Practical password-authenticated three-party key exchange

Jeong Ok Kwon, Ik Rae Jeong, Dong Hoon Lee

Research output: Contribution to journalArticlepeer-review

5 Citations (Scopus)


Password-based authentication key exchange (PAKE) protocols in the literature typically assume a password that is shared between a client and a server. PAKE has been applied in various environments, especially in the "client-server" applications of remotely accessed systems, such as e-banking. With the rapid developments in modern communication environments, such as ad-hoc networks and ubiquitous computing, it is customary to construct a secure peer-to-peer channel, which is quite a different paradigm from existing paradigms. In such a peer-to-peer channel, it would be much more common for users to not share a password with others. In this paper, we consider password-based authentication key exchange in the three-party setting, where two users do not share a password between themselves but only with one server. The users make a session-key by using their different passwords with the help of the server. We propose an efficient password-based authentication key exchange protocol with different passwords that achieves forward secrecy in the standard model. The protocol requires parties to only memorize human-memorable passwords; all other information that is necessary to run the protocol is made public. The protocol is also light-weighted, i.e., it requires only three rounds and four modular exponentiations per user. In fact, this amount of computation and the number of rounds are comparable to the most efficient password-based authentication key exchange protocol in the random-oracle model. The dispensation of random oracles in the protocol does not require the security of any expensive signature schemes or zero-knowlegde proofs.

Original languageEnglish
Pages (from-to)312-332
Number of pages21
JournalKSII Transactions on Internet and Information Systems
Issue number6
Publication statusPublished - 2008 Dec


  • Cryptography
  • Dictionary attacks
  • Key exchange
  • Provably security
  • Three-party setting
  • Undetectable dictionary attacks

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications


Dive into the research topics of 'Practical password-authenticated three-party key exchange'. Together they form a unique fingerprint.

Cite this