On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.


Talk Overview The Bounded Storage Model and everlasting security. The Hybrid Bounded Storage Model Negative results for encryption Positive results for encryption

The Bounded Storage Model. An alternative cryptographic setting. "Mainstream cryptography": assume the parties are time bounded (run in polynomial time). This model: assume the parties have bounded storage.

Bounded Storage Model - the setting [Maurer 92]. A long random string R of length r is transmitted. The honest parties (Alice, Bob) store small portions of R. The adversary is allowed to store almost all of R (in the figure, 3/4 r bits; in general an arbitrary function of R of bounded length). Afterwards the random string is no longer available. The storage bound applies only at the end of the transmit stage.

Shared Key Encryption. The parties meet in advance and share a (short) secret key k. When R is transmitted, Alice and Bob store S_k, a small portion of R determined by k. The eavesdropper does not know k and, with overwhelming probability, does not store all of S_k. Use S_k to encrypt the message.

Shared Key Encryption - Properties. Abundance of work on this setting: [Mau92, CM97, AR99, ADR02, DR02, DM02, Lu02, Vad03]. State of the art requires low storage from Alice and Bob: |S_k| = log r + log(1/ε) + m and |k| = log r + log(1/ε), where m is the message length and ε the adversary's advantage. Everlasting security [ADR]: security is guaranteed even if at a later stage the adversary learns the key k or gains more memory. Security does not require any computational assumptions. What if Alice and Bob don't meet in advance?

Public Key Encryption in the BSM. [CM97] show a method of constructing a Key Agreement protocol in the BSM. The local storage requirements for Alice and Bob are very high: they require r^(1/2+δ) storage space. Can one do better? No, the solution is tight, as shown by the lower bound of [DM04]. Need to change the model…

The Hybrid BSM. Idea: use a computational Key Agreement (KA) protocol to agree on the shared key k, e.g. run the Diffie-Hellman KA protocol. Then use a standard shared key BSM scheme with everlasting security. Even if the eavesdropper breaks the KA protocol and learns k, it will be after the broadcast of R, and too late. The computational assumption comes with a strict time limit: the adversary cannot break the KA before the end of the transmission of R. Such an assumption can be made with a high level of confidence.
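The two slides above (the shared key BSM scheme and its hybrid variant) can be exercised end to end in a toy simulation. The following is an added example, not code from the talk or the paper. It assumes, beyond what the slides state: a toy Diffie-Hellman group with a fixed Mersenne prime and generator (illustrative parameters, not a secure choice); that the positions S_k are derived from k by seeding a PRG with a hash of k (the schemes cited in the talk use explicit samplers, so this is a simplification); and one particular bounded-storage adversary, which stores a fixed prefix of R while it is broadcast and is then handed k after the broadcast, modelling the everlasting-security requirement. Its success rate falls off as roughly (3/4)^|S_k|, which is the effect the shared key slide relies on.

```python
"""Toy hybrid BSM encryption: Diffie-Hellman KA, then XOR with key-selected bits of R.

Added example; the DH parameters, the PRG-based position selection and the
prefix-storing adversary are assumptions made here, not part of the talk.
"""
import hashlib
import random

# Toy Diffie-Hellman parameters (Mersenne prime 2^127 - 1, generator 3). Illustrative only.
P = 2**127 - 1
G = 3


def dh_share(x: int) -> int:
    """Phase 1, computational part: a party's public share g^x mod p."""
    return pow(G, x, P)


def dh_key(their_share: int, x: int) -> bytes:
    """The agreed key k_KA, hashed down to 16 bytes."""
    return hashlib.sha256(str(pow(their_share, x, P)).encode()).digest()[:16]


def broadcast(r_bits: int, rng: random.Random) -> list:
    """The long random string R, as a list of bits."""
    return [rng.getrandbits(1) for _ in range(r_bits)]


def positions(k: bytes, r_bits: int, m: int) -> list:
    """S_k as a set of m distinct positions in R, determined by k (PRG seeded by k; an assumption)."""
    seed = int.from_bytes(hashlib.sha256(k).digest(), "big")
    return random.Random(seed).sample(range(r_bits), m)


def store_s_k(R: list, k: bytes, m: int) -> list:
    """What an honest party keeps while R is broadcast: the m bits at the positions S_k."""
    return [R[i] for i in positions(k, len(R), m)]


def xor(a: list, b: list) -> list:
    """One-time-pad style encryption/decryption with the stored bits."""
    return [x ^ y for x, y in zip(a, b)]


class PrefixAdversary:
    """Bounded-storage eavesdropper that keeps the first `frac` of R and nothing else."""

    def __init__(self, frac: float):
        self.frac = frac
        self.stored = []

    def observe(self, R: list) -> None:
        self.stored = R[: int(self.frac * len(R))]

    def decrypt_with_key(self, k: bytes, ct: list, r_bits: int):
        """Phase 2: the adversary now knows k (everlasting security), but R is gone."""
        pos = positions(k, r_bits, len(ct))
        if any(i >= len(self.stored) for i in pos):
            return None  # at least one bit of S_k was never stored
        return [c ^ self.stored[i] for c, i in zip(ct, pos)]


def run_trial(r_bits: int, m: int, frac: float, rng: random.Random) -> bool:
    """One run of the basic hybrid scheme; returns True if the adversary recovers the message."""
    a, b = rng.randrange(2, P - 1), rng.randrange(2, P - 1)
    k_alice = dh_key(dh_share(b), a)
    k_bob = dh_key(dh_share(a), b)
    assert k_alice == k_bob
    R = broadcast(r_bits, rng)
    s_alice = store_s_k(R, k_alice, m)
    s_bob = store_s_k(R, k_bob, m)
    adv = PrefixAdversary(frac)
    adv.observe(R)
    # End of transmission: R disappears. Encrypt, then hand k to the adversary.
    msg = [rng.getrandbits(1) for _ in range(m)]
    ct = xor(msg, s_alice)
    assert xor(ct, s_bob) == msg  # honest decryption always works
    return adv.decrypt_with_key(k_alice, ct, r_bits) == msg


def adversary_success_rate(trials: int, r_bits: int, m: int, frac: float, seed: int = 0) -> float:
    """Fraction of trials in which the prefix-storing adversary decrypts after learning k."""
    rng = random.Random(seed)
    return sum(run_trial(r_bits, m, frac, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for m in (1, 5, 20):
        print(f"|S_k| = {m:2d}: adversary success rate {adversary_success_rate(400, 256, m, 0.75):.3f}")
```

The model lets the adversary store any bounded-length function of R, not just a prefix, so this simulation shows the mechanism rather than the proof; the theorems cited in the talk bound arbitrary such functions. It also shows why [DM04]'s counterexample matters: if the KA protocol itself leaked information that let the adversary choose what to store during the broadcast, the prefix strategy would no longer be the relevant one.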

Previous works on the Hybrid BSM. Suggested in [ADR00]. Revisited by Dziembowski and Maurer in [DM04], who show that the rationale of the hybrid BSM does not necessarily work: they give a specific (unnatural) KA protocol that, when combined with a specific (standard) shared key BSM scheme, can be fully broken. Open question: what about a "natural" KA scheme? In [HN05]: if a compression algorithm for SAT exists, then the hybrid BSM is no more powerful than the standard BSM. Compression of SAT: given a CNF formula Φ with m clauses over n variables (with m >> n), efficiently find a formula Ψ of total length poly(n, log m) that is satisfiable iff Φ is satisfiable.

This Work. A first rigorous study of the Hybrid BSM. Give formal definitions of a hybrid BSM encryption scheme and of everlasting security of such a scheme. Security is defined in two equivalent flavors: indistinguishability of encryptions, and semantic security. Negative results: one cannot prove everlasting security of a low memory hybrid BSM scheme via black-box reductions. Positive results: augmentations of the model that allow low memory everlasting security: the hybrid BSM with a random oracle, and the Bounded Accessibility Model (BAM). Also a low memory hybrid BSM OT protocol in each of the augmented models.

Definitions: The General Hybrid Scheme. Divide time into two parts: until the end of the transmission of R, and after the transmission. In the first part Alice and Bob run (A_1, B_1): poly time, low memory; they end with states S_A, S_B. The eavesdropper runs C_1: poly time, bounded storage, output bounded in length; it ends with state S_C. In the second part Alice and Bob run (A_2, B_2): poly time, low memory; the encryption of m is A_2(m, S_A). The eavesdropper runs C_2: no time bound, no space bound. Everlasting security (indistinguishability): for all m_1, m_2, every adversary (C_1, C_2) cannot distinguish between encryptions of m_1 and m_2. The basic hybrid scheme of [DM04] is the special case of a KA scheme combined with a shared key BSM scheme: S_A holds the bits selected by the KA key, and the encryption is S_A ⊕ m.

Negative results – Big Picture [DM04]: Show a specific hybrid scheme is insecure. [HN05] Conditional result: If Compression of SAT exists then every Hybrid BSM scheme can be broken. This result: Cannot prove the security of a hybrid scheme using BB techniques True even if the construction itself is non-BB

No Black-Box Proof. We show an oracle "world" where: any low memory hybrid scheme can be broken, and any computational key agreement remains secure. Corollary: there is no black-box proof of everlasting security of a hybrid scheme. Proof (of corollary): a BB proof is an efficient procedure that breaks the KA scheme using BB calls to an adversary (C_1, C_2) of the hybrid scheme. Note: it can only make calls to C_1, since C_2 is unbounded. Such a proof relativizes to other worlds, including the world above. Since in that world any hybrid scheme can be broken, a BB proof would mean that any KA can be broken as well, which is a contradiction. The same holds for any cryptographic primitive that is secure against a polynomial time adversary, e.g. oblivious transfer, trapdoor permutations, and any other computational cryptographic primitive.

The Oracle W. Input: an NP relation R_L, an instance x and a parameter m. Output: a random witness w ∈ {0,1}^m such that R_L(x, w) = 1; if no such witness exists, output ⊥. Theorem: let E be any hybrid BSM scheme where Alice and Bob use storage of size s_A and s_B; then any adversary with storage s_A · s_B and access to the oracle W can break E. The proof uses a technical lemma from [DM04].

The Oracle Z. The world we present consists of a different oracle Z. Input: R_L, x and m. Output: i = π(W(R_L, x, m)), where π is a random permutation. Rather than giving out the answers of W, the oracle gives an "encrypted" answer to W, the "encryption" being π. Z also contains an inverting table for π: a table with 2^m rows of 2^k bits each, where the i-th row sums up to π^{-1}(i) and is otherwise random. The table is useless to a polynomial time adversary: it looks like a random table. A hybrid adversary, however, may store i during the transmission and find π^{-1}(i) after it.

Hybrid BSM with a Random Oracle. The broadcast string R: too long to store, but possible to read; disappears. Random oracle RO: too long to read (in polynomial time); always present. Theorem: there is a low memory hybrid BSM scheme with everlasting security in the presence of RO. The scheme: Alice and Bob run KA to get a computational key k_KA, then use k = RO(k_KA) as the key to a shared key BSM encryption scheme. If compression of SAT [HN05] exists, then this is an example of a task that is simple with a random oracle and altogether impossible without it.

The Bounded Accessibility Model (BAM) Assume that the adversary cannot read all of the broadcast string R. E.g. cannot store an XOR of all of the bits of R. Theorem: Low memory hybrid BAM scheme with everlasting security. The scheme is the basic scheme: Use KA to agree on a shared key k. Use a shared key BSM scheme. Note: The hybrid is necessary, since the lower bound of [DM04] holds in this model as well. No low memory BAM encryption scheme.

Open problems. Main open question: is there low memory hybrid BSM encryption? A solution would require resolving the compressibility question of [HN05]. Other reasonable models? The BSM allows the adversary unreasonable power: it may compute using unlimited space, and it can run offline computations.