Foundations of Cryptography Lecture 7

1. Foundations of CryptographyLecture 7 Lecturer:Danny Harnik

2. Maurer’s Bounded Storage Model • Most Cryptographic tasks are only possible when parties are known to be bounded. • “Mainstream Cryptography”: Assume parties are time bounded (run in polynomial time). • Maurer’s model: Assume parties have bounded storage. • Remark: Bounded Storage ≠ Bounded Space. • Measures only the storage capacity at one point of the process.

3. Alice Bob Malicious party The bounded storage model: The setting • A long random string R is transmitted. • Honest parties store small portions of R. • Parties interact. • Protocol is secure even against dishonest parties which store almost all of R. A long random string R of length N Stores ¾N bits Stores N½ Stores N½ (Arbitrary function of R)

4. public channel Alice Bob key key Eavesdropper Example: Key-Agreement Alice and Bob interact over a public channel (with no initial secret key). They want to agree on a secret key. ??

5. Alice Bob Eavesdropper Protocol: Key-Agreement [CM97] • A long random string R is transmitted. • Alice and Bob store random subsets of size ~N½. • Send position of subsets and agree on content of intersection. • Next, we show that an eavesdropper which stores ¾N bits has a lot of entropy on the key. A long random string R of length N key Stores N½ Stores N½ Does not know the key!

6. random set Eavesdropper The view of the adversary • Simplifying assumption: The adversary stores a subset bits of R of size ¾N. • The sets chosen by the players are random. • The set which defines the key is a random set. • The adversary does not remember ~ ¼N bits. ¾N bits key ¾ known ¼ unknown From my point of view the key is a high-entropy source! * This holds even when the adversary stores an arbitrary function of R [NZ93].

7. Extract randomness from arbitrary distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the adversary knows the seed. Relation to BSM pointed out by [Lu02,Vad03] Extractor seed random output Randomness Extractors [NZ93] high entropy distribution

8. Extractor seed Alice Bob random key Key-Agreement using extractors • A long random string R is transmitted. • Alice and Bob store random subsets of size ~N½. • Send position of subsets and agree on content of intersection. • Alice randomly chooses a seed and sends it to Bob. Both apply an extractor To receive the key. A long random string R of length N Stores N½ Stores N½

9. Further Improvements • Instead of random subsets, Alice & Bob remember pairwise independent locations • Eavesdropper still has high min-entropy [NZ]. • Saves communication when finding the intersection of both sides. • Can further use better “Samplers” to choose these locations. • Only need to send seed to the sampler in order to agree on intersection.

10. The Secret Key Setting • Seed to sampler is used as the secret key. • Alice & Bob only store the bits at the locations the sampler chooses. • Can use small set for Alice and Bob. • For the Eavesdropper this set is a high min-entropy source. • By applying extractor, receive a long key that is close to uniform from Eavesdropper’s point of view. • Best result so far for message of length m [Vad03]: • Alice & Bob store only O(m + log 1/ ε ) • Secret Key length: O(log N + log 1/ ε )

11. The bounded storage model • Practical? Depends on ratio between price of memory and speed of broadcast. • Most of the research so far focused on: • Key agreement [Mau93,CM97]. • Secret-key encryption [Mau93,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03]. Advantages: • Clean model. • Security does not require unproven assumptions. • Everlasting security: The security is guaranteed even if at a later stage the adversary gains more memory.