Paper 2020/313

Security analysis of SPAKE2+

Victor Shoup


We show that a slight variant of Protocol $\mathit{SPAKE2}+$, which was presented but not analyzed in Cash, Kiltz, and Shoup (2008), is a secure asymmetric password-authenticated key exchange protocol (PAKE), meaning that the protocol still provides good security guarantees even if a server is compromised and the password file stored on the server is leaked to an adversary. The analysis is done in the UC framework (i.e., a simulation-based security model), under the computational Diffie-Hellman (CDH) assumption, and modeling certain hash functions as random oracles. The main difference between our variant and the original Protocol $\mathit{SPAKE2}+$ is that our variant includes standard key confirmation flows; also, adding these flows allows some slight simplification to the remainder of the protocol. Along the way, we also: provide the first proof (under the same assumptions) that a slight variant of Protocol $\mathit{SPAKE2}$ from Abdalla and Pointcheval (2005) is a secure symmetric PAKE in the UC framework (previous security proofs were all in the weaker BPR framework of Bellare, Pointcheval, and Rogaway (2000)); provide a proof (under very similar assumptions) that a variant of Protocol $\mathit{SPAKE2}+$ that is currently being standardized is also a secure asymmetric PAKE; repair several problems in earlier UC formulations of secure symmetric and asymmetric PAKE.

Category: Cryptographic protocols
Publication info: Preprint. MINOR revision.
Keywords: PAKE, password authenticated key exchange
Contact author(s): shoup @ cs nyu edu
History: 2020-03-15: received
License: Creative Commons Attribution


      author = {Victor Shoup},
      title = {Security analysis of SPAKE2+},
      howpublished = {Cryptology ePrint Archive, Paper 2020/313},
      year = {2020},
      note = {\url{}},
      url = {}