Affiliations: [a] Ergon Informatik AG, Zürich, Switzerland. E-mail: gregory.demay@ergon.ch | [b] IOHK Research, Hong Kong. E-mail: peter.gazi@iohk.io | [c] Department of Computer Science, ETH Zürich, Zürich, Switzerland. E-mail: maurer@inf.ethz.ch | [d] IBM Research – Zurich, Rüschlikon, Switzerland. E-mail: bta@zurich.ibm.com
Correspondence:
[*]
Corresponding author. E-mail: gregory.demay@ergon.ch. Work done while author was at ETH Zürich.
Note: [**] Work done while author was at ETH Zürich and IST Austria.
Note: [***] Work done while author was at ETH Zürich and UC San Diego.
Abstract: Cryptographic security is usually defined as a guarantee that holds except when a bad event with negligible probability occurs, and nothing is guaranteed in that bad case. However, in settings where such failure can happen with substantial probability, one needs to provide guarantees even for the bad case. A typical example is where a (possibly weak) password is used instead of a secure cryptographic key to protect a session, the bad event being that the adversary correctly guesses the password. In a situation with multiple such sessions, a per-session guarantee is desired: any session for which the password has not been guessed remains secure, independently of whether other sessions have been compromised. A new formalism for stating such gracefully degrading security guarantees is introduced and applied to analyze the examples of password-based message authentication and password-based encryption. While a natural per-message guarantee is achieved for authentication, the situation of password-based encryption is more delicate: a per-session confidentiality guarantee only holds against attackers for which the distribution of password-guessing effort over the sessions is known in advance. In contrast, for more general attackers without such a restriction, a strong, composable notion of security cannot be achieved.
Keywords: Password-based encryption, simulation-based security, random oracle
