Cryptanalysis of Some Client-to-Client Password-Authenticated Key Exchange Protocols

Client-to-Client Password-Authenticated Key Exchange (C2C-PAKE) protocols allow two clients establish a common session key based on their passwords. In a secure C2C-PAKE protocol, there is no computationally bounded adversary learns anything about session keys shared between two clients. Especially a participating server should not learn anything about session keys. Server-compromise impersonation resilience is another desirable security property for a C2C-PAKE protocol. It means that compromising the password verifier of any client A should not enable outside adversary to share session key with A. Recently, Kwon and Lee proposed four C2C-PAKE protocols in the three-party setting, and Zhu et al. proposed a C2C-PAKE protocol in the cross-realm setting.