SPEKE (Simple Password Exponential Key Exchange) is a cryptographic method for passwordauthenticated key agreement.
Description[]
The protocol consists of little more than a DiffieHellman key exchange where the DiffieHellman generator g is created from a hash of the password.
Here is one simple form of SPEKE:
 Alice and Bob agree to use an appropriately large and randomly selected safe prime p.
 Alice and Bob agree on a shared password π.
 Alice and Bob both construct g = hash(π)^{2} mod p. (Squaring makes g a generator of the prime order subgroup of the multiplicative group of integers modulo p.)
 Alice chooses a secret random integer a, then sends Bob g^{a} mod p.
 Bob chooses a secret random integer b, then sends Alice g^{b} mod p.
 Alice and Bob each abort if their received values are not in the range [2,p2], to prevent small subgroup confinement attack.
 Alice computes K = (g^{b} mod p)^{a} mod p.
 Bob computes K = (g^{a} mod p)^{b} mod p.
Both Alice and Bob will arrive at the same value for K if and only if they use the same value for π. Once Alice and Bob compute the shared secret K they can use it in a key confirmation protocol to prove to each other that they know the same password π, and to derive a shared secret encryption key for sending secure and authenticated messages to each other.
Unlike unauthenticated DiffieHellman, SPEKE prevents man in the middle attack by the incorporation of the password. An attacker who is able to read and modify all messages between Alice and Bob cannot learn the shared key K and cannot make more than one guess for the password in each interaction with a party that knows it.
In general, SPEKE can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography.
History[]
SPEKE is one of the older and wellknown protocols in the relatively new field of passwordauthenticated key exchange. It was first described by David Jablon in 1996.^{[1]} In this publication Jablon also suggested a variant where, in step 2 of the protocol, g is calculated as g = g_{q}^{S} with a constant g_{q}. However, this construction turned out to be insecure against dictionary attacks and was therefore not recommended anymore in a revised version of the paper. In 1997 Jablon refined and enhanced SPEKE with additional variations, including an augmented passwordauthenticated key agreement method called BSPEKE.^{[2]} Since 1997 no flaws have been published for SPEKE. A paper published by MacKenzie in 2001 presents a proof in the random oracle model that SPEKE is a secure PAKE protocol (using a somewhat relaxed definition) based on a variation of the Decision DiffieHellman assumption.^{[3]}
Since 1999, the protocol has been used by several companies in a variety of products, typically supplementing other cryptographic techniques.
Patents[]
Template:US patent describes several variations of the method.
Standards[]
Standards that describe SPEKE include IEEE P1363.2 and ISO/IEC Draft 117704.
See also[]
 Passwordauthenticated key agreement
 Password
 IEEE P1363
 DiffieHellman key exchange
References[]
External links[]
