Computer Standards & Interfaces 97 (2026) 104118
Contents lists available at ScienceDirect
Computer Standards & Interfaces
journal homepage: www.elsevier.com/locate/csi
Post-quantum PAKE over lattices revised: Smaug-T.PAKE for mobile devices
Kübra Seyhan a,*, Sedat Akleylek b,c, Ahmet Faruk Dursun a
a Department of Computer Engineering, Ondokuz Mayis University, Faculty of Engineering, Samsun, 55139, Turkiye
b Chair of Security and Theoretical Computer Science, University of Tartu, Institute of Computer Science, Tartu, 50090, Estonia
c Department of Software Engineering, Istinye University, Faculty of Engineering and Natural Sciences, Istanbul, 34396, Turkiye
ARTICLE INFO

Keywords: Post-quantum cryptography; Lattice-based cryptography; SMAUG-T; Password-authenticated key exchange

ABSTRACT

In this paper, an efficient post-quantum secure password-authenticated key exchange (PAKE) scheme from a well-structured lattice-based key encapsulation mechanism (KEM) is proposed. The generic KEM to PAKE idea, OCAKE, is modified by considering hybrid module learning with errors (MLWE) + module learning with rounding (MLWR) assumptions to obtain explicit password-based authentication from SMAUG-T.KEM procedures. As a KEM primitive, SMAUG-T.KEM is chosen due to its performance against the National Institute of Standards and Technology (NIST) standard Crystals-Kyber (Kyber) to obtain an efficient and post-quantum secure PAKE scheme. Firstly, the anonymity and fuzziness properties of SMAUG-T.KEM are proven to fit the OCAKE approach in constructing the PAKE version of Smaug.KEM. Then, the post-quantum security of the proposed SMAUG-T.PAKE is analyzed in the universal composability (UC) model based on the hybrid security assumptions and the proved properties. Reference C and JAVA codes are written to evaluate whether the targeted efficiency is achieved on different platforms. Based on central processing unit (CPU) and memory usage, run time, and energy consumption metrics, the proposed solution is compared with current PAKE proposals. The performance results show that SMAUG-T.PAKE, with two optional encryption modes, Advanced Encryption Standard (AES) or Ascon, presents better performance than the other module-based PAKE solutions from lattices in terms of both reference and mobile results.
* Corresponding author.
E-mail address: kubra.seyhan@bil.omu.edu.tr (K. Seyhan).
https://doi.org/10.1016/j.csi.2025.104118
Received 25 August 2025; Received in revised form 29 October 2025; Accepted 12 December 2025
Available online 15 December 2025
0920-5489/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

1. Introduction

A PAKE protocol provides secure key sharing on an insecure channel by using a pre-shared password as an authentication component [1]. In recent years, PAKE protocols have been preferred in wireless communication, e-passports, and the Internet of Things, where efficiency, portability, simplicity, and independence are essential [2,3]. PAKE usage in resource-limited communication models establishes independent, secure, and portable authenticated communication without extra public key infrastructure, complex components, or a central authority. The main trade-off in PAKE protocols arises between efficiency and security, since they use low-entropy pre-shared passwords to derive high-entropy shared keys. PAKEs were first introduced to the literature with encrypted key exchange (EKE) by Bellovin and Merritt in 1992 [4]. After this first attempt, several PAKE solutions were proposed, and standardization attempts were started covering different design settings, primitives, properties, and usage areas. The most recent standardization effort was made by the Internet Engineering Task Force (IETF) in 2020, and CPace and OPAQUE were announced as standard traditional PAKE protocols [5,6].

The computational hardness of traditional PAKEs was basically captured by following the hardness of the discrete logarithm problem (DLP). In the pre-quantum era, the security of PAKEs is maintained as there is no efficient, polynomial-time algorithm to solve DLP if a suitable parameter set is selected. The first appearance of Shor's algorithm [7] changed this situation and started a new challenge for public key cryptography (PKC) in the age of large-scale quantum computers. NIST announced a call to be ready for the post-quantum era by determining PKC standard(s) in 2016. In this period, the aim was to select quantum-resistant digital signature and public-key encryption/key-establishment algorithms. The NIST standardization process was finalized in 2024 and 2025: lattice-based CRYSTALS-KYBER and code-based HQC were determined as the post-quantum KEM standards, while lattice-based CRYSTALS-Dilithium and Falcon, and hash-based SPHINCS+ were determined as digital signature standards [8]. In addition to the international call of NIST, China, Korea, Ukraine, and Russia also started initiatives to determine their own standards for post-quantum cryptography (PQC). Even though no standardization process specific to PAKEs has been started, there is ongoing research on the post-quantum secure PAKE design process
in the literature and industry. In particular, PQC algorithms have larger key and ciphertext sizes compared to traditional cryptosystems, and they require high bandwidth and system resource usage, making efficient PQC protocol design difficult. As is known, after standard cryptographic principles are determined, the needs are met by adapting them to different purposes and application areas as a black box in the design. So, proposing a post-quantum secure PAKE based on a well-studied algorithm will be one of the appropriate candidates for the future security of PKCs. It is necessary to provide the required security definitions for the combination of different cryptographic principles in PAKE design, to present evidence of post-quantum security, and to perform performance evaluations on different platforms. Additionally, a comparative performance and efficiency analysis against the methods used for PAKE design in the literature, and the effect of using different models in the cryptographic primitives used as black boxes, should be examined to evaluate post-quantum secure PAKE protocols.

1.1. Motivation

PQC has received tremendous interest in industry and academic research due to the increasing work to build a sufficiently powerful quantum computer. To be ready for the post-quantum era, active work is being carried out with various attempts, such as standardization efforts, literature research, and industrial initiatives, specifically regarding the essential key agreement requirement. Among key sharing schemes, PAKEs stand out with their simple operations and strong security based on passwords. While studies on standardization and improvement of traditional PAKE protocols continue, the need to evaluate the post-quantum effect has also emerged. Although standardization efforts have been initiated to determine post-quantum secure standards for basic public key cryptosystems, no attempt has yet been made for specialized primitives like PAKEs. Although there has been increasing interest in developing quantum-safe PAKEs in recent years, little work has yet been done on building PAKEs by integrating standard PQC algorithms. The main motivation for this paper comes from [2,9,10], which identified the design, security, and performance analysis of a post-quantum secure, relatively efficient PAKE derived from standard primitives as an open problem. The cryptographic primitives used in constructing an efficient post-quantum secure PAKE solution must be evaluated for their effects on security analysis and performance.

1.2. Contribution

In this paper, we focus on the problem of whether it is possible to construct an efficient and post-quantum PAKE using well-defined post-quantum KEM algorithms and additional primitives. To obtain an efficient PAKE, the SMAUG-T [11] algorithm, which is the Korean PQC KEM standard and has been shown to be more efficient than the NIST KEM standards, was used to improve efficiency. With the focus on efficiency, the idea of OCAKE [12] is adopted into the proposed model to capture explicit password-based authentication. The proposed PAKE, SMAUG-T.PAKE, is the first MLWR+MLWE-based PAKE scheme that provides efficiency and post-quantum security. The contributions of this paper to the literature can be summarized as follows.

• The first MLWE+MLWR-based PAKE protocol that provides explicit authentication, anonymity, fuzziness, and efficiency for post-quantum era security is proposed.
• As an extended and modified version of [13], a more efficient lattice-based PAKE with reduced encryption/decryption and Smaug.KEM operations is constructed. Unlike [13], MLWE+MLWR-based security definitions are defined in the UC model to capture explicit authentication.
• Firstly, the anonymity and fuzziness properties of SMAUG-T.KEM are defined and analyzed to build the modified MLWR+MLWE-based PAKE construction.
• In order to evaluate the effect of KEM and encryption/decryption operations on PAKE security analysis, MLWE+MLWR-based adaptations are also followed in the UC model.
• Detailed security analysis of the proposed PAKE based on the modified security definitions shows that SMAUG-T.PAKE maintains post-quantum security even with the additional components it includes.
• The efficiency analysis of the proposed PAKE is done by considering different application areas and additional primitive usages. Additionally, detailed performance analyses are provided to demonstrate that more efficient structures can be constructed compared to PAK-based PAKE construction models.
• The constructed SMAUG-T.PAKE is implemented in C for general use-case performance and also in JAVA for mobile application usage. To make a meaningful comparison, the NIST standard CRYSTALS-Kyber is also implemented in C, based on the same construction idea.
• The efficiency of SMAUG-T.PAKE is analyzed in terms of CPU usage, memory usage, and energy consumption.
• According to the comparison, the constructed PAKE provides better performance results than other module-based PAKE solutions. Moreover, the proposed SMAUG-T.PAKE gives the best results when using the lightweight cipher Ascon.

1.3. Related work

In the literature, different PAKE design methodologies have been proposed to be ready for the post-quantum era. The presented lattice-based solutions were generally constructed by combining different projective hash functions (PHF), reconciliation structures, password-related computations, etc., according to the selected design idea. The proposed solutions can be divided into three categories: use projective hash functions to convert an encryption scheme to a PAKE [14–20], build a PAKE from a key exchange (KE) idea by adding password-based authentication [21–29], and convert a KEM to a PAKE [12,13,30–34]. In Table 1, a snapshot of the lattice-based PAKE literature is given.

It is known that KEM schemes contain some extra encryption/decryption procedures, functionalities, and computations to ensure strong security properties. So, KEM-based PAKE schemes by nature tend to show poorer performance results and stronger security features. In the lattice-based PAKE literature, two basic models for converting a KEM to a PAKE exist. The first model combines the traditional PAKE design [1] and a well-structured KEM to add password-based authentication to the KEM idea. It uses the KEM procedures as a black box and adds password-related primitives to provide password-based authentication in the KEM. In the second model, four generic KEM to PAKE constructions were provided in the light of traditional PAKE designs. These generic PAKE models contain extra ideal cipher operations and use KEM procedures to ensure explicit or implicit authentication.

As the main focus of this paper, one-round lattice-based PAKE proposals that were constructed using KE and KEM approaches by adding password-related components are summarized as follows. Note that to analyze the performance of the proposed PAKE, MLWE/MLWR-based PAKE constructions will be used. In the following part, the main construction idea of these PAKEs is briefly summarized.

In [35], the first lattice-based construction of conventional password-authenticated key exchange (PAK) PAKE [1] was presented in the literature under ring learning with errors (RLWE) hardness assumptions. The proposed PAKE provided password-authenticated shared key generation for the two-party communication model. The security of this scheme was analyzed using ROM assumptions. In [23], an efficient MLWE-based PAKE scheme, MLWE.PAK.PAKE, was proposed by considering the traditional PAK design idea [1]. The MLWE.PAK.PAKE scheme consists of one round and was designed for the two-party communication model. The security analysis against password dictionary attacks was performed in the ROM. In [25],
an MLWR-based PAKE was constructed by considering NIST's Saber [36] KE idea and the traditional PAKE approach [1]. Even though the design structure of the proposed Saber.PAK.PAKE is the same as MLWE.PAK.PAKE, it presented better performance results due to the efficient structure of the MLWR problem. In [30], the PAKE version of the NIST KEM standard, Kyber, was proposed using KEM functionalities and basic password components. The core construction of Kyber.PAK.PAKE is based on the traditional PAK approach to capture password-authenticated shared key generation. In [29], an MLWE-based three-party PAKE protocol was proposed by following the KE to PAKE design idea. In the security analysis, ROM-based assumptions were followed to provide the formal security.

In recent years, researchers have been working on how to convert a well-structured KEM into a PAKE. The main reason behind this idea is to create PAKE versions of standard KEMs for different applications or usage areas. Different models, [12,31–34], have been proposed in the literature considering lattice assumptions. In [31], a compact PAKE construction, which requires the underlying KEM's one-wayness and anonymity and the public key's uniformity, was defined. As a case example, a Kyber-based PAKE was proposed and analyzed in the UC model. In [32], a generic PAKE model from a KEM that is one-way secure against checkable attacks was introduced. The proposed construction also required the underlying KEM's anonymity and fuzziness. By considering the Kyber KEM functions, the security of the proposed idea was analyzed using ROM assumptions. In [33], the KEM's PAKE design utilizes public-key authentication using XOR instead of public-key symmetric encryption. The goal is to create perfect privacy schemes by eliminating the need for ideal passwords. In [34], the definitions for PAKE models based on post-quantum KEM and traditional PAKE assumptions were provided. Details on the security analysis of the proposed hybrid PAKE models in the UC model were also presented. In [12], Beguinet et al. proposed two different PAKE construction models that include a KEM as a black box. According to the provided generic models, the CAKE version presents password-based implicit authentication with strong security proofs based on adaptive corruptions, even if the receiver is unsure that he/she can receive the session key. The OCAKE approach captures explicit authentication using a key-confirmation tag without extra encryption. These two constructions require a KEM that provides the fuzziness and anonymity properties for the public key and the ciphertext, respectively. The security analysis was provided based on Kyber's assumptions by considering the password-authenticated ideal functionality in the UC model.

Table 1
Outlook on lattice-based PAKEs.

PAKE construction model | Literature proposals | Hardness         | Security model | Additional primitives
PAKE from KE            | [21]                 | RLWE             | ROM            | X
                        | [22]                 | RLWE             | ROM            | X
                        | [23]                 | MLWE             | ROM            | X
                        | [24]                 | RLWE             | ROR            | X
                        | [25]                 | MLWR             | ROM            | X
                        | [26]                 | RLWE             | ROM            | X
                        | [27]                 | RLWE             | ROR            | X
                        | [28]                 | RLWE             | ROM            | X
                        | [29]                 | MLWE             | ROM            | X
PAKE from KEM           | [30]                 | MLWE             | ROM            | X
                        | [31]                 | MLWE             | UC             | Feistel construction
                        | [32]                 | MLWE             | ROM            | One-way plaintext-checking
                        | [12]                 | MLWE             | UC             | Ideal cipher
                        | [13]                 | MLWE + MLWR      | UC             | Two Cipher
                        | [33]                 | Non-uniform LWE  | ROM            | Ideal Cipher, XOR
                        | [34]                 | X                | ROM            | SPHF, XOR, Encryption
                        | Ours                 | MLWE + MLWR      | UC             | Cipher
PAKE with PHF           | [14]                 | LWE              | ROM            | SPHF, encryption
                        | [15]                 | RLWE             | UC             | Oblivious Pseudorandom function, NIZK
                        | [17]                 | LWE              | Standard model | ASPHF, Encryption, ECC
                        | [18]                 | LWE              | ROM            | ASPHF
                        | [20]                 | LWE+LWR          | ROM            | SPHF, Password hashing scheme
                        | [19]                 | LWE              | ROM            | SPHF, NIZK

ROM: Random Oracle Model. ECC: Error Correction Code. ROR: Real or Random. NIZK: Non-Interactive Zero Knowledge. UC: Universal Composability. SPHF: Smooth PHF. ASPHF: Approximate SPHF.

1.4. Outline

In Section 2, the mathematical background is summarized. In Section 3, the constructed SMAUG-T.PAKE is defined, and the correctness analysis is given. In Section 4, the proof of security is detailed under the
UC framework. In Section 5, the implementation results and a detailed discussion are presented. Finally, in Section 6, the conclusion and future work are explained.

2. Preliminaries

In this section, we recall the basics of the underlying primitives and the security-related details. The specific symbols and abbreviations are given in Table 2.

Table 2
Notation.

$q, p$ : Positive integer moduli, powers of 2.
$\mathbb{Z}_q$ : The quotient ring of integers modulo $q$.
$\mathbb{Z}_q[x]$ : Polynomials with coefficients in $\mathbb{Z}_q$.
$R_q = \mathbb{Z}_q[x]/(x^n + 1)$ : Quotient ring.
$R_q^{k \times k}$ : Ring of $k \times k$ matrices over $R_q$.
$\chi$ : Discrete Gaussian distribution with standard deviation $\sigma = 1.0625$.
$S_\eta$ : SMAUG-T.KEM secret key and error term distribution. For $\eta \in \mathbb{Z}$, $S_\eta$ denotes the set of polynomials of degree less than $n$ with coefficients in $[-\eta, \eta] \cap \mathbb{Z}$.
$T$ : Transpose.
XOF : Extendable-output function. Utilized to generate the seed of $A$; set as SHAKE-128.
expandA : Sampling function for SMAUG-T.KEM's general public key. expandA$(\cdot): \rho \in \{0,1\}^{256} \to A \in R_q^{k \times k}$.
$hwt_h$ : Sampling function for SMAUG-T.KEM's sparse polynomials with Hamming weight $h$. $hwt_h(\cdot) \to S_\eta^k$.
$h_s, h_r$ : Number of non-zero coefficients of the sparse polynomials, where $h_s = \{140, 150, 145\}$ and $h_r = \{132, 147, 140\}$ for 128-, 192-, and 256-bit security.
$t$ : Constant rounding component, where $t = 2$.
$H : \{0,1\}^{256} \to \{0,1\}^{256}$. Set as SHA3-256.
$G, kdf : \{0,1\}^{256} \times \{0,1\}^{256} \to \{0,1\}^{256}$. Set as SHA3-512 and SHAKE-256, respectively.
$\lfloor \cdot \rceil$ : Rounding operator.
$x \leftarrow_r X$ : $x$ is selected uniformly at random from the distribution $X$.
sk-pk-ssk-ct-pw : Secret key - public key - shared secret key - ciphertext - password.
$\delta$ : Decryption failure probability of SMAUG-T.KEM.
$\|\cdot\|_\infty$ : Infinity norm.
negl$(\cdot)$ : Negligible function.
$H_1, H_2 : \{0,1\}^* \to \{0,1\}^{256}$. Set as SHA3-256.

2.1. SMAUG-T primitives

In the proposed PAKE, the generic OCAKE KEM to PAKE construction [12] is followed to obtain an efficient PAKE version of SMAUG-T.KEM [11], a Korean PQC standardization algorithm. Based on the MLWR and MLWE assumptions, the SMAUG-T.KEM scheme satisfies indistinguishability under chosen plaintext attacks (IND-CPA) and indistinguishability under adaptive chosen ciphertext attacks (IND-CCA2) security. Due to the module variants of the selected problems and the efficiency of the MLWR structure in encryption, SMAUG-T.KEM presents reduced public key and ciphertext sizes and running times. The main procedures of SMAUG-T.KEM [11] are recalled in Table 3.

Table 3
Algorithms for SMAUG-T.KEM.

SMAUG-T.PKE.KeyGen():
  seed $\leftarrow \{0,1\}^{256}$
  $(\rho, \tau) \leftarrow$ XOF(seed)
  $A \leftarrow$ expandA$(\rho) \in R_q^{k \times k}$
  sk: $s \leftarrow hwt_{h_s}(\tau) \in S_\eta^k$
  $e \leftarrow \chi(\tau) \in R_q^k$
  $b = A^T s + e \bmod q$
  pk: $(\rho, b) \in \{0,1\}^{256} \times R_q^k$
  Return $((\rho, b), s)$

SMAUG-T.PKE.Enc:
  Input: pk: $(\rho, b)$; Message $\mu \in \{0,1\}^{256}$; Seed $\rho' \in \{0,1\}^{256}$ (encryption coins)
  $r \leftarrow hwt_{h_r}(\rho') \in S_\eta^k$
  $c_1 = \lfloor \tfrac{p}{q} A r \rceil \in R_p^k$
  $c_2 = \lfloor \tfrac{p}{q} (b^T r + \tfrac{q}{t} \mu) \rceil \in R_p$
  ct: Return $(c_1, c_2)$

SMAUG-T.PKE.Dec:
  Input: sk: $s$; ct: $(c_1, c_2) \in R_p^k \times R_p$
  $\mu' = \lfloor \tfrac{t}{p} (c_2 + c_1^T s) \rceil$
  Message: Return $(\mu')$

SMAUG-T.KEM.KeyGen():
  $((\rho, b), s') =$ SMAUG-T.PKE.KeyGen()
  $d \leftarrow \{0,1\}^{256}$
  sk: $s = (s', d) \in S_\eta^k \times \{0,1\}^{256}$
  Return $((\rho, b), s)$

SMAUG-T.KEM.Encap(pk $= (\rho, b)$):
  $\mu \leftarrow \{0,1\}^{256}$
  $(c_1, c_2) =$ SMAUG-T.PKE.Enc$((\rho, b), \mu;\ G(\mu, H((\rho, b))))$
  $K = kdf(\mu, H((c_1, c_2))) \in \{0,1\}^{256}$
  ssk: Return $((c_1, c_2), K)$

SMAUG-T.KEM.Decap(pk $= (\rho, b)$, sk $= (s', d)$, ct $= (c_1, c_2)$):
  $m' =$ SMAUG-T.PKE.Dec$(s', (c_1, c_2))$
  $(c_1', c_2') =$ SMAUG-T.PKE.Enc$((\rho, b), m';\ G(m', H((\rho, b))))$
  if $(c_1', c_2') \neq (c_1, c_2)$:
    ssk: Return $K = kdf(d, H((c_1, c_2))) \in \{0,1\}^{256}$
  else:
    ssk: Return $K = kdf(m', H((c_1, c_2))) \in \{0,1\}^{256}$

As summarized in Table 3, the SMAUG-T KeyGen procedures follow the MLWE assumption to generate public and secret key pairs.

Definition 1 (MLWE Problem [37]). Let $\{q, \eta, k\} \in \mathbb{Z}^+$, general public key $A \leftarrow_r R_q^{k \times k}$, secret key $s \leftarrow_r S_\eta^k$, and error term $e \leftarrow_r S_\eta^k$. The MLWE distribution is generated with $(A, b = As + e) \in R_q^{k \times k} \times R_q^{k \times 1}$.

The hardness of MLWE is defined by the advantage (Adv) of an adversary ($\mathbf{A}$) in solving decisional-MLWE:

$$
\mathrm{Adv}^{\mathrm{MLWE}}_{n,q,k,\eta}(\mathbf{A}) = \Big| \Pr[\mathbf{b} = 1 \mid A \leftarrow_r R_q^{k \times k};\ b \leftarrow_r R_q^k;\ \mathbf{b} \leftarrow \mathbf{A}(A, b)] - \Pr[\mathbf{b} = 1 \mid A \leftarrow_r R_q^{k \times k};\ s \leftarrow S_\eta^k;\ e \leftarrow S_\eta^k;\ b \leftarrow As + e;\ \mathbf{b} \leftarrow \mathbf{A}(A, b = As + e)] \Big| < \mathrm{negl}(n)
$$

In SMAUG-T's Enc and Dec procedures, given in Table 3, the ciphertexts are generated according to the MLWR assumption to reduce the key sizes.

Definition 2 (MLWR Problem [36]). Let $\{p, q, \eta, k\} \in \mathbb{Z}^+$ such that $q/p \geq 2$, general public key $A \leftarrow_r R_q^{k \times k}$, and secret key $s \leftarrow_r S_\eta^k$. The MLWR distribution is defined by $(A, b = \lfloor \tfrac{p}{q} A s \rceil) \in R_q^{k \times k} \times R_p^{k \times 1}$.
The hardness of MLWR is determined by the Adv of $\mathbf{A}$ in solving decisional-MLWR:

$$
\mathrm{Adv}^{\mathrm{MLWR}}_{n,q,p,k,\eta}(\mathbf{A}) = \Big| \Pr[\mathbf{b} = 1 \mid A \leftarrow_r R_q^{k \times k};\ b \leftarrow_r R_p^k;\ \mathbf{b} \leftarrow \mathbf{A}(A, b)] - \Pr[\mathbf{b} = 1 \mid A \leftarrow_r R_q^{k \times k};\ s \leftarrow S_\eta^k;\ b \leftarrow \lfloor \tfrac{p}{q} A s \rceil;\ \mathbf{b} \leftarrow \mathbf{A}(A, b = \lfloor \tfrac{p}{q} A s \rceil)] \Big| < \mathrm{negl}(n)
$$

The proposed PAKE mainly aims to obtain an efficient PAKE solution, even though it has complex KEM structures, additional encryption, or primitives. To achieve this, the currently proposed generic PAKE construction from a well-structured KEM, named OCAKE, was selected.

Definition 3 (OCAKE Construction [12]). OCAKE-based PAKE is one of the KEM to PAKE solutions in the literature; it was built by considering the traditional one-way encrypted key exchange idea [38]. It stands out with its ability to provide explicit password-based authentication with a single encryption. In addition to capturing security in the relaxed model with static corruptions, it is a model for building efficient KEM to PAKE designs.

In the OCAKE construction, the selected KEM needs to satisfy the fuzziness and anonymity properties, which define the randomness of public keys and of encapsulation, respectively.

Definition 4 (Anonymity of a KEM [12,32]). The anonymity of a KEM scheme is defined by analyzing the randomness of the ciphertext distribution. If the ciphertext distribution obtained by the encapsulation function of the KEM scheme is computationally indistinguishable from the uniform ciphertext distribution, it satisfies the anonymity property.

Definition 5 (Fuzziness of a KEM [12,32]). Fuzziness is specified as a measure of the properties of the public key distribution. More precisely, if the distribution of public keys cannot be computationally distinguished from the uniform distribution, the KEM is said to be fuzzy.

2.2. Security model

In the literature, two different models, Bellare–Pointcheval–Rogaway (BPR) [39] and UC [40], have been used to analyze the security of PAKE schemes. In the BPR model, a game-based analysis is presented, which includes the adversary's protocol-breaking capabilities. With the UC model, a simulation-based approach is used, where the security guarantee is stronger. Due to the selected PAKE construction, in this paper the UC model is used to analyze the security of the proposed PAKE to present strictly better guarantees. Let us define the UC-related security terms [12,40].

• Protocol-$\mathbf{A}$-§-Ŕ-$\mathbf{C}$-$\mathbf{S}$: Protocol-Adversary-Simulator-Role component-Client-Server
• $\mathbf{F}$: Ideal functionality, considered an honest trusted party that unconditionally answers queries.
• sid-stt: Session identifier-Status component
• s-sid = (sid, s-sid): Unique sub-session identifier
• L: A list of session records, where L = (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, pw, stt, Ŕ)
• Real world: The execution of the protocol is run between the parties in the presence of an $\mathbf{A}$.
• Ideal world: Dummy actors and an ideal adversary/simulator interact only with an $\mathbf{F}$ to determine the output of the special function.

The main aim of UC analysis is to imitate a protocol by utilizing the ideal functionality ($\mathbf{F}$). If the outputs of the protocol in the presence of feasible adversary interactions cannot be distinguished from the outputs of the dummy actors and the simulator (§) interacting with the ideal functionality, the protocol is considered to UC-emulate the functionality.

Three different queries describe the ideal functionality of a PAKE protocol [40].

• new-session: It allows one of the communicating parties to initiate a connection with the other party utilizing a shared password. The built connection and the password of the first party are transcribed by using this query in the functionality.
• test-pw: Online dictionary attacks are modeled with this query. When test-pw is queried, it also changes the behavior of the ideal functionality during the key exchange, as the behavior of the next query is altered depending on whether the password guess was correct or incorrect.
• new-key: This query, modeled as an interface, allows the connected parties to be given session keys consistent with their records if the fresh parties utilize the same password.

The explicit authentication of the server is analyzed under the password-authentication-based ideal functionality assumptions described in Algorithm 1.

Algorithm 1 Ideal Functionality Definitions of a PAKE that Provides Explicit Server Authentication

procedure Session-Initialization
  For (new-session, s-sid, Ŕ, pw, $\mathbf{C}_i$, $\mathbf{S}_j$) in $\mathbf{C}_i$;
  • (new-session, s-sid, Ŕ, $\mathbf{C}_i$, $\mathbf{S}_j$) is sent to $\mathbf{A}$.
  • If this is the first or second new-session query and there is a record (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, $\overline{\text{pw}}$, ·, ·) ∈ L, (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, pw, fresh, Ŕ) is recorded to L.
end procedure

procedure Active-Attack
  If a record (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, pw, fresh, Ŕ) ∈ L exists when $\mathbf{A}$ queries (test-pw, s-sid, $\mathbf{C}_i$, $\overline{\text{pw}}$), the following reactions are done.
  • If pw = $\overline{\text{pw}}$, the record is marked as compromised. The answer is labeled as correct-guess and returned to $\mathbf{A}$.
  • Otherwise, the record is marked as interrupted. The answer is tagged as incorrect-guess and returned to $\mathbf{A}$.
end procedure

procedure Key-Generation
  When a query (new-key, s-sid, $\mathbf{C}_i$, ssk) is received from §, where ssk ∈ {shared-keys}.
  • In order to be the first new-key query for $\mathbf{C}_i$, there must be a record of the form (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, pw, stt, Ŕ) for any stt.
  If Ŕ = $\mathbf{C}$,
    If stt = compromised, or one of the parties $\mathbf{C}_i$ or $\mathbf{S}_j$ is corrupted, and there are two records such as (s-sid, $\mathbf{C}_i$, $\mathbf{S}_j$, pw, $\mathbf{C}$) and (s-sid, $\mathbf{S}_j$, $\mathbf{C}_i$, pw, $\mathbf{S}$), then the (s-sid, ssk) values are sent to $\mathbf{C}_i$.
    Else If stt = fresh,
      · For pw = $\overline{\text{pw}}$, if there is a record (s-sid, $\mathbf{S}_j$, $\mathbf{C}_i$, $\overline{\text{pw}}$, $\mathbf{C}$) and $\overline{\text{ssk}}$ has already been transferred to fresh $\mathbf{S}_j$, the (s-sid, $\overline{\text{ssk}}$) values are sent to $\mathbf{C}_i$.
      · For pw ≠ $\overline{\text{pw}}$, an $\overline{\text{ssk}} \leftarrow_r \{0,1\}^k$ is chosen and (s-sid, $\overline{\text{ssk}}$) are transferred to $\mathbf{C}_i$.
    Else If stt = fresh,
      · For this s-sid, if there is no completed record for $\mathbf{S}_j$, nothing is done.
    Else If stt = interrupted,
      · The (s-sid, error) values are sent to $\mathbf{C}_i$.
  If Ŕ = $\mathbf{S}$,
    If stt = compromised, or one of the parties $\mathbf{C}_i$ or $\mathbf{S}_j$ is corrupted,
      · The (s-sid, ssk) values are sent to $\mathbf{C}_i$.
    Else If stt = fresh, or stt = interrupted,
      · An $\overline{\text{ssk}} \leftarrow_r$ {shared-keys} is chosen and (s-sid, $\overline{\text{ssk}}$) are transferred to $\mathbf{C}_i$.
end procedure
The record is updated as completed.

• The role component, Ŕ = {$\mathbf{C}$, $\mathbf{S}$}, is added to the session-related records kept in L.
• On the same session s-sid, if the client queries new-key at a time when the server has not yet queried new-key, nothing is done.
• The client is cancelled regardless of the status if the parties, $\mathbf{C}_i$ and $\mathbf{S}_j$, do not share the same password.

In the security analysis, it is proved that the proposed PAKE is a UC-emulation in the password-based functionality model. When examining the protocol's security, static corruptions are considered in the erasure model during the simulation, where the simulator knows which sides are corrupted. Note that in the theoretical security analysis, password security is not the main concern. In PAKE protocols, passwords are assumed to be securely shared between the parties by adding some boundaries to the selection and usage of passwords and multi-factor authentication solutions.

3. Proposed SMAUG-T.PAKE

The proposed protocol focuses on how a KEM scheme containing performance-efficient components can be converted into an efficient PAKE. For this purpose, SMAUG-T.KEM [11], whose security is defined under the MLWE and MLWR assumptions, is chosen as the KEM scheme. To add password-based authentication, the OCAKE model [12], which allows efficient and explicit authentication with a single encryption, is followed. This model requires the KEM on which it is based to provide the anonymity and fuzziness properties. Before giving the main protocol flow, let us prove the anonymity and fuzziness of SMAUG-T.KEM in Lemma 1.

Lemma 1.
(i) We refer to [11] for the detailed proofs of indistinguishability. Smaug.KEM on parameters $(n, p, q, k, \eta, h_s, h_r)$ holds this property if

$$
\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{SMAUG\text{-}T}}(\mathbf{A}) \leq \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{expandA}}(t) + \mathrm{Adv}^{\mathrm{MLWE}}_{n,q,k,k,\eta,h_s}(t) + \mathrm{Adv}^{\mathrm{MLWR}}_{n,q,p,k+1,k,\eta,h_r}(t) \quad (1)
$$

(ii) To adapt the OCAKE model to SMAUG-T.KEM, we prove that SMAUG-T.KEM satisfies the anonymity property in $R_p^k \times R_p$:

$$
\mathrm{Adv}^{\mathrm{ano}}_{\mathrm{SMAUG\text{-}T}}(\mathbf{A}) \leq \mathrm{Adv}^{\mathrm{PRF}}_{\mathrm{expandA}}(t) + \mathrm{Adv}^{\mathrm{MLWE}}_{n,q,k,k,\eta,h_s}(t) + \mathrm{Adv}^{\mathrm{MLWR}}_{n,p,q,k+1,k,\eta,h_r}(t) \quad (2)
$$

Proof. Let a public key sample of SMAUG-T, $(A^T \mid b^T)^T \leftarrow_r R_q^{(k+1) \times k}$, be given. By rewriting the ciphertext $c = (c_1^T, c_2) \in R_p^{k+1}$,

$$
c = \begin{bmatrix} c_1 \\ c_2 \end{bmatrix} = \underbrace{\left\lfloor \frac{p}{q} \cdot \begin{bmatrix} A \\ b^T \end{bmatrix} \cdot r \right\rceil}_{MLWR} + \frac{p}{t} \cdot \begin{bmatrix} 0 \\ \mu \end{bmatrix} \quad (3)
$$

is obtained, where $t \mid p \mid q$. As long as the hardness of MLWR is satisfied, the distribution of $c$ is computationally indistinguishable from a uniformly random sample in $R_p^{k+1}$, since the added $\frac{p}{t} \cdot \begin{bmatrix} 0 \\ \mu \end{bmatrix}$ is

After showing the anonymity and fuzziness of SMAUG-T.KEM, the proposed OCAKE-based SMAUG-T.PAKE scheme is detailed in Fig. 1. In the constructed PAKE, four sub-processes are performed on the client and server sides. In these processes, the SMAUG-T.KEM procedures given in Table 3, symmetric encryption and decryption, and two different hash functions are used to obtain password-authenticated key sharing with explicit authentication. Note that in the implementation, two symmetric encryption techniques, AES and Ascon, are used to capture the best efficiency. The step-by-step explanation of the proposed PAKE can be summarized as follows.

• Process $\mathbf{C}_0$: The public key and secret key are determined by using SMAUG-T.KEM key generation, defined in Table 3. The concatenation s-sid∥$pw_{\mathbf{C}}$ and the pk components are provided as the actual inputs of the symmetric encryption. Finally, the password-encrypted pk is sent to the server.
• Process $\mathbf{S}_0$: Firstly, the server decrypts the received value to obtain the actual $pk'$ by using s-sid and $pw_{\mathbf{C}}$. Then, the recovered $pk'$ is used to obtain the ciphertext $ct$ and the encapsulated key $K$ with the help of SMAUG-T's encapsulation procedure. Ultimately, the server generates a key $\bar{K}$ as an authentication tag and sends the pair $(ct, \bar{K})$ to the client.
• Process $\mathbf{C}_1$: As soon as the client receives the parameters from the server, it generates the key $K'$ by recovering the ciphertext with SMAUG-T's decapsulation procedure. Then, it generates the authentication check component $\bar{K}' = H_1(\text{s-sid} \| \mathbf{C} \| \mathbf{S} \| pw_{\mathbf{C}} \| pk' \| ct \| K')$. Finally, the client computes its shared key from {s-sid, $\mathbf{C}$, $\mathbf{S}$, $pk'$, $ct$, $\bar{K}'$, $K'$} if $\bar{K}' == \bar{K}$ holds.
• Process $\mathbf{S}_1$: The server generates its shared key by using {s-sid, $\mathbf{C}$, $\mathbf{S}$, $pk'$, $ct$, $\bar{K}$, $K$}.

The most fundamental components that affect the correctness of the proposed scheme are $\{K', K\}$ such that $K' = K$. As seen in Fig. 1, these components are generated by using SMAUG-T's encapsulation and decapsulation procedures, recalled in Table 3. In [11], the decryption failure probability of SMAUG-T.KEM is defined as $\delta = \Pr[\| r^T \cdot e + s^T e_1 + e_2 \|_\infty < \tfrac{q}{2t}]$. The analysis showed that if the parameter set is selected by considering this condition, SMAUG-T.KEM and SMAUG-T.PAKE run correctly except with probability less than $\delta$.

4. Security analysis

In constructing SMAUG-T.PAKE, the explicitly authenticated generic OCAKE model is integrated into the SMAUG-T.KEM algorithm to generate an efficient password-authenticated version. The OCAKE structure assumes the adversary can obtain the party's password before the execution. So, the simulator is aware of which party is broken or corrupted. Semantic security is ensured in the UC model with static corruptions if the underlying KEM provides fuzziness, indistinguishability, and anonymity.

The security of the SMAUG-T.PAKE model is analyzed under the password-authentication-based ideal functionality assumptions defined in Algorithm 1, by making adaptations to the MLWE+MLWR assumptions. The advantage of an adversary against OCAKE-based SMAUG-T.PAKE is analyzed in Theorem 1.
𝜇
𝑘+1 Theorem 1. Let (Enc, Dec) and (𝐻1 , 𝐻2 ) be ideal ciphers and random
also a random vector in 𝑝 . □
oracle pairs, respectively. Let 𝑚𝐸 and 𝑚𝐷 be the maximum query numbers
(iii) Like anonymity, we also show that SMAUG-T.KEM provides fuzzi- for encryption (Enc) and decryption (Dec) oracles and 𝑚𝑆 as the number
ness in 𝑘𝑞 : of sessions. The semantic security of the proposed SMAUG-T.PAKE in the
UC model is specified by Eq. (5), based on the fuzziness, anonymity, and
fuz
AdvSMAUG-T (𝐀) ≤ AdvMLWE
𝑛,𝑞,𝑘,𝑘,𝜂,𝑠 (𝑡)
(4) indistinguishability properties of underlying KEM.
Proof. As stated in Table 3, the public key of SMAUG-T.KEM is AdvSMAUG-T.KEM
SMAUG-T.PAKE
(𝐀) ≤ AdvSMAUG-T.KEM
fuzz
(𝑡) ⋅ (𝑚𝐷 + 𝑚𝑆 )+
generated with SMAUG-T.PKE.KeyGen algorithm. Since pk = (𝑝, 𝑏), AdvSMAUG-T.KEM (𝑡) ⋅ 𝑚𝐷 +
ano
where 𝑏 = 𝐴𝑇 𝑠 + 𝑒 mod 𝑞 and (𝑝, 𝜏) ←XOF(seed) is generated by
AdvSMAUG-T.KEM (𝑡) ⋅ (𝑚𝑆 + 𝑚𝐷 + 1)+ (5)
following MLWE assumption, the distribution of pk is computation- ind
ally indistinguishable from uniformly random sample in {0, 1}256 × (𝑚𝐻1 + 𝑚𝐻2 ) ⋅ 𝑚𝑆 ⋅ 2𝑛 +
𝑘𝑞 . □ 𝑚2𝐸 ⋅ 2𝜅 + 𝑚𝐻1 ⋅ 2𝑛
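The ciphertext form of Eq. (3) and the decryption-failure condition on $\|r^T e + s^T e_1 + e_2\|_\infty$ can be checked numerically. The following Python block is an added example, not code from the paper or from the SMAUG-T reference implementation. Its simplifications are assumptions: the ring dimension $n$ is collapsed to 1 so that module elements are plain integer vectors of length $k$; $q = 1024$, $p = 256$ and $k = 2$ are taken from the SMAUG-T.PAKE 128-bit column of Table 4; $t = 2$ is assumed since the page does not list it; secrets and errors are drawn from a constructed small range rather than the real SMAUG-T distributions. The block encrypts with the rounding form of Eq. (3), decrypts, and reports the noise term in $\mathbb{Z}_q$ units against the threshold $q/(2t)$, including one constructed oversized-$r$ case where the threshold is crossed and the message bit flips, which is the event whose probability $\delta$ bounds.

```python
"""Numerical check of the Eq. (3) ciphertext form and of the decryption-failure
noise term r^T e + s^T e1 + e2 against the threshold q/(2t).

Added example; not code from the paper or the SMAUG-T reference implementation.
Assumptions: ring dimension n collapsed to 1 (module elements are integer
vectors of length k); q = 1024, p = 256, k = 2 from the SMAUG-T.PAKE 128-bit
column of Table 4; t = 2 is assumed; secrets and errors use a constructed small
range, not the real SMAUG-T distributions."""
from fractions import Fraction
import random

Q, P, T, K = 1024, 256, 2, 2   # t | p | q, as required in Lemma 1
ETA = 2                        # constructed bound on secret/error coefficients
THRESHOLD = Fraction(Q, 2 * T) # correct decryption needs |noise| < q/(2t)


def round_scale(x, num, den):
    """round((num/den) * x) for integer x, half rounded up: the ⌊·⌉ of Eq. (3)."""
    return (2 * num * x + den) // (2 * den)


def small_vec(rng):
    return [rng.randint(-ETA, ETA) for _ in range(K)]


def make_pk(A, s, e):
    """b = A^T s + e mod q, the MLWE sample used in the proof of Lemma 1(iii)."""
    return [(sum(A[i][j] * s[i] for i in range(K)) + e[j]) % Q for j in range(K)]


def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(K)] for _ in range(K)]
    s, e = small_vec(rng), small_vec(rng)
    return (A, make_pk(A, s, e)), (s, e)


def encrypt(pk, mu, r):
    """Eq. (3): c1 = ⌊(p/q) A r⌉ and c2 = ⌊(p/q) b^T r⌉ + (p/t) mu, both mod p."""
    A, b = pk
    c1 = [round_scale(sum(A[i][j] * r[j] for j in range(K)), P, Q) % P
          for i in range(K)]
    c2 = (round_scale(sum(b[j] * r[j] for j in range(K)), P, Q) + (P // T) * mu) % P
    return c1, c2


def decrypt(sk, ct):
    """mu' = ⌊(t/p) (c2 - s^T c1)⌉ mod t."""
    s, _ = sk
    c1, c2 = ct
    v = (c2 - sum(s[i] * c1[i] for i in range(K))) % P
    return round_scale(v, T, P) % T


def noise_term(pk, sk, r):
    """r^T e + s^T e1 + e2 in Z_q units: e1, e2 are the rounding errors of ⌊·⌉ in
    Eq. (3) scaled back from Z_p by q/p; with this toy's sign convention the
    decryption equation contains -s^T e1, so the sum below uses that sign."""
    A, b = pk
    s, e = sk
    Ar = [sum(A[i][j] * r[j] for j in range(K)) for i in range(K)]
    br = sum(b[j] * r[j] for j in range(K))
    e1 = [Fraction(round_scale(x, P, Q) * Q, P) - x for x in Ar]
    e2 = Fraction(round_scale(br, P, Q) * Q, P) - br
    return sum(r[j] * e[j] for j in range(K)) + e2 - sum(s[i] * e1[i] for i in range(K))


def correctness_demo(seed=7, trials=200):
    """Honest small inputs: returns (all decrypted correctly, max |noise|, threshold)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    worst, all_correct = Fraction(0), True
    for _ in range(trials):
        mu, r = rng.randrange(T), small_vec(rng)
        all_correct &= decrypt(sk, encrypt(pk, mu, r)) == mu
        worst = max(worst, abs(noise_term(pk, sk, r)))
    return all_correct, worst, THRESHOLD


def failure_demo():
    """Constructed failure: an oversized r drives r^T e past q/(2t) and the
    message bit flips. This is the event whose probability delta bounds."""
    A = [[5, 17], [101, 999]]           # constructed matrix; any values mod q do
    s, e = [1, 0], [1, 0]
    pk, sk = (A, make_pk(A, s, e)), (s, e)
    r = [300, 0]                        # deliberately outside the small range
    decrypted_ok = decrypt(sk, encrypt(pk, 1, r)) == 1
    return decrypted_ok, noise_term(pk, sk, r)
```

With the honest small inputs the noise never exceeds 18 in this toy, far below the threshold of 256, so `correctness_demo()` reports every trial correct; `failure_demo()` returns a noise of exactly 300 and a flipped message bit, which is why the parameter selection in Table 4 has to keep $\Pr[\|r^T e + s^T e_1 + e_2\|_\infty \ge q/(2t)]$ negligible.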
Fig. 1. Proposed OCAKE-based SMAUG-T.PAKE scheme.
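The flow of Processes $\mathbf{C}_0$, $\mathbf{S}_0$, $\mathbf{C}_1$ and $\mathbf{S}_1$ above, written as a runnable added example; this is not code from the paper or from [41]. All stand-ins are assumptions, not from the page: a toy Diffie-Hellman KEM over a 61-bit prime replaces SMAUG-T.KEM, the ideal cipher Enc/Dec keyed by s-sid∥$pw_\mathbf{C}$ is replaced by XOR with a SHAKE-256 keystream, $H_1$ and $H_2$ are SHA-256 with domain-separation tags, the input order of $H_2$ follows the sets listed for Processes $\mathbf{C}_1$ and $\mathbf{S}_1$, and the client evaluates $H_1$ and $H_2$ on its own $pk$, which equals the server's $pk'$ exactly when both passwords agree. The point it shows is the explicit authentication check of Process $\mathbf{C}_1$: with the same password the two sides derive the same session key; with a mismatch the client's $\bar{K}'$ comparison fails and it aborts, while the server, which receives no confirmation in this one-round flow, still outputs a key.

```python
"""The OCAKE-style flow of Processes C0, S0, C1 and S1 as runnable code.

Added example, not code from the paper or from [41]. Assumed stand-ins
(none are from the page): a toy Diffie-Hellman KEM over a 61-bit prime replaces
SMAUG-T.KEM; the ideal cipher Enc/Dec keyed by s-sid||pw_C is replaced by XOR
with a SHAKE-256 keystream; H1 and H2 are SHA-256 with domain-separation tags;
the client evaluates H1 and H2 on its own pk, which equals the server's pk'
exactly when the two passwords agree."""
import hashlib
import hmac
import secrets

P_MOD = (1 << 61) - 1   # toy group modulus; far too small for real use
G = 2
PK_LEN = 8              # bytes used to encode a group element


def H(tag, *parts):
    """Length-prefixed SHA-256; tag selects H1, H2 or the KEM key derivation."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def kem_keygen():
    sk = secrets.randbelow(P_MOD - 2) + 1
    return pow(G, sk, P_MOD).to_bytes(PK_LEN, "big"), sk


def kem_encap(pk):
    """(ct, K) <- Encap(pk). Any 8-byte string is accepted as pk, so a pk'
    recovered under a wrong password still encapsulates; the fuzziness and
    anonymity properties of Lemma 1 are what make this safe for the real KEM."""
    y = secrets.randbelow(P_MOD - 2) + 1
    ct = pow(G, y, P_MOD).to_bytes(PK_LEN, "big")
    shared = pow(int.from_bytes(pk, "big") % P_MOD, y, P_MOD)
    return ct, H(b"kem", shared.to_bytes(PK_LEN, "big"))


def kem_decap(sk, ct):
    shared = pow(int.from_bytes(ct, "big"), sk, P_MOD)
    return H(b"kem", shared.to_bytes(PK_LEN, "big"))


def ic(key, data):
    """Stand-in for Enc/Dec keyed by s-sid||pw_C: XOR with a derived keystream,
    so Enc and Dec coincide. A wrong key yields a random-looking pk'."""
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def process_c0(ssid, pw):
    """Client: generate (pk, sk) and send pk-bar = Enc(s-sid||pw_C, pk)."""
    pk, sk = kem_keygen()
    return {"pk": pk, "sk": sk}, ic(ssid + pw, pk)


def process_s0_s1(ssid, pw, C, S, pk_bar):
    """Server: pk' = Dec(...), (ct, K) <- Encap(pk'), K-bar = H1(...), ssk_S = H2(...)."""
    pk_prime = ic(ssid + pw, pk_bar)
    ct, K = kem_encap(pk_prime)
    K_bar = H(b"H1", ssid, C, S, pw, pk_prime, ct, K)
    ssk_S = H(b"H2", ssid, C, S, pk_prime, ct, K_bar, K)
    return ssk_S, (ct, K_bar)


def process_c1(ssid, pw, C, S, state, ct, K_bar):
    """Client: K' = Decap(sk, ct); abort unless K-bar' == K-bar; else ssk_C."""
    K_prime = kem_decap(state["sk"], ct)
    K_bar_prime = H(b"H1", ssid, C, S, pw, state["pk"], ct, K_prime)
    if not hmac.compare_digest(K_bar_prime, K_bar):
        return None
    return H(b"H2", ssid, C, S, state["pk"], ct, K_bar_prime, K_prime)


def run_session(pw_client, pw_server, ssid=b"s-sid-0001", C=b"C", S=b"S"):
    """One protocol run; returns (ssk_C or None on abort, ssk_S)."""
    state, pk_bar = process_c0(ssid, pw_client)
    ssk_S, (ct, K_bar) = process_s0_s1(ssid, pw_server, C, S, pk_bar)
    ssk_C = process_c1(ssid, pw_client, C, S, state, ct, K_bar)
    return ssk_C, ssk_S
```

`run_session(pw, pw)` returns two equal 32-byte keys, and `run_session(pw, other)` returns `None` for the client, since a wrong $pk'$ changes both the encapsulated key and the $H_1$ input. The constant-time comparison in `process_c1` is the place where the explicit authentication of the OCAKE model happens; everything the server sends before it is accepted as-is, exactly as in the description above.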
Proof. For the proof sketch, the simulated game sequence $\mathrm{Game}_i$ is defined, where $i \in \{0, \dots, 8\}$. The game series starts with the real game $\mathrm{Game}_0$ and ends with the ideal game $\mathrm{Game}_8$, which uses only the ideal functionality defined in Algorithm 1.

• $\mathrm{Game}_0$: $\mathrm{Game}_0$, which defines the real-world protocol, is identified by considering an indistinguishable, anonymous, and fuzzy KEM under the random oracle, erasure, ideal cipher, and static corruption assumptions.

• $\mathrm{Game}_1$: The ideal cipher and the two random oracle simulations are modeled in this game. Let $\Pr[\mathrm{Game}_1]$ be the probability that the environment outputs 1 in the simulated $\mathrm{Game}_1$. Under the assumptions of random oracles $H_1$ and $H_2$ and ideal cipher Enc given in Algorithm 1, the environment can differentiate the real protocol execution from $\mathrm{Game}_1$ only when the simulator $\mathcal{S}$ aborts. The probability of the environment in $\mathrm{Game}_1$ is given in Eq. (6).

$$|\Pr[\mathrm{Game}_1] - \Pr[\mathrm{Game}_0]| \le m_E^2 \cdot 2^{-\kappa-1} + m_{H_1}^2 \cdot 2^{-n-1} \quad (6)$$

• $\mathrm{Game}_2$: Random secret keys are embedded during the simulation of the decryption oracle Dec. So, the probability of the environment in $\mathrm{Game}_2$ is associated with the fuzziness property of the underlying KEM, proved in Lemma 1, since the difference between a real and a random public key is defined by this property; it is given in Eq. (7).

$$|\Pr[\mathrm{Game}_2] - \Pr[\mathrm{Game}_1]| \le \mathrm{Adv}^{\mathrm{fuzz}}_{\text{SMAUG-T.KEM}}(t) \cdot m_D \quad (7)$$

• $\mathrm{Game}_3$: In $\mathrm{Game}_3$, the adversary's capacity to guess $\bar{K}$ without asking the correct query to $H_1$ is modeled. If this case happens, $\mathcal{S}$ aborts. So, the probability of the environment in $\mathrm{Game}_3$ is defined by Eq. (8).

$$|\Pr[\mathrm{Game}_3] - \Pr[\mathrm{Game}_2]| \le m_S \cdot 2^{-n} \quad (8)$$

• $\mathrm{Game}_4$: In $\mathrm{Game}_4$, the client's initialization is simulated by utilizing Dec rather than Enc. In the simulation, $\mathcal{S}$ selects a random $\overline{pk} \leftarrow_r \{0,1\}^{|E|}$, requests $pk = \mathrm{Dec}(\text{s-sid} \| pw_\mathbf{C}, \overline{pk})$, and forwards $\overline{pk}$ to the server. These changes do not reveal any difference from $\mathrm{Game}_3$, so the probability of the environment in $\mathrm{Game}_4$ is defined by Eq. (9).

$$|\Pr[\mathrm{Game}_4] - \Pr[\mathrm{Game}_3]| = 0 \quad (9)$$

• $\mathrm{Game}_5$: In $\mathrm{Game}_5$, the server's answer $(ct, \bar{K})$ is simulated. In the simulation, $\mathcal{S}$ simulates the answer of the honest server when it gets $\overline{pk}$. Since $\overline{pk}$ can come either from an honest client or from an adversary who corrupts the client, the behavior of $\mathcal{S}$ is determined accordingly. Since no difference from the previous game can be achieved in either scenario, the probability of the environment in $\mathrm{Game}_5$ is defined by Eq. (10).

$$|\Pr[\mathrm{Game}_5] - \Pr[\mathrm{Game}_4]| = 0 \quad (10)$$

• $\mathrm{Game}_6$: In $\mathrm{Game}_6$, the client's second reaction is simulated. In the simulation, $\mathcal{S}$ simulates the answer of the honest client when it gets $(ct, \bar{K})$. Since these components can come either from an honest server or from an adversary who corrupts the server, the behavior of $\mathcal{S}$ is determined accordingly. In the first case, there is no difference from $\mathrm{Game}_5$ since the honest version is evaluated. In the second scenario, the abort occurs due to $\bar{K}' \ne \bar{K}$. So, there is no difference from $\mathrm{Game}_5$, and the probability of the environment in $\mathrm{Game}_6$ is presented in Eq. (11).

$$|\Pr[\mathrm{Game}_6] - \Pr[\mathrm{Game}_5]| = 0 \quad (11)$$

• $\mathrm{Game}_7$: In $\mathrm{Game}_7$, the ciphertext ($ct$), the authentication tag components ($\bar{K}, \bar{K}'$), and the shared keys ($\{\text{ssk}_\mathbf{C}, \text{ssk}_\mathbf{S}\}$) are replaced with random values. Three situations arise.

– Randomization of $ct$: By the indistinguishability of SMAUG-T.KEM, the bound on the server's computations is $\mathrm{Adv}^{\mathrm{ind}}_{\text{SMAUG-T.KEM}}(t) \cdot m_D$, since $pk'$ is obtained from the decryption oracle Dec. On the client's side, the indistinguishability of SMAUG-T.KEM gives the bound without any other components, due to the randomization of $K'$. So, the bound is $\mathrm{Adv}^{\mathrm{ind}}_{\text{SMAUG-T.KEM}}(t)$.

– Randomization of the authentication checks: The environment with random components can fail the game in two ways. Server's side: $ct$ is selected randomly from the ciphertext distribution instead of the $(ct, K) \leftarrow \text{SMAUG-T.KEM.EnCap}(pk')$ computation. Since this case is also associated with anonymity, $\mathbf{A}$ can distinguish this simulation by querying the decryption oracle Dec $m_D$ times to break anonymity. So, the bound is $\mathrm{Adv}^{\mathrm{ano}}_{\text{SMAUG-T.KEM}}(t) \cdot m_D$. Client's side: Since the simulator can try to query $H_1$ and $K$ was truly random in the previous game, $m_{H_1} \cdot m_S \cdot 2^{-n}$ is obtained.

– Randomization of the shared keys ($\text{ssk}_\mathbf{C}, \text{ssk}_\mathbf{S} \leftarrow_r \{0,1\}^\kappa$): The only way the environment can detect the difference is through $H_2$ oracle calls. Since $K$ is truly random in the previous game and there are at most $m_S$ changes, $m_{H_2} \cdot m_S \cdot 2^{-n}$ is obtained.
Finally, the probability of the environment in $\mathrm{Game}_7$ is defined by Eq. (12).

$$|\Pr[\mathrm{Game}_7] - \Pr[\mathrm{Game}_6]| \le \mathrm{Adv}^{\mathrm{ind}}_{\text{SMAUG-T.KEM}}(t) \cdot (m_D + 1) + \mathrm{Adv}^{\mathrm{ano}}_{\text{SMAUG-T.KEM}}(t) \cdot m_D + (m_{H_1} + m_{H_2}) \cdot m_S \cdot 2^{-n} \quad (12)$$

• $\mathrm{Game}_8$: In $\mathrm{Game}_8$, the ideal world is modeled by adding the ideal functionality assumptions. According to Algorithm 1, there are two possible fresh session cases.

– If the honest parties use the same password, stt = success allows the same session keys to be obtained.

– When the honest parties do not use the same password, the ideal functionality aborts. A random session key is returned due to the stt = fail situation.

Finally, the total bound of the environment is given in Eq. (13).

$$\begin{aligned}
|\Pr[\mathrm{Game}_8] - \Pr[\mathrm{Game}_0]| =\;& |\Pr[\mathrm{Game}_8] - \Pr[\mathrm{Game}_7]| + |\Pr[\mathrm{Game}_7] - \Pr[\mathrm{Game}_6]| + |\Pr[\mathrm{Game}_6] - \Pr[\mathrm{Game}_5]| \\
&+ |\Pr[\mathrm{Game}_5] - \Pr[\mathrm{Game}_4]| + |\Pr[\mathrm{Game}_4] - \Pr[\mathrm{Game}_3]| + |\Pr[\mathrm{Game}_3] - \Pr[\mathrm{Game}_2]| \\
&+ |\Pr[\mathrm{Game}_2] - \Pr[\mathrm{Game}_1]| + |\Pr[\mathrm{Game}_1] - \Pr[\mathrm{Game}_0]| \\
\le\;& \mathrm{Adv}^{\mathrm{fuzz}}_{\text{SMAUG-T.KEM}}(t) \cdot (m_D + m_S) + \mathrm{Adv}^{\mathrm{ano}}_{\text{SMAUG-T.KEM}}(t) \cdot m_D \\
&+ \mathrm{Adv}^{\mathrm{ind}}_{\text{SMAUG-T.KEM}}(t) \cdot (m_S + m_D + 1) + (m_{H_1} + m_{H_2}) \cdot m_S \cdot 2^{-n} \\
&+ m_E^2 \cdot 2^{-\kappa} + m_{H_1} \cdot 2^{-n}
\end{aligned} \quad (13)$$

□

5. Implementation details and discussion

In this section, performance comparison results are presented with reference and mobile implementations to show the effectiveness of the proposed PAKE.

5.1. Performance analysis of the proposed PAKE

For the performance analysis of the constructed generic PAKE, we optionally adapted Ascon or AES as the external encryption to check the different performance options. By using the reference C code of SMAUG-T.KEM and adding the explicit generic PAKE components, the implementation of SMAUG-T.PAKE is written in C and can be found in [41]. Performance results are obtained on a computer with 32 GB RAM and a hexa-core (6 Core) AMD Ryzen 5 5500 processor running at 3.60 GHz. Processor cycles (median and average) and runtime results are determined by averaging 10,000 runs. For three different security levels, performance results are obtained according to the parameter set in Table 4. The reference SMAUG-T.PAKE implementation results for the two different encryption methods are presented in Table 5.

Table 5 shows that, as expected, the lightweight Ascon presents better results for all three security levels when used as the encryption method. Therefore, it is recommended that SMAUG-T.PAKE in Ascon mode can be suitable for resource-constrained devices, while in other applications both AES and Ascon can be used.

We also analyzed how much the KEM selected in the PAKE design model affects the performance. We integrated Kyber instead of the SMAUG-T functions used in the reference SMAUG-T.PAKE and present the comparative results in Table 6. The codes are written in C and given in [41].

Table 6 implies that in both encryption modes, the SMAUG-T.PAKE scheme gives better results in terms of CPU cycles and runtime than the generic Kyber.PAKE scheme, since SMAUG-T.PAKE benefits from the efficient algebraic structure of SMAUG-T.KEM.

We also compared the performance of the proposed PAKE with the lattice-based PAKE protocols in the literature whose code is accessible. In order for the comparison to be meaningful, one-stage PAKE protocols based on the same hard lattice problem were chosen. Since the main security of SMAUG-T.PAKE is based on the MLWE+MLWR problems, the MLWR-based Saber.PAK.PAKE [25], the MLWE-based MLWE.PAK.PAKE [23], and the MLWE-based Kyber.PAK.PAKE [30] are selected to determine the efficiency of the PAKE construction models. The performance results of these schemes are obtained by using the provided C codes [23,25,30] and run on the same computer. The performances of the selected module-based PAKEs with lattice assumptions are evaluated in terms of running times and consumed CPU cycles and are given in Table 7.

Table 7 shows that the proposed SMAUG-T.PAKE gives the best results among the module-based schemes, even though it has additional ideal cipher usage and KEM components. The reason for this is the KEM selection, which consists of efficient arithmetic operations, and the generic model in the PAKE design.

5.2. Case scenario: Reference implementation on mobile environment

The efficient implementation of SMAUG-T.PAKE shows that it can be one of the best options for providing post-quantum secure PAKE for mobile environments. To analyze mobile compatibility, Java code for SMAUG-T.PAKE is also generated [41]. A computer with 32 GB RAM and a hexa-core AMD Ryzen 5 5500 processor running at 3.60 GHz is used as the server, while a Samsung Galaxy A51 (8 cores) with a 4x 1.7 GHz ARM Cortex-A53 co-processor and a 4x 2.3 GHz ARM Cortex-A73 main processor is used as the mobile device. The mobile performance results are obtained in terms of running time, memory and CPU usage and presented in Table 8.

To compare the efficiency of these mobile-based one-round PAKE schemes, [30] is also examined under the same operating conditions, and the results are presented in Table 9 and visualized in Fig. 2. In Fig. 2, mobile device performance metrics such as CPU usage, energy consumption and memory usage are analyzed using the integrated Android Profiler in Android Studio. Each scheme is run in real time on a mobile device, and the collected performance data is visually recorded. These recordings are obtained through the graphical interface provided by Android Profiler, capturing the execution of each stage over a specified time interval.

Table 9 and Fig. 2 show that for the mobile environment, the AES version of SMAUG-T.PAKE has the best performance. In the other application results, the Ascon module comes to the fore in performance. This result is explained by the fact that AES consists of mobile-optimized generic code in the Java library. Ascon's Java code was not optimized for mobile, resulting in lower performance. As a result, the recommended SMAUG-T.PAKE is the PAKE that provides the most efficient application results for the mobile world.

5.3. Discussion

The main focus of this paper is the design of a new PQC PAKE protocol using a combination of different cryptographic principles, such as KEM and encryption/decryption primitives. It aims to evaluate the post-quantum security and efficiency effects of different primitives in the post-quantum secure PAKE design. Contributions are made to the design of the post-quantum secure PAKE protocol, theoretical security analysis, and practical performance results. In order to make a fair
Table 4
Parameter set. Each cell lists the values for the three security levels of the scheme; x = not used.

Parameter | Saber.PAK.PAKE [25] | MLWE.PAK.PAKE [23] | Kyber.PAK.PAKE [30] | SMAUG-T.PAKE
Security level | 128 / 192 / 256 | 116 / 177 / 239 | 128 / 192 / 256 | 128 / 192 / 256
Module dimension k | 2 / 3 / 4 | 2 / 3 / 4 | 2 / 3 / 4 | 2 / 3 / 5
Lattice dimension n | 256 / 256 / 256 | 256 / 256 / 256 | 256 / 256 / 256 | 256 / 256 / 256
Modulus q | 8192 / 8192 / 8192 | 7681 / 7681 / 7681 | 3329 / 3329 / 3329 | 1024 / 2048 / 2048
Modulus p | 1024 / 1024 / 1024 | x / x / x | x / x / x | 256 / 256 / 256
Distribution parameter η | 10 / 8 / 6 | 13 / 8 / 6 | x / x / x | x / x / x
Distribution parameter η1 | x / x / x | x / x / x | 3 / 2 / 2 | x / x / x
Distribution parameter η2 | x / x / x | x / x / x | 2 / 2 / 2 | x / x / x
Failure rate δ | 2^-120 / 2^-136 / 2^-165 | 2^-53.4 / 2^-97.4 / 2^-131.6 | 2^-131 / 2^-164 / 2^-174 | 2^-120 / 2^-136 / 2^-167
Table 5
Performance results of SMAUG-T.PAKE. Each cell is M / A / ET (M: median CPU cycles, A: average CPU cycles, ET: elapsed time).

Phase | 128 ASCON | 128 AES | 192 ASCON | 192 AES | 256 ASCON | 256 AES
C0 | 67571 / 68345 / 17981 | 95975 / 97996 / 26083 | 115703 / 110159 / 31360 | 164879 / 168750 / 45128 | 207971 / 209150 / 58048 | 283031 / 284934 / 78111
S0 | 70991 / 71489 / 18857 | 117359 / 117824 / 31730 | 110159 / 110602 / 29717 | 199223 / 200136 / 52988 | 218879 / 220093 / 61119 | 350675 / 352776 / 96950
C1 | 91367 / 91825 / 24507 | 90683 / 90859 / 24234 | 141299 / 142489 / 38547 | 141263 / 141123 / 44128 | 259739 / 261757 / 72709 | 259523 / 261267 / 71542
S1 | 12491 / 12794 / 2554 | 12491 / 12484 / 2468 | 17891 / 18004 / 3996 | 17891 / 17917 / 3977 | 26927 / 27118 / 7533 | 26891 / 27048 / 6509
Total C | 158938 / 160170 / 42488 | 186658 / 188855 / 50317 | 257002 / 252648 / 69907 | 306142 / 309873 / 89256 | 467710 / 470907 / 130757 | 542554 / 546201 / 149653
Total S | 83482 / 84283 / 21411 | 129850 / 130308 / 34198 | 128050 / 128606 / 33713 | 217114 / 218053 / 56965 | 245806 / 247211 / 68652 | 377566 / 379824 / 103459
Total | 242420 / 244453 / 63899 | 316508 / 319163 / 84515 | 385052 / 381254 / 103620 | 523256 / 527926 / 146221 | 713516 / 718118 / 199409 | 920120 / 926025 / 253112
Table 6
Generic Kyber.PAKE vs. proposed generic SMAUG-T.PAKE. Each cell is M / A / ET (M: median CPU cycles, A: average CPU cycles, ET: elapsed time).

Scheme | Metric | 128 ASCON | 128 AES | 192 ASCON | 192 AES | 256 ASCON | 256 AES
Generic Kyber.PAKE | Total C | 299374 / 300007 / 83336 | 299590 / 300541 / 83484 | 460618 / 466529 / 129592 | 466314 / 467893 / 129961 | 669562 / 670785 / 186329 | 673522 / 675909 / 187752
Generic Kyber.PAKE | Total S | 180610 / 180929 / 50259 | 189682 / 190498 / 52916 | 268846 / 272226 / 75619 | 285370 / 286199 / 79500 | 384874 / 385520 / 107089 | 405214 / 406273 / 112854
Generic Kyber.PAKE | Total | 479984 / 480936 / 133595 | 489272 / 491039 / 136400 | 729464 / 738755 / 205211 | 751684 / 754092 / 209461 | 1054436 / 1056305 / 293418 | 1078736 / 1082182 / 300606
SMAUG-T.PAKE | Total C | 158938 / 160170 / 42488 | 186658 / 188855 / 50317 | 257002 / 252648 / 69907 | 306142 / 309873 / 89256 | 467710 / 470907 / 130757 | 542554 / 546201 / 149653
SMAUG-T.PAKE | Total S | 83482 / 84283 / 21411 | 129850 / 130308 / 34198 | 128050 / 128606 / 33713 | 217114 / 218053 / 56965 | 245806 / 247211 / 68652 | 377566 / 379824 / 103459
SMAUG-T.PAKE | Total | 242420 / 244453 / 63899 | 316508 / 319163 / 84515 | 385052 / 381254 / 103620 | 523256 / 527926 / 146221 | 713516 / 718118 / 199409 | 920120 / 926025 / 253112
Table 7
A performance comparison for module-based PAKE schemes. Each cell is C / S / Total (M: median CPU cycles, A: average CPU cycles, ET: elapsed time).

Level | Metric | Saber.PAK.PAKE [25] | MLWE.PAK.PAKE [23] | Kyber.PAK.PAKE [30] | Generic Kyber.PAKE (AES) | Generic Kyber.PAKE (ASCON) | SMAUG-T.PAKE (AES) | SMAUG-T.PAKE (ASCON)
128 | M | 186226 / 116314 / 302540 | 207784 / 217561 / 425345 | 314566 / 172690 / 487256 | 299590 / 189682 / 489272 | 299374 / 180610 / 479984 | 186658 / 129850 / 316508 | 158938 / 83482 / 242420
128 | A | 188351 / 117389 / 305740 | 208697 / 218861 / 427558 | 315632 / 173564 / 489196 | 300541 / 190498 / 491039 | 300007 / 180929 / 480936 | 188855 / 130308 / 319163 | 160170 / 84283 / 244453
128 | ET | 52320 / 32559 / 84879 | 62549 / 61921 / 124470 | 87677 / 48213 / 135890 | 83484 / 52916 / 136400 | 83336 / 50259 / 133595 | 50317 / 34198 / 84515 | 42488 / 21411 / 63899
192 | M | 309652 / 184678 / 494330 | 319104 / 318672 / 637776 | 498994 / 271654 / 770648 | 466314 / 285370 / 751684 | 460618 / 268846 / 729464 | 306142 / 217114 / 523256 | 257002 / 128050 / 385052
192 | A | 310952 / 185318 / 496270 | 319321 / 318349 / 637670 | 504388 / 273281 / 777669 | 467893 / 286199 / 754092 | 466529 / 272226 / 738755 | 309873 / 218053 / 527926 | 252648 / 128606 / 381254
192 | ET | 86376 / 51478 / 137854 | 84230 / 84927 / 169157 | 140130 / 75912 / 216042 | 129961 / 79500 / 209461 | 129592 / 75619 / 205211 | 89256 / 56965 / 146221 | 69907 / 33713 / 103620
256 | M | 465478 / 267838 / 733316 | 449640 / 428235 / 877875 | 696490 / 373030 / 1069520 | 673522 / 405214 / 1078736 | 669562 / 384874 / 1054436 | 542554 / 377566 / 920120 | 467710 / 245806 / 713516
256 | A | 469478 / 270625 / 740103 | 445296 / 422208 / 867504 | 699656 / 374171 / 1073827 | 675909 / 406273 / 1082182 | 670785 / 385520 / 1056305 | 546201 / 379824 / 926025 | 470907 / 247211 / 718118
256 | ET | 130411 / 75174 / 205585 | 119605 / 117116 / 236721 | 194349 / 103937 / 298286 | 187752 / 112854 / 300606 | 186329 / 107089 / 293418 | 149653 / 103459 / 253112 | 130757 / 68652 / 199409
comparison, PAKE protocols defined on the same algebraic structure, the module, were selected even though they contain different design ideas. To highlight the performance differences, the properties of the selected module-based PAKEs are first presented in Table 10. The main characteristics of those schemes that reveal the differences in performance appear to be due to the design model, main security, reconciliation idea, and additional primitives such as ideal cipher and KEM usage.

As summarized in Table 10, the PAKE protocol designs incorporate different components and design ideas. This leads to different scenarios in both security analysis and performance evaluations. While it would be ideal to compare protocols using the same design idea and methodology, each protocol often differs from the others due to the targeted additional features. For example, the compromise structure, the hardness problem, and the additional principles used lead to different evaluations. In this paper, we contribute to the literature by defining security analysis in the UC model using hybrid hardness assumptions for KEM-to-PAKE design methods, and by evaluating performance in different encryption modes. We present in-depth security analysis evaluations by updating the defined methods under different security assumptions. We also evaluate usability and applicability by implementing the results in different modes on different platforms. We present theoretical and practical analyses on whether security and
Table 8
Mobile implementation results of SMAUG-T.PAKE.

Level | Metric | AES: C0 | AES: S0 | AES: C1 | AES: S1 | AES: Total C | AES: Total S | ASCON: C0 | ASCON: S0 | ASCON: C1 | ASCON: S1 | ASCON: Total C | ASCON: Total S
128 | ET | 640,772 | 611,31 | 491,996 | 76,133 | 1132,768 | 687,443 | 994,023 | 1032,032 | 527,931 | 82,921 | 1521,954 | 1114,953
128 | MU | 58,2 | 47,2 | 57,4 | 3,5 | 115,6 | 50,7 | 337,2 | 344,4 | 57,3 | 3,5 | 394,5 | 347,9
128 | CPU | 8% | 6% | 8% | 2% | 16% | 8% | 12% | 10% | 8% | 2% | 20% | 12%
192 | ET | 826,574 | 766,036 | 710,122 | 105,035 | 1536,696 | 871,071 | 1495,424 | 1426,737 | 732,831 | 107,363 | 2228,255 | 1534,1
192 | MU | 93,1 | 81,5 | 96,5 | 4,9 | 189,6 | 86,4 | 481,8 | 408,6 | 96,7 | 4,9 | 578,5 | 413,5
192 | CPU | 9% | 8% | 10% | 3% | 19% | 11% | 16% | 14% | 11% | 3% | 27% | 17%
256 | ET | 1111,587 | 1100,146 | 1115,541 | 146,240 | 2227,128 | 1246,386 | 2326,828 | 2363,742 | 1225,591 | 157,287 | 3552,419 | 2521,029
256 | MU | 185,1 | 174,5 | 198,3 | 7,2 | 383,4 | 181,7 | 840,1 | 690,1 | 198,5 | 7,2 | 1038,6 | 697,3
256 | CPU | 12% | 10% | 13% | 4% | 25% | 14% | 25% | 21% | 12% | 4% | 37% | 25%

ET: Elapsed time in microseconds; MU: Memory usage in kilobytes; CPU: CPU usage. Values use a decimal comma as in the original table. The source code is given in [41].
Table 9
A comparison of lattice-based PAKE schemes for the mobile environment (x: no external encryption).

Level | Metric | Kyber.PAK.PAKE [30] (x): Total C | Total S | Total | SMAUG-T.PAKE (AES): Total C | Total S | Total | SMAUG-T.PAKE (ASCON): Total C | Total S | Total
128 | ET | 1645,489 | 1249,074 | 2894,563 | 1088,904 | 680,411 | 1768,508 | 1448,841 | 1089,582 | 2538,423
128 | MU | 274,5 | 90,2 | 364,7 | 113,1 | 45,8 | 158,9 | 264,3 | 89,1 | 353,4
128 | CPU | 16% | 17% | 33% | 14% | 8% | 22% | 16% | 17% | 33%
192 | ET | 2015,363 | 1498,580 | 3513,943 | 1517,179 | 879,821 | 2397,000 | 2193,568 | 1591,124 | 3784,692
192 | MU | 361,6 | 135,3 | 496,9 | 186,1 | 84,4 | 270,5 | 359,1 | 134,4 | 493,5
192 | CPU | 22% | 19% | 41% | 17% | 10% | 27% | 22% | 19% | 41%
256 | ET | 2825,102 | 1965,160 | 4790,262 | 2234,221 | 1282,773 | 3516,994 | 2825,102 | 1965,16 | 4790,262
256 | MU | 477,1 | 173,8 | 650,9 | 377,9 | 178,6 | 556,5 | 477,1 | 173,8 | 650,9
256 | CPU | 25% | 23% | 48% | 22% | 12% | 35% | 25% | 23% | 48%
Table 10
The basic characteristics of module-based PAKEs.

Characteristic | Saber.PAK.PAKE [25] | MLWE.PAK.PAKE [23] | Kyber.PAK.PAKE [30] | Generic Kyber.PAKE+ | Proposed generic SMAUG-T.PAKE
Construction model | Traditional PAK PAKE [1] from well-structured KE | Traditional PAK PAKE [1] | Traditional PAK PAKE [1] from well-structured KEM | Generic PAKE from KEM with the usage of ideal cipher [12] | Generic PAKE from KEM with the usage of ideal cipher [12]
Password usage | Password is added as a component of the public key to provide authentication. | Password is added as a component of the public key to provide authentication. | Password is added as a component of the public key to provide authentication. | The password is used as a parameter to encrypt the public key and to generate the shared key component that helps authentication. | The password is used as a parameter to encrypt the public key and to generate the shared key component that helps authentication.
Main security | MLWR | MLWE | MLWE | MLWE | MLWE+MLWR
Reconciliation | bits | OKCN | Compress-Decompress | Compress-Decompress | Rounding function
Additional primitives | X | X | KEM | KEM, Ideal Cipher | KEM, Ideal Cipher
Ideal cipher | X | X | X | AES, ASCON | AES, ASCON
Additional requirements | X | X | X | Anonymity, fuzziness | Anonymity, fuzziness
Number of hash functions | 4 | 4 | 3 + 3* | 2 + 3* | 2 + 3*
Security model | ROM | ROM | ROM | UC | UC

*: The number of hash functions that were used as a component of the KEM. +: The implementation of generic Kyber PAKE is written in C to make a comparison. OKCN: Optimally-balanced key consensus with noise.
Fig. 2. Energy, CPU, and memory usage comparison diagrams for mobile compatible PAKEs.

performance objectives can be maintained while creating new cryptographic primitives from known efficient ones, with the design of the post-quantum secure PAKE protocol.

A comparison is made with protocols based on the hardness assumptions of the MLWE and MLWR problems defined on the module algebraic structure. The performance analyses for five different PAKE protocols, based on the PAK-PAKE [1] and KEM-to-PAKE [12] design ideas, are presented in Table 7. Note that the performance evaluations were conducted only with lattice-based PAKE protocols for which the source code is available, since the source code for the other KEM-to-PAKE frameworks [12,31–34] in the literature is not shared. For a fair evaluation, all results were obtained by running the code on the same platforms. The results show that, unlike [23,25,30], SMAUG-T.PAKE offers the best performance in the lightweight encryption mode, even though it includes additional encryption and hash functions.

To demonstrate the efficiency of the proposed model, we also examined the performance of the generic PAKE using Kyber.KEM instead of SMAUG-T.KEM. The results in Table 7 show that SMAUG-T is more efficient than Kyber even when converted to a PAKE. The security analysis presented in Section 4 demonstrates that post-quantum security is maintained under the KEM-to-PAKE transformation. The results presented in Table 9 also provide an analysis of the usability of lattice-based PAKE protocols on the mobile platform. These analyses show that the proposed PAKE can provide good performance in the standard algorithm mode even though it includes additional cryptographic primitives. While lightweight algorithms such as Ascon would normally be expected to give more efficient results, the more efficient results obtained with AES are attributed to AES's optimizations in the library functions used in the application.

This paper primarily presents evidence for the anonymity and fuzziness properties associated with the conversion of a cryptographic primitive designed as an efficient KEM for the post-quantum world into a PAKE. It then analyzes the post-quantum security with hybrid security definitions created in the UC model, where the PAKE transformation retains its post-quantum security. Subsequently, we present usability and applicability analyses, comparing application results with literature solutions on various platforms. In addition to the theoretical and practical focus, efficient hardware-based implementations can also be realized. For example, hardware-based analyses and implementations for efficient implementations of PQC KEM algorithms have been carried out in studies such as [10,42–45]. Therefore, investigating more efficient versions of the SMAUG-T.PAKE protocol using different architectures and PUF-like hardware-based solutions will be conducted as future work.

6. Conclusion

The design of post-quantum secure key-sharing schemes is one of the challenging issues in the literature. The simple structured authentication idea of PAKE schemes in real-world scenarios has also revealed the need to ensure the post-quantum security of PAKE protocols. Therefore, PAKE schemes, which stand out with their strong security and efficiency features, are one of the necessary primitives for the post-quantum security of resource-limited devices. In this paper, we construct an efficient PAKE adaptation from well-structured lattice-based KEM procedures and additional primitives. The constructed SMAUG-T.PAKE benefits from the underlying KEM's efficiency and the simple structured KEM-to-PAKE construction. It is the first MLWE+MLWR-based KEM-to-PAKE design that provides explicit password-based anonymous and fuzzy authentication. Unlike the lattice-based PAKE protocols in the literature, the security analysis is performed under hybrid assumptions. An MLWE+MLWR-based password-authenticated key ideal functionality under the UC model is constructed to analyze the security of the proposed PAKE. The detailed performance analysis against other module-based, KEM-based, and mobile-based PAKE schemes shows that the proposed PAKE provides the best results in terms of consumed CPU cycles and elapsed times, even though it contains additional encryption usage. To the best of our knowledge, the proposed SMAUG-T.PAKE is one of the best candidates for efficient password-based authentication for the post-quantum security of general-purpose and mobile usage.

CRediT authorship contribution statement

Kübra Seyhan: Writing – review & editing, Writing – original draft, Validation, Methodology, Investigation, Conceptualization. Sedat Akleylek: Writing – review & editing, Validation, Supervision, Project administration, Methodology. Ahmet Faruk Dursun: Writing – review & editing, Software.
Declaration of competing interest

The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Sedat Akleylek reports financial support was provided by Estonian Research Council. If there are other authors, they declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

The authors would like to express their gratitude to the anonymous reviewers for their invaluable suggestions in putting the present study into its final form. Sedat Akleylek was supported by the Estonian Research Council Grant PRG2531 and Estonian Ministry of Defence Grant 2-2/24/541-1.

Data availability

No data was used for the research described in the article.

References

[1] P. MacKenzie, The PAK suite: Protocols for password-authenticated key exchange, Contrib. to IEEE P1363 (2) (2002).
[2] F. Hao, P.C. van Oorschot, SoK: password-authenticated key exchange – theory, practice, standardization and real-world lessons, in: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, 2022, pp. 697–711, http://dx.doi.org/10.1145/3488932.3523256.
[3] J. Jiang, D. Wang, QPASE: Quantum-resistant password-authenticated searchable encryption for cloud storage, IEEE Trans. Inf. Forensics Secur. 19 (2024) 4231–4246.
[4] S.M. Bellovin, M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, 1992, http://dx.doi.org/10.7916/D8833ZSK.
[5] F. Hao, Prudent practices in security standardization, IEEE Commun. Stand. Mag. 5 (3) (2021) 40–47, http://dx.doi.org/10.1109/MCOMSTD.121.2100005.
[6] K. Seyhan, S. Akleylek, A comprehensive comparison of lattice-based password authenticated key exchange protocols defined on modules, in: International Conference on Information Technologies and their Applications, Springer, 2024, pp. 91–105, http://dx.doi.org/10.1007/978-3-031-73417-5_8.
[7] P.W. Shor, Algorithms for quantum computation: discrete logarithms and factoring, in: Proceedings 35th Annual Symposium on Foundations of Computer Science, IEEE, 1994, pp. 124–134, http://dx.doi.org/10.1109/SFCS.1994.365700.
[17] J. Zhang, Y. Yu, Two-round PAKE from approximate SPH and instantiations from lattices, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2017, pp. 37–67, http://dx.doi.org/10.1007/978-3-319-70700-6_2.
[18] Z. Zhao, S. Ma, P. Qin, Password authentication key exchange based on key consensus for IoT security, Clust. Comput. 26 (1) (2023) 1–12, http://dx.doi.org/10.1007/s10586-022-03665-5.
[19] L. Chen, T. Qu, A. Yin, Quantum-safe multi-server password-based authenticated key exchange protocol, Multimedia Tools Appl. 83 (24) (2024) 65011–65038, http://dx.doi.org/10.1007/s11042-023-17984-1.
[20] Z. Li, D. Wang, E. Morais, Quantum-safe round-optimal password authentication for mobile devices, IEEE Trans. Dependable Secur. Comput. 19 (3) (2020) 1885–1899, http://dx.doi.org/10.1109/TDSC.2020.3040776.
[21] A. Singh, H. Chandra, S. Rana, A robust lattice-based post-quantum three-party key exchange scheme for mobile devices, Concurr. Comput.: Pr. Exp. 37 (6–8) (2025) e70036, http://dx.doi.org/10.1002/cpe.70036.
[22] D. Mishra, K. Pursharthi, M. Singh, A. Mishra, Construction of post quantum secure authenticated key agreement protocol for dew-assisted IoT systems, Int. J. Inf. Secur. 24 (1) (2025) 1–9, http://dx.doi.org/10.1007/s10207-024-00932-x.
[23] P. Ren, X. Gu, Z. Wang, Efficient module learning with errors-based post-quantum password-authenticated key exchange, IET Inf. Secur. 17 (1) (2023) 3–17, http://dx.doi.org/10.1049/ise2.12094.
[24] R. Ding, C. Cheng, Y. Qin, Further analysis and improvements of a lattice-based anonymous PAKE scheme, IEEE Syst. J. 16 (3) (2022) 5035–5043, http://dx.doi.org/10.1109/JSYST.2022.3161264.
[25] K. Seyhan, S. Akleylek, A new password-authenticated module learning with rounding-based key exchange protocol: Saber.PAKE, J. Supercomput. 79 (16) (2023) 17859–17896, http://dx.doi.org/10.1007/s11227-023-05251-x.
[26] C. Liu, Z. Zheng, K. Jia, Q. You, Provably secure three-party password-based authenticated key exchange from RLWE, in: International Conference on Information Security Practice and Experience, Springer, 2019, pp. 56–72, http://dx.doi.org/10.1007/978-3-030-34339-2_4.
[27] V. Dabra, A. Bala, S. Kumari, LBA-PAKE: Lattice-based anonymous password authenticated key exchange for mobile devices, IEEE Syst. J. 15 (4) (2020) 5067–5077, http://dx.doi.org/10.1109/JSYST.2020.3023808.
[28] V. Dabra, S. Kumari, A. Bala, S. Yadav, SL3PAKE: simple lattice-based three-party password authenticated key exchange for post-quantum world, J. Inf. Secur. Appl. 84 (2024) 103826, http://dx.doi.org/10.1016/j.jisa.2024.103826.
[29] S. Guo, Y. Song, S. Guo, Y. Yang, S. Song, Three-party password authentication and key exchange protocol based on MLWE, Symmetry 15 (9) (2023) 1750, http://dx.doi.org/10.3390/sym15091750.
[30] K. Seyhan, S. Akleylek, A.F. Dursun, Password authenticated key exchange-based on Kyber for mobile devices, PeerJ Comput. Sci. 10 (2024) e1960, http://dx.doi.org/10.7717/peerj-cs.1960.
[31] A. Arriaga, M. Barbosa, S. Jarecki, M. Škrobot, C'est très CHIC: A compact password-authenticated key exchange from lattice-based KEM, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2024, pp. 3–33, http://dx.doi.org/10.1007/978-981-96-0935-2_1.
[32] J. Pan, R. Zeng, A generic construction of tightly secure password-based authen-
[8] National Institute of Standards and Technology (NIST), NIST post-quantum ticated key exchange, in: International Conference on the Theory and Application
cryptography standardization project, 2025, (Accessed: 24 October 2025) https: of Cryptology and Information Security, Springer, 2023, pp. 143175, http:
//csrc.nist.gov/projects/post-quantum-cryptography. //dx.doi.org/10.1007/978-981-99-8742-9_5.
[9] D. Ott, C. Peikert, et al., Identifying research challenges in post quantum [33] N. Alnahawi, J. Alperin-Sheriff, D. Apon, G.T. Davies, A. Wiesmaier, NICE-
cryptography migration and cryptographic agility, 2019, https://arxiv.org/abs/ PAKE: On the security of KEM-based PAKE constructions without ideal ciphers,
1909.07353. 2024, URL https://eprint.iacr.org/2024/1957 Cryptology ePrint Archive, Paper
[10] N. Alnahawi, D. Haas, E. Mauß, A. Wiesmaier, SoK: PQC PAKEs - design, security 2024/1957.
and performance, 2025, URL https://eprint.iacr.org/2025/119 Cryptology ePrint [34] J. Vos, S. Jarecki, C.A. Wood, C. Yun, S. Myers, Y. Sierra, A hybrid asymmetric
Archive, Paper 2025/119. password-authenticated key exchange in the random oracle model, 2025, URL
[11] J. Cheon, H. Choe, J. Choi, D. Hong, J. Hong, C. Jung, H. Kang, J. Lee, S. https://eprint.iacr.org/2025/1343 Cryptology ePrint Archive, Paper 2025/1343.
Lim, A. Park, S. Park, J. Seo, H. Seong, J. Shin, SMAUG-T: The Key Exchange [35] J. Ding, S. Alsayigh, J. Lancrenon, S. Rv, M. Snook, Provably secure password
Algorithm Based on Module-LWE and Module-LWR, Algorithm specifications, authenticated key exchange based on RLWE for the post-quantum world, in:
K-PQC Consortium, 2024, (Accessed: 24 October 2025). Cryptographers Track At the RSA Conference, Springer, 2017, pp. 183204,
[12] H. Beguinet, C. Chevalier, D. Pointcheval, T. Ricosset, M. Rossi, GeT a CAKE: http://dx.doi.org/10.1007/978-3-319-52153-4_11.
Generic transformations from key encaspulation mechanisms to password authen- [36] J.-P. DAnvers, A. Karmakar, S. Sinha Roy, F. Vercauteren, Saber: Module-
ticated key exchanges, in: International Conference on Applied Cryptography and LWR based key exchange, CPA-secure encryption and CCA-secure KEM, in:
Network Security, Springer, 2023, pp. 516538, http://dx.doi.org/10.1007/978- International Conference on Cryptology in Africa, Springer, 2018, pp. 282305,
3-031-33491-7_19. http://dx.doi.org/10.1007/978-3-319-89339-6_16.
[13] K. Seyhan, S. Akleylek, Smaug kem to smaug-pake: a generic lattice-based pass- [37] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J.M. Schanck, P. Schwabe,
word authenticated key exchange, Central European Conference on Cryptology G. Seiler, D. Stehlé, CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM,
CECC-2024 (2024) 38-41. in: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE,
[14] Z. Li, D. Wang, Achieving one-round password-based authenticated key exchange 2018, pp. 353367, http://dx.doi.org/10.1109/EuroSP.2018.00032.
over lattices, IEEE Trans. Serv. Comput. 15 (1) (2019) 308321, http://dx.doi. [38] E. Bresson, O. Chevassut, D. Pointcheval, Security proofs for an efficient
org/10.1109/TSC.2019.2939836. password-based key exchange, in: Proceedings of the 10th ACM Conference on
[15] Z. Li, H. Zhu, G. Liao, M. Wang, P. Li, P. Gope, QT-PAKE: Secure messaging via Computer and Communications Security, 2003, pp. 241250, http://dx.doi.org/
quantum-safe threshold PAKE, IEEE Trans. Consum. Electron. (2025). 10.1145/948109.948142.
[16] J. Katz, V. Vaikuntanathan, Smooth projective hashing and password-based [39] M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure
authenticated key exchange from lattices, in: International Conference on the against dictionary attacks, in: International Conference on the Theory and
Theory and Application of Cryptology and Information Security, Springer, 2009, Applications of Cryptographic Techniques, Springer, 2000, pp. 139155, http:
pp. 636652, http://dx.doi.org/10.1007/978-3-642-10366-7_37. //dx.doi.org/10.1007/3-540-45539-6_11.
[40] R. Canetti, S. Halevi, J. Katz, Y. Lindell, P. MacKenzie, Universally composable password-based key exchange, in: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2005, pp. 404–421, http://dx.doi.org/10.1007/11426639_24.
[41] A.F. Dursun, Smaug.PAKE for Mobile Devices, 2025, (Accessed: 24 October 2025) https://github.com/afDursun/lattice-based-pakes.
[42] S. Aghapour, K. Ahmadi, M. Anastasova, R. Azarderakhsh, M. Mozaffari Kermani, PUF-Dilithium: Design of a PUF-based Dilithium architecture benchmarked on ARM processors, ACM Trans. Embed. Comput. Syst. 24 (2) (2025) 1–20, http://dx.doi.org/10.1145/3715328.
[43] K. Ahmadi, S. Aghapour, M.M. Kermani, R. Azarderakhsh, Efficient error detection cryptographic architectures benchmarked on FPGAs for Montgomery ladder, IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 32 (11) (2024) 2154–2158, http://dx.doi.org/10.1109/TVLSI.2024.3419700.
[44] A. Jati, N. Gupta, A. Chattopadhyay, S.K. Sanadhya, A configurable CRYSTALS-Kyber hardware implementation with side-channel protection, ACM Trans. Embed. Comput. Syst. 23 (2) (2024) 1–25, http://dx.doi.org/10.1145/3587037.
[45] S. Aghapour, K. Ahmadi, M. Anastasova, M.M. Kermani, R. Azarderakhsh, PUF-Kyber: Design of a PUF-based Kyber architecture benchmarked on diverse ARM processors, IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 43 (12) (2024) 4453–4462, http://dx.doi.org/10.1109/TCAD.2024.3399669.