Paper 2020/060

Auditable Asymmetric Password Authenticated Public Key Establishment

Antonio Faonio, EURECOM
Maria Isabel Gonzalez Vasco
Claudio Soriente
Hien Thi Thu Truong

Non-repudiation of messages generated by users is a desirable feature in a number of applications ranging from online banking to IoT scenarios. However, it requires certified public keys and usually results in poor usability as a user must carry around his certificate (e.g., in a smart-card) or must install it in all of his devices. A user-friendly alternative, adopted by several companies and national administrations, is to have a ``cloud-based'' PKI. In a nutshell, each user has a PKI certificate stored at a server in the cloud; users authenticate to the server---via passwords or one-time codes---and ask it to sign messages on their behalf. As such, there is no way for the server to prove to a third party that a signature on a given message was authorized by a user. As the server holds the user's certified key, it might as well have signed arbitrary messages in an attempt to impersonate that user. In other words, a user could deny having signed a message, by claiming that the signature was produced by the server without his consent. The same holds in case the secret key is derived deterministically from the user's password, for the server, by knowing the password, may still frame the user. In this paper we provide a "password-only" solution to non-repudiation of user messages by introducing Auditable Asymmetric Password Authenticated Public Key Establishment (A2PAKE). This is a PAKE-like protocol that generates an asymmetric key-pair where the public key is output to every participant, but the secret key is private output to just one of the parties (e.g., the user). Further, the protocol can be audited, i.e., given the public key output by a protocol run with a user, the server can prove to a third party that the corresponding secret key is held by that specific user. Thus, if the user signs messages with that secret key, then signatures are non-repudiable. We provide a universally composable definition of A2PAKE and an instantiation based on a distributed oblivious pseudo-random function. We also develop a prototype implementation of our instantiation and use it to evaluate its performance in realistic settings.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. CANS 2022
Contact author(s)
antonio faonio @ eurecom fr
2022-09-07: last of 2 revisions
2020-01-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Antonio Faonio and Maria Isabel Gonzalez Vasco and Claudio Soriente and Hien Thi Thu Truong},
      title = {Auditable Asymmetric Password Authenticated Public Key Establishment},
      howpublished = {Cryptology ePrint Archive, Paper 2020/060},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.