Paper 2018/977

Threshold Single Password Authentication

Devriş İşler and Alptekin Küpçü


Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider. For the first time, improving these previous works, we provide a more secure generalized solution employing multiple storage providers, where our solution is proven secure against offline dictionary attacks as long as the adversary does not corrupt the login server and threshold-many storage providers. We define ideal and real world indistinguishability for threshold single password authentication (Threshold SPA) schemes, and formally prove security of our solution via ideal-real simulation. Our solution provides security against all the above-mentioned attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks, and requires no change on the server side. Thus, our solution can immediately be deployed via a browser extension (or a mobile application) and support from some storage providers. We further argue that our protocol is efficient and scalable, and provide performance numbers where the user and storage load are only a few milliseconds.

Available format(s)
Publication info
Published elsewhere. MINOR revision.ESORICS Data Privacy Management Workshop, 2017
Password based authenticationthreshold secret sharingdictionary attackphishing
Contact author(s)
disler15 @ ku edu tr
akupcu @ ku edu tr
2018-10-15: received
Short URL
Creative Commons Attribution


      author = {Devriş İşler and Alptekin Küpçü},
      title = {Threshold Single Password Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2018/977},
      year = {2018},
      doi = {10.1007/978-3-319-67816-0_9},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.