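Computer science
Protocol (science)
Computer network
Server
Operating system
Computer security
Distributed computing
Medicine
Alternative medicine
Pathology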
Authors
Mingping Qi, Wei Hu, Yu Tai
Identifier
DOI:10.1109/tifs.2024.3372799
Abstract
SAE, short for Simultaneous Authentication of Equals, is a password-authenticated key exchange (PAKE) protocol by which the two involved parties can achieve mutual authentication and derive high-entropy keys from a memorable password. Currently, the SAE protocol has been standardized and integrated into the latest WPA3 (Wi-Fi Protected Access 3) specifications for protecting Wi-Fi network access. However, SAE is a symmetric PAKE protocol unable to resist server compromise attacks, and it involves explicit key confirmation flows which may be redundant for usage in existing protocols such as TLS 1.3. So, we naturally wonder whether we can construct a provably secure one-round asymmetric PAKE from the distinguished SAE. This paper affirms this by presenting an efficient asymmetric variant of SAE, called SAE+, and backing it up with a formal security proof under the widely accepted BPR security model. The new SAE+ is designed to enable a single round-trip execution, with the client initiating the communication, making it an ideal fit for integration into IETF protocols such as TLS 1.3. This feature aligns with the requirements set forth in the "Usage of PAKE with TLS 1.3" document. SAE+ is secure against off-line dictionary and server compromise attacks, and supports the desired forward secrecy, i.e., compromising the long-term secret password does not compromise the secrecy of the previously established session keys. In addition, the performance evaluation results presented in this paper demonstrate that the new SAE+ has computational efficiency comparable to some existing outstanding PAKE protocols while outperforming many of them in terms of communication flows.