We show that a slight variant of Protocol ,
which was presented but not analyzed in Cash, Kiltz, and Shoup (2008),
is a secure asymmetric
password-authenticated key exchange protocol (PAKE),
meaning that the protocol still provides good security
guarantees even if a server is compromised and the password
file stored on the server is leaked to an adversary.
The analysis is done in the UC framework (i.e.,
a simulation-based security model),
under the computational Diffie-Hellman (CDH) assumption,
and modeling certain hash functions as random oracles.
The main difference between our variant and the original
Protocol is that our variant includes
standard key confirmation flows;
also, adding these flows allows some slight simplification
to the remainder of the protocol.
Along the way, we also:
provide the first proof (under the same assumptions)
that a slight variant of Protocol from Abdalla and Pointcheval (2005)
is a secure symmetric PAKE in the UC framework
(previous security proofs were all in the weaker
BPR framework of Bellare, Pointcheval, and Rogaway (2000));
provide a proof (under very similar assumptions)
that a variant of Protocol
that is currently being standardized is also a secure asymmetric PAKE;
repair several problems in earlier UC formulations of
secure symmetric and asymmetric PAKE.