Paper 2018/976

Distributed Single Password Protocol Framework

Devriş İşler and Alptekin Küpçü


Passwords are the most widely used factor in various areas such as secret sharing, key establishment, and user authentication. Single password protocols are proposed (starting with Belenkiy et. al [4]) to overcome the challenges of traditional password protocols and provide provable security against offline dictionary, man-in-the-middle, phishing, and honeypot attacks. While they ensure provable security, they allow a user securely to use a single \textit{low-entropy human memorable} password for all her accounts. They achieve this with the help of a cloud or mobile storage device. However, an attacker corrupting both the login server and storage can mount an offline dictionary attack on user's single password. In this work, we introduce a framework for distributed single password protocols (DiSPP) that analyzes existing protocols, improves upon them regarding novel constructions and distributed schemes, and allows exploiting alternative cryptographic primitives to obtain secure distributed single password protocols with various trade-offs. Previous single password solutions can be instantiated as part of our framework. We further introduce a secure DiSPP instantiation derived from our framework enforcing the adversary to corrupt several cloud and mobile storage devices in addition to the login server in order to perform a successful offline dictionary attack. We also provide a comparative analysis of different solutions derived from our framework.

Available format(s)
Publication info
Passwordauthenticationoffline dictionary attack.
Contact author(s)
disler15 @ ku edu tr
akupcu @ ku edu tr
2018-10-15: received
Short URL
Creative Commons Attribution


      author = {Devriş İşler and Alptekin Küpçü},
      title = {Distributed Single Password Protocol Framework},
      howpublished = {Cryptology ePrint Archive, Paper 2018/976},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.