Hyper-encryption and everlasting security


Abstract

We present substantial extensions of the works [1], [2], and of all previous work, on encryption in the bounded storage model introduced by Maurer in [25]. The major new result is that the shared secret key employed by the sender Alice and the receiver Bob can be re-used to send an exponential number of messages, against strong adaptive attacks. This essential step enhances the usability of the encryption method, and also allows the strong authentication and non-malleability described below. We give an encryption scheme that is provably secure against adaptive attacks by a computationally unbounded adversary in the bounded storage model. In the model, a sender Alice and a receiver Bob have access to a public random string α, and share a secret key s. Alice and Bob observe α on the fly, and by use of s extract bits from which they create a one-time pad X used to encrypt M as C = X ⊕ M. The size of the secret key s is |s| = k log2 |α|, where k is a security parameter. An adversary AD can compute and store any function A1(α) = η, subject to the bound on storage |η| ≤ γ · |α|, γ < 1, and captures C. Even if AD later gets the key s and is computationally unbounded, the encryption is provably secure. Assume that the key s is repeatedly used with successive strings α1, α2, … to produce encryptions C1, C2, … of messages M1, M2, …. AD computes η1 = A1(α1), obtains C1, and gets to see the first message M1. Using these he computes and stores η2 = A1(α2, η1, C1, M1), and so on. When he has stored ηl and captured Cl, he gets the key s (but not Ml). The main result is that the encryption Cl is provably secure against this adaptive attack, where l, the number of times the secret key s is re-used, is exponentially large in the security parameter k. On this we base non-interactive protocols for authentication and non-malleability. Again, the shared secret key used in these protocols can be securely re-used an exponential number of times against adaptive attacks.
The method of proof is stronger than the one in [1], [2], and yields ergodic results of independent interest. We discuss in the Introduction the feasibility of the bounded storage model, and outline a solution. Furthermore, the existence of an encryption scheme with the provable strong security properties presented here may prompt other implementations of the bounded storage model.
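A runnable toy model of the setting the abstract describes, added here as an illustration; it is not code from Ding and Rabin's paper and does not reproduce their hyper-encryption construction. It assumes one concrete (simplified) way of turning α and s into a pad: α is viewed as n blocks of L bits, s is k offsets into a block, and pad bit j is the XOR of the k selected bits of block j, which gives |s| = k·log2 L as in the abstract. The adversary modelled is one specific strategy, storing a γ fraction of α's bit positions; the paper's adversary may store any function η = A1(α) with |η| ≤ γ|α|. The constants L, K, N_BITS and GAMMA are constructed for the example.

```python
"""Toy bounded-storage-model encryption (added illustration, not the paper's scheme).

Assumed pad derivation: alpha = n blocks of L bits; s = k offsets in [0, L);
pad bit j = XOR of alpha[j*L + off] for off in s.  Hence |s| = k * log2(L) bits.
The adversary here stores a gamma fraction of alpha's bit positions (one
strategy); the model in the paper allows any stored function of alpha.
"""
import math
import secrets
from functools import reduce
from random import SystemRandom

L = 4096        # block length (constructed)
K = 8           # security parameter k: number of offsets in the key
N_BITS = 16     # message length n; |alpha| = N_BITS * L bits
GAMMA = 0.5     # adversary storage bound: |eta| <= GAMMA * |alpha|


def key_size_bits(k=K, block_len=L):
    """|s| = k * log2|block|: each of the k offsets costs log2(L) bits."""
    return k * math.ceil(math.log2(block_len))


def gen_key(k=K, block_len=L):
    """Shared secret key s: k distinct offsets into a block."""
    s = set()
    while len(s) < k:
        s.add(secrets.randbelow(block_len))
    return sorted(s)


def random_string(nbits):
    """Public random string alpha as a list of 0/1 ints (constructed)."""
    return [secrets.randbits(1) for _ in range(nbits)]


def pad_from_stream(alpha_stream, s, n_bits=N_BITS, block_len=L):
    """Alice/Bob observe alpha on the fly: one pass, keeping only the k bits per
    block that s selects, so neither party ever stores alpha itself."""
    want = set(s)
    acc = [0] * n_bits
    for pos, bit in enumerate(alpha_stream):
        blk, off = divmod(pos, block_len)
        if blk >= n_bits:
            break
        if off in want:
            acc[blk] ^= bit
    return acc


def encrypt(alpha, s, m_bits):
    """C = X xor M with X extracted from alpha using s."""
    x = pad_from_stream(iter(alpha), s, len(m_bits))
    return [xb ^ mb for xb, mb in zip(x, m_bits)]


decrypt = encrypt  # the one-time pad is its own inverse


class BoundedAdversary:
    """Stores an arbitrary GAMMA-fraction subset of alpha's bit positions (eta),
    is handed s afterwards, and tries to recover each pad bit."""

    def __init__(self, gamma=GAMMA):
        self.gamma = gamma
        self.eta = {}

    def observe(self, alpha):
        n = len(alpha)
        budget = int(self.gamma * n)                      # |eta| <= gamma * |alpha|
        keep = SystemRandom().sample(range(n), budget)
        self.eta = {p: alpha[p] for p in keep}

    def attack(self, s, n_bits, block_len=L):
        """Pad bit j is determined only if all k positions of block j were stored;
        one missing position leaves an unstored uniform bit in the XOR, so the
        adversary can do no better than a coin flip and we report None."""
        guess = []
        for j in range(n_bits):
            positions = [j * block_len + off for off in s]
            if all(p in self.eta for p in positions):
                guess.append(reduce(lambda a, b: a ^ b, (self.eta[p] for p in positions)))
            else:
                guess.append(None)
        return guess


def run_session(n_rounds=3, n_bits=N_BITS):
    """Re-use one key s across fresh public strings alpha_1, alpha_2, ...
    Returns per round (decrypt_ok, adversary_guesses_consistent, bits_pinned_down).
    For simplicity eta is refreshed each round rather than carried forward."""
    s = gen_key()
    adv = BoundedAdversary()
    results = []
    for _ in range(n_rounds):
        alpha = random_string(n_bits * L)
        m = [secrets.randbits(1) for _ in range(n_bits)]
        adv.observe(alpha)                 # eta = A_1(alpha), chosen before C is seen
        c = encrypt(alpha, s, m)
        ok = decrypt(alpha, s, c) == m
        guess = adv.attack(s, n_bits)      # adversary now holds s as well as C
        pad = [cb ^ mb for cb, mb in zip(c, m)]
        pinned = sum(g is not None for g in guess)
        consistent = all(g is None or g == pb for g, pb in zip(guess, pad))
        results.append((ok, consistent, pinned))
    return results


if __name__ == "__main__":
    print(run_session())
```

With GAMMA = 0.5 and K = 8 a block's pad bit is fully determined by the stored set with probability about γ^k = 1/256, so across 16 message bits the adversary typically pins down none of them, while Bob, who only needs the k selected bits per block, decrypts every round with the same s.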

Citation (APA)

Ding, Y. Z., & Rabin, M. O. (2002). Hyper-encryption and everlasting security. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2285, pp. 1–26). Springer Verlag. https://doi.org/10.1007/3-540-45841-7_1
