Universally Composable Two-Server PAKE

  • Franziskus Kiefer
  • Mark Manulis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9866)


Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret sharing techniques to protect against server-compromise attacks: the password is split between two servers, so 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the two servers remains honest. The same idea has been explored for two-server password authenticated secret sharing (2PASS) protocols, for which both game-based and universally composable versions have been proposed. In contrast, universally composable PAKE protocols currently exist only in the single-server setting, and all proposed 2PAKE protocols use game-based security definitions.
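To make the storage property behind the first paragraph concrete, here is an added example (not code from the paper, and not its protocol): a toy 2-out-of-2 additive sharing of a password over a prime field, compared with a conventional salted-hash store. It shows why a single compromised server is useless to an offline dictionary attack, and why the protection ends once both servers are compromised. The field modulus, the password encoding into the field, and the sample dictionary are assumptions of this demonstration; the paper's UC protocol and its TD-SPHF never reconstruct the password on any server, so the reconstruction below only models the two-server-compromise case.

```python
"""Toy 2-out-of-2 additive sharing of a password across two servers.

Added example, not code from the paper. It illustrates only the storage
property that motivates 2PAKE: one server's share carries no information
about the password. Field modulus, password encoding and the sample
dictionary are assumptions made for this demonstration.
"""
from __future__ import annotations

import hashlib
import secrets

Q = (1 << 127) - 1  # prime field for the shares (assumption: any large prime works)

# Constructed sample data for the demonstration.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]
USER_PASSWORD = "hunter2"
SALT = b"\x13\x37" * 8


def encode_password(pw: str) -> int:
    """Map a password to a field element. Only an encoding, not a protection:
    it involves no secret, so anyone can recompute it for a guessed password."""
    return int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q


def hashed_record(pw: str, salt: bytes = SALT) -> bytes:
    """Single-server baseline: the salted hash a conventional server stores."""
    return hashlib.sha256(salt + pw.encode()).digest()


def split_password(pw: str) -> tuple[int, int]:
    """Registration: server 1 gets a uniform s1, server 2 gets s2 = pw - s1 mod Q.
    Each share on its own is uniform over Z_Q and independent of pw."""
    s1 = secrets.randbelow(Q)
    s2 = (encode_password(pw) - s1) % Q
    return s1, s2


def reconstruct(s1: int, s2: int) -> int:
    """Combining both shares recovers the encoded password."""
    return (s1 + s2) % Q


def crack_hashed_record(record: bytes, dictionary, salt: bytes = SALT) -> str | None:
    """Offline dictionary attack on a compromised salted-hash store."""
    for cand in dictionary:
        if hashed_record(cand, salt) == record:
            return cand
    return None


def complementary_share(known_share: int, candidate: str) -> int:
    """Given ONE compromised share, the share the other server would have to
    hold for `candidate` to be the real password. Such a share always exists."""
    return (encode_password(candidate) - known_share) % Q


def crack_single_share(share: int, dictionary) -> list[str]:
    """Offline attack on one compromised server. Every candidate admits a valid
    complementary share, so none can be ruled out: the attacker is left with
    the whole dictionary, i.e. learns nothing about the password."""
    return [cand for cand in dictionary
            if reconstruct(share, complementary_share(share, cand))
            == encode_password(cand)]


def crack_both_shares(s1: int, s2: int, dictionary) -> str | None:
    """Once both servers are compromised the password falls to a dictionary
    attack again: the 'one honest server' boundary of two-server schemes."""
    target = reconstruct(s1, s2)
    for cand in dictionary:
        if encode_password(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    print("hashed store cracked:",
          crack_hashed_record(hashed_record(USER_PASSWORD), DICTIONARY))
    s1, s2 = split_password(USER_PASSWORD)
    print("one share, candidates left:",
          len(crack_single_share(s1, DICTIONARY)), "of", len(DICTIONARY))
    print("both shares cracked:", crack_both_shares(s1, s2, DICTIONARY))
```

The salted-hash record is cracked as soon as the password is in the dictionary, whereas a single share is consistent with every dictionary entry and so leaks nothing; only the pair of shares lets the attacker test guesses offline again. This is the storage-side reason 2PAKE can drop password hashing, and it says nothing about the online guessing that any password protocol must still limit.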

In this paper we propose the first construction of a universally composable 2PAKE protocol, together with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a common reference string, which is a common assumption in many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we define and construct a new cryptographic primitive, called Trapdoor Distributed Smooth Projective Hash Function (TD-SPHF), which may be of independent interest.





Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Mozilla, Berlin, Germany
  2. Department of Computer Science, Surrey Centre for Cyber Security, University of Surrey, Guildford, UK
