On Constructing Locally Computable Extractors and Cryptosystems in the Bounded Storage Model

Vadhan, Salil

doi:10.1007/978-3-540-45146-4_4

Cited by 75 publications

(141 citation statements)

References 30 publications

Supporting

Mentioning

136

Contrasting

Order By: Relevance

“…On the other hand an eavesdropper who can store up to a constant fraction of R (e.g. 1 2 r bits) cannot learn anything about the messages (this was shown initially in [2] and improved in [1,9,11,20] and ultimately in [27]). These encryption schemes have the important property called everlasting security (put forward in [1,9]), where once the broadcast is over and R is no longer accessible then the message remains secure even if the private key is exposed and Charlie gains stronger storage capabilities.…”

Section: The Bounded Storage Modelmentioning

confidence: 99%

“…However, it is not efficient in the sense that the number of bits read from the random oracle is far larger than the actual key. This may be greatly improved by using one of the known schemes for private key encryption in the regular (non-hybrid) bounded storage model, such as the scheme in [20,27]. The ensuing hybrid scheme that is described next achieves comparable parameters to the scheme of [27].…”

Section: Everlasting Security With a Random Oraclementioning

confidence: 99%

“…Loosely speaking, a locally computable strong extractor [27] is a strong randomness extractor 3 with the additional property that the extractor computes its output while reading only a small number of bits from the source. A construction of such an extractor is shown in [27] with seed length O(log r + log 1 ε ) that reads only O(k + log 1 ε ) bits of the source. In the efficient scheme, Alice and Bob use the key SK as a seed to a locally computable strong extractor Ext.…”

Section: Everlasting Security With a Random Oraclementioning

confidence: 99%

See 2 more Smart Citations

On Everlasting Security in the Hybrid Bounded Storage Model

Harnik

Naor

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The bounded storage model (BSM) bounds the storage space of an adversary rather than its running time. It utilizes the public transmission of a long random string R of length r, and relies on the assumption that an eavesdropper cannot possibly store all of this string. Encryption schemes in this model achieve the appealing property of everlasting security. In short, this means that an encrypted message remains secure even if the adversary eventually gains more storage or gains knowledge of (original) secret keys that may have been used. However, if the honest parties do not share any private information in advance, then achieving everlasting security requires high storage capacity from the honest parties (storage of Ω( √ r), as shown in [10]). We consider the idea of a hybrid bounded storage model were computational limitations on the eavesdropper are assumed up until the time that the transmission of R has ended. For example, can the honest parties run a computationally secure key agreement protocol in order to agree on a shared private key for the BSM, and thus achieve everlasting security with low memory requirements? We study the possibility and impossibility of everlasting security in the hybrid bounded storage model. We start by formally defining the model and everlasting security for this model. We show the equivalence of two flavors of definitions: indistinguishability of encryptions and semantic security.On the negative side, we show that everlasting security with low storage requirements cannot be achieved by black-box reductions in the hybrid BSM. This serves as a further indication to the hardness of achieving low storage everlasting security, adding to previous results of this nature [10,18]. On the other hand, we show two augmentations of the model that allow for low storage everlasting security. The first is by adding a random oracle to the model, while the second bounds the accessibility of the adversary to the broadcast string R. Finally, we show that in these two modified models, there also exist bounded storage oblivious transfer protocols with low storage requirements.

show abstract

Section: The Bounded Storage Modelmentioning

confidence: 99%

Section: Everlasting Security With a Random Oraclementioning

confidence: 99%

Section: Everlasting Security With a Random Oraclementioning

confidence: 99%

See 1 more Smart Citation

On Everlasting Security in the Hybrid Bounded Storage Model

Harnik

Naor

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Most of the previous work on the bounded storage model concentrated on private key encryption [19,10,2,1,14,15,18,25], Key Agreement [10] and Oblivious Transfer [9,12,13]. In contrast, the notion of non-interactive timestamping cannot be implemented in the "standard cryptographic setting".…”

Section: The Bounded Storage Modelmentioning

confidence: 99%

“…A stronger notion of efficiency called "locally-computable" was suggested in [25]. It requires the honest players to store a small substring of the string r. More precisely, the players need to choose a subset S ⊆ [R] before the random string is transmitted and only store r| S .…”

Section: Online Versus Locally-computablementioning

confidence: 99%

Non-interactive Timestamping in the Bounded Storage Model

Moran

Shaltiel

Ta-Shma

2004

Advances in Cryptology – CRYPTO 2004

View full text Add to dashboard Cite

Abstract.A timestamping scheme is non-interactive if a stamper can stamp a document without communicating with any other player. The only communication done is at validation time. Non-Interactive timestamping has many advantages, such as information theoretic privacy and enhanced robustness. Unfortunately, no such scheme exists against polynomial time adversaries that have unbounded storage at their disposal. In this paper we show non-interactive timestamping is possible in the bounded storage model. In this model it is assumed that all parties participating in the protocol have small storage, and that in the beginning of the protocol a very long random string (which is too long to be stored by the players) is transmitted. To the best of our knowledge, this is the first example of a cryptographic task that is possible in the bounded storage model, but is impossible in the "standard cryptographic setting", even assuming cryptographic assumptions. We give an explicit construction that is secure against all bounded storage adversaries, and a significantly more efficient construction secure against all bounded storage adversaries that run in polynomial time.

show abstract

Improved Real‐Time Post‐Processing for Quantum Random Number Generators

Li,

Sun,

Zhang

et al. 2024

Adv Quantum Tech

View full text Add to dashboard Cite

Randomness extraction is a key problem in cryptography and theoretical computer science. With the recent rapid development of quantum cryptography, quantum‐proof randomness extraction has also been widely studied, addressing the security issues in the presence of a quantum adversary. In contrast with conventional quantum‐proof randomness extractors characterizing the input raw data as min‐entropy sources, it is found that the input raw data generated by a large class of trusted‐device quantum random number generators can be characterized as the so‐called reverse block source. This fact enables us to design improved extractors. Two novel quantum‐proof randomness extractors for reverse block sources that realize real‐time block‐wise extraction are proposed specifically. In comparison with the general min‐entropy randomness extractors, the designs achieve a significantly higher extraction speed and a longer output data length with the same seed length. In addition, they enjoy the property of online algorithms, which process the raw data on the fly without waiting for the entire input raw data to be available. These features make the design an adequate choice for the real‐time post‐processing of practical quantum random number generators. Applying the extractors to the raw data generated by a widely used quantum random number generator, a simulated extraction speed as high as 300 Gbps is achieved.

show abstract

On Constructing Locally Computable Extractors and Cryptosystems in the Bounded Storage Model

Cited by 75 publications

References 30 publications

On Everlasting Security in the Hybrid Bounded Storage Model

On Everlasting Security in the Hybrid Bounded Storage Model

Non-interactive Timestamping in the Bounded Storage Model

Improved Real‐Time Post‐Processing for Quantum Random Number Generators

Contact Info

Product

Resources

About