Two CySec Papers Accepted for Presentation at ASIACRYPT 2025

International research teams including Dominique Schröder will present two papers at ASIACRYPT 2025, highlighting advances in password-hardened cryptography and its security foundations.

Password-Hardened Encryption Revisited by Ruben Baecker (Friedrich-Alexander-Universität Erlangen-Nürnberg), Paul Gerhart (TU Wien), and Dominique Schröder (CySec, TU Wien) re-examines password-hardened encryption in today’s password-centric landscape and identifies a critical weakness in the original design that enables offline brute-force attacks—the very threat this line of work seeks to prevent. The weakness arises from an idealized security model that overlooks real-world interactions, particularly key rotation. The authors demonstrate practical exploitability by recovering passwords in seconds from a commercially used, open-source implementation, and they introduce a new, efficient construction with a refined, realistic security model, prove security for the design, and report robust performance.

Universally Composable Password-Hardened Encryption by Behzad Abdolmaleki (University of Sheffield), Ruben Baecker (Friedrich-Alexander-Universität Erlangen-Nürnberg), Paul Gerhart (TU Wien), Mike Graf (University of Stuttgart), Mojtaba Khalili (Isfahan University of Technology), Daniel Rausch (University of Stuttgart), and Dominique Schröder (TU Wien, CySec) provides a rigorous basis for this approach and for a threshold, multi-party design in which several independent servers share the rate-limiting role. The work uncovers a flaw in a prior security proof, provides the first Universal Composability (UC) formalization with support for key rotation and related primitives such as updatable encryption, and presents a round-optimal, UC-secure protocol. An implementation and evaluation demonstrate practical efficiency that outperforms previous approaches under realistic network conditions.