Two-Round Password-Only Authenticated Key Exchange in the Three-Party Setting

We present the first provably-secure three-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. The protocol is proven secure in a variant of the widely-accepted model of Bellare, Pointcheval and Rogaway (2000) without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the two-round, three-party PAKE protocol of Wang, Hu and Li (2010) and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.


Introduction
Protocols for password-only authenticated key exchange (PAKE) enable two or more parties to generate a shared, cryptographically strong key (called a session key) from their easy-to-remember passwords. PAKE protocols are increasingly popular, perhaps due to the popularity of passwords themselves: as Herley and van Oorschot explain, '[d]espite countless attempts to dislodge passwords [in the past 20 years], they are more widely used and firmly entrenched than ever' [1]. An enormous amount of research effort has been expended on the design and analysis of PAKE protocols, and yet there are still worthwhile contributions to be made even in the simple scenario of two protocol participants (also known as clients) with an online trusted server. In such a 3-party model, the server provides its registered clients with a centralized authentication service, which allows each client to remember and manage only a single password. Password guessing attacks (also known as dictionary attacks) present a more subtle threat in the 3-party model than in a 2-party model, as a malicious client can attempt to mount such an attack against another client; see [2,3,4,5,6].
It is generally regarded that the design of secure yet efficient key exchange protocols (including PAKE protocols) is notoriously hard, and that conducting security analysis for such protocols is time-consuming and error-prone; see, e.g., [7,8,9]. The many flaws discovered in published protocols have promoted the use of formal models and rigorous security proofs. In the provable security paradigm for key exchange protocols, a deductive reasoning process is adopted whereby emphasis is placed on a proven reduction from the problem of breaking the protocol to another problem believed to be (computationally) hard. A complete mathematical proof with respect to cryptographic definitions provides strong assurance that a protocol is behaving as desired. It is by now standard practice for protocol designers to provide proofs of security for their protocols in widely accepted security models, in order to assure protocol implementers about the security properties of protocols. The provable security paradigm for key exchange protocols was made popular by Bellare and Rogaway [10], who provided the first formal definition for a model of adversary capabilities with an associated definition of indistinguishability-based security. Bellare and Rogaway's model has been further revised several times; a recent revision is the Real-Or-Random (ROR) model proposed by Abdalla, Fouque and Pointcheval [11,12] for 3-party PAKE protocols.
Reducing the number of communication rounds is an important practical consideration in designing key exchange protocols. Adopting the usual convention in the 3-party (and multi-party) setting, we let a round consist of all protocol messages that can be sent in parallel; note that messages in the same round cannot depend on one another. So far, several 2-round key exchange protocols have been presented in the 3-party setting.
• The protocols of [15,24] are the only 2-round 3-party PAKE protocols published with a claimed security proof. However, it was later found that neither protocol is secure against an active adversary, so their associated claims of provable security are invalid (see [8,34,2,33] and Section 3 of this paper).
• The protocols of [35,36] were proven secure and require only two rounds, but these protocols assume a "hybrid" 3-party setting where a server's public key is required in addition to passwords.
• The recent protocol due to Tsai and Chang [31] can run in two rounds (without key confirmation), but this protocol only works in a hybrid setting that requires both a cryptographic key and a password pre-established between each client and the server (see [37,38,39,40,41,4,42,43,26,30,44] for other protocols designed to work in a hybrid setting).
Table 1 summarizes the security properties and known weaknesses of published 2-round 3-party PAKE protocols with (claimed) proofs of security. To the best of our knowledge, there exists no (provably) secure 3-party PAKE protocol running in only two rounds.

Table 1: A summary of security results for existing 2-round 3-party PAKE protocols.

Protocol | Known weaknesses | Status of the claimed security proof
3PAKE [15] | Vulnerable to an offline dictionary attack [33] | Based on an invalid assumption [34]
NWPAKE-2 [24] | Fails to achieve implicit key authentication (see Section 3) | Invalidated by an active attack (see Section 3); the model restricts the adversary from corrupting protocol participants
S-IA-3PAKE, S-EA-3PAKE [23] | Vulnerable to an offline dictionary attack and a man-in-the-middle attack [32] | Invalidated by a passive attack (see Section 3.3 of [32])

We regard the contributions of this paper to be two-fold:
1. We present the first 2-round 3-party PAKE protocol that is provably secure in a well-defined communication model (see Section 4). The communication model in which we work allows the adversary to corrupt protocol participants and therefore captures not only the notion of forward secrecy but also attacks by malicious clients. We make no idealizing assumptions in our security proof. Similar to the protocols of [11,12,2,19,24], our protocol is generic in the sense that it can be constructed from any 2-party PAKE protocol. If the underlying 2-party protocol is round-optimal [45,46,47], then our 3-party protocol runs in only two communication rounds.
2. We also present a previously unpublished flaw in an existing 2-round 3-party PAKE protocol proposed by Wang, Hu and Li [24] (see Section 3.2). The Wang-Hu-Li protocol (named NWPAKE-2) was claimed to be provably secure in a variant of the ROR model. We reveal that the NWPAKE-2 protocol fails to achieve implicit key authentication in the presence of an active adversary who is not even registered with the server, which invalidates the "claimed" security proof.
The remainder of this paper is structured as follows: Section 2 describes a communication model along with the associated security definition. In Section 3, we revisit the NWPAKE-2 protocol of Wang, Hu and Li [24] and reveal a previously unpublished flaw in the protocol. We then present our proposed 2-round 3-party PAKE protocol and prove its security in Section 4. The last section concludes the paper.

The communication model
We now describe a communication model adapted from the widely accepted indistinguishability-based model of Bellare, Pointcheval and Rogaway [45]. This is the model used to prove the security of our proposed 3-party PAKE protocol.
Participants and long-term keys. Let $S$ be a trusted authentication server, and $\mathcal{C}$ the set of all clients registered with $S$. During registration, each client $C \in \mathcal{C}$ selects a password $pw_C$ from a dictionary $\mathcal{D}$, and shares $pw_C$ with $S$ via a secure/authenticated channel. The password $pw_C$ is used as the long-term secret key between $C$ and $S$. Any two clients $C, C' \in \mathcal{C}$ may run a 3-party PAKE protocol $P$ with $S$ at any point in time to establish a session key. Let $\mathcal{U} = \mathcal{C} \cup \{S\}$. A user $U \in \mathcal{U}$ may execute the protocol multiple times (including concurrent executions) with the same or different participants. Thus, at a given time, there could be many instances of a single user. We use $\Pi^i_U$ to denote instance $i$ of user $U$. We say that a client instance $\Pi^i_C$ accepts when it successfully computes its session key $sk^i_C$ in an execution of the protocol.
Partnering. Intuitively, two instances are partners if they participate in a protocol execution and establish a (shared) session key. Formally, partnering between instances is defined in terms of the notions of session identifiers and partner identifiers (see [48] on the role and possible construction of session and partner identifiers as a partnering mechanism that enables the right session key to be identified in concurrent protocol executions). A session identifier (sid) is a unique identifier of a protocol session and is usually defined as a function of the messages transmitted in the session. Let $sid^i_U$ denote the sid of instance $\Pi^i_U$. A partner identifier (pid) is a sequence of identities of the participants of a specific protocol session. Instances are given a pid as input before they can run the protocol; $pid^i_U$ denotes the pid given to instance $\Pi^i_U$. In a typical session, there will be three participants, namely two clients $C$ and $C'$ and the server $S$. We say that two instances $\Pi^i_C$ and $\Pi^j_{C'}$ are partners if all of the following conditions are satisfied: (1) both $\Pi^i_C$ and $\Pi^j_{C'}$ have accepted, (2)

Adversary capabilities. The probabilistic polynomial-time (ppt) adversary $A$ is in complete control of all communications between users, and its capabilities are modeled via a pre-defined set of oracle queries as described below.
• Execute($\Pi^i_C$, $\Pi^j_{C'}$, $\Pi^k_S$): This query models passive attacks against the protocol. It prompts an execution of the protocol between the instances $\Pi^i_C$, $\Pi^j_{C'}$ and $\Pi^k_S$, and returns the transcript of the protocol execution to $A$.
• Send($\Pi^i_U$, $m$): This query sends message $m$ to instance $\Pi^i_U$, modelling active attacks against the protocol. Upon receiving $m$, the instance $\Pi^i_U$ proceeds according to the protocol specification. The message output by $\Pi^i_U$, if any, is returned to $A$. A query of the form Send($\Pi^i_C$, start:$(C, C', S)$) prompts $\Pi^i_C$ to initiate the protocol with $pid^i_C = (C, C', S)$.
• Reveal($\Pi^i_C$): This query captures the notion of known-key security and, if $\Pi^i_C$ has accepted, returns the session key $sk^i_C$ to $A$. However, this session (key) is then rendered unfresh (see Definition 1).
• Corrupt($U$): This query returns $U$'s password $pw_U$ to $A$. If $U = S$ (i.e., the server is corrupted), all clients' passwords stored by the server are returned. This query captures not only the notion of forward secrecy but also attacks by malicious clients.
• Test($\Pi^i_C$): This query is used to define the indistinguishability-based security of the protocol. If $\Pi^i_C$ has accepted, then depending on a randomly chosen bit $b$, $A$ is given either the real session key $sk^i_C$ (when $b = 1$) or a random key drawn from the session-key space (when $b = 0$). $A$ is allowed to ask as many Test queries as it wishes. All Test queries are answered using the same value of the hidden bit $b$; namely, the keys output by the Test oracle are either all real or all random. But we require that, for each different set of partners, $A$ access the Test oracle only once.
The number of queries asked by an adversary is referred to as the query complexity of the adversary ($Q$), and is represented as an ordered sequence of five non-negative integers, $Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test})$. These five non-negative integers are the numbers of queries that the adversary asked to the Execute, Send, Reveal, Corrupt, and Test oracles, respectively.
Security definition. We define the security of a 3-party PAKE protocol via the notion of freshness. Intuitively, a fresh instance is one holding a session key that should not be known to the adversary $A$, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. The formal definition of freshness is given in Definition 1.

Definition 1. An instance $\Pi^i_C$ is fresh if none of the following occurs: (1)

The security of a 3-party PAKE protocol $P$ is defined in the context of the following experiment:
Experiment $Exp_0$:
Phase 1. $A$ makes any oracle queries at will, as many times as it wishes, except that:
Phase 2. Once $A$ decides that Phase 1 is over, it outputs a bit $b'$ as a guess on the hidden bit $b$ chosen by the Test oracle.
Let $Succ_0$ be the event that $A$ succeeds in the experiment $Exp_0$. The advantage of $A$ in breaking the security of the authenticated key exchange protocol $P$ is $\mathrm{Adv}^{ake}_P(A)$.

Definition 2. A 3-party PAKE protocol $P$ is ake-secure if, for any ppt adversary $A$ asking at most $q_{send}$ Send queries, $\mathrm{Adv}^{ake}_P(A)$ is only negligibly larger than $c \cdot q_{send}/|\mathcal{D}|$, where $c$ is a very small constant (usually around 2 or 4) when compared with $|\mathcal{D}|$.
To quantify the security of protocol $P$ in terms of the amount of resources expended by adversaries, we let $\mathrm{Adv}^{ake}_P(t, Q)$ denote the maximum value of $\mathrm{Adv}^{ake}_P(A)$ over all ppt adversaries $A$ with time complexity at most $t$ and query complexity at most $Q$.

Revisiting Wang, Hu and Li (2010)'s NWPAKE-2 protocol
Implicit key authentication is the fundamental security property that any key exchange protocol is expected to achieve. In this section, we show that the NWPAKE-2 protocol of Wang, Hu and Li [24] does not achieve implicit key authentication.

Protocol description
Let $A$ and $B$ be two clients who wish to establish a session key, and let $pw_A$ and $pw_B$ denote the respective passwords of $A$ and $B$ shared with a trusted server $S$. The public parameters of the NWPAKE-2 protocol include: (1) a cyclic group $G$ of prime order $q$, and a generator $g$ of $G$; (2) a 2-party PAKE protocol 2PAKE; and (3) a pair of message authentication code (MAC) generation/verification algorithms (Mac, Ver), where Ver outputs a bit, with 1 meaning accept and 0 meaning reject. If the underlying 2-party protocol, 2PAKE, is round-optimal, NWPAKE-2 completes in 2 communication rounds as depicted in Fig. 1. The protocol description is as follows:
Step 1. $A$ and $S$ establish a secret key $k_A$ by running the 2-party protocol 2PAKE. Likewise, $B$ and $S$ establish a secret key $k_B$.
Step 2. $A$ (resp. $B$) selects a random $x \in \mathbb{Z}_q^*$ (resp. $y \in \mathbb{Z}_q^*$) and sends $X = g^x$ (resp. $Y = g^y$) to $S$.
Step 3. $S$ chooses a random $z \in \mathbb{Z}_q^*$, computes $\bar{X} = X^z$, $\bar{Y} = Y^z$ and the MACs $\rho_A$, $\rho_B$, and sends $\langle \bar{Y}, \rho_A \rangle$ and $\langle \bar{X}, \rho_B \rangle$ to $A$ and $B$, respectively.
Step 4. $A$ and $B$ abort if their received MAC is invalid. Otherwise, they compute their respective session keys, $sk_A = \bar{Y}^x$ and $sk_B = \bar{X}^y$.
At the end of the protocol execution, $A$ and $B$ will have computed the same session key $sk_A = sk_B = g^{xyz}$.

Violating implicit key authentication
We now assume that there exists an adversary $C$ who is not registered with the server, and demonstrate how $C$ can easily violate the implicit key authentication property of NWPAKE-2.
1. $C$ chooses a random $x' \in \mathbb{Z}_q^*$, computes $X' = g^{x'}$, and replaces $X$ (sent by $A$ to $S$) with $X'$.
2. Upon receipt of the "replaced" message, $S$ computes $\bar{X}$ as $\bar{X} = X'^z$, and therefore $B$'s session key $sk_B$ will be set to $g^{x'yz}$.
3. $C$ intercepts the message $\langle \bar{Y}, \rho_A \rangle$ sent by $S$ to $A$, and then computes $sk_C = \bar{Y}^{x'} = g^{x'yz} = sk_B$. In other words, $C$ is able to compute $B$'s session key even though $C$ is not $B$'s partner.
Note that NWPAKE-2 exhibits this security weakness no matter which protocol is used to instantiate 2PAKE. Protocols proven secure in a model that allows Send queries should be secure against the above attack. NWPAKE-2 was claimed to be provably secure in a variant of Abdalla et al.'s ROR model [11,12] in which the adversary is allowed to query the Execute, Send, Reveal and Test oracles. This means that the claim of provable security for NWPAKE-2 is invalid.
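To make the failure concrete, the following Python model of Steps 2 to 4 of NWPAKE-2 is an added example and not code from the paper. It assumes a constructed toy group ($p = 1019$, $q = 509$, $g = 4$, far too small for real use), replaces the 2PAKE runs of Step 1 with pre-shared random keys $k_A$ and $k_B$, and assumes that $\rho_A$ and $\rho_B$ are HMAC-SHA256 tags under $k_A$ and $k_B$ over the server's reply value, a detail the protocol description leaves open. The honest run reproduces $sk_A = sk_B = g^{xyz}$; the run with the unregistered adversary $C$ reproduces the observation of this section: $B$'s MAC check passes and $C$ holds $B$'s session key, because nothing in $S$'s processing ties the $X$ it receives to $A$.

```python
"""Toy model of NWPAKE-2 Steps 2-4 in a prime-order subgroup of Z_p^*.

Added example, not the paper's code. Assumptions: rho_A / rho_B are
HMAC-SHA256 tags under k_A / k_B over the server's reply value; the 2PAKE
runs of Step 1 are replaced by pre-shared random keys; the group is a
constructed toy safe prime, far too small for real use.
"""
import hashlib
import hmac
import secrets

# Constructed toy parameters: p = 2q + 1, g generates the order-q subgroup.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1


def mac(key: bytes, value: int) -> bytes:
    """Mac_k(value): HMAC-SHA256 over the big-endian encoding of a group element."""
    return hmac.new(key, value.to_bytes(4, "big"), hashlib.sha256).digest()


def ver(key: bytes, value: int, tag: bytes) -> bool:
    """Ver_k(value, tag): constant-time comparison against a fresh tag."""
    return hmac.compare_digest(mac(key, value), tag)


def rand_exp() -> int:
    """Uniform element of Z_q^* (never zero)."""
    return secrets.randbelow(Q - 1) + 1


def server_step3(k_a: bytes, k_b: bytes, X: int, Y: int):
    """Step 3: S raises each received value to a fresh z and MACs its replies."""
    z = rand_exp()
    Xbar, Ybar = pow(X, z, P), pow(Y, z, P)
    return (Ybar, mac(k_a, Ybar)), (Xbar, mac(k_b, Xbar)), z


def client_step4(k: bytes, own_exp: int, bar: int, tag: bytes) -> int:
    """Step 4: abort on a bad MAC, otherwise derive the session key."""
    if not ver(k, bar, tag):
        raise ValueError("MAC invalid: abort")
    return pow(bar, own_exp, P)


def honest_run():
    """Returns (sk_A, sk_B, g^{xyz}) for an unattacked execution."""
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    x, y = rand_exp(), rand_exp()
    X, Y = pow(G, x, P), pow(G, y, P)
    msg_a, msg_b, z = server_step3(k_a, k_b, X, Y)
    sk_a = client_step4(k_a, x, *msg_a)
    sk_b = client_step4(k_b, y, *msg_b)
    return sk_a, sk_b, pow(G, (x * y * z) % Q, P)


def attack_run():
    """The adversary C of Section 3.2: unregistered, knows neither k_A nor k_B."""
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    x, y = rand_exp(), rand_exp()
    X, Y = pow(G, x, P), pow(G, y, P)
    # Attack step 1: C picks x' and substitutes X' for X on its way to S.
    x_prime = rand_exp()
    while x_prime == x:  # avoid the 1/(q-1) collision that only this toy group makes visible
        x_prime = rand_exp()
    X_prime = pow(G, x_prime, P)
    # Attack step 2: S cannot tell X' from X and processes it as in Step 3.
    msg_a, msg_b, _ = server_step3(k_a, k_b, X_prime, Y)
    sk_b = client_step4(k_b, y, *msg_b)  # B's MAC verifies; B accepts g^{x'yz}
    sk_a = client_step4(k_a, x, *msg_a)  # if C forwards <Ybar, rho_A>, A accepts g^{xyz}
    # Attack step 3: C reads Ybar from the message to A (no key needed).
    Ybar, _rho_a = msg_a
    sk_c = pow(Ybar, x_prime, P)
    return {"b_key_known_to_c": sk_c == sk_b, "a_and_b_agree": sk_a == sk_b}


if __name__ == "__main__":
    print("honest:", honest_run())
    print("attack:", attack_run())
```

The defender's reading of the run: the MACs authenticate only $S$'s replies to the clients, while the first-round values $X$ and $Y$ reach $S$ unauthenticated, so the server cannot detect substitution and $B$'s session key ends up shared with whoever chose the exponent behind $\bar{X}$.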

Our proposed protocol
This section presents our 2-round 3-party PAKE protocol, which we denote 2R3PAKE ("R" is for Round), and proves its security in the communication model described in Section 2. The 2R3PAKE protocol is generic in the sense that it can be constructed from any secure 2-party PAKE protocol. Our generic construction takes only one round of communication in addition to the number of rounds required to perform the underlying 2-party protocol. Hence, applying our construction to a round-optimal 2-party PAKE protocol immediately yields a 3-party PAKE protocol running in two communication rounds.

Preliminaries
The security of 2R3PAKE is based on the decisional Diffie-Hellman assumption and the security of a message authentication code scheme, a 2-party PAKE protocol, and a symmetric encryption scheme.
Decisional Diffie-Hellman (DDH) assumption. Consider a cyclic group $G$ of prime order $q$. Informally stated, the DDH problem for $G$ is to distinguish between the two distributions $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^z)$, where $g$ is a random generator of $G$ and $x, y, z$ are chosen at random from $\mathbb{Z}_q^*$. We say that the DDH assumption holds in $G$ if it is computationally infeasible to solve the DDH problem for $G$. More formally, we define the advantage of an algorithm $D$ in solving the DDH problem for $G$ as $\mathrm{Adv}^{ddh}_G(D)$. We say that the DDH assumption holds in $G$ if $\mathrm{Adv}^{ddh}_G(D)$ is negligible for all ppt algorithms $D$; $\mathrm{Adv}^{ddh}_G(t)$ denotes the maximum value of $\mathrm{Adv}^{ddh}_G(D)$ over all algorithms $D$ running in time at most $t$. A standard way of generating a group $G$ in which the DDH assumption is assumed to hold is to choose two primes $p, q$ such that $p = rq + 1$ for some small $r \in \mathbb{N}$ (e.g., $r = 2$) and let $G$ be the subgroup of order $q$ in $\mathbb{Z}_p^*$.
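As an added example (not the paper's code), the following Python shows the group generation just described for $r = 2$: a Miller-Rabin primality test, generation of $p = 2q + 1$ and a generator of the order-$q$ subgroup, a subgroup membership check, and a sampler for the two DDH distributions. The function names and the 20-bit size are assumptions of this example, chosen so it runs in well under a second. The membership check is the practical caveat: with $p = 2q + 1$, half of $\mathbb{Z}_p^*$ lies outside the order-$q$ subgroup (the element $-1$ is the simplest case), and a party that exponentiates a received value without this check is working outside the group for which the DDH assumption is stated.

```python
"""Generating a DDH group as the order-q subgroup of Z_p^* with p = r*q + 1.

Added example, not the paper's code. Assumes r = 2 (p is a safe prime) and
toy bit-lengths; real deployments use standardized groups of proper size.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below about 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:          # trial division also handles n itself small
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness of compositeness
    return True


def gen_group(q_bits: int, r: int = 2):
    """Return (p, q, g): q prime, p = r*q + 1 prime, g of order exactly q."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1   # odd, full length
        if not is_probable_prime(q):
            continue
        p = r * q + 1
        if is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 2) + 2     # h in [2, p-1]
        g = pow(h, r, p)                     # removes the order-r component
        if g != 1:                           # order divides the prime q and is not 1
            return p, q, g


def in_subgroup(y: int, p: int, q: int) -> bool:
    """Check a party must apply to any received element before exponentiating."""
    return 1 < y < p and pow(y, q, p) == 1


def ddh_tuple(p: int, q: int, g: int, real: bool):
    """Sample (g^x, g^y, g^xy) if real, else (g^x, g^y, g^z) with independent z."""
    x = secrets.randbelow(q - 1) + 1
    y = secrets.randbelow(q - 1) + 1
    z = (x * y) % q if real else secrets.randbelow(q - 1) + 1
    return pow(g, x, p), pow(g, y, p), pow(g, z, p)


if __name__ == "__main__":
    p, q, g = gen_group(20)
    print(f"p={p} q={q} g={g}")
    print("real tuple:", ddh_tuple(p, q, g, real=True))
    print("-1 in subgroup?", in_subgroup(p - 1, p, q))
```

The check `in_subgroup` rejects $1$ (which would fix the session key) and $p - 1$ (which has order 2), both of which are valid elements of $\mathbb{Z}_p^*$ but not of $G$; an implementation that skips it is exponentiating outside the group whose DDH assumption the security proof relies on.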

Message authentication codes.
A message authentication code (MAC) scheme $\Sigma$ is a triple of efficient algorithms (Gen, Mac, Ver) where: (1) the key generation algorithm Gen takes as input a security parameter $1^\ell$ and outputs a key $k$ chosen uniformly at random from $\{0,1\}^\ell$; (2) the MAC generation algorithm Mac takes as input a key $k$ and a message $m$, and outputs a MAC (also known as a tag) $\sigma$; and (3) the MAC verification algorithm Ver takes as input a key $k$, a message $m$, and a MAC $\sigma$, and outputs 1 if $\sigma$ is valid for $m$ under $k$ or 0 if $\sigma$ is invalid. Let $\mathrm{Adv}^{suf\text{-}cma}_\Sigma(A)$ be the advantage of an adversary $A$ in violating the strong existential unforgeability of $\Sigma$ under an adaptive chosen-message attack. More precisely, $\mathrm{Adv}^{suf\text{-}cma}_\Sigma(A)$ is the probability that an adversary $A$, who mounts an adaptive chosen-message attack against $\Sigma$ with oracle access to $Mac_k(\cdot)$ and $Ver_k(\cdot)$, outputs a message/tag pair $(m, \sigma)$ such that: (1) $Ver_k(m, \sigma) = 1$ and (2) $\sigma$ was not previously output by the oracle $Mac_k(\cdot)$ as a MAC on the message $m$. We say that the MAC scheme $\Sigma$ is secure if $\mathrm{Adv}^{suf\text{-}cma}_\Sigma(A)$ is negligible for every ppt adversary $A$. Let $\mathrm{Adv}^{suf\text{-}cma}_\Sigma(t, q_{mac}, q_{ver})$ denote the maximum value of $\mathrm{Adv}^{suf\text{-}cma}_\Sigma(A)$ over all adversaries $A$ running in time at most $t$ and asking at most $q_{mac}$ and $q_{ver}$ queries to $Mac_k(\cdot)$ and $Ver_k(\cdot)$, respectively.

2-party PAKE protocols.
2R3PAKE takes as input a 2-party PAKE protocol 2PAKE. We assume that the given 2-party protocol 2PAKE outputs session keys distributed in $\{0,1\}^n$, where $n = 2\ell$, and is ake-secure against an adversary who is given access to all of the oracles Execute, Send, Reveal, Corrupt and Test. Let $\mathrm{Adv}^{ake}_{2PAKE}(A)$ be the advantage of an adversary $A$ in breaking the ake security of 2PAKE. We require that, for any ppt adversary $A$ asking at most $q_{send}$ Send queries, $\mathrm{Adv}^{ake}_{2PAKE}(A)$ is only negligibly larger than $q_{send}/|\mathcal{D}|$. $\mathrm{Adv}^{ake}_{2PAKE}(t, Q)$ denotes the maximum value of $\mathrm{Adv}^{ake}_{2PAKE}(A)$ over all adversaries $A$ with time complexity at most $t$ and query complexity at most $Q$.

Symmetric encryption schemes.
A symmetric encryption scheme $\Omega$ is a triple of efficient algorithms (Gen, Enc, Dec) where: (1) the key generation algorithm Gen takes as input a security parameter $1^\ell$ and outputs a key $k$ chosen uniformly at random from $\{0,1\}^\ell$; (2) the encryption algorithm Enc takes as input a key $k$ and a plaintext message $m$, and outputs a ciphertext $c$; and (3) the decryption algorithm Dec takes as input a key $k$ and a ciphertext $c$, and outputs a message $m$. We require that $Dec_k(Enc_k(m)) = m$ holds for all $k \in \{0,1\}^\ell$ and all $m \in \mathcal{M}$, where $\mathcal{M}$ is the plaintext space. For an eavesdropping adversary $A$ against $\Omega$ and for a random bit $b \in_R \{0,1\}$, consider the following indistinguishability experiment:
For simplicity, we assume, in this experiment, that the security parameter $1^\ell$ is implicit in the description of $\Omega$. Let $\mathrm{Adv}^{ind\text{-}seav}_\Omega(A)$ be the advantage of a single eavesdropper $A$ in breaking the indistinguishability of $\Omega$, and let it be defined as
We say that the symmetric encryption scheme $\Omega$ is secure (with respect to a single encryption) if $\mathrm{Adv}^{ind\text{-}seav}_\Omega(A)$ is negligible for every ppt adversary $A$. We use $\mathrm{Adv}^{ind\text{-}seav}_\Omega(t)$ to denote the maximum value of $\mathrm{Adv}^{ind\text{-}seav}_\Omega(A)$ over all adversaries $A$ running in time at most $t$.
MAC values exchanged in the second round). Hence, any 2-party protocol that provides implicit key authentication, including a one-round protocol, is a suitable candidate for instantiating 2PAKE.

Security proof
Theorem 1. For any adversary with time complexity at most $t$ and query complexity at most $Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test})$, its advantage in breaking the ake security of 2R3PAKE is bounded by:
where $Q' = (2q_{exec}, q_{send}, q_{send}, q_{corr}, 2q_{exec} + q_{send})$ and $t'$ is the maximum time required to perform the experiment $Exp_0$ involving an adversary who attacks 2R3PAKE with time complexity $t$.
Proof. Let $A$ be a ppt adversary who attacks the ake security of 2R3PAKE with time complexity $t$ and query complexity $Q = (q_{exec}, q_{send}, q_{reve}, q_{corr}, q_{test})$. We prove the theorem by making a series of modifications to the experiment $Exp_0$, bounding the difference in $A$'s success probability between each two consecutive (modified) experiments, and ending up with an experiment in which $A$ has a success probability of $1/2$ (i.e., $A$ has no advantage). By $Succ_i$, we denote the event that $A$ correctly guesses the hidden bit $b$ in experiment $Exp_i$.
Before presenting the first modified experiment, we define the notion of a clean instance.
Definition 3. We say an instance $\Pi^i_U$ is unclean if $A$ has queried Corrupt($U'$) for some $U' \in pid^i_U$. Otherwise, we say it is clean.
Experiment $Exp_1$. We modify the experiment by replacing each different $2\ell$-bit key (established by an execution of 2PAKE) with a random key drawn uniformly from $\{0,1\}^{2\ell}$, for all clean instances.
Claim 1. The difference in $A$'s success probability between $Exp_0$ and $Exp_1$ is bounded by:
Proof. We prove the claim by constructing an adversary $A'$ who attacks the ake security of 2PAKE with advantage equal to $\Pr_{2R3PAKE,A}[Succ_1] - \Pr_{2R3PAKE,A}[Succ_0]$. Let $k^i_U$ denote the $2\ell$-bit key held by instance $\Pi^i_U$. $A'$ chooses a random bit $b \in \{0,1\}$ and invokes the adversary $A$. $A'$ then simulates the oracles for $A$ as follows:
Execute queries. If so, $A'$ answers the Execute query as in experiment $Exp_0$. • Otherwise, $A'$ answers the query using its own oracles. $A'$ first asks two queries $A'$ returns these messages together with $T_{2PAKE}$ and $T'$
Send queries. For each Send($\Pi^i_U$, $m$) query, $A'$ checks whether $m$ is a message for initiating a new session (of 2R3PAKE), or the Send query belongs to an execution of 2PAKE. 1. If both are untrue, $A'$ responds to the query as in experiment $Exp_0$. 2. Otherwise, $A'$ answers it by making the same query to its own Send oracle.
Reveal queries. $A'$ responds to these queries as per the protocol specification.
Corrupt queries. $A'$ answers these queries using its own Corrupt oracle.
Test queries. $A'$ responds to these queries based on the bit $b$ chosen at random at the beginning of the simulation: $A'$ returns the real session key if $b = 1$, and a key chosen uniformly at random from $G$ if $b = 0$.
At some point in time, $A$ terminates and outputs its guess $b'$. When this happens, $A'$ outputs 1 if $b = b'$, and 0 otherwise. From the simulation, it is clear that:
• The probability that $A'$ outputs 1 when its Test oracle returns real session keys is equal to the probability that $A$ correctly guesses the bit $b$ in experiment $Exp_0$.
• The probability that $A'$ outputs 1 when its Test oracle returns random keys is equal to the probability that $A$ correctly guesses the bit $b$ in experiment $Exp_1$.
That is, the advantage $\mathrm{Adv}^{ake}_{2PAKE}(A')$ is the difference between these two probabilities. Since $A'$ has time complexity at most $t'$ and query complexity $Q' = (2q_{exec}, q_{send}, q_{send}, q_{corr}, 2q_{exec} + q_{send})$, it follows, by definition, that $\mathrm{Adv}^{ake}_{2PAKE}(A') \le \mathrm{Adv}^{ake}_{2PAKE}(t', Q')$. This completes the proof of Claim 1.
Experiment $Exp_2$. This experiment differs from $Exp_1$ only in that it is aborted, and the adversary does not succeed, if the following event Forge occurs.
Forge: The event that the adversary $A$ makes a Send query of the form Send($\Pi^i_U$, $V \| msg$) for uncorrupted $U$ and $V$ such that $msg$ contains a MAC forgery.
Claim 2. Then we have:
Proof. Assuming that the event Forge occurs, we construct an algorithm $F$ that outputs, with non-negligible probability, a forgery against the MAC scheme $\Sigma$. The algorithm $F$ is given oracle access to $Mac_k(\cdot)$ and $Ver_k(\cdot)$. The goal of $F$ is to produce a message/tag pair $(m, \sigma)$ such that: (1) $Ver_k(m, \sigma) = 1$ and (2) $\sigma$ was not previously output by the $Mac_k(\cdot)$ oracle on input $m$.
Let $n$ be the number of all different MAC keys established via Send queries made by $A$. Clearly, $n \le q_{send}$. $F$ begins by choosing a random $\alpha \in \{1, \ldots, n\}$. Let $k^{mac}_\alpha$ denote the $\alpha$-th key among all the $n$ MAC keys, and $Send_\alpha$ be a Send query that should be answered and/or verified using $k^{mac}_\alpha$. $F$ invokes $A$ as a subroutine and handles the oracle calls of $A$ as in experiment
• The probability that $A_{meav}$ outputs 1 when the first plaintexts are encrypted in experiment $Exp^{ind\text{-}meav}_\Omega$ is equal to the probability that $A$ succeeds in experiment $Exp_4$.
• The probability that $A_{meav}$ outputs 1 when the second plaintexts are encrypted in experiment $Exp^{ind\text{-}meav}_\Omega$ is equal to the probability that $A$ succeeds in experiment $Exp_3$.
Therefore,
Since $A_{meav}$ eavesdrops on at most $q_{send}$ encryptions and has time complexity at most $t'$, Claim 4 follows immediately from Lemma 1 of Section 4.1.
Experiment $Exp_5$. We now modify the way session keys are computed. For each clean instance and its partner instance, the shared session key is chosen uniformly at random from $G$.
On input a DDH-problem instance $(W_1 = g^{w_1}, W_2 = g^{w_2}, W_3) \in G^3$, $A_{ddh}$ chooses a random bit $b \in \{0,1\}$, invokes the adversary $A$, and simulates the oracles on its own. $A_{ddh}$ handles all the queries of $A$ as in experiment $Exp_4$ except for the following:
• $A_{ddh}$ uses $W_1$ and $W_2$ in place of $V_1$ and $V_2$ (see "the $Exp_3$ modification").
• For each clean instance $\Pi^i_C$ that sends $X = W_1^r$ and receives $Y = W_2^{r'}$, or vice versa, $A_{ddh}$ sets the session key $sk^i_C$ to $W_3^{rr'}$.
Later, when $A$ outputs its guess $b'$, $A_{ddh}$ outputs 1 if $b = b'$, and 0 otherwise. The simulation above clearly shows that:
• The probability that $A_{ddh}$ outputs 1 on a true Diffie-Hellman triple is equal to the probability that $A$ correctly guesses the bit $b$ in experiment $Exp_4$.
• The probability that $A_{ddh}$ outputs 1 on a random triple is equal to the probability that $A$ correctly guesses the bit $b$ in experiment $Exp_5$.
In experiment $Exp_5$, the session keys of all fresh instances are chosen uniformly at random from $G$, and thus the adversary $A$ obtains no information on the bit $b$ chosen by the Test oracle. Therefore, it follows that $\Pr[Succ_5] = 1/2$. This result combined with Claims 1-5 yields the statement of Theorem 1.

Concluding remarks
In this paper, we have proposed an efficient and secure 3-party password-only authenticated key exchange protocol that requires only two communication rounds. We have rigorously proved the security of the protocol in a widely accepted adversary model. Since our proof of security requires no idealizing assumptions, our proposed protocol can be considered provably secure in the standard model as long as its building blocks are also instantiated with schemes proven secure in the standard model. For a more efficient implementation of our proposed protocol, Steps 3 & 6 (see the protocol description in Section 4.2) can be omitted if
