@article{MAKHILLJEAS2018131516644,
    title = {Insecure Instantiations of Random Oracles in
Password-Based Key Exchange Protocols},
    journal = {Journal of Engineering and Applied Sciences},
    volume = {13},
    number = {15},
    pages = {6211-6219},
    year = {2018},
    issn = {1816-949x},
    doi = {jeasci.2018.6211.6219},
    url = {https://makhillpublications.co/view-article.php?issn=1816-949x&doi=jeasci.2018.6211.6219},
    author = {Juryon},
    keywords = {prevent protocol implementers,dictionary attack,random oracle,password,Authenticated key exchange,PAKE protocols,pointchevals},
    abstract = {Protocols for Password-based Authenticated Key Exchange (PAKE) allow users to generate a shared
secret key from their easy-to-remember passwords but at the same time have to protect the user&#146;s passwords
from the notorious dictionary attacks. PAKE protocols often use a hash function that maps user passwords
into elements of the underlying cyclic group G generated by an arbitrary fixed element g,G. Such a hash
function is usually modelled as a random oracle G in proofs of security of protocols. One obvious way of
instantiating the random oracle G is to use a random oracle H: {0, 1}*&rarr;Z<sub>q</sub> and then define G(.) = g<sup><i>H</i>(,)</sup>. However, 
we argue that this obvious instantiation of G is likely to result in a critical vulnerability for most of PAKE
protocols. In the present research, we provide a strong evidence in support of this argument by showing that
two popular protocols-Bresson two-party PAKE protocol and Abdalla and Pointcheval&#146;s three-party PAKE
protocol-become susceptible to an offline dictionary attack as soon as G is instantiated as G (.) = g<sup><i>H</i>(,)</sup>. Our result suggests that designers of PAKE protocols should clearly specify how G can be securely instantiated for their
protocols in order to prevent protocol implementers from employing an insecure instantiation of G.}
    }