Sherman Chow
New York University

Authenticated Key Exchange Secure Against Dictionary Attacks 

Password-based protocols for authenticated key exchange (AKE) are designed to work 
despite the use of passwords drawn from a space so small that an adversary might
well enumerate, offline, all possible passwords.
While several such protocols have been suggested, the underlying theory has been 
lagging. We begin by defining a model for this problem, one rich enough to deal 
with password guessing, forward secrecy, server compromise, and loss of session 
keys. The one model can be used to define various goals. We take AKE (with implicit
authentication) as the basic goal, and we give definitions for it, and for 
entity-authentication goals as well. Then we prove correctness for the idea at the 
center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we 
prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE. 

Mihir Bellare, David Pointcheval, and Phillip Rogaway