International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: Security Analysis of CPace

Michel Abdalla , ENS Paris & CNRS & DFINITY
Björn Haase , Endress & Hauser Liquid Analysis
Julia Hesse , IBM Research, Zurich
DOI: 10.1007/978-3-030-92068-5_24
Search ePrint
Search Google
Presentation: Slides
Conference: ASIACRYPT 2021
Abstract: In response to standardization requests regarding password-authenticated key exchange (PAKE) protocols, the IRTF working group CFRG has setup a PAKE selection process in 2019, which led to the selection of the CPace protocol in the balanced setting, in which parties share a common password. In subsequent standardization efforts, the CPace protocol further developed, yielding a protocol family whose actual security guarantees in practical settings are not well understood. In this paper, we provide a comprehensive security analysis of CPace in the universal composability framework. Our analysis is realistic in the sense that it captures adaptive corruptions and refrains from modeling CPace's MapToPoint function that maps field elements to curve points as an idealized function. In order to extend our proofs to different CPace variants optimized for specific elliptic-curve ecosystems, we employ a new approach which represents the assumptions required by the proof as libraries accessed by a simulator. By allowing for the modular replacement of assumptions used in the proof, this new approach avoids a repeated analysis of unchanged protocol parts and lets us efficiently analyze the security guarantees of all the different CPace variants. As a result of our analysis, all of the investigated practical CPace variants enjoy adaptive UC security.
Video from ASIACRYPT 2021
  title={Security Analysis of CPace},
  author={Michel Abdalla and Björn Haase and Julia Hesse},