An interesting challenge for the cryptography community is to design
authentication protocols that are so simple that a human can execute them
without relying on a fully trusted computer. We propose several candidate
authentication protocols for a setting in which the human user can only receive
assistance from a semi-trusted computer --- a computer that stores information
and performs computations correctly but does not provide confidentiality. Our
schemes use a semi-trusted computer to store and display public challenges
Ci∈[n]k. The human user memorizes a random secret mapping
σ:[n]→Zd and authenticates by computing responses
f(σ(Ci)) to a sequence of public challenges where
f:Zdk→Zd is a function that is easy for the
human to evaluate. We prove that any statistical adversary needs to sample
m=Ω~(ns(f)) challenge-response pairs to recover σ, for
a security parameter s(f) that depends on two key properties of f. To
obtain our results, we apply the general hypercontractivity theorem to lower
bound the statistical dimension of the distribution over challenge-response
pairs induced by f and σ. Our lower bounds apply to arbitrary
functions f (not just to functions that are easy for a human to evaluate),
and generalize recent results of Feldman et al. As an application, we propose a
family of human computable password functions fk1,k2 in which the user
needs to perform 2k1+2k2+1 primitive operations (e.g., adding two digits or
remembering σ(i)), and we show that s(f)=min{k1+1,(k2+1)/2}.
For these schemes, we prove that forging passwords is equivalent to recovering
the secret mapping. Thus, our human computable password schemes can maintain
strong security guarantees even after an adversary has observed the user login
to many different accounts.Comment: Fixed bug in definition of Q^{f,j} and modified proofs accordingl