On Forward-Secure Storage
We study the problem of secure data storage in the recently introduced Limited Communication Model. We propose a new cryptographic primitive that we call Forward-Secure Storage (FSS). This primitive is a special kind of encryption scheme, which produces huge (5 GB, say) ciphertexts, even from small plaintexts, and has the following non-standard security property. Suppose an adversary gets access to a ciphertext C = E(K,M) and is allowed to compute any function h of C, with the restriction that |h(C)| ≪ |C| (say: |h(C)| = 1 GB). We require that h(C) should give the adversary no information about M, even if he later learns K.
A practical application of this concept is as follows. Suppose a ciphertext C is stored on a machine on which an adversary can install a virus. In many cases it is completely infeasible for the virus to retrieve 1 GB of data from the infected machine. So if the adversary (at some point later) learns K, then M remains secret.
We provide a formal definition of the FSS, propose some FSS schemes, and show that FSS can be composed sequentially in a secure way. We also show connections of the FSS to the theory of compressibility of NP-instances (recently developed by Harnik and Naor).
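As an added illustration of the security property described above (this is not code from the paper or this page), the following toy Python scheme assumes the simplest FSS-style construction: C = (R, H(K, R) ⊕ M), where R is a long random string and H is a hash of K together with every byte of R, with SHA-256 standing in for a random oracle. The sizes (a 1 MiB R and a 4 KiB exfiltration budget instead of 5 GB and 1 GB), the adversary's particular choice of h (keeping a prefix of R), and the deliberately weakened variant whose key stream reads only the first 32 bytes of R are all constructed for the example.

```python
"""Toy forward-secure storage (FSS) illustration.

Assumed construction, not taken from the paper's text:
    E(K, M) = (R, H(K, R) xor M)
with R a long random string and H a hash over K and ALL of R.
SHA-256 stands in for the random oracle; sizes are scaled down.
"""
import hashlib
import os


def stream_full(key: bytes, r: bytes, n: int) -> bytes:
    """n-byte key stream that depends on the key and on every byte of r."""
    seed = hashlib.sha256(key + r).digest()  # reads the whole of r
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def stream_weak(key: bytes, r: bytes, n: int) -> bytes:
    """Deliberately broken variant (constructed for the example): the stream
    only looks at the first 32 bytes of r, so a 32-byte excerpt of the
    ciphertext is enough to decrypt once K leaks."""
    return stream_full(key, r[:32], n)


def fss_encrypt(key: bytes, msg: bytes, r_len: int, stream=stream_full):
    """E(K, M): fresh random R of r_len bytes, plus M masked by the stream."""
    r = os.urandom(r_len)
    mask = stream(key, r, len(msg))
    return r, bytes(a ^ b for a, b in zip(msg, mask))


def fss_decrypt(key: bytes, ct, stream=stream_full) -> bytes:
    """Legitimate decryption: needs K and the entire R."""
    r, masked = ct
    mask = stream(key, r, len(masked))
    return bytes(a ^ b for a, b in zip(masked, mask))


def virus_exfiltrate(ct, budget: int):
    """The function h: the virus can only ship `budget` bytes of R off the
    machine (plus the short masked message). Here h keeps a prefix of R."""
    r, masked = ct
    return r[:budget], masked


def decrypt_after_key_leak(key: bytes, leaked, stream=stream_full) -> bytes:
    """Adversary later learns K and tries to decrypt from h(C) alone."""
    r_part, masked = leaked
    mask = stream(key, r_part, len(masked))
    return bytes(a ^ b for a, b in zip(masked, mask))


def run_demo(r_len: int = 1 << 20, budget: int = 4096):
    """Returns (legit_decrypt_ok, attack_ok_full_scheme, attack_ok_weak_scheme)."""
    key = os.urandom(16)
    msg = b"the plaintext the virus wants"  # constructed sample message

    ct = fss_encrypt(key, msg, r_len)
    legit = fss_decrypt(key, ct) == msg
    leaked = virus_exfiltrate(ct, budget)
    attack_full = decrypt_after_key_leak(key, leaked) == msg

    ct_weak = fss_encrypt(key, msg, r_len, stream=stream_weak)
    leaked_weak = virus_exfiltrate(ct_weak, budget)
    attack_weak = decrypt_after_key_leak(key, leaked_weak, stream=stream_weak) == msg
    return legit, attack_full, attack_weak


if __name__ == "__main__":
    print(run_demo())  # (True, False, True)
```

The demo exercises one adversary strategy, not a proof: the FSS guarantee is a statement about every h with |h(C)| ≪ |C|, and a random-oracle-style argument is what rules out the rest. The weak variant shows the check a practitioner should make on any candidate scheme: if the part of the ciphertext that the key stream actually depends on is small, the adversary simply chooses h to keep exactly that part, and the large ciphertext buys nothing. The price of the full scheme is that every legitimate decryption must read all of R.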
Keywords: Encryption Scheme, Random Oracle, Security Parameter, Random String, Pseudorandom Generator
- 2. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
- 3. Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: 39th Annual Symposium on Foundations of Computer Science, pp. 493–502 (1998)
- 4. Cachin, C., Maurer, U.M.: Unconditional security against memory-bounded adversaries. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 292–306. Springer, Heidelberg (1997)
- 5. Cash, D., Ding, Y.Z., Dodis, Y., Lee, W., Lipton, R., Walfish, S.: Intrusion-resilient authentication in the Limited Communication Model. Cryptology ePrint Archive, Report 2005/409 (2005), http://eprint.iacr.org/
- 11. Dubrov, B., Ishai, Y.: On the randomness complexity of efficient sampling. In: ACM Symposium on Theory of Computing, pp. 711–720 (2006)
- 13. Dziembowski, S.: On Forward-Secure Storage. Cryptology ePrint Archive (2006), http://eprint.iacr.org
- 16. Harnik, D., Naor, M.: On the compressibility of NP instances and cryptographic applications. Electronic Colloquium on Computational Complexity, Report TR06-022 (2006)
- 19. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: ACM Symposium on Theory of Computing, pp. 44–61 (1989)
- 20. Kelsey, J., Schneier, B.: Authenticating secure tokens using slow memory access. In: USENIX Workshop on Smart Card Technology, pp. 101–106 (1999)
- 21. Kushilevitz, E., Ostrovsky, R.: Replication is not needed: Single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, pp. 364–373 (1997)
- 25. Moran, T., Shaltiel, R., Ta-Shma, A.: Non-interactive timestamping in the Bounded Storage Model. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 460–476. Springer, Heidelberg (2004)