Password-only authenticated three-party key exchange with provable security in the standard model.

Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.

1. Introduction

Authenticated key exchange is one of the most fundamental problems in cryptography and network security. In 1992, Bellovin and Merritt [1] introduced encrypted key exchange (or EKE) protocols, which allow

arbitrary two parties, who share only a low-entropy password, to establish a common high-entropy secret key (called a session key) over an insecure public network.

Since the work of Bellovin and Merritt [1], password-only authenticated key exchange (PAKE) protocols have attracted much greater attention mainly due to the persistent popularity of passwords as a practical (and cheap) authentication method [2]. Since the publication of the first EKE protocol (with only heuristic security arguments), many provably secure PAKE protocols have been published. Recent examples include the protocol of Katz and Vaikuntanathan [3], which enjoys both round optimality and provable security in the standard model (i.e., without random oracles and ideal ciphers).

A major challenge in designing PAKE protocols is to protect passwords from a dictionary attack, in which an adversary enumerates all possible passwords while testing each one against known password verifiers in order to determine the correct one. The design of two-party PAKE protocols secure against dictionary attacks has been extensively studied over the past two decades and is now fairly well understood. However, three-party PAKE protocols have received far less attention and preventing dictionary attacks is more challenging in the three-party setting. Unlike the two-party setting that assumes the same password is shared between the two parties, the three-party setting assumes that the two parties (commonly known as clients) wishing to establish a session key do not share the same password but hold their individual password shared only with a trusted server. This implies that in the three-party setting, a malicious client can attempt to mount an insider dictionary attack against its partner client. Indeed, many published three-party PAKE protocols were subsequently found to be vulnerable to an insider online/offline dictionary attack (e.g., [4-10]).

It is widely regarded that the design of key exchange protocols (including PAKE protocols) is notoriously hard, and conducting security analysis for such protocols is time-consuming and error-prone [11-13]. The many flaws discovered in published protocols have promoted the use of formal models and rigorous security proofs [14-16]. In the provable security paradigm for protocol analysis, a deductive reasoning process is adopted whereby emphasis is placed on a proven reduction from the problem of breaking the protocol to another problem believed to be computationally hard. A complete mathematical proof with respect to cryptographic definitions provides a strong assurance that a protocol is behaving as desired. It is now standard practice for protocol designers to provide security proofs in a well-defined formal model in order to assure protocol implementers about the security properties of protocols.

Over the past decade, we have seen a number of PAKE protocols proposed in the three-party setting [4–8, 17–29]. Many of these published protocols either did not have a proof of security [5, 6, 17, 22–25] or were subsequently found to be flawed [4–10, 12, 23, 24, 27, 30–36]. There are only a handful of provably secure three-party PAKE protocols [4, 7, 8, 21] whose claimed security properties have not been invalidated. However, there are limitations in the security proof of these protocols. For example, the protocols of [7, 8] are proven secure in the random oracle model. Although a proof of security in the random oracle model is definitely better than having no proof, it may not guarantee security in the real world (currently an open question). The protocols of [4, 21] are proven secure in a restricted model where the adversary is not allowed to corrupt protocol participants. Note that a protocol proven secure in such a restricted model cannot guarantee its security against attacks by malicious clients including insider online/offline dictionary attacks. (Readers who are unfamiliar with formal security models are referred to Section 2.1.) Although Yang and Cao [37] proposed a new three-party key exchange protocol that was proven secure in the standard model, the protocol is based on the ElGamal encryption scheme and thus requires a server's public key as well as clients' passwords to be preestablished before the protocol is ever executed. We refer the readers to [33, 38–44] for other recently published protocols designed to work in a “hybrid” setting where a cryptographic key is required in addition to passwords.

To the best of our knowledge, there is no published three-party PAKE protocol whose security is proven secure in the standard model that allows an adversary to corrupt protocol participants. In this work, we present the first three-party PAKE protocol that achieves provable security in the standard model against an active adversary with the corruption capability. We prove the security of session keys for our protocol in the widely accepted indistinguishability-based model of Bellare, Pointcheval, and Rogaway [14]—this model is, probably, one of the most popular proof models in the provable security paradigm for key exchange protocols. However, the indistinguishability-based security of session keys proven in the Bellare-Pointcheval-Rogaway model (and several other standard models) does not imply the security of passwords against undetectable online dictionary attacks, in which each guess on the password is checked undetectably via an online transaction with the server (see Section 2.3 for more details). We address this problem by providing a separate proof of security for the protocol against undetectable online dictionary (UDOD) attacks. This second proof is compact and elegant and does not rely upon idealized assumptions about the cryptographic primitives. Table 1 compares our protocol against other provably secure three-party PAKE protocols in terms of security proofs.

Table 1

Security proof comparison.

Protocol	Idealized assumption	Adversary capability	Resistance to UDOD attacks†
Our protocol	None	Not restricted	Proven
GPAKE [21]	None	Restricted from corrupting parties	No [4]
NGPAKE [4]	None		Not proven
Lin and Hwang [7]	Random oracles	Not restricted	Not proven
Wu et al. [8]	Random oracles	Not restricted	Not proven

†Resistance to undetectable online dictionary attacks.

The remainder of this paper is structured as follows. Section 2 describes a formal proof model along with the associated definitions of security. Section 3 presents our proposed three-party PAKE protocol. In Section 4, we prove that the proposed protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks. We conclude the paper in Section 5.

2. Formal Setting

In this section, we

first describe a security model adapted from the Bellare-Pointcheval-Rogaway 2000 model [14],

define a typical indistinguishability-based security of session keys, which we call the SK security,

provide a simple and intuitive definition of security against undetectable online dictionary attacks.

2.1. The Security Model

Protocol Participants. Let 𝒞 be the set of all clients registered with the trusted authentication server S. Clients C, C′ ∈ 𝒞 who are both registered with S may run a three-party PAKE protocol P at any point in time to establish a session key. Let 𝒰 = 𝒞 ∪ {S}. A party U ∈ 𝒰 may have several instances involved in distinct, possibly concurrent, executions of protocol P. We use Π to denote the ith instance of party U. A client instance Π is said to accept when it successfully computes its session key sk in a protocol execution.

Long-Term Keys. Each client C ∈ 𝒞 chooses a password pw from a fixed dictionary   PW and shares it with the server S via a secure channel. Accordingly, S holds all the passwords {pw | C ∈ 𝒞}. Each password pw is used as the long-term secret key of C and S.

Partnership. The notion of partnership is a key element in defining the security of the protocol. Two instances are partners if both participate in a protocol execution and establish a (shared) session key. We define the partnership relations between instances using the notions of session identifiers and partner identifiers (see [45] on the role and the possible construct of session and partner identifiers as a form of partnering mechanism that enables the right session key to be identified in concurrent protocol executions.). A session identifier (sid) is a unique identifier of a protocol session and is defined as a function of the messages transmitted in the protocol session. We use sid to denote the  sid of instance Π . A partner identifier (pid) is the set of participants of a specific protocol session. Instances should receive as input a  pid before they can run the protocol. By pid, we denote the  pid given to instance Π . Notice that pid consists of three participants: server S, client C, and another client C′ with whom Π believes it runs the protocol. We say that any two instances Π and Π are partners if (1) both Π and Π have accepted, (2)  sid = sid , and (3)  pid = pid .

Adversary. In the model, the probabilistic polynomial-time (ppt) adversary, 𝒜, controls all the communications that take place between parties via a predefined set of oracle queries. For example, the adversary can ask participants to reveal session keys and passwords using  Reveal and  Corrupt queries as described below.We represent the number of queries used by an adversary as an ordered sequence of five nonnegative integers, Q = (q ex, q se, q re, q co⁡, q te), where the five elements refer to the numbers of queries that the adversary made, respectively, to its  Execute,   Send,   Reveal,   Corrupt, and   Test oracles. We call this usage of queries by an adversary the query complexity of the adversary.

Execute(Π , Π , Π ). This query models passive eavesdropping of a protocol execution. It prompts an honest execution of the protocol between the instances Π , Π and Π . The transcript of the protocol execution is returned as the output of the query.

Send(Π , m). This query models active attacks against the protocol. It sends message m to instance Π and returns the message that Π sends out in response to m. A query of the form  Send(Π ,  start : (C, C′, S)) prompts Π to initiate the protocol with pid = (C, C′, S).

Reveal(Π ). This query returns the session key sk . This query captures the notion of known key security (and it is often reasonable to assume that the adversary will be able to obtain session keys from any session different from the one under attack). Any client, Π , upon receiving such a query and if it has accepted and holds some session key, will send this session key back to 𝒜. However, the adversary is not allowed to ask this query if it has already made a  Test query to the instance Π or its partner instance (see below for explanation of the  Test oracle).

Corrupt(U). This query captures not only the notion of forward secrecy but also unknown key share attacks and insider attacks. The query provides the adversary with U's password pw. Notice that a  Corrupt query does not result in the release of the session keys since the adversary already has the ability to obtain session keys through  Reveal queries. If U = S (i.e., the server is corrupted), all clients' passwords stored by the server will be returned.

Test(Π ). This query is the only oracle query that does not correspond to any of the adversary's abilities. If  Π has accepted with some session key and is being asked a  Test(Π ) query, then depending on a randomly chosen bit b, the adversary is given either the actual session key (when b = 1) or a session key drawn randomly from the session key distribution (when b = 0). The adversary can access the  Test oracle as many times as necessary. All the queries to the oracle are answered using the same value of the hidden bit b. Namely, the keys returned by the  Test oracle are either all real or all random. But, we require that for each different set of partners, the adversary should access the  Test oracle only once.

2.2. Session Key (SK) Security

We now define the basic security, called the SK security, of a 3-party PAKE protocol. As usual, we define the SK security via the notion of freshness. Intuitively, a fresh instance is one that holds a session key which should not be known to the adversary 𝒜, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. The formal definition of freshness is explained in Definition 1.

Definition 1

An instance Π is fresh if none of the following occurs: (1) 𝒜 queries   Reveal(Π ) or   Reveal(Π ), where Π is the partner of Π and (2) 𝒜 queries Corrupt(U), for some U ∈ pid , before Π or its partner Π accepts.

The SK security of a 3-party PAKE protocol P is defined in the context of the following two-stage experiment.

Stage 1

𝒜 makes any oracle queries at will except that:

𝒜 is not allowed to ask the  Test(Π ) query if the instance Π is unfresh.

𝒜 is not allowed to ask the  Reveal(Π ) query if it has already made a  Test query to Π or Π , where Π is the partner of Π .

Stage 2

Once 𝒜 decides that Phase 1 is over, it outputs a bit b′ as a guess on the hidden bit b chosen by the   Test oracle. 𝒜 is said to succeed if b = b′.

Let   Succ be the event that 𝒜 succeeds in this experiment. Then we define the advantage of 𝒜 in breaking the SK security of protocol P as where the maximum is over all   ppt adversaries 𝒜 with time complexity at most t and query complexity at most Q.

Definition 2

A 3-party PAKE protocol P is SK-secure if, for any ppt adversary 𝒜 asking at most q se   Send queries, Adv sk(𝒜) is only negligibly larger than c · q se/|PW|, where c is a very small constant (usually around 2 or 4) when compared with |PW|.

2.3. Modelling Undetectable Online Dictionary Attacks

The SK security does not imply security against undetectable online dictionary attacks. In other words, a 3-party PAKE protocol that is not secure against an undetectable online dictionary attack may be rendered SK-secure. To see this, suppose that a 3-party PAKE protocol P is susceptible to undetectable online dictionary attacks whereby an attacker A can find out the password of any registered client B. Then, we can construct an adversary 𝒜 who attacks protocol P with advantage 1 as follows.

Corruption. If A is a registered client, 𝒜 queries   Corrupt(A) to obtain the password pw. Otherwise, 𝒜 skips this step.

Undetectable Online Dictionary Attacks. Next, 𝒜 runs the protocol P in the same way as A conducts its undetectable online dictionary attacks against client B. Note that 𝒜 can perfectly simulate A's attack by using the disclosed password pw and by asking oracle queries appropriately. At the end of this step, 𝒜 will obtain the password pw as a result of the attacks.

Impersonation. 𝒜 then initiates a new protocol session by querying   Send(Π ,   start:(B, C, S)), where Π is an unused instance of an uncorrupted client C. 𝒜 runs this session as per the protocol specification, but simulating by itself all the actions of B (by using pw). At the end of the session, the instance Π will accept with its session key sk .

Test. The instance Π is fresh as (1) no   Reveal query has been made on Π or its partner (which does not exist) and (2) no   Corrupt query has been made against any of B, C, and S. Thus, 𝒜 may ask the   Test(Π ) query. Since 𝒜 can compute the session key sk by itself, it follows that Pr[Succ] = 1 and thus Adv sk(𝒜) = 1.

Since verifying the correctness of a password guess may require more than one   Send queries to be asked, 𝒜 may have to ask   Send queries as many times as d · |PW|, for some integer d ≥ 1, to correctly determine the password pw. Then, even if Adv sk(𝒜) = 1, the following holds for some c ≥ 1: and the protocol P is rendered SK-secure by Definition 2.

This result is not surprising since we call a protocol SK-secure if mounting an online dictionary attack by asking   Send queries is the best an adversary can do. However, we want to be able to distinguish undetectable online dictionary attacks from detectable online dictionary attacks, and ensure that the best an adversary can do is to mount a detectable online dictionary attack. The following new definitions together provide a simple and intuitive way of capturing security against undetectable online dictionary attacks.

Definition 3

The   Send(Π , m) query models an online dictionary attack if both the following are true at the time of the termination of instance Π : (1) m was not output by a previous   Send query asked to an instance of C by which, Π believes, m was sent and (2) the adversary 𝒜 queried neither   Corrupt(S) nor   Corrupt(C).

In Definition 3, the first condition implies that a straightforward delivery of a message between instances is not considered as an online dictionary attack while the second condition implies that, when C′ is the (assumed) peer of client C, the adversary 𝒜 can corrupt the peer client C′ to mount an (insider) online dictionary attack. Note that our definition of an online dictionary attack does not impose any restriction on asking   Reveal queries.

Consider the two-stage experiment described in the previous section. Let   Undet be the event that in the experiment, a server instance terminates normally when an online dictionary attack was mounted against the instance. We say that the adversary 𝒜 succeeds in mounting an undetectable online dictionary attack if the event   Undet occurs.

Definition 4

A 3-party PAKE protocol P is secure against an undetectable online dictionary attack if, for any ppt adversary 𝒜 asking at most q se   Send queries, Pr[Undet] is only negligibly larger than c · q se/|PW|, where c is as in Definition 2.

3. Our Proposed Protocol

As we have earlier claimed, our proposed protocol presented in this section is the first three-party PAKE protocol proven secure in the standard model against an active adversary who has the corruption ability.

3.1. Preliminaries

We begin by reviewing some cryptographic primitives which underlie the security of our protocol.

Decisional Diffie-Hellman (DDH) Assumption. Let 𝔾 be a cyclic (multiplicative) group of prime order q. Since the order of 𝔾 is prime, all the elements of 𝔾, except 1, are generators of 𝔾. Let g be a random fixed generator of 𝔾 and let x, y, z be randomly chosen elements in ℤ where z ≠ xy. Informally stated, the DDH problem for 𝔾 is to distinguish between the distributions of (g , g , g ) and (g , g , g ), and the DDH assumption is said to hold in 𝔾 if it is computationally infeasible to solve the DDH problem for 𝔾. More formally, we define the advantage of 𝒟 in solving the DDH problem for 𝔾 as Adv ddh(𝒟) = |Pr[𝒟(𝔾, g, g , g , g ) = 1] − Pr[𝒟(𝔾, g, g , g , g ) = 1]|. We say that the DDH assumption holds in 𝔾 if Adv ddh(𝒟) is negligible for all ppt algorithms 𝒟. We denote by Adv ddh(t) the maximum value of Adv ddh(𝒟) over all algorithms 𝒟 running in time at most t.

Message Authentication Codes. Let Σ = (Gen, Mac, Ver) be a message authentication code (MAC) scheme. The key generation algorithm   Gen takes as input a security parameter 1 and outputs a key k chosen uniformly at random from {0,1}. The MAC generation algorithm   Mac takes as input a key k and a message m and outputs a MAC (also known as a tag) σ. The MAC verification algorithm   Ver takes as input a key k, a message m, and a MAC σ and outputs 1 if σ is valid for m under k or outputs 0 if σ is invalid. Let Adv Σ euf-cma(𝒜) be the probability that an adversary 𝒜 succeeds in breaking the existential unforgeability of Σ under adaptive chosen message attacks. We say that the MAC scheme Σ is secure if Adv Σ euf-cma(𝒜) is negligible for every  ppt adversary 𝒜. We use Adv Σ euf-cma(t, q mac, q ver) to denote the maximum value of Adv Σ euf-cma(𝒜) over all  ppt adversaries 𝒜 running in time at most t and asking at most q mac and q ver queries to its MAC generation and verification oracles, respectively.

Two-Party PAKE Protocols. Let  2PAKE be a two-party PAKE protocol that outputs session keys distributed in {0,1}. We assume that  2PAKE is SK-secure against an adversary who is given access to all the oracles:   Send,   Execute, Reveal,   Corrupt, and   Test. Let   be the advantage of an adversary 𝒜 in breaking the SK security of  2PAKE. We require that, for all  ppt adversaries 𝒜 making at most q se   Send queries,   is only negligibly larger than . We denote by ADV the maximum value of Adv over all  ppt adversaries 𝒜 with time complexity at most t and query complexity at most Q.

3.2. Protocol Description

Let A and B be two clients who wish to establish a session key, and let S be a trusted server with which A and B have secretly shared their respective passwords pw and pw. Our protocol proceeds as follows.

Step 1

A and S establish a shared secret key k by running the two-party protocol  2PAKE. Likewise, B and S establish a shared secret key k .

Step 2

A (resp., B and S) selects a nonce n (resp., n and n ) at random from ℤ and sends A||n (resp., B||n and S||n ) to the other two parties. All the parties (A, B, and S) define their session identifiers as  sid.

Step 3

A chooses a random x ∈ ℤ , computes X = g and  , and sends A||X||σ to S. Meanwhile, B chooses a random y ∈ ℤ , computes Y = g and  , and sends B||Y||σ to S.

Step 4

S checks that  Ver and  Ver = 1. If either of these is untrue, S aborts the protocol. Otherwise, S computes   and   and sends S||Y||σ and S||X||σ to A and B, respectively.

Step 5

A computes the session key sk = Y if  Ver, while B computes the session key sk = X if  Ver. A and B abort the protocol if their verification fails.

The operation of this protocol is illustrated in Figure 1. Steps 1 and 2 of the protocol are independent and can be performed in parallel. The session-key computation in the protocol is the same as in the Diffie-Hellman key exchange protocol (i.e., sk = g ). Hence, it is straightforward to verify the correctness of the protocol.

Figure 1

The proposed three-party PAKE protocol.

4. Security Proofs

In this section we prove that our three-party PAKE protocol is SK-secure and is resistant to undetectable online dictionary attacks. The proofs of both properties rely on neither random oracles nor ideal ciphers. Therefore, if   2PAKE is instantiated with a protocol proven secure in the standard model (e.g., [3, 49]), our three-party PAKE protocol would also be provably secure in the standard model. Hereafter, we denote our protocol by   3PAKEsm (“sm” for “standard model”).

4.1. Proof of SK Security

We first claim that, if the underlying two-party protocol   2PAKE is SK-secure, then the   3PAKEsm protocol is SK-secure as well under the DDH assumption in 𝔾 and the security of the MAC scheme Σ.

Theorem 5

Let Q = (q ex, q se, q re, q co⁡, q te). For any adversary with query complexity at most Q and time complexity at most t, its advantage in attacking protocol   3PAKEsm is bounded by where Q′ = (2q ex, q se, 0, q co⁡, 2q ex + q se) and t′ is the maximum time required to perform an entire experiment involving an adversary who attacks protocol  3PAKEsm with time complexity t.

Proof

Assume an adversary 𝒜 attacking protocol   3PAKEsm with time complexity t and query complexity Q = (q ex, q se, q re, q co⁡, q te). We prove Theorem 5 by introducing a sequence of experiments E x p r 0,…, E x p r 5 and bounding the difference in 𝒜's advantage between two consecutive experiments. Exp r 0 is the original experiment (described in Section 2.2) in which 𝒜 attacks the actual protocol, and E x p r 5 is the experiment in which the advantage of 𝒜 is 0. Let  Succ be the event that 𝒜 correctly guesses the hidden bit b (chosen by the  Test oracle) in experiment E x p r . By definition, we get  Adv.

Before providing details of the proof, we first define the notion of an uncorrupted instance.

Definition 6

We say an instance Π is clean if no one in  pid has been asked a   Corrupt query. Otherwise, we say it is unclean.

Experiment E x p r 1. We modify the experiment so that each different MAC key is chosen uniformly at random from {0,1} for all clean instances. The difference in 𝒜's success probability between E x p r 0 and E x p r 1 is bounded by

Claim 1

Assume that the advantage of 𝒜 in attacking protocol   3PAKEsm is different between two experiments E x p r 0 and E x p r 1. Then we prove the claim by constructing, from 𝒜, an adversary   attacking protocol   2PAKE with time complexity t′ and query complexity Q′.

begins by choosing a bit b uniformly at random.   then invokes 𝒜 as a subroutine and answers the oracle queries of 𝒜 on its own as follows.

Execute Queries.   answers   Execute queries of 𝒜 by making   Execute and   Test queries to its own oracles. Specifically,   handles each   Execute(Π , Π , Π ) query as follows.

If anyone in {A, B, S} has been corrupted, then   answers the   Execute query as in experiment E x p r 0.

Otherwise,   first makes two queries   Execute(Π , Π ) and   Execute(Π , Π ). Let   T and  T be two transcripts returned in response to the   Execute queries. Next,   makes the queries   Test(Π ) and   Test(Π ) and receives in return two keys and (either real or random).   then generates the messages of Steps 2–4 of protocol   3PAKEsm, using and as the MAC keys. Finally,   returns these messages prepended by   T and  T.

Send Queries. At a high level, the simulation of the   Send oracle is similar to that of the   Execute oracle. Specifically,   handles each   Send(Π , m) query as follows.

If the instance Π is clean or the message m belongs to Step 2 or later steps, then   answers the query as in experiment E x p r 0.

Otherwise,   answers it by making the same query to its own   Send oracle. If the query causes Π to accept, then   also makes a   Test(Π ) query (if it had not previously asked a   Test query to the partner of Π ). As in the simulation of the   Execute oracle,   uses the output of this   Test query as the MAC key in generating the messages of Steps 2–4 of protocol   3PAKEsm.

Reveal Queries. These queries are answered in the obvious way. Namely,   responds to the query   Reveal(Π ) by returning the session key sk .

Corrupt Queries. When 𝒜 queries   Corrupt(U),   makes the same query to its own   Corrupt oracle and simply forwards the output to 𝒜.

Test Queries.   answers these queries according to the bit b chosen at the beginning of the simulation. That is,   returns real session keys, which it has computed on its own, if b = 1, and otherwise returns random keys chosen uniformly at random from 𝔾.

Now at some point in time, when 𝒜 terminates and outputs its guess b′,   outputs 1 if b = b′ and outputs 0 otherwise.

From the simulation above, it is easy to see that   has at most time complexity t′ and query complexity Q′. The advantage of   in attacking protocol   2PAKE is immediate if we notice the following. This means that  Adv =|Pr[Succ. Claim 1 then follows.

The probability that   outputs 1 when its   Test oracle returns real session keys is equal to Pr[Succ, the probability that 𝒜 correctly guesses the bit b in experiment E x p r 0.

The probability that   outputs 1 when its   Test oracle returns random keys is equal to Pr[Succ, the probability that 𝒜 correctly guesses the bit b in experiment E x p r 1.

Experiment E x p r 2. Let   Repeat be the event that a nonce selected by an instance of a party is selected again by another instance of the same party. The experiment E x p r 2 is aborted, and the adversary does not succeed, if the event   Repeat occurs. This is the only difference between E x p r 1 and E x p r 2. By a straightforward calculation, we get the following.

Claim 2

Experiment E x p r 3. Let   Forge be the event that the adversary 𝒜 makes a   Send query of the form   Send(Π , V||∗||σ) before querying   Corrupt(W), for some  , such that (1) σ is a valid tag on  and (2) no oracle had not previously generated a tag on . If  Forge occurs, this experiment is aborted and the adversary does not succeed. Then we have the following.

Claim 3

Assuming that the event   Forge occurs, we construct, from 𝒜, an algorithm ℱ who outputs, with a nonnegligible probability, a forgery against the MAC scheme Σ. The algorithm ℱ is given oracle access to  Mac and  Ver. The goal of ℱ is to produce a message/tag pair (m, σ) such that (1) σ is a valid tag on the message m (i.e.,  Ver and (2) ℱ had not previously queried its oracle  Mac on the message m.

Let n be the number of all active sessions that 𝒜 initiates by asking a   Send query. First, ℱ chooses a random α ∈ {1,…, n}. ℱ then simulates the oracle calls of 𝒜 as in experiment E x p r 2; except that in the αth session, it answers   Send queries by accessing its MAC generation and verification oracles. If   Forge occurs in the αth session, ℱ halts and outputs the message/tag pair generated by 𝒜 as its forgery. Otherwise, ℱ halts and outputs a failure indication. This simulation is perfect unless the adversary 𝒜 makes a   Corrupt query against a participant of the αth session. But note that the event of 𝒜 making such a   Corrupt query should not happen if   Forge occurs in the αth session.

From the simulation, it is immediate that  Adv Σ euf-cma(ℱ) = Pr⁡[Forge]/n. Since n ≤ q se, we get   Pr[Forge] ≤ q se · Adv Σ euf-cma(ℱ). Then, Claim 3 follows by noticing that ℱ has at most time complexity t′ and makes at most 4 queries to   Mac (·) and   Ver (·).

Experiment E x p r 4. This experiment is different from E x p r 3 in that the session key sk of each pair of instances partnered via an   Execute query is chosen uniformly at random from 𝔾 instead of being computed as sk = g = X = Y . As the following claim states, the difference in 𝒜's advantage between E x p r 3 and E x p r 4 is negligible if the DDH assumption holds in 𝔾.

Claim 4

Assume that the advantage of 𝒜 is nonnegligibly different between E x p r 3 and E x p r 4. We prove the claim by constructing, from 𝒜, a distinguisher 𝒟 that solves the DDH problem in 𝔾. Let (g 1, g 2, g 3) ∈ 𝔾 3 be an instance of the DDH problem given as input to 𝒟. 𝒟 begins by choosing a bit b uniformly at random. 𝒟 then invokes 𝒜 as a subroutine and proceeds to simulate the oracles. 𝒟 answers all the oracle queries of 𝒜 as in experiment E x p r 3, except that it handles each   Execute(Π , Π , Π ) query by Let b′ be the output of 𝒜. 𝒟 outputs 1 if b = b′ and outputs 0, otherwise.

selecting two random a , b ∈ ℤ ,

computing X′ = g 1 and Y′ = g 2 ,

returning a transcript generated with X′ and Y′ in place of X and Y,

then setting sk = sk = g 3 .

Then, the following is clear: This completes the proof of Claim 4.

The probability that 𝒟 outputs 1 on a true Diffie-Hellman triple is exactly the probability that 𝒜 correctly guesses the bit b in experiment E x p r 3.

The probability that 𝒟 outputs 1 on a random triple is exactly the probability that 𝒜 correctly guesses the bit b in experiment E x p r 4.

Experiment E x p r 5. In this experiment, the session key sk of each instance Π activated by a   Send query is chosen uniformly at random from 𝔾 if no one in  pid has been corrupted before Π determines its session identifier   sid . The difference in 𝒜's advantage between E x p r 4 and E x p r 5 is bounded by the following.

Claim 5

The proof of this claim is essentially similar to that of Claim 4. From the adversary 𝒜 whose advantage is nonnegligibly different between E x p r 4 and E x p r 5, we construct a distinguisher 𝒟 that solves the DDH problem in 𝔾. Let (g 1, g 2, g 3) ∈ 𝔾 3 be an instance of the DDH problem given as input to 𝒟. 𝒟 begins by selecting a bit b uniformly at random and generating a list   DDHList which is used to link an instance of the DDH problem to a session identifier, 𝒟 then runs 𝒜 as a subroutine and simulates the oracles. It handles all the queries of 𝒜 as in experiment E x p r 4 except for   Send queries.

Consider a query of the form   Send(Π , U||n ) which delivers a random nonce n to instance Π . Whenever such a query is made, 𝒟 answers it as follows.

If n is not the last nonce that Π is expected to receive, 𝒟 simply waits for the next nonce.

Otherwise, 𝒟 defines   sid and checks that anyone in   pid was corrupted.

If so, 𝒟 responds to the query as in experiment E x p r 4.

If not, 𝒟 checks if the list   DDHList contains an entry of the form   (sid , X′, Y′, Z′), where X′, Y′, Z′ ∈ 𝔾.

If it does, 𝒟 computes   σ CS = Mac (C||Y′||sid ) and returns C||Y′||σ CS in response to the query.

Otherwise, 𝒟 selects two random a , b ∈ ℤ , computes X′ = g 1 , Y′ = g 2 , Z′ = g 3 , and   σ CS = Mac (C||X′||sid ), returns C||X′||σ CS to 𝒜, and finally adds the tuple   (sid , X′, Y′, Z′) to   DDHList.

When 𝒜 makes a  Send query that causes an instance Π to accept, 𝒟 checks if   DDHList contains an entry of the form  (sid. If so, 𝒟 sets sk = Z′. Otherwise, 𝒟 computes sk as in experiment E x p r 4. For all other  Send queries of 𝒜, 𝒟 answers them as in experiment E x p r 4. Now when 𝒜 terminates and outputs its guess b′, 𝒟 outputs 1 if b = b′ and outputs 0 otherwise.

One can easily see the following. This implies Claim 5.

The probability that 𝒟 outputs 1 on a true Diffie-Hellman triple is exactly the probability that 𝒜 correctly guesses the bit b in experiment E x p r 4.

The probability that 𝒟 outputs 1 on a random triple is exactly the probability that 𝒜 correctly guesses the bit b in experiment E x p r 5.

In experiment E x p r 5, the session keys of all fresh instances are chosen uniformly at random from 𝔾 and thus the adversary 𝒜 obtains no information on the bit b chosen by the   Test oracle. Therefore, it follows that   Pr[Succ 5] = 1/2. This result combined with the previous claims yields the statement of Theorem 5.

4.2. Proof of Resistance to Undetectable Online Dictionary Attacks

We now claim that   3PAKEsm is secure against undetectable online dictionary attacks as long as the   2PAKE protocol is SK-secure.

Theorem 7

Let   Undet be as defined in Section 2.3 and assume that for any ppt adversary 𝒜′ asking at most q se    Send queries,  Adv is only negligibly larger than  . Then, for any   ppt adversary 𝒜 asking at most q se   Send queries,  Pr is only negligibly larger than  2 · .

Let 𝒜 be a  ppt adversary who asks q se   Send queries in mounting an undetectable online dictionary attack against   3PAKEsm. Consider the experiment E x p r 1 described in the proof of Theorem 5 (see Section 4.1). By  Undet (resp.,  Undet), we denote the event   Undet defined in experiment E x p r 1 (resp., E x p r 0). We prove Theorem 7 by first proving Claim 6 and then Claim 7.

Claim 6

|Pr is only negligibly larger than  .

Claim 7

Pr is only negligibly larger than  .

We prove the claim by constructing an adversary 𝒜′ who attacks the SK security of   2PAKE witfh advantage equal to  |Pr.

𝒜′ chooses a random bit b ∈ {0,1} and invokes the adversary 𝒜 as a subroutine. 𝒜′ then simulates the oracles for 𝒜 in the exactly same way as in the simulation for the proof of Claim 1. 𝒜′ outputs 1 if  Undet occurs and 0 otherwise. From the way the oracles are simulated, it is easy to see the following. Since 𝒜′ makes at most q se   Send queries, we obtain the statement of Claim 6.

The probability that 𝒜′  outputs 1 when its   Test oracle returns real session keys is equal to the probability that the event   Undet occurs in experiment E x p r 0.

The probability that 𝒜′ outputs 1 when its   Test oracle returns random keys is equal to the probability that the event   Undet occurs in experiment E x p r 1.

Assume that  Pr is nonnegligibly larger than  . Given the adversary 𝒜, we construct an adversary 𝒜′ against   2PAKE who asks at most q se   Send queries but has an advantage nonnegligibly larger than  .

𝒜′ runs 𝒜 as a subroutine while simulating the oracles on its own. 𝒜′ handles all the oracle queries of 𝒜 as in the experiment E x p r 1 except for   Send queries. When 𝒜 makes a   Send(Π , m) query, 𝒜′ checks if m is a message for initiating a new session (of   3PAKEsm) or the   Send query belongs to an execution of   2PAKE.

If both are untrue, 𝒜′ responds to the query as in experiment E x p r 1.

Otherwise, 𝒜′ answers it by making the same query to its own   Send oracle. If the query prompts Π to accept, then 𝒜′ checks if Π is clean.

If so, 𝒜′ sets the MAC key of Π to be a random key drawn uniformly from {0,1}.

Otherwise, 𝒜′ makes a   Reveal(Π ) query and sets the MAC key of Π to be the output of this   Reveal query.

Let Π be any server instance against which 𝒜 has mounted an online dictionary attack. Let k be the session key (i.e., the MAC key) that the instance Π has computed in its execution of   2PAKE. In order for the instance Π to terminate normally, the adversary 𝒜 has to make a query of the form   Send(Π , C||∗||σ CS) such that   Ver (C||∗||sid , σ CS) = 1. When 𝒜 makes such a    Send query (i.e., when the event Undet occurs), 𝒜′ makes a   Test query against the instance Π . Note that the instance Π is fresh as (1) it is partnered with no instance and (2)  S and C must have not been corrupted. Let be the key returned in response to the   Test query. 𝒜′ outputs 1 if    and outputs 0, otherwise. If  Undet does not occur, 𝒜′ outputs a random bit. Then, it is not hard to see that This completes the proof of Claim 7.

Theorem 7 immediately follows from Claims 6 and 7.

5. Conclusion

In this work, we have presented a three-party PAKE protocol whose security does not rely on the existence of random oracles. The model that we used to prove the security of our protocol allows the adversary to ask    Corrupt queries and thus captures insider attacks as well as forward secrecy. It is a known fact that proving the security of protocols in such a model is of particular importance in the three-party setting as insider dictionary attacks are most serious threats to three-party PAKE protocols. To the best of our knowledge, our protocol is the first three-party PAKE protocol proven secure against insider, active adversaries in the standard model (i.e., without random oracles and ideal ciphers). Another advantage our protocol has over previously published protocols is that it also achieves provable security against undetectable online dictionary attacks. The latter property is also significant as designing three-party PAKE protocol secure against undetectable online dictionary attacks is an ongoing challenge (as evidenced by the number of three-party PAKE protocols found to be vulnerable to an undetectable online dictionary attack). We leave it as a future work to design a three-party PAKE protocol that achieves not only provable security in the standard model but is more efficient than our protocol.