Constant Round Oblivious Transfer in the Bounded

Foundations of Cryptography
Lecture 7
Lecturer: Danny Harnik
Maurer’s Bounded Storage Model




Most cryptographic tasks are only possible when parties are known to be bounded.
“Mainstream Cryptography”: Assume parties are time bounded (run in polynomial time).
Maurer’s model: Assume parties have bounded storage.
Remark: Bounded Storage ≠ Bounded Space.

Measures only the storage capacity at one point of the process.
The bounded storage model: The setting

A long random string R is transmitted.

Honest parties store small portions of R.

Parties interact.

Protocol is secure even against dishonest parties which store almost all of R.
[Figure: a long random string R of length N. Alice stores N^½ bits of R, Bob stores N^½ bits of R, and the malicious party stores ¾N bits (arbitrary function of R).]
Example: Key-Agreement
Alice and Bob interact over a public channel (with no initial secret key).
They want to agree on a secret key.

[Figure: Alice and Bob, each holding the key, connected by a public channel; the Eavesdropper on the channel is left with "??".]
Protocol: Key-Agreement [CM97]

A long random string R is transmitted.

Alice and Bob store random subsets of size ~N^½.

Send position of subsets and agree on content of intersection.

Next, we show that an eavesdropper which stores ¾N bits has a lot of entropy on the key.

[Figure: a long random string R of length N; Alice and Bob each store N^½ bits of R and obtain the key. Eavesdropper: "Does not know the key!"]
The view of the adversary

Simplifying assumption: The adversary stores a random subset of the bits of R, of size ¾N.

The sets chosen by the players are random.

The set which defines the key is a random set.

The adversary does not remember ~¼N bits.

[Figure: the adversary's ¾N stored bits set against the key: ¾ known, ¼ unknown. Eavesdropper: "From my point of view the key is a high-entropy source!"]

* This holds even when the adversary stores an arbitrary function of R [NZ93].
Randomness Extractors [NZ93]

Extract randomness from arbitrary distributions which contain sufficient (min)-entropy.

Use a short seed of truly random bits.

Output is (close to) uniform even when the adversary knows the seed.

Relation to BSM pointed out by [Lu02,Vad03].

[Figure: a high entropy distribution and a seed are fed to the Extractor, which produces a random output.]
Key-Agreement using extractors

A long random string R is transmitted.

Alice and Bob store random subsets of size ~N^½.

Send position of subsets and agree on content of intersection.

Alice randomly chooses a seed and sends it to Bob.

Both apply an extractor to receive the key.

[Figure: a long random string R of length N; Alice and Bob each store N^½ bits of R; the intersection content and the seed are fed to the Extractor, which outputs the random key.]
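The key-agreement-with-extractor protocol above, as an added simulation that is not part of the lecture. Assumptions: N = 2^16, honest subsets of size 8·N^½, the eavesdropper stores a random ¾N positions (the slides' simplifying assumption), and a random binary matrix (a universal hash, an extractor by the Leftover Hash Lemma) stands in for the extractor, so its seed is long rather than short. The function names are hypothetical.

```python
import math
import random

def extract(bits, seed_rows):
    """Seeded extractor stand-in: output bit j = <seed row j, bits> over GF(2)."""
    return [sum(r & b for r, b in zip(row, bits)) % 2 for row in seed_rows]

def run_key_agreement(N=1 << 16, c=8, key_bits=8, rng_seed=7):
    rng = random.Random(rng_seed)            # constructed, reproducible demo randomness
    R = [rng.getrandbits(1) for _ in range(N)]   # the broadcast string R
    k = c * math.isqrt(N)                    # honest parties store ~N^(1/2) bits

    # Storage phase: every party keeps only {position: bit} for its own set.
    alice = {i: R[i] for i in rng.sample(range(N), k)}
    bob = {i: R[i] for i in rng.sample(range(N), k)}
    eve = {i: R[i] for i in rng.sample(range(N), 3 * N // 4)}
    del R                                    # R is no longer available to anyone

    # Public phase: positions are exchanged, contents are not.
    shared = sorted(alice.keys() & bob.keys())
    raw_a = [alice[i] for i in shared]
    raw_b = [bob[i] for i in shared]

    # Alice picks the seed and sends it in the clear; Eve sees it too.
    seed_rows = [[rng.getrandbits(1) for _ in shared] for _ in range(key_bits)]
    key_a = extract(raw_a, seed_rows)
    key_b = extract(raw_b, seed_rows)

    # Intersection positions Eve did not store: her uncertainty about the raw key.
    unknown = sum(1 for i in shared if i not in eve)
    return key_a, key_b, len(shared), unknown

if __name__ == "__main__":
    key_a, key_b, n, unknown = run_key_agreement()
    print(f"intersection: {n} bits, unknown to Eve: {unknown}")
    print("keys agree:", key_a == key_b, "key:", "".join(map(str, key_a)))
```

With these parameters the expected intersection is k²/N = 64 positions, of which the eavesdropper misses about a quarter; the extracted key has to be shorter than that unknown part.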
Further Improvements

Instead of random subsets, Alice & Bob remember pairwise independent locations.

Eavesdropper still has high min-entropy [NZ].
Saves communication when finding the intersection of both sides.

Can further use better “Samplers” to choose these locations.

Only need to send seed to the sampler in order to agree on intersection.
The Secret Key Setting

Seed to sampler is used as the secret key.
Alice & Bob only store the bits at the locations the sampler chooses.

Can use small set for Alice and Bob.
For the Eavesdropper this set is a high min-entropy source.
By applying extractor, receive a long key that is close to uniform from Eavesdropper’s point of view.

Best result so far for message of length m [Vad03]:

Alice & Bob store only O(m + log 1/ε)
Secret Key length: O(log N + log 1/ε)
The bounded storage model

Practical? Depends on ratio between price of memory and speed of broadcast.

Most of the research so far focused on:
• Key agreement [Mau93,CM97].
• Secret-key encryption [Mau93,CM97,AR99,ADR02,DR02,DM02,Lu02,Vad03].

Advantages:
• Clean model.
• Security does not require unproven assumptions.
• Everlasting security: The security is guaranteed even if at a later stage the adversary gains more memory.