Paper 2009/399

Leakage-Resilient Storage

Francesco Davì, Stefan Dziembowski, and Daniele Venturi

Abstract

We study a problem of secure data storage on hardware that may leak information. We introduce a new primitive, that we call {\em leakage-resilient storage} (LRS), which is an (unkeyed) scheme for encoding messages, and can be viewed as a generalization of the {\em All-Or-Nothing Transform} (AONT, Rivest 1997). The standard definition of AONT requires that it should be hard to reconstruct a message $$ if not all the bits of its encoding $$ are known. LRS is defined more generally, with respect to a class $$ of functions. The security definition of LRS requires that it should be hard to reconstruct $$ even if some values $$ $$ are known (where $$), as long as the total length of $$ is smaller than some parameter $$. We construct an LRS scheme that is secure with respect to $$ being a set of functions that can depend only on some restricted part of the memory. More precisely: we assume that the memory is divided in $$ parts, and the functions in $$ can be just applied to one of these parts. We also construct a scheme that is secure if the cardinality of $$ is restricted (but still it can be exponential in the length of the encoding). This construction implies security in the case when the set $$ consists of functions that are computable by Boolean circuits of a small size. We also discuss the connection between the problem of constructing leakage-resilient storage and a theory of the compressibility of NP-instances.