Augmented Password-Authenticated Key Exchange (AugPAKE)

Document Type Expired Internet-Draft (cfrg RG)
Last updated 2018-07-22 (latest revision 2018-01-18)
Stream IRTF
Intended RFC status Informational
Expired & archived
pdf htmlized bibtex
Stream IRTF state (None)
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes a secure and highly-efficient augmented password-authenticated key exchange (AugPAKE) protocol where a user remembers a low-entropy password and its verifier is registered in the intended server. In general, the user's password is chosen from a small set of dictionary, making the password susceptible to offline dictionary attacks. The AugPAKE protocol described here is secure against passive attacks, active attacks and offline dictionary attacks (on the obtained messages with passive/active attacks). Also, this protocol provides resistance to server compromise in the context that an attacker, who obtained the password verifier from the server, must at least perform offline dictionary attacks to gain any advantage in impersonating the user. The AugPAKE protocol is not only provably secure in the random oracle model but also the most efficient over the previous augmented PAKE protocols (SRP and AMP).


SeongHan Shin (
Kazukuni Kobara (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)