Paper 2013/833

Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions

Fabrice Benhamouda and David Pointcheval

Abstract

While password-authenticated key exchange (or PAKE) protocols have been deeply studied, a server corruption remains the main threat, with many concrete cases nowadays. Verifier-based PAKE (or VPAKE) protocols, initially called Augmented-PAKE, have been proposed to limit the impact of any leakage. However, no satisfactory security model has ever been proposed to quantify the actual security of a protocol in the standard model. The unique model proposed so far is an ideal functionality in the universal composability (UC) framework, but is only meaningful in idealized models. In this paper, we first enhance the Bellare-Pointcheval-Rogaway game-based model for PAKE to VPAKE protocols, and then propose the first game-based security model for both PAKE and VPAKE protocols that additionally handles related passwords. It also allows a VPAKE protocol to be secure in the standard model. We then propose several VPAKE candidates which involve smooth projective hash functions and multi-linear maps.