Privacy-preserving password-based authentication using zero-knowledge proofs

Abstract

Passwords remain fundamental to user authentication, including handheld devices, wearables, personal computers, and network devices. Privacy concerns have led to the development of new password guidelines and alternatives, yet these have not seen widespread adoption among users. Increasing skepticism towards the service providers has made users reluctant to share sensitive information, including passwords. While current security protocols ensure data protection in transit, assurances regarding the security and privacy of data at rest are often assumed without verification. Traditional best practices for password storage involve hashing, which still requires the original password to be shared as plaintext or as a hash. Each of these methods has its vulnerabilities. For instance, an adversary can sniff network packets to capture the original password or the hash value, potentially compromising the authentication system. To address these issues, we propose a framework for password-based authentication using graph isomorphism as a zero-knowledge proof technique. This framework aims to replace conventional authentication methods and enhance password privacy. The results demonstrate the proposed framework's effectiveness in ensuring secure and private password authentication.