Cryptanalysis of simple three-party key exchange protocol (S-3PAKE)

Abstract

Password-authenticated key exchange (PAKE) protocols allow parties to share secret keys in an authentic manner based on an easily memorizable password. Recently, Lu and Cao proposed a three-party password-authenticated key exchange protocol, so called S-3PAKE, based on ideas of the Abdalla and Pointcheval two-party SPAKE extended to three parties. S-3PAKE can be seen to have a structure alternative to that of another three-party PAKE protocol (3PAKE) by Abdalla and Pointcheval. Furthermore, a simple improvement to S-3PAKE was proposed very recently by Chung and Ku to resist the kind of attacks that applied to earlier versions of 3PAKE. In this paper, we show that S-3PAKE falls to unknown key-share attacks by any other client, and undetectable online dictionary attacks by any adversary. The latter attack equally applies to the recently improved S-3PAKE. Indeed, the provable security approach should be taken when designing PAKEs; and furthermore our results highlight that extra cautions still be exercised when defining models and constructing proofs in this direction.