Encryption against Storage-Bounded Adversaries from On-Line Strong Extractors

摘要

We study the problem of information-theoretically secure encryption in the bounded-storage model introduced by Maurer. The sole assumption of this model is a limited storage bound on an eavesdropper Eve, who is even allowed to be computationally unbounded. Suppose a sender Alice and a receiver Bob agreed on a short private key beforehand, and there is a long public random string accessible by all parties, say broadcast from a satellite or sent by Alice. Eve can only store some partial information of this long random string due to her limited storage. Alice and Bob read the public random string using the shared private key, and produce a one-time pad for encryption or decryption. In this setting, Aumann et al. proposed protocols with a nice property called everlasting security, which says that the security holds even if Eve later manages to obtain that private key. Ding and Rabin gave a better analysis showing that the same private key can be securely reused for an exponential number of times, against some adaptive attacks. We show that an encryption scheme with such nice properties can be derived immediately from any strong randomness extractor, a function which extracts randomness from a slightly random source, so that its output and its seed together are almost random. To have an efficient encryption scheme, one needs a strong extractor that can be evaluated in an on-line and efficient way. We give one such construction, which yields an encryption scheme that has the nice security properties as before but now can encrypt longer messages using shorter private keys.