Improvement of a Three-Party Password-Based Key Exchange Protocol with Formal Verification

  • Qi Xie Hangzhou Normal University
  • Na Dong Hangzhou Normal University
  • Xiao Tan City University of Hong Kong
  • Duncan S. Wong City University of Hong Kong
  • Guilin Wang University of Wollongong
Keywords: Key Exchange, Password Based Authenticated Key Exchange (PAKE), Three-Party PAKE, ProVerif


A Three-party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.