Revolutionizing Authentication with Oblivious Cryptography – Dr Adam Everspaugh
Abstract
Current schemes to protect user passwords like bcrypt, scrypt, and iterative hashing are insufficient to resist offline dictionary attacks when password databases are stolen. We present a modern cloud service, called Pythia, which protects passwords using a cryptographically keyed pseudorandom function (PRF). Unlike existing schemes like HMAC, Pythia permits key updates as a response to compromises. Key updates nullify stolen password digests, enable digests to be updated to the new key, and don’t require users to change their passwords. The keystone of Pythia is a new cryptographic construction called a partially-oblivious PRF that provides these new features.
Pythia was originally unveiled at Usenix Security 2015. In 2018, a production implementation of Pythia was created and open sourced via GitHub by Virgil Security. In addition to presenting the Pythia construction and demonstrating its unique security features and performance advantage over the state of the art, we will provide a live demonstration of Virgil Security’s Pythia client tool from installation through protecting and checking passwords.
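Added example, not code from the talk or from Virgil Security's implementation: a toy model of the blind, evaluate, unblind flow and of the key-update token described in the abstract. It uses plain modular exponentiation in Z_p^* rather than Pythia's pairing-based construction, and the group parameters, the `ToyPythiaServer` class and the function names are constructed for illustration only.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy parameters, not Pythia's: arithmetic in Z_p^* with the Mersenne
# prime p = 2^127 - 1 and exponents mod p - 1. Pythia uses a bilinear pairing so the
# tweak can be public while the password is blinded; here the tweak is folded into
# the exponent instead, which models the algebra but not the real security proof.
P = 2**127 - 1
ORDER = P - 1

def to_exponent(data: bytes) -> int:
    """Deterministically hash bytes to an exponent invertible mod ORDER."""
    for ctr in range(1 << 16):
        e = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(2, "big")).digest(), "big") % ORDER
        if e > 1 and math.gcd(e, ORDER) == 1:
            return e
    raise ValueError("no invertible exponent found")  # practically unreachable
def hash_to_group(password: bytes) -> int:  # nonzero element of Z_p^*
    return int.from_bytes(hashlib.sha256(b"pw|" + password).digest(), "big") % ORDER + 1

class ToyPythiaServer:
    """Holds the master secret; sees the tweak (user id) but never the password."""
    def __init__(self):
        self.msk = secrets.token_bytes(32)
    def ensemble_key(self, ensemble: bytes) -> int:  # per-tenant key from the master secret
        return to_exponent(hmac.new(self.msk, ensemble, "sha256").digest())
    def evaluate(self, ensemble: bytes, tweak: bytes, blinded: int) -> int:
        # Partially oblivious: ensemble and tweak arrive in the clear (so the server
        # can rate-limit per user); the password is hidden inside `blinded`.
        return pow(blinded, self.ensemble_key(ensemble) * to_exponent(tweak) % ORDER, P)
    def rotate(self, ensemble: bytes) -> int:
        # Key update: install a new master secret and return delta = k_new / k_old,
        # which re-keys this ensemble's stored digests without any password.
        old = self.ensemble_key(ensemble)
        self.msk = secrets.token_bytes(32)
        return self.ensemble_key(ensemble) * pow(old, -1, ORDER) % ORDER

def protect(server, ensemble: bytes, user: bytes, password: bytes) -> int:
    """Client side: blind the password, query the server, unblind the answer."""
    r = secrets.randbelow(ORDER)
    while r < 2 or math.gcd(r, ORDER) != 1:  # blinding factor must be invertible
        r = secrets.randbelow(ORDER)
    blinded = pow(hash_to_group(password), r, P)
    return pow(server.evaluate(ensemble, user, blinded), pow(r, -1, ORDER), P)
def verify(server, ensemble: bytes, user: bytes, password: bytes, digest: int) -> bool:
    return protect(server, ensemble, user, password) == digest
def update_digest(digest: int, delta: int) -> int:  # re-key a stored digest after rotate()
    return pow(digest, delta, P)
```

After `rotate()`, a digest stolen before the rotation no longer verifies, while digests re-keyed with the returned delta keep working with the user's unchanged password.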
Bio
Dr Adam Everspaugh is a principal engineer and cryptographer for Uptake Technologies, an industrial predictive analytics company in Chicago. He holds a PhD in computer science from the University of Wisconsin where he researched applied cryptography for internet-scale systems.