Paper 2023/324

LATKE: An identity-binding PAKE from lattice assumptions

Michael Rosenberg, University of Maryland, College Park

In a recent work, Cremers, Naor, Paz, and Ronen (CRYPTO '22) point out the problem of catastrophic impersonation in balanced password authenticated key exchange protocols (PAKEs). Namely, in a balanced PAKE, when a single party is compromised, the attacker learns the password and can subsequently impersonate anyone to anyone using the same password. The authors of the work present two solutions to this issue: CHIP, an identity-binding PAKE (iPAKE), and CRISP, a strong identity-binding PAKE (siPAKE). These constructions prevent the impersonation attack by generating a secret key on setup that is inextricably tied to the party's identity, and then deleting the password. Thus, upon compromise, all an attacker can immediately do is impersonate the victim. The strong variant goes further, preventing attackers from performing any precomputation before the compromise occurs. In this work we present LATKE, an iPAKE from lattice assumptions in the random oracle model. In order to achieve security and correctness, we must make changes to CHIP's primitives, security models, and protocol structure.

Note: We discovered an error in the composition of the two primary components of the LATKE construction, yielding a significant key recovery attack. We have added a disclaimer on the first page of this version explaining the error. This shortcoming will be fixed in a future version of this paper.

Available format(s)
Cryptographic protocols
Publication info
key agreementpassword-based cryptographyIIoTpost-quantum cryptography
Contact author(s)
micro @ cs umd edu
2023-06-20: revised
2023-03-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Rosenberg},
      title = {LATKE: An identity-binding PAKE from lattice assumptions},
      howpublished = {Cryptology ePrint Archive, Paper 2023/324},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.