Two-Round Password-Based Authenticated Key Exchange from Lattices

Password-based authenticated key exchange (PAKE) allows participants sharing low-entropy passwords to agree on cryptographically strong session keys over insecure networks. In this paper, we present two PAKE protocols from lattices in the two-party and three-party settings, respectively, which can resist quantum attacks and achieve mutual authentication. The protocols in this paper achieve two rounds of communication by carefully utilizing the splittable properties of the underlying primitive, a CCA (Chosen-Ciphertext Attack)-secure public key encryption (PKE) scheme with associated nonadaptive approximate smooth projection hash (NA-ASPH) system. Compared with other related protocols, the proposed two-round PAKE protocols have relatively less communication and computation overhead. In particular, the two-round 3PAKE is more practical in large-scale communication systems.


Introduction
Password-based authentication key exchange (PAKE) is theoretically fascinating, since it allows participants sharing short, low-entropy passwords to agree on cryptographically strong session keys over insecure networks [1,2]. PAKE protocols are very practical as passwords are probably the most common and widely used authentication method [3][4][5][6], and password-based authentication can avoid the dependence on public key infrastructure and secure hardware; thereby, it improves the convenience of the system. However, the use of shared short, low-entropy passwords will expose PAKE to greater security threats. This is because it must be ensured that the protocol is immune to off-line dictionary attacks, in which the adversary can exhaust all possible passwords to determine the correct one [7,8]. Another observation is that an adversary can always succeed by guessing the password as the password dictionary is relatively small (usually polynomial in the security parameter), referred to as an on-line attack. The aim of PAKE is thus to limit the adversary to such an attack only [9].
The first successful password-based authenticated key exchange agreement methods were Encrypted Key Exchange methods described by Steven M. Bellovin and Michael Merritt in 1992 [10]. Initial PAKE protocols are generally based on "hybrid" models [11,12], in which the clients need to store the public key of the server besides sharing a password with the server. The requirement of securely storing long, high-entropy public key is not friendly in multiserver environment. This motivates the study towards password-only protocols [13][14][15][16] where clients need to remember only a short password. Most PAKE protocols above provide only informal security arguments. Thus, Bellare et al. [17] and Boyko et al. [18] gave formal models of security of the password-only setting and proved security in the ideal cipher model and random oracle model, respectively. And then, Goldreich and Lindell [19] presented a provably secure password-only key exchange under standard cryptographic assumptions. Their work shows the possibility for password-based authentication under very weak assumptions, but the protocol itself is far from practical.
Later, many provably secure PAKE protocols based on various hardness assumptions were proposed. The research is mainly divided into two directions. The former is PAKE in the random oracle/ideal cipher model, which aims to achieve the highest possible levels of performance [20][21][22]. The latter is dedicated to seeking more efficient PAKE in the standard model [5,[23][24][25].
The first efficient PAKE protocol under standard model was proposed by Katz et al. [7]. They utilized CCA2 (Adaptive Chosen-Ciphertext Attack)-secure encryption system and corresponding smooth projection hash (SPH) function for key exchange to construct their scheme. Then, Gennaro and Lindell [9] abstracted their work and presented a corresponding PAKE framework, referred to as KOY/GL framework without mutual authentication. Based on KOY/GL framework, Jiang and Gong [26] showed a three-round PAKE supporting mutual authentication. Groce and Katz [5] then generalized the protocol by Jiang and Gong and gave a new PAKE framework in the common reference string model (CRS), referred to as JG/GK framework. Subsequently, based on the above two framework, a series of PAKE protocols [27][28][29] with different security are proposed for different application scenarios.
Most above schemes are two-party PAKE (2PAKE), requiring every two participants to share a password, which is not adaptable to large communication systems. In contrast, three-party PAKE (3PAKE) enables each client to share a password with the server for authentication, thereby avoiding the limitation of 2PAKE. Abdalla et al. [30] gave a general structure of the 3PAKE protocol for the first time. Subsequently, cryptographers designed a series of 3PAKE protocols with different efficiency and security [31,32].
The security of most protocols above relies on traditional difficult problems (such as large integer factorization and discrete logarithm problems), so they cannot resist quantum attacks. However, the public-key cryptosystem based on the lattice assumption can resist quantum attacks. In addition, the operation on the lattice is matrix-vector multiplication which can be practically implemented by parallel computing. Therefore, the public-key cryptosystem from lattices will be more secure and efficient.
In lattice-based cryptosystem, the research on PAKE is relatively insufficient. In 2009, Katz et al. [33] presented the first lattice-based 2PAKE protocol based on KOY/GL framework. They proposed their protocol by constructing the first lattice-based CCA-secure encryption system and its corresponding approximate smooth projected hash (ASPH) function. Ding et al. [34] then applied the encryption system and ASPH function from Katz et al. [33] to JG/GK framework, and a more efficient protocol is given in the standard model.
Ye et al. [35] proposed the first 3PAKE protocol based on the JG/GK framework from lattices, and they proved its security under the standard model. This is a three-round protocol that implements explicit mutual authentication between the client and the server. In 2017, Xu et al. [36] proposed a provably secure 3PAKE protocol based on the R-LWE (ring learning with error) problem according to the idea of DH, but this protocol suffers from low efficiency.
Zhang et al. [1] applied a splittable public key encryption system to the KOY/GL framework and proposed a lattice-based PAKE, requiring only two-round communication, so it is more efficient. However, Zhang's 2PAKE cannot be directly applied to the 3PAKE protocol, because another function is needed to compute the client-side information.
In this paper, we present efficient new constructions of 2PAKE and 3PAKE based on the learning with error (LWE) problem based on ideas of [1,34,35]. We then prove the security of the proposed protocols in the random oracle model. Significant security (resistance to quantum attacks) and efficiency improvements would also be obtained when basing the protocol on lattice assumption. Compared with the general structure [30], the new protocols reduce the number of communications, thereby improving efficiency. Our protocols also achieve mutual authentication between participants, so they can resist unpredictable on-line attacks. And the proposed two-round 3PAKE is adaptable to large-scale communication systems.

Preliminaries
2.1. Notations. We denote the logarithm with base 2 (resp., the natural logarithm) by lb (resp., log). Vectors are expressed in columns and bold lower-case letters (for example, x). A matrix is considered as a collection of column vectors and is represented by bold capital letter (such as X). We denote the concatenation of X and Y as ðXjjYÞ. Let x⟵ r K denote the random sampling of variable x from the distribution K. For any string x, y ∈ f0, 1g ℓ , Hamðx, yÞ represents the Hamming distance between x and y. Table 1 summarizes the description of other symbols used in this paper.

Security Model
2.2.1. Participants. Participants include honest clients A, B, D, ⋯ ∈ U, malicious clients A, M, ⋯ ∈ E and trusted server C ∈ S. For simplicity, we assume that the server set S contains only one element C. For each distinct A, B ∈ Client, assume that A and B share a long-term key called password pw AB . We simply assume that pw AB is independently and uniformly chosen at random from the password dictionary D. But our proof of security extends to more general cases. In the following, we refer to honest clients directly as clients, and the malicious clients as adversaries.
Each participant can execute multiple protocols with different partners at the same time. We call the execution of a protocol an instance. Denote the instance i of client A and the instance j of server C by Π i A , and Π The "splittable" attribute is also reflected in the security of the public-key cryptosystem. When proving the CCA security of the splittable cryptosystem, the challenge phase of the CCA game should be modified as follows: (1) the adversary M first sends two plaintexts pw 0 , pw 1 ∈ D of equal length. (2) The challenger CL randomly chooses b * ⟵ r f0, 1g and r * ⟵ r f0, 1g * . Then, CL computes u * = fðpk, pw b * , r * Þ and returns u * to M.  In this paper, we denote the splittable labeled CCAsecure PKE based on LWE problem [1] by Σ = ðKeyGen, Enc, DecÞ, and we will use it to construct two-round PAKEs. The definitions of the cryptographic primitives (TrapGen, CRSGen, Prove, Verify, and Solve) on which Σ is based can be found in [1]. TrapGen is a trapdoor generation algorithm for generating public keys and corresponding trapdoors; CRSGen is a common reference string generator, usually implemented by hardware; the Proof/Verify algorithm is similar to the signature/verification algorithm to ensure the integrity of ðA 0 , A 1 , u, v, βÞ; Solve is a trapdoor solving algorithm corresponding to TrapGen. [1]. Suppose n 1 , n 2 ∈ ℤ and prime q is polynomial with respect to the security parameter κ. Let n = n 1 + n 2 + 1, m = OðnlogqÞ ∈ ℤ. α, β ∈ ℝ are the parameters of the systems. The splittable labeled PKE from lattices Σ = ðKeyGen, Enc, DecÞ is defined as follows:

Nonadaptive
Based on Σ ðGen, Enc, DecÞ, we introduce the ϵ-NA-ASPH function defined by the sampling algorithm, which outputs ðK, ℓ, ℍ = fH k : X ⟶ f0, 1g ℓ g, S, α : K ⟶ SÞ given the public key pk of Σ (where K is the hash key space and k ∈ K, α is the key projection function from K to S, and S is the projection key space; the domain and value range of the ϵ-NA-ASPH are X and f0, 1g ℓ , respectively), such that (1) There exist efficient algorithms for sampling a hash key k⟵ r K, computing H k ðxÞ = H k ðu, pwÞ for all x = ðlabel, ðu, vÞ, pwÞ ∈ X and computing s = αðkÞ for all k ∈ K (2) For all k⟵ r K, x = ðlabel, ðu, vÞ, pwÞ ∈ L and randomness r, there are efficient algorithms for computing Hashðs, x, rÞ = Hashðs, ðu, pwÞ, rÞ given u = f ðpk, pw, rÞ and v = gðpk, label, pw, rÞ.
(ii) Smoothness. For any (even unbounded) function h: S ⟶ X \ L, k⟵ r K, s = αðkÞ, x = hðsÞ and γ⟵ r f0, 1g ℓ , the distributions ðs, H k ðxÞÞ and ðs, γÞ are statistically indistinguishable in the security parameter κ NA-ASPH has three modifications compared with ASPH in [33]: (1) the projection function α depends only on the hash key k; (2) H k ðxÞ = H k ðu, pwÞ is determined by the hash key k, the first part of the ciphertext c = ðu, vÞ and the plaintext pw; (3) for all x = hðsÞ ∉ L, the smoothness holds. The first modification here enables the protocol proposed to achieve two rounds of communication, and the latter two are prepared to prove the security of the proposed protocol.

A Two-Round 2PAKE Protocol
We now describe the proposed two-round 2PAKE, which is based on the protocol by Groce and Katz [9] and the splittable PKE scheme by Zhang and Yu [1].

Initialization.
The proposed protocol requires the public key pk of the scheme Σ, also known as the common reference string (CRS). We want to emphasize that during the execution of the entire protocol, no participant needs to know the private key corresponding to the public key.

Protocol Execution.
A high-level depiction of the tworound 2PAKE protocol is given in Table 2. We assume that the execution of the protocol is between client A and server C. Client A and server C share a password pw A ∈ D. When client A wants to initialize an authentication with the server C, A chooses a random tape r 1 ⟵ r f0, 1g * for encryption and a hash key k 1 ⟵ r K for the NA-ASPH. Then, client A computes the projection key s 1 = αðk 1 Þ, sets label 1 = AkCks 1 . And A computes where u 1 = f ðpk, pw A , r 1 Þ and v 1 = gðpk, label 1 , pw A , r 1 Þ. Finally, client A sends the message ðAks 1 kc 1 = ðu 1 , v 1 ÞÞ to server C.
Upon receiving ðs 2 ks * 2 kΔkc 2 Þ from server C, client A checks whether c 2 is a valid ciphertext with respect to pk and label 2 = CkAks 1 ks 2 ks * 2 kΔkc 1 . If not, client A rejects and the protocol aborts. Otherwise, client A computes tk′ = H k 1 ðu 2 , pw A Þ ⊕ Hashðs 2 , ðu 1 , pw A Þ, r 1 Þ, H′ = ECC −1 ðtk′ ⊕ ΔÞ. Then it checks whether the Hamming distance between H ′ and Hashðs * 2 , ðu 1 , pw A Þ, r 1 Þ is less than 2ε/ℓ. If not, client A rejects and the protocol aborts. Otherwise, client A sets r i kτ i ksk i ⟵ H ′ and outputs sk A = sk i .

Correctness.
After honestly executing the protocol, participants can obtain different session keys with negligible probability. First, according to the smoothness of NA-ASPH, we can conclude that both H k 1 ðu 2 , pw A Þ ⊕ Hashðs 2 , ðu 1 , Table 2: An honest execution of the two-round 2PAKE protocol.
3.5. Security. We now show that the above two-round 2PAKE is secure through the proof of the following theorem. Theorem 1. If ΣðGen, Enc, DecÞ is a splittable CCA-secure PKE scheme associated with an ϵ-NA-ASPH ðK, ℓ, ℍ = fH k : X ⟶ f0, 1g ℓ g, S, α : K ⟶ SÞ and ECC : f0, 1g κ ⟶ f0, 1g ℓ is an error-correcting code which can correct 2ϵ-fraction of errors, then the protocol in Table 2 is a secure PAKE protocol.
Proof. Suppose A is a PPT attacker targeting this protocol. We estimate the advantage of adversary A through a series of experiments T 0 , T 1 , T 2 , ⋯, where T 0 represents the experiment in the real protocol. By analyzing the difference of adversary's advantage between two adjacent experiments and defining the adversary's advantage in the final experiment, we can finally get the adversary's advantage in experiment T 0 , that is, the adversary's advantage when attacking the real protocol. In experiment T i , the event Success i indicates that adversary A succeeds, and the adversary's advantage is defined as Adv A,i ðκÞ = 2 Pr ½Success i − 1.
Experiment T 0 . This experiment corresponds to the security experiment of the real protocol. Attackers can send all queries according to the regulations of the secure model, and the instance being queried will respond according to the actual protocol specifications.
Proof. Since the simulator knows k 1 and k 2 , it is easy to know that Lemma 1 holds according to the approximate correctness of NA-ASPH and the correctness of ECC. Experiment T 2 . Compared with experiment T 1 , we modify the response to the Execute query as shown below. The ciphertext c 1 is replaced by the encryption of the illegal password pw A ′ ∉ D, and tk ′ calculated by the client A is forced to be equal to the tk calculated by the server C, and other calculations remain unchanged.
Proof. We use standard hybrid argument to analyze the impact of replacing pw A with pw A ′ on the adversary's advantage. We set the number of queries to q exe and define a series of intermediate experiments. The first η queries in the experiment are same as those in T 2 , the remaining ðq exe − ηÞ queries are same as those in T 1 . The Send query conforms to the security model. It can be seen that experiments T are completely consistent with the experiments T 1 and T 2 , respectively. If the lemma is not true, that is, the difference of A's advantage between experiments T 1 and T 2 is not negligible, there must be some η such that the difference of A's advantage between T ðη−1Þ 1 and T ðηÞ 1 cannot be ignored. Then, we can construct an attacker M for the security of the encryption system Σ so that it can successfully attack Σ with nonnegligible probability.
We now construct an adversary M who attacks the CCAsecure PKE scheme Σ in the following way: given the public key pk, the adversary M simulates the entire experiment for A according to the experiment T Wireless Communications and Mobile Computing According to the CCA security of encryption system Σ, the lemma holds. We emphasize that only the CPA security of Σ is actually used here.
Experiment T 3 . We change the response to the Execute query: (1) change the calculation method of tk to tk = H k 1 ðu 2 , pw A Þ ⊕ H k 2 ðu 1 , pw A Þ. (2) Replace the ciphertext c 2 with the encryption of an illegal password pw A ′ ∉ D.
Proof. This lemma is shown through a series of experiments similar to T 1 , T 2 , and T 3 . In addition, this experiment utilizes the modified CCA security experiment shown in Section 2.3 instead of the standard CCA security experiment. Experiment T 4 . We continue to modify the response to the Execute query as follows. We set r j kτ j ksk j to a random string of the appropriate length and the r i kτ i ksk i calculated by client A to be equal to the r j kτ j ksk j calculated by server C. Proof. This comes from the smoothness of NA-ASPH, because when responding to an Execute query in T 3 , the hash function H k is always applied to pw A ′ ∉ D n , so even if s is given, the output is statistically close to uniform. In addition, in T 3 and T 4 the string r i kτ i ksk i used by the client is equal to the string r j kτ j ksk j computed by the server.
Note that the Execute query in T 4 will generate a random session key and random transcripts, which have nothing to do with the actual password of any participant. In the following experiment, we begin to modify the responses to the Send queries. Let Send 0 ðA, i, CÞ represent the "start" message, which enables the client instance Π i A to initiate authentication with the server S. Note that when calculating the number of communication rounds, we ignore the "start" message like other related research. Let Send 1 ðC, j, msg1 = ðs 1 kc 1 = ðu 1 , v 1 ÞÞÞ represent the first message of the protocol sent to the server instance Π j c . Let Send 2 ðA, i, msg2 = ðs 2 ks * 2 kΔkc 2 = ð u 1 , v 1 ÞÞÞ denote the second message of the protocol sent to the client instance Π i A . We also record the secret key sk pk , corresponding to the public key in the generated CRS. Now, we make some explanations for msg1 and msg2. The output of send 0 oracle or the input of send 1 oracle are msg1. Similarly, msg2 may be the output of send 1 oracle or the output of send 2 oracle. If msg1/msg2 is output by a previous send 0 /send 1 oracle, then we call msg1/msg2 oraclegenerated.
Experiment T 5 . In experiment T 5 , we change the response to send 1 queries. If msg1 is oracle-generated, the experiment is the same as T 4 . Otherwise, we set label 1 = AkCks 1 . We check the validity of c 1 according to label 1 and pk.
(i) If c 1 is invalid, the experiment just aborts as the real protocol (ii) Else, we can get pw ad A by decrypting c 1 , because we have sk pk . If pw ad A = pw A , we just declare that adversary A succeeds, and the experiment is terminated. If pw ad A ≠ pw A , we set tk and H k * 2 ðu 1 , pw A Þ computed by the server as random tapes of the appropriate length Lemma 5. If ðK, ℓ, ℍ = fH k : X ⟶ f0, 1g ℓ g, S, α : K ⟶ SÞ is an ϵ-NA-ASPH, then Adv A,4 ðκÞ ≤ Adv A,5 ðκÞ + neglðκÞ.
Proof. In the actual protocol, server C simply refuses, and the protocol terminates when c 1 is invalid. Therefore, if msg1 is oracle-generated, or msg1 is not oracle-generated and c 1 is invalid, then experiment T 5 is consistent with experiment T 4 . Now, we only need to consider the case where msg1 is not oracle-generated and c 1 is valid.
(i) If pw ad A = pw A , adversary A succeeds. Note that this only improves the adversary's advantage (ii) If pw ad A ≠ pw A , tk and H k * 2 ðu 1 , pw A Þ computed by the server are both set to random tapes. From the view of adversary A, there is no difference between these changes. First, as ðc 1 , pw ad A Þ ∉ L, in the view of A, both tk = Hashðs 1 , ðu 2 , pw A Þ, r j Þ ⊕ H k 2 ðu 1 , pw A Þand Δ = tk ⊕ ECCðH k * 2 ðu 1 , pw ad A ÞÞ are statistically indistinguishable from random uniform distribution. This can be derived directly from the smoothness of NA-ASPH. Similarly, from the view of A, r j kτ j ksk j = H k * 2 ðu 1 , pw ad A Þ is also statistically indistinguishable from random uniform distribution. Therefore, pw ad A ≠ pw A only introduces a negligible difference in experiment T 5 .
Finally, we obtain that Adv A,4 ðκÞ ≤ Adv A,5 ðκÞ + neglðκÞ. Experiment T 6 . In experiment T 6 , let msg1 be the output from a previous Send 0 query ðA, i, CÞ (note that such a query must exist). Send 2 query is handled as follows: If msg2 is oracle-generated by a previous Send 1 query, the experiment is similar to T 5 except for (1) computing tk ′ as tk ′ = H k 1 ðu 2 , pw A Þ ⊕ H k 2 ðu 1 , pw A Þ and (2) setting r i kτ i ksk i 7 Wireless Communications and Mobile Computing = r j kτ j ksk j . Otherwise, we set label 2 = CkAks 1 ks 2 ks * 2 kΔkc 1 . We check the validity of c 2 according to label 2 and pk.
(i) If c 2 is invalid, the experiment just aborts as the real protocol (ii) Else, we can obtain pw ad A similar to T 5 . If pw ad A = pw A , we declare that A succeeds and the experiment terminates. Otherwise, if Π i A is accepted, let r i kτ i ksk i to be a random tape of appropriate length Lemma 6. If ðK, ℓ, ℍ = fH k : X ⟶ f0, 1g ℓ g, S, α : K ⟶ SÞ is an ϵ-NA-ASPH, and ECC:f0, 1g κ ⟶ f0, 1g ℓ is an errorcorrecting code which can correct 2ϵ-fraction of errors, then Adv A,5 ðκÞ ≤ Adv A,6 ðκÞ + neglðκÞ.
Proof. We prove different situations separately. First, if both msg1 and msg2 are oracle-generated, the simulator will know the hash keys k 1 and k 2 . According to the smoothness of the NA-ASPH, the changes in computing tk ′ andr i kτ i ksk i are just conceptual (in this case, it holds that r i kτ i ksk i = r j kτ j k sk j in both T 5 and T 6 ). Second, if msg2 is not oracle-generated, the simulator sets label 2 = CkAks 1 ks 2 ks * 2 kΔkc 1 and then uses label 2 and pk to check whether c 2 is valid. If not, T 5 and T 6 are the same as the real protocol. Otherwise, the simulator uses sk pk to decrypt c 2 and obtains pw ad A .
(i) If pw ad A = pw A , adversary A succeeds. Note that this just improves the adversary advantage (ii) If pw ad A ≠ pw A , according to section 2.4, ðlabel 2 , c 2 , pw ad A Þ does not belong to L. Then, by the smoothness of NA-ASPH, H k 1 ðu 2 , pw A Þ and thus tk ′ = H k 1 ðu 2 , pw A Þ ⊕ H k 2 ðu 1 , pw A Þ are both statistically close to uniform over f0, 1g ℓ . Furthermore, we have r i kτ i k sk i ðr i kτ i ksk i ⟵ H ′ = ECC −1 ðtk ′ ⊕ ΔÞÞ is statistically close to uniform over f0, 1g κ . Therefore, the modifications of pw ad A ≠ pw A bring a negligible statistical difference. Note that the output of ECC −1 ðtk ′ ⊕ ΔÞ may be ⊥. In this case, client A rejects Experiment T 7 . Compared with experiment T 6 , we modify the response to a Send 0 query. The only difference is that we use pw A ′ ∉ D to compute c 1 .
Proof. We analyze the impact of replacing pw A with pw A ′ ∉ D on the adversary's advantage similar to T 2 . But for the sake of simplicity, we consider that A only executes a single Send 0 query. The correctness still holds according to standard hybrid argument. If the lemma is not true, that is, the difference of A's advantage between experiments T 6 and T 7 is not negligible, then an attacker M can be constructed for the security experiment of the encryption system Σ, which can successfully attack Σ with nonnegligible probability.
We now construct an adversary M who attacks the CCAsecure PKE scheme Σ in the following way: given the public key pk, the adversary M simulates the entire experiment for A according to experiment T 7 , including selecting random passwords for the participants and selecting the random bit b for A in the Test query. When answering the Send 0 query, M will send ðpw A , pw A ′ Þ as its challenge plaintext pair to M's own challenger. After receiving the challenge ciphertext c 1 ′ , M replaces c 1 with c 1 ′ in the Send 0 query. Finally, M checks whether A guesses the random bit in the Test query. If A succeeds, M outputs 1; otherwise, M outputs 0.
Let Event pw A Σ ðMÞ denote that M gets the challenge ciphertext of the real password pw A and outputs 1 at the end of the experiment. Let Event pw A Σ ′ ðMÞ represent that M gets the challenge ciphertext of the invalid password pw A ′ and outputs 1 at the end of the experiment. If M gets the challenge ciphertext of the real password pw A , the environment provided by M for the protocol adversary A is the same as experiment T 6 . Therefore, the probability that M outputs 1 is exactly the same as A's success probability (Pr ½Success T 6 ) in experiment T 6 , i.e., Pr ½Event ðκÞ be M's advantage in attacking the encryption system Σ, then According to the CCA security of the encryption system Σ, the lemma holds.
Experiment T 8 . Experiment T 8 is similar to T 7 except that if msg1 is oracle-generated: (1) tk computed by the server is set to be H k 1 ðu 2 , pw A Þ ⊕ H k 2 ðu 1 , pw A Þ; (2) a random string r j kτ j ksk j of appropriate length is set for Π j C .
Proof. First, if msg1 is oracle-generated, the simulator has hash keys k 1 and k 2 ; thus, it can compute tk = H k 1 ðu 2 , pw A Þ ⊕ H k 2 ðu 1 , pw A Þ.Secondly, since the ciphertext c 1 is the encryption of pw A ′ ∉ D, H k 2 ðu 1 , pw A Þ and tk are statistically close to uniform. Similarly, r j kτ j ksk j (r j kτ j ksk j ⟵ H k * 2 ðu 1 , pw A Þ) is also statistically close to uniform. Thus, we have that 8 Wireless Communications and Mobile Computing the modifications here introduce only a statistically negligible difference. Therefore, jAdv A,8 ðκÞ − Adv A,7 ðκÞj ≤ neglðκÞ.
Experiment T 9 . For the final experiment, we again modify the response to the Send 1 queries. If msg1 is oracle-generated, the ciphertext c 2 is now computed as the encryption of pw A ′ ∉ D.
Proof. We analyze the impact of replacing pw A with pw A ′ ∉ D on the adversary's advantage. We consider that A only executes a single Send 1 query similar to T 7 . Now, we show that if any PPT adversary A can distinguish these two experiments, then we can construct an attacker M breaking the CCA security experiment (in Section 2.3) of the CCA encryption system Σ with a nonnegligible probability.
We now construct an adversary M interacting with A in T 8 to attack the CCA-secure PKE scheme Σ in the following way: given the public key pk, the adversary M simulates the entire experiment, including selecting random passwords for the participants and selecting the random bit b for A in the Test query. When answering the Send 1 query, M will send ðpw A , pw A ′ Þ as its challenge plaintext pair to M's own challenger. After receiving the challenge ciphertext c 1 ′ , M replaces c 1 with c 1 ′ in the Send 1 query. When M needs to decrypt some valid ciphertext c 2 ′ , it will send ðlabel 2 ′ , c 2 ′ Þ to its own challenger to obtain the corresponding pw A ′ . Finally, M checks whether A guesses the random bit correctly in the Test query. If A succeeds, M outputs 1; otherwise, M outputs 0.
Let Event pw A Σ ðMÞ/Event pw A Σ ′ ðMÞ denote that M gets the challenge ciphertext of the password pw A /pw A ′ and outputs 1. If M gets the challenge ciphertext of pw A /pw A ′ , the environment provided by M for the protocol adversary A is the same as experiment T 8 /T 9 . Therefore, we have Pr ½Event ðκÞ be M's advantage in attacking the encryption system Σ, then According to the CCA security of encryption system Σ, the lemma holds.
So far, we have completed the modification of Send query. We now analyze the adversary's advantage in the final experiment T 9 . If adversary A cannot guess the correct password, A can only rely on guessing the random bit b in the Test query to succeed. Note that all session keys are replaced with random tapes, so the probability of A guessing b is only 1/2. At the same time, as described in experiments T 5 and T 6 , the adversary A can succeed by guessing the password, and the probability of each correct guess is at most 1/jDj, so the ultimate advantage of adversary A is at most q send / jDj. Combining the conclusions of Lemma 1 to Lemma 9, we can see that Adv T 0 ðnÞ ≤ q send /jDj + neglðκÞ, that is, the conclusion of Theorem 1 is established.

A Two-Round 3PAKE Protocol
In this section, we propose a two-round 3PAKE protocol based on the two-round 2PAKE protocol in Section 3. Client A and server C share the password pw A , and client B and server C share the password pw B . The primitives and the initialization process here are the same as the two-round 2PAKE protocol above. The clients and server implement the honest 3PAKE protocol on lattice, as shown in Table 3.

Protocol Execution.
Clients A and B, respectively, choose random tapes r 1A ⟵ r f0, 1g * and r 1B ⟵ r f0, 1g * for encryption hash keys k 1A , k 1B ⟵ r K. Then, A/B computes the projection key s 1A = αðk 1A Þ/s 1B = αðk 1B Þ and sets label 1A = AkBkSks 1A /label 1B BkAkSks 1B . A/B continues to compute After receiving ðAkBkSks 1A kc 1A Þ and ðBkAkSks 1B kc B1 Þ from clients A and B, the server C checks whether c 1A and c 1B are valid ciphertexts with respect to pk, label 1A and label 1B . If not, C refuses and the protocol is terminated. Otherwise, C chooses hash keys k 2A , k 2B ⟵ r K and k * 2A , k * 2B ⟵ r K.

Correctness.
After the protocol is executed honestly, the probability of a mismatch between the session keys obtained by the two clients A and B is negligible. From the approximate correctness of the NA-ASPH, the probability that the Hamming distance between tk A ðtk B Þ calculated by client A (B) and tk A ′ ðtk B ′ Þ calculated by the clients is greater than ðεðnÞ•nÞ can be neglected. Then, from the definition of error correction code ECC, client A (B) and server C can obtain the same r iA kτ iA ksk iA (r jB kτ jB ksk jB ), so A and B can get the same session key, 4.3. Security. Since the protocol here is symmetrical with respect to the clients, the proof usually can only take one client as an example. The security proof of the protocol follows Section 3 closely. We outline the main ideas. First, based on the CCA security of the underlying primitive Σ, the adversary cannot obtain any useful information about the real password through Execute query. In the Execute query, if the simulator replaces the valid password with an illegal one, guaranteed by the smoothness of NA-ASPH, the adversary cannot distinguish the corresponding two experiments computationally. Second, if the adversary simply replays the messages between participants, the proof is the same as the Execute query. Third, if the adversary modifies the output message of some instances (that is, it modifies (label, c)), the simulator can obtain the corresponding plaintext pw ad A/B through the decryption oracle provided by CCA security. If pw ad A/B = pw A/B holds, the corresponding attack is successful, which will increase the adversary's advantage. Using the CCA security of Σ, pw A/B is uniformly sampled from the password dictionary D, so Pr ½pw ad A/B = pw A/B ≤ 1/jDj. Assuming that the adversary can perform at most Q(κ) online attacks, then the adversary's advantage is at most QðκÞ /jDj. And if pw ad A/B ≠ pw A/B holds, then from the adversary's view, the session key obtained is indistinguishable from the uniform distribution (according to the smoothness of NA-ASPH).

Protocol Performance Analysis
In this section, we will compare the performance of the two proposed protocols with other related protocols in terms of safety and efficiency. The comparison results are shown in Table 4, where Type represents the protocol type, M-Auth indicates whether the protocol can provide mutual authentication, Round denotes the number of communication rounds required by the protocol, Anti-Qu represents whether the protocol can resist quantum attacks, C-method indicates the operation method of the protocol, C-cost represents the communication cost of the protocol, V-mul denotes vector multiplication, Exp indicates exponentiation, and n = n 1 + n 2 .
In terms of security, we mainly compare with other protocols in (1) whether it can resist quantum attacks; (2) whether it can achieve mutual authentication. In terms of efficiency, we mainly compare from the following three aspects: (1) the selection of cryptographic primitives, (2) the calculation method, and (3) the communication overhead. Note that the calculation method adopted is used to roughly measure the computational cost of the corresponding protocol. Moreover, the computational cost of modular exponential operations is much greater than linear operations on matrices and vectors.
Compared with the K-PAKE [33] and D-PAKE [34], the advantage of the 2PAKE is that mutual authentication and key exchange can be achieved within two rounds of transmission. And the size of the ciphertext of K-PAKE and D-PAKE are O (n) larger than 2PAKE. The size of the projection key of K-PAKE and D-PAKE is determined by the ciphertext and the hash key, larger than that of 2PAKE.
Compared with the typical three-party PAKE, A-3PAKE [30], the 3PAKE in this paper is lattice-based and can resist quantum attacks. The proposed 3PAKE can achieve mutual authentication within two rounds of transmission. In addition, A-3PAKE uses exponential operation, while the 3PAKE protocol uses vector multiplication, which has higher computational efficiency.
Compared with Y-3PAKE [35] and X-3PAKE [36] protocols, 3PAKE only requires 2 rounds of transmission. The communication cost of Y-3PAKE protocol mainly depends on the size of the ciphertext, the projection key, and the message authentication code. The size of the ciphertext is O (n) larger than 3PAKE. The size of the projection key of Y-3PAKE is determined by the ciphertext and the hash key, larger than that of 3PAKE. In addition, the Y-PAKE protocol needs to calculate and send a message authentication code for mutual authentication, while 3PAKE performs mutual authentication by verifying the validity of the ciphertext. The amount of messages that needs to be transmitted in X-PAKE is large, resulting in increased communication overhead. Therefore, the communication overhead of the Y-3PAKE and X-PAKE protocols is greater than 3PAKE in this paper.
Z-PAKE [1] is also a two-round protocol, but it is designed for two parties. Compared with the Z-PAKE protocol, 2PAKE adds a projection key to the communication overhead. However, if the three-party PAKE based on Z-PAKE is implemented in a traditional way, at least 4 rounds of communication, that is, 8 message transmissions, are required. But the 3PAKE in this paper only needs 2 rounds of communication, namely 4 message transmissions.
The protocols in this paper have advantages of efficiency and security over traditional protocols based on finite fields, since lattice operations (vector multiplication) are more efficient than exponentiation and lattice problems remain hard for quantum attacks and subexponential-time adversaries. Both protocols in this article can achieve mutual authentication; thus, they can resist imperceptible on-line dictionary attacks. Besides, they are both tworound protocols with less number of transmissions. And the underlying primitive is an improved lattice-based CCA-secure PKE, which can reduce encryption parameters and further reduce computational overhead. In particular, compared with other three-party protocols, the two-round 3PAKE protocol proposed has smaller communication and computation overhead, so it is adaptable to large-scale communication systems.

Conclusions
This paper proposes two password-based authenticated key exchange protocols based on the LWE problem from lattices, which can resist quantum attacks and have high efficiency. In the random oracle model, this paper gives a strict security proof of the proposed protocols. In addition, the proposed PAKE protocols can achieve mutual authentication in two rounds of transmission. And the 3PAKE protocol is practical for large-scale communication systems. Compared with the existing related protocols, the protocols in this paper have higher security and lower communication and computing overhead. In our protocols, the client's password is stored on a single server, so the proposed protocols are not resistant to hacker attacks. In the future, we will study the multiserver PAKE protocol that can resist hacker attacks.