On Everlasting Security in the Hybrid Bounded Storage Model

  • Danny Harnik
  • Moni Naor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4052)


The bounded storage model (BSM) bounds the storage space of an adversary rather than its running time. It utilizes the public transmission of a long random string \({\cal R}\) of length r, and relies on the assumption that an eavesdropper cannot possibly store all of this string. Encryption schemes in this model achieve the appealing property of everlasting security. In short, this means that an encrypted message remains secure even if the adversary eventually gains more storage or gains knowledge of (original) secret keys that may have been used. However, if the honest parties do not share any private information in advance, then achieving everlasting security requires high storage capacity from the honest parties (storage of \(\Omega(\sqrt{r})\), as shown in [9]).

We consider the idea of a hybrid bounded storage model were computational limitations on the eavesdropper are assumed up until the time that the transmission of \({\cal R}\) has ended. For example, can the honest parties run a computationally secure key agreement protocol in order to agree on a shared private key for the BSM, and thus achieve everlasting security with low memory requirements? We study the possibility and impossibility of everlasting security in the hybrid bounded storage model. We start by formally defining the model and everlasting security for this model. We show the equivalence of two flavors of definitions: indistinguishability of encryptions and semantic security.

On the negative side, we show that everlasting security with low storage requirements cannot be achieved by black-box reductions in the hybrid BSM. This serves as a further indication to the hardness of achieving low storage everlasting security, adding to previous results of this nature [9, 15]. On the other hand, we show two augmentations of the model that allow for low storage everlasting security. The first is by adding a random oracle to the model, while the second bounds the accessibility of the adversary to the broadcast string \({\cal R}\). Finally, we show that in these two modified models, there also exist bounded storage oblivious transfer protocols with low storage requirements.


Hybrid Scheme Random Oracle Oblivious Transfer Private Information Retrieval Polynomial Time Adversary 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aumann, Y., Ding, Y.Z., Rabin, M.O.: Everlasting security in the bounded storage model. IEEE Transactions on Information Theory 48(6), 1668–1680 (2002)MATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    Aumann, Y., Rabin, M.O.: Information theoretically secure communication in the limited storage space model. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 65–79. Springer, Heidelberg (1999)Google Scholar
  3. 3.
    Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer with a memory-bound receiver. In: 39th IEEE FOCS, pp. 493–502 (1998)Google Scholar
  4. 4.
    Cachin, C., Maurer, U.: Unconditional security against memory-bound adversaries. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 292–306. Springer, Heidelberg (1997)Google Scholar
  5. 5.
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM 51(4), 557–594 (2004)CrossRefMathSciNetMATHGoogle Scholar
  6. 6.
    Ding, Y.Z.: Oblivious transfer in the bounded storage model. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 155–170. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Ding, Y.Z., Harnik, D., Rosen, A., Shaltiel, R.: Constant round oblivious transfer in the bounded storage model. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 446–472. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  8. 8.
    Ding, Y.Z., Rabin, M.O.: Hyper-encryption and everlasting security. In: STACS, pp. 1–26 (2002)Google Scholar
  9. 9.
    Dziembowski, S., Maurer, U.: On generating the initial key in the bounded-storage model. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 126–137. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Dziembowski, S., Maurer, U.: Optimal randomizer efficiency in the bounded-storage model. Journal of Cryptology 17(1), 5–26 (2004)MATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Communications of the ACM 28(6), 637–647 (1985)CrossRefMathSciNetGoogle Scholar
  12. 12.
    Goldwasser, S., Tauman Kalai, Y.: On the (in)security of the fiat-shamir paradigm. In: 44th IEEE FOCS, pp. 102–111 (2003)Google Scholar
  13. 13.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of the ACM 28(4), 270–299 (1984)MATHMathSciNetGoogle Scholar
  14. 14.
    D. Harnik and M. Naor. On everlasting security in the hybrid bounded storage model,
  15. 15.
    Harnik, D., Naor, M.: On the compressibility of NP instances and cryptographic applications. In: ECCC, TR06-022 (2006)Google Scholar
  16. 16.
    Lu, C.: Encryption against space-bounded adversaries from on-line strong extractors. Journal of Cryptology 17(1), 27–42 (2004)MATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Maurer, U.: Conditionally-perfect secrecy and a provably-secure randomized cipher. Journal of Cryptology 5(1), 53–66 (1992)MATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and kdcs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999)Google Scholar
  20. 20.
    Rabin, M.O.: How to exchange secrets by oblivious transfer. In: TR-81, Harvard (1981)Google Scholar
  21. 21.
    Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Vadhan, S.P.: Constructing locally computable extractors and cryptosystems in the bounded storage model. Journal of Cryptology 17(1), 43–77 (2004)MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Danny Harnik
    • 1
  • Moni Naor
    • 2
  1. 1.Dept. of Computer ScienceTechnionHaifaIsrael
  2. 2.Dept. of Computer Science and Applied Math.Weizmann Institute of ScienceRehovotIsrael

Personalised recommendations