International Association
for Cryptologic Research

We present the first provably-secure 3-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any 2-party PAKE protocol. The protocol is proven secure in a variant of the widely accepted model of Bellare, Pointcheval and Rogaway (2000) without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the 2-round 3-party PAKE protocol of Wang, Hu and Li (2010), and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.