Foundations of Cryptography Lecture 7 - PowerPoint PPT Presentation

Provided by: ronensh


1
Foundations of Cryptography: Lecture 7
  • Lecturer: Danny Harnik

2
Maurer's Bounded Storage Model
  • Most cryptographic tasks are only possible when
    parties are known to be bounded.
  • Mainstream cryptography: assume parties are
    time bounded (run in polynomial time).
  • Maurer's model: assume parties have bounded
    storage.
  • Remark: Bounded Storage ≠ Bounded Space.
  • Measures only the storage capacity at one point
    of the process.

3
The bounded storage model: The setting
  • A long random string R is transmitted.
  • Honest parties store small portions of R.
  • Parties interact.
  • Protocol is secure even against dishonest parties
    which store almost all of R.

[Figure: a long random string R of length N is broadcast; the two honest parties each store √N bits, while the adversary stores ¾N bits (an arbitrary function of R).]
4
Example: Key-Agreement
  • Alice and Bob interact over a public channel
    (with no initial secret key).
  • They want to agree on a secret key.

5
Protocol: Key-Agreement [CM97]
  • A long random string R is transmitted.
  • Alice and Bob store random subsets of size √N.
  • Send position of subsets and agree on content of
    intersection.
  • Next, we show that an eavesdropper which stores
    ¾N bits has a lot of entropy on the key.

[Figure: a long random string R of length N; Alice and Bob each store √N bits and derive the key; the eavesdropper does not know the key.]
6
The view of the adversary
  • Simplifying assumption: the adversary stores a
    subset of the bits of R of size ¾N.
  • The sets chosen by the players are random.
  • The set which defines the key is a random set.
  • The adversary does not remember ¼N bits.

[Figure: the adversary holds ¾N bits of R; of the key's bits, ¾ are known to the adversary and ¼ are unknown. Caption: "From my point of view the key is a high-entropy source!"]
This holds even when the adversary stores an
arbitrary function of R [NZ93].
7
Randomness Extractors [NZ93]
  • Extract randomness from arbitrary distributions
    which contain sufficient (min)-entropy.
  • Use a short seed of truly random bits.
  • Output is (close to) uniform even when the
    adversary knows the seed.
  • Relation to BSM pointed out by [Lu02, Vad03].

[Figure: high-entropy distribution.]
8
Key-Agreement using extractors
  • A long random string R is transmitted.
  • Alice and Bob store random subsets of size √N.
  • Send position of subsets and agree on content of
    intersection.
  • Alice randomly chooses a seed and sends it to
    Bob. Both apply an extractor to obtain the key.

[Figure: a long random string R of length N; Alice and Bob each store √N bits.]
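
The protocol on this slide, simulated end to end as an added example (not part of the original lecture). Assumptions: both parties store 8·√N positions so that the expected intersection is 64 bits, the extractor is a random GF(2) matrix (a 2-universal hash, swapped in because the slides do not fix an extractor), the eavesdropper stores a ¾N-bit subset as in the simplifying assumption of slide 6, and all function names are hypothetical.

```python
import random

def store_subset(R, k, rng):
    """Honest party: choose k random positions and keep only those bits of R."""
    return {i: R[i] for i in rng.sample(range(len(R)), k)}

def raw_key(mine, their_positions):
    """Bits at the positions both parties stored, in sorted position order."""
    common = sorted(set(mine) & set(their_positions))
    return common, [mine[i] for i in common]

def extract(bits, seed_rows):
    """Seeded extractor (assumed construction): each output bit is the GF(2)
    inner product of the raw key with one public seed row."""
    return [sum(b & s for b, s in zip(bits, row)) % 2 for row in seed_rows]

def run_protocol(N=1 << 16, out_len=8, rng_seed=7):
    rng = random.Random(rng_seed)        # simulation only, not a CSPRNG
    R = [rng.getrandbits(1) for _ in range(N)]   # the broadcast string
    k = 8 * int(N ** 0.5)                # c*sqrt(N); expected overlap k*k/N = 64
    alice = store_subset(R, k, rng)
    bob = store_subset(R, k, rng)
    # R is no longer available; the position lists are exchanged in public.
    common, raw_a = raw_key(alice, bob.keys())
    _, raw_b = raw_key(bob, alice.keys())
    # Alice picks the extractor seed and sends it over the public channel.
    seed = [[rng.getrandbits(1) for _ in common] for _ in range(out_len)]
    key_a, key_b = extract(raw_a, seed), extract(raw_b, seed)
    # Eavesdropper modelled as storing a random 3/4*N subset of positions.
    eve = set(rng.sample(range(N), 3 * N // 4))
    unknown = sum(1 for i in common if i not in eve)
    return key_a, key_b, len(common), unknown

if __name__ == "__main__":
    key_a, key_b, n_common, n_unknown = run_protocol()
    print("keys match:", key_a == key_b)
    print("raw key bits:", n_common, "unknown to eavesdropper:", n_unknown)
```

About a quarter of the raw-key bits fall outside what the eavesdropper stored, which is the entropy the extractor condenses into the short output key; the toy output length of 8 bits is chosen to stay below that count.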



9
Further Improvements
  • Instead of random subsets, Alice and Bob remember
    pairwise independent locations.
  • Eavesdropper still has high min-entropy [NZ].
  • Saves communication when finding the intersection
    of both sides.
  • Can further use better samplers to choose these
    locations.
  • Only need to send the seed to the sampler in order to
    agree on the intersection.

10
The Secret Key Setting
  • Seed to sampler is used as the secret key.
  • Alice and Bob only store the bits at the locations
    the sampler chooses.
  • Can use a small set for Alice and Bob.
  • For the eavesdropper this set is a high
    min-entropy source.
  • By applying an extractor, receive a long key that
    is close to uniform from the eavesdropper's point of
    view.
  • Best result so far for a message of length m
    [Vad03]:
      • Alice and Bob store only O(m log 1/ε).
      • Secret key length O(log N log 1/ε).

11
The bounded storage model
  • Practical? Depends on the ratio between the price of
    memory and the speed of broadcast.
  • Most of the research so far focused on:
      • Key agreement [Mau93, CM97].
      • Secret-key encryption [Mau93, CM97, AR99, ADR02, DR02,
        DM02, Lu02, Vad03].
  • Advantages:
      • Clean model.
      • Security does not require unproven assumptions.
      • Everlasting security: the security is guaranteed
        even if at a later stage the adversary gains more
        memory.