Abstract. We propose a private-key cryptosystem and a protocol for key agreement by public discussion that are unconditionally secure based on the sole assumption that an adversary's memory capacity is limited. No assumption about her computing power is made. The scenario assumes that a random bit string of length slightly larger than the adversary's memory capacity can be received by all parties. The random bit string can for instance be broadcast by a satellite or over an optical network, or transmitted over an insecure channel between the communicating parties. The proposed schemes require very high bandwidth but can nevertheless be practical.
Introduction

One of the most important properties of a cryptographic system is a proof of its security under reasonable and general assumptions. However, every design involves a trade-off between the strength of the security and further important qualities of a cryptosystem, such as efficiency and practicality. The security of all currently used cryptosystems is based on the difficulty of an underlying computational problem, such as factoring large numbers or computing discrete logarithms in the case of many public-key systems. Security proofs for these systems show that the ability of the adversary to defeat the cryptosystem with significant probability contradicts the assumed difficulty of the problem [24]. Although the hardness of these problems is unquestioned at the moment, it can be dangerous to base the security of the global information economy on a very small number of mathematical problems. Recent advances in quantum computing show that precisely these two problems, factoring and discrete logarithm, could be solved efficiently if quantum computers could be built [27].

An alternative to proofs in the computational security model is offered by the stronger notion of information-theoretic or unconditional security, where no limits on an adversary's computational power are assumed. The first information-theoretic definition of perfect secrecy by Shannon [26] led immediately to his famous impracticality theorem, which states, roughly, that the shared secret key in any perfectly secure cryptosystem must be at least as long as the plaintext