Hyper-Encryption and Everlasting Security

We present substantial extensions of the works [1], [2], and of all previous work, on encryption in the bounded storage model introduced by Maurer in [25]. The major new result is that the shared secret key employed by the sender Alice and the receiver Bob can be re-used to send an exponential number of messages, against strong adaptive attacks. This essential step enhances the usability of the encryption method, and also allows the strong authentication and non-malleability described below.

We give an encryption scheme that is provably secure against adaptive attacks by a computationally unbounded adversary in the bounded storage model. In the model, a sender Alice and a receiver Bob have access to a public random string $\alpha$, and share a secret key $s$. Alice and Bob observe $\alpha$ on the fly, and by use of $s$ extract bits from which they create a one-time pad $X$ used to encrypt $M$ as $C = X \oplus M$. The size of the secret key $s$ is $|s| = k \log_2 |\alpha|$, where $k$ is a security parameter. An adversary AD can compute and store any function $A_1(\alpha) = \eta$, subject to the bound on storage $|\eta| \le \gamma \cdot |\alpha|$, $\gamma < 1$, and captures $C$. Even if AD later gets the key $s$ and is computationally unbounded, the encryption is provably secure. Assume that the key $s$ is repeatedly used with successive strings $\alpha_1, \alpha_2, \ldots$ to produce encryptions $C_1, C_2, \ldots$ of messages $M_1, M_2, \ldots$. AD computes $\eta_1 = A_1(\alpha_1)$, obtains $C_1$, and gets to see the first message $M_1$. Using these he computes and stores $\eta_2 = A_1(\alpha_2, \eta_1, C_1, M_1)$, and so on. When he has stored $\eta_l$ and captured $C_l$, he gets the key $s$ (but not $M_l$). The main result is that the encryption $C_l$ is provably secure against this adaptive attack, where $l$, the number of times the secret key $s$ is re-used, is exponentially large in the security parameter $k$. On this we base non-interactive protocols for authentication and non-malleability. Again, the shared secret key used in these protocols can be securely re-used an exponential number of times against adaptive attacks.

The method of proof is stronger than the one in [1], [2], and yields ergodic results of independent interest. We discuss in the Introduction the feasibility of the bounded storage model, and outline a solution. Furthermore, the existence of an encryption scheme with the provable strong security properties presented here may prompt other implementations of the bounded storage model.
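The following simulation is an added illustration of the bounded storage model as the abstract sets it up; it is not the paper's hyper-encryption scheme and not the authors' code. Everything in it is constructed for the example: the parameters N and K, the pad-extraction rule (pad bit i is the XOR of the k bits of alpha at positions s_j + i mod n), and an adversary A_1 that simply stores the first floor(gamma * |alpha|) bits of alpha. What it does show concretely is the shape of the model: a key of exactly k log2 |alpha| bits, the pad X extracted from alpha, C = X xor M with Bob decrypting by the same map, the same key s re-used across rounds with a fresh alpha_t each time, and which pad bits a gamma-bounded adversary can reconstruct once he is handed s afterwards. It proves nothing: the paper's contribution is a security proof for every admissible A_1 under adaptive re-use, which no simulation of one particular adversary can substitute for.

```python
"""Toy bounded-storage-model simulation (constructed illustration, not the paper's scheme)."""
import math
import random
from typing import Dict, List, Sequence, Tuple

N = 1 << 12   # |alpha| in bits (constructed choice)
K = 16        # security parameter k (constructed choice)


def key_size_bits(n: int = N, k: int = K) -> int:
    """|s| = k * log2 |alpha|: k indices into alpha, each log2 n bits wide."""
    return k * int(math.log2(n))


def gen_key(rng: random.Random, n: int = N, k: int = K) -> Tuple[int, ...]:
    """Secret key s: k uniformly random positions in alpha."""
    return tuple(rng.randrange(n) for _ in range(k))


def random_string(rng: random.Random, n: int = N) -> List[int]:
    """A fresh public random string alpha, one bit per entry."""
    return [rng.getrandbits(1) for _ in range(n)]


def pad_positions(s: Sequence[int], i: int, n: int) -> List[int]:
    """Positions of alpha that pad bit i is read from (constructed rule: s_j + i mod n)."""
    return [(sj + i) % n for sj in s]


def extract_pad(alpha: Sequence[int], s: Sequence[int], m: int) -> List[int]:
    """One-time pad X of m bits: X_i is the XOR of the k sampled bits of alpha."""
    n = len(alpha)
    pad = []
    for i in range(m):
        x = 0
        for p in pad_positions(s, i, n):
            x ^= alpha[p]
        pad.append(x)
    return pad


def encrypt(alpha: Sequence[int], s: Sequence[int], m_bits: Sequence[int]) -> List[int]:
    """C = X xor M. XOR is its own inverse, so decrypt() is the same map."""
    return [x ^ b for x, b in zip(extract_pad(alpha, s, len(m_bits)), m_bits)]


decrypt = encrypt


def bits_from_bytes(data: bytes) -> List[int]:
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def bytes_from_bits(bits: Sequence[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8])))
    return bytes(out)


def adversary_store(alpha: Sequence[int], gamma: float) -> Dict[int, int]:
    """One admissible A_1 (constructed): keep the first floor(gamma*|alpha|) bits
    of alpha and forget the rest. The model allows any function with output of
    this size; a prefix is merely the easiest one to reason about."""
    return {p: alpha[p] for p in range(int(gamma * len(alpha)))}


def pad_bits_determined(stored: Dict[int, int], s: Sequence[int], m: int, n: int) -> List[int]:
    """Pad bits the adversary can reconstruct after learning s: only those whose
    every sampled position landed in storage. Every other pad bit still has at
    least one uniformly random, unstored input and so remains uniform to him."""
    return [i for i in range(m) if all(p in stored for p in pad_positions(s, i, n))]


def simulate_reuse(rng: random.Random, s: Sequence[int], messages: Sequence[bytes],
                   gamma: float) -> List[Tuple[bool, int]]:
    """Re-use one key s over rounds with a fresh alpha_t each; per round return
    (Bob decrypted correctly, number of pad bits AD can reconstruct given s)."""
    results = []
    for msg in messages:
        alpha = random_string(rng)
        m_bits = bits_from_bytes(msg)
        c = encrypt(alpha, s, m_bits)
        stored = adversary_store(alpha, gamma)   # AD's bounded snapshot of alpha_t
        ok = bytes_from_bits(decrypt(alpha, s, c)) == msg
        results.append((ok, len(pad_bits_determined(stored, s, len(m_bits), len(alpha)))))
    return results


def run_demo(seed: int = 7, gamma: float = 0.5) -> Tuple[int, List[Tuple[bool, int]]]:
    rng = random.Random(seed)
    s = gen_key(rng)
    msgs = [b"attack at dawn", b"retreat at noon"]   # constructed sample messages
    return key_size_bits(), simulate_reuse(rng, s, msgs, gamma)


if __name__ == "__main__":
    key_bits, rounds = run_demo()
    print("key bits:", key_bits)
    for t, (ok, leaked) in enumerate(rounds, 1):
        print(f"round {t}: decrypt ok={ok}, pad bits AD can recover={leaked}")
```

With the prefix-storing adversary and gamma = 1/2, a pad bit is recoverable only when all k of its sampled positions fall in the stored half, which happens with probability about 2^-k per bit; with K = 16 that is a few in a hundred thousand. The small hand-checkable cases in the test (n = 16, k = 2) make the mechanism visible: the key (0, 1) with the first half stored leaves pad bits 0 through 6 recoverable, while the key (0, 8) leaves none.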

[1] Tal Rabin et al. Verifiable secret sharing and multiparty protocols with honest majority. STOC '89, 1989.

[2] Ueli Maurer et al. Towards Characterizing When Information-Theoretic Secret Key Agreement Is Possible. ASIACRYPT, 1996.

[3] Ueli Maurer et al. Information-Theoretic Cryptography. CRYPTO, 1999.

[4] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. CRYPTO, 1991.

[5] Moni Naor et al. Nonmalleable Cryptography. SIAM Review, 2000.

[6] Ueli Maurer et al. Unconditionally Secure Key Agreement and the Intrinsic Conditional Information. IEEE Trans. Inf. Theory, 1999.

[7] Richard E. Ladner et al. Probabilistic Game Automata. J. Comput. Syst. Sci., 1986.

[8] Ueli Maurer et al. Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory, 1993.

[9] Ueli Maurer et al. Tight security proofs for the bounded-storage model. STOC '02, 2002.

[10] Noam Nisan et al. Pseudorandom generators for space-bounded computations. STOC '90, 1990.

[11] Ueli Maurer et al. Privacy Amplification Secure Against Active Adversaries. CRYPTO, 1997.

[12] Mihir Bellare et al. Relations among Notions of Security for Public-Key Encryption Schemes. IACR Cryptol. ePrint Arch., 1998.

[13] Ueli Maurer et al. Unconditional Security Against Memory-Bounded Adversaries. CRYPTO, 1997.

[14] Larry Stockmeyer et al. Finite state verifiers II. 1992.

[15] G. S. Vernam et al. Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications. Transactions of the American Institute of Electrical Engineers, 1926.

[16] Ueli Maurer et al. Generalized privacy amplification. Proceedings of 1994 IEEE International Symposium on Information Theory, 1994.

[17] Amit Sahai et al. Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. CRYPTO, 1999.

[18] Michael O. Rabin et al. Transaction Protection by Beacons. J. Comput. Syst. Sci., 1983.

[19] Ueli Maurer. A Unified and Generalized Treatment of Authentication Theory. STACS, 1996.

[20] Alfred Menezes et al. Handbook of Applied Cryptography. 2018.

[21] Amit Sahai et al. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. 40th Annual Symposium on Foundations of Computer Science, 1999.

[22] U. Vazirani. Randomness, adversaries and computation (random polynomial time). 1986.

[23] Jonathan Katz et al. Complete characterization of security notions for probabilistic private-key encryption. STOC '00, 2000.

[24] Anne Condon et al. Space bounded probabilistic game automata. Proceedings, Structure in Complexity Theory Third Annual Conference, 1988.

[25] Eyal Kushilevitz et al. Communication Complexity. Adv. Comput., 1997.

[26] Yan Zong Ding et al. Oblivious Transfer in the Bounded Storage Model. CRYPTO, 2001.

[27] F. MacWilliams et al. Codes which detect deception. 1974.

[28] B. Clifford Neuman et al. Kerberos: An Authentication Service for Open Network Systems. USENIX Winter, 1988.

[29] Uriel Feige et al. On Message Proof Systems with Known Space Verifiers. CRYPTO, 1993.

[30] Yonatan Aumann et al. Information Theoretically Secure Communication in the Limited Storage Space Model. CRYPTO, 1999.

[31] Claude Crépeau et al. Oblivious transfer with a memory-bounded receiver. Proceedings 39th Annual Symposium on Foundations of Computer Science, 1998.

[32] Moni Naor et al. Small-bias probability spaces: efficient constructions and applications. STOC '90, 1990.

[33] Ueli Maurer et al. Information-Theoretic Key Agreement: From Weak to Strong Secrecy for Free. EUROCRYPT, 2000.

[34] Noam Nisan et al. Constant depth circuits, Fourier transform, and learnability. JACM, 1993.

[35] Moni Naor et al. Public-key cryptosystems provably secure against chosen ciphertext attacks. STOC '90, 1990.

[36] Yonatan Aumann et al. Everlasting security in the bounded storage model. IEEE Trans. Inf. Theory, 2002.

[37] Robert G. Gallager et al. Low-density parity-check codes. IRE Trans. Inf. Theory, 1962.

[38] Claude E. Shannon et al. Communication theory of secrecy systems. Bell Syst. Tech. J., 1949.

[39] Moti Yung et al. One-Message Statistical Zero-Knowledge Proofs and Space-Bounded Verifier. ICALP, 1992.

[40] Noam Nisan et al. Randomness is Linear in Space. J. Comput. Syst. Sci., 1996.

[41] Larry Carter et al. New Hash Functions and Their Use in Authentication and Set Equality. J. Comput. Syst. Sci., 1981.

[42] Cynthia Dwork et al. Finite state verifiers II: zero knowledge. JACM, 1992.

[43] Cynthia Dwork et al. Finite state verifiers I: the power of interaction. JACM, 1992.

[44] Joe Kilian et al. Zero-knowledge with log-space verifiers. Proceedings, 29th Annual Symposium on Foundations of Computer Science, 1988.

[45] Ueli Maurer. Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology, 2004.

[46] Ueli Maurer et al. Information-Theoretically Secure Secret-Key Agreement by NOT Authenticated Public Discussion. EUROCRYPT, 1997.

[47] Moni Naor et al. Non-malleable cryptography. STOC '91, 1991.