[Resource Topic] 2022/1607: A Universally Composable PAKE with Zero Communication Cost (And Why It Shouldn't Be Considered UC-Secure)

Welcome to the resource topic for 2022/1607

A Universally Composable PAKE with Zero Communication Cost (And Why It Shouldn’t Be Considered UC-Secure)

Authors: Lawrence Roy, Jiayu Xu


A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to agree upon a cryptographic key, when the only information shared in advance is a low-entropy password. The standard security notion for PAKE (Canetti et al., Eurocrypt 2005) is in the Universally Composable (UC) framework. We show that unlike most UC security notions, UC PAKE does not imply correctness. While Canetti et al. seems to have implicitly noticed this issue, it has yet to be explicitly identified by the PAKE literature. We present a comprehensive study of correctness in UC PAKE:

  1. We show that TrivialPAKE, a no-message protocol that does not satisfy correctness, is a UC PAKE;
  2. We propose nine approaches to guaranteeing correctness in the UC security notion of PAKE, and show that seven of them are equivalent, whereas the other two are unachievable;
  3. We prove that a direct solution, namely changing the UC PAKE functionality to incorporate correctness, is impossible;
  4. Finally, we show how to naturally incorporate correctness by changing the model — we view PAKE as a three-party protocol, with the man-in-the-middle adversary as the third party.
    In this way, we hope to shed some light on the very nature of UC-security in the man-in-the-middle setting.

ePrint: https://eprint.iacr.org/2022/1607

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .