Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik

Maurer ’ s Bounded Storage Model Most Cryptographic tasks are only possible when parties are known to be bounded. “ Mainstream Cryptography ” : Assume parties are time bounded (run in polynomial time). Maurer ’ s model: Assume parties have bounded storage. Remark: Bounded Storage ≠ Bounded Space. Measures only the storage capacity at one point of the process.

The bounded storage model: The setting A long random string R is transmitted. Honest parties store small portions of R. Parties interact. Protocol is secure even against dishonest parties which store almost all of R. A long random string R of length N Alice Bob Malicious party Stores ¾N bits Stores N ½ (Arbitrary function of R)

Example: Key-Agreement Alice and Bob interact over a public channel (with no initial secret key). They want to agree on a secret key. Alice Bob Eavesdropper public channel key ??

A long random string R of length N Protocol: Key-Agreement [CM97] A long random string R is transmitted. Alice and Bob store random subsets of size ~N ½. Send position of subsets and agree on content of intersection. Next, we show that an eavesdropper which stores ¾N bits has a lot of entropy on the key. Alice Bob Eavesdropper Stores N ½ key Does not know the key!

¾N bits key The view of the adversary Simplifying assumption: The adversary stores a subset bits of R of size ¾N. The sets chosen by the players are random. The set which defines the key is a random set. The adversary does not remember ~ ¼N bits. Eavesdropper random set From my point of view the key is a high- entropy source! * This holds even when the adversary stores an arbitrary function of R [NZ93]. ¾ known ¼ unknown

Randomness Extractors [NZ93] Extract randomness from arbitrary distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the adversary knows the seed. Relation to BSM pointed out by [Lu02,Vad03] high entropy distribution Extractor seed random output

A long random string R of length N Key-Agreement using extractors A long random string R is transmitted. Alice and Bob store random subsets of size ~N ½. Send position of subsets and agree on content of intersection. Alice randomly chooses a seed and sends it to Bob. Both apply an extractor To receive the key. Alice Bob Stores N ½ Extractor seed random key

Further Improvements Instead of random subsets, Alice & Bob remember pairwise independent locations Eavesdropper still has high min-entropy [NZ]. Saves communication when finding the intersection of both sides. Can further use better “ Samplers ” to choose these locations. Only need to send seed to the sampler in order to agree on intersection.

The Secret Key Setting Seed to sampler is used as the secret key. Alice & Bob only store the bits at the locations the sampler chooses. Can use small set for Alice and Bob. For the Eavesdropper this set is a high min-entropy source. By applying extractor, receive a long key that is close to uniform from Eavesdropper ’ s point of view. Best result so far for message of length m [Vad03]: Alice & Bob store only O(m + log 1/ ε ) Secret Key length: O(log N + log 1/ ε )

The bounded storage model Practical? Depends on ratio between price of memory and speed of broadcast. Most of the research so far focused on: Key agreement [Mau93,CM97]. Secret-key encryption [Mau93,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03]. Advantages: Clean model. Security does not require unproven assumptions. Everlasting security: The security is guaranteed even if at a later stage the adversary gains more memory.