Protecting Passwords with Oblivious Cryptography

Adam Everspaugh

Speaker Bio

Adam Everspaugh is a PhD student at the University of Wisconsin researching cryptography and computer security applications for cloud computing. His research focuses on usable and sophisticated computer security designs. Adam graduates in 2017 and is currently seeking a role as a security and software engineer at a forward-looking technology company.


Current password-protection schemes such as bcrypt, scrypt, and iterative hashing are insufficient to resist attacks when password digests are stolen. We present a modern cloud service, called Pythia, which protects passwords using a cryptographically keyed pseudorandom function (PRF). Unlike existing keyed schemes such as HMAC, Pythia permits key updates as a response to compromises. A key update nullifies stolen password digests, lets stored digests be updated to the new key, and does not require users to change their passwords. The keystone of Pythia is a new cryptographic construction called a partially-oblivious PRF that provides these new features.
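The key-update property described above can be seen in a simplified blinded exponentiation PRF; this is an added example, not code from the talk or from Pythia, and it is not the partially-oblivious construction itself. The modulus, function names, and sample password and salt are assumptions made for this sketch, and the parameters are toy values unsuitable for production.

```python
import hashlib
import math
import secrets

P = 2**255 - 19   # prime modulus; toy parameter chosen for this sketch
ORDER = P - 1     # exponents are reduced modulo the multiplicative group order

def keygen() -> int:
    """Random exponent invertible mod ORDER, so it can be unblinded or rotated."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(k, ORDER) == 1:
            return k

def hash_to_group(password: bytes, salt: bytes) -> int:
    h = hashlib.sha512(len(salt).to_bytes(2, "big") + salt + password).digest()
    return int.from_bytes(h, "big") % (P - 1) + 1   # nonzero element mod P

def client_blind(password: bytes, salt: bytes):
    r = keygen()   # fresh blinding exponent for every request
    return r, pow(hash_to_group(password, salt), r, P)

def server_eval(key: int, blinded: int) -> int:
    return pow(blinded, key, P)   # the service sees only the blinded value

def client_unblind(r: int, evaluated: int) -> int:
    return pow(evaluated, pow(r, -1, ORDER), P)   # yields H(pw)^key

def digest(key: int, password: bytes, salt: bytes) -> int:
    r, blinded = client_blind(password, salt)
    return client_unblind(r, server_eval(key, blinded))

def update_token(old_key: int, new_key: int) -> int:
    return new_key * pow(old_key, -1, ORDER) % ORDER

def apply_update(stored: int, token: int) -> int:
    return pow(stored, token, P)   # H^old -> H^new without the password

if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed sample values
    k_old, k_new = keygen(), keygen()
    stored = digest(k_old, b"constructed-password", salt)
    stored = apply_update(stored, update_token(k_old, k_new))
    print(stored == digest(k_new, b"constructed-password", salt))
```

After rotation, a digest stolen under the old key no longer matches anything the service computes, while the stored record is migrated with the token alone.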