Exposure-resilient cryptography

We develop the notion of Exposure-Resilient Cryptography. Standard cryptographic definitions and constructions guarantee no security once even a tiny fraction of the secret entity (e.g., a cryptographic key) is compromised. The objective of Exposure-Resilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in it. The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF): a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERFs by themselves efficiently solve the partial exposure of secrets in the setting where the secret is simply a random value, as in private-key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applications.

To solve the general partial-exposure problem, we use the (generalized) notion of an All-Or-Nothing Transform (AONT), introduced by Rivest [17] and refined by Boyko [24]: an invertible (randomized) transformation T which nevertheless reveals "no information" about x even if almost all the bits of T(x) are known. By applying an AONT to the secret entity (of arbitrary structure), we obtain security against almost total exposure of secrets. AONTs also have many other diverse applications in the design of block ciphers, secret sharing and secure communication. To date, however, the only known analyses of AONT candidates were made in the random oracle model (by Boyko [24]). In this thesis we construct ERFs and AONTs with nearly optimal parameters in the standard model (without random oracles), in the perfect, statistical and computational settings (the latter based only on one-way functions). We also show the close relationship between, and examine many additional properties of, what we hope will become important cryptographic primitives: Exposure-Resilient Functions and All-Or-Nothing Transforms.

(Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
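As an added worked example (not code from the thesis or from any of the papers it cites), the following Python builds a perfect ERF in the perfect setting described above using the bit-extraction construction of Chor et al. [29]: f(x) = Mx over GF(2), where M is the generator matrix of a binary linear code with minimum distance d, which makes f resilient to the exposure of any d - 1 input bits. It then applies the ERF-to-AONT step T(x) = (r, f(r) XOR x) from [13] and checks both properties exhaustively, including the point at which the exposure bound is exceeded. The choice of the [7,3,4] simplex code, the bit-packing conventions and the sample message and randomness values are assumptions made for this example only.

```python
"""Added worked example (not code from the thesis or its references).

Perfect ERF from a binary linear code, after Chor et al. [29]: f(x) = M x over
GF(2) with M the k x n generator matrix of a code of minimum distance d.  Any
n - d + 1 columns of M have rank k, so the k output bits stay uniform when an
adversary learns any d - 1 input bits.  The ERF -> AONT step
T(x) = (r, f(r) XOR x) is the one from [13].

Assumed parameters: the [7,3,4] simplex code (columns of M = all non-zero
vectors of GF(2)^3), so n = 7, k = 3, d = 4.
"""
from itertools import combinations, product
import secrets

N, K, D = 7, 3, 4
M_COLS = list(range(1, 2 ** K))   # column i of M as a 3-bit int: 1..7
ELL = N - D + 1                   # 4 input bits must remain unknown ...
T_MAX = D - 1                     # ... i.e. at most 3 may be revealed


def erf(x):
    """f(x) = M x over GF(2).  Bit i of x selects column i; output has K bits."""
    out = 0
    for i, col in enumerate(M_COLS):
        if (x >> i) & 1:
            out ^= col
    return out


def _pack(positions, values):
    """Place the given bit values at the given bit positions of an N-bit int."""
    return sum(b << p for b, p in zip(values, positions))


def output_histogram(fn, known_positions, known_bits):
    """Distribution of fn(x) over every N-bit x consistent with the revealed bits."""
    unknown = [i for i in range(N) if i not in known_positions]
    base = _pack(known_positions, known_bits)
    hist = {}
    for free in product((0, 1), repeat=len(unknown)):
        y = fn(base | _pack(unknown, free))
        hist[y] = hist.get(y, 0) + 1
    return hist


def is_uniform_given(known_positions):
    """Perfect ERF condition: f(x) exactly uniform on {0,1}^K for EVERY
    fixing of the input bits at known_positions."""
    for fixed in product((0, 1), repeat=len(known_positions)):
        hist = output_histogram(erf, known_positions, fixed)
        if len(hist) != 2 ** K or len(set(hist.values())) != 1:
            return False
    return True


def max_revealed_bits():
    """Largest t such that f survives the exposure of ANY t input bits."""
    t = 0
    while t < N and all(is_uniform_given(S)
                        for S in combinations(range(N), t + 1)):
        t += 1
    return t


def aont_encode(x, r=None):
    """T(x) = (r, f(r) XOR x) for a K-bit message x: r is the N-bit secret
    part, f(r) XOR x the K-bit public part (which may be fully exposed)."""
    if r is None:
        r = secrets.randbelow(2 ** N)
    return r, erf(r) ^ x


def aont_decode(r, c):
    """Inverse of aont_encode; needs the entire secret part r."""
    return erf(r) ^ c


def adversary_view(c, r_known_positions, r_known_bits):
    """Messages x (with multiplicities) consistent with seeing all of the
    public part c plus the given bits of r.  A flat histogram over all
    2**K messages means x is perfectly hidden."""
    return output_histogram(lambda r: erf(r) ^ c, r_known_positions, r_known_bits)


if __name__ == "__main__":
    print("ERF tolerates", max_revealed_bits(), "revealed input bits of", N)
    r, c = aont_encode(0b101, r=0b1011001)         # constructed sample values
    print("decoded:", bin(aont_decode(r, c)))
    print("3 bits of r leaked:", adversary_view(c, (0, 1, 2), (1, 0, 0)))
    print("4 bits of r leaked:", adversary_view(c, (3, 4, 5, 6), (1, 1, 0, 1)))
```

Two things the exhaustive check makes visible. First, the bound is tight: with three bits of the secret part exposed, every one of the eight messages is equally consistent with the adversary's view, but with four bits exposed there are subsets (three columns of M of the form a, b, a+b) for which only four messages remain, so an ERF must be sized for the worst-case exposure, not the average. Second, perfect security is paid for in length: this ERF has rate k/n = 3/7, and the AONT needs an n-bit secret part to protect a k-bit message, which is exactly the overhead the thesis's statistical and computational constructions reduce.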

[2] Anand Desai. The Security of All-or-Nothing Encryption: Protecting against Exhaustive Key Search, 2000, CRYPTO.

[3] Avi Wigderson et al. Tiny Families of Functions with Random Properties: A Quality-Size Trade-off for Hashing, 1997, Electron. Colloquium Comput. Complex.

[4] Umesh V. Vazirani. Towards a strong communication complexity theory or generating quasi-random sequences from two communicating slightly-random sources, 1985, STOC '85.

[5] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[6] Noam Nisan et al. Extracting randomness: how and why. A survey, 1996, Proceedings of Computational Complexity (Formerly Structure in Complexity Theory).

[7] Aravind Srinivasan et al. Computing with very weak random sources, 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[8] Joel Friedman et al. On the bit extraction problem, 1992, Proceedings 33rd Annual Symposium on Foundations of Computer Science.

[9] Paul C. van Oorschot et al. Authentication and authenticated key exchanges, 1992, Des. Codes Cryptogr.

[10] Larry Carter et al. Universal Classes of Hash Functions, 1979, J. Comput. Syst. Sci.

[11] Kaoru Kurosawa et al. Almost k-Wise Independent Sample Spaces and Their Cryptologic Applications, 2001, Journal of Cryptology.

[12] Douglas R. Stinson et al. Orthogonal Arrays, Resilient Functions, Error-Correcting Codes, and Linear Programming Bounds, 1996, SIAM J. Discret. Math.

[13] Eyal Kushilevitz et al. Exposure-Resilient Functions and All-or-Nothing Transforms, 2000, EUROCRYPT.

[14] F. MacWilliams et al. The Theory of Error-Correcting Codes, 1977.

[15] Sang-Uk Shin et al. Hash Functions and the MAC Using All-or-Nothing Property, 1999, Public Key Cryptography.

[16] Mihir Bellare et al. Optimal Asymmetric Encryption, 1994, EUROCRYPT.

[17] Ronald L. Rivest. All-or-Nothing Encryption and the Package Transform, 1997, FSE.

[18] David Zuckerman. Randomness-optimal oblivious sampling, 1997, Random Struct. Algorithms.

[19] Silvio Micali et al. How to construct random functions, 1986, JACM.

[20] Silvio Micali et al. The Notion of Security for Probabilistic Cryptosystems, 1986, CRYPTO.

[21] Adi Shamir. How to share a secret, 1979, CACM.

[22] Douglas R. Stinson. Something About All or Nothing (Transforms), 2001, Des. Codes Cryptogr.

[23] Moni Naor et al. Small-bias probability spaces: efficient constructions and applications, 1990, STOC '90.

[24] Victor Boyko. On the Security Properties of OAEP as an All-or-Nothing Transform, 1999, CRYPTO.

[25] Yvo Desmedt et al. Threshold Cryptosystems, 1989, CRYPTO.

[27] Oded Goldreich. Foundations of Cryptography (Fragments of a Book), 1995.

[28] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms, 1984, IEEE Trans. Inf. Theory.

[29] Oded Goldreich et al. The bit extraction problem or t-resilient functions, 1985, 26th Annual Symposium on Foundations of Computer Science (FOCS 1985).

[30] Luca Trevisan et al. Extracting randomness from samplable distributions, 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[31] Ran Raz et al. Extracting all the randomness and reducing the error in Trevisan's extractors, 1999, STOC '99.

[32] Hugo Krawczyk et al. Keying Hash Functions for Message Authentication, 1996, CRYPTO.

[33] Mihir Bellare et al. Randomness-efficient oblivious sampling, 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[34] Hugo Krawczyk et al. UMAC: Fast and Secure Message Authentication, 1999, CRYPTO.

[35] Ran Raz et al. Error reduction for extractors, 1999, 40th Annual Symposium on Foundations of Computer Science.

[36] Matt Blaze. High-Bandwidth Encryption with Low-Bandwidth Smartcards, 1996, FSE.

[37] Gilles Brassard et al. Privacy Amplification by Public Discussion, 1988, SIAM J. Comput.

[38] Leonid Reyzin et al. A New Forward-Secure Digital Signature Scheme, 2000, ASIACRYPT.

[39] Silvio Micali et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[40] Chanathip Namprempre et al. Forward Security in Threshold Signature Schemes, 2000, IACR Cryptol. ePrint Arch.

[41] Sarvar Patel et al. SQUARE HASH: Fast Message Authentication via Optimized Universal Hash Functions, 1999, CRYPTO.

[42] Markus Jakobsson et al. Scramble All, Encrypt Small, 1999, FSE.

[43] Jaikumar Radhakrishnan et al. Tight bounds for depth-two superconcentrators, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[44] Mihir Bellare et al. The Security of Chaffing and Winnowing, 2000, ASIACRYPT.

[45] G. R. Blakley. Safeguarding cryptographic keys, 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[46] Adi Shamir et al. Playing "Hide and Seek" with Stored Keys, 1999, Financial Cryptography.

[47] Oded Goldreich et al. A Note on Computational Indistinguishability, 1990, Inf. Process. Lett.

[48] Mihir Bellare et al. A Forward-Secure Digital Signature Scheme, 1999, CRYPTO.

[50] Hugo Krawczyk. Secret Sharing Made Short, 1994, CRYPTO.

[51] Claude E. Shannon. Communication theory of secrecy systems, 1949, Bell Syst. Tech. J.

[52] Noam Nisan et al. Randomness is Linear in Space, 1996, J. Comput. Syst. Sci.