Paper 2015/006

Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions

Jan Camenisch, Robert R. Enderlein, and Gregory Neven


Protecting user data entails providing authenticated users access to their data. The most prevalent and probably also the most feasible approach to the latter is by username and password. With password breaches through server compromise now reaching billions of affected passwords, distributing the password files and user data over multiple servers is not just a good idea, it is a dearly needed solution to a topical problem. Threshold password-authenticated secret sharing (TPASS) protocols enable users to share secret data among a set of servers so that they can later recover that data using a single password. No coalition of servers up to a certain threshold can learn anything about the data or perform an offline dictionary attack on the password. Several TPASS protocols have appeared in the literature and one is even available commercially. Although designed to tolerate corrupted servers, unfortunately none of these protocols provide details let alone security proofs about the steps that need to be taken when a compromise actually occurs and how to proceed. Indeed, they consider static corruptions only which for instance does not model real world attacks by hackers. We provide the first TPASS protocol that is provably secure against adaptive server corruptions. Moreover, our protocol contains an efficient recovery procedure allowing one to re-initialize servers to recover from corruption. We prove our protocol secure in the universal composability model where servers can be corrupted adaptively at any time; the users' passwords and secrets remain safe as long as both servers are not corrupted at the same time. Our protocol does not require random oracles but does assume that servers have certified public keys.

Note: This is the full version of a paper due to appear at the 18th International Conference on Practice and Theory in Public-Key Cryptography (PKC 2015).

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in PKC 2015
Universal composabilitythreshold cryptographypasswordstransient corruptions
Contact author(s)
eprint @ e7n ch
2016-01-07: last of 2 revisions
2015-01-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jan Camenisch and Robert R.  Enderlein and Gregory Neven},
      title = {Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions},
      howpublished = {Cryptology ePrint Archive, Paper 2015/006},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.