[Resource Topic] 2020/313: Security analysis of SPAKE2+

Welcome to the resource topic for 2020/313

Title:
Security analysis of SPAKE2+

Authors: Victor Shoup

Abstract:

We show that a slight variant of Protocol SPAKE2+, which was presented but not analyzed in Cash, Kiltz, and Shoup (2008), is a secure asymmetric password-authenticated key exchange protocol (PAKE), meaning that the protocol still provides good security guarantees even if a server is compromised and the password file stored on the server is leaked to an adversary. The analysis is done in the UC framework (i.e., a simulation-based security model), under the computational Diffie-Hellman (CDH) assumption, and modeling certain hash functions as random oracles. The main difference between our variant and the original Protocol SPAKE2+ is that our variant includes standard key confirmation flows; also, adding these flows allows some slight simplification to the remainder of the protocol. Along the way, we also: provide the first proof (under the same assumptions) that a slight variant of Protocol SPAKE2 from Abdalla and Pointcheval (2005) is a secure symmetric PAKE in the UC framework (previous security proofs were all in the weaker BPR framework of Bellare, Pointcheval, and Rogaway (2000)); provide a proof (under very similar assumptions) that a variant of Protocol SPAKE2+ that is currently being standardized is also a secure asymmetric PAKE; repair several problems in earlier UC formulations of secure symmetric and asymmetric PAKE.

ePrint: https://eprint.iacr.org/2020/313

Talk: https://www.youtube.com/watch?v=IAUhBRr8Rgc

Slides: https://iacr.org/submit/files/slides/2020/tcc/tcc2020/245/slides.pdf

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.