Paper 2018/286

AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT

Björn Haase and Benoît Labrique


Increasingly connectivity becomes integrated in products and devices that previously operated in a stand-alone setting. This observation holds for many consumer ap- plications in the so-called "Internet of Things" (IoT) as well as for corresponding industry applications (IIoT), such as industrial process sensors. Often the only practicable means for authentication of human users is a password. The security of password-based authentication schemes frequently forms the weakest point of the security infrastructure. Missing integration of IoT or IIoT device in a WEB-PKI should be considered a significant real-world risk. In this setting, verifier-based password-authenticated key- exchange (V-PAKE) protocols are known to provide a significant security improvement by preventing phishing and offline dictionary attacks. For IIoT, availability concerns for the case of failures of (part of) the communication infrastructure makes local storage of access credentials mandatory. The larger threat of physical attacks makes it important to use memory-hard password hashing. This paper presents a corresponding tailored protocol, AuCPace, together with a security proof within the Universal Composability (UC) framework considering fully adaptive adversaries. AuCPace uses CPace as a building block which could be used as a stand-alone balanced PAKE protocol. Moreover, we show how AuCPace could optionally provide for pre-computation attack resistance. In this paper we also introduce a new security notion of partially augmented PAKE that provides specific performance advantages for constrained servers. We also present an actual instantiation of our protocol, AuCPace25519, and present performance results on ARM Cortex-M0 and Cortex-M4 microcontrollers, demon- strating the suitability of AuCPace for the constrained server setting. This specific paper revision is an update of the journal version. It was setup for the PAKE selection process of the CFRG working group of the IETF for which AuCPace and CPace have been nominated.

Note: Revision prepared for discussion within the CFRG working group at IETF. This revision fixes problems that were brought up by Björn Tackmann and Julia Hesse in the course of the CFRG PAKE selection process.

Available format(s)
Publication info
A major revision of an IACR publication in TCHES 2019
Password Authenticated Key ExchangeV-PAKEPAKEelliptic curvesCryptographic ProtocolsUniversal ComposabilityIEC-62443Industrial ControlCurve25519X25519OPRF
Contact author(s)
bjoern m haase @ web de
2019-09-22: last of 10 revisions
2018-03-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Björn Haase and Benoît Labrique},
      title = {AuCPace: Efficient verifier-based PAKE protocol tailored for the IIoT},
      howpublished = {Cryptology ePrint Archive, Paper 2018/286},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.