TY  - JOUR
T1  - Insecure Instantiations of Random Oracles in
Password-Based Key Exchange Protocols
AU - Paik, Juryon 
JO  - Journal of Engineering and Applied Sciences
VL  - 13
IS  - 15
SP  - 6211
EP  - 6219
PY  - 2018
DA  - 2001/08/19
SN  - 1816-949x
DO  - jeasci.2018.6211.6219
UR  - https://makhillpublications.co/view-article.php?doi=jeasci.2018.6211.6219
KW  - prevent protocol implementers
KW  -dictionary attack
KW  -random oracle
KW  -password
KW  -Authenticated key exchange
KW  -PAKE protocols
KW  -pointchevals
AB  - Protocols for Password-based Authenticated Key Exchange (PAKE) allow users to generate a shared
secret key from their easy-to-remember passwords but at the same time have to protect the user&#146;s passwords
from the notorious dictionary attacks. PAKE protocols often use a hash function that maps user passwords
into elements of the underlying cyclic group G generated by an arbitrary fixed element g,G. Such a hash
function is usually modelled as a random oracle G in proofs of security of protocols. One obvious way of
instantiating the random oracle G is to use a random oracle H: {0, 1}*&rarr;Z<sub>q</sub> and then define G(.) = g<sup><i>H</i>(,)</sup>. However, 
we argue that this obvious instantiation of G is likely to result in a critical vulnerability for most of PAKE
protocols. In the present research, we provide a strong evidence in support of this argument by showing that
two popular protocols-Bresson two-party PAKE protocol and Abdalla and Pointcheval&#146;s three-party PAKE
protocol-become susceptible to an offline dictionary attack as soon as G is instantiated as G (.) = g<sup><i>H</i>(,)</sup>. Our result suggests that designers of PAKE protocols should clearly specify how G can be securely instantiated for their
protocols in order to prevent protocol implementers from employing an insecure instantiation of G.
ER  - 