zbMATH — the first resource for mathematics

Forward secrecy of SPAKE2. (English) Zbl 1443.94045
Baek, Joonsang (ed.) et al., Provable security. 12th international conference, ProvSec 2018, Jeju, South Korea, October 25–28, 2018. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 11192, 366-384 (2018).
Summary: Currently, the simple password-based encrypted key exchange (SPAKE2) protocol of M. Abdalla and D. Pointcheval [CT-RSA 2005, Lect. Notes Comput. Sci. 3376, 191–208 (2005; Zbl 1079.94529)] is being considered by the IETF for standardization and integration in TLS 1.3. Although it has been proven secure in the find-then-guess model of Bellare, Pointcheval and Rogaway [M. Bellare et al., Eurocrypt 2000, Lect. Notes Comput. Sci. 1807, 139–155 (2000; Zbl 1082.94533)], whether it satisfies some notion of forward secrecy remains an open question.
In this work, we prove that the SPAKE2 protocol satisfies the so-called weak forward secrecy introduced by H. Krawczyk [Crypto 2005, Lect. Notes Comput. Sci. 3621, 546–566 (2005; Zbl 1145.94445)]. Furthermore, we demonstrate that the incorporation of key-confirmation codes in SPAKE2 results in a protocol that provably satisfies the stronger notion of perfect forward secrecy. As forward secrecy is an explicit requirement for cipher suites supported in the TLS handshake, we believe this work could fill the gap in the literature and facilitate the adoption of SPAKE2 in the recently approved TLS 1.3.
For the entire collection see [Zbl 1398.94007].
94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing
Full Text: DOI