cispa_all_3697.pdf (572.49 kB)

CHIP and CRISP: Protecting All Parties Against Compromise through Identity-Binding PAKEs

Download (572.49 kB)
conference contribution
posted on 2023-11-29, 18:21 authored by Cas CremersCas Cremers, Moni Naor, Shahar Paz, Eyal Ronen
Recent advances in password-based key exchange (PAKE) protocols can offer stronger security guarantees for globally deployed security protocols. Notably, the OPAQUE protocol realizes saPAKE [Eurocrypt2018], strengthening the protection offered by aPAKE to compromised servers: after compromising an saPAKE server, the adversary still has to perform a full brute-force search to recover any passwords or impersonate users. However, (s)aPAKEs do not protect client storage, and can only be applied in the so-called asymmetric setting, in which some parties, such as servers, do not communicate with each other. Nonetheless, passwords are also widely used in symmetric settings, where a group of parties share a password and can all communicate (e.g., Wi-Fi with client devices, routers, and mesh nodes; or industrial IoT scenarios). In these settings, the (s)aPAKE techniques cannot be applied, and the state-of-the-art still involves handling plaintext passwords. In this work, we propose the notions of (strong) identity-binding PAKEs that improve this situation in two dimensions: they protect all parties from compromise, and can also be applied in the symmetric setting. We propose stronger counterparts to state-of-the-art security notions from the asymmetric setting in the UC model, and construct protocols that provably realize them. Our constructions bind the local storage of all parties to abstract identities, building on ideas from identity-based key exchange, but without requiring a third party. Our first protocol, CHIP, generalizes the security of aPAKE protocols to all parties, forcing the adversary to perform a brute-force search to recover passwords or impersonate others. Our second protocol, CRISP, additionally renders any adversarial pre-computation useless, thereby offering saPAKE-like guarantees for all parties, instead of only the server. We evaluate prototype implementations of our protocols and show that even though they offer stronger security, their performance is in line with, or even better than, state-of-the-art protocols.


Preferred Citation

Cas Cremers, Moni Naor, Shahar Paz and Eyal Ronen. CHIP and CRISP: Protecting All Parties Against Compromise through Identity-Binding PAKEs. In: Advances in Cryptology (CRYPTO). 2022.

Primary Research Area

  • Reliable Security Guarantees

Name of Conference

Advances in Cryptology (CRYPTO)

Legacy Posted Date


Open Access Type

  • Unknown


@inproceedings{cispa_all_3697, title = "CHIP and CRISP: Protecting All Parties Against Compromise through Identity-Binding PAKEs", author = "Cremers, Cas and Naor, Moni and Paz, Shahar and Ronen, Eyal", booktitle="{Advances in Cryptology (CRYPTO)}", year="2022", }

Usage metrics


    No categories selected


    Ref. manager