One-time Computable and Uncomputable Functions

This paper studies the design of cryptographic schemes that are secure even if implemented on untrusted machines, whose internals can be partially observed/controlled by an adversary. For example, this includes machines that are infected with a software virus. We introduce a new cryptographic notion that we call a one-time computable pseudorandom function (PRF), which is a PRF FK(·) that can be evaluated at most once on a machine which stores the (long) key K, as long as: (1) the adversary cannot retrieve the key K out of the machine completely (this is similar to the assumptions made in the so-called Bounded-Retrieval Model), and (2) the local read/write memory of the machine is restricted, and not too much larger than the size of K. In particular, the only way to evaluate FK(x) on such device, is to overwrite part of the key K, preventing all future evaluations of FK(·) at any other point x′ 6= x. We show that this primitive can be used to construct schemes for password protected storage that are secure against dictionary attacks, even by a virus that infects the machine. Our constructions rely on the random-oracle model, and lower-bounds for graphs pebbling problems. We show that our techniques can also be used to construct another primitive, that we call uncomputable hash functions, which are hash funcitons that cannot be computed if the local storage has some restricted size s, but can be computed if they are given slightly more storage than s. We show that this tool can be used to improve the communication complexity of proofs-of-erasure schemes, introduced recently by Perito and Tsudik (ESORICS 2010).