An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity. In this paper, we propose a
anonymous PAKE (called,
) protocol that provides the most efficiency among their kinds in terms of computation and communication costs. The
protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semi-honest server. If the pre-computation is allowed, the computation cost of the
protocol is the same as the well-known Diffie-Hellman protocol! In addition, we extend the
protocol in two ways.