On Password-Authenticated Key Exchange Security Modeling

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al. [5] at Eurocrypt 2000. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al. [3] at Public Key Cryptography 2005. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.



We would like to thank the reviewers for their comments. The author is supported by the Fonds National de la Recherche, Luxembourg, via the CORE project AToMS and the INTER project SEQUOIA.


  1. Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE Password-Authenticated Key Exchange Protocol. In: 2015 IEEE Symposium on Security and Privacy (2015)
  2. Abdalla, M., Benhamouda, F., Pointcheval, D.: Public-key encryption indistinguishable under plaintext-checkable attacks. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 332–352. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-662-46447-2_15
  3. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/978-3-540-30580-4_6
  4. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 83. Springer, Heidelberg (2002). http://dl.acm.org/citation.cfm?id=647087.715701
  5. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)
  6. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  7. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, May 4–6, pp. 72–84 (1992)
  8. Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 449–475. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-40041-4_25
  9. Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)
  10. Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM Conference on Computer and Communications Security, pp. 241–250. ACM (2003)
  11. Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)
  12. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 136 (2001). http://dl.acm.org/citation.cfm?id=874063.875553
  13. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)
  14. Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/11593447_32
  15. Cremers, C.: Examining indistinguishability-based security models for key exchange protocols: The case of CK, CK-HMQV, and eCK. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, NY, USA, pp. 80–91 (2011). http://doi.acm.org/10.1145/1966913.1966925
  16. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (2006). http://dx.doi.org/10.1109/TIT.1976.1055638
  17. Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–543. Springer, Heidelberg (2003). http://dx.doi.org/10.1007/3-540-39200-9_33
  18. Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 408. Springer, Heidelberg (2001). http://dx.doi.org/10.1007/3-540-44647-8_24
  19. Groce, A., Katz, J.: A new framework for efficient password-based authenticated key exchange. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, NY, USA, pp. 516–525 (2010). http://doi.acm.org/10.1145/1866307.1866365
  20. Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Secur. 2(3), 230–268 (1999). http://doi.acm.org/10.1145/322510.322514
  21. Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26 (1996)
  22. Jiang, S., Gong, G.: Password based key exchange with mutual authentication. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 267–279. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-30564-4_19
  23. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 475. Springer, Heidelberg (2001)
  24. Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1), 78–116 (2009)
  25. Katz, J., Vaikuntanathan, V.: Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 636–652. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-10366-7_37
  26. Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 293–310. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-19571-6_18
  27. Kiefer, F., Manulis, M.: Oblivious PAKE: efficient handling of password trials. Cryptology ePrint Archive, report 2013/127 (2013). http://eprint.iacr.org/
  28. Kwon, T.: Authentication and key agreement via memorable password. In: ISOC Network and Distributed System Security Symposium (2001)
  29. Kwon, T.: Practical authenticated key agreement using passwords. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 1–12. Springer, Heidelberg (2004)
  30. Lucks, S.: Open key exchange: how to defeat dictionary attacks without encrypting public keys. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 79–90. Springer, Heidelberg (1998). http://dl.acm.org/citation.cfm?id=647215.720526
  31. MacKenzie, P.: The PAK Suite: protocols for password-authenticated key exchange. DIMACS Technical report 2002–46, pp. 7 (2002)
  32. MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. Int. J. Inf. Secur. 9(6), 387–410 (2010). http://dx.doi.org/10.1007/s10207-010-0120-3
  33. Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)
  34. Shoup, V.: On Formal Models for Secure Key Exchange. Cryptology ePrint Archive, Report 1999/012 (1999). http://eprint.iacr.org/1999/012

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Interdisciplinary Centre for Security, Reliability and Trust, Université du Luxembourg, Luxembourg City, Luxembourg
