Cryptology ePrint Archive: Report 2010/190
J-PAKE: Authenticated Key Exchange Without PKI
Feng Hao and Peter Ryan
Abstract: Password Authenticated Key Exchange (PAKE) is one of the
important topics in cryptography. It aims to address a
practical security problem: how to establish secure
communication between two parties solely based on a shared
password without requiring a Public Key Infrastructure (PKI).
After more than a decade of extensive research in this field,
there have been several PAKE protocols available. The EKE and
SPEKE schemes are perhaps the two most notable examples. Both
techniques are however patented. In this paper, we review these
techniques in detail and summarize various theoretical and
practical weaknesses. In addition, we present a new PAKE
solution called J-PAKE. Our strategy is to depend on
well-established primitives such as the Zero-Knowledge Proof
(ZKP). So far, almost all of the past solutions have avoided
using ZKP for the concern on efficiency. We demonstrate how to
effectively integrate the ZKP into the protocol design and
meanwhile achieve good efficiency. Our protocol has comparable
computational efficiency to the EKE and SPEKE schemes with
clear advantages on security.
Category / Keywords: cryptographic protocols / Password-Authenticated Key Exchange, EKE, SPEKE, key agreement
Publication Info: A preliminary workshop version of the paper was presented at the 16th Workshop on Security Protocols, Cambridge, April 2008. This is a journal version of the paper. There is no technical change to the J-PAKE protocol.
Date: received 6 Apr 2010, last revised 25 Oct 2010
Contact author: haofeng66 at gmail com
Available format(s): PDF | BibTeX Citation
Note: The earlier version of the paper can be found at: http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
2010-10-25: paper accepted by the TCS Journal - Springer Transactions on Computational Science after minor revision.
Version: 20101025:211417 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]