{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:12Z","timestamp":1777806072413,"version":"3.51.4"},"reference-count":30,"publisher":"SAGE Publications","issue":"1","license":[{"start":{"date-parts":[[2018,9,10]],"date-time":"2018-09-10T00:00:00Z","timestamp":1536537600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2019,1,11]]},"abstract":"<jats:p>Cryptographic security is usually defined as a guarantee that holds except when a bad event with negligible probability occurs, and nothing is guaranteed in that bad case. However, in settings where such failure can happen with substantial probability, one needs to provide guarantees even for the bad case. A\u00a0typical example is where a (possibly weak) password is used instead of a secure cryptographic key to protect a session, the bad event being that the adversary correctly guesses the password. In a situation with multiple such sessions, a per-session guarantee is desired: any session for which the password has not been guessed remains secure, independently of whether other sessions have been compromised. A\u00a0new formalism for stating such gracefully degrading security guarantees is introduced and applied to analyze the examples of password-based message authentication and password-based encryption. While a natural per-message guarantee is achieved for authentication, the situation of password-based encryption is more delicate: a per-session confidentiality guarantee only holds against attackers for which the distribution of password-guessing effort over the sessions is known in advance. In contrast, for more general attackers without such a restriction, a strong, composable notion of security cannot be achieved.<\/jats:p>","DOI":"10.3233\/jcs-181131","type":"journal-article","created":{"date-parts":[[2018,9,11]],"date-time":"2018-09-11T17:38:30Z","timestamp":1536687510000},"page":"75-111","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":2,"title":["Per-session security: Password-based cryptography revisited"],"prefix":"10.1177","volume":"27","author":[{"given":"Gr\u00e9gory","family":"Demay","sequence":"first","affiliation":[{"name":"Ergon Informatik AG, Z\u00fcrich, Switzerland. E-mail:\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Peter","family":"Ga\u017ei","sequence":"additional","affiliation":[{"name":"IOHK Research, Hong Kong. E-mail:\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ueli","family":"Maurer","sequence":"additional","affiliation":[{"name":"Department of Computer Science, ETH Z\u00fcrich, Z\u00fcrich, Switzerland. E-mail:\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bj\u00f6rn","family":"Tackmann","sequence":"additional","affiliation":[{"name":"IBM Research\u00a0\u2013 Zurich, R\u00fcschlikon, Switzerland. E-mail:\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2018,9,10]]},"reference":[{"key":"ref001","doi-asserted-by":"crossref","unstructured":"M.\u00a0Abadi and B.\u00a0Warinschi, Password-based encryption analyzed, in: ICALP 2005, L.\u00a0Caires, G.F.\u00a0Italiano, L.\u00a0Monteiro, C.\u00a0Palamidessi and M.\u00a0Yung, eds, LNCS, Vol.\u00a03580, Springer, Heidelberg, 2005, pp.\u00a0664\u2013676.","DOI":"10.1007\/11523468_54"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"J.\u00a0Alwen and V.\u00a0Serbinenko, High parallel complexity graphs and memory-hard functions, in: 47th ACM STOC, R.A.\u00a0Servedio and R.\u00a0Rubinfeld, eds, ACM Press, 2015, pp.\u00a0595\u2013603.","DOI":"10.1145\/2746539.2746622"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare, A.\u00a0Desai, E.\u00a0Jokipii and P.\u00a0Rogaway, A\u00a0concrete security treatment of symmetric encryption, in: 38th FOCS, IEEE Computer Society Press, 1997, pp.\u00a0394\u2013403.","DOI":"10.1109\/SFCS.1997.646128"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare and A.\u00a0O\u2019Neill, Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition, in: CANS 13, M.\u00a0Abdalla, C.\u00a0Nita-Rotaru and R.\u00a0Dahab, eds, LNCS, Vol.\u00a08257, Springer, Heidelberg, 2013, pp.\u00a0218\u2013234.","DOI":"10.1007\/978-3-319-02937-5_12"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare, D.\u00a0Pointcheval and P.\u00a0Rogaway, Authenticated key exchange secure against dictionary attacks, in: EUROCRYPT 2000, B.\u00a0Preneel, ed. LNCS, Vol.\u00a01807, Springer, Heidelberg, 2000, pp.\u00a0139\u2013155. doi:10.1007\/3-540-45539-6_11.","DOI":"10.1007\/3-540-45539-6_11"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare, T.\u00a0Ristenpart and S.\u00a0Tessaro, Multi-instance security and its application to password-based cryptography, in: CRYPTO 2012, R.\u00a0Safavi-Naini and R.\u00a0Canetti, eds, LNCS, Vol.\u00a07417, Springer, Heidelberg, 2012, pp.\u00a0312\u2013329. doi:10.1007\/978-3-642-32009-5_19.","DOI":"10.1007\/978-3-642-32009-5_19"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"M.\u00a0Bellare and P.\u00a0Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in: EUROCRYPT 2006, S.\u00a0Vaudenay, ed. LNCS, Vol.\u00a04004, Springer, Heidelberg, 2006, pp.\u00a0409\u2013426. doi:10.1007\/11761679_25.","DOI":"10.1007\/11761679_25"},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"D.\u00a0Boneh, A.\u00a0Sahai and B.\u00a0Waters, Functional encryption: Definitions and challenges, in: TCC 2011, Y.\u00a0Ishai, ed. LNCS, Vol.\u00a06597, Springer, Heidelberg, 2011, pp.\u00a0253\u2013273.","DOI":"10.1007\/978-3-642-19571-6_16"},{"key":"ref009","unstructured":"R.\u00a0Canetti, Universally composable security: A new paradigm for cryptographic protocols, Report 2000\/067, Cryptology ePrint Archive, 2000. http:\/\/eprint.iacr.org\/2000\/067."},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"R.\u00a0Canetti, S.\u00a0Halevi, J.\u00a0Katz, Y.\u00a0Lindell and P.D.\u00a0MacKenzie, Universally composable password-based key exchange, in: EUROCRYPT 2005, R.\u00a0Cramer, ed. LNCS, Vol.\u00a03494, Springer, Heidelberg, 2005, pp.\u00a0404\u2013421. doi:10.1007\/11426639_24.","DOI":"10.1007\/11426639_24"},{"key":"ref011","unstructured":"H.\u00a0Corrigan-Gibbs, D.\u00a0Boneh and S.\u00a0Schechter, Balloon hashing: Provably space-hard hash functions with data-independent access patterns, 2016."},{"key":"ref012","unstructured":"I.\u00a0Damg\u00e5rd, A\u00a0\u201cproof-reading\u201d of some issues in cryptography (invited lecture), in: ICALP 2007, L.\u00a0Arge, C.\u00a0Cachin, T.\u00a0Jurdzinski and A.\u00a0Tarlecki, eds, LNCS, Vol.\u00a04596, Springer, Heidelberg, 2007, pp.\u00a02\u201311."},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"G.\u00a0Demay, P.\u00a0Gazi, U.\u00a0Maurer and B.\u00a0Tackmann, Query-complexity amplification for random oracles, in: ICITS 15, A.\u00a0Lehmann and S.\u00a0Wolf, eds, LNCS, Vol.\u00a09063, Springer, Heidelberg, 2015, pp.\u00a0159\u2013180.","DOI":"10.1007\/978-3-319-17470-9_10"},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"G.\u00a0Demay, P.\u00a0Gazi, U.\u00a0Maurer and B.\u00a0Tackmann, Per-session security: Password-based cryptography revisited, in: ESORICS 2017, Part\u00a0I, S.N.\u00a0Foley, D.\u00a0Gollmann and E.\u00a0Snekkenes, eds, LNCS, Vol.\u00a010492, Springer, Heidelberg, 2017, pp.\u00a0408\u2013426.","DOI":"10.1007\/978-3-319-66402-6_24"},{"key":"ref015","doi-asserted-by":"crossref","unstructured":"R.\u00a0Gennaro and Y.\u00a0Lindell, A\u00a0framework for password-based authenticated key exchange, in: EUROCRYPT 2003, E.\u00a0Biham, ed. LNCS, Vol.\u00a02656, Springer, Heidelberg, 2003, pp.\u00a0524\u2013543, http:\/\/eprint.iacr.org\/2003\/032.ps.gz. doi:10.1007\/3-540-39200-9_33.","DOI":"10.1007\/3-540-39200-9_33"},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"D.\u00a0Hofheinz, C.\u00a0Matt and U.\u00a0Maurer, Idealizing identity-based encryption, in: ASIACRYPT 2015, Part\u00a0I, T.\u00a0Iwata and J.H.\u00a0Cheon, eds, LNCS, Vol.\u00a09452, Springer, Heidelberg, 2015, pp.\u00a0495\u2013520. doi:10.1007\/978-3-662-48797-6_21.","DOI":"10.1007\/978-3-662-48797-6_21"},{"key":"ref017","doi-asserted-by":"crossref","unstructured":"B.S.\u00a0KaliskiJr., PKCS #5: Password-based cryptography specification, RFC 2898, 2000.","DOI":"10.17487\/rfc2898"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"J.\u00a0Katz, R.\u00a0Ostrovsky and M.\u00a0Yung, Efficient password-authenticated key exchange using human-memorable passwords, in: EUROCRYPT 2001, B.\u00a0Pfitzmann, ed. LNCS, Vol.\u00a02045, Springer, Heidelberg, 2001, pp.\u00a0475\u2013494. doi:10.1007\/3-540-44987-6_29.","DOI":"10.1007\/3-540-44987-6_29"},{"key":"ref019","doi-asserted-by":"crossref","unstructured":"C.\u00a0Matt and U.\u00a0Maurer, A\u00a0definitional framework for functional encryption, in: IEEE 28th IEEE CSF, 2015, pp.\u00a0217\u2013231.","DOI":"10.1109\/CSF.2015.22"},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"U.\u00a0Maurer, Constructive cryptography\u00a0\u2013 a new paradigm for security definitions and proofs, in: Theory of Security and Applications, S.\u00a0M\u00f6dersheim and C.\u00a0Palamidessi, eds, LNCS, Vol.\u00a06993, Springer, Berlin, Heidelberg, 2012, pp.\u00a033\u201356. doi:10.1007\/978-3-642-27375-9_3.","DOI":"10.1007\/978-3-642-27375-9_3"},{"key":"ref021","doi-asserted-by":"crossref","unstructured":"U.\u00a0Maurer, Conditional equivalence of random systems and indistinguishability proofs, in: 2013 IEEE International Symposium on Information Theory Proceedings (ISIT), 2013, pp.\u00a03150\u20133154. doi:10.1109\/ISIT.2013.6620806.","DOI":"10.1109\/ISIT.2013.6620806"},{"key":"ref022","unstructured":"U.\u00a0Maurer and R.\u00a0Renner, Abstract cryptography, in: The Second Symposium in Innovations in Computer Science, ICS 2011, B.\u00a0Chazelle, ed. Tsinghua University Press, 2011, pp.\u00a01\u201321."},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"U.M.\u00a0Maurer, Indistinguishability of random systems, in: EUROCRYPT 2002, L.R.\u00a0Knudsen, ed. LNCS, Vol.\u00a02332, Springer, Heidelberg, 2002, pp.\u00a0110\u2013132. doi:10.1007\/3-540-46035-7_8.","DOI":"10.1007\/3-540-46035-7_8"},{"key":"ref024","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359172"},{"key":"ref025","doi-asserted-by":"crossref","unstructured":"J.B.\u00a0Nielsen, Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case, in: CRYPTO 2002, M.\u00a0Yung, ed. LNCS, Vol.\u00a02442, Springer, Heidelberg, 2002, pp.\u00a0111\u2013126. doi:10.1007\/3-540-45708-9_8.","DOI":"10.1007\/3-540-45708-9_8"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2003.819611"},{"key":"ref027","unstructured":"C.\u00a0Percival, Stronger key derivation via sequential memory-hard functions, Self-published (2009), 1\u201316."},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"T.\u00a0Petsas, G.\u00a0Tsirantonakis, E.\u00a0Athanasopoulos and S.\u00a0Ioannidis, Two-factor authentication: Is the world ready? Quantifying 2FA adoption, in: Proceedings of the Eighth European Workshop on System Security, ACM, 2015, p.\u00a04.","DOI":"10.1145\/2751323.2751327"},{"key":"ref029","unstructured":"B.\u00a0Tackmann, A\u00a0theory of secure communication, PhD thesis, ETH Z\u00fcrich, 2014."},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"F.F.\u00a0Yao and Y.L.\u00a0Yin, Design and analysis of password-based key derivation functions, in: CT-RSA 2005, A.\u00a0Menezes, ed. LNCS, Vol.\u00a03376, Springer, Heidelberg, 2005, pp.\u00a0245\u2013261.","DOI":"10.1007\/978-3-540-30574-3_17"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181131","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-181131","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181131","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:16Z","timestamp":1777495516000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-181131"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,9,10]]},"references-count":30,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,1,11]]}},"alternative-id":["10.3233\/JCS-181131"],"URL":"https:\/\/doi.org\/10.3233\/jcs-181131","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,9,10]]}}}