenticated key exchange. DIMACS Technical Report 2002-46 (2002).
  21. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007).
  22. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).
  23. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005).
  24. Katz, J., Ostrovsky, R., Yung, M.: Forward secrecy in password-only key exchange protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 29–44. Springer, Heidelberg (2003).
  25. Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 408–432. Springer, Heidelberg (2001).
  26. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994).
  27. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: Leighton, F.T., Borodin, A. (eds.) Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, STOC 1995, pp. 57–66. ACM (1995).
  28. Blake-Wilson, S., Menezes, A.: Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 137–158. Springer, Heidelberg (1998).
  29. Cremers, C.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, pp. 80–91. ACM (2011).
  30. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 51–62. ACM (2011).
  31. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012).
  32. Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols. In: Vitter, J.S. (ed.) Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, STOC 1998, pp. 419–428. ACM (1998).
  33. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002).
  34. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Symposium on Research in Security and Privacy, SP 1992, pp. 72–84 (1992).
  35. MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 599–613. Springer, Heidelberg (2000).
  36. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001).
  37. Škrobot, M., Lancrenon, J.: On composability of game-based password authenticated key exchange. In: Piessens, F., Smith, M. (eds.) 3rd IEEE European Symposium on Security and Privacy, EuroS&P 2018. IEEE (2018).
  38. Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password authenticated key exchange protocol. In: IEEE Symposium on Security and Privacy, SP 2015, pp. 571–587. IEEE Computer Society (2015).
  39. Lancrenon, J., Škrobot, M., Tang, Q.: Two more efficient variants of the J-PAKE protocol. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 58–76. Springer, Cham (2016).
  40. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018).
  41. Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012).
  42. Kunz-Jacques, S., Pointcheval, D.: About the security of MTI/C0 and MQV. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 156–172. Springer, Heidelberg (2006).
  43. Nguyen, M., Vadhan, S.P.: Simpler session-key generation from short random passwords. J. Cryptology 21, 52–96 (2008).
  44. Canetti, R., Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Adaptive security for threshold cryptosystems. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 98–116. Springer, Heidelberg (1999).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, Esch-sur-Alzette, Luxembourg