Paper 2026/1053

Beyond 128 Bits: The Concrete Security of EKE

Jiawei Bao, University of Kassel
Tibor Jager, University of Wuppertal
Eike Kiltz, Ruhr University Bochum
Aysan Nishaburi, Ruhr University Bochum
Samin Nooripoor, Ruhr University Bochum
Jiaxin Pan, University of Kassel
Abstract

Can a relevant cryptographic primitive, when instantiated over the NIST P-256 elliptic curve, achieve a bit-security level exceeding $128$ bits? Yes. We formally prove that the well-known password-authenticated key exchange protocol $\mathsf{EKE}$, introduced by Bellovin and Merritt (S&P 1992), achieves a generic security level of $128+\frac{1}{2}\log_2(N)$ bits, where $N$ denotes the size of the password space. To prove this result, we introduce and develop a new approach for showing that breaking a cryptosystem with a prescribed advantage requires solving many instances of an underlying computational assumption. To this end, we formulate the Hidden-Target Diffie-Hellman assumption. In this assumption, the adversary is given a set of $N$ Diffie-Hellman challenge instances. The Diffie-Hellman key of one uniformly random instance is designated as the hidden target. The adversary does not know which instance is the target, but may output an arbitrary subset of candidate solutions and succeeds only if this subset contains the target. We formally prove that breaking the Hidden-Target Diffie-Hellman assumption with probability greater than $(k-1)/N$ requires solving at least $k$ of the $N$ Diffie-Hellman instances. We then show that the security of $\mathsf{EKE}$ in the ideal-cipher model is equivalent to the Hidden-Target Diffie-Hellman assumption. A somewhat surprising consequence of this equivalence is that $\mathsf{EKE}$ achieves the claimed generic security level of $128+\frac{1}{2}\log_2(N)$ bits. Moreover, the equivalence implies that $\mathsf{EKE}$ remains secure even in settings where the hardness of $\mathsf{DLOG}$ or $\mathsf{CDH}$ is weaker than expected: an adversary may still need to solve on the order of hundreds or thousands of discrete logarithm instances in order to succeed, a task that may remain infeasible even for powerful attackers, including those equipped with early quantum computers.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Contact author(s)
jiawei bao @ uni-kassel de
jager @ uni-wuppertal de
eike kiltz @ rub de
aysan nishaburi @ rub de
samin nooripoor @ rub de
jiaxin pan @ uni-kassel de
History
2026-05-27: approved
2026-05-25: received
See all versions
Short URL
https://ia.cr/2026/1053
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/1053,
      author = {Jiawei Bao and Tibor Jager and Eike Kiltz and Aysan Nishaburi and Samin Nooripoor and Jiaxin Pan},
      title = {Beyond 128 Bits: The Concrete Security of {EKE}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/1053},
      year = {2026},
      url = {https://eprint.iacr.org/2026/1053}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.