Human Computable Passwords

An interesting challenge for the cryptography community is to design authentication protocols that are so simple that a human can execute them without relying on a fully trusted computer. We propose several candidate authentication protocols for a setting in which the human user can only receive assistance from a semi-trusted computer --- a computer that stores information and performs computations correctly but does not provide confidentiality. Our schemes use a semi-trusted computer to store and display public challenges $C_i\in[n]^k$. The human user memorizes a random secret mapping $\sigma:[n]\rightarrow\mathbb{Z}_d$ and authenticates by computing responses $f(\sigma(C_i))$ to a sequence of public challenges where $f:\mathbb{Z}_d^k\rightarrow\mathbb{Z}_d$ is a function that is easy for the human to evaluate. We prove that any statistical adversary needs to sample $m=\tilde{\Omega}(n^{s(f)})$ challenge-response pairs to recover $\sigma$, for a security parameter $s(f)$ that depends on two key properties of $f$. To obtain our results, we apply the general hypercontractivity theorem to lower bound the statistical dimension of the distribution over challenge-response pairs induced by $f$ and $\sigma$. Our lower bounds apply to arbitrary functions $f $ (not just to functions that are easy for a human to evaluate), and generalize recent results of Feldman et al. As an application, we propose a family of human computable password functions $f_{k_1,k_2}$ in which the user needs to perform $2k_1+2k_2+1$ primitive operations (e.g., adding two digits or remembering $\sigma(i)$), and we show that $s(f) = \min\{k_1+1, (k_2+1)/2\}$. For these schemes, we prove that forging passwords is equivalent to recovering the secret mapping. Thus, our human computable password schemes can maintain strong security guarantees even after an adversary has observed the user login to many different accounts.

[1]  G. A. Miller THE PSYCHOLOGICAL REVIEW THE MAGICAL NUMBER SEVEN, PLUS OR MINUS TWO: SOME LIMITS ON OUR CAPACITY FOR PROCESSING INFORMATION 1 , 1956 .

[2]  Hilary Putnam,et al.  A Computing Procedure for Quantification Theory , 1960, JACM.

[3]  W. A. Wagenaar Generation of random sequences by human subjects: A critical survey of literature. , 1972 .

[4]  L. Standing Learning 10000 pictures , 1973 .

[5]  L. Standing Learning 10,000 pictures. , 1973, The Quarterly journal of experimental psychology.

[6]  D. Rubin,et al.  Maximum likelihood from incomplete data via the EM - algorithm plus discussions on the paper , 1977 .

[7]  G. Hitch The role of short-term working memory in mental arithmetic , 1978, Cognitive Psychology.

[8]  A. Baddeley Human Memory: Theory and Practice, Revised Edition , 1990 .

[9]  Adrian F. M. Smith,et al.  Sampling-Based Approaches to Calculating Marginal Densities , 1990 .

[10]  E. Gorzelańczyk,et al.  Optimization of repetition spacing in the practice of learning. , 1994, Acta neurobiologiae experimentalis.

[11]  Moni Naor,et al.  Visual Cryptography , 1994, Encyclopedia of Multimedia.

[12]  J. Massey Guessing and entropy , 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.

[13]  Umesh V. Vazirani,et al.  An Introduction to Computational Learning Theory , 1994 .

[14]  Moni Naor,et al.  Visual Authentication and Identification , 1997, CRYPTO.

[15]  Noga Alon,et al.  The Space Complexity of Approximating the Frequency Moments , 1999 .

[16]  S. Boztaş Entropies, Guessing and Cryptography , 1999 .

[17]  Oded Goldreich,et al.  Candidate One-Way Functions Based on Expander Graphs , 2011, Studies in Complexity and Cryptography.

[18]  M. Angela Sasse,et al.  Are Passfaces More Usable Than Passwords? A Field Trial Investigation , 2000, BCS HCI.

[19]  John O. Pliam On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks , 2000, INDOCRYPT.

[20]  Peter Bro Miltersen,et al.  On Pseudorandom Generators in NC , 2001, MFCS.

[21]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[22]  Abe Singer,et al.  No Plaintext Passwords , 2001, login Usenix Mag..

[23]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[24]  Matthew J. B. Robshaw,et al.  An Active Attack Against HB +-A Provably Secure Lightweight Authentication Protocol , 2022 .

[25]  Dan Boneh,et al.  Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[26]  Cynthia Dwork,et al.  Practical privacy: the SuLQ framework , 2005, PODS.

[27]  Julien Bringer,et al.  HB^+^+: a Lightweight Authentication Protocol Secure against Some Attacks , 2006, Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'06).

[28]  Ran Canetti,et al.  Mitigating Dictionary Attacks on Password-Protected Local Storage , 2006, CRYPTO.

[29]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[30]  Thomas Hofmann,et al.  Map-Reduce for Machine Learning on Multicore , 2007 .

[31]  Kamil Kulesza,et al.  Humans cannot consciously generate random numbers sequences: Polemic study. , 2008, Medical hypotheses.

[32]  Lynette Drevin,et al.  An Empirical Assessment of Factors Impeding Effective Password Management , 2008 .

[33]  L. Maanen,et al.  Passing the test: Improving Learning Gains by Balancing Spacing and Testing Effects , 2009 .

[34]  Jonathan Katz,et al.  Parallel and Concurrent Security of the HB and HB+ Protocols , 2006, Journal of Cryptology.

[35]  Lujo Bauer,et al.  Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.

[36]  Robert Biddle,et al.  Graphical passwords: Learning from the first twelve years , 2012, CSUR.

[37]  Blase Ur,et al.  Correct horse battery staple: exploring the usability of system-assigned passphrases , 2012, SOUPS.

[38]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[39]  Manuel Blum,et al.  GOTCHA password hackers! , 2013, AISec.

[40]  Manuel Blum,et al.  Naturally Rehearsing Passwords , 2013, ASIACRYPT.

[41]  Ariel D. Procaccia,et al.  Optimizing password composition policies , 2013, EC.

[42]  Ryan O'Donnell,et al.  Analysis of Boolean Functions , 2014, ArXiv.

[43]  Santosh S. Vempala,et al.  University of Birmingham On the Complexity of Random Satisfiability Problems with Planted Solutions , 2018 .

[44]  Lorrie Faith Cranor,et al.  Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords , 2015, NDSS.

[45]  S. Halevi,et al.  Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits , 2016, SIAM J. Comput..