# Two-Round Password-Only Authenticated Key Exchange in the Three-Party Setting

## Abstract

We present the first provably-secure three-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. The protocol is proven secure in a variant of the widely-accepted model of Bellare, Pointcheval and Rogaway (2000) without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the two-round, three-party PAKE protocol of Wang, Hu and Li (2010) and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.

## 1. Introduction

Protocols for password-only authenticated key exchange (PAKE) enable two or more parties to generate a shared, cryptographically-strong key (called a session key) from their easy-to-remember passwords. PAKE protocols are increasingly popular, perhaps because passwords themselves remain so: as Herley and van Oorschot observe, “despite countless attempts to dislodge passwords (in the past 20 years), they are more widely used and firmly entrenched than ever” [1]. An enormous amount of research effort has been expended on the design and analysis of PAKE protocols, and yet there are still worthwhile contributions to be made even in the simple scenario of two protocol participants (also known as clients) with an online trusted server. In such a three-party model, the server provides its registered clients with a centralized authentication service, which allows each client to remember and manage only a single password. Password guessing attacks (also known as dictionary attacks) present a more subtle threat in the three-party model than in the two-party model, as a malicious client can attempt to mount such an attack against another client; see [2–6].

It is generally considered that the design of secure, yet efficient key exchange protocols (including password-based protocols) is notoriously difficult, and performing a security analysis for such protocols is complicated and error-prone; see, e.g., [7–9]. The many vulnerabilities identified in published protocols have highlighted the importance of rigorous security proofs in a well-defined formal model. In the provable-security paradigm for key exchange protocols, a reductionist proof approach is adopted to show that an efficient algorithm for breaking the protocol implies an efficient algorithm for solving another problem believed to be (computationally) hard. A complete mathematical proof under a well-established cryptographic assumption offers a strong assurance to protocol implementers that the protocol in hand achieves the desired security properties. The provable-security paradigm for key exchange protocols was made popular by Bellare and Rogaway [10], who introduced the first formal model of adversary capabilities with an associated definition of session-key security. Since then, it has been standard practice for protocol designers to provide proofs of security for their protocols in a widely-accepted security model.

A number of three-party PAKE protocols have been proposed over the last decade [2,3,5,6,11–25]. Many of these protocols have never been proven secure in any model [3,13,17–21] and/or have been found to be vulnerable to some attack(s) [2,3,5,6,8,18–20,23,26–32]. Some protocols [2,11,12,15,23,24] have been proven secure only in a restricted model, in which the adversary is not allowed to corrupt protocol participants, and thus, no attacks by malicious clients can be captured.

Reducing the number of communication rounds is an important practical consideration in designing key exchange protocols. Adopting the usual convention in the three-party (and multi-party) setting, we let a round consist of all protocol messages that can be sent in parallel; note that messages in the same round cannot be dependent on one another. So far, there have been several two-round key exchange protocols presented in the three-party setting.

The protocols of [15,24] are the only two-round, three-party PAKE protocols published with a claimed security proof. (The two protocols presented by Lee and Hwang [23] can also run in two rounds, without key confirmation, but they are insecure in the presence of a malicious client [31]: both are susceptible to a man-in-the-middle attack as well as an offline dictionary attack.) However, both protocols of [15,24] were later found to be insecure against an active adversary, so their associated claims of provable security are invalid (see [2,8,32,33] and Section 3 of this paper).

The protocols of [34,35] were proven secure and require only two rounds, but these protocols assume a “hybrid” three-party setting where a server’s public key is required in addition to passwords.

The recent protocol of Tsai and Chang [30] can run in two rounds (without key confirmation), but this protocol only works in a hybrid setting that requires both a cryptographic key and a password pre-established between each client and the server (see [4,29,36–44] for other protocols designed to work in a hybrid setting).

Table 1 summarizes the security properties and known weaknesses of published two-round three-party PAKE protocols with (claimed) proofs of security. To the best of our knowledge, there exists no (provably) secure three-party PAKE protocol running in only two rounds.

The contributions of this paper are two-fold:

We present the first two-round, three-party PAKE protocol that is provably secure in a well-defined communication model; see Section 4. The communication model in which we work allows the adversary to corrupt protocol participants and, therefore, captures not only the notion of forward secrecy, but also attacks by malicious clients. We make no idealizing assumptions in our security proof. Similar to the protocols of [2,11,12,19,24], our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. If the underlying two-party protocol is round-optimal [45–47], then our three-party protocol runs in only two communication rounds.

We also present a previously unpublished flaw in an existing two-round, three-party PAKE protocol proposed by Wang, Hu and Li [24]; see Section 3.2. The Wang–Hu–Li protocol (named NWPAKE-2) was claimed to be provably secure in a variant of the Real-Or-Random (ROR) model. We reveal that the NWPAKE-2 protocol fails to achieve implicit key authentication in the presence of an active adversary who is not even registered with the server, which invalidates the “claimed” security proof.

The remainder of this paper is structured as follows: Section 2 describes a communication model along with the associated security definition. In Section 3, we revisit the NWPAKE-2 protocol of Wang, Hu and Li [24] and reveal a previously unpublished flaw in the protocol. We then present our proposed two-round, three-party PAKE protocol and prove its security in Section 4. The last section concludes the paper.

## 2. The Communication Model

We now describe a communication model adapted from the widely-accepted indistinguishability-based model of Bellare, Pointcheval and Rogaway [45]. This will be the model that is used to prove the security of our proposed three-party PAKE protocol.

#### 2.1. Participants and Long-Term Keys

Let S be a trusted authentication server and $\mathcal{C}$ the set of all clients registered with S. During registration, each client $C\in \mathcal{C}$ selects a password pw_{C} from a dictionary $\mathcal{D}$ and shares pw_{C} with S via a secure/authenticated channel. The password pw_{C} is used as the long-term secret key between C and S. Any two clients $C, {C}^{\prime}\in \mathcal{C}$ may run a three-party PAKE protocol π with S at any point in time to establish a session key. Let $\mathcal{U}=\mathcal{C}\cup \{S\}$. A user $U\in \mathcal{U}$ may execute the protocol multiple times (including concurrent executions) with the same or different participants, so a single user may have many instances at any point in time. We denote instance i of user U by ${\Pi}_{U}^{i}$. We say that a client instance ${\Pi}_{C}^{i}$ accepts when it successfully computes its session key $s{k}_{C}^{i}$ in an execution of the protocol.

#### 2.2. Partnering

Intuitively, two instances are partners if they participate in a protocol execution and establish a (shared) session key. Formally, partnering between instances is defined in terms of the notions of session identifiers and partner identifiers (see [48] on the role and the possible construct of session and partner identifiers as a form of partnering mechanism that enables the right session key to be identified in concurrent protocol executions). A session identifier (sid) is a string that uniquely identifies a protocol session and is usually defined as a function of the messages transmitted in the session. Let $si{d}_{U}^{i}$ denote the sid of instance ${\Pi}_{U}^{i}$. A partner identifier (pid) is a sequence of identities of participants of a specific protocol session. Instances are given as input a pid before they can run the protocol. $pi{d}_{U}^{i}$denotes the pid given to instance ${\Pi}_{U}^{i}$. In a typical session, there will be three participants, namely two clients C and C′ and the server S. We say that two instances ${\Pi}_{C}^{i}$ and ${\Pi}_{{C}^{\prime}}^{j}$ are partners if all of the following conditions are satisfied: (1) both ${\Pi}_{C}^{i}$ and ${\Pi}_{{C}^{\prime}}^{j}$ have accepted; (2) $si{d}_{C}^{i}=si{d}_{{C}^{\prime}}^{j}$; and (3) $pi{d}_{C}^{i}=pi{d}_{{C}^{\prime}}^{j}$.

#### 2.3. Adversary Capabilities

The probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ is in complete control of all communications between users, and its capabilities are modeled via a pre-defined set of oracle queries, as described below.

Execute( ${\Pi}_{C}^{i}$, ${\Pi}_{{C}^{\prime}}^{j}$, ${\Pi}_{S}^{k}$): This query models passive attacks against the protocol. It prompts an execution of the protocol between the instances ${\Pi}_{C}^{i}$, ${\Pi}_{{C}^{\prime}}^{j}$ and ${\Pi}_{S}^{k}$ and returns the transcript of the protocol execution to $\mathcal{A}$.

Send( ${\Pi}_{U}^{i}$, m): This query sends a message m to instance ${\Pi}_{U}^{i}$, modeling active attacks against the protocol. Upon receiving m, the instance ${\Pi}_{U}^{i}$ proceeds according to the protocol specification. The message output by ${\Pi}_{U}^{i}$, if any, is returned to $\mathcal{A}$. A query of the form Send( ${\Pi}_{C}^{i}$, start:(C, C′, S)) prompts ${\Pi}_{C}^{i}$ to initiate the protocol with $pi{d}_{C}^{i}=(C,\phantom{\rule{0.2em}{0ex}}C\prime ,\phantom{\rule{0.2em}{0ex}}S)$.

Reveal $({\Pi}_{C}^{i})$: This query captures the notion of known key security (it is often reasonable to suppose that the adversary can obtain session keys from any sessions other than the one under attack) and, if ${\Pi}_{C}^{i}$ has accepted, returns the session key $s{k}_{C}^{i}$ back to $\mathcal{A}$. However, this session (key) will be rendered unfresh (see Definition 1).

Corrupt(U): This query returns U’s password pw_{U} to $\mathcal{A}$. If U = S (i.e., the server is corrupted), all clients’ passwords stored by the server are returned. This query captures not only the notion of forward secrecy, but also attacks by malicious clients.

Test $({\Pi}_{C}^{i})$: This query is used to define the indistinguishability-based security of the protocol. If ${\Pi}_{C}^{i}$ has accepted, then depending on a randomly-chosen bit b, $\mathcal{A}$ is given either the real session key $s{k}_{C}^{i}$ (when b = 1) or a random key drawn from the session-key space (when b = 0). $\mathcal{A}$ may ask as many Test queries as it wishes. All Test queries are answered using the same value of the hidden bit b; that is, the keys output by the Test oracle are either all real or all random. However, we require that for each set of partnered instances, $\mathcal{A}$ access the Test oracle only once.

Although Execute and Reveal oracles can be simulated by accessing Send and Test oracles, respectively, multiple times, the former (i.e., Execute and Reveal oracles) often makes it easier to prove the security of protocols and to understand the proofs, and for this reason, we allow both Execute and Reveal queries in our model. The number of queries asked by an adversary is referred to as the query complexity of the adversary (Q) and is represented as an ordered sequence of five non-negative integers, Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test}). These five non-negative integers are the numbers of queries that the adversary asked, respectively, of the Execute, Send, Reveal, Corrupt and Test oracles.

#### 2.4. Security Definition

We define the security of a three-party PAKE protocol via the notion of freshness. Intuitively, a fresh instance is one that holds a session key that should not be known to the adversary $\mathcal{A}$, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. The formal definition of freshness is explained in Definition 1.

**Definition 1.** An instance ${\Pi}_{C}^{i}$ is fresh if none of the following occurs: (1) $\mathcal{A}$ queries Reveal$({\Pi}_{C}^{i})$ or Reveal$({\Pi}_{{C}^{\prime}}^{j})$, where ${\Pi}_{{C}^{\prime}}^{j}$ is the partner of ${\Pi}_{C}^{i}$; (2) $\mathcal{A}$ queries Corrupt(U), for some $U\in pi{d}_{C}^{i}$, before ${\Pi}_{C}^{i}$ or its partner ${\Pi}_{{C}^{\prime}}^{j}$ accepts.

The security of a three-party PAKE protocol π is defined in the context of the following experiment:

Experiment **Exp _{0}**:

Phase 1. $\mathcal{A}$ makes any oracle queries at will as many times as it wishes, except that:

$\mathcal{A}$ is not allowed to ask the Test $({\Pi}_{C}^{i})$ query if the instance ${\Pi}_{C}^{i}$ is unfresh.

$\mathcal{A}$ is not allowed to ask the Reveal $({\Pi}_{C}^{i})$ query if it has already made a Test query to ${\Pi}_{C}^{i}$ or ${\Pi}_{{C}^{\prime}}^{j}$, where ${\Pi}_{{C}^{\prime}}^{j}$ is the partner of ${\Pi}_{C}^{i}$.

Phase 2. Once $\mathcal{A}$ decides that Phase 1 is over, it outputs a bit b′ as a guess on the hidden bit b chosen by the Test oracle. $\mathcal{A}$ is said to succeed if b = b′.

Let Succ_{0} be the event that $\mathcal{A}$ succeeds in the experiment **Exp _{0}**. The advantage of $\mathcal{A}$ in breaking the security of the authenticated key exchange protocol π is ${\mathrm{Adv}}_{\pi}^{\mathrm{ake}}(\mathcal{A})=2\cdot {\mathrm{Pr}}_{\pi ,\mathcal{A}}[{\mathrm{Succ}}_{0}]-1$.

**Definition 2.** A three-party PAKE protocol π is AKE-secure if, for any PPT adversary $\mathcal{A}$ asking at most q_{send} Send queries, ${\mathrm{Adv}}_{\pi}^{\mathrm{ake}}(\mathcal{A})$ is only negligibly larger than c · q_{send}/|$\mathcal{D}$|, where c is a constant.

To represent the security of protocol π in terms of the amount of resources used by adversaries, we let ${\mathrm{Adv}}_{\pi}^{\mathrm{ake}}(t,Q)$ be defined as:

## 3. Revisiting Wang, Hu and Li’s (2010) NWPAKE-2 Protocol

Implicit key authentication is among the fundamental security properties that should be achieved by key exchange protocols. In this section, we show that the NWPAKE-2 protocol of Wang, Hu and Li [24] does not achieve implicit key authentication.

#### 3.1. Protocol Description

Assume two clients A and B who want to establish a session key, and let S be the trusted server with which A and B have shared their passwords pw_{A} and pw_{B}, respectively. The public parameters of the NWPAKE-2 protocol include: (1) a cyclic group $\mathbb{G}$ of prime order q and a generator g of $\mathbb{G}$; (2) a two-party PAKE protocol, 2PAKE; and (3) a pair of message authentication code (MAC) generation/verification algorithms (Mac, Ver), where Ver outputs a bit, with 1 meaning accept and 0 meaning reject. If the underlying two-party protocol, 2PAKE, is round-optimal, NWPAKE-2 completes in two communication rounds, as depicted in Figure 1. The protocol proceeds as follows:

**Step 1.** A and S establish a secret key k_{A} by running the two-party protocol, 2PAKE. Likewise, B and S establish a secret key k_{B}.

**Step 2.** A (resp. B) selects a random $x\in {\mathbb{Z}}_{q}^{*}$ (resp. $y\in {\mathbb{Z}}_{q}^{*}$) and sends X = g^{x} (resp. Y = g^{y}) to S.

**Step 3.** S chooses a random $z\in {\mathbb{Z}}_{q}^{*}$ and computes
$$\begin{array}{c}\overline{X}={X}^{z},\phantom{\rule{1em}{0ex}}\overline{Y}={Y}^{z}\\ {\rho}_{A}={\mathrm{Mac}}_{{k}_{A}}(X\Vert \overline{Y}\Vert B\Vert A),\phantom{\rule{1em}{0ex}}{\rho}_{B}={\mathrm{Mac}}_{{k}_{B}}(Y\Vert \overline{X}\Vert A\Vert B)\end{array}$$
S then sends $\langle \overline{Y},{\rho}_{A}\rangle$ to A and $\langle \overline{X},{\rho}_{B}\rangle$ to B.

**Step 4.** A and B abort if the received MAC is invalid. Otherwise, they compute their respective session keys, $s{k}_{A}={\overline{Y}}^{x}$ and $s{k}_{B}={\overline{X}}^{y}$.

At the end of the protocol execution, A and B hold the same session key sk_{A} = sk_{B} = g^{xyz}.

#### 3.2. Violating Implicit Key Authentication

We now assume that there exists an adversary C who is not registered with the server and demonstrate how C can easily violate the implicit key authentication property of NWPAKE-2.

1. C chooses a random ${x}^{\prime}\in {\mathbb{Z}}_{q}^{*}$, computes ${X}^{\prime}={g}^{{x}^{\prime}}$ and replaces X (sent by A to S) with X′.

2. Upon receipt of the replaced message, S computes $\overline{X}={{X}^{\prime}}^{z}$, and B’s verification of ${\rho}_{B}$ succeeds, since S computed ${\rho}_{B}$ over exactly the $\overline{X}$ that B receives. B’s session key $s{k}_{B}$ is therefore set to ${g}^{{x}^{\prime}yz}$.

3. C intercepts the message $\langle \overline{Y},{\rho}_{A}\rangle$ sent by S to A and computes $s{k}_{C}={\overline{Y}}^{{x}^{\prime}}={g}^{{x}^{\prime}yz}=s{k}_{B}$. In other words, C is able to compute B’s session key even though C is not B’s partner.

The design flaw exploited by the adversary is that the server S is given no means of authenticating the public values X and Y. Note that NWPAKE-2 exhibits this weakness no matter which protocol is used to instantiate 2PAKE. Wang, Hu and Li [24] provide a proof sketch for the security of NWPAKE-2 in a model that allows Send queries. Any protocol proven secure in such a model must be secure against the above attack, and therefore the security proof (sketch) for NWPAKE-2 is invalidated.

## 4. Our Proposed Protocol

This section presents our two-round, three-party PAKE protocol, which we denote 2R3PAKE (“R” is for round), and proves its security in the communication model described in Section 2. The 2R3PAKE protocol can be viewed as a combined variant of the NWPAKE-2 protocol of Wang, Hu and Li [24] and the 3PKD protocol of Bellare and Rogaway [49]. 2R3PAKE is generic in the sense that it can be constructed from any secure two-party PAKE protocol. Our generic construction takes only one round of communication in addition to the number of rounds required by the underlying two-party protocol. Hence, applying our construction to a round-optimal two-party PAKE protocol immediately yields a three-party PAKE protocol running in two communication rounds.

#### 4.1. Preliminaries

The security of 2R3PAKE is based on the decisional Diffie–Hellman assumption, the security of a message authentication code scheme, a two-party PAKE protocol, and a symmetric encryption scheme.

#### 4.1.1. Decisional Diffie–Hellman Assumption

Consider a cyclic group $\mathbb{G}$ of prime order q, and let g be a random generator of $\mathbb{G}$. Informally, the Decisional Diffie–Hellman (DDH) problem for $\mathbb{G}$ is to distinguish between the two distributions (g^{a}, g^{b}, g^{ab}) and (g^{a}, g^{b}, g^{c}), where a, b and c are chosen at random from ${\mathbb{Z}}_{q}^{*}$. We say that the DDH assumption holds in $\mathbb{G}$ if it is computationally intractable to solve the DDH problem for $\mathbb{G}$. More formally, we define the advantage of an algorithm $\mathcal{A}$ in solving the DDH problem for $\mathbb{G}$ to be
$${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A})=\left|\mathrm{Pr}[\mathcal{A}(\mathbb{G},\phantom{\rule{0.2em}{0ex}}g,\phantom{\rule{0.2em}{0ex}}{g}^{a},\phantom{\rule{0.2em}{0ex}}{g}^{b},\phantom{\rule{0.2em}{0ex}}{g}^{ab})=1]-\mathrm{Pr}[\mathcal{A}(\mathbb{G},\phantom{\rule{0.2em}{0ex}}g,\phantom{\rule{0.2em}{0ex}}{g}^{a},\phantom{\rule{0.2em}{0ex}}{g}^{b},\phantom{\rule{0.2em}{0ex}}{g}^{c})=1]\right|.$$
We say that the DDH assumption holds in $\mathbb{G}$ if ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A})$ is negligible for all PPT algorithms $\mathcal{A}$. ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}(t)$ denotes the maximum value of ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A})$ over all algorithms $\mathcal{A}$ running in time at most t. A typical way of generating a group $\mathbb{G}$ in which the DDH assumption is believed to hold is to select two primes p and q such that p = δq + 1 for some small δ ∈ ℕ (e.g., δ = 2), and let $\mathbb{G}$ be the subgroup of prime order q in ${\mathbb{Z}}_{p}^{*}$.

#### 4.1.2. Message Authentication Codes

A message authentication code (MAC) scheme Σ is a triple of efficient algorithms (Gen, Mac, Ver), where: (1) the key generation algorithm Gen takes as input a security parameter 1^{ℓ} and outputs a key k chosen uniformly at random from {0, 1}^{ℓ}; (2) the MAC generation algorithm Mac takes as input a key k and a message m and outputs a MAC (also known as a tag) σ; and (3) the MAC verification algorithm Ver takes as input a key k, a message m and a MAC σ and outputs 1 if σ is valid for m under k, or 0 if σ is invalid. Let ${\mathrm{Adv}}_{\Sigma}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{A})$ be the advantage of an adversary $\mathcal{A}$ in violating the strong existential unforgeability of Σ under an adaptive chosen message attack. More precisely, ${\mathrm{Adv}}_{\Sigma}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{A})$ is the probability that an adversary $\mathcal{A}$, who mounts an adaptive chosen message attack against Σ with oracle access to Mac_{k}(·) and Ver_{k}(·), outputs a message/tag pair (m, σ) such that: (1) Ver_{k}(m, σ) = 1; and (2) σ was not previously output by the oracle Mac_{k}(·) as a MAC on the message m. We say that the MAC scheme Σ is secure if ${\mathrm{Adv}}_{\Sigma}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{A})$ is negligible for every PPT adversary $\mathcal{A}$. Let ${\mathrm{Adv}}_{\Sigma}^{\mathrm{suf}-\mathrm{cma}}(t,{q}_{\mathrm{mac}},{q}_{\mathrm{ver}})$ denote the maximum value of ${\mathrm{Adv}}_{\Sigma}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{A})$ over all adversaries $\mathcal{A}$ running in time at most t and asking at most q_{mac} and q_{ver} queries to Mac_{k}(·) and Ver_{k}(·), respectively.

#### 4.1.3. Two-Party PAKE Protocols

2R3PAKE takes as input a two-party PAKE protocol, 2PAKE. We assume that 2PAKE outputs session keys distributed in {0, 1}^{n}, where n = 2ℓ, and is AKE-secure against an adversary who is given access to all of the oracles Execute, Send, Reveal, Corrupt and Test. Let ${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}(\mathcal{A})$ be the advantage of an adversary $\mathcal{A}$ at breaking the AKE security of 2PAKE. We require that, for any PPT adversary $\mathcal{A}$ asking at most q_{send} Send queries, ${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}(\mathcal{A})$ is only negligibly larger than ${q}_{\mathrm{send}}/|\mathcal{D}|$. ${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}(t,Q)$ denotes the maximum value of ${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}(\mathcal{A})$ over all adversaries $\mathcal{A}$ with time complexity at most t and query complexity at most Q.

#### 4.1.4. Symmetric Encryption Schemes

A symmetric encryption scheme Ω is a triple of efficient algorithms (Gen, Enc, Dec), where: (1) the key generation algorithm Gen takes as input a security parameter 1^{ℓ} and outputs a key k chosen uniformly at random from {0, 1}^{ℓ}; (2) the encryption algorithm Enc takes as input a key k and a plaintext message m and outputs a ciphertext c; and (3) the decryption algorithm Dec takes as input a key k and a ciphertext c and outputs a message m. We require that Dec_{k}(Enc_{k}(m)) = m holds for all k ∈ {0, 1}^{ℓ} and all m ∈ $\mathcal{M}$, where $\mathcal{M}$ is the plaintext space. For an eavesdropping adversary $\mathcal{A}$ against Ω and for a random bit b ∈_{R} {0, 1}, consider the following experiment, ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(\mathcal{A},\phantom{\rule{0.2em}{0ex}}b)$, where “ind-seav” denotes indistinguishability against a single eavesdropping:

For simplicity, we assume in this experiment that the security parameter 1^{ℓ} is implicit in the description of Ω. Note that in the experiment, the adversary $\mathcal{A}$ generates the plaintext pair (m_{0}, m_{1}) and is given the ciphertext c, which is the encryption of either m_{0} or m_{1}. Let ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(\mathcal{A})$ be the advantage of an eavesdropper $\mathcal{A}$ in breaking the indistinguishability of Ω, defined as:

We say that the symmetric encryption scheme Ω is secure (with respect to a single encryption) if ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(\mathcal{A})$ is negligible for every PPT adversary $\mathcal{A}$. We use ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(t)$ to denote the maximum value of ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(\mathcal{A})$ over all adversaries $\mathcal{A}$ running in time at most t.

We now claim that if a symmetric encryption scheme is secure with respect to a single encryption, then it is also secure with respect to multiple encryptions under different keys. For an integer n ≥ 1, consider the following experiment, ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$, where “ind-meav” denotes indistinguishability against multiple eavesdropping:

Then, we define ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A})$ and ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(t)$

**Lemma 1.** For any symmetric encryption scheme Ω,

**Proof.** Let $\mathcal{A}$ be a multiple eavesdropper attacking the indistinguishability of Ω, with advantage ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A})$ and time complexity t. The proof proceeds by a standard hybrid argument [50]. Consider a sequence of n + 1 hybrid experiments ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$, $0\le \xi \le n$, where each ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ differs from ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ only in that each c_{i} is set as follows:

The experiments ${\mathrm{Exp}}_{\mathrm{\Omega},0}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ and ${\mathrm{Exp}}_{\mathrm{\Omega},n}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ at the extremes of the sequence are identical to ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},0,n)$ and ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},1,n)$, respectively. As we move from ${\mathrm{Exp}}_{\mathrm{\Omega},\xi -1}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ to ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ in the sequence, we change the ξ-th ciphertext c_{ξ} from the encryption of m_{0,ξ} to the encryption of m_{1,ξ}. Since there are n such moves from ${\mathrm{Exp}}_{\mathrm{\Omega},0}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ to ${\mathrm{Exp}}_{\mathrm{\Omega},n}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$, the inequality of the lemma follows immediately once we show that the difference between the probabilities that $\mathcal{A}$ outputs 1 in any two neighboring experiments ${\mathrm{Exp}}_{\mathrm{\Omega},\xi -1}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ and ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$ is at most ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(t)$. To complete the proof, it therefore suffices to show that for any $1\le \xi \le n$,

Let $\epsilon =|\mathrm{Pr}[{\mathrm{Exp}}_{\mathrm{\Omega},\xi -1}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},\phantom{\rule{0.2em}{0ex}}b,n)=1]-\mathrm{Pr}[{\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},\phantom{\rule{0.2em}{0ex}}b,n)=1]|$. We prove Equation (1) by constructing, from $\mathcal{A}$, a single eavesdropper ${\mathcal{A}}_{\xi}$ that breaks the indistinguishability of Ω with advantage ε and time complexity t.

${\mathcal{A}}_{\xi}$ begins by invoking adversary $\mathcal{A}$, then proceeds to simulate the indistinguishability experiment for $\mathcal{A}$ and, finally, outputs whatever bit $\mathcal{A}$ eventually outputs. In the simulated experiment, ${\mathcal{A}}_{\xi}$ generates the ciphertexts exactly as in the hybrid experiment ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$, except that it generates the ξ-th ciphertext c_{ξ} as follows:

When $\mathcal{A}$ outputs the ξ-th plaintext pair (m_{0,ξ}, m_{1,ξ}), ${\mathcal{A}}_{\xi}$ outputs this as its own plaintext pair in experiment ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}({\mathcal{A}}_{\xi},b)$, receives in return a ciphertext c and sets c_{ξ} = c.

It follows that: (1) the probability that ${\mathcal{A}}_{\xi}$ outputs 1 when the given ciphertext c is the encryption of m_{0,ξ} is equal to the probability that $\mathcal{A}$ outputs 1 in the experiment ${\mathrm{Exp}}_{\mathrm{\Omega},\xi -1}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$; and (2) the probability that ${\mathcal{A}}_{\xi}$ outputs 1 when the given ciphertext c is the encryption of m_{1,ξ} is equal to the probability that $\mathcal{A}$ outputs 1 in the experiment ${\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)$.

This means that:

Since ${\mathcal{A}}_{\xi}$ has time complexity t, it follows that ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}({\mathcal{A}}_{\xi})\le {\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(t)$ by definition. This completes the proof of Equation (1) and, hence, the proof of Lemma 1. □
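The telescoping step that the proof relies on (“since there are n such moves”), written out with the hybrid experiments above. This derivation is added here for the reader and is not part of the paper; it assumes, since the definition does not survive on this page, that ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A})$ is the absolute difference between the probabilities that $\mathcal{A}$ outputs 1 in ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},1,n)$ and in ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},0,n)$, in the same form as ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}$ in Section 4.1.1. Writing $P_{\xi}=\mathrm{Pr}[{\mathrm{Exp}}_{\mathrm{\Omega},\xi}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A},b,n)=1]$, so that $P_{0}$ and $P_{n}$ are the acceptance probabilities of the b = 0 and b = 1 experiments:

$$\begin{aligned}
{\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}(\mathcal{A})
&=\left|P_{n}-P_{0}\right|
=\left|\sum_{\xi =1}^{n}\left(P_{\xi}-P_{\xi -1}\right)\right|\\
&\le \sum_{\xi =1}^{n}\left|P_{\xi}-P_{\xi -1}\right|
\le \sum_{\xi =1}^{n}{\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(t)
=n\cdot {\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}(t),
\end{aligned}$$

where the first inequality is the triangle inequality and the second is Equation (1), established by the reduction to ${\mathcal{A}}_{\xi}$ above. The factor n is the price of the hybrid argument: the multi-key bound degrades linearly in the number of ciphertexts the adversary sees.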

#### 4.2. The 2R3PAKE Protocol

We assume that the following information has been pre-established and is known to all parties in the network: (1) a cyclic group $\mathbb{G}$ of prime order q and a generator g of $\mathbb{G}$; (2) a MAC scheme Σ = (Gen, Mac, Ver); (3) a two-party PAKE protocol 2PAKE; and (4) a symmetric encryption scheme Ω = (Gen, Enc, Dec). These public parameters can be determined by the server and broadcast to all registered clients. Let A and B be two clients who wish to establish a session key, and S the trusted server with which A and B have registered their passwords pw_{A} and pw_{B}, respectively. The partner identifier assigned to (an instance of) A (resp. B) is pid_{A} (resp. pid_{B}). Recall that a pid is a sequence of identities of protocol participants; for simplicity, we assume that pid_{A} = pid_{B} = (A, B, S). Our 2R3PAKE protocol is depicted in Figure 2 and proceeds as follows:

**Step 1.** A (resp. B) selects a random $x\in {\mathbb{Z}}_{q}^{*}$ (resp. $y\in {\mathbb{Z}}_{q}^{*}$), computes X = g^{x} (resp. Y = g^{y}) and sends 〈A, pid_{A}, X〉 (resp. 〈B, pid_{B}, Y〉) to S.

**Step 2.** A and S establish a 2ℓ-bit key k_{A} by running the two-party protocol, 2PAKE. Likewise, B and S establish a 2ℓ-bit key k_{B}. Let ${k}_{A}={k}_{A}^{enc}\Vert {k}_{A}^{mac}$ and ${k}_{B}={k}_{B}^{enc}\Vert {k}_{B}^{mac}$.

**Step 3.** A computes ${\sigma}_{A}={\mathrm{Mac}}_{{k}_{A}^{mac}}(A\Vert pi{d}_{A}\Vert X)$ and sends 〈A, σ_{A}〉 to S. Similarly, B computes ${\sigma}_{B}={\mathrm{Mac}}_{{k}_{B}^{mac}}(B\Vert pi{d}_{B}\Vert Y)$ and sends 〈B, σ_{B}〉 to S.

**Step 4.** S sets pid_{S} = pid_{A}, chooses a random $z\in {\mathbb{Z}}_{q}^{*}$ and computes

S then sends 〈S, α_{A}, α_{B}, ρ_{A}〉 and 〈S, α_{A}, α_{B}, ρ_{B}〉 to A and B, respectively.

**Step 5.** A sets the session identifier sid_{A} = α_{A}║α_{B} and verifies that ${\mathrm{Ver}}_{{k}_{A}^{mac}}(S\Vert pi{d}_{A}\Vert si{d}_{A},{\rho}_{A})=1$. If the verification fails, A aborts the protocol. Otherwise, A recovers $\overline{Y}={\mathrm{Dec}}_{{k}_{A}^{enc}}({\alpha}_{A})$ and computes the session key $s{k}_{A}={\overline{Y}}^{x}$. B proceeds correspondingly: it aborts if ${\mathrm{Ver}}_{{k}_{B}^{mac}}(S\Vert pi{d}_{B}\Vert si{d}_{B},{\rho}_{B})=0$, where sid_{B} = α_{A}║α_{B}, and otherwise computes $\overline{X}={\mathrm{Dec}}_{{k}_{B}^{enc}}({\alpha}_{B})$ and $s{k}_{B}={\overline{X}}^{y}$.

**Step 6.** S checks that ${\mathrm{Ver}}_{{k}_{A}^{mac}}(A\Vert pi{d}_{S}\Vert X,{\sigma}_{A})=1$. If the check fails, S marks this transaction as invalid. S checks the validity of σ_{B} in the same way. (To prevent online dictionary attacks, in which the attacker verifies each password guess via an online transaction with the server, as opposed to offline dictionary attacks, where guesses can be verified offline, S may lock out a problematic client after a certain number of invalid transactions.)

Steps 1 and 2 constitute the first round of communication, while Steps 3 and 4 constitute the second communication round. It is easy to see that in the presence of a passive adversary, A and B will compute session keys of the same value g^{xyz}. We do not require 2PAKE to be instantiated with a protocol that provides either unilateral or mutual authentication, as 2R3PAKE already provides mutual authentication between the server and the clients (via the MAC values exchanged in the second round). Hence, any two-party protocol that provides implicit key authentication, including one-round protocols, will be a suitable candidate to instantiate 2PAKE. We emphasize that sending $\overline{X}$ and $\overline{Y}$ in an encrypted form is necessary for the security of the protocol, as evidenced by the flaws discovered in previous two-round PAKE protocols (see Section 3 and [32]).
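The message flow of Steps 1 to 6, as an added Python walk-through that is not the paper's code: the group parameters are toy values, HMAC-SHA256 stands in for the MAC scheme Σ and for the keystream of Ω, the 2PAKE run is replaced by a stub that hands both sides the same random 2ℓ-bit key, and the Step 4 equations (not reproduced on this page) are reconstructed from Step 5 and Experiment Exp_{4}. The run also exercises the Step 5 abort when α_{A} is modified in transit, which is what the MAC over sid = α_{A}║α_{B} is there to catch.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this example only (a deployment would use a
# standardised prime-order group of 2048+ bits).  p = 2q + 1 with q prime, so
# the quadratic residues modulo p form the cyclic group G of prime order q.
P, Q, G = 1019, 509, 4      # g = 2^2 is a quadratic residue, hence has order q
ELL = 16                    # ell in bytes: 2PAKE yields a 2*ell-byte key k_enc || k_mac
ELEM_LEN = 2                # bytes needed to encode an element of Z_p at this toy size
NONCE_LEN = 16

def encode(*parts):
    """Length-prefixed concatenation, the '||' of the paper, for MAC inputs."""
    out = b""
    for p in parts:
        p = p if isinstance(p, bytes) else str(p).encode()
        out += len(p).to_bytes(4, "big") + p
    return out

def mac(k_mac, msg):
    """Stand-in for Mac_k(.) of the MAC scheme Sigma (HMAC-SHA256 assumed)."""
    return hmac.new(k_mac, msg, hashlib.sha256).digest()

def ver(k_mac, msg, tag):
    """Stand-in for Ver_k(., .), with a constant-time tag comparison."""
    return hmac.compare_digest(mac(k_mac, msg), tag)

def enc(k_enc, elem):
    """Stand-in for Enc of Omega: fresh nonce, one-block HMAC keystream XORed in."""
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = mac(k_enc, nonce)[:ELEM_LEN]
    return nonce + bytes(a ^ b for a, b in zip(elem.to_bytes(ELEM_LEN, "big"), pad))

def dec(k_enc, ct):
    """Inverse of enc: recover the group element from nonce || masked bytes."""
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    pad = mac(k_enc, nonce)[:len(body)]
    return int.from_bytes(bytes(a ^ b for a, b in zip(body, pad)), "big")

def two_pake():
    """Stand-in for one 2PAKE run between a client and S (Step 2): 2R3PAKE is generic
    in the 2PAKE used, so only its outcome is modelled, split as (k_enc, k_mac)."""
    k = secrets.token_bytes(2 * ELL)
    return k[:ELL], k[ELL:]

def client_round1(ident, pid):
    """Step 1: pick x in Z_q^* and send <ident, pid, X = g^x>."""
    x = secrets.randbelow(Q - 1) + 1
    return x, (ident, pid, pow(G, x, P))

def client_round2(ident, pid, x_pub, k_mac):
    """Step 3: sigma = Mac_{k_mac}(ident || pid || X), sent as <ident, sigma>."""
    return ident, mac(k_mac, encode(ident, pid, x_pub))

def server_round2(pid, key_a, key_b, x_pub, y_pub):
    """Step 4: S picks z, raises X and Y to z, encrypts each for the *other* client and
    MACs S || pid || sid with sid = alpha_A || alpha_B (reconstructed from Step 5/Exp_4)."""
    z = secrets.randbelow(Q - 1) + 1
    x_bar, y_bar = pow(x_pub, z, P), pow(y_pub, z, P)
    alpha_a = enc(key_a[0], y_bar)          # A needs Y^z to form (Y^z)^x
    alpha_b = enc(key_b[0], x_bar)          # B needs X^z to form (X^z)^y
    sid = alpha_a + alpha_b
    rho_a = mac(key_a[1], encode("S", pid, sid))
    rho_b = mac(key_b[1], encode("S", pid, sid))
    return z, ("S", alpha_a, alpha_b, rho_a), ("S", alpha_a, alpha_b, rho_b)

def client_finish(pid, exponent, key, msg, is_first):
    """Step 5: check rho over S || pid || sid, then decrypt the masked peer value and
    derive sk = (peer^z)^exponent.  Returns None when the client aborts."""
    _, alpha_a, alpha_b, rho = msg
    if not ver(key[1], encode("S", pid, alpha_a + alpha_b), rho):
        return None
    peer_bar = dec(key[0], alpha_a if is_first else alpha_b)
    return pow(peer_bar, exponent, P)

def server_check(pid, key, round1_msg, round2_msg):
    """Step 6: S verifies a client's sigma over that client's own round-1 message."""
    ident, _, x_pub = round1_msg
    return ver(key[1], encode(ident, pid, x_pub), round2_msg[1])

def run_protocol(tamper=False):
    """One full run.  With tamper=True a single bit of alpha_A is flipped in transit;
    A must then abort in Step 5 instead of deriving an unmatched key."""
    pid = ("A", "B", "S")
    x, msg_a = client_round1("A", pid)
    y, msg_b = client_round1("B", pid)
    key_a, key_b = two_pake(), two_pake()   # shared by (A, S) and (B, S) respectively
    sig_a = client_round2("A", pid, msg_a[2], key_a[1])
    sig_b = client_round2("B", pid, msg_b[2], key_b[1])
    z, to_a, to_b = server_round2(pid, key_a, key_b, msg_a[2], msg_b[2])
    if tamper:
        bad = bytearray(to_a[1])
        bad[-1] ^= 1
        to_a = (to_a[0], bytes(bad), to_a[2], to_a[3])
    sk_a = client_finish(pid, x, key_a, to_a, is_first=True)
    sk_b = client_finish(pid, y, key_b, to_b, is_first=False)
    server_ok = server_check(pid, key_a, msg_a, sig_a) and server_check(pid, key_b, msg_b, sig_b)
    return sk_a, sk_b, pow(G, x * y * z, P), server_ok
```

`run_protocol()` returns the two clients' keys, the reference value g^{xyz} and the outcome of the server's Step 6 checks; in the tampered run A's key is `None` while B, whose message was untouched, still completes.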

#### 4.3. Security Proof

**Theorem 1.** For any adversary who has time complexity at most t and query complexity at most Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test}), its advantage in breaking the AKE security of 2R3PAKE is bounded by:

where Q′ = (2q_{exec}, q_{send}, q_{send}, q_{corr}, 2q_{exec} + q_{send}) and t′ is the maximum time required to perform the experiment **Exp _{0}** involving an adversary who attacks 2R3PAKE with time complexity t.

**Proof.** Let $\mathcal{A}$ be a PPT adversary who attacks the AKE security of 2R3PAKE with time complexity t and query complexity Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test}). We prove the theorem by making a series of modifications to the experiment **Exp _{0}**, bounding the difference in $\mathcal{A}$'s success probability between two consecutive (modified) experiments and ending up with an experiment in which $\mathcal{A}$ has a success probability of 1/2 (i.e., $\mathcal{A}$ has no advantage). By Succ_{i}, we denote the event that $\mathcal{A}$ correctly guesses the hidden bit b in experiment **Exp _{i}**.

Before presenting the first modified experiment, we define the notion of a clean instance.

**Definition 3.** We say an instance ${\prod}_{U}^{i}$ is unclean if $\mathcal{A}$ has queried Corrupt(U′) for some ${U}^{\prime}\in pi{d}_{U}^{i}$. Otherwise, we say it is clean.

**Experiment Exp _{1}.** We modify the experiment by replacing each different 2ℓ-bit key (established by an execution of 2PAKE) with a random key drawn uniformly from {0, 1}^{2ℓ} for all clean instances. The difference in $\mathcal{A}$'s success probability between **Exp _{0}** and **Exp _{1}** is bounded by:

**Claim 1.** $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{1}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{0}]|\le {\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}({t}^{\prime},{Q}^{\prime})$.

**Proof.** We prove the claim by constructing an adversary ${\mathcal{A}}^{\prime}$ who attacks the AKE security of 2PAKE with advantage equal to $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{1}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{0}]|$. Let ${k}_{U}^{i}$ denote the 2ℓ-bit key held by instance ${\prod}_{U}^{i}$.

${\mathcal{A}}^{\prime}$ chooses a random bit b ∈ {0, 1} and invokes the adversary $\mathcal{A}$. ${\mathcal{A}}^{\prime}$ then simulates the oracles for $\mathcal{A}$ as follows:

Execute queries. When an Execute(${\prod}_{A}^{i}$, ${\prod}_{B}^{j}$, ${\prod}_{S}^{k}$) query is asked, ${\mathcal{A}}^{\prime}$ first checks if A, B or S was previously corrupted. If so, ${\mathcal{A}}^{\prime}$ answers the Execute query as in experiment **Exp _{0}**. Otherwise, ${\mathcal{A}}^{\prime}$ answers the query using its own oracles: it first asks the two queries Execute(${\prod}_{A}^{i}$, ${\prod}_{S}^{k}$) and Execute(${\prod}_{B}^{j}$, ${\prod}_{S}^{{k}^{\prime}}$). Let T_{2PAKE} and T′_{2PAKE} be the two transcripts returned in response to these Execute queries. Next, ${\mathcal{A}}^{\prime}$ makes the queries Test$({\prod}_{A}^{i})$ and Test$({\prod}_{B}^{j})$ and receives in return two keys ${\overline{k}}_{A}^{i}$ and ${\overline{k}}_{B}^{j}$ (either real or random). ${\mathcal{A}}^{\prime}$ then generates the rest of the protocol messages, using ${\overline{k}}_{A}^{i}$ and ${\overline{k}}_{B}^{j}$ as ${k}_{A}^{i}$ and ${k}_{B}^{j}$, respectively. Finally, ${\mathcal{A}}^{\prime}$ returns these messages together with T_{2PAKE} and T′_{2PAKE} after ordering them properly.

Send queries. For each Send(${\prod}_{U}^{i}$, m) query, ${\mathcal{A}}^{\prime}$ checks if m is a message for initiating a new session (of 2R3PAKE) or the Send query belongs to an execution of 2PAKE. If both are untrue, ${\mathcal{A}}^{\prime}$ responds to the query as in experiment **Exp _{0}**. Otherwise, ${\mathcal{A}}^{\prime}$ answers it by making the same query to its own Send oracle. If the query prompts ${\prod}_{U}^{i}$ to accept, then ${\mathcal{A}}^{\prime}$ checks if ${\prod}_{U}^{i}$ is clean. If so, ${\mathcal{A}}^{\prime}$ makes a Test$({\prod}_{U}^{i})$ query (unless the partner of ${\prod}_{U}^{i}$ has already been tested) and sets ${k}_{U}^{i}$ to be the output of this Test query. Otherwise, ${\mathcal{A}}^{\prime}$ makes a Reveal$({\prod}_{U}^{i})$ query and sets ${k}_{U}^{i}$ to be the output of this Reveal query.

Reveal queries. ${\mathcal{A}}^{\prime}$ responds to the queries as per the protocol specification.

Corrupt queries. ${\mathcal{A}}^{\prime}$ answers these queries using its own Corrupt oracle.

Test queries. ${\mathcal{A}}^{\prime}$ responds to these queries based on the bit b chosen at random at the beginning of the simulation: ${\mathcal{A}}^{\prime}$ returns the real session key if b = 1 and a key chosen uniformly at random from $\mathbb{G}$ if b = 0.

At some point in time, $\mathcal{A}$ will terminate and output its guess b′. When this happens, ${\mathcal{A}}^{\prime}$ outputs 1 if b = b′ and 0 otherwise.

From the simulation, it is clear that:

- The probability that ${\mathcal{A}}^{\prime}$ outputs 1 when its Test oracle returns real session keys is equal to the probability that $\mathcal{A}$ correctly guesses the bit b in experiment **Exp _{0}**.
- The probability that ${\mathcal{A}}^{\prime}$ outputs 1 when its Test oracle returns random keys is equal to the probability that $\mathcal{A}$ correctly guesses the bit b in experiment **Exp _{1}**.

That is,
${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}({\mathcal{A}}^{\prime})=|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{1}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{0}]|$. Since
${\mathcal{A}}^{\prime}$ has at most time complexity t′ and query complexity Q′ = (2q_{exec}, q_{send}, q_{send}, q_{corr}, 2qexec + qsend), it follows, by definition, that
${\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}({\mathcal{A}}^{\prime})\le {\mathrm{Adv}}_{2\mathrm{PAKE}}^{\mathrm{ake}}({t}^{\prime},{Q}^{\prime})$. This completes the proof of Claim 1.

**Experiment Exp _{2}.** This experiment is different from **Exp _{1}** only in that it is aborted and the adversary does not succeed if the following event Forge occurs.

Forge: the event that the adversary $\mathcal{A}$ makes a Send query of the form Send(${\prod}_{U}^{i}$, V║msg) for uncorrupted U and V, such that msg contains a MAC forgery.

Then, we have:

**Claim 2.** $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{2}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{1}]|\le {q}_{\mathrm{send}}\cdot {\mathrm{Adv}}_{\mathrm{\Sigma}}^{\mathrm{suf}-\mathrm{cma}}({t}^{\prime},2,2)$.

**Proof.** Assuming that the event Forge occurs, we construct a forger $\mathcal{F}$ who outputs, with a non-negligible probability, a forgery against the MAC scheme Σ. The forger $\mathcal{F}$ is given oracle access to Mac_{k}(·) and Ver_{k}(·). The goal of $\mathcal{F}$ is to produce a message/tag pair (m, σ), such that: (1) Ver_{k}(m, σ) = 1; and (2) σ was not previously output by the Mac_{k}(·) oracle on input m.

Let n be the number of all different MAC keys established via a Send query made by $\mathcal{A}$. Clearly, n ≤ q_{send}. $\mathcal{F}$ begins by choosing a random α ∈ {1, …, n}. Let ${k}_{\alpha}^{mac}$ denote the α-th key among all of the n MAC keys and Send_{α} be a Send query that should be answered and/or verified using ${k}_{\alpha}^{mac}$. $\mathcal{F}$ invokes $\mathcal{A}$ as a subroutine and handles the oracle calls of $\mathcal{A}$ as in experiment **Exp _{1}**, except that it answers all Send_{α} queries by accessing its MAC generation and verification oracles. As a result, the α-th MAC key ${k}_{\alpha}^{mac}$ is never used during the simulation. If Forge occurs against an instance that holds ${k}_{\alpha}^{mac}$, $\mathcal{F}$ halts and outputs the message/tag pair generated by $\mathcal{A}$ as its forgery. Otherwise, $\mathcal{F}$ halts and outputs a failure indication.

If the guess α is correct, then the simulation is perfect, and $\mathcal{F}$ achieves its goal. Namely, ${\mathrm{Adv}}_{\mathrm{\Sigma}}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{F})=\mathrm{Pr}[\text{Forge}]/n$. Since n ≤ q_{send}, we get $\mathrm{Pr}[\text{Forge}]\le {q}_{\mathrm{send}}\cdot {\mathrm{Adv}}_{\mathrm{\Sigma}}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{F})$. As $\mathcal{F}$ has at most time complexity t′ and makes at most two queries to each of Mac_{k}(·) and Ver_{k}(·), it follows, by definition, that ${\mathrm{Adv}}_{\mathrm{\Sigma}}^{\mathrm{suf}-\mathrm{cma}}(\mathcal{F})\le {\mathrm{Adv}}_{\mathrm{\Sigma}}^{\mathrm{suf}-\mathrm{cma}}({t}^{\prime},2,2)$. This completes the proof of Claim 2.

**Experiment Exp _{3}.** We further modify the experiment so that the Execute and Send oracles are simulated as in “the **Exp _{3}** modification” described below.

*The Exp_{3} modification.* When $\mathcal{A}$ asks an Execute or Send query, the simulator answers it exactly as in experiment **Exp _{2}**, except that it modifies the way of generating the ephemeral public values (denoted as X and Y in the protocol) as follows. The simulator chooses two random ${v}_{1},{v}_{2}\in {\mathbb{Z}}_{q}^{*}$ and computes ${V}_{1}={g}^{{v}_{1}}$ and ${V}_{2}={g}^{{v}_{2}}$. For each instance ${\prod}_{C}^{i}$, the simulator chooses a random $r\in {\mathbb{Z}}_{q}^{*}$ and computes

$$R=\begin{cases}{V}_{1}^{r} & \text{if } C \text{ appears first in } pi{d}_{C}^{i},\\ {V}_{2}^{r} & \text{if } C \text{ appears second in } pi{d}_{C}^{i},\end{cases}$$

and uses R as the ephemeral public value (X or Y) of ${\prod}_{C}^{i}$.

Since the view of $\mathcal{A}$ is identical between **Exp _{2}** and **Exp _{3}**, it is straightforward to see that:

**Claim 3.** ${\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{3}]={\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{2}]$.

**Experiment Exp _{4}.** In this experiment, each $\overline{X}$ and $\overline{Y}$ is computed as $\overline{X}=X$ and $\overline{Y}=Y$ (instead of as $\overline{X}={X}^{z}$ and $\overline{Y}={Y}^{z}$) if they are expected to be encrypted with a key held by a clean (server) instance. This is the only difference from **Exp _{3}**.

**Claim 4.** $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{3}]|\le {q}_{\mathrm{send}}\cdot {\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{seav}}({t}^{\prime})$.

**Proof.** We prove the claim by constructing a multiple eavesdropper ${\mathcal{A}}_{\mathrm{meav}}$ who attacks the indistinguishability of Ω with advantage equal to $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{3}]|$.

${\mathcal{A}}_{\mathrm{meav}}$ chooses a random bit b ∈ {0, 1} and invokes the adversary $\mathcal{A}$. ${\mathcal{A}}_{\mathrm{meav}}$ then handles all of the oracle queries of $\mathcal{A}$ as in experiment **Exp _{3}**, except that it generates α_{A} and α_{B} for each clean server instance as follows: ${\mathcal{A}}_{\mathrm{meav}}$ outputs (X, $\overline{X}={X}^{z}$) and (Y, $\overline{Y}={Y}^{z}$) as its own (two) plaintext pairs (in the indistinguishability experiment ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\text{ind-meav}}$), receives in return two ciphertexts c_{1} and c_{2} and sets α_{A} = c_{2} and α_{B} = c_{1}. (Note, here, that c_{1} and c_{2} are encryptions of either X and Y or $\overline{X}$ and $\overline{Y}$.)

When $\mathcal{A}$ outputs its guess b′, ${\mathcal{A}}_{\mathrm{meav}}$ outputs 1 if b = b′ and 0 otherwise. It easily follows that:

- The probability that ${\mathcal{A}}_{\mathrm{meav}}$ outputs 1 when the first plaintexts are encrypted in experiment ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\text{ind-meav}}$ is equal to the probability that $\mathcal{A}$ succeeds in experiment **Exp _{4}**.
- The probability that ${\mathcal{A}}_{\mathrm{meav}}$ outputs 1 when the second plaintexts are encrypted in experiment ${\mathrm{Exp}}_{\mathrm{\Omega}}^{\text{ind-meav}}$ is equal to the probability that $\mathcal{A}$ succeeds in experiment **Exp _{3}**.

Therefore, ${\mathrm{Adv}}_{\mathrm{\Omega}}^{\mathrm{ind}-\mathrm{meav}}({\mathcal{A}}_{\mathrm{meav}})=|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{3}]|$. Since ${\mathcal{A}}_{\mathrm{meav}}$ eavesdrops on at most q_{send} encryptions and has time complexity at most t′, Claim 4 follows immediately from Lemma 1 of Section 4.1.

**Experiment Exp _{5}.** We now modify the way session keys are computed. For each clean instance and its partner instance, the shared session key is chosen uniformly at random from
$\mathbb{G}$.

**Claim 5.**$|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{5}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]|\phantom{\rule{0.2em}{0ex}}\le {\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}({t}^{\prime}).$

**Proof.** We prove the claim by constructing an algorithm ${\mathcal{A}}_{\mathrm{ddh}}$ that solves the DDH problem in $\mathbb{G}$ with advantage equal to $|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{5}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]|$.

On input a DDH-problem instance $({W}_{1}={g}^{{w}_{1}},\phantom{\rule{0.2em}{0ex}}{W}_{2}={g}^{{w}_{2}},\phantom{\rule{0.2em}{0ex}}{W}_{3})\in {\mathbb{G}}^{3}$, ${\mathcal{A}}_{\mathrm{ddh}}$ chooses a random bit b ∈ {0, 1}, invokes the adversary $\mathcal{A}$ and simulates the oracles on its own. ${\mathcal{A}}_{\mathrm{ddh}}$ handles all of the queries of $\mathcal{A}$ as in experiment **Exp _{4}**, except for the following:

- ${\mathcal{A}}_{\mathrm{ddh}}$ uses W_{1} and W_{2} in place of V_{1} and V_{2} (see “the **Exp _{3}** modification”).
- For each clean instance ${\prod}_{C}^{i}$ who sends $X={W}_{1}^{r}$ and receives $Y={W}_{2}^{{r}^{\prime}}$, or vice versa, ${\mathcal{A}}_{\mathrm{ddh}}$ sets the session key $s{k}_{C}^{i}$ to be ${W}_{3}^{r{r}^{\prime}}$. (Recall that in **Exp _{4}** a clean instance computes its session key as ${Y}^{x}={g}^{{w}_{1}r\cdot {w}_{2}{r}^{\prime}}$, which equals ${W}_{3}^{r{r}^{\prime}}$ exactly when ${W}_{3}={g}^{{w}_{1}{w}_{2}}$.)

Later, when $\mathcal{A}$ outputs its guess b′, ${\mathcal{A}}_{\mathrm{ddh}}$ outputs 1 if b = b′ and 0 otherwise.

The simulation above clearly shows that:

- The probability that ${\mathcal{A}}_{\mathrm{ddh}}$ outputs 1 on a true Diffie–Hellman triple is equal to the probability that $\mathcal{A}$ correctly guesses the bit b in experiment **Exp _{4}**.
- The probability that ${\mathcal{A}}_{\mathrm{ddh}}$ outputs 1 on a random triple is equal to the probability that $\mathcal{A}$ correctly guesses the bit b in experiment **Exp _{5}**.

Hence, ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}({\mathcal{A}}_{\mathrm{ddh}})=|{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{5}]-{\mathrm{Pr}}_{2\mathrm{R}3\mathrm{PAKE},\mathcal{A}}[{\mathrm{Succ}}_{4}]|$. From this and since ${\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}({\mathcal{A}}_{\mathrm{ddh}})\le {\mathrm{Adv}}_{\mathbb{G}}^{\mathrm{ddh}}({t}^{\prime})$, we obtain the inequality of Claim 5.

In experiment **Exp _{5}**, the session keys of all fresh instances are chosen uniformly at random from $\mathbb{G}$, and thus, the adversary $\mathcal{A}$ obtains no information on the bit b chosen by the Test oracle. Therefore, it follows that Pr[Succ_{5}] = 1/2. This result combined with Claims 1–5 yields the statement of Theorem 1.

## 5. Concluding Remarks

In this paper, we have proposed an efficient and secure three-party password-only authenticated key exchange protocol that requires only two communication rounds. We have rigorously proven the security of the protocol in a widely-accepted adversary model. Since our proof of security requires no idealizing assumptions, our proposed protocol would be considered equivalent to being provably secure in the standard model, as long as the building blocks are also instantiated with schemes proven secure in the standard model. For a more efficient implementation of our proposed protocol, Steps 3 and 6 (see the protocol description in Section 4.2) can be omitted if security against undetectable online dictionary attacks is not required. This simplified protocol would still be AKE-secure in the sense of Definition 2 (i.e., Theorem 1 also holds for the simplified protocol). We finally note that it seems impossible to design an AKE-secure, one-round key exchange protocol in the password-only, three-party setting, although we are unable to prove this statement formally.

## Acknowledgments

This work was supported by Konkuk University.

## Author Contributions

S.H. and D.W. conceived and designed the experiments; S.H. and J.P. performed the experiments; J.P. and D.W. analyzed the data; J.N. and K.C. proved the security of the protocol; J.N. and K.C. wrote the paper.

## Conflicts of Interest

The authors declare no conflict of interest.

## References

1. Herley, C.; van Oorschot, P. A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. **2012**, 10, 28–36.
2. Wang, W.; Hu, L. Efficient and provably secure generic construction of three-party password-based authenticated key exchange protocols. In Proceedings of INDOCRYPT 2006, 7th International Conference on Cryptology, Kolkata, India, 11–13 December 2006; LNCS 4329, pp. 118–132.
3. Nam, J.; Paik, J.; Kang, H.; Kim, U.; Won, D. An off-line dictionary attack on a simple three-party key exchange protocol. IEEE Commun. Lett. **2009**, 13, 205–207.
4. Lo, N.; Yeh, K. Cryptanalysis of two three-party encrypted key exchange protocols. Comput. Stand. Interfaces **2009**, 31, 1167–1174.
5. Lin, C.; Hwang, T. On a simple three-party password-based key exchange protocol. Int. J. Commun. Syst. **2011**, 24, 1520–1532.
6. Wu, S.; Pu, Q.; Wang, S.; He, D. Cryptanalysis of a communication-efficient three-party password authenticated key exchange protocol. Inform. Sci. **2012**, 215, 83–96.
7. Choo, K.K.R.; Boyd, C.; Hitchcock, Y. Errors in computational complexity proofs for protocols. In Proceedings of ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 December 2005; LNCS 3788, pp. 624–643.
8. Choo, K.K.R.; Boyd, C.; Hitchcock, Y. Examining indistinguishability-based proof models for key establishment protocols. In Proceedings of ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 December 2005; LNCS 3788, pp. 585–604.
9. Choo, K.K.R.; Boyd, C.; Hitchcock, Y. The importance of proofs of security for key establishment protocols: Formal analysis of Jan–Chen, Yang–Shen–Shieh, Kim–Huh–Hwang–Lee, Lin–Sun–Hwang, and Yeh–Sun protocols. Comput. Commun. **2006**, 29, 2788–2797.
10. Bellare, M.; Rogaway, P. Entity authentication and key distribution. In Proceedings of the 13th Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; LNCS 773, pp. 232–249.
11. Abdalla, M.; Fouque, P.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of Public Key Cryptography 2005, Les Diablerets, Switzerland, 23–26 January 2005; LNCS 3386, pp. 65–84.
12. Abdalla, M.; Fouque, P.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. IEE Proc. Inform. Secur. **2006**, 153, 27–39.
13. Lin, C.; Sun, H.; Steiner, M.; Hwang, T. Three-party encrypted key exchange without server public-keys. IEEE Commun. Lett. **2001**, 5, 497–499.
14. Lee, T.; Hwang, T.; Lin, C. Enhanced three-party encrypted key exchange without server public keys. Comput. Secur. **2004**, 23, 571–577.
15. Abdalla, M.; Pointcheval, D. Interactive Diffie–Hellman assumptions with applications to password-based authentication. In Financial Cryptography and Data Security; Patrick, A.S., Yung, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2005; pp. 341–356.
16. Wen, H.; Lee, T.; Hwang, T. Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proc. Commun. **2005**, 152, 138–143.
17. Lu, R.; Cao, Z. Simple three-party key exchange protocol. Comput. Secur. **2007**, 26, 94–97.
18. Chung, H.; Ku, W. Three weaknesses in a simple three-party key exchange protocol. Inform. Sci. **2008**, 178, 220–229.
19. Guo, H.; Li, Z.; Mu, Y.; Zhang, X. Cryptanalysis of simple three-party key exchange protocol. Comput. Secur. **2008**, 27, 16–21.
20. Kim, H.; Choi, J. Enhanced password-based simple three-party key exchange protocol. Comput. Electr. Eng. **2009**, 35, 107–114.
21. Huang, H. A simple three-party password-based key exchange protocol. Int. J. Commun. Syst. **2009**, 22, 857–862.
22. Dongna, E.; Cheng, Q.; Ma, C. Password authenticated key exchange based on RSA in the three-party settings. In Proceedings of the Provable Security Conference 2009, Guangzhou, China, 11–13 November 2009; LNCS 5848, pp. 168–182.
23. Lee, T.; Hwang, T. Simple password-based three-party authenticated key exchange without server public keys. Inform. Sci. **2010**, 180, 1702–1714.
24. Wang, W.; Hu, L.; Li, Y. How to construct secure and efficient three-party password-based authenticated key exchange protocols. In Proceedings of the 6th China International Conference on Information Security and Cryptology, Shanghai, China, 20–24 October 2010; LNCS 6584, pp. 218–235.
25. Chang, T.; Hwang, M.; Yang, W. A communication-efficient three-party password authenticated key exchange protocol. Inform. Sci. **2011**, 181, 217–226.
26. Nam, J.; Lee, Y.; Kim, S.; Won, D. Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Inform. Sci. **2007**, 177, 1364–1375.
27. Phan, R.; Yau, W.; Goi, B. Cryptanalysis of simple three-party key exchange protocol (S-3PAKE). Inform. Sci. **2008**, 178, 2849–2856.
28. Yoon, E.; Yoo, K. Cryptanalysis of a simple three-party password-based key exchange protocol. Int. J. Commun. Syst. **2011**, 24, 532–542.
29. Liang, H.; Hu, J.; Wu, S. Re-attack on a three-party password-based authenticated key exchange protocol. Math. Comput. Model. **2013**, 57, 1175–1183.
30. Tsai, H.; Chang, C. Provably secure three party encrypted key exchange scheme with explicit authentication. Inform. Sci. **2013**, 238, 242–249.
31. Nam, J.; Choo, K.K.R.; Park, M.; Paik, J.; Won, D. On the security of a simple three-party key exchange protocol without server’s public keys. Sci. World J. **2014**, 479534:1–479534:7.
32. Nam, J.; Choo, K.K.R.; Paik, J.; Won, D. An offline dictionary attack against Abdalla and Pointcheval’s key exchange in the password-only three-party setting. IEICE Trans. Fundam. Electr. Commun. Comput. Sci. **2015**, in press.
33. Szydlo, M. A note on chosen-basis Decisional Diffie–Hellman assumptions. In Proceedings of Financial Cryptography 2006, Anguilla, British West Indies, 27 February–2 March 2006; LNCS 4107, pp. 166–170.
34. Yoneyama, K. Efficient and strongly secure password-based server aided key exchange. In Proceedings of INDOCRYPT 2008, 9th International Conference on Cryptology, Kharagpur, India, 14–17 December 2008; LNCS 5365, pp. 172–184.
35. Zhao, J.; Gu, D. Provably secure three-party password-based authenticated key exchange protocol. Inform. Sci. **2012**, 184, 310–323.
36. Lin, C.; Sun, H.; Hwang, T. Three-party encrypted key exchange: Attacks and a solution. ACM SIGOPS Oper. Syst. Rev. **2000**, 34, 12–20.
37. Chang, C.; Chang, Y. A novel three-party encrypted key exchange protocol. Comput. Stand. Interfaces **2004**, 26, 471–476.
38. Chen, H.; Chen, T.; Lee, W.; Chang, C. Security enhancement for a three-party encrypted key exchange protocol against undetectable on-line password guessing attacks. Comput. Stand. Interfaces **2008**, 30, 95–99.
39. Yoon, E.; Yoo, K. Improving the novel three-party encrypted key exchange protocol. Comput. Stand. Interfaces **2008**, 30, 309–314.
40. Chien, H.; Wu, T. Provably secure password-based three-party key exchange with optimal message steps. Comput. J. **2009**, 52, 646–655.
41. Lou, D.; Huang, H. Efficient three-party password-based key exchange scheme. Int. J. Commun. Syst. **2011**, 24, 504–512.
42. Yang, J.; Cao, T. Provably secure three-party password authenticated key exchange protocol in the standard model. J. Syst. Softw. **2012**, 85, 340–350.
43. Lee, C.; Chen, S.; Chen, C. A computation-efficient three-party encrypted key exchange protocol. Appl. Math. Inform. Sci. **2012**, 6, 573–579.
44. Wu, S.; Chen, K.; Pu, Q.; Zhu, Y. Cryptanalysis and enhancements of efficient three-party password-based key exchange scheme. Int. J. Commun. Syst. **2013**, 26, 674–686.
45. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attacks. In Proceedings of EUROCRYPT 2000, Bruges, Belgium, 14–18 May 2000; LNCS 1807, pp. 139–155.
46. Abdalla, M.; Pointcheval, D. Simple password-based encrypted key exchange protocols. In Proceedings of CT-RSA 2005, San Francisco, CA, USA, 14–18 February 2005; LNCS 3376, pp. 191–208.
47. Katz, J.; Vaikuntanathan, V. Round-optimal password-based authenticated key exchange. In Proceedings of the Theory of Cryptography Conference 2011, Providence, RI, USA, 28–30 March 2011; LNCS 6597, pp. 293–310.
48. Choo, K.K.R. A proof of revised Yahalom protocol in the Bellare and Rogaway (1993) model. Comput. J. **2007**, 50, 591–601.
49. Bellare, M.; Rogaway, P. Provably secure session key distribution—The three party case. In Proceedings of the 27th ACM Symposium on Theory of Computing, Las Vegas, NV, USA, May 1995; pp. 57–66.
50. Goldwasser, S.; Micali, S. Probabilistic encryption. J. Comput. Syst. Sci. **1984**, 28, 270–299.

| Protocol | Major Weaknesses | Communication Model | Security Proof |
|---|---|---|---|
| 3PAKE [15] | Vulnerable to an offline dictionary attack [32] | The adversary is restricted from corrupting protocol participants | Based on an invalid assumption [33] |
| NWPAKE-2 [24] | Fails to achieve implicit key authentication (see Section 3) | | Invalidated by an active attack (see Section 3) |
| S-IA-3PAKE, S-EA-3PAKE [23] | Vulnerable to an offline dictionary attack and a man-in-the-middle attack [31] | | Invalidated by a passive attack (see Section 3.3 of [31]) |

© 2015 by the authors; licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Nam, J.; Choo, K.-K.R.; Han, S.; Paik, J.; Won, D.
Two-Round Password-Only Authenticated Key Exchange in the Three-Party Setting. *Symmetry* **2015**, *7*, 105-124.
https://doi.org/10.3390/sym7010105
