On Forward-Secure Storage

We study a problem of secure data storage in a recently introduced Limited Communication Model. We propose a new cryptographic primitive that we call a Forward-Secure Storage (FSS). This primitive is a special kind of an encryption scheme, which produces huge (5 GB, say) ciphertexts, even from small plaintexts, and has the following non-standard security property. Suppose an adversary gets access to a ciphertext C = E(K,M) and he is allowed to compute any function h of C, with the restriction that |h(C)| ≪|C| (say: |h(C)| = 1 GB). We require that h(C) should give the adversary no information about M, even if he later learns K. A practical application of this concept is as follows. Suppose a ciphertext C is stored on a machine on which an adversary can install a virus. In many cases it is completely infeasible for the virus to retrieve 1 GB of data from the infected machine. So if the adversary (at some point later) learns K, then M remains secret. We provide a formal definition of the FSS, propose some FSS schemes, and show that FSS can be composed sequentially in a secure way. We also show connections of the FSS to the theory of compressibility of NP-instances (recently developed by Harnik and Naor).

[1]  Yuval Ishai,et al.  On the randomness complexity of efficient sampling , 2006, STOC '06.

[2]  Ueli Maurer,et al.  On Generating the Initial Key in the Bounded-Storage Model , 2004, EUROCRYPT.

[3]  Ueli Maurer Conditionally-perfect secrecy and a provably-secure randomized cipher , 2004, Journal of Cryptology.

[4]  Moni Naor,et al.  On the Compressibility of NP Instances and Cryptographic Applications , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[5]  Richard J. Lipton,et al.  Protecting Secret Data from Insider Attacks , 2005, Financial Cryptography.

[6]  Salil P. Vadhan,et al.  Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model , 2003, Journal of Cryptology.

[7]  Claude Crépeau,et al.  Oblivious transfer with a memory-bounded receiver , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[8]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[9]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[10]  Ueli Maurer,et al.  Optimal Randomizer Efficiency in the Bounded-Storage Model , 2003, Journal of Cryptology.

[11]  Ronen Shaltiel,et al.  Constant-Round Oblivious Transfer in the Bounded Storage Model , 2004, Journal of Cryptology.

[12]  Amnon Ta-Shma,et al.  Non-interactive Timestamping in the Bounded Storage Model , 2004, CRYPTO.

[13]  Rafail Ostrovsky,et al.  Single Database Private Information Retrieval Implies Oblivious Transfer , 2000, EUROCRYPT.

[14]  Krzysztof Pietrzak Composition Implies Adaptive Security in Minicrypt , 2006, EUROCRYPT.

[15]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[16]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[17]  Giovanni Di Crescenzo,et al.  Perfectly Secure Password Protocols in the Bounded Retrieval Model , 2006, TCC.

[18]  Bruce Schneier,et al.  Authenticating Secure Tokens Using Slow Memory Access , 1999, Smartcard.

[19]  Serge Vaudenay,et al.  Advances in Cryptology - EUROCRYPT 2006 , 2006, Lecture Notes in Computer Science.

[20]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[21]  Eyal Kushilevitz,et al.  Private information retrieval , 1998, JACM.

[22]  Stefan Dziembowski,et al.  Intrusion-Resilience Via the Bounded-Storage Model , 2006, TCC.

[23]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[24]  Rafail Ostrovsky,et al.  Replication is not needed: single database, computationally-private information retrieval , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[25]  Rafail Ostrovsky,et al.  One-Way Trapdoor Permutations Are Sufficient for Non-trivial Single-Server Private Information Retrieval , 2000, EUROCRYPT.

[26]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[27]  Richard J. Lipton,et al.  Intrusion-Resilient Authentication in the Limited Communication Model , 2005, IACR Cryptol. ePrint Arch..

[28]  Chi-Jen Lu Encryption against Storage-Bounded Adversaries from On-Line Strong Extractors , 2003, Journal of Cryptology.

[29]  Yonatan Aumann,et al.  Everlasting security in the bounded storage model , 2002, IEEE Trans. Inf. Theory.

[30]  Moni Naor,et al.  On Everlasting Security in the Hybrid Bounded Storage Model , 2006, ICALP.

[31]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[32]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[33]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[34]  Ueli Maurer,et al.  Unconditional Security Against Memory-Bounded Adversaries , 1997, CRYPTO.