LAUSR

Two-server password-authenticated key exchange allows the client to split a low-entropy password into two pieces and store them in two servers, respectively, and the two servers collaboratively authenticate the client and establish session keys. Even though either server has been corrupted, it guarantees that the password still remains secure. In 2014, Yi et al. proposed a compiler that transforms any two-party PAKE protocol to a two-server PAKE protocol by dint of the ID-based public-key encryption system under the standard model. Moreover, it is claimed that the scheme is provably secure in a relevant formal model. In this letter, we point out an existing related-key attack to their scheme so that when one server is corrupted, the adversary can subtly derive the fresh key shared by the remaining two honest parties. In addition, we suggest a simple patch to avoid this concern.