Paper 2017/470

On the Relation Between SIM and IND-RoR Security Models for PAKEs

José Becerra, Vincenzo Iovino, Dimiter Ostrev, and Marjan Skrobot


Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a password, to compute a high-entropy shared session key despite passwords being taken from a dictionary. Security models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR security is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR security implies (unmodified) SIM-BMP security.

Note: Accepted for publication in SECRYPT 2017

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. SECRYPT 2017
Security ModelsSIM-based SecurityIND-based SecurityPassword Authenticated Key Exchange
Contact author(s)
jose becerra @ uni lu
2017-05-28: received
Short URL
Creative Commons Attribution


      author = {José Becerra and Vincenzo Iovino and Dimiter Ostrev and Marjan Skrobot},
      title = {On the Relation Between SIM and IND-RoR Security Models for PAKEs},
      howpublished = {Cryptology ePrint Archive, Paper 2017/470},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.