
Post-quantum anonymous password authenticated key exchange with indirect public key validation

Journal: Journal of Supercomputing (15730484)
Year: September 2025
Volume: 81
Issue:
Saeidi M.R., Mala H.
DOI: 10.1007/s11227-025-07793-8
Language: English

Abstract

As mobile devices become integral to daily life, ensuring secure communication between these devices and servers is crucial for protecting sensitive information and preventing unauthorized access. Password Authenticated Key Exchange (PAKE) protocols are widely used for secure authentication and key exchange in such environments. However, the advent of quantum computing has made classical PAKE schemes susceptible to quantum attacks. To overcome this, we introduce a post-quantum anonymous PAKE (APAKE) protocol tailored for mobile devices, which is secure against Key Compromise Impersonation (KCI) attacks and provides forward secrecy. This protocol utilizes lattice-based cryptography and incorporates indirect public key validation to provide robust security in the post-quantum era. Our protocol mitigates vulnerabilities, including signal leakage and key mismatch attacks, and enables secure key reuse. Experimental results demonstrate the balance between strong security and computational efficiency, supported by a formal security proof in the Random Oracle Model and an informal security analysis that further substantiates its resilience. © The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2025.