Conditionally-perfect secrecy and a provably-secure randomized cipher
Journal of Cryptology - Eurocrypt '90
Encryption against Storage-Bounded Adversaries from On-Line Strong Extractors
Journal of Cryptology
Intrusion-Resilient Secret Sharing
FOCS '07 Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
Leakage-Resilient Cryptography
FOCS '08 Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science
Simultaneous Hardcore Bits and Cryptography against Memory Attacks
TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Intrusion-resilient key exchange in the bounded retrieval model
TCC'07 Proceedings of the 4th conference on Theory of cryptography
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Intrusion-Resilience via the bounded-storage model
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Perfectly secure password protocols in the bounded retrieval model
TCC'06 Proceedings of the Third conference on Theory of Cryptography
Hi-index | 0.00 |
Forward-Secure Storage (FSS) was introduced by Dziembowski (CRYPTO 2006). Informally, FSS is an encryption scheme (Encr, Decr) that has the following non-standard property: even if the adversary learns the value of some function h of the ciphertext C = Encr(K,M), he should have essentially no information on the corresponding plaintext M, even if he knows the key K. The only restriction is that h is input-shrinking, i.e. |h(R)| ≤ σ, where σ is some parameter such that σ ≤ |C|. We study the problem of minimizing the length of the secret key in the IT-secure FSS, and we establish an almost optimal lower bound on the length of the secret key. The secret key of the FSS scheme of Dziembowski has length |M|+O(log σ). We show that in every FSS the secret key needs to have length at least |M| + log2 σ-O(log2 log2 σ).