Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

  • Jonathan Katz
  • Rafail Ostrovsky
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2045)


There has been much interest in password-authenticated key exchange protocols which remain secure even when users choose passwords from a very small space of possible passwords (say, a dictionary of English words). Under this assumption, one must be careful to design protocols which cannot be broken using off-line dictionary attacks in which an adversary enumerates all possible passwords in an attempt to determine the correct one. Many heuristic protocols have been proposed to solve this important problem. Only recently have formal validations of security (namely, proofs in the idealized random oracle and ideal cipher models) been given for specific constructions [3,10,22].

Very recently, a construction based on general assumptions, secure in the standard model with human-memorable passwords, has been proposed by Goldreich and Lindell [17]. Their protocol requires no public parameters; unfortunately, it requires techniques from general multi-party computation which make it impractical. Thus, [17] only proves that solutions are possible “in principle”. The main question left open by their work was finding an efficient solution to this fundamental problem.

We show an efficient, 3-round, password-authenticated key exchange protocol with human-memorable passwords which is provably secure under the Decisional Diffie-Hellman assumption, yet requires only (roughly) 8 times more computation than “standard” Diffie-Hellman key exchange [14] (which provides no authentication at all). We assume public parameters available to all parties. We stress that we work in the standard model only, and do not require a “random oracle” assumption.




  1. M. Bellare, A. Boldyreva, and S. Micali. Public-Key Encryption in a Multi-User Setting: Security Proofs and Improvements. Eurocrypt 2000.
  2. M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols. STOC '98.
  3. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure Against Dictionary Attacks. Eurocrypt 2000.
  4. M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. Crypto '93.
  5. M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. ACM CCCS '93.
  6. M. Bellare and P. Rogaway. Provably Secure Session Key Distribution: the Three Party Case. STOC '95.
  7. S. Bellovin and M. Merritt. Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks. IEEE Symposium on Security and Privacy, 1992.
  8. D. Boneh. The Decision Diffie-Hellman Problem. Proceedings of the Third Algorithmic Number Theory Symposium, 1998.
  9. M. Boyarsky. Public-Key Cryptography and Password Protocols: The Multi-User Case. ACM CCCS '99.
  10. V. Boyko, P. MacKenzie, and S. Patel. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Eurocrypt 2000.
  11. V. Boyko. On All-or-Nothing Transforms and Password-Authenticated Key Exchange Protocols. PhD Thesis, MIT, Department of Electrical Engineering and Computer Science, Cambridge, MA, 2000.
  12. R. Canetti, O. Goldreich, and S. Halevi. The Random Oracle Methodology, Revisited. STOC '98.
  13. R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. Crypto '98.
  14. W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Trans. Info. Theory, 22(6): 644–654, 1976.
  15. S. Even, O. Goldreich, and S. Micali. On-Line/Off-Line Digital Signatures. Crypto '89.
  16. O. Goldreich. On the Foundations of Modern Cryptography. Crypto '97.
  17. O. Goldreich and Y. Lindell. Session-Key Generation using Human Passwords Only. Personal Communication and Crypto 2000 Rump Session. Available at
  18. O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game, or a Completeness Theorem for Protocols with an Honest Majority. STOC '87.
  19. S. Goldwasser, R. Rivest, and S. Micali. A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks. SIAM J. Comp. 17(2): 281–308, 1988.
  20. S. Halevi and H. Krawczyk. Public-Key Cryptography and Password Protocols. ACM Transactions on Information and System Security, 2(3): 230–268, 1999.
  21. S. Lucks. Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys. Proceedings of the Workshop on Security Protocols, 1997.
  22. P. MacKenzie, S. Patel, and R. Swaminathan. Password-Authenticated Key Exchange Based on RSA. Asiacrypt 2000.
  23. M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. STOC '89.
  24. G. Poupard and J. Stern. Security Analysis of a Practical “on the fly” Authentication and Signature Generation. Eurocrypt '98.
  25. G. Poupard and J. Stern. On the Fly Signatures Based on Factoring. ACM CCCS '99.
  26. J. Rompel. One-Way Functions are Necessary and Sufficient for Secure Signatures. STOC '90.
  27. C.-P. Schnorr. Efficient Signature Generation by Smartcards. J. Crypto. 4(3): 161–174 (1991).
  28. V. Shoup. On Formal Models for Secure Key Exchange. Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Jonathan Katz (1)
  • Rafail Ostrovsky (2)
  • Moti Yung (3)
  1. Telcordia Technologies and Department of Computer Science, Columbia University, Columbia
  2. Telcordia Technologies, Inc., Morristown
  3. CertCo, Inc., Columbia
