Perfect Forward Security of SPAKE2

Michel Abdalla and Manuel Barbosa

Abstract

SPAKE2 is a balanced password-authenticated key exchange (PAKE) protocol, proposed by Abdalla and Pointcheval at CTRSA 2005. Due to its simplicity and efficiency, SPAKE2 is one of the balanced PAKE candidates currently under consideration for standardization by the CFRG, together with SPEKE, CPace, and J-PAKE. In this paper, we show that SPAKE2 achieves perfect forward security in the random-oracle model under the Gap Diffie-Hellman assumption. Unlike prior results, which either did not consider forward security or only proved a weak form of it, our results guarantee the security of the derived keys even for sessions that were created with the active involvement of the attacker, as long as the parties involved in the protocol are not corrupted when these sessions take place. Finally, our proofs also demonstrate that SPAKE2 is flexible with respect to the generation of its global parameters M and N. This includes the cases where M is a uniform group element and M=N or the case where M and N are chosen as the output of a random oracle.

Note: The results in this paper have now been merged with those in ePrint 2020/320 (Universally Composable Relaxed Password Authenticated Key Exchange), which analyzes the security of several PAKE protocols (including SPAKE2) in the universal composability framework and their relation to game-based PAKE notions.

Available format(s)
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
Contact author(s)
michel abdalla @ ens fr
mbb @ fc up pt
History
2020-04-27: last of 4 revisions
See all versions
Short URL
https://ia.cr/2019/1194

CC BY

BibTeX

@misc{cryptoeprint:2019/1194,
author = {Michel Abdalla and Manuel Barbosa},
title = {Perfect Forward Security of SPAKE2},
howpublished = {Cryptology ePrint Archive, Paper 2019/1194},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/1194}},
url = {https://eprint.iacr.org/2019/1194}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.