Journal of Engineering and Applied Sciences

ISSN: Online 1818-7803
ISSN: Print 1816-949x

Insecure Instantiations of Random Oracles in Password-Based Key Exchange Protocols

Juryon Paik
Page: 6211-6219 | Received 21 Sep 2022, Published online: 21 Sep 2022

Abstract

Protocols for Password-based Authenticated Key Exchange (PAKE) allow users to generate a shared secret key from their easy-to-remember passwords, but at the same time must protect those passwords from notorious dictionary attacks. PAKE protocols often use a hash function that maps user passwords into elements of the underlying cyclic group G generated by an arbitrary fixed element g ∈ G. Such a hash function is usually modelled as a random oracle G in the security proofs of these protocols. One obvious way of instantiating the random oracle G is to use a random oracle H: {0, 1}* → Z_q and then define G(·) = g^H(·). However, we argue that this obvious instantiation of G is likely to result in a critical vulnerability for most PAKE protocols. In the present research, we provide strong evidence in support of this argument by showing that two popular protocols, Bresson two-party PAKE protocol and Abdalla and Pointcheval’s three-party PAKE protocol, become susceptible to an offline dictionary attack as soon as G is instantiated as G(·) = g^H(·). Our result suggests that designers of PAKE protocols should clearly specify how G can be securely instantiated for their protocols in order to prevent protocol implementers from employing an insecure instantiation of G.


How to cite this article:

Juryon Paik. Insecure Instantiations of Random Oracles in Password-Based Key Exchange Protocols.
DOI: https://doi.org/10.36478/jeasci.2018.6211.6219
URL: https://www.makhillpublications.co/view-article/1816-949x/jeasci.2018.6211.6219