Security

Recall the security requirements for PAKE protocols:

  • Off-line dictionary attack resistance: The protocol transcript leaks no information that would let an attacker run an offline exhaustive search for the password.
  • On-line dictionary attack resistance: An active attacker can test at most one password guess per protocol run.
  • Forward secrecy: Past session keys remain secure even if the password is later leaked.
  • Known-session security: A disclosed session key does not affect the security of other established sessions.

Off-line dictionary attack resistance

Active attacker

Suppose Bob is an attacker who talks directly to Alice but does not possess the shared secret $s$. The data available to Bob are $g^{x_1}, g^{x_2}, A$ and the zero-knowledge proofs (ZKP) for the respective exponents.

By the protocol definition, $x_1 \in [0, q-1]$, $x_2 \in [1, q-1]$ and $s \in [1, q-1]$; these values are unknown to Bob, and recovering $x_1$ or $x_2$ from $g^{x_1}$ or $g^{x_2}$ is a discrete logarithm problem, which is infeasible when $q$ is very large. If $q$ is 160 bits, the probability that Bob guesses $x_1$ correctly is $\frac{1}{2^{160}}$, and the probability of guessing $x_2$ or $s$ is $\frac{1}{2^{160} - 1}$. Bob cannot guess them right.

Passive attacker

The data available to a passive attacker are $g^{x_1}, g^{x_2}, g^{x_3}, g^{x_4}, A, B$ and their zero-knowledge proofs (ZKP). As above, the probability of hitting all of $x_1, x_2, x_3, x_4, s$ is extremely low.

On-line dictionary attack resistance

Suppose Bob is an attacker who talks directly to Alice but does not possess the shared secret $s$. Bob can freely choose $x_3, x_4$ and a password guess $w$, and sends

$$B = g^{(x_1 + x_2 + x_3) \cdot x_4 \cdot w}$$

After receiving $B$, Alice computes

$$\begin{aligned} K &= \left(\frac{B}{g^{x_2 \cdot x_4 \cdot s}}\right)^{x_2} \\ &= g^{x_1 \cdot x_2 \cdot x_4 \cdot w} \cdot g^{x_2 \cdot x_3 \cdot x_4 \cdot w} \cdot g^{x_2 \cdot x_2 \cdot x_4 \cdot (w - s)} \end{aligned}$$

Therefore, without $x_1, x_2, s$, Bob is unable to compute $K$. The last factor disappears only when $w = s$, so one run of the protocol (followed by key confirmation) tells Bob whether his single guess $w$ was right and nothing more; every further guess costs him another full run.
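The exchange described above, with both parties' round-1 and round-2 messages, Schnorr-style zero-knowledge proofs for the exponents, and the key derivation $K = (B / g^{x_2 x_4 s})^{x_2}$, as an added example in Python (not code from the original page). It assumes a safe-prime group generated at run time (128 bits, far too small for real use), a password mapped into $[1, q-1]$ by hashing, seeded `random` in place of a CSPRNG, and the constructed passwords and helper names (`run_jpake`, `page_expansion`, `online_guess`, `demo`) are this example's own:

```python
"""J-PAKE (Hao-Ryan) over a Schnorr subgroup, in the page's notation.
Alice holds x1, x2 and password s; Bob holds x3, x4 and password w (w == s if honest).
A = g^{(x1+x3+x4) x2 s},  B = g^{(x1+x2+x3) x4 w},  K_Alice = (B / g^{x2 x4 s})^{x2}."""
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, adequate for demo parameters (use vetted groups in production)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits, rng):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup (toy size, assumed)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)  # a non-trivial square has order q

def _challenge(group, base, gv, gx, ident):
    p, q, _ = group
    h = hashlib.sha256(f"{p}|{base}|{gv}|{gx}|{ident}".encode()).digest()
    return int.from_bytes(h, "big") % q

def zkp_prove(group, base, x, gx, ident, rng):
    """Schnorr proof of knowledge of x with base^x == gx, non-interactive and bound to ident."""
    p, q, _ = group
    v = rng.randrange(1, q)
    gv = pow(base, v, p)
    return gv, (v - _challenge(group, base, gv, gx, ident) * x) % q

def zkp_verify(group, base, gx, proof, ident):
    p, q, _ = group
    gv, r = proof
    if not (1 <= gx < p and pow(gx, q, p) == 1):  # reject values outside the subgroup
        return False
    return pow(base, r, p) * pow(gx, _challenge(group, base, gv, gx, ident), p) % p == gv

def round1(group, ident, rng):
    """Round 1: x_a in [0, q-1], x_b in [1, q-1]; send g^x_a, g^x_b with proofs."""
    p, q, g = group
    xa, xb = rng.randrange(0, q), rng.randrange(1, q)
    ga, gb = pow(g, xa, p), pow(g, xb, p)
    return (xa, xb), (ga, zkp_prove(group, g, xa, ga, ident, rng), gb, zkp_prove(group, g, xb, gb, ident, rng))

def check_round1(group, ident, msg):
    ga, pa, gb, pb = msg
    g = group[2]
    return zkp_verify(group, g, ga, pa, ident) and zkp_verify(group, g, gb, pb, ident) and gb != 1

def round2(group, secret, own, own_msg, peer_msg, ident, rng):
    """Round 2: send base^{x_b * secret} with base = g^{x_a + peer_a + peer_b}, plus a proof."""
    p, q, _ = group
    xa, xb = own
    base = own_msg[0] * peer_msg[0] % p * peer_msg[2] % p
    e = xb * secret % q
    val = pow(base, e, p)
    return val, zkp_prove(group, base, e, val, ident, rng)

def key(group, secret, own, own_msg, peer_msg, peer_r2, peer_ident):
    """K = (peer_val / peer_gb^{x_b * secret})^{x_b}; None if the peer's round-2 proof fails."""
    p, q, _ = group
    xa, xb = own
    base = peer_msg[0] * own_msg[0] % p * own_msg[2] % p  # g^{peer_a + x_a + x_b}
    val, proof = peer_r2
    if not zkp_verify(group, base, val, proof, peer_ident):
        return None
    return pow(val * pow(peer_msg[2], (-xb * secret) % q, p) % p, xb, p)

def pw_to_int(group, password):
    """Map a password string into [1, q-1] (the page's s); constructed for this example."""
    q = group[1]
    return 1 + int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (q - 1)

def run_jpake(group, s, w, rng):
    """Full exchange: Alice uses password s, Bob uses w (an attacker's guess when w != s)."""
    (x1, x2), m_a = round1(group, "alice", rng)
    (x3, x4), m_b = round1(group, "bob", rng)
    if not (check_round1(group, "bob", m_b) and check_round1(group, "alice", m_a)):
        raise ValueError("round-1 proof failed")
    r2_a = round2(group, s, (x1, x2), m_a, m_b, "alice", rng)
    r2_b = round2(group, w, (x3, x4), m_b, m_a, "bob", rng)
    k_a = key(group, s, (x1, x2), m_a, m_b, r2_b, "bob")
    k_b = key(group, w, (x3, x4), m_b, m_a, r2_a, "alice")
    return {"x1": x1, "x2": x2, "x3": x3, "x4": x4, "k_alice": k_a, "k_bob": k_b}

def page_expansion(group, t, s, w):
    """Alice's K as the page expands it: g^{x1 x2 x4 w} g^{x2 x3 x4 w} g^{x2 x2 x4 (w - s)}."""
    p, q, g = group
    x1, x2, x3, x4 = t["x1"], t["x2"], t["x3"], t["x4"]
    return pow(g, (x1 * x2 * x4 * w + x2 * x3 * x4 * w + x2 * x2 * x4 * (w - s)) % q, p)

def online_guess(group, s, candidates, rng):
    """One full protocol run per candidate; matching keys stand in for key confirmation."""
    for runs, w in enumerate(candidates, 1):
        t = run_jpake(group, s, w, rng)
        if t["k_alice"] == t["k_bob"]:
            return runs, w
    return len(candidates), None

def demo(seed=7, bits=128):
    rng = random.Random(seed)  # seeded for reproducibility; real code uses the secrets module
    G = make_group(bits, rng)
    s, bad = pw_to_int(G, "correct horse"), pw_to_int(G, "letmein")  # constructed passwords
    honest, guessed = run_jpake(G, s, s, rng), run_jpake(G, s, bad, rng)
    runs, _ = online_guess(G, s, [pw_to_int(G, c) for c in ("123456", "letmein", "correct horse")], rng)
    return {"honest_match": honest["k_alice"] == honest["k_bob"],
            "guess_match": guessed["k_alice"] == guessed["k_bob"],
            "expansion_holds": guessed["k_alice"] == page_expansion(G, guessed, s, bad),
            "runs_needed": runs}

if __name__ == "__main__":
    print(demo())
```

`demo()` runs an honest session, a session in which Bob uses a wrong guess `w`, and a guessing loop that needs one complete protocol run per candidate password; it also checks Alice's key against the expanded product above. In a real deployment the comparison of the two keys is replaced by an explicit key-confirmation message (a MAC over the derived key), which is the only thing that tells Bob whether his guess matched.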

Forward secrecy

Here we assume the password has already been leaked to the attacker. Past session keys still cannot be computed, because the attacker would additionally need that session's $x_1, x_2$ (an attacker who took part in the session actively already holds $x_3, x_4$; a passive eavesdropper needs those as well). Thus the probability of computing the right session key is overwhelmingly low.

Known-session security

Assume the attacker is powerful enough to compromise one session and learns all of its data, including the raw key $K$ and all private exponents $x_1, x_2, x_3, x_4$.

Each session key is derived from a fresh set of random exponents $x_1, x_2, x_3, x_4$, so it differs from session to session. Because these values are ephemeral and independent across sessions, the attacker has no way to compute the session key of any other session even after compromising one.
