Per-Session Security: Password-Based Cryptography Revisited

  • Grégory Demay
  • Peter Gaži
  • Ueli Maurer
  • Björn Tackmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


Cryptographic security is usually defined as a guarantee that holds except when a bad event with negligible probability occurs, and nothing is guaranteed in that case. However, in settings where a failure can happen with substantial probability, one needs to provide guarantees even for the bad case. A typical example is where a (possibly weak) password is used instead of a secure cryptographic key to protect a session, the bad event being that the adversary correctly guesses the password. In a situation with multiple such sessions, a per-session guarantee is desired: any session for which the password has not been guessed remains secure, independently of whether other sessions have been compromised.

Our contributions are two-fold. First, we provide a new, general technique for stating security guarantees that degrade gracefully and which could not be expressed with existing formalisms. Our method is simple, does not require new security definitions, and can be carried out in any simulation-based security framework (thus providing composability). Second, we apply our approach to revisit the analysis of password-based message authentication and of password-based (symmetric) encryption (PBE), investigating whether they provide strong per-session guarantees.

In the case of PBE, one would intuitively expect a weak form of confidentiality, where a transmitted message only leaks to the adversary once the underlying password is guessed. Indeed, we show that PBE does achieve this weak confidentiality if an upper-bound on the number of adversarial password-guessing queries is known in advance for each session. However, such local restrictions appear to be questionable in reality and, quite surprisingly, we show that in a more realistic scenario the desired per-session confidentiality is unachievable.


  1. 1.
    Abadi, M., Warinschi, B.: Password-based encryption analyzed. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 664–676. Springer, Heidelberg (2005). CrossRefGoogle Scholar
  2. 2.
    Alwen, J., Serbinenko, V.: High parallel complexity graphs and memory-hard functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 595–603. ACM Press, June 2015Google Scholar
  3. 3.
    Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Cham (2013).  10.1007/978-3-319-02937-5_12 CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000).  10.1007/3-540-45539-6_11 CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its application to password-based cryptography. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 312–329. Springer, Heidelberg (2012).  10.1007/978-3-642-32009-5_19 CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011).  10.1007/978-3-642-19571-6_16 CrossRefGoogle Scholar
  7. 7.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000).
  8. 8.
    Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005).  10.1007/11426639_24 CrossRefGoogle Scholar
  9. 9.
    Corrigan-Gibbs, H., Boneh, D., Schechter, S.: Balloon hashing: Provably space-hard hash functions with data-independent access patterns (2016)Google Scholar
  10. 10.
    Damgård, I.: A “proof-reading” of some issues in cryptography. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 2–11. Springer, Heidelberg (2007).  10.1007/978-3-540-73420-8_2 CrossRefGoogle Scholar
  11. 11.
    Demay, G., Gaži, P., Maurer, U., Tackmann, B.: Query-complexity amplification for random oracles. In: Lehmann, A., Wolf, S. (eds.) ICITS 2015. LNCS, vol. 9063, pp. 159–180. Springer, Cham (2015).  10.1007/978-3-319-17470-9_10 Google Scholar
  12. 12.
    Demay, G., Gaži, P., Maurer, U., Tackmann, B.: Per-session security: Password-based cryptography revisited. Cryptology ePrint Archive, Report 2016/166, February 2016Google Scholar
  13. 13.
    Gennaro, R., Lindell, Y.: A framework for password-based authenticated key exchange. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524–543. Springer, Heidelberg (2003).  10.1007/3-540-39200-9_33 CrossRefGoogle Scholar
  14. 14.
    Hofheinz, D., Matt, C., Maurer, U.: Idealizing identity-based encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 495–520. Springer, Heidelberg (2015).  10.1007/978-3-662-48797-6_21 CrossRefGoogle Scholar
  15. 15.
    Kaliski, B.: PKCS #5: Password-based cryptography specification. RFC 2898, September 2000Google Scholar
  16. 16.
    Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001).  10.1007/3-540-44987-6_29 CrossRefGoogle Scholar
  17. 17.
    Matt, C., Maurer, U.: A definitional framework for functional encryption. In: IEEE 28th IEEE CSF, pp. 217–231, July 2015Google Scholar
  18. 18.
    Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002).  10.1007/3-540-46035-7_8 CrossRefGoogle Scholar
  19. 19.
    Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012).  10.1007/978-3-642-27375-9_3 CrossRefGoogle Scholar
  20. 20.
    Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) The Second Symposium in Innovations in Computer Science, ICS 2011, pp. 1–21. Tsinghua University Press, January 2011Google Scholar
  21. 21.
    Morris, R., Thompson, K.: Password security: A case history. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  22. 22.
    Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002).  10.1007/3-540-45708-9_8 CrossRefGoogle Scholar
  23. 23.
    O’Gorman, L.: Comparing passwords, tokens, and biometrics for user authentication. Proc. IEEE 91(12), 2021–2040 (2003)CrossRefGoogle Scholar
  24. 24.
    Percival, C.: Stronger key derivation via sequential memory-hard functions. Self-published, pp. 1–16 (2009)Google Scholar
  25. 25.
    Petsas, T., Tsirantonakis, G., Athanasopoulos, E., Ioannidis, S.: Two-factor authentication: is the world ready? Quantifying 2FA adoption. In: Proceedings of the Eighth European Workshop on System Security, p. 4. ACM (2015)Google Scholar
  26. 26.
    Tackmann, B.: A Theory of Secure Communication. Ph.D. thesis, ETH Zürich, August 2014Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Grégory Demay
    • 1
  • Peter Gaži
    • 2
  • Ueli Maurer
    • 3
  • Björn Tackmann
    • 4
  1. 1.Ergon Informatik AGZürichSwitzerland
  2. 2.IOHK ResearchViennaAustria
  3. 3.Department of Computer ScienceETH ZürichZürichSwitzerland
  4. 4.IBM Research - ZurichRüschlikonSwitzerland

Personalised recommendations