On Perfect and Adaptive Security in Exposure-Resilient Cryptography
- 1.8k Downloads
We consider the question of adaptive security for two related cryptographic primitives: all-or-nothing transforms and exposure-resilient functions. Both are concerned with retaining security when an intruder learns some bits of a string which is supposed to be secret: all-or-nothing transforms (AONT) protect their input even given partial knowledge of the output; exposure-resilient functions (ERF) hide their output even given partial exposure of their input. Both of these primitives can be defined in the perfect, statistical and computational settings and have a variety of applications in cryptography. In this paper, we study how these notions fare against adaptive adversaries, who may choose which positions of a secret string to observe on the fly.
In the perfect setting, we prove a new, strong lower bound on the constructibility of (perfect) AONT. This applies to both standard and adaptively secure AONT. In particular, to hide an input as short as log n bits, the adversary must see no more than half of the n-bit output. This bound also provides a new impossibility result on the existence of (ramp) secret-sharing schemes  and relates to a combinatorial problem of independent interest: finding “balanced” colorings of the hypercube.
In the statistical setting, we show that adaptivity adds strictly more power to the adversary. We relate and reduce the construction of adaptive ERF's to that of almost-perfect resilient functions , for which the adversary can actually set some of the input positions and still learn nothing about the output. We give a probabilistic construction of these functions which is essentially optimal and substantially improves on previous constructions of [19, 5]. As a result, we get nearly optimal adaptively secure ERF's and AONT's. Finally, extending the statistical construction we obtain optimal computational adaptive ERF's, “public-value” AONT's and resilient functions.
KeywordsBlock Cipher Pseudorandom Generator Perfect Setting Computational Setting Balance Coloring
- 1.M. Bellare and A. Boldyreva. The Security of Chaffing and Winnowing. In Proc. of Asiacrypt, 2000.Google Scholar
- 2.M. Bellare, J. Rompel. Randomness-Efficient Oblivious Sampling. In Proc. of 35th FOCS, pp. 276–287, 1994.Google Scholar
- 5.J. Bierbrauer, H. Schellwat. Almost Independent and Weakly Biased Arrys: Efficient Constructions and Cryptologic Applications. In Proc. of CRYPTO, pp. 531–543, 2000.Google Scholar
- 6.G. R. Blakley and C. Meadows. Security of Ramp Schemes. In Proc. of CRYPTO, pp. 242–268, 1984.Google Scholar
- 7.M. Blaze. High Bandwidth Encryption with low-bandwidth smartcards. In Fast Software Encryption, pp. 33–40, 1996.Google Scholar
- 8.C. Blundo, A. De Santis, U. Vaccaro. Efficient Sharing of Many Secrets. In Proc. of STACS, LNCS 665, pp. 692–703, 1993.Google Scholar
- 9.V. Boyko. On the Security Properties of the OAEP as an All-or-Nothing Transform. In Proc. of Crypto, pp. 503–518, 1999.Google Scholar
- 10.R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz and A. Sahai. Exposure-Resilient Functions and All-Or-Nothing Transforms. In Proc. of EuroCrypt, 2000.Google Scholar
- 12.B. Chor, J. Friedman, O. Goldreich, J. Håstad, S. Rudich, R. Smolensky. The Bit Extraction Problem or t-resilient Functions. In Proc. of FOCS, pp. 396–407, 1985.Google Scholar
- 13.Y. Dodis. Exposure-Resilient Cryptography. Ph.D. Thesis., MIT, 2000.Google Scholar
- 14.A. Desai. The security of All-or-Nothing Encryption: Protecting Against Exhaustive Key Search In Proc. of CRYPTO, pp. 359–375, 2000.Google Scholar
- 15.J. Friedman. On the Bit Extraction Problem In Proc. of FOCS, pp. 314–319, 1992.Google Scholar
- 16.O. Goldreich. Foundations of Cryptography (Fragments of a Book). URL: http://www.wisdom.weizmann.ac.il/home/oded/public html/frag.html
- 18.M. Jakobsson, J. Stern, M. Yung. Scramble All, Encrypt Small. In Proc. of Fast Software Encryption, pp. 95–111, 1999.Google Scholar
- 19.K. Kurosawa, T. Johansson and D. Stinson. Almost k-wise independent sample spaces and their cryptologic applications. Submitted to J. of Cryptology, preliminary version appeared in Proc. of EuroCrypt, pp. 409–421, 1997.Google Scholar
- 20.S. Matyas, M. Peyravian and A. Roginsky. Encryption of Long Blocks Using a Short-Block Encryption Procedure. Available at http://grouper.ieee.org/groups/1363/P1363a/LongBlock.html.
- 22.L. H. Ozarow and A. D. Wyner. Wire-Tap Channel II In Proc. of EUROCRYPT, pp. 33–50, 1984.Google Scholar
- 24.R. Rivest. Chaffing and Winnowing: Confidentiality without Encryption. CryptoBytes (RSA Laboratories), 4(1):12–17, 1998.Google Scholar
- 27.L. Trevisan and S. Vadhan. Extracting randomness from samplable distributions In Proc. of FOCS, 2000.Google Scholar