# On the Provable Security of the Dragonfly Protocol

## Abstract

**Dragonfly** is a password-authenticated key exchange protocol that was proposed by Harkins [11] in 2008. It is currently a candidate for standardization by the Internet Engineering Task Force, and would greatly benefit from a security proof. In this paper, we prove the security of a very close variant of **Dragonfly** in the random oracle model. The proof shows in particular that **Dragonfly**’s main flows, a kind of Diffie-Hellman variation with a password-derived base, are sound. We employ the standard Bellare et al. [2] security model, which incorporates forward secrecy.

## Notes

### Acknowledgments

We thank the anonymous reviewers for their helpful comments. This work was partially supported by project SEQUOIA, a joint project between the *Fonds National de la Recherche, Luxembourg* and the *Agence Nationale de la Recherche* (France).

### References

- 1. Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE password-authenticated key exchange protocol. In: 2015 IEEE Symposium on Security and Privacy, pp. 6–11 (2015)
- 2. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
- 3. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
- 4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press (1993)
- 5. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 4–6 May 1992, pp. 72–84 (1992)
- 6. Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
- 7. Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)
- 8. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)
- 9. Clarke, D., Hao, F.: Cryptanalysis of the Dragonfly Key Exchange Protocol. Cryptology ePrint Archive, Report 2013/058 (2013). http://eprint.iacr.org/
- 10. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. **22**(6), 644–652 (1976)
- 11. Harkins, D.: Simultaneous authentication of equals: a secure, password-based key exchange for mesh networks. In: Second International Conference on Sensor Technologies and Applications, 2008, SENSORCOMM 2008, pp. 839–844, August 2008
- 12. Harkins, D.: Dragonfly Key Exchange (2015). https://datatracker.ietf.org/doc/draft-irtf-cfrg-dragonfly/
- 13. Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. **26**(5), 5–26 (1996)
- 14. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
- 15. Kwon, T.: Practical authenticated key agreement using passwords. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 1–12. Springer, Heidelberg (2004)
- 16. MacKenzie, P.: On the Security of the SPEKE Password-Authenticated Key Exchange Protocol. Cryptology ePrint Archive, Report 2001/057 (2001). http://eprint.iacr.org/2001/057
- 17. MacKenzie, P.: The PAK Suite: Protocols for Password-Authenticated Key Exchange. DIMACS Technical report 2002–46, p. 7 (2002)
- 18. Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)
- 19. Shoup, V.: On Formal Models for Secure Key Exchange. Cryptology ePrint Archive, Report 1999/012 (1999). http://eprint.iacr.org/1999/012