Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment

Passwords are inherently vulnerable to dictionary attacks, but are quite secure if guessing attempts can beslowed down, for example by an online server. If this server gets compromised, however, the attacker can againperform an offline attack. The obvious remedy is to distribute the password verification process over multipleservers, so that the password remains secure as long as no more than a threshold of the servers are compromised.By letting these servers additionally host shares of a strong secret that the user can recover upon entering the cor-rect password, the user can perform further cryptographic tasks using this strong secret as a key, e.g., encryptingdata in the cloud. Threshold password-authenticated secret sharing (TPASS) protocols provide exactly this func-tionality, but the two only known schemes by Bagherzandi et al. (CCS 2011) and Camenisch et al. (CCS 2012)leak the password if a user mistakenly executes the protocol with malicious servers. Authenticating to the wrongservers is a common scenario when users are tricked in phishing attacks. We propose the first t-out-of-n TPASSprotocol for any n > t that does not suffer from this shortcoming. We prove our protocol secure in the UC frame-work, which for the particular case of password-based protocols offers important advantages over property-baseddefinitions, e.g., by correctly modeling typos in password attempts.