Paper 2020/313

Security analysis of SPAKE2+

Victor Shoup

Abstract

We show that a slight variant of Protocol $\mathit{SPAKE2}+$, which was presented but not analyzed in Cash, Kiltz, and Shoup (2008) is a secure asymmetric password-authenticated key exchange protocol (PAKE), meaning that the protocol still provides good security guarantees even if a server is compromised and the password file stored on the server is leaked to an adversary. The analysis is done in the UC framework (i.e., a simulation-based security model), under the computational Diffie-Hellman (CDH) assumption, and modeling certain hash functions as random oracles. The main difference between our variant and the original Protocol~$\mathit{SPAKE2}+$ is that our variant includes standard key confirmation flows; also, adding these flows allows some slight simplification to the remainder of the protocol. Along the way, we also: provide the first proof (under the same assumptions) that a slight variant of Protocol $\mathit{SPAKE2}$ from Abdalla and Pointcheval (2005) is a secure symmetric PAKE in the UC framework (previous security proofs were all in the weaker BPR framework of Bellare, Pointcheval, and Rogaway (2000); provide a proof (under very similar assumptions) that a variant of Protocol $\mathit{SPAKE2}+$ that is currently being standardized is also a secure asymmetric PAKE; repair several problems in earlier UC formulations of secure symmetric and asymmetric PAKE.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
PAKEpassword authenticated key exchange
Contact author(s)
shoup @ cs nyu edu
History
2020-03-15: received
Short URL
https://ia.cr/2020/313
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/313,
      author = {Victor Shoup},
      title = {Security analysis of {SPAKE2}+},
      howpublished = {Cryptology ePrint Archive, Paper 2020/313},
      year = {2020},
      note = {\url{https://eprint.iacr.org/2020/313}},
      url = {https://eprint.iacr.org/2020/313}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.