**On the Security of the SPEKE Password-Authenticated Key Exchange Protocol**

*Philip MacKenzie*

**Abstract:** In the strictest formal definition of security for
password-authenticated key exchange, an adversary can test at most one
password per impersonation attempt. We propose a slightly relaxed
definition which restricts an adversary to testing at most a constant
number of passwords per impersonation attempt. This definition seems
useful, since there is currently a popular password-authenticated key
exchange protocol called SRP that appears resistant to off-line
dictionary attacks, yet does allow an adversary to test two passwords
per impersonation attempt. In this paper we prove (in the random
oracle model) that a certain instantiation of the SPEKE protocol that
uses hashed passwords instead of non-hashed passwords is a secure
password-authenticated key exchange protocol (using our relaxed
definition) based on a new assumption, the Decision
Inverted-Additive Diffie-Hellman assumption. Since this is a new
security assumption, we investigate its security and relation to other
assumptions; specifically, we prove a lower bound for breaking this new
assumption in the generic model, and we show that the computational
version of this new assumption is equivalent to the Computational
Diffie-Hellman assumption.
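To make the protocol the abstract refers to concrete, here is a toy SPEKE run with a hashed-password generator, written as an added example (not code from the paper). It assumes the standard SPEKE construction (safe prime p, g_pw = H(pw)^2 mod p, session key H(g_pw^xy)) over a deliberately tiny constructed group, and shows that a peer holding a different password ends a run with a different key, which is why one impersonation attempt checks only one guess.

```python
# Toy SPEKE exchange with hashed passwords (constructed example, not the paper's code).
# Assumed construction: p safe prime, q = (p-1)/2, generator g_pw = H(pw)^2 mod p,
# session key K = H(g_pw^(xy)). The group is tiny so the code runs instantly;
# real deployments use a 2048-bit or larger safe-prime group.
import hashlib
import secrets

def is_prime(n):
    """Trial division; adequate for the toy-sized modulus used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def find_safe_prime(start):
    """Smallest odd p >= start with both p and (p-1)/2 prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p

P = find_safe_prime(10**6)          # constructed toy modulus
Q = (P - 1) // 2                    # order of the subgroup of squares
NBYTES = (P.bit_length() + 7) // 8

def h(data):
    return hashlib.sha256(data).digest()

def password_generator(password):
    """g_pw = H(pw)^2 mod p; squaring lands in the prime-order subgroup."""
    g = pow(int.from_bytes(h(password.encode()), "big") % P, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator for this password")
    return g

def valid_element(x):
    """Reject 0, 1 and small-subgroup values before using a peer's message."""
    return 1 < x < P and pow(x, Q, P) == 1

def speke_session(password_a, password_b):
    """One run between A (knows password_a) and B (knows password_b).
    Returns (key_a, key_b); the keys agree only if the passwords agree."""
    g_a, g_b = password_generator(password_a), password_generator(password_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    msg_a, msg_b = pow(g_a, x, P), pow(g_b, y, P)   # the two wire messages
    if not (valid_element(msg_a) and valid_element(msg_b)):
        raise ValueError("peer sent an element outside the prime-order subgroup")
    key_a = h(pow(msg_b, x, P).to_bytes(NBYTES, "big"))   # A computes (g_b^y)^x
    key_b = h(pow(msg_a, y, P).to_bytes(NBYTES, "big"))   # B computes (g_a^x)^y
    return key_a, key_b
```

Since x and y lie in [1, q-1] and q is prime, two distinct generators can never yield the same g^xy, so a wrong password is detected at key confirmation rather than leaking anything about the right one.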

**Category / Keywords:** cryptographic protocols / password authentication, key exchange, Diffie-Hellman protocol

**Date:** received 19 Jul 2001

**Contact author:** philmac at lucent com

**Version:** 20010719:211604

**Short URL:** ia.cr/2001/057