One mechanism for resisting “replay” attacks in password authentication is to use one-time passwords: a list of passwords is prepared, and once password[N] has been accepted, the server decrements N and prompts for password[N − 1] next time. At N = 0, a new list is needed. Outline a mechanism by which the user and server need only remember one master password mp and have available locally a way to compute password[N] = f (mp, N ).

Hint: Let g be an appropriate one-way function (e.g., MD5) and let password[N] = g^N (mp) = g applied N times to mp. Explain why knowing password[N] does not help reveal password[N − 1].