Paper 2019/351

Forward Secrecy of SPAKE2

Jose Becerra, Dimiter Ostrev, and Marjan Skrobot

Abstract

Currently, the Simple Password-Based Encrypted Key Exchange (SPAKE2) protocol of Abdalla and Pointcheval (CT-RSA 2005) is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the Find-then-Guess model of Bellare, Pointcheval and Rogaway (EUROCRYPT 2000), whether it satisfies some notion of forward secrecy remains an open question. In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by Krawczyk (CRYPTO 2005). Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. ProvSec 2018
Keywords
Provable Security, Password Authenticated Key Exchange, Forward Secrecy, Common Reference String
Contact author(s)
jose becerra @ uni lu
History
2019-04-03: received
Short URL
https://ia.cr/2019/351
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/351,
      author = {Jose Becerra and Dimiter Ostrev and Marjan Skrobot},
      title = {Forward Secrecy of {SPAKE2}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/351},
      year = {2019},
      url = {https://eprint.iacr.org/2019/351}
}