Security analysis of SPAKE2+

Victor Shoup

Paper 2020/313

Security analysis of SPAKE2+

Victor Shoup

Abstract

We show that a slight variant of Protocol $SPAKE 2 +$ , which was presented but not analyzed in Cash, Kiltz, and Shoup (2008) is a secure asymmetric password-authenticated key exchange protocol (PAKE), meaning that the protocol still provides good security guarantees even if a server is compromised and the password file stored on the server is leaked to an adversary. The analysis is done in the UC framework (i.e., a simulation-based security model), under the computational Diffie-Hellman (CDH) assumption, and modeling certain hash functions as random oracles. The main difference between our variant and the original Protocol~ is that our variant includes standard key confirmation flows; also, adding these flows allows some slight simplification to the remainder of the protocol. Along the way, we also: provide the first proof (under the same assumptions) that a slight variant of Protocol from Abdalla and Pointcheval (2005) is a secure symmetric PAKE in the UC framework (previous security proofs were all in the weaker BPR framework of Bellare, Pointcheval, and Rogaway (2000); provide a proof (under very similar assumptions) that a variant of Protocol that is currently being standardized is also a secure asymmetric PAKE; repair several problems in earlier UC formulations of secure symmetric and asymmetric PAKE.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: PAKE password authenticated key exchange
Contact author(s): shoup @ cs nyu edu
History: 2020-03-15: received
Short URL: https://ia.cr/2020/313
License: CC BY

BibTeX

@misc{cryptoeprint:2020/313,
      author = {Victor Shoup},
      title = {Security analysis of {SPAKE2}+},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/313},
      year = {2020},
      url = {https://eprint.iacr.org/2020/313}
}