Abstract
Consider a state-level adversary who observes and stores large amounts of encrypted data from all users on the Internet, but does not have the capacity to store it all. Later, it may target certain “persons of interest” in order to obtain their decryption keys. We would like to guarantee that, if the adversary’s storage capacity is only (say) \(1\%\) of the total encrypted data size, then even if it can later obtain the decryption keys of arbitrary users, it can only learn something about the contents of (roughly) \(1\%\) of the ciphertexts, while the rest will maintain full security. This can be seen as an extension of incompressible cryptography (Dziembowski CRYPTO’06, Guan, Wichs and Zhandry EUROCRYPT’22) to the multi-user setting. We provide solutions in both the symmetric key and public key setting with various trade-offs in terms of computational assumptions and efficiency.
As the core technical tool, we study an information-theoretic problem which we refer to as “multi-instance randomness extraction”. Suppose \(X_1, \ldots , X_t\) are correlated random variables whose total joint min-entropy rate is \(\alpha \), but we know nothing else about their individual entropies. We choose t random and independent seeds \(S_1,\ldots ,S_t\) and attempt to individually extract some small amount of randomness \(Y_i = \textsf{Ext}(X_i;S_i)\) from each \(X_i\). We’d like to say that roughly an \(\alpha \)-fraction of the extracted outputs \(Y_i\) should be indistinguishable from uniform even given all the remaining extracted outputs and all the seeds. We show that this indeed holds for specific extractors based on Hadamard and Reed-Muller codes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
The work of [1] studied a notion of extractors for “Somewhere Honest Entropic Look Ahead” (SHELA) sources. The notions are largely different and unrelated. In particular: (i) in our work X is an arbitrary source of sufficient entropy while [1] places additional restrictions, (ii) we use a seeded extractor while [1] wants a deterministic extractor, (iii) we apply the seeded extractor separately on each \(X_i\) while [1] applies it jointly on the entire X, (iv) we guarantee that a large fraction of extracted outputs is uniform even if the adversary sees the rest, while in [1] the adversary cannot see the rest.
- 3.
One subtlety is that, for all of our rate-1 constructions, we need a PRG secure against non-uniform adversaries, whereas the prior work could have used a PRG against uniform adversaries.
- 4.
[6] explores CCA security, but in this work for simplicity we focus only on CPA security.
- 5.
This strategy would allow us to only prove a very weak version of multi-instance extraction when the number of blocks t is sufficiently small. In this case we can afford to lose the t extracted output bits from the entropy of each block. However, in our setting, we think of the number of blocks t as huge, much larger than the size/entropy of each individual block.
- 6.
We were initially convinced that the general result does hold and invested much effort trying to prove it via some variant of the above approach without success. We also mentioned the problem to several experts in the field who had a similar initial reaction, but were not able to come up with a proof.
- 7.
For the sake of exposition, here we only show the case where the extractor output is a single bit. In Sect. 3, we construct extractors with multiple-bit outputs.
- 8.
Think of the above as a 2 player game where one player chooses \(I_X\), the other chooses the distinguisher and the payout is the distinguishing advantage; the minimax theorem says that the value of the game is the same no matter which order the players go in.
- 9.
Since the the input to the extractor is interpreted as a polynomial, we will denote it by f rather than the usual x to simplify notation.
- 10.
Here we assume \(\textsf{SKE}\)’s keys are uniformly random n-bit strings. This is without loss of generality since we can always take the key to be the random coins for \(\textsf{Gen}\).
- 11.
For the ease of syntax, we imagine the security parameters to be part of the public parameters always accessible to the adversary.
References
Aggarwal, D., Obremski, M., Ribeiro, J., Siniscalchi, L., Visconti, I.: How to extract useful randomness from unreliable sources. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 343–372. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_13
Albrecht, M., Cid, C., Paterson, K.G., Tjhai, C.J., Tomlinson, M.: Nts-kem. NIST Submissions 2, 4–13 (2019)
Bardet, M., et al.: Big quake binary goppa quasi-cyclic key encapsulation. NIST Submissions (2017)
Barnett Jr., T.: The zettabyte era officially begins (how much is that?). https://blogs.cisco.com/sp/the-zettabyte-era-officially-begins-how-much-is-that
Bernstein, D.J., et al.: Classic mceliece: conservative code-based cryptography. NIST Submissions (2017)
Branco, P., Döttling, N., Dujmovic, J.: Rate-1 incompressible encryption from standard assumptions. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part II. LNCS, vol. 13748, pp. 33–69. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22365-5_2
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Damgård, I.B., Fehr, S., Renner, R., Salvail, L., Schaffner, C.: A tight high-order entropic quantum uncertainty relation with applications. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 360–378. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_20
Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9
Department, S.R.: Data center storage capacity worldwide from 2016 to 2021, by segment. https://www.statista.com/statistics/638593/worldwide-data-center-storage-capacity-cloud-vs-traditional/
Dinur, I., Stemmer, U., Woodruff, D.P., Zhou, S.: On differential privacy and adaptive data analysis with bounded space. Cryptology ePrint Archive, Report 2023/171 (2023). https://eprint.iacr.org/2023/171
Dodis, Y., Quach, W., Wichs, D.: Authentication in the bounded storage model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part III. LNCS, vol. 13277, pp. 737–766. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07082-2_26
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31
Dziembowski, S.: On forward-secure storage. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 251–270. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_15
Dziembowski, S., Kazana, T., Zdanowicz, M.: Quasi chain rule for min-entropy. Inf. Process. Lett. 134, 62–66 (2018). https://doi.org/10.1016/j.ipl.2018.02.007. https://www.sciencedirect.com/science/article/pii/S002001901830036X
Guan, J., Wichs, D., Zhandry, M.: Incompressible cryptography. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 700–730. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_24
Guan, J., Wichs, D., Zhandry, M.: Multi-instance randomness extraction and security against bounded-storage mass surveillance. Cryptology ePrint Archive (2023)
Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_5
Guruswami, V.: List Decoding of Error-Correcting Codes. LNCS, vol. 3282. Springer, Heidelberg (2005). https://doi.org/10.1007/b104335
Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_5
Moran, T., Wichs, D.: Incompressible encodings. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 494–523. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_17
Nisan, N.: Psuedorandom generators for space-bounded computation. In: 22nd ACM STOC, pp. 204–212. ACM Press (1990). https://doi.org/10.1145/100216.100242
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603
Vadhan, S.P., et al.: Pseudorandomness. Found. Trends® Theor. Comput. Sci. 7(1–3), 1–336 (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
1 Electronic supplementary material
Below is the link to the electronic supplementary material.
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Guan, J., Wichs, D., Zhandry, M. (2023). Multi-instance Randomness Extraction and Security Against Bounded-Storage Mass Surveillance. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-48621-0_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48620-3
Online ISBN: 978-3-031-48621-0
eBook Packages: Computer ScienceComputer Science (R0)