Abstract
In the bounded-storage model (BSM) for information-theoretically secure encryption and key-agreement one uses a random string R whose length t is greater than the assumed bound s on the adversary Eve’s storage capacity. The legitimate parties Alice and Bob share a short initial secret key K which they use to select and combine certain bits of R to obtain a derived key X which is much longer than K. Eve can be proved to obtain essentially no information about X even if she has infinite computing power and even if she learns K after having performed the storage operation and lost access to R.
This paper addresses the problem of generating the initial key K and makes two contributions. First, we prove that without such a key, secret key agreement in the BSM is impossible unless Alice and Bob have themselves very high storage capacity, thus proving the optimality of a scheme proposed by Cachin and Maurer. Second, we investigate the hybrid model where K is generated by a computationally secure key agreement protocol. The motivation for the hybrid model is to achieve provable security under the sole assumption that Eve cannot break the key agreement scheme during the storage phase, even if afterwards she may gain infinite computing power (or at least be able to break the key agreement scheme). In earlier work on the BSM, it was suggested that such a hybrid scheme is secure because if Eve has no information about K during the storage phase, then she has missed any opportunity to know anything about X, even when later learning K. We show that this very intuitive and apparently correct reasoning is false by giving an example of a secure (according to the standard definition) computational key-agreement scheme for which the BSM-scheme is nevertheless completely insecure. One of the surprising consequences of this example is that existing definitions for the computational security of key-agreement and encryption are still too weak and therefore new, stronger definitions are needed.
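The storage-phase mechanics that the abstract describes (a public random string R of length t streams past once, the parties holding K keep only the bits K points to, Eve with s < t bits of storage must choose what to keep before learning K) can be made concrete with a small simulation. The following Python is an added illustration and not the paper's construction or the authors' code: it assumes a toy scheme in which each bit of the derived key X is the XOR of DEGREE positions of R, with the positions selected by a PRNG seeded from a hash of K (a stand-in for whatever public selection function a real scheme would use). All parameters and the key value are constructed for the example.

```python
"""Toy simulation of derived-key generation in the bounded-storage model.

Added illustration, not the paper's construction: each bit of the derived key X
is the XOR of DEGREE positions of the public random string R, the positions being
a public function of the short initial key K.  Parties that know K during the
storage phase keep only the bits they need; an adversary with s < t bits of
storage has to decide what to keep without knowing K.
"""
import hashlib
import random
from typing import Dict, Iterable, List, Optional

# Constructed toy parameters (tiny compared to real instantiations).
T_BITS = 4096    # length t of the random string R
S_BITS = 2048    # Eve's storage bound s (< t)
X_LEN = 16       # length of the derived key X
DEGREE = 8       # each bit of X combines DEGREE bits of R


def positions_from_key(K: bytes, x_len: int = X_LEN,
                       degree: int = DEGREE, t: int = T_BITS) -> List[List[int]]:
    """Expand K into x_len groups of `degree` distinct positions in R.

    A PRNG seeded from SHA-256(K) stands in for a real scheme's public
    selection function (assumption of this toy, not the paper's method).
    """
    rng = random.Random(int.from_bytes(hashlib.sha256(K).digest(), "big"))
    return [sorted(rng.sample(range(t), degree)) for _ in range(x_len)]


def stream_R(seed: int, t: int = T_BITS) -> Iterable[int]:
    """Yield the t bits of R one at a time; nobody can go back to R later."""
    rng = random.Random(seed)
    for _ in range(t):
        yield rng.getrandbits(1)


def store_selected(R_stream: Iterable[int], positions: List[List[int]]) -> Dict[int, int]:
    """Alice/Bob: knowing K, keep only the positions K points to while R goes by."""
    wanted = {p for group in positions for p in group}
    return {i: b for i, b in enumerate(R_stream) if i in wanted}


def store_prefix(R_stream: Iterable[int], s: int = S_BITS) -> Dict[int, int]:
    """Eve: without K she cannot know which bits matter; here she keeps the first s."""
    return {i: b for i, b in enumerate(R_stream) if i < s}


def derive(store: Dict[int, int], positions: List[List[int]]) -> List[Optional[int]]:
    """XOR the stored bits of each group; None where a needed bit was not stored."""
    out: List[Optional[int]] = []
    for group in positions:
        if all(p in store for p in group):
            bit = 0
            for p in group:
                bit ^= store[p]
            out.append(bit)
        else:
            out.append(None)
    return out


def simulate(K: bytes = b"initial key K (constructed)", r_seed: int = 2004,
             s: int = S_BITS):
    """Storage phase followed by derivation; returns (X_alice, X_bob, X_eve)."""
    pos = positions_from_key(K)
    x_alice = derive(store_selected(stream_R(r_seed), pos), pos)
    x_bob = derive(store_selected(stream_R(r_seed), pos), pos)
    # Eve performs her storage operation first and learns K (hence pos) only afterwards.
    eve_store = store_prefix(stream_R(r_seed), s)
    x_eve = derive(eve_store, pos)
    return x_alice, x_bob, x_eve


if __name__ == "__main__":
    xa, xb, xe = simulate()
    print("Alice:", xa)
    print("Bob:  ", xb)
    print("Eve:  ", xe)
    print("bits of X Eve cannot determine:", xe.count(None))
```

Running `simulate()` shows Alice and Bob arriving at the same X while Eve, who could only keep half of R, is left with None for every derived bit that depends on a position she discarded; giving her `s=T_BITS` (no storage bound) lets her recover X in full once she learns K, which is exactly the case the bounded-storage assumption rules out.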
References
Aumann, Y., Ding, Y.Z., Rabin, M.O.: Everlasting security in the bounded storage model. IEEE Transactions on Information Theory 48(6), 1668–1680 (2002)
Aumann, Y., Rabin, M.O.: Information theoretically secure communication in the limited storage space model. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 65–79. Springer, Heidelberg (1999)
Cachin, C., Maurer, U.: Unconditional security against memory-bounded adversaries. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 292–306. Springer, Heidelberg (1997)
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. Journal of the ACM 45(6), 965–981 (1998)
Cover, T.M., Thomas, J.A.: Elements of Information Theory. John Wiley and Sons, Inc., Chichester (1991)
Di Crescenzo, G., Malkin, T., Ostrovsky, R.: Single database private information retrieval implies oblivious transfer. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 122–138. Springer, Heidelberg (2000)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)
Ding, Y.Z.: Oblivious transfer in the bounded storage model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 155–170. Springer, Heidelberg (2001)
Ding, Y.Z.: Provable Everlasting Security in the Bounded Storage Model. PhD thesis, Harvard University (2001)
Ding, Y.Z., Rabin, M.O.: Hyper-encryption and everlasting security. In: Alt, H., Ferreira, A. (eds.) STACS 2002. LNCS, vol. 2285, pp. 1–26. Springer, Heidelberg (2002)
Dziembowski, S., Maurer, U.: Tight security proofs for the bounded-storage model. In: Proceedings of the 34th Annual ACM Symposium on Theory of Computing, pp. 341–350 (2002)
Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: Relationship between public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of Computer Science, pp. 325–339 (2000)
Kushilevitz, E., Ostrovsky, R.: Replication is not needed: Single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, pp. 364–373 (1997)
Lu, C.: Hyper-encryption against space-bounded adversaries from on-line strong extractors. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 257–271. Springer, Heidelberg (2002)
Maurer, U.: Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology 5(1), 53–66 (1992)
Maurer, U.: Secret key agreement by public discussion. IEEE Transactions on Information Theory 39(3), 733–742 (1993)
Vadhan, S.: On constructing locally computable extractors and cryptosystems in the bounded storage model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 61–77. Springer, Heidelberg (2003)
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dziembowski, S., Maurer, U. (2004). On Generating the Initial Key in the Bounded-Storage Model. In: Cachin, C., Camenisch, J.L. (eds) Advances in Cryptology - EUROCRYPT 2004. EUROCRYPT 2004. Lecture Notes in Computer Science, vol 3027. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24676-3_8
DOI: https://doi.org/10.1007/978-3-540-24676-3_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-21935-4
Online ISBN: 978-3-540-24676-3