Paper 2001/057
On the Security of the SPEKE Password-Authenticated Key Exchange Protocol
Philip MacKenzie
Abstract
In the most strict formal definition of security for password-authenticated key exchange, an adversary can test at most one password per impersonation attempt. We propose a slightly relaxed definition which restricts an adversary to testing at most a constant number of passwords per impersonation attempt. This definition seems useful, since there is currently a popular password-authenticated key exchange protocol called SRP that seems resistant to off-line dictionary attack, yet does allow an adversary to test two passwords per impersonation attempt. In this paper we prove (in the random oracle model) that a certain instantiation of the SPEKE protocol that uses hashed passwords instead of non-hashed passwords is a secure password-authenticated key exchange protocol (using our relaxed definition) based on a new assumption, the Decision Inverted-Additive Diffie-Hellman assumption. Since this is a new security assumption, we investigate its security and relation to other assumptions; specifically we prove a lower bound for breaking this new assumption in the generic model, and we show that the computational version of this new assumption is equivalent to the Computational Diffie-Hellman assumption.
Metadata
- Available format(s)
-
PDF
PS
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- password authenticationkey exchangeDiffie-Hellman protocol
- Contact author(s)
- philmac @ lucent com
- History
- 2001-07-19: received
- Short URL
- https://ia.cr/2001/057
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2001/057,
author = {Philip MacKenzie},
title = {On the Security of the SPEKE Password-Authenticated Key Exchange Protocol},
howpublished = {Cryptology ePrint Archive, Paper 2001/057},
year = {2001},
note = {\url{https://eprint.iacr.org/2001/057}},
url = {https://eprint.iacr.org/2001/057}
}
