TY - GEN
T1 - Authentication in the Bounded Storage Model
AU - Dodis, Yevgeniy
AU - Quach, Willy
AU - Wichs, Daniel
N1 - Publisher Copyright:
© 2022, International Association for Cryptologic Research.
PY - 2022
Y1 - 2022
N2 - We consider the streaming variant of the Bounded Storage Model (BSM), where the honest parties can stream large amounts of data to each other, while only maintaining a small memory of size n. The adversary also operates as a streaming algorithm, but has a much larger memory size m≫ n. The goal is to construct unconditionally secure cryptographic schemes in the BSM, and prior works did so for symmetric-key encryption, key agreement, oblivious transfer and multiparty computation. In this work, we construct message authentication and signatures in the BSM. First, we consider the symmetric-key setting, where Alice and Bob share a small secret key. Alice can authenticate arbitrarily many messages to Bob by streaming long authentication tags of size k≫ m, while ensuring that the tags can be generated and verified using only n bits of memory. We show a solution using local extractors (Vadhan; JoC ’04), which allows for up to exponentially large adversarial memory m= 2 O(n), and has tags of size k= O(m). Second, we consider the same setting as above, but now additionally require each individual tag to be small, of size k≤ n. We show a solution is still possible when the adversary’s memory is m= O(n2), which is optimal. Our solution relies on a space lower bound for leaning parities (Raz; FOCS ’16). Third, we consider the public-key signature setting. A signer Alice initially streams a long verification key over an authentic channel, while only keeping a short signing key in her memory. A verifier Bob receives the streamed verification key and generates a short verification digest that he keeps in his memory. Later, Alice can sign arbitrarily many messages using her signing key by streaming large signatures to Bob, who can verify them using his verification digest. We show a solution for m= O(n2), which we show to be optimal. Our solution relies on a novel entropy lemma, of independent interest. We show that, if a sequence of blocks has sufficiently high min-entropy, then a large fraction of individual blocks must have high min-entropy. Naive versions of this lemma are false, but we show how to patch it to make it hold.
AB - We consider the streaming variant of the Bounded Storage Model (BSM), where the honest parties can stream large amounts of data to each other, while only maintaining a small memory of size n. The adversary also operates as a streaming algorithm, but has a much larger memory size m≫ n. The goal is to construct unconditionally secure cryptographic schemes in the BSM, and prior works did so for symmetric-key encryption, key agreement, oblivious transfer and multiparty computation. In this work, we construct message authentication and signatures in the BSM. First, we consider the symmetric-key setting, where Alice and Bob share a small secret key. Alice can authenticate arbitrarily many messages to Bob by streaming long authentication tags of size k≫ m, while ensuring that the tags can be generated and verified using only n bits of memory. We show a solution using local extractors (Vadhan; JoC ’04), which allows for up to exponentially large adversarial memory m= 2 O(n), and has tags of size k= O(m). Second, we consider the same setting as above, but now additionally require each individual tag to be small, of size k≤ n. We show a solution is still possible when the adversary’s memory is m= O(n2), which is optimal. Our solution relies on a space lower bound for leaning parities (Raz; FOCS ’16). Third, we consider the public-key signature setting. A signer Alice initially streams a long verification key over an authentic channel, while only keeping a short signing key in her memory. A verifier Bob receives the streamed verification key and generates a short verification digest that he keeps in his memory. Later, Alice can sign arbitrarily many messages using her signing key by streaming large signatures to Bob, who can verify them using his verification digest. We show a solution for m= O(n2), which we show to be optimal. Our solution relies on a novel entropy lemma, of independent interest. We show that, if a sequence of blocks has sufficiently high min-entropy, then a large fraction of individual blocks must have high min-entropy. Naive versions of this lemma are false, but we show how to patch it to make it hold.
UR - http://www.scopus.com/inward/record.url?scp=85132124758&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85132124758&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-07082-2_26
DO - 10.1007/978-3-031-07082-2_26
M3 - Conference contribution
AN - SCOPUS:85132124758
SN - 9783031070815
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 737
EP - 766
BT - Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings
A2 - Dunkelman, Orr
A2 - Dziembowski, Stefan
PB - Springer Science and Business Media Deutschland GmbH
T2 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022
Y2 - 30 May 2022 through 3 June 2022
ER -