Post-Compromise Security in Self-Encryption

In self-encryption, a device encrypts some piece of information for itself to decrypt in the future. We are interested in security of self-encryption when the state occasionally leaks. Applications that use self-encryption include cloud storage, when a client encrypts files to be stored, and in 0-RTT session resumptions, when a server encrypts a resumption key to be kept by the client. Previous works focused on forward security and resistance to replay attacks. In our work, we study post-compromise security (PCS). PCS was achieved in ratcheted instant messaging schemes, at the price of having an inflating state size. An open question was whether state inflation was necessary. In our results, we prove that post-compromise security implies a super-linear state size in terms of the number of active ciphertexts which can still be decrypted. We apply our result to self-encryption for cloud storage, 0-RTT session resumption, and secure messaging. We further show how to construct a secure scheme matching our bound on the state size up to a constant factor.