Paper 2024/307

SweetPAKE: Key exchange with decoy passwords

Afonso Arriaga, University of Luxembourg
Peter Y.A. Ryan, University of Luxembourg
Marjan Skrobot, University of Luxembourg

Decoy accounts are often used as an indicator of the compromise of sensitive data, such as password files. An attacker targeting only specific known-to-be-real accounts might, however, remain undetected. A more effective method proposed by Juels and Rivest at CCS'13 is to maintain additional fake passwords associated with each account. An attacker who gains access to the password file is unable to tell apart real passwords from fake passwords, and the attempted usage of a false password immediately sets off an alarm indicating a password file compromise. Password-Authenticated Key Exchange (PAKE) has long been recognised for its strong security guarantees when it comes to low-entropy password authentication and secure channel establishment, without having to rely on the setup of a PKI. In this paper, we introduce SweetPAKE, a new cryptographic primitive that offers the same security guarantees as PAKE for key exchange, while allowing clients with a single password to authenticate against servers with $n$ candidate passwords for that account and establish a secure channel. Additional security properties are identified and formalized to ensure that (a) high-entropy session keys are indistinguishable from random, even if later on the long-term secret password becomes corrupted (forward secrecy); (b) upon password file leakage, an adversary cannot tell apart real from fake passwords; and (c) a malicious client cannot trigger a false alarm. We capture these properties by extending well-established game-based definitions of PAKE. Furthermore, we propose a new UC formulation that comprehensively unifies both SweetPAKE (session key indistinguishability and sugarword indistinguishability) and a related notion known as Oblivious-PAKE. Finally, we propose efficient SweetPAKE and Oblivious-PAKE protocols constructed from Password-Authenticated Public-Key Encryption (PAPKE) that satisfy all the proposed notions.

Note: This is the full version of the paper to appear in the proceedings of AsiaCCS'24, with comprehensive proofs of all theorems presented.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. AsiaCCS'24
SweetPAKEHoneywordsPAKEPAPKEOblivious PAKE
Contact author(s)
afonso arriaga @ gmail com
peter ryan @ uni lu
marjan skrobot @ uni lu
2024-02-26: approved
2024-02-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Afonso Arriaga and Peter Y.A. Ryan and Marjan Skrobot},
      title = {{SweetPAKE}: Key exchange with decoy passwords},
      howpublished = {Cryptology ePrint Archive, Paper 2024/307},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.