It remains an open problem to provide a provably secure and efficient protocol for the setting in which communicating parties, each sharing its own password with a trusted server, authenticate each other and establish a secure session key. In this paper we propose a solution in a formal way. First, we review the strengthened EKE-M protocol—the first attempt to address this setting—and point out a subtle flaw in it that may allow unknown key-share attacks. Next, building on previous work on adversary models for key establishment protocols, we provide an extended model for the -party setting. Finally, we propose a constant-round and provably secure generic construction of -party different password authentication (DPWA) key exchange protocols in the multicast setting.