Permutation-Based Hash Chains with Application to Password Hashing

• Published in: IACR Transactions on Symmetric Cryptology Vol. 2024; no. 4; pp. 249 - 286
• Main Authors: Lefevre, Charlotte, Mennink, Bart
• Format: Journal Article
• Language: English
• Published: Ruhr-Universität Bochum 01.01.2024
• Subjects: hash chain; one-time passwords; security model; sponge; T/Key; U/Key
• ISSN: 2519-173X; 2519-173X
• DOI: 10.46586/tosc.v2024.i4.249-286

Hash chain based password systems are a useful way to guarantee authentication with one-time passwords. The core idea dates back to Lamport, and is specified in RFC 1760 as S/Key. At CCS 2017, Kogan et al. introduced T/Key, an improved password system where one-time passwords are only valid for a limited time period. They proved security of their construction in the random oracle model under a basic modeling of the adversary. In this work, we make various advances in the analysis and instantiation of hash chain based password systems. Firstly, we describe a slight abstraction called U/Key that allows for more flexibility in the instantiation and analysis, and we develop a security model that refines the adversarial strength into offline and online complexity, that can be used beyond the random oracle model, and that allows to argue multi-user security directly. Secondly, we derive a new security proof of U/Key in the random oracle model, as well as dedicated and tighter security proofs of U/Key instantiated with a sponge construction and a truncated permutation. These dedicated security proofs, in turn, solve a problem of understanding the preimage resistance of a cascaded evaluation of the sponge construction. When applied to T/Key, these results improve significantly over the earlier results: whereas the originally suggested instantiation using SHA-256 uses a compression function that maps 768 bits into 256 bits, with a truncated permutation construction one can generically achieve 128 bits of security already with a permutation of size 256 bits.