A lower bound on the key length of information-theoretic forward-secure storage schemes

Authors:
Stefan Dziembowski
Affiliations:
Department of Computer Science, University of Rome, La Sapienza
Venue:
ICITS'09 Proceedings of the 4th international conference on Information theoretic security
Year:
2009

Citing 11
Cited 0

Conditionally-perfect secrecy and a provably-secure randomized cipher

Journal of Cryptology - Eurocrypt '90
Encryption against Storage-Bounded Adversaries from On-Line Strong Extractors

Journal of Cryptology
Constructing Locally Computable Extractors and Cryptosystems in the Bounded-Storage Model

Journal of Cryptology
Intrusion-Resilient Secret Sharing

FOCS '07 Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science
Leakage-Resilient Cryptography

FOCS '08 Proceedings of the 2008 49th Annual IEEE Symposium on Foundations of Computer Science
Simultaneous Hardcore Bits and Cryptography against Memory Attacks

TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Intrusion-resilient key exchange in the bounded retrieval model

TCC'07 Proceedings of the 4th conference on Theory of cryptography
On forward-secure storage

CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Intrusion-Resilience via the bounded-storage model

TCC'06 Proceedings of the Third conference on Theory of Cryptography
Perfectly secure password protocols in the bounded retrieval model

TCC'06 Proceedings of the Third conference on Theory of Cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

Forward-Secure Storage (FSS) was introduced by Dziembowski (CRYPTO 2006). Informally, FSS is an encryption scheme (Encr, Decr) that has the following non-standard property: even if the adversary learns the value of some function h of the ciphertext C = Encr(K,M), he should have essentially no information on the corresponding plaintext M, even if he knows the key K. The only restriction is that h is input-shrinking, i.e. |h(R)| ≤ σ, where σ is some parameter such that σ ≤ |C|. We study the problem of minimizing the length of the secret key in the IT-secure FSS, and we establish an almost optimal lower bound on the length of the secret key. The secret key of the FSS scheme of Dziembowski has length |M|+O(log σ). We show that in every FSS the secret key needs to have length at least |M| + log2 σ-O(log2 log2 σ).