• Publications
  • Influence
SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies
This work identifies three key components of Bit coin's design that can be decoupled, and maps the design space for numerous proposed modifications, providing comparative analyses for alternative consensus mechanisms, currency allocation mechanisms, computational puzzles, and key management tools.
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
  • Joseph Bonneau
  • Computer Science
    IEEE Symposium on Security and Privacy
  • 20 May 2012
It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits ofSecurity against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Bitcoin and Cryptocurrency Technologies - A Comprehensive Introduction
The history and development of Bitcoin and cryptocurrencies are traced, and the conceptual and practical foundations you need to engineer secure software that interacts with the Bitcoin network are given as well as to integrate ideas from Bitcoin into your own projects.
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Verifiable Delay Functions
The requirements for a verifiable delay function (VDF) are formalized and new candidate constructions are presented that are the first to achieve an exponential gap between evaluation and verification time.
The Tangled Web of Password Reuse
This paper investigates for the first time how an attacker can leverage a known password from one site to more easily guess that user's password at other sites and develops the first cross-site password-guessing algorithm, able to guess 30% of transformed passwords within 100 attempts.
CONIKS: Bringing Key Transparency to End Users
CONIKS builds on transparency log proposals for web server certificates but solves several new challenges specific to key verification for end users, and obviates the need for global third-party monitors and enables users to efficiently monitor their own key bindings for consistency.
Cache-Collision Timing Attacks Against AES
The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type.
A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs
It is found that guessing PINs based on the victims’ birthday will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234.
The Password Thicket: Technical and Market Failures in Human Authentication on the Web
The first large-scale empirical analysis of password implementations deployed on the Internet, including 150 websites which offer free user accounts for a variety of purposes, finds a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security.