Title :
Password Protected Credentials
Author :
Yang, Yanjiang ; Bao, Feng
Author_Institution :
Inst. for Infocomm Res., Singapore, Singapore
Abstract :
Password authentication is a widely used entity authentication means nowadays. In password authentication, the server needs to manage a password file containing all user passwords. This poses a tremendous threat to the safety of the passwords: if the server is compromised, all passwords are immediately disclosed. A common countermeasure to this issue of single point of failure is to deploy multiple servers for secret-sharing of the passwords. In this work, we propose an alternative approach to mitigate this issue, which does not require the deployment of multiple servers. The basic idea of our approach is that the server issues to each user a credential for authentication, and the users protect their credentials using passwords. A crucial feature is that the password-protected credentials do not require secure devices for storage, thus any personal portable device can be used to carry a user's password-protected credential. This arguably retains the portability of passwords. We present a concrete scheme to instantiate our approach, which is shown to be secure against off-line guessing attacks under the DDH assumption.
Keywords :
message authentication; DDH assumption; failure point; multiple server; password authentication; password portability; password protected credential; secret sharing; Authentication; Computers; Protocols; Public key; Servers; authentication credential; guessing attack; password authentication; single point of failure;
Conference_Titel :
Multimedia Information Networking and Security (MINES), 2010 International Conference on
Conference_Location :
Nanjing, Jiangsu
Print_ISBN :
978-1-4244-8626-7
Electronic_ISBN :
978-0-7695-4258-4
DOI :
10.1109/MINES.2010.120