Paper 2020/529

CHIP and CRISP: Protecting All Parties Against Compromise through Identity-Binding PAKEs

Cas Cremers, Helmholtz Center for Information Security
Moni Naor, Weizmann Institute of Science
Shahar Paz, Tel Aviv University
Eyal Ronen, Tel Aviv University

Recent advances in password-based authenticated key exchange (PAKE) protocols can offer stronger security guarantees for globally deployed security protocols. Notably, the OPAQUE protocol [Eurocrypt2018] realizes Strong Asymmetric PAKE (saPAKE), strengthening the protection offered by aPAKE to compromised servers: after compromising an saPAKE server, the adversary still has to perform a full brute-force search to recover any passwords or impersonate users. However, (s)aPAKEs do not protect client storage, and can only be applied in the so-called asymmetric setting, in which some parties, such as servers, do not communicate with each other using the protocol. Nonetheless, passwords are also widely used in symmetric settings, where a group of parties share a password and can all communicate (e.g., Wi-Fi with client devices, routers, and mesh nodes; or industrial IoT scenarios). In these settings, the (s)aPAKE techniques cannot be applied, and the state-of-the-art still involves handling plaintext passwords. In this work, we propose the notions of (strong) identity-binding PAKEs that improve this situation: they protect against compromise of any party, and can also be applied in the symmetric setting. We propose counterparts to state-of-the-art security notions from the asymmetric setting in the UC model, and construct protocols that provably realize them. Our constructions bind the local storage of all parties to abstract identities, building on ideas from identity-based key exchange, but without requiring a third party. Our first protocol, CHIP, generalizes the security of aPAKE protocols to all parties, forcing the adversary to perform a brute-force search to recover passwords or impersonate others. Our second protocol, CRISP, additionally renders any adversarial pre-computation useless, thereby offering saPAKE-like guarantees for all parties, instead of only the server. We evaluate prototype implementations of our protocols and show that even though they offer stronger security for real-world use cases, their performance is in line with, or even better than, state-of-the-art protocols.

Note: Extended version of the 2022 CRYPTO paper.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2022
Password authentication PAKE Compromise Resilience Key Compromise Impersonation Symmetric PAKE
Contact author(s)
eyal ronen @ cs tau ac il
2022-08-17: last of 4 revisions
2020-05-06: received
See all versions
Short URL
Creative Commons Attribution


      author = {Cas Cremers and Moni Naor and Shahar Paz and Eyal Ronen},
      title = {CHIP and CRISP:  Protecting All Parties Against Compromise through Identity-Binding PAKEs},
      howpublished = {Cryptology ePrint Archive, Paper 2020/529},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.