Hardware security without secure hardware: How to decrypt with a password and a server

Hardware security tokens have now been used for several decades to store cryptographic keys. When deployed, the of corresponding schemes fundamentally relies on tamper-resistance – a very strong assumption in practice. Moreover, even secure tokens, which are expensive and cumbersome, can often be subverted. We introduce new primitive called Encryption with Password-protected Assisted Decryption (EPAD schemes), user's decryption key is shared between user device (or token) no made, an online server. The shares human-memorizable password To decrypt ciphertext, launches, from public computer, distributed protocol server, authenticating herself server her (unknown device); such way that secret never reconstructed during interaction. propose model guarantees (1) efficient adversary infer any information about plaintexts, it must know corrupted (secrecy guaranteed if only one two conditions fulfilled), (2) unable ciphertexts they help (even though could together reconstruct key), (3) able verify both performed expected computations. These EPAD password-only model, meaning not required remember trusted key, remains safe she led interact wrong malicious device. then give practical pairixng-based scheme. Our construction provably under standard computational assumptions, using non-interactive proof systems efficiently instantiated i.e., without relying random oracle heuristic.