Universally composable password-hardened encryption

Abdolmaleki, B. orcid.org/0009-0008-8335-2787, Baecker, R. orcid.org/0009-0008-9310-8964, Gerhart, P. orcid.org/0000-0002-0164-0187 et al. (4 more authors) (2025) Universally composable password-hardened encryption. In: Hanaoka, G. and Yang, B.-Y., (eds.) Advances in Cryptology – ASIACRYPT 2025: 31st International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, VIC, Australia, December 8–12, 2025, Proceedings, Part VI. 31st International Conference on the Theory and Application of Cryptology and Information Security, 08-12 Dec 2025, Melbourne, VIC, Australia. Lecture Notes in Computer Science, LNCS 16250. Springer Singapore, pp. 235-267. ISBN: 9789819551187. ISSN: 0302-9743. EISSN: 1611-3349.

Abstract

Password-Hardened Encryption (PHE) protects against offline brute-force attacks by involving an external ratelimiter that enforces rate-limited decryption without learning passwords or keys. Threshold Password-Hardened Encryption (TPHE), introduced by Brost et al. (CCS’20), distributes this trust among multiple ratelimiters. Despite its promise, the security foundations of TPHE remain unclear. We make three contributions:

(1) We uncover a flaw in the proof of Brost et al.’s TPHE scheme, which invalidates its claimed security and leaves the guarantees of existing constructions uncertain;

(2) We provide the first universal composability (UC) formalization of PHE and TPHE, unifying previous fragmented models and supporting key rotation, an essential feature for long-term security and related primitives such as updatable encryption;

(3) We present the first provably secure TPHE scheme, which is both round-optimal and UC-secure, thus composable in real-world settings; and we implement and evaluate our protocol, demonstrating practical efficiency that outperforms prior work in realistic WAN scenarios.

Metadata

Item Type:	Proceedings Paper
Authors/Creators:	Abdolmaleki, B. https://orcid.org/0009-0008-8335-2787 Baecker, R. https://orcid.org/0009-0008-9310-8964 Gerhart, P. https://orcid.org/0000-0002-0164-0187 Graf, M. https://orcid.org/0000-0003-3191-7711 Khalili, M. https://orcid.org/0009-0006-9150-5005 Rausch, D. https://orcid.org/0000-0002-1901-3659 Schröder, D. https://orcid.org/0000-0001-6943-8914
Editors:	Hanaoka, G. Yang, B.-Y.
Copyright, Publisher and Additional Information:	© 2026 The Authors. Except as otherwise noted, this author-accepted version of a conference paper published in Advances in Cryptology – ASIACRYPT 2025: 31st International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, VIC, Australia, December 8–12, 2025, Proceedings, Part VI is made available via the University of Sheffield Research Publications and Copyright Policy under the terms of the Creative Commons Attribution 4.0 International License (CC-BY 4.0), which permits unrestricted use, distribution and reproduction in any medium, provided the original work is properly cited. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/
Keywords:	Information and Computing Sciences; Cybersecurity and Privacy; Generic health relevance
Dates:	Published (online): 7 December 2025 Published: 7 December 2025
Institution:	The University of Sheffield
Academic Units:	The University of Sheffield > Faculty of Engineering (Sheffield) > Department of Computer Science (Sheffield)
Date Deposited:	14 Jan 2026 16:39
Last Modified:	14 Jan 2026 16:39
Status:	Published
Publisher:	Springer Singapore
Series Name:	Lecture Notes in Computer Science
Refereed:	Yes
Identification Number:	10.1007/978-981-95-5119-4_8
Open Archives Initiative ID (OAI ID):	oai:eprints.whiterose.ac.uk:236546

Download

Accepted Version

Filename: 2025-1647.pdf

Licence: CC-BY 4.0

CLICK TO DOWNLOAD

CORE (COnnecting REpositories)

Universally composable password-hardened encryption

Abstract

Metadata

Download

Accepted Version

Export

Statistics