1 / 11

Foundations of Cryptography Lecture 7

Foundations of Cryptography Lecture 7. Lecturer:Danny Harnik. Maurer ’ s Bounded Storage Model. Most Cryptographic tasks are only possible when parties are known to be bounded. “ Mainstream Cryptography ” : Assume parties are time bounded (run in polynomial time).

sezja
Download Presentation

Foundations of Cryptography Lecture 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Foundations of CryptographyLecture 7 Lecturer:Danny Harnik

  2. Maurer’s Bounded Storage Model • Most Cryptographic tasks are only possible when parties are known to be bounded. • “Mainstream Cryptography”: Assume parties are time bounded (run in polynomial time). • Maurer’s model: Assume parties have bounded storage. • Remark: Bounded Storage ≠ Bounded Space. • Measures only the storage capacity at one point of the process.

  3. Alice Bob Malicious party The bounded storage model: The setting • A long random string R is transmitted. • Honest parties store small portions of R. • Parties interact. • Protocol is secure even against dishonest parties which store almost all of R. A long random string R of length N Stores ¾N bits Stores N½ Stores N½ (Arbitrary function of R)

  4. public channel Alice Bob key key Eavesdropper Example: Key-Agreement Alice and Bob interact over a public channel (with no initial secret key). They want to agree on a secret key. ??

  5. Alice Bob Eavesdropper Protocol: Key-Agreement [CM97] • A long random string R is transmitted. • Alice and Bob store random subsets of size ~N½. • Send position of subsets and agree on content of intersection. • Next, we show that an eavesdropper which stores ¾N bits has a lot of entropy on the key. A long random string R of length N key Stores N½ Stores N½ Does not know the key!

  6. random set Eavesdropper The view of the adversary • Simplifying assumption: The adversary stores a subset bits of R of size ¾N. • The sets chosen by the players are random. • The set which defines the key is a random set. • The adversary does not remember ~ ¼N bits. ¾N bits key ¾ known ¼ unknown From my point of view the key is a high-entropy source! * This holds even when the adversary stores an arbitrary function of R [NZ93].

  7. Extract randomness from arbitrary distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the adversary knows the seed. Relation to BSM pointed out by [Lu02,Vad03] Extractor seed random output Randomness Extractors [NZ93] high entropy distribution

  8. Extractor seed Alice Bob random key Key-Agreement using extractors • A long random string R is transmitted. • Alice and Bob store random subsets of size ~N½. • Send position of subsets and agree on content of intersection. • Alice randomly chooses a seed and sends it to Bob. Both apply an extractor To receive the key. A long random string R of length N Stores N½ Stores N½

  9. Further Improvements • Instead of random subsets, Alice & Bob remember pairwise independent locations • Eavesdropper still has high min-entropy [NZ]. • Saves communication when finding the intersection of both sides. • Can further use better “Samplers” to choose these locations. • Only need to send seed to the sampler in order to agree on intersection.

  10. The Secret Key Setting • Seed to sampler is used as the secret key. • Alice & Bob only store the bits at the locations the sampler chooses. • Can use small set for Alice and Bob. • For the Eavesdropper this set is a high min-entropy source. • By applying extractor, receive a long key that is close to uniform from Eavesdropper’s point of view. • Best result so far for message of length m [Vad03]: • Alice & Bob store only O(m + log 1/ ε ) • Secret Key length: O(log N + log 1/ ε )

  11. The bounded storage model • Practical? Depends on ratio between price of memory and speed of broadcast. • Most of the research so far focused on: • Key agreement [Mau93,CM97]. • Secret-key encryption [Mau93,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03]. Advantages: • Clean model. • Security does not require unproven assumptions. • Everlasting security: The security is guaranteed even if at a later stage the adversary gains more memory.

More Related