PRISM: Threshold Oblivious Pseudorandom Authentication | Cyber Immunity Whitepaper

Overview

PRISM is a Threshold Oblivious Pseudorandom Function (TOPRF) that replaces stored password hashes with a distributed, zero-knowledge, live computation. The password verification function cannot be constructed without real-time interaction with a threshold of independently operated nodes - eliminating the entire attack class of offline brute-force against exfiltrated credential stores.

The construction extends the OPRF primitive formalized in RFC 9497 into a threshold setting across the ORK network. The formal analysis is published in "Towards Zero Trust Authentication in Critical Industrial Infrastructures with PRISM" (Springer, CIMSS2023).

PRISM operates as one of two parallel sub-protocols within the CMK Authentication Ceremony (Protocol: CMK Authentication). Both share the same two API round-trips. This document specifies PRISM in isolation; the ceremony orchestration is described separately.

Loading diagram...

Preconditions

Established during user registration (Protocol: Account Creation / KeyGen).

Per-ORK stored state:

$s_i$ - Shamir shard of joint PRISM secret $s$ . Reconstruction requires $t$ shards; individual shards reveal nothing about the password.
$v_i = H(\mathit{mSecORK}_i \cdot (G \cdot H(Y \cdot s)))$ - PRISM verifier, derived from both the ORK's private key and the correct password-PRISM product. Unique per ORK. Rotates on password change. One compromised verifier is useless without the distributed PRISM product.
$\mathit{aesKey}_i$ - ORK's symmetric key (for self-sealing challenges).
$\mathit{mSecORK}_i$ , $\mathit{mgORK}_i$ - ORK's long-term key pair.

ORK isolation property: ORKs store no metadata about which vendors a user is associated with or how many. The PRISM shards carry no semantic information about their purpose.

Actors & Trust Assumptions

Actor	Role	Trust Assumption
Secure Web Enclave	User's browser-side cryptographic agent. Generates $j$ , sends obfuscated password, performs interpolation and challenge decryption.	Potentially adversarial. An adversary using a malicious SWE learns meaningless $Y \cdot s$ (wrong PRISM product) but not $s$ or any individual $s_i$ . Cannot offline attack passwords remotely. Honest user using a malicious SWE can get password phished - SRI is the mitigation for that.
CMK ORK Swarm (20 nodes)	Each applies its shard $s_i$ to the obfuscated input. Constructs and verifies challenges.	Malicious ORK learns $X$ (obfuscated password point) but not Y. Can't offline attack $Y$ . Up to 13 may be safely malicious/colluding. Each operated independently.
Settlement Layer	Funds each ORK call via one-time voucher.	Provides auxiliary deobfuscation values ( $Y_{\text{tag}}$ , $q_{\text{Pub}}$ , $u_{\text{DeObf}}$ ).

Protocol Flow

Convert: SWE → All $n$ ORKs

Loading diagram...

The ORK learns nothing about

Y

- it applies

s_i

to the already-obfuscated point

X

. The result

X'_i = Y \cdot j \cdot s_i

is doubly obscured by

j

(SWE) and

s_i

(this ORK).

The challenge has three nested encryption layers, each serving a distinct security function:

text

┌──────────────────────────────────────────────────────────┐
│  OUTER: AES under v_i (PRISM verifier)                   │
│  Only the correct password holder can strip this layer   │
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │  MIDDLE: AES under DH(mSecORK_i, U)                │  │
│  │  Binds to this browser session                     │  │
│  │                                                    │  │
│  │  ┌──────────────────────────────────────────────┐  │  │
│  │  │  INNER: AES under aesKey_i                   │  │  │
│  │  │  Self-sealed - only this ORK can reopen      │  │  │
│  │  │                                              │  │  │
│  │  │  uid, purpose, t_i, ext_i, U                 │  │  │
│  │  └──────────────────────────────────────────────┘  │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  t_i, ext_i (timing metadata)                            │
└──────────────────────────────────────────────────────────┘

The expiry window

\mathit{ext}_i

is randomized per-ORK: 1-3 hours if remember-me is set, 30-90 seconds otherwise.

SWE Processing: Threshold Reconstruction

The SWE waits up to 1 second for all

n

or 5 seconds for the first

t

responses, recording participating ORKs in a bitwise array.

The SWE learns

Y \cdot s

but not any individual

s_i

. No ORK learned

Y

. The obfuscator

j

is cleanly removed. If the password was wrong, the derived value is incorrect and all subsequent steps fail.

SWE Processing: Verifier Derivation and Challenge Decryption

Algorithm 2: Verifier Derivation and Challenge Decryption

Input:

Y \cdot s

(from Algorithm 1);

\{\mathit{mgORK}_i\}_{i=1}^{n}

;

\{\mathit{encRequest}_i\}_{i \in S}

; session private key

u

Output:

\{\mathit{selfRequest}_i\}_{i \in S}

; timing parameters

\{t_i, \mathit{ext}_i\}_{i \in S}

for $i = 1$ to $n$ do (all ORKs, not just respondents)
- $v'_i \leftarrow H(\textsf{DH}(\mathit{mgORK}_i, G \cdot H(Y \cdot s)))$
for each $i \in S$ do
- $\mathit{prkRequest}_i, t_i, \mathit{ext}_i \leftarrow \textsf{AES\_DEC}_{v'_i}(\mathit{encRequest}_i)$ - Strip outer layer
- $\mathit{selfRequest}_i \leftarrow \textsf{AES\_DEC}_{\textsf{DH}(\mathit{mgORK}_i, u)}(\mathit{prkRequest}_i)$ - Strip middle layer
return $\{\mathit{selfRequest}_i\}, \{t_i, \mathit{ext}_i\}$

By ECDH commutativity:

\textsf{DH}(\mathit{mgORK}_i, G \cdot H(Y \cdot s)) = \mathit{mSecORK}_i \cdot (G \cdot H(Y \cdot s))

, so

v'_i = v_i

when the password is correct. If the password was wrong,

v'_i \neq v_i

, the outer-layer decryption produces garbage, and all subsequent layers fail. The SWE cannot distinguish a wrong password from a corrupted response.

The inner layer (self-sealed under

\mathit{aesKey}_i

) remains opaque to the SWE - only the originating ORK can open it.

Authenticate: SWE → $I$ Participating ORKs

Loading diagram...

Each ORK retrieves and destroys its cache entry indexed by

U

, then decrypts the self-sealed capsule and verifies uid, session binding, and expiry. A wrong password means the SWE could never have correctly decrypted layers to recover the authentic

\mathit{selfRequest}_i

, so the ORK's verification fails.

Algorithms

Algorithm 4: ORK Triple-Encrypted Challenge Construction (per-ORK )

Input:

\mathit{uid}

U

(session public key),

\mathit{mSecORK}_i

\mathit{aesKey}_i

v_i

\mathit{rememberMe}

Output:

\mathit{encRequest}_i

$t_i \leftarrow \textsf{timestamp}()$
$\mathit{ext}_i \leftarrow \textsf{randBetween}(60, 180 \text{ min})$ if $\mathit{rememberMe}$ , else $\textsf{randBetween}(0.5, 1.5 \text{ min})$
$\mathit{AuthRequest} \leftarrow \{\mathit{uid}, \text{``auth''}, t_i + \mathit{ext}_i, U\}$
$\mathit{selfReq}_i \leftarrow \textsf{AES\_ENC}_{\mathit{aesKey}_i}(\mathit{AuthRequest})$ - Inner: self-sealed
$\mathit{prkReq}_i \leftarrow \textsf{AES\_ENC}_{\textsf{DH}(\mathit{mSecORK}_i, U)}(\mathit{selfReq}_i)$ - Middle: session-bound
$\mathit{encRequest}_i \leftarrow \textsf{AES\_ENC}_{v_i}(\mathit{prkReq}_i \| t_i \| \mathit{ext}_i)$ - Outer: password-gated
Create cache entry indexed by $U$ : store $\mathit{uid}$ , $\textsf{DH}(\mathit{mSecORK}_i, U)$
return $\mathit{encRequest}_i$

Notation Reference

Symbol	Description
$G$	Generator point on Curve25519
$A \cdot b$	Scalar-point multiplication (point $A$ , scalar $b$ )
$H(\cdot)$	SHA-256 unless stated otherwise
$\textsf{H2P}(\cdot)$	Hash-to-point via Elligator 2 on Curve25519
$\textsf{DH}(a, B)$	Diffie-Hellman: $B \cdot a$
$\textsf{AES\_ENC}(a, b)$	AES256 encryption of b with key $a$ (IV is omitted for simplicity)
$\textsf{AES\_DEC}(a, b)$	AES256 decryption of b with key $a$
$w$	User's password
$Y$	Password-derived curve point: $Y \leftarrow \textsf{H2P}(H(w))$
$\mathit{uid}$	User identifier: $H(\text{username})$
$s$ , $s_i$	Joint PRISM secret , ORK $i$ 's PRISM shard
$j$	Random obfuscator scalar (SWE-generated)
$X$	Obfuscated password point: $Y \cdot j$
$\mathit{mSecORK}_i$	ORK $i$ 's long-term private key
$\mathit{mgORK}_i$	ORK $i$ 's long-term public key: $G \cdot \mathit{mSecORK}_i$
$\mathit{aesKey}_i$	ORK $i$ 's symmetric key
$v_i$	Per-ORK PRISM verifier: $H(\mathit{mSecORK}_i \cdot (G \cdot H(Y \cdot s)))$
$U$ , $u$	Network session public/private key (non-extractable via WebCrypto)
$n$	Total ORKs in swarm (currently 20)
$t$	Threshold (currently 14)
$I$	Number of responding ORKs ( $t \le I \le n$ )
$L_i$	Lagrange coefficient for ORK $i$

Layer Traversal

Layer	How PRISM Engages It
Legitimacy	Voucher validates each Convert call. ECDH between $U$ and $\mathit{mgORK}_i$ qualifies the channel.
Authority	Each ORK retrieves its PRISM shard $s_i$ - undifferentiated key material, agnostic to purpose.
Agency	The TOPRF evaluation ( $X \cdot s_i$ ) and challenge construction are the purpose-specific operations.
Settlement	Voucher funds participation. Returns auxiliary values ( $Y_{\text{tag}}$ , $q_{\text{Pub}}$ , $u_{\text{DeObf}}$ ) used by the parallel CMK sub-protocol.

Security Properties

Property	Mechanism	Assumption
Password never leaves browser	$Y$ obfuscated by $j$ before transmission; ORKs see only $X = Y \cdot j$	Obfuscator cryptographically random
No party learns the password	PRISM: ORKs apply $s_i$ to obfuscated point; SWE reconstructs $Y \cdot s$ but not individual $s_i$ ; ORKs never see $Y$	Threshold ( $< t$ compromised). PRISM security
$H2P$ prevents SWE offline attack	SWE reconstructs $Y \cdot s$ but because $\textsf{H2P(password)} \gets G \cdot ?$ and the SWE doesn't know $s$ , offline attack can't be performed	DLP security
Per-ORK verifiers prevent offline attack	Each $v_i$ bound to ORK $i$ 's private key; rotates on password change; one compromised ORK yields one verifier useless without the PRISM product	DLP hardness on Curve25519. Threshold assumption
Offline brute-force inapplicable	Verification function is emergent property of live threshold interaction; cannot be replicated offline; each guess requires network round-trip to $\ge t$ nodes	Network rate limiting. Threshold assumption
Wrong password indistinguishable	Outer-layer decryption fails silently; SWE cannot determine which layer failed	AES ciphertext indistinguishability
Replay resistance	Cache entry indexed by $U$ destroyed on use; challenge triple-encrypted and time-bounded	ORK correctly destroys entries
Session binding	Middle layer encrypted under $\textsf{DH}(\mathit{mSecORK}_i, U)$ ; $u$ is non-extractable via WebCrypto	WebCrypto API integrity
Mutual password proof	SWE proves knowledge by decrypting challenges; ORKs confirm by verifying self-sealed capsule	Challenge construction integrity
14-of-20 fault tolerance	Any $t$ ORKs suffice for PRISM reconstruction	-
13-of-20 security tolerance	Up to $n - t$ ORKs may be actively malicious	Threshold assumption

Call Summary

Call	Direction	Payload (PRISM component)	State Change
Convert	SWE → all $n$ ORKs	Send: $\mathit{uid}$ , $X$ , $U$ , voucher. Receive: $X'_i$ , $\mathit{encRequest}_i$	ORK creates cache entry indexed by $U$
Authenticate	SWE → $I$ participating ORKs	Send: $\mathit{selfRequest}_i$ . Receive: ack or fail	ORK destroys cache entry

Between calls, the SWE performs all interpolation, verifier derivation, and challenge decryption client-side.

References

Wang, F., Hertzog, Y., et al. (2023). Towards Zero Trust Authentication in Critical Industrial Infrastructures with PRISM. ACNS 2023 Workshops, LNCS 13907. Springer, Cham.
RFC 9497 - Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups. IETF, 2023.
Tide Developer Documentation: docs.tidecloak.com

Overview

Preconditions

Actors & Trust Assumptions

Protocol Flow

Convert: SWE → All nn ORKs

SWE Processing: Threshold Reconstruction

SWE Processing: Verifier Derivation and Challenge Decryption

Authenticate: SWE → II Participating ORKs

Algorithms

Notation Reference

Layer Traversal

Security Properties

Call Summary

References

Convert: SWE → All $n$ ORKs

Authenticate: SWE → $I$ Participating ORKs