
arxiv: 2509.02578 · v1 · submitted 2025-08-25 · 💻 cs.CR · cs.PF

Secure Password Generator Based on Secure Pseudo-Random Number Generator

Pith reviewed 2026-05-18 20:36 UTC · model grok-4.3

classification 💻 cs.CR cs.PF
keywords secure password generation · pseudo-random number generator · MAC algorithms · HMAC · CMAC · KMAC · NIST SP 800-90B · entropy estimation

The pith

A password generator built from HMAC, CMAC and KMAC as a secure PRNG meets NIST entropy and IID standards.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper describes a password generation method that constructs a cryptographically secure pseudo-random number generator from message authentication code algorithms. It applies HMAC, CMAC and KMAC to produce random values intended for passwords. The generator is evaluated using NIST SP 800-90B procedures that measure entropy and check for independent and identically distributed sequences. Test results show the outputs satisfy both requirements, which the authors present as evidence of sufficient randomness and security for practical password use.

Core claim

The paper claims that a secure pseudo-random number generator implemented with HMAC, CMAC and KMAC algorithms generates password values whose entropy estimates and IID properties satisfy the criteria in NIST SP 800-90B, thereby demonstrating a high degree of randomness and security suitable for protecting accounts against leakage.

What carries the argument

Secure pseudo-random number generator constructed from MAC algorithms (HMAC, CMAC, KMAC) to produce random values for passwords.

Load-bearing premise

The MAC algorithm implementations produce outputs that are cryptographically secure and contain no hidden biases that would cause them to fail NIST statistical tests.

What would settle it

An implementation of the generator whose outputs fail the entropy estimation or IID verification steps in NIST SP 800-90B would disprove the claim that the passwords meet the required randomness standards.

Figures

Figures reproduced from arXiv: 2509.02578 by Abel C. H. Chen.

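Figure 1: The secure password generator based on the KMAC pseudo-random number generator proposed in this study.

When the secure pseudo-random number generator is called, three parameters must be supplied: the key value k, the message value M, and the output length L. For the key value k, the current system time or a user-specified time can be used; because time may be stored on a computer as a long data type (only 64 bits), the hash function can be applied multiple times to produce a key value k that matches the block length. The message value M is a string chosen by the user, which may be a password string the user already knows well. The output length L is nN. With these settings, a secure pseudo-random number consistent with the user-specified content can be produced, and a secure password is generated on that basis.

B. Allowed password character sets and password length. This section first defines the allowed password character sets and then discusses password length and security analysis.

[Diagram labels: Input Key, Input Message, Output Length, Performing Pseudo Random Number Generator (PRNG), A …]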
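Figure 2: Entropy validation.

Table II shows the IID validation results for the pseudo-random number generators, giving the median p-values of the independence test, the goodness-of-fit test, and the length of the longest repeated substring test. The experimental results show that the p-value of every pseudo-random number generator is above the p-value threshold of 0.001 specified in NIST SP 800-90B. Therefore, in the vast majority of cases the outputs are independent and identically distributed.

TABLE II. Median p-values of IID validation

| PRNG | Ind. Test | GF Test | Length of the LRS Test |
| --- | --- | --- | --- |
| LCG-Based | 0.401 | 0.285 | 1.000 |
| HMAC-Based | 0.398 | 0.288 | 1.000 |
| CMAC-Based | 0.391 | 0.310 | 1.000 |
| KMAC-Based | 0.398 | 0.294 | 1.000 |

C. Comparison of password character distributions. This section mainly compares, for the various pseudo-random number generators combined with the method proposed in Section III of this study, the generated password char…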
Figure 3: Computation time comparison of the password generators for allowed password character set 1.

Figure 4: Computation time comparison of the password generators for allowed password character set 2.
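Figure 5: Computation time comparison of the password generators for allowed password character set 3.

E. Summary and discussion. The experimental results in Sections IV.B and IV.C show that all of the pseudo-random number generators can produce sufficiently random numbers and that the password characters follow a uniform distribution. The experimental results in Section IV.D show that the LCG-based pseudo-random number generator has the shortest computation time, followed by the KMAC-based pseudo-random number generator.

It is worth noting that although the experimental results show that the LCG-based pseudo-random number generator can produce sufficiently random numbers with higher efficiency, the linear congruential generator is reversible and will therefore be broken. In addition, because KMAC is built on a hash function and is irreversible, it can provide more secure pseudo-random numbers. It is therefore recommended that the secure password generator based on the KMAC pseudo-random number generator be the main choice in future.

V. Conclusion and future work. This study proposes a secure password generator based on a secure pseudo-random number generator and explores 4 …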
Original abstract

In recent years, numerous incidents involving the leakage of website accounts and text passwords (referred to as passwords) have raised significant concerns regarding the potential exposure of personal information. These events underscore the critical importance of both information security and password protection. While many of these breaches are attributable to vulnerabilities within website infrastructure, the strength and security of the passwords themselves also play a crucial role. Consequently, the creation of secure passwords constitutes a fundamental aspect of enhancing overall system security and protecting personal data. In response to these challenges, this study presents a secure password generation approach utilizing a cryptographically secure Pseudo-Random Number Generator (PRNG). The generator is implemented using a range of Message Authentication Code (MAC) algorithms, including the Keyed-Hash Message Authentication Code (HMAC), Cipher-based Message Authentication Code (CMAC), and KECCAK Message Authentication Code (KMAC), to produce robust random values suitable for password generation. To evaluate the proposed method, empirical assessments were conducted in accordance with the guidelines provided in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-90B. The evaluation focused on two primary aspects: entropy estimation and verification of independent and identically distributed (IID) properties. Experimental results indicate that the proposed method satisfies both entropy and IID requirements, thereby demonstrating its ability to generate passwords with a high degree of randomness and security.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes a secure password generator that constructs a PRNG from MAC algorithms (HMAC, CMAC, KMAC) and evaluates the outputs via NIST SP 800-90B entropy estimation and IID verification, claiming that the results demonstrate high randomness and security suitable for passwords.

Significance. If the construction and evaluation were shown to be sound, the work would offer a practical, standards-based method for generating passwords from established cryptographic primitives. The current presentation, however, provides no quantitative test outcomes or security reduction, limiting its contribution to the literature on secure random generation.

major comments (2)
  1. [Abstract] Abstract: the claim that 'experimental results indicate that the proposed method satisfies both entropy and IID requirements' is unsupported by any reported numerical values, confidence intervals, test parameters (e.g., sample size, min-entropy threshold), or description of the test suite configuration. Without these data it is impossible to assess whether the generator actually meets the claimed properties or whether post-hoc selection occurred.
  2. [Evaluation] Evaluation section: NIST SP 800-90B is intended for non-deterministic entropy sources and does not address the backtracking resistance, prediction resistance, or state-compromise extension properties required of a DRBG under SP 800-90A. The manuscript provides no reduction showing that the MAC-based construction inherits pseudorandomness from the underlying primitives, nor does it test the specific password-byte mapping for algorithmic bias.
minor comments (2)
  1. Clarify the exact procedure for converting MAC output bytes into printable password characters, including the character set and any rejection sampling used to avoid bias.
  2. Specify the concrete implementations, key lengths, and block sizes employed for HMAC, CMAC, and KMAC, and state whether the same key is reused across multiple password generations.
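
An added example (not code from the paper or from this page) of the byte-to-character step the first minor comment asks about: HMAC-SHA256 is expanded in counter mode and the bytes are mapped to the page's character set 2 (letters and digits, q = 62) with rejection sampling, using the page's length rule n = ⌈128 / log2 q⌉. The function names, the 4-byte counter encoding and the caller-supplied key are assumptions of this example.

```python
import hashlib
import hmac
import math
import string

# Character set 2 as defined on the page: lower case, upper case, digits (q = 62).
Q2 = string.ascii_lowercase + string.ascii_uppercase + string.digits


def password_length(q, strength_bits=128):
    """Password length n = ceil(strength_bits / log2 q), the rule behind Table I."""
    return math.ceil(strength_bits / math.log2(q))


def hmac_stream(key, message):
    """Yield the bytes of HMAC-SHA256(key, counter || message), counter = 1, 2, ...

    Counter-mode expansion in the style of NIST SP 800-108. The field layout
    (4-byte big-endian counter, then the message) is an assumption of this
    example; the page does not give the paper's exact encoding.
    """
    counter = 1
    while True:
        data = counter.to_bytes(4, "big") + message
        yield from hmac.new(key, data, hashlib.sha256).digest()
        counter += 1


def generate_password(key, message, charset=Q2, strength_bits=128):
    """Map PRNG bytes to characters, discarding bytes that would cause bias."""
    q = len(charset)
    if not 2 <= q <= 256:
        raise ValueError("charset must contain between 2 and 256 characters")
    n = password_length(q, strength_bits)
    limit = 256 - (256 % q)  # largest multiple of q that fits in one byte
    chars = []
    for b in hmac_stream(key, message):
        if b >= limit:
            continue  # rejection sampling: skip the partial final bucket
        chars.append(charset[b % q])
        if len(chars) == n:
            break
    return "".join(chars)


def preimages_per_char(q, reject):
    """Count how many of the 256 byte values map to each character index."""
    limit = 256 - (256 % q) if reject else 256
    counts = [0] * q
    for b in range(limit):
        counts[b % q] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample inputs; the key is caller-supplied here, not a timestamp.
    key = hashlib.sha256(b"constructed example key").digest()
    print(generate_password(key, b"my familiar passphrase"))
    print("with rejection   :", sorted(set(preimages_per_char(62, True))))
    print("plain b % q      :", sorted(set(preimages_per_char(62, False))))
```

With q = 62, a plain `b % q` mapping gives the first 8 characters 5 byte values each and the rest 4, so those characters appear 25% more often; rejecting bytes at or above 248 leaves exactly 4 byte values per character.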

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive comments on our manuscript. We address each of the major comments below and have made revisions to improve the presentation of our results and clarify the scope of our evaluation.

point-by-point responses
  1. Referee: [Abstract] Abstract: the claim that 'experimental results indicate that the proposed method satisfies both entropy and IID requirements' is unsupported by any reported numerical values, confidence intervals, test parameters (e.g., sample size, min-entropy threshold), or description of the test suite configuration. Without these data it is impossible to assess whether the generator actually meets the claimed properties or whether post-hoc selection occurred.

    Authors: We agree that additional details are necessary to support the claims in the abstract. In the revised manuscript, we have included the specific numerical results from the NIST SP 800-90B tests, including the min-entropy estimates, associated confidence intervals, the sample sizes used, and the exact configuration of the test suite. These updates provide the transparency needed to evaluate the experimental outcomes and address concerns about post-hoc selection. revision: yes

  2. Referee: [Evaluation] Evaluation section: NIST SP 800-90B is intended for non-deterministic entropy sources and does not address the backtracking resistance, prediction resistance, or state-compromise extension properties required of a DRBG under SP 800-90A. The manuscript provides no reduction showing that the MAC-based construction inherits pseudorandomness from the underlying primitives, nor does it test the specific password-byte mapping for algorithmic bias.

    Authors: We acknowledge the distinction between entropy sources and DRBGs. Our construction is a practical method for password generation using MAC algorithms to derive pseudorandom bytes. We have revised the manuscript to clarify that the NIST SP 800-90B tests were applied to evaluate the statistical randomness and entropy of the output sequences, not to certify it as a DRBG. We have added a note on the reliance on the security properties of the MAC primitives (HMAC, CMAC, KMAC) for pseudorandomness. However, we have not included a formal security reduction, as the paper's focus is on implementation and empirical assessment rather than theoretical proofs. We have also performed and reported tests on the byte mapping to confirm lack of bias. A full formal analysis could be considered for future extensions. revision: partial

standing simulated objections not resolved
  • A formal cryptographic security reduction demonstrating that the proposed MAC-based PRNG satisfies the full requirements of a DRBG under SP 800-90A.

Circularity Check

0 steps flagged

No significant circularity; claims rest on external NIST validation and standard MAC primitives

full rationale

The paper implements a password generator by feeding standard MAC algorithms (HMAC, CMAC, KMAC) into a PRNG construction and then subjects the outputs to independent NIST SP 800-90B entropy estimation and IID tests. No equations, fitted parameters, or self-referential definitions appear that would reduce the claimed randomness or security to the inputs by construction. The derivation chain treats the cryptographic security of the underlying MACs as given and relies on externally defined statistical suites rather than any self-citation load-bearing step or ansatz smuggled from prior author work. This is the normal case of a self-contained empirical evaluation.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the unexamined security properties of standard MAC constructions and the adequacy of NIST statistical tests for password-grade randomness. No new entities or fitted constants are introduced in the abstract.

axioms (2)
  • domain assumption MAC algorithms such as HMAC, CMAC, and KMAC produce outputs suitable for cryptographically secure random number generation when used as described.
    This premise underpins the entire construction and is invoked when the paper states the generator is implemented using these algorithms.
  • domain assumption Passing NIST SP 800-90B entropy estimation and IID verification is sufficient evidence of high randomness and security for password use.
    The evaluation section relies on this standard without additional justification or comparison to other randomness measures.


Reference graph

Works this paper leans on

30 extracted references · 30 canonical work pages

  1. [1]

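    (4) Because each message authentication code produced by HMAC is $l_h$ bits long, producing a random number of $L$ bits requires $\lceil L / l_h \rceil$ message authentication codes. To produce $\lceil L / l_h \rceil$ distinct message authentication codes, this study refers to NIST SP 800-108 Rev

    HMAC. The security of HMAC rests mainly on the irreversibility of the hash function; it can be combined with Secure Hash Algorithm-2 (SHA2) [17] and Secure Hash Algorithm-3 (SHA3) [20] to provide message authentication codes. The input variables are the preprocessed key value $k$ (whose bit length equals the hash function block bit length $l_h$) and the message value $M$. These are combined by exclusive-OR ($\oplus$) with the padding values ipad (the bits '00110110' repeated up to the hash function block bit length $l_h$) and opad (the bits '01011100' repeated up to the hash function block bit length $l_h$), a suitable hash function $h$ is chosen, and formula (4) is used to compute the message authentication code 𝑟ℎ𝑚𝑎...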

  2. [2]

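    (7) $c_{i+1} = AES(k, c_i \oplus M'_{i+1})$, where $c_0 = Pad_0(0)$ and $0 \le i < \lceil Length(M) / l_a \rceil$

    CMAC. The security of CMAC rests mainly on the security of the Advanced Encryption Standard; it can be combined with AES-128 and AES-256 [19], using Cipher Block Chaining mode (CBC mode), to provide message authentication codes. The input variables are the preprocessed key value $k$ (whose bit length equals the AES block bit length $l_a$) and the message value $M$, which is split into $\lceil Length(M) / l_a \rceil$ blocks according to the AES block bit length $l_a$ (as shown in formula (7)). Then, following the CBC mode computation, the $i$-th ciphertext block is combined by exclusive-OR ($\oplus$) with the $(i+1)$-th plaintext block, and the AES function is applied with the key value $k$ to obtain the $(i+1)$-th ciphertext block (as shown in formula (8)...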

  3. [3]

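    (11) $r_{kmac}(k, M, L, S) = \mathrm{cSHAKE}(M^*, L, \text{"KMAC"}, S)$

    KMAC. The security of KMAC rests mainly on the irreversibility of the Secure Hash Algorithm KECCAK (SHAKE) hash function [20]. On the basis of SHAKE, the U.S. National Institute of Standards and Technology designed the customizable Secure Hash Algorithm Keccak (cSHAKE). The input variables are the preprocessed key value $k$ (whose bit length equals the hash function block bit length $l_k$), the message value $M$, and the output length $L$. Formula (11) transforms the message value $M$ into $M^*$, which is then passed together with the string $S$ to cSHAKE (as shown in formula (12)) to compute the message authentication code...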

  4. [4]

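    Entropy validation. To validate the entropy of the random numbers, this study follows the validation method described in NIST SP 800-90B [22] and builds a 1000×1000 restart matrix: the random number generator produces 1000 random bit values each time and is restarted 1000 times. The j-th random bit value of the i-th restart is the element in row i, column j of the restart matrix. The numbers of 0s and 1s in each column and each row of the restart matrix are then counted, the highest count is taken as the Most Common Value (MCV), the MCV is converted into the min-entropy (mini_entropy), and a binomial distribution test gives the p-value. The p-value is then checked against the threshold of 0.000005 defined in NIST SP 800-90B [22] to verify whether it is above the threshold.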

  5. [5]

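    Test), the goodness-of-fit test (Goodness-of-fit Test, GF Test), and the length of the longest repeated substring test (Length of the Longest Repeated Substring Test, Length of the LRS Test) [22], described in turn below. (1)

    IID validation. To validate that the random numbers are independent and identically distributed, this study follows the validation method described in NIST SP 800-90B and validates from three aspects: the independence test (Independence Test, Ind. Test), the goodness-of-fit test (Goodness-of-fit Test, GF Test), and the length of the longest repeated substring test (Length of the Longest Repeated Substring Test, Length of the LRS Test) [22], described in turn below. (1) Independence test (Ind. Test): each row of the restart matrix (that is, 1000 random bit values) is split into 10 equal parts of 100 random bit values each, so if 0 and 1 are uniformly distributed the expected value of each is 5...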

  6. [6]

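    Allowed password character sets. The allowed password character set depends mainly on the settings of the online platform, and different platforms may use different allowed character sets, so this study uses the following allowed password character sets for discussion. The sections that follow discuss and compare the different allowed character sets in depth.
    • Allowed password character set 1: lower-case and upper-case English letters only, that is, $Q_1$ = {'a', 'b', …, 'z', 'A', 'B', …, 'Z'}. The size of $Q_1$ is therefore $q_1 = 52$.
    • Allowed password character set 2: $Q_1$ plus digits, that is, $Q_2$ = {$Q_1$, '0', '1', …, '9'}. The size of $Q_2$ is therefore $q_2 = 62$.
    • Allowed password character set 3: $Q_2$ plus special characters, that is, $Q_3$ = {$Q_2$, '~', '!', '@', '#', '$', '%', '^'...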

  7. [7]

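    Password length required for each allowed password character set

    | Allowed password character set | Set size | Password length n |
    | --- | --- | --- |
    | $Q_1$ | $q_1 = 52$ | $\lceil 128 / \log_2 52 \rceil = \lceil 22.45 \rceil = 23$ |
    | $Q_2$ | $q_2 = 62$ | $\lceil 128 / \log_2 62 \rceil = \lceil 21.50 \rceil = 22$ |
    | $Q_3$ | $q_3 = 72$ | $\lceil 128 / \log_2 72 \rceil = \lceil 20.75 \rceil = 21$ |

    IV

    Password length and its security analysis. Taking AES-128 security strength as the target, this section focuses on the suitable password length $n$ for the different allowed password character sets. Because AES-128 is built on 128 bits, each uniformly distributed over 0 and 1, a character drawn from an allowed character set $Q$ of size $q$ carries about $\log_2 q$ bits, so 128 bits require at least $128 / \log_2 q$ characters. The password length corresponding to each allowed character set, relative to AES-128 security strength, is therefore as shown in Table I. For example, even when the set of lower-case letters, upper-case letters, digits and special characters is used (allowed password character set 3), the password must still be at least 21 characters long to be equivalent to AES-128 security strength, and this assumes a uniform distribution. If the password characters are not uniformly distributed, the password may not be secure enough. TABLE I. Allowed password...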

  8. [8]

    Understanding the difference in malicious activity between Surface Web and Dark Web,

    D. A. Bermudez Villalva, "Understanding the difference in malicious activity between Surface Web and Dark Web," Doctoral thesis (Ph.D), UCL (University College London), 2022. [Online]. Available: https://discovery.ucl.ac.uk/id/eprint/10147915

  9. [9]

    Advancing Passwordless Authentication: A Systematic Review of Methods, Challenges, and Future Directions for Secure User Identity,

    M. I. M. Yusop, N. H. Kamarudin, N. H. S. Suhaimi and M. K. Hasan, "Advancing Passwordless Authentication: A Systematic Review of Methods, Challenges, and Future Directions for Secure User Identity," in IEEE Access, vol. 13, pp. 13919-13943, 2025, doi: 10.1109/ACCESS.2025.3528960

  10. [10]

    Understanding User Passwords through Parsing Tree,

    D. Wang, X. Shan, Y. Wu and C. Jia, "Understanding User Passwords through Parsing Tree," in IEEE Transactions on Dependable and Secure Computing, doi: 10.1109/TDSC.2025.3552583

  11. [11]

    An Efficient Privacy-Preserving Scheme for Weak Password Collection in Internet of Things Against Perpetual Leakage,

    C. Jiang, C. Xu, X. Dong, K. Chen and G. Yang, "An Efficient Privacy-Preserving Scheme for Weak Password Collection in Internet of Things Against Perpetual Leakage," in IEEE Transactions on Information Forensics and Security, vol. 20, pp. 1405-1420, 2025, doi: 10.1109/TIFS.2024.3523202

  12. [12]

    A Novel Password Policy Focusing on Altering User Password Selection Habits: A Statistical Analysis on Breached Data,

    E. Y. Güven, A. Boyaci and M. A. Aydin, "A Novel Password Policy Focusing on Altering User Password Selection Habits: A Statistical Analysis on Breached Data," in Computers & Security, vol. 113, article no. 102560, 2022, doi: 10.1016/j.cose.2021.102560

  13. [13]

    Level of Password Vulnerability,

    I. Mannuela, J. Putri, Michael and M. S. Anggreainy, "Level of Password Vulnerability," Proceedings of 2021 1st International Conference on Computer Science and Artificial Intelligence (ICCSAI), Jakarta, Indonesia, 2021, pp. 351-354, doi: 10.1109/ICCSAI53272.2021.9609778

  14. [14]

    ADD 2022: The first audio deep synthesis detection challenge,

    X. He, H. Cheng, J. Xie, P. Wang and K. Liang, "Passtrans: An Improved Password Reuse Model Based on Transformer," Proceedings of ICASSP 2022 - 2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Singapore, Singapore, 2022, pp. 3044-3048, doi: 10.1109/ICASSP43922.2022.9746731

  15. [15]

    OPSEC VS Leaked Credentials: Password reuse in Large-Scale Data Leaks,

    D. G. Uzonyi, N. Pitropakis, S. McKeown and I. Politis, "OPSEC VS Leaked Credentials: Password reuse in Large-Scale Data Leaks," Proceedings of 2023 IEEE 28th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Edinburgh, United Kingdom, 2023, pp. 74-79, doi: 10.1109/CAMAD59638.2023.10478420

  16. [16]

    Data-driven processing using parametric neural network for improved Bluetooth Channel Sounding distance estimation,

    J. Yang, W. Li, H. Cheng and P. Wang, "Targeted Password Guessing Using Neural Language Models," Proceedings of ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Hyderabad, India, 2025, pp. 1-5, doi: 10.1109/ICASSP49660.2025.10888919

  17. [17]

    Data-driven processing using parametric neural network for improved Bluetooth Channel Sounding distance estimation,

    W. Zhang, H. Cheng, M. Zheng, J. Yang and P. Wang, "Adaptive Password Guessing Framework Using Various Datasets," Proceedings of ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Hyderabad, India, 2025, pp. 1-5, doi: 10.1109/ICASSP49660.2025.10888391

  18. [18]

    Dynamic Group Time-Based One-Time Passwords,

    X. Cao et al., "Dynamic Group Time-Based One-Time Passwords," in IEEE Transactions on Information Forensics and Security, vol. 19, pp. 4897-4913, 2024, doi: 10.1109/TIFS.2024.3386350

  19. [19]

    A Novel Verification Scheme to Resist Online Password Guessing Attacks,

    A. Guan and C.-M. Chen, "A Novel Verification Scheme to Resist Online Password Guessing Attacks," in IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 6, pp. 4285-4293, 1 Nov.-Dec. 2022, doi: 10.1109/TDSC.2022.3174576

  20. [20]

    A Secure Two-Factor Authentication Scheme From Password-Protected Hardware Tokens,

    S. Li, C. Xu, Y. Zhang and J. Zhou, "A Secure Two-Factor Authentication Scheme From Password-Protected Hardware Tokens," in IEEE Transactions on Information Forensics and Security, vol. 17, pp. 3525-3538, 2022, doi: 10.1109/TIFS.2022.3209886

  21. [21]

    Hardening Password-Based Credential Databases,

    Y. Song, C. Xu, Y. Zhang and S. Li, "Hardening Password-Based Credential Databases," in IEEE Transactions on Information Forensics and Security, vol. 19, pp. 469-484, 2024, doi: 10.1109/TIFS.2023.3324326

  22. [22]

    A Study on Password Protection and Encryption in the era of Cyber Attacks,

    S. Chakraborty, C. Jackson, M. Frazier and K. Clark, "A Study on Password Protection and Encryption in the era of Cyber Attacks," Proceedings of SoutheastCon 2024, Atlanta, GA, USA, 2024, pp. 460-465, doi: 10.1109/SoutheastCon52093.2024.10500214

  23. [23]

    The Keyed-Hash Message Authentication Code (HMAC),

    National Institute of Standards and Technology, "The Keyed-Hash Message Authentication Code (HMAC)," in Federal Information Processing Standards, FIPS 198-1, pp. 1-7, July 2008, doi: 10.6028/NIST.FIPS.198-1

  24. [24]

    Secure Hash Standard (SHS),

    National Institute of Standards and Technology, "Secure Hash Standard (SHS)," in Federal Information Processing Standards, FIPS 180-4, pp. 1-31, August 2015, doi: 10.6028/NIST.FIPS.180-4

  25. [25]

    Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication,

    M. Dworkin, "Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication," in NIST Special Publications, NIST SP 800-38B, pp. 1-16, May 2005, doi: 10.6028/NIST.SP.800-38B

  26. [26]

    Advanced Encryption Standard (AES),

    National Institute of Standards and Technology, "Advanced Encryption Standard (AES)," in Federal Information Processing Standards, FIPS 197, pp. 1-38, May 2023, doi: 10.6028/NIST.FIPS.197-upd1

  27. [27]

    SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions,

    National Institute of Standards and Technology, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions," in Federal Information Processing Standards, FIPS 202, pp. 1-29, August 2015, doi: 10.6028/NIST.FIPS.202

  28. [28]

    Recommendation for Key Derivation Using Pseudorandom Functions,

    L. Chen, "Recommendation for Key Derivation Using Pseudorandom Functions," in NIST Special Publications, NIST SP 800-108 Rev. 1, pp. 1-26, February 2024, doi: 10.6028/NIST.SP.800-108r1-upd1

  29. [29]

    Recommendation for the Entropy Sources Used for Random Bit Generation,

    M. S. Turan et al., "Recommendation for the Entropy Sources Used for Random Bit Generation," in NIST Special Publications, NIST SP 800-90B, pp. 1-76, January 2018, doi: 10.6028/NIST.SP.800-90B

  30. [30]

    Pseudo Random Number Generator-Based One-Time Signature,

    A. C. H. Chen, "Pseudo Random Number Generator-Based One-Time Signature," Proceedings of 2025 3rd International Conference on Smart Systems for applications in Electrical Sciences (ICSSES), Tumakuru, India, 2025, pp. 1-6, doi: 10.1109/ICSSES64899.2025.11010000