Hyper-Encryption and Everlasting Security

Yan Zong Ding,Michael O Rabin

doi:10.1007/3-540-45841-7_1

Yan Zong Ding, Michael O Rabin

https://doi.org/10.1007/3-540-45841-7_1

Copy DOI

Export

Save

Cite

Abstract
Full-Text
Similar Papers

Abstract

Listen

We present substantial extensions of works [1], [2], and all previous works, on encryption in the bounded storage model introduced by Maurer in [25]. The major new result is that the shared secret key employed by the sender Alice andthe receiver Bob can be re-used to send an exponential number of messages, against strong adaptive attacks. This essential step enhances the usability of the encryption method, and also allows strong authentication andnon-malleability described below. We give an encryption scheme that is provably secure against adaptive attacks by a computationally unbounded adversary in the bounded storage model. In the model, a sender Alice and a receiver Bob have access to a public random string α, and share a secret key s. Alice and Bob observe α on the fly, andb y use of s extract bits from which they create a one-time pad X used to encrypt M as C = X⊕M. The size of the secret key s is ∣s∣ = klog2 ∣α∣, where k is a security parameter. An Adversary AD can compute andstore any function A 1(α) = η, subject to the bound on storage ∣η∣ ≤γ. ·∣α∣, γ < 1, and captures C. Even if AD later gets the key s and is computationally unbounded, the encryption is provably secure. Assume that the key s is repeatedly used with successive strings α1, α2, ... to produce encryptions C 1, C 2, ... of messagesM 1,M 2, .... AD computes η1 = A 1(α1), obtains C 1, and gets to see the first message M 1. Using these he computes andstores η2 = A 1(α2, α1, C 1,M 1), and so on. When he has stored ηl andcaptured C l, he gets the key s (but not M l). The main result is that the encryption C l is provably secure against this adaptive attack, where l, the number of time the secret key s is re-used, is exponentially large in the security parameter k. On this we base non-interactive protocols for authentication and non-malleability. Again, the shared secret key used in these protocols can be securely re-usedan exponential number of times against adaptive attacks. The method of proof is stronger than the one in [1], [2], and yields ergodic results of independent interest. We discuss in the Introduction the feasibility of the bounded storage model, and outline a solution. Furthermore, the existence of an encryption scheme with the provable strong security properties presented here, may prompt other implementations of the bounded storage model.

Full Text