Pub Date : 2022-06-26DOI: 10.48550/arXiv.2206.12970
Wenjie Bai, Jeremiah Blocki, Mohammad Hassan Ameri
In the past decade, billions of user passwords have been exposed to the dangerous threat of offline password cracking attacks. An offline attacker who has stolen the cryptographic hash of a user's password can check as many password guesses as s/he likes limited only by the resources that s/he is willing to invest to crack the password. Pepper and key-stretching are two techniques that have been proposed to deter an offline attacker by increasing guessing costs. Pepper ensures that the cost of rejecting an incorrect password guess is higher than the (expected) cost of verifying a correct password guess. This is useful because most of the offline attacker's guesses will be incorrect. Unfortunately, as we observe the traditional peppering defense seems to be incompatible with modern memory hard key-stretching algorithms such as Argon2 or Scrypt. We introduce an alternative to pepper which we call Cost-Asymmetric Memory Hard Password Authentication which benefits from the same cost-asymmetry as the classical peppering defense i.e., the cost of rejecting an incorrect password guess is larger than the expected cost to authenticate a correct password guess. When configured properly we prove that our mechanism can only reduce the percentage of user passwords that are cracked by a rational offline attacker whose goal is to maximize (expected) profit i.e., the total value of cracked passwords minus the total guessing costs. We evaluate the effectiveness of our mechanism on empirical password datasets against a rational offline attacker. Our empirical analysis shows that our mechanism can reduce significantly the percentage of user passwords that are cracked by a rational attacker by up to 10%.
{"title":"Cost-Asymmetric Memory Hard Password Hashing","authors":"Wenjie Bai, Jeremiah Blocki, Mohammad Hassan Ameri","doi":"10.48550/arXiv.2206.12970","DOIUrl":"https://doi.org/10.48550/arXiv.2206.12970","url":null,"abstract":"In the past decade, billions of user passwords have been exposed to the dangerous threat of offline password cracking attacks. An offline attacker who has stolen the cryptographic hash of a user's password can check as many password guesses as s/he likes limited only by the resources that s/he is willing to invest to crack the password. Pepper and key-stretching are two techniques that have been proposed to deter an offline attacker by increasing guessing costs. Pepper ensures that the cost of rejecting an incorrect password guess is higher than the (expected) cost of verifying a correct password guess. This is useful because most of the offline attacker's guesses will be incorrect. Unfortunately, as we observe the traditional peppering defense seems to be incompatible with modern memory hard key-stretching algorithms such as Argon2 or Scrypt. We introduce an alternative to pepper which we call Cost-Asymmetric Memory Hard Password Authentication which benefits from the same cost-asymmetry as the classical peppering defense i.e., the cost of rejecting an incorrect password guess is larger than the expected cost to authenticate a correct password guess. When configured properly we prove that our mechanism can only reduce the percentage of user passwords that are cracked by a rational offline attacker whose goal is to maximize (expected) profit i.e., the total value of cracked passwords minus the total guessing costs. We evaluate the effectiveness of our mechanism on empirical password datasets against a rational offline attacker. Our empirical analysis shows that our mechanism can reduce significantly the percentage of user passwords that are cracked by a rational attacker by up to 10%.","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132886002","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-09-14DOI: 10.1007/978-3-030-57990-6_30
A. Choudhuri, Vipul Goyal, Abhishek Jain
{"title":"The Round Complexity of Secure Computation Against Covert Adversaries","authors":"A. Choudhuri, Vipul Goyal, Abhishek Jain","doi":"10.1007/978-3-030-57990-6_30","DOIUrl":"https://doi.org/10.1007/978-3-030-57990-6_30","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126639919","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-09-14DOI: 10.1007/978-3-030-57990-6_2
Thomas Dinsdale-Young, Bernardo Magri, C. Matt, J. Nielsen, Daniel Tschudi
{"title":"Afgjort: A Partially Synchronous Finality Layer for Blockchains","authors":"Thomas Dinsdale-Young, Bernardo Magri, C. Matt, J. Nielsen, Daniel Tschudi","doi":"10.1007/978-3-030-57990-6_2","DOIUrl":"https://doi.org/10.1007/978-3-030-57990-6_2","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130387233","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-09-14DOI: 10.1007/978-3-030-57990-6_8
Rishabh Bhadauria, Carmit Hazay
{"title":"Multi-clients Verifiable Computation via Conditional Disclosure of Secrets","authors":"Rishabh Bhadauria, Carmit Hazay","doi":"10.1007/978-3-030-57990-6_8","DOIUrl":"https://doi.org/10.1007/978-3-030-57990-6_8","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132566862","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-09-14DOI: 10.1007/978-3-030-57990-6_12
Carmit Hazay, Mor Lilintal
{"title":"Gradual GRAM and Secure Computation for RAM Programs","authors":"Carmit Hazay, Mor Lilintal","doi":"10.1007/978-3-030-57990-6_12","DOIUrl":"https://doi.org/10.1007/978-3-030-57990-6_12","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"64 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115812581","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-09-14DOI: 10.1007/978-3-030-57990-6_29
Julia Hesse
{"title":"Separating Symmetric and Asymmetric Password-Authenticated Key Exchange","authors":"Julia Hesse","doi":"10.1007/978-3-030-57990-6_29","DOIUrl":"https://doi.org/10.1007/978-3-030-57990-6_29","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134416389","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2020-01-01DOI: 10.1007/978-3-319-10879-7_17
K. Takashima
{"title":"Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption","authors":"K. Takashima","doi":"10.1007/978-3-319-10879-7_17","DOIUrl":"https://doi.org/10.1007/978-3-319-10879-7_17","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127460364","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2018-09-05DOI: 10.1007/978-3-319-98113-0_4
Rupeng Yang, M. Au, Junzuo Lai, Qiuliang Xu, Zuoxia Yu
{"title":"Unforgeable Watermarking Schemes with Public Extraction","authors":"Rupeng Yang, M. Au, Junzuo Lai, Qiuliang Xu, Zuoxia Yu","doi":"10.1007/978-3-319-98113-0_4","DOIUrl":"https://doi.org/10.1007/978-3-319-98113-0_4","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131265150","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2018-09-05DOI: 10.1007/978-3-319-98113-0_20
Carsten Baum, I. Damgård, Vadim Lyubashevsky, Sabine Oechsner, Chris Peikert
{"title":"More Efficient Commitments from Structured Lattice Assumptions","authors":"Carsten Baum, I. Damgård, Vadim Lyubashevsky, Sabine Oechsner, Chris Peikert","doi":"10.1007/978-3-319-98113-0_20","DOIUrl":"https://doi.org/10.1007/978-3-319-98113-0_20","url":null,"abstract":"","PeriodicalId":376645,"journal":{"name":"International Conference on Security and Cryptography for Networks","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2018-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122402249","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: