# On Password-Authenticated Key Exchange Security Modeling

## Abstract

Deciding which security model is the right one for Authenticated Key Exchange (AKE) is well-known to be a difficult problem. In this paper, we examine definitions of security for Password-AKE (PAKE) in the style proposed by Bellare et al. [5] at *Eurocrypt 2000*. Indeed, there does not seem to be any consensus, even when narrowing the study down to this particular authentication method and model style, on how to precisely define fundamental notions such as accepting, terminating, and partnering. The aim of this paper is to begin addressing this problem. We first show how definitions vary from paper to paper. We then propose and thoroughly motivate a definition of our own, and use the opportunity to correct a minor flaw in a more recent and more PAKE-appropriate model proposed by Abdalla et al. [3] at *Public Key Cryptography 2005*. Finally, we argue that the uniqueness of partners holding with overwhelming probability ought to be an explicitly required and proven property for AKE in general, but even more so in the password case, where the optimal security bound one aims to achieve is no longer a negligible value. To drive this last point, we exhibit a protocol that is provably secure following the Abdalla et al. definition, and at the same time fails to satisfy this property.

## Notes

### Acknowledgments

We would like to thank the reviewers for their comments. The author is supported by the *Fonds National de la Recherche, Luxembourg*, via the CORE project AToMS and the INTER project SEQUOIA.

### References

- 1.Abdalla, M., Benhamouda, F., MacKenzie, P.: Security of the J-PAKE Password-Authenticated Key Exchange Protocol. In: 2015 IEEE Symposium on Security and Privacy (2015)Google Scholar
- 2.Abdalla, M., Benhamouda, F., Pointcheval, D.: Public-key encryption indistinguishable under plaintext-checkable attacks. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 332–352. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-662-46447-2_15Google Scholar
- 3.Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/978-3-540-30580-4_6CrossRefGoogle Scholar
- 4.An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 83. Springer, Heidelberg (2002). http://dl.acm.org/citation.cfm?id=647087.715701CrossRefGoogle Scholar
- 5.Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)CrossRefGoogle Scholar
- 6.Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)CrossRefGoogle Scholar
- 7.Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, May 4–6, pp. 72–84 (1992)Google Scholar
- 8.Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 449–475. Springer, Heidelberg (2013). http://dx.doi.org/10.1007/978-3-642-40041-4_25CrossRefGoogle Scholar
- 9.Boyko, V., MacKenzie, P.D., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)CrossRefGoogle Scholar
- 10.Bresson, E., Chevassut, O., Pointcheval, D.: Security proofs for an efficient password-based key exchange. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM Conference on Computer and Communications Security, pp. 241–250. ACM (2003)Google Scholar
- 11.Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004)CrossRefGoogle Scholar
- 12.Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42Nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 136 (2001). http://dl.acm.org/citation.cfm?id=874063.875553
- 13.Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)CrossRefGoogle Scholar
- 14.Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005). http://dx.doi.org/10.1007/11593447_32CrossRefGoogle Scholar
- 15.Cremers, C.: Examining indistinguishability-based security models for key exchange protocols: The case of CK, CK-HMQV, and eCK. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, NY, USA, pp. 80–91 (2011). http://doi.acm.org/10.1145/1966913.1966925
- 16.Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor.
**22**(6), 644–654 (2006). http://dx.doi.org/10.1109/TIT.1976.1055638MathSciNetCrossRefMATHGoogle Scholar - 17.Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–543. Springer, Heidelberg (2003). http://dx.doi.org/10.1007/3-540-39200-9_33CrossRefGoogle Scholar
- 18.Goldreich, O., Lindell, Y.: Session-key generation using human passwords only. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 408. Springer, Heidelberg (2001). http://dx.doi.org/10.1007/3-540-44647-8_24CrossRefGoogle Scholar
- 19.Groce, A., Katz, J.: A new framework for efficient password-based authenticated key exchange. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, NY, USA, pp. 516–525 (2010). http://doi.acm.org/10.1145/1866307.1866365
- 20.Halevi, S., Krawczyk, H.: Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Secur.
**2**(3), 230–268 (1999). http://doi.acm.org/10.1145/322510.322514CrossRefGoogle Scholar - 21.Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev.
**26**(5), 5–26 (1996)CrossRefGoogle Scholar - 22.Jiang, S., Gong, G.: Password based key exchange with mutual authentication. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 267–279. Springer, Heidelberg (2004). http://dx.doi.org/10.1007/978-3-540-30564-4_19CrossRefGoogle Scholar
- 23.Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 475. Springer, Heidelberg (2001)CrossRefGoogle Scholar
- 24.Katz, J., Ostrovsky, R., Yung, M.: Efficient and secure authenticated key exchange using weak passwords. J. ACM
**57**(1), 78–116 (2009)MathSciNetCrossRefMATHGoogle Scholar - 25.Katz, J., Vaikuntanathan, V.: Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 636–652. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-10366-7_37CrossRefGoogle Scholar
- 26.Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 293–310. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/ 978-3-642-19571-6_18CrossRefGoogle Scholar
- 27.Kiefer, F., Manulis, M.: Oblivious PAKE: efficient handling of password trials. Cryptology ePrint Archive, report 2013/127 (2013). http://eprint.iacr.org/
- 28.Kwon, T.: Authentication and key agreement via memorable password. In: ISOC Network and Distributed System Security Symposium (2001)Google Scholar
- 29.Kwon, T.: Practical authenticated key agreement using passwords. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 1–12. Springer, Heidelberg (2004)CrossRefGoogle Scholar
- 30.Lucks, S.: Open key exchange: how to defeat dictionary attacks without encrypting public keys. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 79–90. Springer, Heidelberg (1998). http://dl.acm.org/citation.cfm?id=647215.720526CrossRefGoogle Scholar
- 31.MacKenzie, P.: The PAK Suite: protocols for password-authenticated key exchange. DIMACS Technical report 2002–46 , pp. 7 (2002)Google Scholar
- 32.MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. Int. J. Inf. Secur.
**9**(6), 387–410 (2010). http://dx.doi.org/10.1007/s10207-010-0120-3CrossRefMATHGoogle Scholar - 33.Pointcheval, D.: Password-based authenticated key exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)CrossRefGoogle Scholar
- 34.Shoup, V.: On Formal Models for Secure Key Exchange. Cryptology ePrint Archive, Report 1999/012 (1999). http://eprint.iacr.org/1999/012