Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model

Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.


Introduction
Authenticated key exchange is one of the most fundamental problems in cryptography and network security. In 1992, Bellovin and Merritt [1] introduced encrypted key exchange (or EKE) protocols, which allow arbitrary two parties, who share only a lowentropy password, to establish a common highentropy secret key (called a session key) over an insecure public network.
Since the work of Bellovin and Merritt [1], password-only authenticated key exchange (PAKE) protocols have attracted much greater attention mainly due to the persistent popularity of passwords as a practical (and cheap) authentication method [2]. Since the publication of the first EKE protocol (with only heuristic security arguments), many provably secure PAKE protocols have been published. Recent examples include the protocol of Katz and Vaikuntanathan [3], which enjoys both round optimality and provable security in the standard model (i.e., without random oracles and ideal ciphers).
A major challenge in designing PAKE protocols is to protect passwords from a dictionary attack, in which an adversary enumerates all possible passwords while testing each one against known password verifiers in order to determine the correct one. The design of two-party PAKE protocols secure against dictionary attacks has been extensively studied over the past two decades and is now fairly well understood. However, three-party PAKE protocols have received far less attention and preventing dictionary attacks is more challenging in the three-party setting. Unlike the two-party setting that assumes the same password is shared 2 The Scientific World Journal between the two parties, the three-party setting assumes that the two parties (commonly known as clients) wishing to establish a session key do not share the same password but hold their individual password shared only with a trusted server. This implies that in the three-party setting, a malicious client can attempt to mount an insider dictionary attack against its partner client. Indeed, many published three-party PAKE protocols were subsequently found to be vulnerable to an insider online/offline dictionary attack (e.g., [4][5][6][7][8][9][10]).
It is widely regarded that the design of key exchange protocols (including PAKE protocols) is notoriously hard, and conducting security analysis for such protocols is timeconsuming and error-prone [11][12][13]. The many flaws discovered in published protocols have promoted the use of formal models and rigorous security proofs [14][15][16]. In the provable security paradigm for protocol analysis, a deductive reasoning process is adopted whereby emphasis is placed on a proven reduction from the problem of breaking the protocol to another problem believed to be computationally hard. A complete mathematical proof with respect to cryptographic definitions provides a strong assurance that a protocol is behaving as desired. It is now standard practice for protocol designers to provide security proofs in a well-defined formal model in order to assure protocol implementers about the security properties of protocols.
Over the past decade, we have seen a number of PAKE protocols proposed in the three-party setting [4][5][6][7][8][17][18][19][20][21][22][23][24][25][26][27][28][29]. Many of these published protocols either did not have a proof of security [5,6,17,[22][23][24][25] or were subsequently found to be flawed [4-10, 12, 23, 24, 27, 30-36]. There are only a handful of provably secure three-party PAKE protocols [4,7,8,21] whose claimed security properties have not been invalidated. However, there are limitations in the security proof of these protocols. For example, the protocols of [7,8] are proven secure in the random oracle model. Although a proof of security in the random oracle model is definitely better than having no proof, it may not guarantee security in the real world (currently an open question). The protocols of [4,21] are proven secure in a restricted model where the adversary is not allowed to corrupt protocol participants. Note that a protocol proven secure in such a restricted model cannot guarantee its security against attacks by malicious clients including insider online/offline dictionary attacks. (Readers who are unfamiliar with formal security models are referred to Section 2.1.) Although Yang and Cao [37] proposed a new three-party key exchange protocol that was proven secure in the standard model, the protocol is based on the ElGamal encryption scheme and thus requires a server's public key as well as clients' passwords to be preestablished before the protocol is ever executed. We refer the readers to [33,[38][39][40][41][42][43][44] for other recently published protocols designed to work in a "hybrid" setting where a cryptographic key is required in addition to passwords.
To the best of our knowledge, there is no published threeparty PAKE protocol whose security is proven secure in the standard model that allows an adversary to corrupt protocol participants. In this work, we present the first three-party PAKE protocol that achieves provable security in the standard model against an active adversary with the corruption capability. We prove the security of session keys for our protocol in the widely accepted indistinguishability-based model of Bellare, Pointcheval, and Rogaway [14]-this model is, probably, one of the most popular proof models in the provable security paradigm for key exchange protocols. However, the indistinguishability-based security of session keys proven in the Bellare-Pointcheval-Rogaway model (and several other standard models) does not imply the security of passwords against undetectable online dictionary attacks, in which each guess on the password is checked undetectably via an online transaction with the server (see Section 2.3 for more details). We address this problem by providing a separate proof of security for the protocol against undetectable online dictionary (UDOD) attacks. This second proof is compact and elegant and does not rely upon idealized assumptions about the cryptographic primitives. Table 1 compares our protocol against other provably secure three-party PAKE protocols in terms of security proofs.
The remainder of this paper is structured as follows. Section 2 describes a formal proof model along with the associated definitions of security. Section 3 presents our proposed three-party PAKE protocol. In Section 4, we prove that the proposed protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks. We conclude the paper in Section 5.

Formal Setting
In this section, we (1) first describe a security model adapted from the Bellare-Pointcheval-Rogaway 2000 model [14], (2) define a typical indistinguishability-based security of session keys, which we call the SK security, (3) provide a simple and intuitive definition of security against undetectable online dictionary attacks.

The Security Model
Protocol Participants. Let C be the set of all clients registered with the trusted authentication server . Clients , ∈ C who are both registered with may run a three-party PAKE protocol at any point in time to establish a session key. Let U = C ∪ { }. A party ∈ U may have several instances involved in distinct, possibly concurrent, executions of protocol . We use Π to denote the th instance of party . A client instance Π is said to accept when it successfully computes its session key sk in a protocol execution.
Long-Term Keys. Each client ∈ C chooses a password pw from a fixed dictionary PW and shares it with the server via a secure channel. Accordingly, holds all the passwords {pw | ∈ C}. Each password pw is used as the long-term secret key of and .
The Scientific World Journal 3 Table 1: Security proof comparison.

Protocol
Idealized assumption Adversary capability Resistance to UDOD attacks † Our protocol None Not restricted Proven GPAKE [21] N o n e Restricted from corrupting parties No [4] NGPAKE [4] None Not proven Lin and Hwang [7] Random oracles Not restricted Not proven Wu et al. [8] Random oracles Not restricted Not proven † Resistance to undetectable online dictionary attacks.
Partnership. The notion of partnership is a key element in defining the security of the protocol. Two instances are partners if both participate in a protocol execution and establish a (shared) session key. We define the partnership relations between instances using the notions of session identifiers and partner identifiers (see [45] on the role and the possible construct of session and partner identifiers as a form of partnering mechanism that enables the right session key to be identified in concurrent protocol executions.). A session identifier (sid) is a unique identifier of a protocol session and is defined as a function of the messages transmitted in the protocol session. We use sid to denote the sid of instance Π . A partner identifier (pid) is the set of participants of a specific protocol session. Instances should receive as input a pid before they can run the protocol. By pid , we denote the pid given to instance Π . Notice that pid consists of three participants: server , client , and another client with whom Π believes it runs the protocol. We say that any two instances Π and Π are partners if (1) both Π and Π have accepted, (2) sid = sid , and (3) pid = pid .
Adversary. In the model, the probabilistic polynomial-time (ppt) adversary, A, controls all the communications that take place between parties via a predefined set of oracle queries. For example, the adversary can ask participants to reveal session keys and passwords using Reveal and Corrupt queries as described below.
(i) Execute(Π , Π , Π ). This query models passive eavesdropping of a protocol execution. It prompts an honest execution of the protocol between the instances Π , Π and Π . The transcript of the protocol execution is returned as the output of the query.
(ii) Send(Π , ). This query models active attacks against the protocol. It sends message to instance Π and returns the message that Π sends out in response to . A query of the form Send(Π , start : ( , , )) prompts Π to initiate the protocol with pid = ( , , ).
This query captures the notion of known key security (and it is often reasonable to assume that the adversary will be able to obtain session keys from any session different from the one under attack). Any client, Π , upon receiving such a query and if it has accepted and holds some session key, will send this session key back to A. However, the adversary is not allowed to ask this query if it has already made a Test query to the instance Π or its partner instance (see below for explanation of the Test oracle).
(iv) Corrupt( ). This query captures not only the notion of forward secrecy but also unknown key share attacks and insider attacks. The query provides the adversary with 's password pw . Notice that a Corrupt query does not result in the release of the session keys since the adversary already has the ability to obtain session keys through Reveal queries. If = (i.e., the server is corrupted), all clients' passwords stored by the server will be returned.
(v) Test(Π ). This query is the only oracle query that does not correspond to any of the adversary's abilities. If Π has accepted with some session key and is being asked a Test(Π ) query, then depending on a randomly chosen bit , the adversary is given either the actual session key (when = 1) or a session key drawn randomly from the session key distribution (when = 0). The adversary can access the Test oracle as many times as necessary. All the queries to the oracle are answered using the same value of the hidden bit . Namely, the keys returned by the Test oracle are either all real or all random. But, we require that for each different set of partners, the adversary should access the Test oracle only once.
We represent the number of queries used by an adversary as an ordered sequence of five nonnegative integers, = ( ex , se , re , co , te ), where the five elements refer to the numbers of queries that the adversary made, respectively, to its Execute, Send, Reveal, Corrupt, and Test oracles. We call this usage of queries by an adversary the query complexity of the adversary.

Session Key (SK) Security.
We now define the basic security, called the SK security, of a 3-party PAKE protocol. As usual, we define the SK security via the notion of freshness. Intuitively, a fresh instance is one that holds a session key which should not be known to the adversary A, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. The formal definition of freshness is explained in Definition 1.

4
The Scientific World Journal Definition 1. An instance Π is fresh if none of the following occurs: (1) A queries Reveal(Π ) or Reveal(Π ), where Π is the partner of Π and (2) A queries Corrupt( ), for some ∈ pid , before Π or its partner Π accepts.
The SK security of a 3-party PAKE protocol is defined in the context of the following two-stage experiment.

Stage 1.
A makes any oracle queries at will except that: (i) A is not allowed to ask the Test(Π ) query if the instance Π is unfresh.
(ii) A is not allowed to ask the Reveal(Π ) query if it has already made a Test query to Π or Π , where Π is the partner of Π .

Stage 2.
Once A decides that Phase 1 is over, it outputs a bit as a guess on the hidden bit chosen by the Test oracle. A is said to succeed if = .
Let Succ be the event that A succeeds in this experiment. Then we define the advantage of A in breaking the SK security of protocol as where the maximum is over all ppt adversaries A with time complexity at most and query complexity at most .

Definition 2. A 3-party PAKE protocol
is SK-secure if, for any ppt adversary A asking at most se Send queries, Adv sk (A) is only negligibly larger than ⋅ se /|PW|, where is a very small constant (usually around 2 or 4) when compared with |PW|.

Modelling Undetectable Online Dictionary
Attacks. The SK security does not imply security against undetectable online dictionary attacks. In other words, a 3-party PAKE protocol that is not secure against an undetectable online dictionary attack may be rendered SK-secure. To see this, suppose that a 3-party PAKE protocol is susceptible to undetectable online dictionary attacks whereby an attacker can find out the password of any registered client . Then, we can construct an adversary A who attacks protocol with advantage 1 as follows.
Corruption. If is a registered client, A queries Corrupt( ) to obtain the password pw . Otherwise, A skips this step.
Undetectable Online Dictionary Attacks. Next, A runs the protocol in the same way as conducts its undetectable online dictionary attacks against client . Note that A can perfectly simulate 's attack by using the disclosed password pw and by asking oracle queries appropriately. At the end of this step, A will obtain the password pw as a result of the attacks.

Impersonation.
A then initiates a new protocol session by querying Send(Π , start: ( , , )), where Π is an unused instance of an uncorrupted client . A runs this session as per the protocol specification, but simulating by itself all the actions of (by using pw ). At the end of the session, the instance Π will accept with its session key sk .
Test. The instance Π is fresh as (1) no Reveal query has been made on Π or its partner (which does not exist) and (2) no Corrupt query has been made against any of , , and . Thus, A may ask the Test(Π ) query. Since A can compute the session key sk by itself, it follows that Pr ,A [Succ] = 1 and thus Adv sk (A) = 1.
Since verifying the correctness of a password guess may require more than one Send queries to be asked, A may have to ask Send queries as many times as ⋅ |PW|, for some integer ≥ 1, to correctly determine the password pw . Then, even if Adv sk (A) = 1, the following holds for some ≥ 1: and the protocol is rendered SK-secure by Definition 2. This result is not surprising since we call a protocol SK-secure if mounting an online dictionary attack by asking Send queries is the best an adversary can do. However, we want to be able to distinguish undetectable online dictionary attacks from detectable online dictionary attacks, and ensure that the best an adversary can do is to mount a detectable online dictionary attack. The following new definitions together provide a simple and intuitive way of capturing security against undetectable online dictionary attacks.
Definition 3. The Send(Π , ) query models an online dictionary attack if both the following are true at the time of the termination of instance Π : (1) was not output by a previous Send query asked to an instance of by which, Π believes, was sent and (2) the adversary A queried neither Corrupt( ) nor Corrupt( ).
In Definition 3, the first condition implies that a straightforward delivery of a message between instances is not considered as an online dictionary attack while the second condition implies that, when is the (assumed) peer of client , the adversary A can corrupt the peer client to mount an (insider) online dictionary attack. Note that our definition of an online dictionary attack does not impose any restriction on asking Reveal queries.
Consider the two-stage experiment described in the previous section. Let Undet be the event that in the experiment, a server instance terminates normally when an online dictionary attack was mounted against the instance. We say that the adversary A succeeds in mounting an undetectable online dictionary attack if the event Undet occurs.

Our Proposed Protocol
As we have earlier claimed, our proposed protocol presented in this section is the first three-party PAKE protocol proven secure in the standard model against an active adversary who has the corruption ability.

Preliminaries.
We begin by reviewing some cryptographic primitives which underlie the security of our protocol.
Decisional Diffie-Hellman (DDH) Assumption. Let G be a cyclic (multiplicative) group of prime order . Since the order of G is prime, all the elements of G, except 1, are generators of G. Let be a random fixed generator of G and let , , be randomly chosen elements in Z where ̸ = .
Informally stated, the DDH problem for G is to distinguish between the distributions of ( , , ) and ( , , ), and the DDH assumption is said to hold in G if it is computationally infeasible to solve the DDH problem for G. More formally, we define the advantage of D in solving the DDH problem for G as Adv Two-Party PAKE Protocols. Let 2PAKE be a two-party PAKE protocol that outputs session keys distributed in {0, 1} ℓ . We assume that 2PAKE is SK-secure against an adversary who is given access to all the oracles: Send, Execute, Reveal, Corrupt, and Test. Let Adv sk 2PAKE (A) be the advantage of an adversary A in breaking the SK security of 2PAKE. We require that, for all ppt adversaries A making at most se Send queries, Adv sk 2PAKE (A) is only negligibly larger than se /|PW|. We denote by ADV sk 2PAKE ( , ) the maximum value of Adv sk 2PAKE (A) over all ppt adversaries A with time complexity at most and query complexity at most .

Protocol Description.
Let and be two clients who wish to establish a session key, and let be a trusted server with which and have secretly shared their respective passwords pw and pw . Our protocol proceeds as follows.
Step 1. and establish a shared secret key by running the two-party protocol 2PAKE. Likewise, and establish a shared secret key .
The operation of this protocol is illustrated in Figure 1.
Steps 1 and 2 of the protocol are independent and can be performed in parallel. The session-key computation in the protocol is the same as in the Diffie-Hellman key exchange protocol (i.e., sk = ). Hence, it is straightforward to verify the correctness of the protocol.

Security Proofs
In this section we prove that our three-party PAKE protocol is SK-secure and is resistant to undetectable online dictionary attacks. The proofs of both properties rely on neither random oracles nor ideal ciphers. Therefore, if 2PAKE is instantiated with a protocol proven secure in the standard model (e.g., [3,49]), our three-party PAKE protocol would also be provably secure in the standard model. Hereafter, we denote our protocol by 3PAKEsm ("sm" for "standard model").

Proof of SK Security.
We first claim that, if the underlying two-party protocol 2PAKE is SK-secure, then the 3PAKEsm protocol is SK-secure as well under the DDH assumption in G and the security of the MAC scheme Σ.
where = (2 ex , se , 0, co , 2 ex + se ) and is the maximum time required to perform an entire experiment involving an adversary who attacks protocol 3PAKEsm with time complexity .
Proof. Assume an adversary A attacking protocol 3PAKEsm with time complexity and query complexity = ( ex , se , re , co , te ). We prove Theorem 5 by introducing a sequence of experiments Expr 0 , . . . , Expr 5 and bounding the difference in A's advantage between two consecutive experiments. Expr 0 is the original experiment (described in Section 2.2) in which A attacks the actual protocol, and Expr 5 is the experiment in which the advantage of A is 0. Let Succ be the event that A correctly guesses the hidden bit (chosen by the Test oracle) in experiment Expr . By definition, we get Adv sk 3PAKEsm (A) = 2 ⋅ Pr[Succ 0 ] − 1. Before providing details of the proof, we first define the notion of an uncorrupted instance. Definition 6. We say an instance Π is clean if no one in pid has been asked a Corrupt query. Otherwise, we say it is unclean.
Experiment Expr 1 . We modify the experiment so that each different MAC key is chosen uniformly at random from {0, 1} ℓ for all clean instances. The difference in A's success probability between Expr 0 and Expr 1 is bounded by Claim 1.
Proof. Assume that the advantage of A in attacking protocol 3PAKEsm is different between two experiments Expr 0 and Expr 1 . Then we prove the claim by constructing, from A, an adversary A 2PAKE attacking protocol 2PAKE with time complexity and query complexity . A 2PAKE begins by choosing a bit uniformly at random. A 2PAKE then invokes A as a subroutine and answers the oracle queries of A on its own as follows.
Execute Queries. A 2PAKE answers Execute queries of A by making Execute and Test queries to its own oracles. Specifically, A 2PAKE handles each Execute(Π , Π , Π ) query as follows.
(i) If anyone in { , , } has been corrupted, then A 2PAKE answers the Execute query as in experiment Expr 0 .
(ii) Otherwise, A 2PAKE first makes two queries Execute(Π , Π ) and Execute(Π , Π ). Let T 2PAKE and T 2PAKE be two transcripts returned in response to the Execute queries. Next, A 2PAKE makes the queries Test(Π ) and Test(Π ) and receives in return two keys and (either real or random). A 2PAKE then generates the messages of Steps 2-4 of protocol 3PAKEsm, using and as the MAC keys. Finally, A 2PAKE returns these messages prepended by T 2PAKE and T 2PAKE .
Send Queries. At a high level, the simulation of the Send oracle is similar to that of the Execute oracle. Specifically, A 2PAKE handles each Send(Π , ) query as follows.
(i) If the instance Π is clean or the message belongs to Step 2 or later steps, then A 2PAKE answers the query as in experiment Expr 0 .
(ii) Otherwise, A 2PAKE answers it by making the same query to its own Send oracle. If the query causes Π to accept, then A 2PAKE also makes a Test(Π ) query (if it had not previously asked a Test query to the partner of Π ). As in the simulation of the Execute oracle, A 2PAKE uses the output of this Test query as the MAC key in generating the messages of Steps 2-4 of protocol 3PAKEsm.
Reveal Queries. These queries are answered in the obvious way. Namely, A 2PAKE responds to the query Reveal(Π ) by returning the session key sk .
Corrupt Queries. When A queries Corrupt( ), A 2PAKE makes the same query to its own Corrupt oracle and simply forwards the output to A.
Test Queries. A 2PAKE answers these queries according to the bit chosen at the beginning of the simulation. That is, A 2PAKE returns real session keys, which it has computed on its own, if = 1, and otherwise returns random keys chosen uniformly at random from G. Now at some point in time, when A terminates and outputs its guess , A 2PAKE outputs 1 if = and outputs 0 otherwise. From the simulation above, it is easy to see that A 2PAKE has at most time complexity and query complexity . The advantage of A 2PAKE in attacking protocol 2PAKE is immediate if we notice the following.
(i) The probability that A 2PAKE outputs 1 when its Test oracle returns real session keys is equal to Pr[Succ 0 ], the probability that A correctly guesses the bit in experiment Expr 0 .
(ii) The probability that A 2PAKE outputs 1 when its Test oracle returns random keys is equal to Pr[Succ 1 ], the probability that A correctly guesses the bit in experiment Expr 1 .
This means that Adv sk 2PAKE (A 2PAKE ) =|Pr[Succ 1 ] − Pr[Succ 0 ]|. Claim 1 then follows. Experiment Expr 2 . Let Repeat be the event that a nonce selected by an instance of a party is selected again by another instance of the same party. The experiment Expr 2 is aborted, and the adversary does not succeed, if the event Repeat occurs. This is the only difference between Expr 1 and Expr 2 . By a straightforward calculation, we get the following.

Claim 2.
Experiment Expr 3 . Let Forge be the event that the adversary A makes a Send query of the form Send(Π , ‖ * ‖ ) before querying Corrupt( ), for some ∈ pid , such that (1) is a valid tag on ‖ * ‖ sid and (2) no oracle had not previously generated a tag on ‖ * ‖ sid . If Forge occurs, this experiment is aborted and the adversary does not succeed. Then we have the following. Proof. Assuming that the event Forge occurs, we construct, from A, an algorithm F who outputs, with a nonnegligible probability, a forgery against the MAC scheme Σ. The algorithm F is given oracle access to Mac (⋅) and Ver (⋅). The goal of F is to produce a message/tag pair ( , ) such that (1) is a valid tag on the message (i.e., Ver ( , ) = 1) and (2) F had not previously queried its oracle Mac (⋅) on the message .
Let be the number of all active sessions that A initiates by asking a Send query. First, F chooses a random ∈ {1, . . . , }. F then simulates the oracle calls of A as in experiment Expr 2 ; except that in the th session, it answers Send queries by accessing its MAC generation and verification oracles. If Forge occurs in the th session, F halts and outputs the message/tag pair generated by A as its forgery. Otherwise, F halts and outputs a failure indication. This simulation is perfect unless the adversary A makes a Corrupt query against a participant of the th session. Experiment Expr 4 . This experiment is different from Expr 3 in that the session key sk of each pair of instances partnered via an Execute query is chosen uniformly at random from G instead of being computed as sk = = = . As the following claim states, the difference in A's advantage between Expr 3 and Expr 4 is negligible if the DDH assumption holds in G.

Claim 4.
Proof. Assume that the advantage of A is nonnegligibly different between Expr 3 and Expr 4 . We prove the claim by constructing, from A, a distinguisher D that solves the DDH problem in G. Let ( 1 , 2 , 3 ) ∈ G 3 be an instance of the DDH problem given as input to D. D begins by choosing a bit uniformly at random. D then invokes A as a subroutine and proceeds to simulate the oracles. D answers all the oracle queries of A as in experiment Expr 3 , except that it handles each Execute(Π , Π , Π ) query by (1) selecting two random , ∈ Z , (2) computing = 1 and = 2 , (3) returning a transcript generated with and in place of and , (4) then setting sk = sk = 3 .
Let be the output of A. D outputs 1 if = and outputs 0, otherwise.
Then, the following is clear: (i) The probability that D outputs 1 on a true Diffie-Hellman triple is exactly the probability that A correctly guesses the bit in experiment Expr 3 .

8
The Scientific World Journal (ii) The probability that D outputs 1 on a random triple is exactly the probability that A correctly guesses the bit in experiment Expr 4 .
This completes the proof of Claim 4.
Experiment Expr 5 . In this experiment, the session key sk of each instance Π activated by a Send query is chosen uniformly at random from G if no one in pid has been corrupted before Π determines its session identifier sid . The difference in A's advantage between Expr 4 and Expr 5 is bounded by the following.
Proof. The proof of this claim is essentially similar to that of Claim 4. From the adversary A whose advantage is nonnegligibly different between Expr 4 and Expr 5 , we construct a distinguisher D that solves the DDH problem in G. Let ( 1 , 2 , 3 ) ∈ G 3 be an instance of the DDH problem given as input to D. D begins by selecting a bit uniformly at random and generating a list DDHList which is used to link an instance of the DDH problem to a session identifier, D then runs A as a subroutine and simulates the oracles. It handles all the queries of A as in experiment Expr 4 except for Send queries. Consider a query of the form Send(Π , ‖ ) which delivers a random nonce to instance Π . Whenever such a query is made, D answers it as follows.
(i) If is not the last nonce that Π is expected to receive, D simply waits for the next nonce.
(ii) Otherwise, D defines sid and checks that anyone in pid was corrupted. (1) If it does, D computes CS = Mac CS ( ‖ ‖ sid ) and returns ‖ ‖ CS in response to the query.
When A makes a Send query that causes an instance Π to accept, D checks if DDHList contains an entry of the form (sid , , , ). If so, D sets sk = . Otherwise, D computes sk as in experiment Expr 4 . For all other Send queries of A, D answers them as in experiment Expr 4 . Now when A terminates and outputs its guess , D outputs 1 if = and outputs 0 otherwise. One can easily see the following.
(i) The probability that D outputs 1 on a true Diffie-Hellman triple is exactly the probability that A correctly guesses the bit in experiment Expr 4 .
(ii) The probability that D outputs 1 on a random triple is exactly the probability that A correctly guesses the bit in experiment Expr 5 .
This implies Claim 5.
In experiment Expr 5 , the session keys of all fresh instances are chosen uniformly at random from G and thus the adversary A obtains no information on the bit chosen by the Test oracle. Therefore, it follows that Pr[Succ 5 ] = 1/2. This result combined with the previous claims yields the statement of Theorem 5.

Proof of Resistance to Undetectable Online Dictionary
Attacks. We now claim that 3PAKEsm is secure against undetectable online dictionary attacks as long as the 2PAKE protocol is SK-secure. Proof. Let A be a ppt adversary who asks se Send queries in mounting an undetectable online dictionary attack against 3PAKEsm. Consider the experiment Expr 1 described in the proof of Theorem 5 (see Section 4.1). By Undet 1 (resp., Undet 0 ), we denote the event Undet defined in experiment Expr 1 (resp., Expr 0 ). We prove Theorem 7 by first proving Claim 6 and then Claim 7. A chooses a random bit ∈ {0,1} and invokes the adversary A as a subroutine. A then simulates the oracles for A in the exactly same way as in the simulation for the proof of Claim 1. A outputs 1 if Undet occurs and 0 otherwise. From the way the oracles are simulated, it is easy to see the following.
(i) The probability that A outputs 1 when its Test oracle returns real session keys is equal to the probability that the event Undet occurs in experiment Expr 0 .
The Scientific World Journal 9 (ii) The probability that A outputs 1 when its Test oracle returns random keys is equal to the probability that the event Undet occurs in experiment Expr 1 .
Since A makes at most se Send queries, we obtain the statement of Claim 6.
Proof of Claim 7. Assume that Pr 3PAKEsm,A [Undet 1 ] is nonnegligibly larger than se /|PW|. Given the adversary A, we construct an adversary A against 2PAKE who asks at most se Send queries but has an advantage nonnegligibly larger than se /|PW|.
A runs A as a subroutine while simulating the oracles on its own. A handles all the oracle queries of A as in the experiment Expr 1 except for Send queries. When A makes a Send(Π , ) query, A checks if is a message for initiating a new session (of 3PAKEsm) or the Send query belongs to an execution of 2PAKE.
(1) If both are untrue, A responds to the query as in experiment Expr 1 . (2) Otherwise, A answers it by making the same query to its own Send oracle. If the query prompts Π to accept, then A checks if Π is clean.
(a) If so, A sets the MAC key of Π to be a random key drawn uniformly from {0, 1} ℓ . (b) Otherwise, A makes a Reveal(Π ) query and sets the MAC key of Π to be the output of this Reveal query.
Let Π be any server instance against which A has mounted an online dictionary attack. Let be the session key (i.e., the MAC key) that the instance Π has computed in its execution of 2PAKE. In order for the instance Π to terminate normally, the adversary A has to make a query of the form Send(Π , ‖ * ‖ CS ) such that Ver ( ‖ * ‖ sid , CS ) = 1. When A makes such a Send query (i.e., when the event Undet 1 occurs), A makes a Test query against the instance Π . Note that the instance Π is fresh as (1) it is partnered with no instance and (2) and must have not been corrupted. Let be the key returned in response to the Test query. A outputs 1 if Ver ( ‖ * ‖ sid , CS ) = 1 and outputs 0, otherwise. If Undet 1 does not occur, A outputs a random bit. Then, it is not hard to see that This completes the proof of Claim 7.
Theorem 7 immediately follows from Claims 6 and 7.

Conclusion
In this work, we have presented a three-party PAKE protocol whose security does not rely on the existence of random oracles. The model that we used to prove the security of our protocol allows the adversary to ask Corrupt queries and thus captures insider attacks as well as forward secrecy. It is a known fact that proving the security of protocols in such a model is of particular importance in the threeparty setting as insider dictionary attacks are most serious threats to three-party PAKE protocols. To the best of our knowledge, our protocol is the first three-party PAKE protocol proven secure against insider, active adversaries in the standard model (i.e., without random oracles and ideal ciphers). Another advantage our protocol has over previously published protocols is that it also achieves provable security against undetectable online dictionary attacks. The latter property is also significant as designing three-party PAKE protocol secure against undetectable online dictionary attacks is an ongoing challenge (as evidenced by the number of three-party PAKE protocols found to be vulnerable to an undetectable online dictionary attack). We leave it as a future work to design a three-party PAKE protocol that achieves not only provable security in the standard model but is more efficient than our protocol.