Abstract
Password-authenticated key exchange (PAKE) protocols play an important role in cryptography. Most PAKEs are based on the Diffie–Hellman key exchange protocol or on RSA encryption schemes, but their security is threatened by quantum computers. In this study, we propose the first code-based PAKE protocol, built on Ouroboros, a code-based key exchange protocol. Our scheme enjoys high efficiency and provides mutual explicit authentication, with a security reduction to decoding random quasi-cyclic codes in the random oracle model.
1. Introduction
Authenticated key exchange (AKE) allows two communicating entities to establish a common, high-entropy secret session key over an insecure communication network. In general, users need to store prepared long-term secret keys with high entropy in devices such as smart cards and ID cards. However, the need for such hardware devices makes AKE more inconvenient and complex.
To overcome this shortcoming, password-authenticated key exchange (PAKE) was proposed, since PAKEs only require human-memorable passwords with low entropy, such as six to eight characters. Nowadays, more and more people use handheld devices, so PAKEs have a wide range of practical applications. Nevertheless, it is difficult to design a secure key exchange protocol based on passwords, because the low entropy of a password makes it vulnerable to dictionary attacks if an adversary can obtain some password-dependent data. Generally speaking, there are two types of dictionary attacks. The first is the online dictionary attack. In this attack, an adversary actively participates in the execution of a protocol; for example, the adversary runs the protocol with a guessed password and observes whether the protocol succeeds. This type of attack is easy to counter by allowing an adversary to test at most a constant number of passwords per online interaction. What we need to consider is the other type, the offline dictionary attack. In this attack, an adversary observes the execution of a protocol or interacts with the participants of the protocol, and then tests the correctness of a guessed password offline. To prevent this attack, session keys and protocol messages must look computationally independent of the password to the adversary.
The first PAKE protocol was proposed by Bellovin and Merritt in [1] and is called the encrypted key exchange (EKE) protocol, but they did not give a formal security proof for it. Since then, a number of PAKE protocols have been proposed [2–7]; however, these protocols still have no formal security proof. Formal security models only began in 2000 with the works of Bellare et al. [8] and Boyko et al. [9]. Canetti et al. introduced the universally composable notion into the PAKE security model in 2005 [10].
With these security models in place, many protocols have been designed and analyzed. On the one hand, most PAKEs are designed using the Diffie–Hellman (DH) key exchange protocol [9, 11–15]; among these, the PAK [9] and PPK [15] protocols are two efficient and simple constructions of PAKEs based on the DH key exchange protocol. The PAK protocol is a three-pass protocol and provides explicit authentication, while the PPK protocol is a two-pass protocol and provides implicit authentication. On the other hand, some PAKEs were designed using RSA encryption schemes [16–19]. In particular, Mackenzie et al. proposed the first RSA-based PAKE protocol with a formal security proof in 2000, called SNAPI [17]. In 2004, Zhang showed that the SNAPI protocol was not practical and proposed two efficient RSA-based PAKEs [19].
Since the well-known Shor algorithm was proposed [20], the security of the DH key exchange protocols and RSA encryption schemes has faced great challenges. Fortunately, lattice-based and code-based cryptosystems are expected to resist attacks by quantum computers. Based on the AKE protocols in [21–26], several simple and efficient lattice-based PAKE protocols have been designed [27, 28]. The protocols in [27] can be regarded as a parallel extension of PAK and PPK. In code-based cryptography, there are no DH-type key exchange protocols. Nevertheless, Deneuville et al. proposed a secure and efficient code-based key exchange protocol called Ouroboros [29]. The Ouroboros scheme combines the best properties of MDPC-McEliece [30] and HQC [31] and has a simple decoding algorithm. The security of Ouroboros is reduced to decoding random quasi-cyclic codes in the random oracle model. As far as we know, there is no code-based provably secure PAKE scheme.
In this study, we propose the first code-based PAKE protocol, based on Ouroboros, with a formal security proof. The protocol is constructed using a weight-restricted hash function and enjoys several desirable features, including high efficiency, mutual explicit authentication, and quantum resistance, with the security of our scheme reduced to decoding random quasi-cyclic codes in the random oracle model.
The rest of this study is organized as follows. Section 2 introduces the notation used throughout the study and gives the needed preliminary definitions and propositions. In Section 3, we review the security model. In Section 4, we provide a detailed description of our PAKE protocol. Section 5 gives the formal security analysis of our PAKE protocol. Section 6 provides the efficiency evaluation of our scheme. Finally, Section 7 concludes the study.
2. Preliminaries
In this section, we introduce the notation, definitions, and propositions used throughout the study.
2.1. Notations
In this study, the ring of integers is denoted by , and a finite field is denoted by with elements, where is a prime number. Additionally, we denote the Hamming weight of a vector by , i.e., the number of its nonzero coordinates. denotes a vector space of dimension over for some positive . Elements of can be considered as row vectors or as polynomials in and are represented by lowercase bold letters. The product of two elements is defined as in , i.e., with
For any finite set , denotes is a uniformly random element sampled from . For an event , denotes the complementary event of .
In particular, we also use the symbol as follows:
2.2. Coding Theory
We now focus on relevant basic definitions and properties relating to coding theory.
Definition 1. (Linear Code). A linear code with length and dimension over is a subspace of .
Definition 2. (Generator Matrix). A generator matrix for a linear code is a matrix whose rows form a basis for , .,
Definition 3. (Parity Check Matrix). A parity check matrix for a linear code is a generator matrix for the dual code , .,
Definition 4. (Quasi-Cyclic Codes [30]). Given positive integers , , and , a linear code is quasi-cyclic (QC) of order if for any it holds that .
Definition 5. (Systematic Quasi-Cyclic Codes of Rate 1/s [30]). A systematic quasi-cyclic code of order is a quasi-cyclic code with a parity check matrix of the form , where are circulant matrices.
Next, we define the syndrome decoding (SD) problem over in the Hamming metric.
Definition 6. (SD Distribution). Given positive integers , the SD distribution chooses and and outputs .
Definition 7. (Search SD Problem). Given from the distribution, the search SD problem asks whether there exists such that .
Definition 8. (Decisional SD Problem). On input , the decisional SD problem (DSD) asks to decide, with non-negligible advantage, whether came from the distribution or from the uniform distribution over .
The search SD problem in the Hamming metric has been proved NP-complete over the binary field in the worst case [32], and the decisional SD problem has been proved polynomially equivalent to its search version [33].
We now give the corresponding definitions for quasi-cyclic codes.
Definition 9. (QCSD Distribution). Given positive integers , the QCSD distribution chooses and , where , and outputs .
Definition 10. (Search QCSD Problem). Given positive integers , a random systematic parity check matrix of a quasi-cyclic code, and , the search QCSD problem asks whether there exists , where , such that .
Definition 11. (Decisional QCSD Problem). Given positive integers , a random parity check matrix of a systematic quasi-cyclic code, and , the decisional QCSD (DQCSD) problem asks to decide, with non-negligible advantage, whether came from the QCSD distribution or from the uniform distribution over .
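To make the objects of Section 2.1 and Definitions 4–11 concrete, the following Python code (an added example, not from the paper or the Ouroboros authors) implements the ring product of Section 2.1 as a cyclic convolution, builds the circulant blocks and the systematic parity check matrix of Definition 5 for order s = 2, samples an instance of the QCSD distribution of Definition 9, and provides the cheap verifier that distinguishes the search QCSD problem from its decision version. It assumes, as Ouroboros and HQC do, that length-n vectors over F_2 are identified with polynomials in F_2[X]/(X^n − 1) and that the two halves of the secret each have weight w; the paper's own parameter symbols did not survive extraction, so all names here are the example's own.

```python
# Added example (not from the paper): quasi-cyclic code arithmetic over F_2 and
# a sampled 2-QCSD instance. Assumption: vectors of length n are polynomials in
# F_2[X]/(X^n - 1), the ring used by Ouroboros/HQC.
import secrets


def hamming_weight(v):
    """Number of nonzero coordinates of a 0/1 vector (Section 2.1)."""
    return sum(v)


def poly_add(a, b):
    """Addition in F_2^n: coordinate-wise XOR."""
    return [x ^ y for x, y in zip(a, b)]


def poly_mul(a, b, n):
    """Product in F_2[X]/(X^n - 1): cyclic convolution of coefficient vectors."""
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if bj:
                    c[(i + j) % n] ^= 1
    return c


def circulant(v):
    """rot(v): the n x n circulant matrix with rot(v)[i][j] = v[(i - j) mod n],
    indexed so that rot(v) * y^T equals the ring product v * y."""
    n = len(v)
    return [[v[(i - j) % n] for j in range(n)] for i in range(n)]


def mat_vec(matrix, x):
    """Matrix-vector product over F_2."""
    return [sum(m & xi for m, xi in zip(row, x)) % 2 for row in matrix]


def random_vector(n):
    """Uniform element of F_2^n."""
    return [secrets.randbelow(2) for _ in range(n)]


def random_fixed_weight(n, w):
    """Uniform vector of length n with Hamming weight exactly w."""
    positions = set()
    while len(positions) < w:
        positions.add(secrets.randbelow(n))
    return [1 if i in positions else 0 for i in range(n)]


def systematic_qc_parity_check(h):
    """H = (I_n | rot(h)): parity check matrix of a systematic quasi-cyclic
    code of rate 1/2, i.e. order s = 2 in Definition 5."""
    n = len(h)
    identity = [[int(i == j) for j in range(n)] for i in range(n)]
    rot_h = circulant(h)
    return [identity[i] + rot_h[i] for i in range(n)]


def syndrome(parity_check, x, y):
    """Syndrome H * (x | y)^T; for H = (I | rot(h)) this equals x + h * y."""
    return mat_vec(parity_check, x + y)


def sample_qcsd_instance(n, w):
    """Draw from the 2-QCSD distribution (Definition 9 with s = 2): random h,
    secret (x, y) with each half of weight w (assumed split), and the syndrome."""
    h = random_vector(n)
    x = random_fixed_weight(n, w)
    y = random_fixed_weight(n, w)
    parity_check = systematic_qc_parity_check(h)
    return h, parity_check, (x, y), syndrome(parity_check, x, y)


def is_qcsd_solution(parity_check, target, candidate, w):
    """Verifier for the search QCSD problem (Definition 10): a candidate is a
    solution iff both halves have weight w and reproduce the target syndrome.
    Checking is linear-time; finding (x, y) from (H, target) is the hard part."""
    x, y = candidate
    return (hamming_weight(x) == w and hamming_weight(y) == w
            and syndrome(parity_check, x, y) == target)


if __name__ == "__main__":
    n, w = 31, 3                      # toy sizes, far below real parameters
    h, H, (x, y), s = sample_qcsd_instance(n, w)
    assert s == poly_add(x, poly_mul(h, y, n))   # matrix view == ring view
    assert is_qcsd_solution(H, s, (x, y), w)
    print("syndrome weight", hamming_weight(s), "of", n)
```

The equality checked in the last lines is the reason the circulant matrix is indexed as it is: with rot(v)[i][j] = v[(i − j) mod n], the matrix product rot(h)·y^T coincides with the polynomial product h·y, so the "matrix" and "polynomial" views of Section 2.1 agree, and a syndrome of the systematic parity check matrix is exactly x + h·y. Real parameters are thousands of bits with weights in the tens; the toy n = 31 is only so that the instance can be inspected by hand.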
2.2.1. The s-QCSD Problem Assumption [29]
The search QCSD problem is hard on average. Let be a probabilistic polynomial time adversary whose input is a random parity check matrix and a vector . The probability that outputs a vector with and is negligible, where
Let , where the maximum is over all adversaries of time complexity at most .
2.3. Weight-Restricted Hash Function
Our PAKE protocol uses a weight-restricted hash function proposed in the RaCoSS scheme [34]. We denote this weight-restricted hash function by . Although the RaCoSS scheme has been broken, is still secure under proper parameters [35]. Before describing the weight-restricted hash function, we first recall the definition of a collision-resistant hash function.
Definition 12. A hash function is called a collision-resistant hash function if the probability that any adversary finds two distinct values satisfying the following condition is negligible: where is a negligible function.
Lemma 1. (see [36]). Given a collision-resistant hash function and an encoding algorithm that encodes any bit message into a bit message with Hamming weight , the composed function is still a collision-resistant hash function.
We give the weight-restricted hash function in Algorithm 1. Simply speaking, takes a byte-string message and two integers and as input. SHA3-512 is then used to compute the positions of the 1s, and the output is a bit string with Hamming weight . By Lemma 1, is a collision-resistant hash function.
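Algorithm 1 itself is not reproduced on this page, so the following Python function is an added illustration of the construction described in Section 2.3 and Lemma 1, not the RaCoSS or OPAKE code: it derives positions of 1s from SHA3-512 output and returns an n-bit vector of Hamming weight exactly w, i.e. a fixed-weight encoding composed with a collision-resistant hash. The way the digest is expanded (a 4-byte counter appended to the message, 32-bit chunks reduced to [0, n) by rejection sampling, duplicates skipped) is this example's own choice and need not match the paper's algorithm; the "positions of the 1s" representation that Section 2.4 mentions for fixed-weight vectors is returned alongside.

```python
# Added example (not Algorithm 1 from the paper): a weight-restricted hash
# H_w(m, n, w) built from SHA3-512. The expansion and position-derivation
# rules below are this example's assumptions, not the RaCoSS specification.
import hashlib


def weight_restricted_hash(message: bytes, n: int, w: int) -> list:
    """Return an n-bit 0/1 vector of Hamming weight exactly w, derived
    deterministically from `message` via SHA3-512."""
    if not 0 < w <= n:
        raise ValueError("need 0 < w <= n")
    # Largest multiple of n below 2^32: chunks at or above it are rejected so
    # that (chunk mod n) is uniform in [0, n) rather than biased.
    accept_limit = (1 << 32) - ((1 << 32) % n)
    positions = set()
    counter = 0
    while len(positions) < w:
        # Counter mode over the message gives as many digest blocks as needed.
        block = hashlib.sha3_512(message + counter.to_bytes(4, "big")).digest()
        for k in range(0, len(block), 4):
            if len(positions) == w:
                break
            chunk = int.from_bytes(block[k:k + 4], "big")
            if chunk < accept_limit:
                positions.add(chunk % n)   # repeats are simply skipped
        counter += 1
    return [1 if i in positions else 0 for i in range(n)]


def hamming_weight(v) -> int:
    """Number of nonzero coordinates."""
    return sum(v)


def support(v) -> list:
    """Positions of the 1s: the compact representation of a fixed-weight
    vector that Section 2.4 refers to."""
    return [i for i, bit in enumerate(v) if bit]


if __name__ == "__main__":
    # Constructed inputs; real deployments use n in the thousands.
    v = weight_restricted_hash(b"constructed message", 1024, 64)
    print("weight:", hamming_weight(v), "first positions:", support(v)[:8])
```

Because the output is a function of SHA3-512 alone, any two messages that collide on the output vector must have produced colliding position streams, which is what Lemma 1 relies on; the rejection step matters in practice because a plain `chunk % n` would skew the position distribution whenever n does not divide 2^32.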

2.4. Ouroboros Scheme
We now recall the Ouroboros scheme from [29], which is the basis of our PAKE protocol. The Ouroboros scheme uses a function proposed in [37]; simply speaking, giving the positions of the "1"s is enough to obtain random vectors of fixed weight . For more details about this function, we refer the reader to [37]. Besides, the Ouroboros scheme uses a hash function . The decoding algorithm CE decoder is presented in Algorithm 2. In short, it takes , , , the threshold value , the weights of and , and the weight of as input, and outputs if it succeeds.

The Ouroboros scheme is presented as follows:
(a) generates and . Then, she computes . Finally, she sends to Bob.
(b) generates and computes . Next, he randomly generates . Then, he computes and . Finally, he sends to Alice and saves the vector as the shared secret.
(c) computes when receiving and . Then, she uses the decoding algorithm CE decoder to get and . Finally, she computes the shared secret .
Theorem 1 (see [29]). The Ouroboros protocol satisfies indistinguishability under chosen plaintext attack (IND-CPA) under the 2 and 3 assumptions.
3. Security Model
This section reviews the formal security model from [8]. Consider a PAKE protocol with two users. The users are expected to establish and use the same keys over a network that is fully controlled by a probabilistic polynomial time adversary . The adversary can initiate protocol runs between user instances, deliver messages to unintended recipients, and observe their reaction according to the protocol. The adversary can reveal the session keys established by user instances and enumerate all passwords in the password space in an offline attack. In the following, we give the formal description of the security model.
3.1. Security Game
Let P be a PAKE protocol and be the fixed set of users. We consider a two-party protocol in the PAKE model, where the users in are partitioned into two non-empty entities, called Alice and Bob ( and for short). Before the game starts, a password is chosen for each entity uniformly at random from the password space . A set of efficiently computable cryptographic functions, i.e., hash functions, is specified, and the public cryptographic parameters are generated.
3.2. User Instances
In the model, an unlimited number of instances run the protocol simultaneously for each user. The instance of user is denoted by . An instance may accept at any time, and the same rule applies to user . When an instance accepts, it holds a partner id , a session id , and a session key . The is the identity of the user instance that the current instance believes it is talking to. The is a string that uniquely identifies this session; in general, it is the concatenation of all messages sent and received by the instance (or ). The is the value the protocol ultimately computes.
3.3. Queries
The queries that adversary may make during the game are as follows [8]:
(i) Send: the message is sent to instance . The instance computes what the protocol specifies and outputs the result to the adversary. We assume that whether the instance accepts or not is visible to the adversary.
(ii) Execute: an honest execution between two instances and is carried out, where and and were not used before. Finally, the transcript of this execution is given to the adversary.
(iii) Reveal: the session key of is returned to the adversary.
(iv) Test: this query is valid if and only if the instance is fresh, as defined below. In this case, generates a random bit . If , the real session key is sent to the adversary; otherwise, a random session key chosen uniformly from the space is sent. This query is allowed only once during the game.
(v) Oracle: this gives the adversary oracle access to a function , which is selected at random from some probability space.
Now, we give some definitions for the formal security model.
Definition 13. (Partnering). Let and be a pair of instances. and are partnered if both have accepted and have the same unique session id and the same session key .
Definition 14. (Freshness). is fresh if (i) it has accepted, and (ii) an adversary has not queried or , where is ’s partner, if it has.
Definition 15. (Correctness). If and are partnered and both are accepted, then they conclude with the same session key .
Definition 16. Let be the event that adversary asks a single Test query on a fresh instance and outputs a bit with at the end of the game. The advantage of the adversary is defined as follows: The following definition of a secure PAKE protocol is the same as in [38].
Definition 17. A protocol P is called a secure PAKE protocol if, for every polynomial time adversary that makes at most Send queries to different instances, the following inequality holds: , where denotes the size of the password space and is a negligible function of the security parameter.
4. Our PAKE Protocol
In this section, we present an efficient Ouroboros-based PAKE protocol called OPAKE. Our protocol is described in a generic fashion in Figure 1. We use the weight-restricted hash function mentioned earlier. The hash functions are defined as follows: , , where is a security parameter. We assume that , and are independent random functions. Let be the password space and be the password that Alice and Bob share. Our protocol then proceeds as follows.
4.1. OPAKE
(a) generates and chooses and . Next, she computes . Then, she computes . Finally, she sends to Bob.
(b) tests whether . If not, he rejects. Otherwise, he generates and computes . Next, he randomly generates . Then, he computes . Finally, he computes and and sends to Alice.
(c) computes when receiving and . Then, she uses the decoding algorithm CE decoder to get and . Then, she computes . Finally, she computes and sends to Bob.
(d) tests whether is equal to . If not, he rejects. Otherwise, he accepts and computes and a session key . Finally, he sends to Alice.
(e) tests whether is equal to . If not, she rejects. Otherwise, she accepts and computes a session key .
4.2. Correctness
To show the correctness of our protocol, it suffices to show that the key material derived by Alice and Bob is the same, i.e., . First, honest Alice sends a well-formed to Bob, and honest Bob uses the correct password to compute . Then, Bob chooses the secret material and encrypts it into the ciphertext . Next, Alice decrypts and obtains the same material according to the Ouroboros scheme. Hence, the correctness of our PAKE protocol holds when both participants execute the protocol honestly.
5. Formal Security Analysis of OPAKE
This section gives the formal security analysis of OPAKE under the security model defined in Section 3. We prove that an adversary attacking the protocol OPAKE cannot determine the of a fresh instance with advantage greater than that of an online dictionary attack.
Theorem 2. Let be an adversary that runs in time . Then the adversary's advantage in attacking the protocol is bounded as follows, where denotes the size of the password space, denotes the number of queries of type oracle, denotes the number of queries to the random oracle, and denotes the number of queries of type oracle.
To prove this theorem, we present a sequence of hybrid experiments , and denote the advantage of attacking in experiment by .
Protocol P_{0}: in this protocol, the adversary makes the oracle queries of Section 3, i.e., , and . Besides, the adversary has access to five independent random oracles , and . Each random oracle is simulated by a list of input-output pairs. On receiving a new query input , the oracle checks whether was queried before. If so, the oracle returns the output stored in the list. Otherwise, the oracle generates a random number, returns it, and adds the new pair to the list.
Protocol P_{1}: this protocol is identical to except that if the oracle Execute is called between two instances and , then the session keys and are set equal to a random number selected from . We now show that this change affects the advantage of only negligibly.
Claim 1. For any polynomial time adversary , we have , where denotes the number of queries of type oracle, denotes the number of queries to the random oracle, and denotes the running time of .
Proof. First, we show that the probability that the same random numbers are generated in two different Execute oracle queries is very small. In that situation, could distinguish and simply by making Reveal queries. By the birthday paradox, it is easy to show that the probability of this situation is bounded by .
Now, we fix an Execute oracle call and assume that the random numbers and used in this call were not used in any previous query. Without knowledge of , the output of is indistinguishable from a random number uniformly selected from . Thus, the adversary can distinguish and if and only if can recover the information of . We denote the probability that recovers the information of by . We give two games and to bound .
Game : the adversary carries out an honest execution between instances and :
(1) generates and chooses and . Next, queries the random oracle on (). The reply of is denoted by . Then, computes . Finally, sends to .
(2) generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and sends to .
(3) computes when receiving and . Next, uses the decoding algorithm CE decoder to get . Then, computes . Finally, queries the random oracle on (denoted by ) and sends to .
(4) After receiving from , queries the random oracle on (denoted by ). Finally, accepts and sends to .
(5) After receiving from , accepts. This game ends and adversary outputs its guess of .
Game : this game is the same as game except that instances and do not query the random oracles and :
(1) generates and chooses and . Next, queries the random oracle on (). The reply of is denoted by . Then, computes . Finally, sends to .
(2) generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and sends to .
(3) After receiving and from , sends a random number to .
(4) After receiving from , sends a random number to and accepts.
(5) After receiving from , accepts. This game ends, and adversary outputs its guess of .
We denote the probability that guesses the correct in game by . Let be the event that guesses the correct on oracle or with .
Then, the following holds. Obviously, the probability that guesses the correct is bounded as follows, where denotes the number of queries to the random oracle and . By assuming , we have .
It is easy to see that and are indistinguishable from random numbers in when is not queried to the random oracles and . So, . In the following, we show that . Given a well-formed , finding the correct information such that is a 2-QCSD problem. Besides, given and , we construct an algorithm that solves the 3-QCSD problem by running on a simulation of game . Algorithm runs exactly as except that it changes how the encryption of message is computed in step (2). If returns the correct , then our algorithm solves the 3-QCSD problem. Hence, . Moreover, . Suppose makes queries to in total. We have . This proves the claim.
Protocol P_{2}: this protocol is identical to except that when receives a message generated by , and both and accept, they are given the same random session key . If only accepts, is given a session key while is given none.
Claim 2. For any polynomial time adversary , we get , where denotes the number of queries of type Send and denotes the running time of .
Proof. When instance receives a message generated by , the message was sent by and obtained by the adversary . Since the message was generated by , has no information about the secret private key, by the 2-QCSD problem. The adversary's advantage in recovering the message from and is bounded by . In conclusion, if the adversary makes queries to the Send oracle, the adversary's advantage in distinguishing and is bounded by . This proves the claim.
Protocol P_{3}: in this protocol, we assume that instance receives a message generated by instance , while receives a message from . In this situation, both and accept and are given the same random session key if their session keys were not already replaced with a random key in protocol .
Claim 3. For any polynomial time adversary making queries of oracle to different instances, we obtain
Proof. It is clear that and are perfectly indistinguishable to a polynomial time adversary .
Protocol P_{4}: in this protocol, we assume that instance receives a message generated by adversary , or receives a message generated by adversary . In this situation, if or accepts the protocol instance, then the protocol halts and the adversary succeeds automatically.
Claim 4. For any polynomial time adversary making queries of oracle to different instances, we have
Proof. It is clear that the modification in can only increase the adversary 's probability of winning.
Claim 5. For any polynomial time adversary making queries of oracle, we get
Proof. We consider two cases.
Case 1. Assume that instance receives a message generated by adversary . After receiving the message, instance computes from the message. Then, obtains from the query to the random oracle on . Next, returns to the adversary. In this situation, has to generate a that equals the output of the random oracle on . One possibility is that guesses the correct with probability , since has no knowledge of . The other possibility is that recovers the message of with probability . Clearly, is limited by two factors. The first is that the adversary guesses the correct password and obtains the right number from the query to the random oracle ; the probability of this case is . The second is that the adversary has to generate the correct form containing and recover the message from ; as analyzed before, the probability in this situation is bounded by . We use to denote the number of queries of this kind. Thus, the success probability of in this case is bounded by
Case 2. Assume that instance receives a message generated by adversary . After receiving the message, instance generates , queries the random oracle on (), and computes . Next, randomly generates . Then, queries the random oracle on . The reply of is denoted by . Finally, computes and and returns to . In this situation, has to generate a that equals the output of the random oracle on . As in the previous case, one possibility is that guesses the correct with probability , since has no knowledge of . The other possibility is that guesses the correct password . We use to denote the number of queries of this kind. Thus, the success probability of in this case is bounded by . Hence, we get . Therefore, we have . Combining all the claims, the advantage of the adversary in the real attack is , i.e., . This proves Theorem 2.
6. Performance Analysis
In this section, we provide the efficiency evaluation of our scheme. The security parameters we use are adopted from the Ouroboros scheme [29]. The scheme implementation is written in C++. The program was run on a computer running Linux with an Intel Core i7-8750H CPU at [clock frequency lost in extraction] GHz and 4 GB of memory. For each parameter set, the performance of our proposed protocol is shown in Table 1. The results show that our scheme achieves considerable efficiency.
7. Conclusion
In this study, we propose a new password-authenticated key exchange based on the Ouroboros key exchange scheme, with a formal security proof. Our PAKE scheme enjoys several desirable properties: (1) considerable efficiency; (2) mutual explicit authentication; and (3) resistance to quantum attacks, where in addition an attacker who obtains a session key cannot use it to perform an offline dictionary attack. The security of our scheme is reduced to decoding random quasi-cyclic codes in the random oracle model.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The work of L.P. Wang was supported in part by the National Natural Science Foundation of China (Grant No. 61872355), the National Key Research and Development Program of China (No. 2018YFA0704703), and the Mathematical Tianyuan Foundation of the National Natural Science Foundation of China (Grant No. 12026427).