24 research outputs found

    Semantic Security Under Related-Key Attacks and Applications

    In a related-key attack (RKA) an adversary attempts to break a cryptographic primitive by invoking the primitive with several secret keys which satisfy some known, or even chosen, relation. We initiate a formal study of RKA security for randomized encryption schemes. We begin by providing general definitions for semantic security under passive and active RKAs. We then focus on RKAs in which the keys satisfy known linear relations over some Abelian group. We construct simple and efficient schemes which resist such RKAs even when the adversary can choose the linear relation adaptively during the attack. More concretely, we present two approaches for constructing RKA-secure encryption schemes. The first is based on standard randomized encryption schemes which additionally satisfy a natural "key-homomorphism" property. We instantiate this approach under number-theoretic or lattice-based assumptions such as the Decisional Diffie-Hellman (DDH) assumption and the Learning Noisy Linear Equations assumption. Our second approach is based on RKA-secure pseudorandom generators. This approach can yield either deterministic, one-time use schemes with optimal ciphertext size or randomized unlimited use schemes. We instantiate this approach by constructing a simple RKA-secure pseudorandom generator under a variant of the DDH assumption. Finally, we present several applications of RKA-secure encryption by showing that previous protocols which made a specialized use of random oracles in the form of operation respecting synthesizers (Naor and Pinkas, Crypto 1999) or correlation-robust hash functions (Ishai et al., Crypto 2003) can be instantiated with RKA-secure encryption schemes. This includes the Naor-Pinkas protocol for oblivious transfer (OT) with adaptive queries, the IKNP protocol for batch-OT, the optimized garbled circuit construction of Kolesnikov and Schneider (ICALP 2008), and other results in the area of secure computation. Hence, by plugging in our constructions we get instances of these protocols that are provably secure in the standard model under standard assumptions.
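    A worked illustration of the key-homomorphism idea the abstract relies on, added here and not taken from the paper: a toy DDH-style symmetric scheme over a small safe-prime group in which a ciphertext under key k can be turned into one under k + delta without knowing k or the plaintext, so related-key queries with additive (linear) relations can be answered from ordinary encryption queries. The prime 1019, the generator 4, the treatment of messages as group elements, and every function and class name are this example's own choices; the paper's actual constructions, definitions and proofs are in the paper and this toy is not one of them.

```python
"""Added example (not from the paper): a toy DDH-style symmetric scheme with the
key-homomorphism property, and how that property lets related-key queries
k -> k + delta (linear relations over Z_q) be answered from plain encryptions.
"""
import secrets

# Toy safe prime p = 2q + 1 (assumption: chosen here for readability only;
# a real instantiation needs a 2048-bit or larger prime-order group).
P = 1019
Q = (P - 1) // 2        # 509, prime: order of the quadratic-residue subgroup
G = 4                   # 2^2 generates that order-q subgroup


def keygen():
    """Secret key k is a scalar in Z_q; related keys are k + delta mod q."""
    return secrets.randbelow(Q - 1) + 1


def encrypt(k, m, r=None):
    """Enc_k(m) = (g^r, g^{rk} * m). The coins r are exposed only so the example
    can compare key-shifted ciphertexts with fresh ones under the same coins."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    c2 = pow(c1, k, P) * m % P
    return c1, c2


def decrypt(k, ct):
    """Strip the mask g^{rk} using c1^{-k}; c1 has order q, so -k is taken mod q."""
    c1, c2 = ct
    return c2 * pow(c1, (-k) % Q, P) % P


def shift_key(ct, delta):
    """Key homomorphism: turn Enc_k(m) into Enc_{k+delta}(m) with the same coins,
    knowing neither k nor m: (c1, c2 * c1^delta) = (g^r, g^{r(k+delta)} * m)."""
    c1, c2 = ct
    return c1, c2 * pow(c1, delta, P) % P


class RelatedKeyOracle:
    """What the adversary sees in the real RKA game: it chooses delta (the
    linear relation, adaptively) and m, and receives Enc_{k+delta}(m)."""

    def __init__(self, k):
        self._k = k

    def query(self, delta, m, r=None):
        return encrypt((self._k + delta) % Q, m, r)


class SimulatedOracle:
    """Same interface, but backed only by an ordinary encryption oracle for k.
    Each related-key query is answered by shifting a plain ciphertext, so the
    adversary's chosen relations buy it nothing beyond CPA queries; this is
    the mechanism a reduction to ordinary semantic security builds on."""

    def __init__(self, plain_encrypt):
        self._enc = plain_encrypt

    def query(self, delta, m, r=None):
        return shift_key(self._enc(m, r), delta)


def simulation_is_exact(k, delta, m, r):
    """Real and simulated answers coincide ciphertext-for-ciphertext, not just
    in distribution, when both use the same coins r."""
    real = RelatedKeyOracle(k).query(delta, m, r)
    plain = lambda msg, coins: encrypt(k, msg, coins)   # CPA oracle for k only
    simulated = SimulatedOracle(plain).query(delta, m, r)
    return real == simulated


def roundtrip_under_shifted_key(k, delta, m):
    """A shifted ciphertext decrypts correctly under the related key k + delta."""
    ct = shift_key(encrypt(k, m), delta)
    return decrypt((k + delta) % Q, ct) == m


if __name__ == "__main__":
    k = keygen()
    m = pow(G, 77, P)            # constructed test message: any subgroup element
    assert decrypt(k, encrypt(k, m)) == m
    assert roundtrip_under_shifted_key(k, 123, m)
    assert simulation_is_exact(k, 123, m, 5)
    print("key-homomorphic related-key simulation checks out")
```

The point to take from the simulator is that the adversary's adaptively chosen delta is consumed entirely on the simulator's side of the interface: a scheme with this property turns an additive related-key query into a plain chosen-plaintext query plus public post-processing. A scheme without it (one where the key enters through an opaque non-homomorphic function) offers no such translation, which is why the abstract singles the property out.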

    Compression and SSD: Where and How?

    Compression is widely used in storage systems to reduce the amount of data that is written to physical storage devices, in order to improve both bandwidth and price per GB. In SSDs, which use NAND flash devices, compression also helps to improve endurance, which is limited to a fixed number of raw bytes written to the media, and to reduce garbage-collection overheads. Compression is typically implemented in one of three layers: the application, the file system or the firmware of the storage device. Our main findings are that compression embedded within the SSD outperforms the built-in host-side compression engines of a well-known database and file systems. Therefore we focus on intra-SSD compression schemes. We investigate the effects of compression granularity and the arrangement of compressed data in NAND flash pages on data reduction and the lifetime of the SSD. We compare several schemes in this design space, some taken from the literature and some new.

    On the Compressibility of NP Instances and Cryptographic Applications

    We study compression that preserves the solution to an instance of a problem rather than preserving the instance itself. Our focus is on the compressibility of NP decision problems. We consider NP problems that have long instances but relatively short witnesses. The question is, can one efficiently compress an instance and store a shorter representation that maintains the information of whether the original input is in the language or not. We want the length of the compressed instance to be polynomial in the length of the witness and polylog in the length of the original input. We discuss the differences between this notion and similar notions from parameterized complexity. Such compression makes it possible to succinctly store instances until a future setting will allow solving them, either via a technological or algorithmic breakthrough or simply until enough time has elapsed. We give a new classification of NP with respect to compression. This classification forms a stratification of NP that we call the VC hierarchy. The hierarchy is based on a new type of reduction called W-reduction and there are compression-complete problems for each class. Our motivation for studying this issue stems from the vast cryptographic implications compressibility has. For example, we say that SAT is compressible if there exists a polynomial p(·, ·) so that given

    Electronic Colloquium on Computational Complexity, Report No. 22 (2006): On the Compressibility of NP Instances and Cryptographic Applications

    We initiate the study of the compressibility of NP problems. We consider NP problems that have long instances but relatively short witnesses. The question is, can one efficiently compress an instance and store a shorter representation that maintains the information of whether the original input is in the language or not. We want the length of the compressed instance to be polynomial in the length of the witness rather than the length of the original input. Such compression makes it possible to succinctly store instances until a future setting will allow solving them, either via a technological or algorithmic breakthrough or simply until enough time has elapsed. We give a new classification of NP with respect to compression. This classification forms a stratification of NP that we call the VC hierarchy. The hierarchy is based on a new type of reduction called W-reduction and there are compression-complete problems for each class. Our motivation for studying this issue stems from the vast cryptographic implications compressibility has. For example, suppose that SAT is compressible, that is, there exists a polynomial p(·, ·) so that given a formula consisting of m clauses over n variables it is possible to come up with an equivalent (w.r.t. satisfiability) formula of size at most p(n, log m). Then if the reduction is what we call witness retrievabl