61 research outputs found
The Bounded Storage Model in The Presence of a Quantum Adversary
An extractor is a function E that is used to extract randomness. Given an
imperfect random source X and a uniform seed Y, the output E(X,Y) is close to
uniform. We study properties of such functions in the presence of prior quantum
information about X, with a particular focus on cryptographic applications. We
prove that certain extractors are suitable for key expansion in the bounded
storage model where the adversary has a limited amount of quantum memory. For
extractors with one-bit output we show that the extracted bit is essentially
equally secure as in the case where the adversary has classical resources. We
prove the security of certain constructions that output multiple bits in the
bounded storage model.
Comment: 13 pages LaTeX, v3: discussion of independent randomizers adde
Optimal Randomizer Efficiency in the Bounded-Storage Model
In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary's storage capacity is bounded, say by bits, even if her computational power is unlimited. Assume that a random -bit string is either publicly available (e.g., the signal of a deep-space radio source) or broadcast by one of the legitimate parties. If ), or the adversary was assumed to be able to store only actual bits of rather than arbitrary bits of information about , or the adversary received a non-negligible amount of information about . In this paper we prove the first non-restricted security result in the bounded-storage model: is short, is very long, and needs to be only moderately larger than . In fact, can be arbitrarily close to and hence the storage bound is essentially optimal. The security can be proved also if is not uniformly random, provided that the min-entropy of is sufficiently greater than s.
Position Based Cryptography
We consider what constitutes identities in cryptography.
Typical examples include your name and your social-security number,
or your fingerprint/iris-scan, or your address, or your
(non-revoked) public-key coming from some trusted public-key
infrastructure. In many situations, however, where you are
defines your identity. For example, we know the role of a
bank-teller behind a bullet-proof bank window not because she shows
us her credentials but by merely knowing her location. In this
paper, we initiate the study of cryptographic protocols where the
identity (or other credentials and inputs) of a party are derived
from its geographic location.
We start by considering the central task in this setting, i.e.,
securely verifying the position of a device. Despite much work in
this area, we show that in the Vanilla (or standard) model, the
above task (i.e., of secure positioning) is impossible to achieve.
In light of the above impossibility result, we then turn to the
Bounded Retrieval Model (a variant of the Bounded Storage Model) and
formalize and construct information theoretically secure protocols
for two fundamental tasks: Secure Positioning; and Position Based
Key Exchange.
We then show that these tasks are in fact universal in
this setting: we show how we can use them to realize Secure
Multi-Party Computation.
Our main contribution in this paper is threefold: to place the
problem of secure positioning on a sound theoretical footing; to
prove a strong impossibility result that simultaneously shows the
insecurity of previous attempts at the problem; and to present
positive results by showing that the bounded-retrieval framework is,
in fact, one of the "right" frameworks (there may be others) to
study the foundations of position-based cryptography.
Sampling of min-entropy relative to quantum knowledge
Let X_1, ..., X_n be a sequence of n classical random variables and consider
a sample of r positions selected at random. Then, except with (exponentially in
r) small probability, the min-entropy of the sample is not smaller than,
roughly, a fraction r/n of the total min-entropy of all positions X_1, ...,
X_n, which is optimal. Here, we show that this statement, originally proven by
Vadhan [LNCS, vol. 2729, Springer, 2003] for the purely classical case, is
still true if the min-entropy is measured relative to a quantum system. Because
min-entropy quantifies the amount of randomness that can be extracted from a
given random variable, our result can be used to prove the soundness of locally
computable extractors in a context where side information might be
quantum-mechanical. In particular, it implies that key agreement in the
bounded-storage model (using a standard sample-and-hash protocol) is fully
secure against quantum adversaries, thus solving a long-standing open problem.
Comment: 48 pages, late
Simple Schemes in the Bounded Storage Model
The bounded storage model promises unconditional security
proofs against computationally unbounded adversaries, so long as the
adversary’s space is bounded. In this work, we develop simple new constructions
of two-party key agreement, bit commitment, and oblivious
transfer in this model. In addition to simplicity, our constructions have
several advantages over prior work, including an improved number of
rounds and enhanced correctness. Our schemes are based on Raz's lower
bound for learning parities.
Authentication in the Bounded Storage Model
We consider the streaming variant of the Bounded Storage Model (BSM), where the honest parties can stream large amounts of data to each other, while only maintaining a small memory of size . The adversary also operates as a streaming algorithm, but has a much larger memory size . The goal is to construct unconditionally secure cryptographic schemes in the BSM, and prior works did so for symmetric-key encryption, key agreement, oblivious transfer and multiparty computation. In this work, we construct message authentication and signatures in the BSM.
First, we consider the symmetric-key setting, where Alice and Bob share a small secret key. Alice can authenticate arbitrarily many messages to Bob by streaming long authentication tags of size , while ensuring that the tags can be generated and verified using only bits of memory. We show a solution using local extractors (Vadhan; JoC '04), which allows for up to exponentially large adversarial memory , and has tags of size .
Second, we consider the same setting as above, but now additionally require each individual tag to be small, of size . We show a solution is still possible when the adversary's memory is , which is optimal. Our solution relies on a space lower bound for learning parities (Raz; FOCS '16).
Third, we consider the public-key signature setting. A signer Alice initially streams a long verification key over an authentic channel, while only keeping a short signing key in her memory. A verifier Bob receives the streamed verification key and generates some short verification digest that he keeps in his memory. Later, Alice can sign arbitrarily many messages using her signing key by streaming the signatures to Bob, who can verify them using his verification digest. We show a solution for , which we show to be optimal. Our solution relies on a novel entropy lemma, of independent interest. We show that, if a sequence of blocks has sufficiently high min-entropy, then a large fraction of individual blocks must have high min-entropy. Naive versions of this lemma are false, but we show how to patch it to make it hold.
Incompressible Cryptography
Incompressible encryption allows us to make the ciphertext size flexibly large and ensures that an adversary learns nothing about the encrypted data, even if the decryption key later leaks, unless she stores essentially the entire ciphertext. Incompressible signatures can be made arbitrarily large and ensure that an adversary cannot produce a signature on any message, even one she has seen signed before, unless she stores one of the signatures essentially in its entirety.
In this work, we give simple constructions of both incompressible public-key encryption and signatures under minimal assumptions. Furthermore, large incompressible ciphertexts (resp. signatures) can be decrypted (resp. verified) in a streaming manner with low storage. In particular, these notions strengthen the related concepts of disappearing encryption and signatures, recently introduced by Guan and Zhandry (TCC 2021), whose previous constructions relied on sophisticated techniques and strong, non-standard assumptions. We extend our constructions to achieve an optimal rate , meaning the large ciphertexts (resp. signatures) can contain almost equally large messages, at the cost of stronger assumptions.
Non-Malleability against Polynomial Tampering
We present the first explicit construction of a non-malleable code that can handle tampering functions that are bounded-degree polynomials.
Prior to our work, this was only known for degree-1 polynomials (affine tampering functions), due to Chattopadhyay and Li (STOC 2017). As a direct corollary, we obtain an explicit non-malleable code that is secure against tampering by bounded-size arithmetic circuits.
We show applications of our non-malleable code in constructing non-malleable secret sharing schemes that are robust against bounded-degree polynomial tampering. In fact our result is stronger: we can handle adversaries that can adaptively choose the polynomial tampering function based on initial leakage of a bounded number of shares.
Our results are derived from explicit constructions of seedless non-malleable extractors that can handle bounded-degree polynomial tampering functions. Prior to our work, no such result was known even for degree-2 (quadratic) polynomials.