Two-round password-only authenticated key exchange in the three-party setting (Q2406196)

Summary: We present the first provably-secure three-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. The protocol is proven secure in a variant of the widely-accepted model of Bellare, Pointcheval and Rogaway [\textit{M. Bellare} et al., Eurocrypt 2000, Lect. Notes Comput. Sci. 1807, 139--155 (2000; Zbl 1082.94533)] without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the two-round, three-party PAKE protocol of Wang, Hu and Li [\textit{W. Wang} et al., Inscrypt 2010, Lect. Notes Comput. Sci. 6584, 218--235 (2011; Zbl 1295.94151)] and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.