Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


Protecting user data entails giving authenticated users access to their data. The most prevalent, and probably also the most practical, way to authenticate users is by username and password. With password breaches through server compromise now affecting billions of passwords, distributing the password files and user data over multiple servers is not just a good idea but a badly needed solution to a pressing problem. Threshold password-authenticated secret sharing (TPASS) protocols let users share secret data among a set of servers so that they can later recover that data using only a single password. No coalition of servers up to a certain threshold can learn anything about the data or mount an offline dictionary attack on the password. Several TPASS protocols have appeared in the literature, and one is even available commercially. Although designed to tolerate server corruptions, none of these protocols provides details, let alone security proofs, about how to proceed when a compromise actually occurs. Indeed, they consider static corruptions only, which does not model, for instance, real-world adaptive attacks by hackers. We provide the first TPASS protocol that is provably secure against adaptive server corruptions. Moreover, our protocol contains an efficient recovery procedure that re-initializes a server to recover from its corruption. We prove our protocol secure in the universal-composability model, where servers can be corrupted adaptively at any time; the users' passwords and secrets remain safe as long as both servers are never corrupted at the same time. Our protocol does not require random oracles, but it does assume that the servers have certified public keys.


Keywords: Universal composability, Threshold cryptography, Passwords, Transient corruptions
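As an added illustration (not the paper's protocol, which is not reproduced on this page), the following Python models the sharing layer that the abstract describes: a password and a secret are split additively between two servers, both servers re-randomise their shares as the recovery step after a detected compromise, and an attacker who compromises the two servers at different times ends up holding shares from different epochs that neither reconstruct the secret nor permit an offline dictionary attack, whereas compromising both servers at the same time does. The refresh step is textbook proactive secret sharing in the style of Herzberg, Jarecki, Krawczyk and Yung; the field modulus, the hash-to-field encoding, the `TwoServerStore` class and all sample passwords and secrets are assumptions of this example. It deliberately omits the password-authenticated retrieval interaction between user and servers and the certified server public keys that the paper assumes, and a real deployment would not map a password to a field element with a bare SHA-256 as done here.

```python
from __future__ import annotations

import hashlib
import secrets

# Field modulus for this illustration (the Mersenne prime 2^127 - 1); the real
# protocol works in a prime-order group with certified server keys, which is
# not modelled here.
Q = (1 << 127) - 1


def to_field(data: bytes) -> int:
    """Map a password or a secret to an element of Z_Q via SHA-256 (demo only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def share(value: int) -> tuple[int, int]:
    """2-of-2 additive sharing: s1 is uniform in Z_Q and s2 = value - s1.
    Each share alone is uniformly distributed and independent of value, so a
    single corrupted server holds nothing it could test a dictionary against."""
    s1 = secrets.randbelow(Q)
    return s1, (value - s1) % Q


def reconstruct(s1: int, s2: int) -> int:
    return (s1 + s2) % Q


def refresh(s1: int, s2: int) -> tuple[int, int]:
    """Proactive refresh: add a fresh sharing of zero, (r, -r). The shared
    value is unchanged, but a share taken before the refresh combined with
    one taken after it is uniform garbage."""
    r = secrets.randbelow(Q)
    return (s1 + r) % Q, (s2 - r) % Q


class TwoServerStore:
    """State of both servers for one user (assumed layout): shares of the
    password and of the secret, plus an epoch counter bumped at every refresh."""

    def __init__(self, password: bytes, secret: bytes) -> None:
        self.epoch = 0
        self.pw = list(share(to_field(password)))   # index 0: server 1, 1: server 2
        self.data = list(share(to_field(secret)))

    def refresh(self) -> None:
        """Recovery step after a detected compromise: both servers re-randomise
        their shares, which makes any share stolen earlier worthless."""
        self.pw = list(refresh(*self.pw))
        self.data = list(refresh(*self.data))
        self.epoch += 1

    def snapshot(self, server: int) -> dict:
        """What an attacker obtains by compromising one server right now."""
        return {"epoch": self.epoch, "pw": self.pw[server], "data": self.data[server]}


def offline_dictionary_attack(view1: dict, view2: dict, dictionary: list[bytes]) -> bytes | None:
    """Attacker holding one snapshot of each server combines the password shares
    and tests every candidate. This succeeds only when both snapshots come from
    the same epoch; otherwise the combined value is uniform in Z_Q."""
    target = reconstruct(view1["pw"], view2["pw"])
    for candidate in dictionary:
        if to_field(candidate) == target:
            return candidate
    return None


def demo() -> dict:
    """Transient corruption (server 1, then refresh, then server 2) versus
    simultaneous corruption of both servers. All inputs are constructed."""
    dictionary = [b"123456", b"password", b"hunter2", b"letmein"]
    password, secret = b"hunter2", b"constructed secret: wallet seed"
    store = TwoServerStore(password, secret)

    stolen_from_1 = store.snapshot(0)   # attacker inside server 1 during epoch 0
    store.refresh()                     # compromise detected, servers recover
    stolen_from_2 = store.snapshot(1)   # attacker inside server 2 during epoch 1

    both_at_once = (store.snapshot(0), store.snapshot(1))   # outside the threat model

    return {
        "transient_guess": offline_dictionary_attack(stolen_from_1, stolen_from_2, dictionary),
        "transient_secret_recovered":
            reconstruct(stolen_from_1["data"], stolen_from_2["data"]) == to_field(secret),
        "simultaneous_guess": offline_dictionary_attack(*both_at_once, dictionary),
        "honest_reconstruction": reconstruct(*store.data) == to_field(secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` returns `None` and `False` for the transient attacker (shares from different epochs sum to a uniformly random value, so no dictionary entry matches and the secret is not recovered) and `b"hunter2"` for the attacker who holds both servers' current state, which is exactly the case the abstract excludes. The honest servers still reconstruct the secret after the refresh, since the added zero-sharing cancels.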



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. IBM Research – Zurich, Rüschlikon, Switzerland
  2. Department of Computer Science, ETH Zürich, Zürich, Switzerland
