Hyper-encryption against space-bounded adversaries from on-line strong extractors


Abstract

We study the problem of information-theoretically secure encryption in the bounded-storage model introduced by Maurer [10]. The sole assumption of this model is a bound on the storage of an eavesdropper Eve, who is otherwise allowed to be computationally unbounded. Suppose a sender Alice and a receiver Bob have agreed on a short private key beforehand, and there is a long public random string accessible to all parties, say broadcast from a satellite or sent by Alice. Because of her limited storage, Eve can store only partial information about this long random string. Alice and Bob read the public random string using the shared private key and produce a one-time pad for encryption or decryption. In this setting, Aumann, Ding, and Rabin [2] proposed protocols with a nice property called everlasting security, which says that security holds even if Eve later manages to obtain the private key. Ding and Rabin [5] gave a better analysis showing that the same private key can be securely reused an exponential number of times, against some adaptive attacks. We study this problem from the approach of constructing randomness extractors ([13,11,16,15] and more), which seems to provide a more intuitive understanding together with some powerful tools. A strong extractor is a function which purifies randomness from a slightly random source using a short random seed as a catalyst, so that its output and its seed together look almost random. We show that any strong extractor immediately yields an encryption scheme with the nice security properties of [2,5]. To have an efficient encryption scheme, we need strong extractors which can be evaluated in an on-line and efficient way. We give one such construction. This yields an encryption scheme which has the same nice security properties as before but can now encrypt longer messages using a shorter private key. In addition, our scheme works even when the long public random string is not perfectly random, as long as it contains a sufficient amount of randomness.

Lu, C. J. (2002). Hyper-encryption against space-bounded adversaries from on-line strong extractors. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2442, pp. 257–271). Springer Verlag. https://doi.org/10.1007/3-540-45708-9_17
