Exposure-resilient cryptography

We develop the notion of Exposure-Resilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of Exposure-Resilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in this structure. The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF) a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves efficiently solve the partial exposure of secrets in the setting where the secret is simply a random value, like in the private-key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applications. To solve the general partial exposure of secrets, we use the (generalized) notion of an All-Or-Nothing Transform (AONT) introduced by Rivest [51] and refined by Boyko [16]: an invertible (randomized) transformation T which, nevertheless, reveals "no information" about x even if almost all the bits of T(x) are known. By applying an AONT to the secret entity (of arbitrary structure), we obtain security against almost total exposure of secrets. AONT's have also many other diverse applications in the design of block ciphers, secret sharing and secure communication. To date, however, the only known analyses of AONT candidates were made in the random oracle model (by Boyko [16]). In this thesis we construct ERF's and AONT's with nearly optimal parameters in the standard model (without random oracles), in the perfect, statistical and computational settings (the latter based only on one-way functions). We also show close relationship between and examine many additional properties of what we hope will become important cryptographic primitives Exposure-Resilient Functions and AllOr-Nothing Transforms. Thesis Supervisor: Madhu Sudan Title: Associate Professor