Paper 2025/2107

Quantum-safe Identity-binding Password Authenticated Key Exchange Protocols

Pratima Jana, Indian Institute of Technology Kharagpur
Ratna Dutta, Indian Institute of Technology Kharagpur
Abstract

Password-based Authenticated Key Exchange ($\mathsf{PAKE}$) is a widely acknowledged, promising security mechanism for establishing secure communication between devices. It enables two parties to mutually authenticate each other over insecure networks and generate a session key using a low-entropy password. However, the existing $\mathsf{PAKE}$ protocols encounter significant challenges concerning both security and efficiency in the context of the Internet of Things (IoT). In response to these challenges, we contribute to the advancement of post-quantum secure $\mathsf{PAKE}$ protocols tailored for IoT applications, enriching the existing landscape. In this study, we introduce two novel protocols, $\mathsf{PAKE}$-I and $\mathsf{PAKE}$-II, designed to address these concerns and enhance the security standards of $\mathsf{PAKE}$ protocols. While $\mathsf{PAKE}$-I is secure under lattice-based hardness assumptions, $\mathsf{PAKE}$-II derives its security from isogeny-based hard problems. Our lattice-based protocol $\mathsf{PAKE}$-I is secure under the Pairing with Errors ($\mathsf{PWE}$) assumption and the Decision Ring Learning with Errors ($\mathsf{DRLWE}$) assumption, and our isogeny-based protocol $\mathsf{PAKE}$-II is secure under the hardness of the Group Action Inverse Problem ($\mathsf{GAIP}$) and the Commutative SuperSingular Diffie-Hellman ($\mathsf{CSSDH}$) problem in the Random Oracle Model ($\mathsf{ROM}$). We present a comprehensive security proof in a conventional game-based indistinguishability security model that addresses offline dictionary attacks, replay attacks, compromise attacks on both parties (client and server), and perfect forward secrecy. Additionally, our proposed $\mathsf{PAKE}$ protocols are the first post-quantum secure $\mathsf{PAKE}$s that achieve identity privacy and resistance to pre-computation attacks.
Through rigorous performance evaluations, the paper demonstrates that the proposed $\mathsf{PAKE}$ schemes are ultralight and exhibit notable advantages in total computation cost and enhanced security properties when compared to the existing protocols. Moreover, both proposed $\mathsf{PAKE}$ protocols are optimal in the sense that they achieve explicit mutual authentication in only three rounds, which is the least number of rounds required for mutual authentication between two parties.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Post-quantum Cryptography, Authenticated Key Exchange, Internet of Things, Identity Privacy
Contact author(s)
pratimajanahatiary @ kgpian iitkgp ac in
ratna @ maths iitkgp ac in
History
2025-11-17: approved
2025-11-16: received
Short URL
https://ia.cr/2025/2107
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2025/2107,
      author = {Pratima Jana and Ratna Dutta},
      title = {Quantum-safe Identity-binding Password Authenticated Key Exchange Protocols},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/2107},
      year = {2025},
      url = {https://eprint.iacr.org/2025/2107}
}