TY - JOUR
T1 - Insecure Instantiations of Random Oracles in
Password-Based Key Exchange Protocols
AU - Paik, Juryon
JO - Journal of Engineering and Applied Sciences
VL - 13
IS - 15
SP - 6211
EP - 6219
PY - 2018
DA - 2001/08/19
SN - 1816-949x
DO - jeasci.2018.6211.6219
UR - https://makhillpublications.co/view-article.php?doi=jeasci.2018.6211.6219
KW - prevent protocol implementers
KW -dictionary attack
KW -random oracle
KW -password
KW -Authenticated key exchange
KW -PAKE protocols
KW -pointchevals
AB - Protocols for Password-based Authenticated Key Exchange (PAKE) allow users to generate a shared
secret key from their easy-to-remember passwords but at the same time have to protect the user’s passwords
from the notorious dictionary attacks. PAKE protocols often use a hash function that maps user passwords
into elements of the underlying cyclic group G generated by an arbitrary fixed element g,G. Such a hash
function is usually modelled as a random oracle G in proofs of security of protocols. One obvious way of
instantiating the random oracle G is to use a random oracle H: {0, 1}*→Zq and then define G(.) = gH(,). However,
we argue that this obvious instantiation of G is likely to result in a critical vulnerability for most of PAKE
protocols. In the present research, we provide a strong evidence in support of this argument by showing that
two popular protocols-Bresson two-party PAKE protocol and Abdalla and Pointcheval’s three-party PAKE
protocol-become susceptible to an offline dictionary attack as soon as G is instantiated as G (.) = gH(,). Our result suggests that designers of PAKE protocols should clearly specify how G can be securely instantiated for their
protocols in order to prevent protocol implementers from employing an insecure instantiation of G.
ER -