Paper 2023/324

LATKE: An identity-binding PAKE from lattice assumptions

Michael Rosenberg, University of Maryland, College Park

In a recent work, Cremers, Naor, Paz, and Ronen (CRYPTO '22) point out the problem of catastrophic impersonation in balanced password authenticated key exchange protocols (PAKEs). Namely, in a balanced PAKE, when a single party is compromised, the attacker learns the password and can subsequently impersonate anyone to anyone using the same password. The authors of the work present two solutions to this issue: CHIP, an identity-binding PAKE (iPAKE), and CRISP, a strong identity-binding PAKE (siPAKE). These constructions prevent the impersonation attack by generating a secret key on setup that is inextricably tied to the party's identity, and then deleting the password. Thus, upon compromise, all an attacker can immediately do is impersonate the victim. The strong variant goes further, preventing attackers from performing any precomputation before the compromise occurs. In this work we present LATKE, an iPAKE from lattice assumptions in the random oracle model. In order to achieve security and correctness, we must make changes to CHIP's primitives, security models, and protocol structure.

Available format(s)
Cryptographic protocols
Publication info
key agreementpassword-based cryptographyIIoTpost-quantum cryptography
Contact author(s)
micro @ cs umd edu
2023-03-05: approved
2023-03-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Rosenberg},
      title = {LATKE: An identity-binding PAKE from lattice assumptions},
      howpublished = {Cryptology ePrint Archive, Paper 2023/324},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.