Security Analysis of CPace

Michel Abdalla, Björn Haase, and Julia Hesse

Abstract

In response to standardization requests regarding password-authenticated key exchange (PAKE) protocols, the IRTF working group CFRG set up a PAKE selection process in 2019, which led to the selection of the CPace protocol in the balanced setting, in which parties share a common password. In subsequent standardization efforts, the CPace protocol was further developed, yielding a protocol family whose actual security guarantees in practical settings are not well understood. In this paper, we provide a comprehensive security analysis of CPace in the universal composability framework. Our analysis is realistic in the sense that it captures adaptive corruptions and refrains from modeling CPace's MapToPoint function, which maps field elements to curve points, as an idealized function. In order to extend our proofs to different CPace variants optimized for specific elliptic-curve ecosystems, we employ a new approach that represents the assumptions required by the proof as libraries accessed by a simulator. By allowing for the modular replacement of assumptions used in the proof, this new approach avoids a repeated analysis of unchanged protocol parts and lets us efficiently analyze the security guarantees of all the different CPace variants. As a result of our analysis, all of the investigated practical CPace variants enjoy adaptive UC security.

Note: Added appendix with game-based proof.

Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2021
Contact author(s)
michel abdalla @ gmail com
bjoern m haase @ web de
juliahesse2 @ gmail com
History
2021-10-11: last of 3 revisions
Short URL
https://ia.cr/2021/114

CC BY

BibTeX

@misc{cryptoeprint:2021/114,
author = {Michel Abdalla and Björn Haase and Julia Hesse},
title = {Security Analysis of CPace},
howpublished = {Cryptology ePrint Archive, Paper 2021/114},
year = {2021},
note = {\url{https://eprint.iacr.org/2021/114}},
url = {https://eprint.iacr.org/2021/114}
}
