Paper 2021/114

Security Analysis of CPace

Michel Abdalla, Björn Haase, and Julia Hesse


In response to standardization requests regarding password-authenticated key exchange (PAKE) protocols, the IRTF working group CFRG has setup a PAKE selection process in 2019, which led to the selection of the CPace protocol in the balanced setting, in which parties share a common password. In subsequent standardization efforts, the CPace protocol further developed, yielding a protocol family whose actual security guarantees in practical settings are not well understood. In this paper, we provide a comprehensive security analysis of CPace in the universal composability framework. Our analysis is realistic in the sense that it captures adaptive corruptions and refrains from modeling CPace's MapToPoint function that maps field elements to curve points as an idealized function. In order to extend our proofs to different CPace variants optimized for specific elliptic-curve ecosystems, we employ a new approach which represents the assumptions required by the proof as libraries accessed by a simulator. By allowing for the modular replacement of assumptions used in the proof, this new approach avoids a repeated analysis of unchanged protocol parts and lets us efficiently analyze the security guarantees of all the different CPace variants. As a result of our analysis, all of the investigated practical CPace variants enjoy adaptive UC security.

Note: Added appendix with game-based proof.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in ASIACRYPT 2021
Password authenticationuniversal composabilityPAKE
Contact author(s)
michel abdalla @ gmail com
bjoern m haase @ web de
juliahesse2 @ gmail com
2021-10-11: last of 3 revisions
2021-02-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michel Abdalla and Björn Haase and Julia Hesse},
      title = {Security Analysis of CPace},
      howpublished = {Cryptology ePrint Archive, Paper 2021/114},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.