On the Relation Between SIM and IND-RoR Security Models for PAKEs
Jos
´
e Becerra, Vincenzo Iovino, Dimiter Ostrev and Marjan
ˇ
Skrobot
University of Luxembourg, Interdisciplinary Centre for Security, Reliability and Trust, 6, avenue de la Fonte, L-4364,
Esch-sur-Alzette, Luxembourg
Keywords:
Security Models, SIM-based Security, IND-based Security, Password Authenticated Key Exchange.
Abstract:
Password-based Authenticated Key-Exchange (PAKE) protocols allow users, who need only to share a pass-
word, to compute a high-entropy shared session key despite passwords being taken from a dictionary. Security
models for PAKE protocols aim to capture the desired security properties that such protocols must satisfy
when executed in the presence of an active adversary. They are usually classified into i) indistinguishability-
based (IND-based) or ii) simulation-based (SIM-based). The relation between these two security notions is
unclear and mentioned as a gap in the literature. In this work, we prove that SIM-BMP security from Boyko et
al. (EUROCRYPT 2000) implies IND-RoR security from Abdalla et al. (PKC 2005) and that IND-RoR secu-
rity is equivalent to a slightly modified version of SIM-BMP security. We also investigate whether IND-RoR
security implies (unmodified) SIM-BMP security.
1 INTRODUCTION
The Password Authenticated Key Exchange (PAKE)
problem asks for two entities, who only share a pass-
word, to engage in a conversation so that they agree
on a session key. The established session key can
be used to protect their subsequent communication.
PAKE protocols play a key role in today’s world as
they allow for authenticated key exchange to occur
without the use of Public-Key Infrastructure (PKI), by
using a human-memorable password instead. Theo-
retically, they are fascinating, because of their ability
to use a weak secret such as a password to produce
a strong cryptographic key in a provably secure way
over a hostile communications network.
The nature of passwords makes PAKE protocols
vulnerable to dictionary attacks. In such attacks, an
adversary tries to break the security of the protocol
by exhaustively enumerating all possible passwords
until a guess is correct. This strategy might not be
very successful on AKE schemes where the legitimate
entities share as long-term secret a high-entropy key.
However, in the PAKE setting the long term secrets
come from a small set of values, i.e. a dictionary,
posing a genuine security threat.
We distinguish between two types of possible dic-
tionary attacks: offline and online dictionary attacks.
In an offline dictionary attack, the adversary uses in-
teraction with the honest parties – or mere eavesdrop-
ping – to get information about the password that al-
lows him to launch an exhaustive offline search. In an
online dictionary attack, an attacker takes a password
from the set of possible passwords, interacts with a
legitimate party by running the protocol and checks
whether the key exchange succeeds for the candidate
password or not.
The cryptographic goal when designing PAKE
protocols is to ensure that the attacker essentially can-
not do better than an online dictionary attack. This
goal recognizes that while online dictionary attacks
cannot be avoided, offline dictionary attacks can and
should be prevented. Numerous PAKE protocols have
been designed trying to meet this goal but have later
been found to be flawed (Nam et al., 2013; Clarke and
Hao, 2014). Consequently, security models for PAKE
have been devised to get assurance on the claimed se-
curity properties by performing a rigorous analysis.
In this work, we consider the provable security ap-
proach, where protocols are analyzed in a complexity-
theoretic security model, the goal being that no rea-
sonable algorithm can violate security under various
hardness assumptions. The complexity-theoretic se-
curity models are classified into indistinguishability-
based (IND-based) and simulation-based (SIM-
based). In the IND-based approach security means
that no probabilistic polynomial-time (PTT) adver-
sary can distinguish an established session key sk
from a random string, i.e. it guarantees semantic se-
curity on sk. The SIM-based approach defines two
worlds: an ideal world which is secure by definition
Becerra, J., Iovino, V., Ostrev, D. and Škrobot, M.
On the Relation Between SIM and IND-RoR Security Models for PAKEs.
DOI: 10.5220/0006430301510162
In Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pages 151-162
ISBN: 978-989-758-259-2
Copyright © 2017 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
151
and the real world which is the real protocol execution
against some PPT attacker. In the SIM-based setting,
security asks for the indistinguishability between the
ideal world and real world executions.
When dealing with formal security modeling of
PAKE, the difference between the two previously
mentioned approaches, IND and SIM, has practical
consequences. It is accepted that IND-based mod-
els are easier to work with for protocol designers
that wish to prove the security of their protocols.
In fact, currently, most of the security proofs for
PAKEs are constructed under the IND-based mod-
els Find-then-Guess (IND-FtG) from (Bellare et al.,
2000) and Real-or-Random (IND-RoR)
1
from (Ab-
dalla et al., 2005). In contrast, constructing security
proofs in SIM-based models is considered more chal-
lenging. Two SIM-based models for PAKE that have
seen wider use are Boyko, MacKenzie and Patel’s
(BMP) model (Boyko et al., 2000) that is derived from
Shoup’s SIM-based model for AKE (Shoup, 1999)
and the Universal Composability (UC) framework of
Canetti et al. (Canetti et al., 2005) that follows UC
paradigm of Canetti (Canetti, 2001). While complex
for constructing proofs of security, it is fair to recog-
nize that SIM-based security i) offers a more intuitive
and natural approach to defining security, ii) it is sim-
pler to describe and interpret the security properties
captured by the model, iii) SIM-secure protocols are
well suited to accommodate secure composition re-
sults, and iv) it is possible to prove security of PAKE
protocols even in the case of correlated passwords that
may come from arbitrary password distributions.
INDRoR SIMBMP
INDFtG SIMUC
Figure 1: Known relations between PAKE security defini-
tions.
The known relations between PAKE security def-
initions are summarized in Figure 1. In particular, to
the best of the knowledge of the authors, no work
has been done to formally analyze the relation be-
tween the IND-RoR and SIM-BMP security notions
for PAKE.
2
As we can see in Figure 1, the only exist-
ing result that is known to hold between IND and SIM
1
IND-RoR is a refinement of IND-FtG model in which the
adversary has access to multiple test queries instead of a
single one.
2
The result by Shoup (Shoup, 1999) on the equivalence be-
tween IND-FTG model and SIM model for authenticated
key exchange with a high-entropy long-term secret does
not carry over to the PAKE setting. The reason for this is
based definitions is the one from (Canetti et al., 2005).
There, the authors show that their SIM-UC definition
implies the IND-FtG definition from (Bellare et al.,
2000).
In practical terms, the lack of comparison re-
sults between IND-based and SIM-based models for
PAKEs means that the security of PAKE protocols,
such as SPEKE,
3
that have been studied in the SIM-
BMP simulation model of (Boyko et al., 2000) can
not be compared with other PAKE protocols that are
secure according to the SIM-UC or IND definitions.
1.1 Our Contribution
In this work our contributions can be summarized as
follows:
We first reconcile the syntactic differences be-
tween the IND-RoR and SIM-BMP models for
PAKE thus allowing honest comparison between
them. More specifically, we slightly modify the
initialization procedure of the IND-RoR model
(Abdalla et al., 2005) such that it follows the SIM-
BMP model.
We prove that SIM-BMP security implies IND-
RoR security and that IND-RoR security is equiv-
alent to a slightly modified version of SIM-BMP
security adapted to the model of (Goldreich and
Lindell, 2001). We also investigate whether IND-
RoR security implies (unmodified) SIM-BMP se-
curity.
1.2 Related Work
Authenticated Key Exchange (AKE). The complex-
ity theoretic treatment of security for AKE protocols
was initiated by Bellare and Rogaway in 1993 (Bel-
lare and Rogaway, 1993). In their groundbreaking
work, they followed the indistinguishability (IND)
approach to formalize the notion of security for Key
Exchange (KE) protocols, using previously estab-
lished symmetric keys as long-term secrets and con-
sidering the realistic scenario of concurrent sessions
running on a network under full control of the adver-
sary. In their model, an AKE protocol is secure if,
that there is a non-negligible upper bound on the advan-
tage of the adversary in IND-based security definitions for
PAKE. This, in turn, does not admit loose reductions.
3
The SPEKE protocol (Jablon, 1996) is one of the most
well-known PAKE designs. It has been proposed by Jablon
in 1996 and proven secure in the SIM-BMP model un-
der the Random Oracle (RO) assumption by MacKenzie
(MacKenzie, 2001). SPEKE is practically relevant as it is
specified in the ISO/IEC 11770-4 (ISO/IEC 11770-4:2006,
2009) and IEEE P1363.2 (IEEE P1363.2, 2002) standards.
SECRYPT 2017 - 14th International Conference on Security and Cryptography
152
under the allowed adversary actions, the established
session key is computationally indistinguishable from
a random string. After this initial work, numerous
others have appeared studying the cryptographic se-
curity for KE protocols following the IND-based ap-
proach (Bellare and Rogaway, 1995; Blake-Wilson
and Menezes, 1997; Canetti and Krawczyk, 2001;
LaMacchia et al., 2007; Cremers, 2011; Brzuska
et al., 2011; Jager et al., 2012).
In parallel, the first simulation (SIM) definition for
KE was given by Bellare, Canetti and Krawczyk (Bel-
lare et al., 1998). In 1999, Shoup proposed another
security model for AKE protocols in the SIM-based
setting (Shoup, 1999) and informally compared his
model with the one from (Bellare et al., 1998). In the
same work, the author gave a sketch of a proof argu-
ing that SIM-security against both static and adaptive
adversaries is equivalent to the corresponding IND-
security notions of (Bellare and Rogaway, 1995).
Canetti and Krawczyk in (Canetti and Krawczyk,
2002) took SIM definitions further by expanding the
composition guarantees of KE from (Shoup, 1999) to
arbitrary protocols within the Universal Composabil-
ity (UC) framework of Canetti (Canetti, 2001).
Password Authenticated Key Exchange (PAKE).
The idea of PAKE has been first put forward by
Bellovin and Meritt in (Bellovin and Merritt, 1992).
Their proposal, the EKE protocol, was the first
to show that it is possible to design a password
authentication mechanism that can withstand of-
fline dictionary attacks. The SPEKE protocol from
Jablon (Jablon, 1996) soon appeared, following a very
different design strategy. However, both of these
works included only informal security justifications.
The first adequate security models for PAKE ap-
peared in (Bellare et al., 2000) and (Boyko et al.,
2000) around the same time. Both models were
built upon already existing AKE models. Although
the SIM-based model from (Boyko et al., 2000)
has been used to prove secure several PAKE proto-
cols (PAK (Boyko et al., 2000), RSA-based SNAPI
(MacKenzie et al., 2000), and SPEKE (MacKenzie,
2001)), it is the IND-FtG model from (Bellare et al.,
2000) that has established itself as the model of choice
when analyzing PAKEs. Using the IND-FtG model,
Katz et al. (Katz et al., 2001) managed to achieve
a breakthrough: they have shown how one can effi-
ciently realize PAKE without random oracles, but in-
stead relying on a common reference string (CRS). In
more theoretical work, Goldreich and Lindell (Gol-
dreich and Lindell, 2001) proposed a PAKE in the
plain model
4
that follows the simulation tradition. A
4
In the plain model, the security of a cryptosystem is proved
using only general complexity assumptions and no trusted
few years later, Abdalla et al. (Abdalla et al., 2005)
showed that a stronger model than IND-FtG is neces-
sary when trying to achieve three-party PAKE. Hence,
they proposed a new model, known as the IND-RoR
model, which is proven to be stronger than the IND-
FtG model in the case of PAKE. The IND-RoR model
enriched to handle forward secrecy is consid-
ered the state-of-the-art model and has been used in
the analysis of most recent PAKE protocols (Abdalla
et al., 2015; Lancrenon et al., 2016). Another model
which is prominent in PAKE research is the Universal
Composability (UC) framework for PAKE of Canetti
et al. (Canetti et al., 2005). For more relevant papers
on PAKE, we refer the reader to Pointcheval’s survey
(Pointcheval, 2012).
1.3 Organization
The rest of the paper is organized as follows: In Sec-
tion 2 we describe the Real-or-Random model for
PAKE due to Abdalla et al. (Abdalla et al., 2005).
Next, in Section 3, we introduce simulation-based
model for PAKE from Boyko et al. (Boyko et al.,
2000). We assume some familiarity with the mod-
els and refer to the original publications for a full de-
scription. Section 4 examines the relation between the
Real-Or-Random model of (Abdalla et al., 2005) and
the simulation-based model of Boyko et al. (Boyko
et al., 2000). Finally, we conclude the paper in Sec-
tion 5.
2 THE REAL OR RANDOM
SECURITY MODEL FOR PAKE
In this section, we recall the so-called Real-or-
Random (IND-RoR) security model for 2-party
PAKE, but before doing so, we introduce the notation
used throughout this paper.
2.1 Notation
We write d
$
D for sampling uniformly at random
from set D and |D| its cardinality. The output of a
probabilistic algorithm A on input x is denoted by
y A(x), while y := A(x, r) denotes the (determinis-
tic) output of an algorithm A on input x and fixed ran-
dom tape r. Adversaries (respectively, challengers)
will be denoted A (resp. C H ) in the IND-RoR model
and B (resp. R M ) in the SIM model. The direc-
tory of passwords is pw, PPT stands for probabilistic
polynomial-time and λ is the security parameter. A
setup.
On the Relation Between SIM and IND-RoR Security Models for PAKEs
153
function f : N R
+
is said to be negligible if it de-
creases faster than the inverse of any polynomial and
the symbol negl designates some unspecified negligi-
ble function. We write A
c
B to denote two computa-
tionally indistinguishable distributions.
2.2 Description of the IND-RoR Model
The IND-RoR model of Abdalla et al. (Abdalla et al.,
2005) is built upon the Find-then-Guess (IND-FtG)
from (Bellare et al., 2000). As in IND-FtG, security
in the IND-RoR model is defined by a game played
between a challenger C H and adversary A whose
goal is to distinguish real session keys from random
strings. The main difference between the two models
is that the adversary – during the security experiment
is allowed to ask multiple test queries in the IND-
RoR model, while in IND-FtG she is restricted to a
single test query.
Note that we will introduce only a minor change
to the IND-RoR and the SIM-BMP model in order
to allow meaningful comparison between them. Oth-
erwise, the models would be syntactically incompa-
rable. Whenever possible, we prefer to change the
SIM-BMP model rather than IND-RoR since the lat-
ter is more widespread.
PROTOCOL PARTICIPANTS. Each participant in a
two party PAKE protocol is either a client C C or a
server S S . Let U = C
S
S denote the set of all (hon-
est) participants. Additionally, each initialized par-
ticipant U is associated with a unique identifier id
U
.
During the execution of the protocol, there might be
several running instances of each participant. A run-
ning instance i of some participant U U is called an
oracle instance and is denoted by Π
i
U
.
LONG-TERM SECRETS. Server S holds a password
π for each client C. In the opposite direction, client C
holds a password π for each server S. For simplicity
let π also denote the function assigning passwords to
pair of users. We will refer to π[id
C
,id
S
] as the pass-
word shared between client C and server S. Note that
π[id
C
,id
S
] = π[id
S
,id
C
], while π[id
S
,id
S
] or π[id
C
,id
C
]
are not allowed in the model. The passwords are as-
sumed to be independent and uniformly distributed.
PROTOCOL EXECUTION. Protocol P is an algo-
rithm that describes how participants behave in re-
sponse to inputs from their environment. Each par-
ticipant can run P in parallel with different partners,
which is modeled by allowing an unlimited number
of instances of each participant to be created. We
assume the presence of an adversary A who has full
control over the network i.e. she entirely controls the
communication between legitimate entities. She can
enumerate, off-line, the words of the password direc-
tory pw.
SECURITY EXPERIMENT IN IND-ROR MODEL.
Security in the IND-RoR model is defined via a game
played between the challenger C H and adversary A.
At the beginning of the experiment, CH tosses a coin
and sets b {0, 1} outside of As view. Then A is
given access to i) endless supply of user instances Π
i
U
and ii) oracle queries to control them. Oracle queries
are answered by the corresponding Π
i
U
according to
P. As goal is to find out the value of the hidden bit b.
Next, we summarize the oracle queries A can access
during the security experiment.
Initialize User.(U,id
U
,role
U
). A assigns the
string id
U
as identity and role
U
{client,server}
to user U U, subject to the restriction that id
U
has not been already assigned to another user.
There are two cases:
In case role
U
= client we shall simply write C
instead of U. Then, for every initialized server
S S with id
S
, a password is picked uniformly
at random from the dictionary and assigned
to the corresponding pair of client-server, i.e.
π[id
C
,id
S
]
$
pw.
If role
U
= server we simply write S instead of
U. Then, for every initialized client C C do
π[id
C
,id
S
]
$
pw.
Initialize User Instance.(U, i, role
i
U
, pid
i
U
). An
instance i N of initialized user U U is cre-
ated and denoted by Π
i
U
. It is assigned i) a role
role
i
U
{open,connect} and ii) a partner identity
pid
i
U
corresponding to the identity of some user
U
0
that Π
i
U
is supposed to communicate with in
the future. The following constraint must hold:
role
U
and role
U
0
are complementary, i.e.
role
U
= server and role
U
0
= client or the other
way around.
User instances are modeled as state machines with
implicit access to the protocol description P and
its corresponding password, i.e. some Π
i
U
with
pid
i
U
= id
U
0
is given access to π[U, pid
i
U
].
Send. (U,i,m). A sends message m to user in-
stance Π
i
U
. The latter behaves according to proto-
col description, sends back the response m
0
to A
(if any) and updates its state as follows:
continue: Π
i
U
is ready to receive another mes-
sage.
reject: Π
i
U
aborts the protocol execution and
sets the session key sk
i
U
=. This can be due
to receiving an unexpected message m.
accept: Π
i
U
holds pid
i
U
, session identifier sid
i
U
and sk
i
U
. However, Π
i
U
still expects to receive
SECRYPT 2017 - 14th International Conference on Security and Cryptography
154
another message to fulfill the protocol specifi-
cation.
terminate: Π
i
U
holds pid
i
U
, sid
i
U
and sk
i
U
. It has
completed the protocol execution and will not
send nor receive any other message.
Execute. (U,i,U
0
, j). The transcript of the execu-
tion is returned to A. It models honest execution
of the protocol between Π
i
U
and Π
j
U
0
.
Test. (U,i). A asks for the session key of user
instance Π
i
U
, C H responds as follows:
If status
i
U
6= terminate return .
If status
i
U
= terminate, C H responds using the
bit b. If b = 1 then A gets the real sk of Π
i
U
,
if b = 0 she gets a random string r
$
{0,1}
l
sk
,
where l
sk
denotes the length of session keys. To
ensure consistency, whenever b = 0 the same
random string is returned for test queries asked
to two partnered instances.
Matching Instances. Two user instances, Π
i
U
and
Π
j
U
0
, are matching instances if:
pid
i
U
= id
U
0
, pid
j
U
0
= id
U
Users have complimentary roles, i.e. one has role
client and the other has role server.
User instances have complimentary roles, i.e. one
instance has the role open and the other connect.
Partnering. Two matching instances Π
i
U
and Π
j
U
0
are
partners if both instances accept each holding pid
i
U
,
sid
i
U
, sk
i
U
and pid
j
U
0
, sid
j
U
0
, sk
j
U
0
respectively – and the
following holds:
sid
i
U
= sid
j
U
0
and sk
i
U
= sk
j
U
0
No oracle besides Π
i
U
and Π
j
U
0
accepts with some
sid
0
= sid
i
U
, except with negligible probability.
Advantage of the Adversary. During the experi-
ment, A is allowed to ask several test queries directed
to different oracle instances Π
i
U
in the terminate state.
All these queries are answered depending on the bit b
chosen at the beginning of the experiment with either
the real session key if b = 1 or a random string other-
wise. At the end of the game, A outputs a bit b
0
and
wins the game if b
0
= b, i.e. if she distinguished real
session keys from random strings. The advantage of
A in the IND-RoR security game for protocol P and
passwords sampled uniformly at random from dictio-
nary pw is defined as follows:
Adv
RoR
P,pw
(A) := 2 · Pr(b
0
= b) 1. (1)
Definition 1. Protocol P is secure in the IND-RoR
sense if for any PPT adversary A:
Adv
RoR
P,pw
(A)
k · n
|pw|
+ negl(λ) , (2)
where n is an upper bound on the number of sessions
initialized by A, k N and λ is the security parameter.
Remark 1. When using passwords as means of au-
thentication, there is a non-negligible probability of
an adversary successfully impersonating an honest
user by simply guessing its password. This problem is
unavoidable and inherent to PAKE protocols. Conse-
quently the security definition considers a PAKE pro-
tocol to be secure if only on-line dictionary attacks are
possible i.e. the protocol should not leak any informa-
tion that allows the adversary to obtain the password
in an off-line manner. In the remaining of the paper,
we consider the best scenario where k = 1 i.e. the
adversary can test at most one password per active
instance.
3 SECURITY IN SIMULATION
MODEL
SIM-based security requires the definition of two sce-
narios: i) an Ideal World (IW ) which describes the key
exchange service that is meant to be provided and ii)
a Real World (RW ) to describe the real interaction be-
tween honest protocol participants and an adversary
attacking the protocol. The IW is designed in such a
way that it is secure by definition and follows the de-
sired security properties that a PAKE should satisfy.
As mentioned in (Boyko et al., 2000) and (Canetti
et al., 2005), there are two ways to incorporate online
dictionary attacks in SIM-based security models:
1. Incorporate the non-negligible probability of an
adversary guessing the password into the ideal
world, by explicitly allowing the ideal world ad-
versary to verify the guess of a candidate pass-
word. Then one defines a protocol to be secure if
the real-world execution is computationally indis-
tinguishable from an execution in the ideal world.
2. Do not allow password guessing in the ideal world
but relax the requirement of indistinguishability
between the real world and ideal world transcripts.
One defines a protocol to be secure as one whose
real-world execution is distinguishable from an
execution in the ideal world with probability at
most n/|pw| + negl(λ), where n is the number
of active user instances and pw is the dictionary.
Keep in mind that we make use of this approach
in Section 4 when we prove Theorem 3.
On the Relation Between SIM and IND-RoR Security Models for PAKEs
155
The first approach is considered in (Boyko et al.,
2000), (Canetti et al., 2005) and the second is consid-
ered in (Goldreich and Lindell, 2001), (Nguyen and
Vadhan, 2008).
Next, we describe the simulation model of Boyko
et al. (Boyko et al., 2000), which we simply call
the SIM-BMP model. Their work is an extension of
(Shoup, 1999) to the password setting.
3.1 Ideal World
The ideal world (IW ) model describes the service that
a PAKE aims to provide, i.e. to allow parties to jointly
compute a high entropy secret session key, which can
be used later in higher level applications. In the IW
there are no messages flowing around the network nor
cryptography. The session keys are chosen at ran-
dom by a trusted party and delivered out-of-band to
the honest users.
Formally, the ideal world involves interaction be-
tween a trusted entity called ideal world Ring Mas-
ter and an ideal world adversary, denoted by R M
and B
respectively. The ring master is similar to the
challenger in the IND-RoR experiment. The details
of the ideal world execution follow.
PROTOCOL PARTICIPANTS: As defined in the
IND-RoR model.
LONG-TERM SECRETS: The SIM-BMP model
does not make any assumption on the password dis-
tribution. However, to allow a fair comparison to the
IND-RoR model, we assume the passwords to be in-
dependent and uniformly distributed.
PROTOCOL EXECUTION: There is no protocol ex-
ecution in the ideal world. The session key of an in-
stance is generated by the R M
when B
asks that
instance the start session query. Additionally B
is
given access to the following oracles:
Initialize User.(U,id
U
,role
U
). Identical to that in
the IND-RoR model.
[Transcript:(“init. user”,U,role
U
)]
Initialize User Instance.(U,i,role
i
U
, pid
i
U
).
Identical to that in the IND-RoR model.
[Transcript: (“init. inst.”,U,i,role
i
U
, pid
i
U
)]
Abort User Instance. (U,i) Adversary B
asks
R M
to abort user instance Π
i
U
. We say then that
Π
i
U
is aborted.
[Transcript: (“abort. user inst.”,U,i)]
Test Instance Password. (U,i,π
0
). For user in-
stance Π
i
U
and password guess π
0
, B
queries if
π
0
equals π(U, pid
i
U
). If this is true, the query is
called successful guess on {U, pid
i
U
}.
This query can be asked only once per user in-
stance. The user instance must be initialized and
not yet engaged in a session, i.e. no start session
operation has been performed for that instance.
Note that B
is allowed to ask a test instance pass-
word query to an instance that is aborted. This
query does not leave any records in the transcript.
Start Session.(U, i). B
specifies that a session
key for user instance Π
i
U
must be generated, by
specifying one of the three connection assigments
available:
Open For Connection From. (U
0
, j). This op-
eration is allowed if: c1) role
i
U
= open and user
instances Π
i
U
and Π
j
U
0
are matching instances,
c2) Π
j
U
0
has been initialized and not aborted,
c3) no other instance is open for connection
from Π
j
U
0
and c4) no test instance password op-
eration has been performed on Π
i
U
. Then R M
generates session key sk
i
U
at random. Then Π
i
U
is said to be open for connection from Π
j
U
0
.
Connect To. (U
0
, j). This operation is allowed
if: c1) role
i
U
= connect and user instances Π
i
U
and Π
j
U
0
are matching instances, c2) Π
j
U
0
has
been initialized and not aborted, c3) Π
j
U
0
was
open for connection from Π
i
U
after Π
i
U
was ini-
tialized and Π
j
U
0
is still open for connection
and c4) no test instance password operation
has been performed on Π
i
U
. The R M
sets
sk
i
U
= sk
j
U
0
and Π
j
U
0
is no longer open for con-
nection.
Expose. (U,i,sk). B
assigns session key sk to
user instance Π
i
U
. It requires that there has been
a successful test instance password on Π
i
U
.
[Transcript: (“start session”,U,i)]
Application. ( f ,U,i). The adversary specifies
an efficiently computable function f and a user
instance Π
i
U
for which a session key sk
i
U
has al-
ready been established. It gets back f ({sk
i
U
},R),
where R is a global random bit string which user
instances are given access to. R is not correlated
to the established session keys and usually is re-
ferred to as the environment.
[Transcript: (“application”, f , f (sk
i
U
,R))]
Implementation. This is a do nothing operation.
B
is allowed to place implementation operations
without taking any effect in the ideal world. It is
needed to allow B
to construct transcripts that
are equivalent to those in the real world.
[Transcript: (“impl”, cmmt)]
Transcript. Some of the previously mentioned
queries are recorded in a transcript. Let IW T
denote
the transcript generated by B
.
SECRYPT 2017 - 14th International Conference on Security and Cryptography
156
Remark 2. The SIM-BMP model handles on-line dic-
tionary attacks by introducing the notion of passwords
and specifically the test instance password query in
the IW . This approach allows having ideal world ex-
ecutions which are computationally indistinguishable
from real world ones.
The purpose of running a key exchange protocol is
to later use the established session keys in higher-level
application protocols, e.g. encryption for secure com-
munication. However, the use of such session keys
may leak information about the key to the adversary.
The application query models the ability of the ad-
versary to get any information she wishes about the
environment and the established session keys. The
function f is defined by B
, the only constraint is that
it must be efficiently computable.
3.2 Real World
The real-world (RW ) describes the scenario where a
PAKE protocol runs. There is a real world Ring Mas-
ter (R M ), whose role is similar to the role of the chal-
lenger in the IND-RoR experiment, and a real-world
adversary B who tries to attack the PAKE.
PROTOCOL PARTICIPANTS: Identical to IW .
LONG-TERM SECRETS: Identical to IW .
PROTOCOL EXECUTION: The same as in the IND-
RoR model. Also, user instances are defined as state
machines with implicit access to id
U
, pid
i
u
and the
corresponding password. The communication be-
tween the instances is entirely controlled by B via the
following queries:
Initialize Use.r(U,id
U
,role
U
). Identical to that
in the IND-RoR model.
[Transcript:(“init. user”,U,role
U
)]
Initialize User Instance.(U,i,role
i
U
, pid
i
U
).
Identical to that in the IND-RoR model.
[Transcript: (“init. inst.”,U,i,role
i
U
, pid
i
U
)]
Send. (U,i,m). The same as in the IND-RoR
model except that the following is added to the
transcript:
[Transcript: (“impl”, “msg”,U,i,m,m
0
,state
i
U
)].
Additionally, the following record is added to the
transcript depending on state
i
U
.
If state
i
U
= “terminate” add (“start session”,U,i).
If state
i
U
= “abort” add (“abort”,U, i).
Application. ( f ,U,i). The same as in IW .
[Transcript: (“application”, f , f (sk
i
U
,R))]
Transcript. Let RW T be the transcript generated by
B. This is a sequence of records describing the ac-
tions of B when interacting with the real world proto-
col. R M generates Bs random tape and places it in
the first record of the transcript.
[Transcript: (“impl”, “random tape”, rt).
Definition 2. (Simulatability.) A protocol is SIM-
BMP secure if for every efficient real-world adversary
B, there exists an efficient ideal world adversary B
,
such that RW T
c
IW T
. Alternatively:
B B
D : |Pr [1 D(RW T )]
Pr[1 D(IW T
)]| negl(λ) (3)
4 RELATIONS BETWEEN
IND-ROR AND SIM-BMP
In this section, we establish the relations between
IND-RoR and SIM-BMP security models for PAKE.
We start by showing that SIM-BMP security implies
IND-RoR security.
Table 1: Correspondence of As and Bs queries.
IND-RoR SIM-BMP
init user init user
init user instance init user instance
send send
execute send
test application
Theorem 1. (SIM-BMP Security IND-RoR Secu-
rity). If protocol P is secure in the SIM-BMP model,
then P is also secure in the IND-RoR model.
Proof. We show that if protocol P satisfies SIM-BMP
security, then the advantage of any adversary A in
the IND-RoR experiment is bounded by n/|pw| +
negl(λ), where n is an upper bound on the number
of instances created by A.
For simplicity the proof is divided in two parts:
i) Building a real-world adversary B from A and ii)
Building a distinguisher D. Details follow:
i) First we construct B using an A as a subroutine,
where B uses his own R M to answer As queries.
B, using his own queries, can perfectly simulate the
IND-RoR experiment to A (see Table 1). The interac-
tion R M vs B produces a transcript RWT . Next we
describe the procedure in detail:
The interaction R M vs B starts when the for-
mer initializes B with random tape rt
B
- as de-
scribed in Section 3. Next B, who simulates the
challenger C H in the IND-RoR game, generates a
uniformly distributed bit-string rt
A
and initializes
A with random tape rt
A
.
On the Relation Between SIM and IND-RoR Security Models for PAKEs
157
B sets b
$
{0,1} outside As view.
B interacts with his R M as follows: When A
makes initialize user, initialize user instance or
send queries, B simply forwards them to his R M
and its response (if any) is forwarded back to A.
When A makes execute queries, they are con-
verted into send queries appropriately.
B answers As test query using his application
query and bit b. If b = 1 then B uses his applica-
tion query to reveal sk
i
U
, however, if b = 0, then B
generates a random string r {0,1}
l
sk
and gives
it to A. As in the IND-RoR experiment, in order
to avoid strategies where A could trivially win the
game, whenever b = 0 the same r is returned for
test queries asked to two partnered instances
5
.
The game continues and A is allowed to make
more queries as she wishes. Eventually, A out-
puts her guess b
0
and the IND-RoR game finishes.
B makes an application query and writes in the
transcript the string “b,rt
A
”.
The transcript created is RW T . We recall
that SIM-BMP security definition guarantees that
B B
such that RW T
c
IW T
.
ii) Build a PPT distinguisher D whose aim is to distin-
guish real-word from ideal-world transcripts. D gets
as input a transcript t {RW T,IW T
}, which D uses
to initialize a PPT adversary A and simulate an IND-
RoR experiment to A. We show that, if SIM-security
holds, A can not win his IND-RoR experiment with
advantage greater than n/|pw| + negl(λ). On input
some transcript t, D proceeds as follows:
Look for the last record of the transcript contain-
ing the string “b,rt
A
”.
D “simulates” the challenger in the IND-RoR ex-
periment. He initializes A on random tape rt
A
.
Since A is given rt
A
, she behaves (deterministic)
the same way as recorded in the transcript t. Ev-
ery query asked by A can be answered by D by
just reading t.
Eventually A outputs her guess b
0
and D proceeds
as follows: If b = b
0
D outputs “1” and if b 6=
b
0
it outputs “0”. Additionally, when a bad event
occurs, e.g. A can not be initialized, or her queries
can not be answered by reading t, then D outputs
.
A wins her IND-RoR game whenever she outputs
b
0
= b. By construction of D it holds that:
Pr[1 D(RW T )] = Pr [ A wins | t = RW T ]
5
In order to achieve sound simulation, we assume that part-
nering information is publicly computable (Brzuska et al.,
2011).
and
Pr[1 D(IW T
)] = Pr[A wins | t = IW T
]
From Equation 3 of SIM-BMP security we know the
following holds:
|Pr[A wins | t = RW T ]
Pr[A wins | t = IW T
]| negl(λ) (4)
The term Pr[A wins | t = RW T ] is actually the
probability of A winning on a perfectly simu-
lated IND-RoR experiment. In order to prove
SIM-BMP IND-RoR we have to show that
Pr[A wins | t = IW T
] n/(2 |pw|) + 1/2.
We proceed to analyze the term
Pr[A wins | t = IW T
]. Let γ be the event that
a successful test instance password query occurs
during the execution of B
interacting with R M
.
Let β be the complement of γ.
Claim 1: Pr(b = b
0
| β) = 1/2.
Proof. Given that β occurred, the sks placed in IW T
were generated according to the open and connect as-
signments of the start session query. Therefore, the
part of the IW T
used to answer As queries is in-
dependent of the hidden bit b so Pr(b = b
0
| β) =
1/2.
Claim 2: Pr(γ) n/|pw|.
Proof. For a single user instance, the probability of a
successful password guess by B
is 1/|pw|. We apply
the union bound, and get that if there are at most n
instances, Pr(γ) n/|pw|.
Using Claim 1 and Claim 2 we get:
Pr[A wins | IW T
] = Pr[β] · Pr
(b
0
= b) | β
+ Pr[γ] · Pr
(b
0
= b) | γ
1
2
+
n
2 · |pw|
(5)
We combine with Equation 4 and obtain:
Pr[A wins | RW T ]
1
2
+
n
2 · |pw|
+ negl(λ)
We get that, if SIM-BMP-security holds, then
PPT A Adv
RoR
P,pw
(A) n/|pw| + negl(λ), proving that
SIM-BMP IND-RoR.
Now we investigate the reverse, i.e. whether IND-
RoR security implies SIM-BMP security. We obtain
the following result:
Theorem 2. If P is not SIM-BPM secure, then A s.t.
Adv
RoR
P,pw
(A,n) > n
A
/|pw| + ω, where n
A
is the num-
ber of explicit password guesses of A and ω is a non-
negligible function of the security parameter.
SECRYPT 2017 - 14th International Conference on Security and Cryptography
158
Proof. We build A as the sequential composition of
two adversaries: A
1
and A
2
. First, A invokes A
1
. A
1
tries a number of online dictionary attacks. If one of
these is successful, then A can win the IND-RoR ex-
periment. If none of the online dictionary attacks is
successful, then A invokes A
2
. Next, we describe the
details of A
1
and A
2
.
i) Build A
1
. Let A
1
be an adversary who tries to im-
personate user U to user V n
A
times. Each time, A
1
chooses a new candidate password and runs the proto-
col with V . If one of the password guesses is success-
ful, then A
1
can win the IND-RoR experiment. By
construction,
Pr[A
1
wins] =
n
A
|pw|
(6)
ii) Build A
2
. We have assumed that SIM security does
not hold. Then B B
D s.t.:
|Pr[1 D(RW T )]Pr [1 D(IW T
)]| > ω ,
(7)
where ω is non-negligible term.
Let A
2
be an adversary in the IND-RoR experi-
ment which uses B and D as subroutine. The game
A
2
vs C H proceeds as follows:
At the beginning of the experiment, C H chooses
a bit b at random and outside A
2
s view.
A
2
uses B as subroutine and answers Bs queries
as follows: When B asks for initialize user, initial-
ize user instance or send queries, A
2
simply for-
wards them to her C H and its response (if any) is
forwarded back to B.
A
2
uses her test query to answer Bs application
queries. When B asks for an application of the
efficiently computable function f on sk
i
U
and a
global random string R, A
2
asks Test(U,i) to her
C H , obtains sk
i
U
, computes f (sk
i
U
,R) and sends
the result to B.
The game continues until B decides to stop. Let
n
B
be the number of instances initialized by B.
Bs actions produce a transcript t. Based on
whether b = 1 or b = 0 this is either a real-world or
ideal world transcript. Indeed, depending on the
bit b, Test(U,i) either returns the real session keys
or a random string. Therefore, when b = 1, A
2
can
perfectly simulate the R M to B and the transcript
produced is RW T . However, when b = 0, appli-
cation queries are computed with random strings,
in which case the transcript produced is IW T
.
Next, A
2
invokes D(t) and simply forwards Ds
output to C H .
By construction, A
2
wins whenever D is able to
distinguish real-world from ideal-world transcripts.
Therefore:
Pr[A
2
wins] = Pr[b = 1] · Pr [ 1 D(RW T ) ]
+ Pr[b = 0 ] · Pr [0 D(IW T
)] ,
which using Equation 7 gives:
Pr[A
2
wins] >
1
2
+ ω (8)
We build A as the sequential composition of A
1
and A
2
. It follows that:
Pr[A wins] = Pr [ A
1
wins] + Pr [ A
2
wins]
Pr[A
1
wins] · Pr [ A
2
wins],
which from Equations 6 and 8 yields:
Pr[A wins] >
n
A
2 · pw
+
1
2
+ ω
Adv
RoR
P,pw
(A) >
n
A
pw
+ ω , (9)
where ω is a non-negligible function.
Unfortunately, Theorem 2 is not enough to prove
that IND-RoR SIM-BMP. The reason is that the
total number of instances initialized by A is n
A
+ n
B
.
Therefore, proving by contradiction that IND-RoR
SIM-BMP would require Adv
RoR
P,pw
(A) > (n
A
+
n
B
)/pw + ω.
We recall from Section 3 that there are two ways
to take account of online dictionary attacks in SIM-
based security models for PAKEs:
1. Include a test instance password query in IW
and require computational indistinguishability of
RW T and IW T
.
2. Do not include a test instance password in IW but
allow a non-negligible bound on the distinguisha-
bility of RW T and IW T
.
The original SIM-BMP model follows the first
style. Now we modify it to follow the second style.
We call the modified model SIM-BMP’. The only
changes are the following:
1. Remove the test instance password query from
IW in SIM-BMP.
2. Relax the requirement of indistinguishability be-
tween real and ideal world.
SIM-BMP’ Security. Protocol P is SIM-BMP’ se-
cure if for all adversaries B, there exits an Ideal World
adversary B
such that for all distinguishers D:
|Pr[1 D(RW T )] Pr [ 1 D(IW T
)]|
n
|pw|
+ negl(λ) (10)
Next, we show that IND-RoR security implies
SIM-BMP’ security.
On the Relation Between SIM and IND-RoR Security Models for PAKEs
159
Theorem 3. (IND-RoR Security SIM-BMP’ Secu-
rity). If protocol P is secure in the IND-RoR model,
then P is also secure in the SIM-BMP’ model.
Proof. This is a proof by contradiction and the strat-
egy is similar to the one employed in Theorem 2.
We assume that SIM-BMP’ security does not
hold. Then B B
D s.t.:
|Pr[1 D(RW T )] Pr [ 1 D(IW T
)]|
>
n
|pw|
+ ω , (11)
where n is an upper bound on the number of sessions
initialized and ω is non-negligible function.
Then, we build an adversary A using B and D
as subroutines such that A breaks IND-RoR security.
We construct A from B and D in exactly the same
way as we built A
2
from B and D in the proof of
Theorem 2.
Using the same analysis as in the proof of Theo-
rem 2, we get:
Pr[A wins] = Pr [ b = 1 ] · Pr[1 D(RW T )]
+ Pr[b = 0 ] · Pr [0 D(IW T
)] ,
which using Equation 11 gives:
Pr[A wins] =
1
2
+
n
2 · |pw|
+ ω ,
And finally from Equation 1:
Adv
RoR
P,pw
(A) >
n
|pw|
+ ω
but ω is not negligible, a contradiction.
We investigate the reverse, i.e. whether SIM-
BMP’ security implies IND-RoR security. We obtain
the following results:
Theorem 4. (SIM-BMP’ Security IND-RoR Secu-
rity). If protocol P is SIM-BMP’ secure, then for all
PPT A, Adv
RoR
P,pw
(A) 2 · n/|pw| + negl(λ).
Proof. We follow the same argument as in the proof
of Theorem 1 up to Equation 4, which we simply up-
date according to the SIM-BMP’ security definition
given in Equation 10. Hence:
|Pr[A wins | t = RW T ]Pr[A wins | t = IW T
]|
n
|pw|
+ negl(λ) (12)
It is easy to see that Pr[A wins | t = IW T
] =
1/2 since A cannot gain any information about the
hidden bit b. However, Pr[A wins | t = RW T ] =
1/2 + 1/2 · Adv
RoR
P,pw
(A) as result of A running on a
perfectly simulated IND-RoR experiment. Following
Equation 12 we obtain:
Adv
RoR
P,pw
(A)
2 · n
|pw|
+ negl(λ)
The guarantee A, Adv
RoR
P,pw
(A)
2·n
|pw|
+ negl(λ)
means that protocol P satisfies the definition of IND-
RoR security (Definition 1) with parameter k = 2. A
similar factor of 2 appears in the reduction used in
(Abdalla et al., 2005) to prove that IND-RoR security
implies IND-FtG security.
Using the results of Theorem 1 and Theorem 3,
as well as the known relation IND-RoR IND-
FtG (Abdalla et al., 2005), we obtain the following
corollary:
Corollary 1. The following relations hold
SIM-BMP Security IND-FtG Security
SIM-BMP Security SIM-BMP’ Security
The question of whether SIM-BMP’ Security
SIM-BMP Security remains open. Note SIM-BMP’
SIM-BMP would imply that the three security no-
tions IND-RoR, SIM-BPM and SIM-BMP’ are equiv-
alent.
5 CONCLUSION AND FUTURE
WORK
Although PAKE is a widely studied primitive and
found in real-world security protocols, a clear relation
between its major security notions (IND and SIM)
was missing in the literature. In this work, we aimed
at filling this gap. We have summarized the relations
obtained in this paper in Figure 2.
During our work on this topic, we identified some
delicate definitional issues veiled under the many sub-
tleties of the security notions for PAKE. Among them,
we mention that in previous works the advantage of
an IND-RoR attacker is formulated according to pa-
rameter n, which represents the number of instances
created by such adversary. As nothing else is said
about n, we interpret it as the worst-case number of
instances created by the adversary. Note that such
naive definition does not specify or take into account
the fact that the adversary’s strategy is randomized,
and thus n may be a randomized function as well. For
instance, an adversary could create a large number
of instances with negligible probability making the
bound on its advantage grow. Another related issue is
about the password correlation between the instances.
We leave the quest for a more precise definition that
SECRYPT 2017 - 14th International Conference on Security and Cryptography
160
would take into account the above-mentioned remarks
for future work.
SIMBMP
0
INDRoR SIMBMP
INDFtG SIMUC
Figure 2: Relation between PAKE security definitions. In
dashed arrows are the new results of this paper.
ACKNOWLEDGEMENTS
We are especially grateful to Jean Lancrenon for all
his suggestions and fruitful discussions. This work
was supported by the Luxembourg National Research
Fund (CORE project AToMS and CORE Junior grant
no. 11299247).
REFERENCES
Abdalla, M., Benhamouda, F., and MacKenzie, P. (2015).
Security of the J-PAKE Password Authenticated Key
Exchange Protocol. In 2015 IEEE Symposium on Se-
curity and Privacy, SP 2015, pages 571–587. IEEE
Computer Society.
Abdalla, M., Fouque, P., and Pointcheval, D. (2005).
Password-Based Authenticated Key Exchange in the
Three-Party Setting. In Vaudenay, S., editor, Public-
Key Cryptography PKC 2005, volume 3386 of
LNCS, pages 65–84. Springer.
Bellare, M., Canetti, R., and Krawczyk, H. (1998). A Mod-
ular Approach to the Design and Analysis of Authen-
tication and Key Exchange Protocols. In Vitter, J. S.,
editor, Proceedings of the Thirtieth Annual ACM Sym-
posium on the Theory of Computing, STOC ’98, pages
419–428. ACM.
Bellare, M., Pointcheval, D., and Rogaway, P. (2000).
Authenticated Key Exchange Secure Against Dictio-
nary Attacks. In Advances in Cryptology EURO-
CRYPT 2000, volume 1807 of LNCS, pages 139–155.
Springer.
Bellare, M. and Rogaway, P. (1993). Entity Authentication
and Key Distribution. In Stinson, D. R., editor, Ad-
vances in Cryptology CRYPTO 1993, volume 773
of LNCS, pages 232–249. Springer.
Bellare, M. and Rogaway, P. (1995). Provably Secure
Session Key Distribution: the three party case. In
Leighton, F. T. and Borodin, A., editors, Proceedings
of the Twenty-Seventh Annual ACM Symposium on
Theory of Computing, STOC ’95, pages 57–66. ACM.
Bellovin, S. M. and Merritt, M. (1992). Encrypted Key
Exchange: Password-Based Protocols Secure Against
Dictionary Attacks. In 1992 IEEE Symposium on Re-
search in Security and Privacy, SP 1992, pages 72–84.
Blake-Wilson, S. and Menezes, A. (1997). Entity Authen-
tication and Authenticated Key Transport Protocols
Employing Asymmetric Techniques. In Christianson,
B., Crispo, B., Lomas, T. M. A., and Roe, M., edi-
tors, Security Protocols, 5th International Workshop,
volume 1361 of LNCS, pages 137–158. Springer.
Boyko, V., MacKenzie, P. D., and Patel, S. (2000). Provably
Secure Password-Authenticated Key Exchange Using
Diffie-Hellman. In Preneel, B., editor, Advances in
Cryptology EUROCRYPT 2000, volume 1807 of
LNCS, pages 156–171. Springer.
Brzuska, C., Fischlin, M., Warinschi, B., and Williams,
S. C. (2011). Composability of Bellare-Rogaway Key
Exchange Protocols. In Chen, Y., Danezis, G., and
Shmatikov, V., editors, Proceedings of the 18th ACM
Conference on Computer and Communications Secu-
rity, CCS 2011, pages 51–62. ACM.
Canetti, R. (2001). Universally Composable Security: A
New Paradigm for Cryptographic Protocols. In 42nd
Annual Symposium on Foundations of Computer Sci-
ence, FOCS 2001, pages 136–145. IEEE Computer
Society.
Canetti, R., Halevi, S., Katz, J., Lindell, Y., and MacKen-
zie, P. D. (2005). Universally Composable Password-
Based Key Exchange. In Cramer, R., editor, Advances
in Cryptology EUROCRYPT 2005, volume 3494 of
LNCS, pages 404–421. Springer.
Canetti, R. and Krawczyk, H. (2001). Analysis of Key-
Exchange Protocols and Their Use for Building Se-
cure Channels. In Pfitzmann, B., editor, Advances
in Cryptology - EUROCRYPT 2001, volume 2045 of
LNCS, pages 453–474. Springer.
Canetti, R. and Krawczyk, H. (2002). Universally Com-
posable Notions of Key Exchange and Secure Chan-
nels. In Knudsen, L. R., editor, Advances in Cryp-
tology - EUROCRYPT 2002, volume 2332 of LNCS,
pages 337–351. Springer.
Clarke, D. and Hao, F. (2014). Cryptanalysis of the Dragon-
fly Key Exchange Protocol. IET Information Security,
8(6):283–289.
Cremers, C. (2011). Examining Indistinguishability-based
Security Models for Key Exchange Protocols: the
case of CK, CK-HMQV, and eCK. In Proceedings
of the 6th ACM Symposium on Information, Computer
and Communications Security, ASIACCS 2011, pages
80–91. ACM.
Goldreich, O. and Lindell, Y. (2001). Session-Key Gen-
eration Using Human Passwords Only. In Kilian, J.,
editor, Advances in Cryptology CRYPTO 2001, vol-
ume 2139 of LNCS, pages 408–432. Springer.
IEEE P1363.2 (2002). Standard Specifications for
Password-Based Public Key Cryptographic Tech-
niques. Standard, IEEE Standards Association, Pis-
cataway, NJ, USA.
ISO/IEC 11770-4:2006 (2009). ISO/IEC 11770-4:2006/cor
1:2009, Information Technology Security tech-
niques Key Management Part 4: Mechanisms
On the Relation Between SIM and IND-RoR Security Models for PAKEs
161
Based on Weak Secrets. Standard, International Or-
ganization for Standardization, Gen
`
eve, Switzerland.
Jablon, D. P. (1996). Strong Password-Only Authenticated
Key Exchange. ACM SIGCOMM Computer Commu-
nication Review, 26(5):5–26.
Jager, T., Kohlar, F., Sch
¨
age, S., and Schwenk, J. (2012).
On the security of TLS-DHE in the standard model. In
Safavi-Naini, R. and Canetti, R., editors, Advances in
Cryptology - CRYPTO 2012, volume 7417 of LNCS,
pages 273–293. Springer.
Katz, J., Ostrovsky, R., and Yung, M. (2001). Effi-
cient Password-Authenticated Key Exchange Using
Human-Memorable Passwords. In Pfitzmann, B., ed-
itor, Advances in Cryptology EUROCRYPT 2001,
volume 2045 of LNCS, pages 475–494. Springer.
LaMacchia, B. A., Lauter, K. E., and Mityagin, A. (2007).
Stronger Security of Authenticated Key Exchange. In
Susilo, W., Liu, J. K., and Mu, Y., editors, Prov-
able Security, First International Conference, ProvSec
2007, volume 4784 of LNCS, pages 1–16. Springer.
Lancrenon, J., Skrobot, M., and Tang, Q. (2016). Two
More Efficient Variants of the J-PAKE Protocol. In
Manulis, M., Sadeghi, A., and Schneider, S., editors,
Applied Cryptography and Network Security ACNS
2016, volume 9696 of LNCS, pages 58–76. Springer.
MacKenzie, P. (2001). On the Security of the
SPEKE Password-Authenticated Key Exchange Pro-
tocol. Cryptology ePrint Archive, Report 2001/057.
http://eprint.iacr.org/2001/057.
MacKenzie, P. D., Patel, S., and Swaminathan, R. (2000).
Password-Authenticated Key Exchange Based on
RSA. In Advances in Cryptology - ASIACRYPT 2000,
LNCS, pages 599–613. Springer.
Nam, J., Choo, K. R., Paik, J., and Won, D. (2013). An
Offline Dictionary Attack against a Three-Party Key
Exchange Protocol. IACR Cryptology ePrint Archive,
2013:666. http://eprint.iacr.org/2013/666.
Nguyen, M. and Vadhan, S. P. (2008). Simpler Session-
Key Generation from Short Random Passwords. J.
Cryptology, 21(1):52–96.
Pointcheval, D. (2012). Password-Based Authenticated
Key Exchange. In Fischlin, M., Buchmann, J. A.,
and Manulis, M., editors, Public Key Cryptography
- PKC 2012, volume 7293 of LNCS, pages 390–397.
Springer.
Shoup, V. (1999). On Formal Models for Secure Key Ex-
change. Cryptology ePrint Archive, Report 1999/012.
http://eprint.iacr.org/1999/012.
SECRYPT 2017 - 14th International Conference on Security and Cryptography
162