Exposure-Resilient Functions and All-or-Nothing Transforms

We study the problem of partial key exposure. Standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret key is compromised. We show how to build cryptographic primitives that remain secure even when an adversary is able to learn almost all of the secret key. The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF) - a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves efficiently solve the partial key exposure problem in the setting where the secret is simply a random value, like in private-key cryptography. They can also be viewed as very secure pseudorandom generators, and have many other applications. To solve the general partial key exposure problem, we use the (generalized) notion of an All-Or-Nothing Transform (AONT), an invertible (randomized) transformation T which, nevertheless, reveals "no information" about x even if almost all the bits of T(x) are known. By applying an AONT to the secret key of any cryptographic system, we obtain security against partial key exposure. To date, the only known security analyses of AONT candidates were made in the random oracle model. We show how to construct ERF's and AONT's with nearly optimal parameters. Our computational constructions are based on any one-way function. We also provide several applications and additional properties concerning these notions.

[1]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[2]  Ran Raz,et al.  Error reduction for extractors , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[3]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[4]  Noam Nisan,et al.  Extracting randomness: how and why. A survey , 1996, Proceedings of Computational Complexity (Formerly Structure in Complexity Theory).

[5]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[6]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[7]  Mihir Bellare,et al.  A Forward-Secure Digital Signature Scheme , 1999, CRYPTO.

[8]  Sang-Uk Shin,et al.  Hash Functions and the MAC Using All-or-Nothing Property , 1999, Public Key Cryptography.

[9]  Oded Goldreich,et al.  The bit extraction problem or t-resilient functions , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[10]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[11]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[12]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[13]  Oded Goldreich,et al.  Foundations of Cryptography (Fragments of a Book) , 1995 .

[14]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[15]  G. R. BLAKLEY Safeguarding cryptographic keys , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[16]  Adi Shamir,et al.  Playing "Hide and Seek" with Stored Keys , 1999, Financial Cryptography.

[17]  Oded Goldreich,et al.  A Note on Computational Indistinguishability , 1990, Inf. Process. Lett..

[18]  Hugo Krawczyk,et al.  Secret Sharing Made Short , 1994, CRYPTO.

[19]  Moni Naor,et al.  Small-Bias Probability Spaces: Efficient Constructions and Applications , 1993, SIAM J. Comput..

[20]  G. R. Blakley,et al.  Safeguarding cryptographic keys , 1899, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[21]  Oded Goldreich,et al.  The Bit Extraction Problem of t-Resilient Functions (Preliminary Version) , 1985, FOCS.

[22]  Luca Trevisan,et al.  Construction of extractors using pseudo-random generators (extended abstract) , 1999, STOC '99.

[23]  T. Scharping Hide-and-seek: China's elusive population data , 2001 .

[24]  Leonid A. Levin,et al.  Pseudo-random generation from one-way functions , 1989, STOC '89.

[25]  Douglas Stinson Some Observations on All-Or-Nothing Transforms , 1998 .

[26]  O. Antoine,et al.  Theory of Error-correcting Codes , 2022 .

[27]  Avi Wigderson,et al.  Tiny Families of Functions with Random Properties: A Quality-Size Trade-off for Hashing , 1997, Electron. Colloquium Comput. Complex..

[28]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[29]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[30]  Douglas R. Stinson,et al.  Something About All or Nothing (Transforms) , 2001, Des. Codes Cryptogr..

[31]  Moni Naor,et al.  Small-bias probability spaces: efficient constructions and applications , 1990, STOC '90.

[32]  Victor Boyko,et al.  On the Security Properties of OAEP as an All-or-Nothing Transform , 1999, CRYPTO.

[33]  Markus Jakobsson,et al.  Scramble All, Encrypt Small , 1999, FSE.

[34]  F. MacWilliams,et al.  The Theory of Error-Correcting Codes , 1977 .

[35]  Aravind Srinivasan,et al.  Computing with very weak random sources , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[36]  Ueli Maurer,et al.  Generalized privacy amplification , 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.