Skip to main content

Zero-Knowledge Password Policy Checks and Verifier-Based PAKE

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 8713)


Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove compliance of chosen passwords with respect to password policies defined by the servers.

The main benefit of ZKPPC-based password registration is that it guarantees that registered passwords never appear in clear on the server side. At the end of the registration phase the server only receives and stores some verification information that can later be used for authentication in a suitable Verifier-based Password Authenticated Key Exchange (VPAKE) protocol.

We give general and concrete constructions of ZKPPC protocols and suitable VPAKE protocols for ASCII-based passwords and policies that are commonly used on the web. To this end we introduce a reversible mapping of ASCII characters to integers that can be used to preserve the structure of the password string and a new randomized password hashing scheme for ASCII-based passwords.


  • Password policies
  • password registration
  • authentication
  • verification
  • password hashing
  • ASCII passwords
  • verifier-based PAKE


  1. Ur, B., Kelley, P.G., Komanduri, S., Lee, J., Maass, M., Mazurek, M.L., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F.: How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In: USENIX Security 2012, p. 5. USENIX Association (2012)

    Google Scholar 

  2. Inglesant, P., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: CHI, pp. 383–392. ACM (2010)

    Google Scholar 

  3. Kaliski, B.: PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898 (Informational) (September 2000)

    Google Scholar 

  4. Turan, M.S., Barker, E., Burr, W., Chen, L.: Recommendation for password-based key derivation, pp. 800–132. NIST Special Publication (2010)

    Google Scholar 

  5. Provos, N., Mazières, D.: A Future-Adaptable Password Scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)

    Google Scholar 

  6. Reuters: Trove of Adobe user data found on Web after breach: security firm (2014), (accessed: April 01, 2014)

  7. Cubrilovic, N.: RockYou Hack: From Bad To Worse (2014), (accessed: April 01, 2014)

  8. Reuters, T.: Microsoft India store down after hackers take user data (2014), (accessed: April 01, 2014)

  9. Goodin, D.: Hack of Cupid Media dating website exposes 42 million plaintext passwords (2014), (accessed: April 01, 2014)

  10. Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE S&P 1992, pp. 72–84. IEEE CS (1992)

    Google Scholar 

  11. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  12. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally Composable Password-Based Key Exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  13. Pointcheval, D.: Password-Based Authenticated Key Exchange. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 390–397. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  14. Bellovin, S.M., Merritt, M.: Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise. In: ACM CCS 1993, pp. 244–250. ACM (1993)

    Google Scholar 

  15. Gentry, C., MacKenzie, P.D., Ramzan, Z.: A Method for Making Password-Based Key Exchange Resilient to Server Compromise. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 142–159. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  16. Benhamouda, F., Pointcheval, D.: Verifier-Based Password-Authenticated Key Exchange: New Models and Constructions. IACR Cryptology ePrint Archive 2013, 833 (2013)

    Google Scholar 

  17. Pedersen, T.P.: Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)

    Google Scholar 

  18. Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)

    CrossRef  Google Scholar 

  19. Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New smooth projective hash functions and one-round authenticated key exchange. Cryptology ePrint Archive, Report 2013/034 (2013),

  20. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient Protocols for Set Membership and Range Proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  21. Cramer, R., Damgård, I., MacKenzie, P.D.: Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 354–373. Springer, Heidelberg (2000)

    CrossRef  Google Scholar 

  22. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) Advances in Cryptology - CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)

    Google Scholar 

  23. Kiefer, F., Manulis, M.: Distributed Smooth Projective Hashing and Its Application to Two-Server Password Authenticated Key Exchange. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 199–216. Springer, Heidelberg (2014)

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Kiefer, F., Manulis, M. (2014). Zero-Knowledge Password Policy Checks and Verifier-Based PAKE. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8713. Springer, Cham.

Download citation

  • DOI:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11211-4

  • Online ISBN: 978-3-319-11212-1

  • eBook Packages: Computer ScienceComputer Science (R0)