
Details of Grant 

EPSRC Reference: EP/V034065/1
Title: Untargeted Attacks in (Password-Based) Cryptography
Principal Investigator: Farshim, Dr P
Other Investigators:
Researcher Co-Investigators:
Project Partners:
Crypto Quantique; University of Washington
Department: Computer Science
Organisation: Durham, University of
Scheme: New Investigator Award
Starts: 01 February 2022
Ends: 02 January 2025
Value (£): 265,225
EPSRC Research Topic Classifications:
Fundamentals of Computing
EPSRC Industrial Sector Classifications:
Information Technologies
Related Grants:
Panel History:
Panel Date  | Panel Name                                  | Outcome
23 Mar 2021 | EPSRC ICT Prioritisation Panel March 2021   | Announced
Summary on Grant Application Form
admin/123456; user/qwerty; root/vizxv; farshim/*********.

Passwords permeate our lives: the security and privacy of many (perhaps all) of our on-line banking, commerce, and communication systems deeply rely on passwords. Yet they are one of the weakest links in securing systems. Storing username/password pairs in plaintext, although convenient, seriously undermines security, as evidenced by frequent leaks. Hashing passwords, i.e., applying a transformation that hides them, can reduce risks while still allowing for authentication. However, "123456" may well be a password chosen by someone, and then compromised.

This proposal will address a current gap in our understanding of password-based cryptography in multi-instance environments where everyone is a target. We will investigate fundamental cryptographic techniques that are used to mitigate some of the risks associated with such environments. The novelty of our approach is that, besides considering system-wide risks, we will consider preprocessing attacks, which can speed up password cracking by orders of magnitude. Our goal will be to show that the cryptanalytic effort needed to compromise users scales up well with the number of users targeted, and according to how "unguessable" system-wide passwords are.

Formulating and studying measures of unguessability will be our starting point. These metrics will be developed with the view of usage in cryptographic contexts. For example, we will ask to what extent hashing of passwords preserves their unguessability. Crucially, we will incorporate appropriate modelling of preprocessing, so that amortised adversarial resources, such as the use of "rainbow tables," are accounted for.

Alongside salting, which is a common practice to "decouple" the security of users, we will consider deeper countermeasures. These include iteration, which slows down the rate of hashing, and modern memory-hard designs, which exploit the uniformity of memory-access speeds across different platforms to thwart hardware-assisted attacks. In addition to unguessability, stronger notions of security that guarantee secure composition in a variety of contexts will be studied. Special attention will be paid to deriving security bounds that are compatible with (real-world) parameters set according to best-known attacks. Alongside this, we will also develop a solid understanding of the foundational cryptographic theory, as multi-instance security enjoys close links with amplification of hardness.

The use of passwords is widespread in the security and ICT industries, and their weakness is well recognised, especially in multi-user scenarios (such as IoT environments). This project will promote the creation of cryptographic standards for password hashing that are rigorously supported by security proofs. The final outcome will be increased confidence in the resilience of our cyberspace.

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
Description
Date Materialised
Sectors submitted by the Researcher
Project URL:  
Further Information:  
Organisation Website: