Paper 2022/1607

A Universally Composable PAKE with Zero Communication Cost (And Why It Shouldn't Be Considered UC-Secure)

Lawrence Roy, Aarhus University
Jiayu Xu, Oregon State University

A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to agree upon a cryptographic key, when the only information shared in advance is a low-entropy password. The standard security notion for PAKE (Canetti et al., Eurocrypt 2005) is in the Universally Composable (UC) framework. We show that unlike most UC security notions, UC PAKE does not imply correctness. While Canetti et al. has briefly noticed this issue, we present the first comprehensive study of correctness in UC PAKE. Our contributions are four-fold: 1. We show that TrivialPAKE, a no-message protocol that does not satisfy correctness, is a UC PAKE; 2. We propose nine approaches to guaranteeing correctness in the UC security notion of PAKE, and show that seven of them are equivalent, whereas the other two are unachievable; 3. We prove that a direct solution, namely changing the UC PAKE functionality to incorporate correctness, is impossible; 4. Finally, we show how to naturally incorporate correctness by changing the model — we view PAKE as a three-party protocol, with the man-in-the-middle adversary as the third party. In this way, we hope to shed some light on the very nature of UC-security in the man-in-the-middle setting.

Available format(s)
Cryptographic protocols
Publication info
Contact author(s)
ldr709 @ gmail com
xujiay @ oregonstate edu
2023-01-26: revised
2022-11-17: received
See all versions
Short URL
Creative Commons Attribution


      author = {Lawrence Roy and Jiayu Xu},
      title = {A Universally Composable PAKE with Zero Communication Cost (And Why It Shouldn't Be Considered UC-Secure)},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1607},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.