SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

Size: px

Start display at page:

Download "SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY"

Amber Potter
5 years ago
Views:

1 SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

2 Part I PRELIMINARIES (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

3 ERROR-CORRECTING CODES [n, k] LINEAR CODE OVER F q A subspace of dimension k of F n q. w-error correcting: exists decoding algorithm that corrects up to w errors occurred on a codeword. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

4 ERROR-CORRECTING CODES [n, k] LINEAR CODE OVER F q A subspace of dimension k of F n q. w-error correcting: exists decoding algorithm that corrects up to w errors occurred on a codeword. HAMMING WEIGHT Number of non-zero entries: wt(x) = {i : x i 0, 1 i n}. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

5 ERROR-CORRECTING CODES [n, k] LINEAR CODE OVER F q A subspace of dimension k of F n q. w-error correcting: exists decoding algorithm that corrects up to w errors occurred on a codeword. HAMMING WEIGHT Number of non-zero entries: wt(x) = {i : x i 0, 1 i n}. PARITY-CHECK MATRIX H F (n k) n q defines the code as follows: x C Hx T = 0. Systematic form: (M I n k ). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

6 CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES McEliece: first cryptosystem using error correcting codes (1978). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

7 CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES McEliece: first cryptosystem using error correcting codes (1978). Based on the hardness of decoding random linear codes. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

8 CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES McEliece: first cryptosystem using error correcting codes (1978). Based on the hardness of decoding random linear codes. Dual version proposed by Niederreiter (1985). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

9 CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES McEliece: first cryptosystem using error correcting codes (1978). Based on the hardness of decoding random linear codes. Dual version proposed by Niederreiter (1985). PROBLEM (COMPUTATIONAL SYNDROME DECODING) Given: H F (n k) n q, y F (n k) q and w N. Goal: find a word e F n q with wt(e) w such that He T = y. Unique solution and hardness only if w is below a certain threshold (GV bound). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

10 CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES McEliece: first cryptosystem using error correcting codes (1978). Based on the hardness of decoding random linear codes. Dual version proposed by Niederreiter (1985). PROBLEM (COMPUTATIONAL SYNDROME DECODING) Given: H F (n k) n q, y F (n k) q and w N. Goal: find a word e F n q with wt(e) w such that He T = y. Unique solution and hardness only if w is below a certain threshold (GV bound). If H defines an error-correcting code, we have a trapdoor: special description allows decoding algorithm to correct errors. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

11 NIEDERREITER, REVISITED KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

12 NIEDERREITER, REVISITED KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. ENCRYPTION Message is a word e F n 2 of weight w. c = He T. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

13 NIEDERREITER, REVISITED KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. ENCRYPTION Message is a word e F n 2 of weight w. c = He T. DECRYPTION Set e = Decode (c) and return e. Return if decoding fails. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

14 Part II HYBRID ENCRYPTION (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

15 MOTIVATION Purpose of public-key encryption: encrypt key for symmetric scheme. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

16 MOTIVATION Purpose of public-key encryption: encrypt key for symmetric scheme. Niederreiter cryptosystem requires use of constant-weight encoding functions to transform symmetric key into fixed-weight string e. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

17 MOTIVATION Purpose of public-key encryption: encrypt key for symmetric scheme. Niederreiter cryptosystem requires use of constant-weight encoding functions to transform symmetric key into fixed-weight string e. Can do this in a more efficient way: build a KEM based on Niederreiter s assumptions. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

18 THE KEM-DEM FRAMEWORK Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

19 THE KEM-DEM FRAMEWORK Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms. KEY ENCAPSULATION MECHANISM (KEM) Keygen: generates private key SK and public key PK. Enc KEM (PK): produces a symmetric key K and a ciphertext c 0. Dec KEM (SK, c 0 ): returns the symmetric key K (or ). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

20 THE KEM-DEM FRAMEWORK Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms. KEY ENCAPSULATION MECHANISM (KEM) Keygen: generates private key SK and public key PK. Enc KEM (PK): produces a symmetric key K and a ciphertext c 0. Dec KEM (SK, c 0 ): returns the symmetric key K (or ). DATA ENCAPSULATION MECHANISM (DEM) Enc DEM (K, m): produces the ciphertext c 1. Dec DEM (K, c 1 ): returns the plaintext m (or ). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

21 HYBRID ENCRYPTION HYBRID ENCRYPTION SCHEME Keygen: generates private key SK and public key PK. Enc HY (PK,m): Run Enc KEM (PK) and get (K, c 0 ). Run Enc DEM (K, m) and get c 1. Final ciphertext c = (c 0, c 1 ). Dec HY (SK, c): Run Dec KEM (SK,c 0 ) and get K. Run Dec DEM (K, c 1 ) and recover m. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

22 SECURITY Independent components with separate security definitions, however (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

23 SECURITY Independent components with separate security definitions, however IND-CCA secure KEM + IND-CCA secure DEM = IND-CCA secure hybrid scheme! (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

24 SECURITY Independent components with separate security definitions, however IND-CCA secure KEM + IND-CCA secure DEM = IND-CCA secure hybrid scheme! DEM: usual symmetric encryption IND-CCA requirement. Can use any symmetric scheme (e.g. one-time pad) + MAC. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

25 SECURITY Independent components with separate security definitions, however IND-CCA secure KEM + IND-CCA secure DEM = IND-CCA secure hybrid scheme! DEM: usual symmetric encryption IND-CCA requirement. Can use any symmetric scheme (e.g. one-time pad) + MAC. IND-CCA SECURITY FOR KEM Get public key PK. Perform decryption queries. Challenge ciphertext: (K, c ) either honestly obtained (b = 1) by Enc KEM (PK) or by choosing K as a random string (b = 0). Perform decryption queries ( c ). Return b. Adv KEM (A, λ) = Pr[b = b] 1/2 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

26 NIEDERREITER KEM Secure in Random Oracle model, makes use of Key Derivation Function (KDF), e.g. SHA-3. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

27 NIEDERREITER KEM Secure in Random Oracle model, makes use of Key Derivation Function (KDF), e.g. SHA-3. KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

28 NIEDERREITER KEM Secure in Random Oracle model, makes use of Key Derivation Function (KDF), e.g. SHA-3. KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. ENCRYPTION Choose a random word e F n 2 of weight w. K = KDF(e), c 0 = He T. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

29 NIEDERREITER KEM Secure in Random Oracle model, makes use of Key Derivation Function (KDF), e.g. SHA-3. KEY GENERATION Choose w-error correcting code C. SK: code description for C. PK: parity-check matrix H in systematic form for C. ENCRYPTION Choose a random word e F n 2 of weight w. K = KDF(e), c 0 = He T. DECRYPTION Set e = Decode (c 0 ) and return K = KDF (e). Return KDF(c 0 ) if decoding fails. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

30 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

31 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. Model KDF as a random oracle H. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

32 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. Model KDF as a random oracle H. Game 0: the KEM security game. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

33 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c 0 = He T had been previously queried. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

34 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c 0 = He T had been previously queried. Game 2: generate c 0 at beginning and halt if H queried at e. Use adversary A as a simulator. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

35 PROOF OF SECURITY (SKETCH) THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for SDP such that Adv KEM (A, λ) Adv SDP (A, λ) + n DEC /N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c 0 = He T had been previously queried. Game 2: generate c 0 at beginning and halt if H queried at e. Use adversary A as a simulator. Simulation possible thanks to modification in the decryption algorithm. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

36 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

37 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: KEY GENERATION Set PK= H and give PK to A. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

38 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: KEY GENERATION Set PK= H and give PK to A. CHALLENGE QUERIES Set c = y and K random string and give (K, c ) to A. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

39 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: KEY GENERATION Set PK= H and give PK to A. CHALLENGE QUERIES Set c = y and K random string and give (K, c ) to A. RANDOM ORACLE QUERIES Receive query e and compute s = He T. If s = y then win the game and halt. Otherwise, generate K at random. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

40 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: KEY GENERATION Set PK= H and give PK to A. CHALLENGE QUERIES Set c = y and K random string and give (K, c ) to A. RANDOM ORACLE QUERIES Receive query e and compute s = He T. If s = y then win the game and halt. Otherwise, generate K at random. DECRYPTION QUERIES Receive query c 0 and reply with a random string K. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

41 THE SIMULATOR A has to solve an instance (H, y, w) of SDP. Interaction with A: KEY GENERATION Set PK= H and give PK to A. CHALLENGE QUERIES Set c = y and K random string and give (K, c ) to A. RANDOM ORACLE QUERIES Receive query e and compute s = He T. If s = y then win the game and halt. Otherwise, generate K at random. DECRYPTION QUERIES Receive query c 0 and reply with a random string K. Use of tables to guarantee integrity. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

42 Part III ANONYMITY (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

43 INTRODUCTION Increasingly important notion in the community. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

44 INTRODUCTION Increasingly important notion in the community. Key Privacy vs Data Privacy (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

45 INTRODUCTION Increasingly important notion in the community. Key Privacy vs Data Privacy IK-CCA SECURITY FOR PKE Get two public keys PK 0 and PK 1. Perform decryption queries (for either). Choose message m. Challenge ciphertext: c =Enc(PK b, m) for b {0, 1}. Perform decryption queries ( c ). Return b. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

46 ANONYMITY FOR CODE-BASED SCHEMES Plain Niederreiter (or McEliece) scheme: not secure. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

47 ANONYMITY FOR CODE-BASED SCHEMES Plain Niederreiter (or McEliece) scheme: not secure. IND-CPA randomized variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

48 ANONYMITY FOR CODE-BASED SCHEMES Plain Niederreiter (or McEliece) scheme: not secure. IND-CPA randomized variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007). What about hybrid encryption? (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

49 ANONYMITY FOR CODE-BASED SCHEMES Plain Niederreiter (or McEliece) scheme: not secure. IND-CPA randomized variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007). What about hybrid encryption? Unfortunately (Mohassel, 2010) IK-CCA secure KEM + IK-CCA secure DEM IK-CCA secure hybrid scheme = (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

50 ANONYMITY FOR CODE-BASED SCHEMES Plain Niederreiter (or McEliece) scheme: not secure. IND-CPA randomized variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007). What about hybrid encryption? Unfortunately (Mohassel, 2010) IK-CCA secure KEM + IK-CCA secure DEM IK-CCA secure hybrid scheme We prove IK-CCA security for our scheme directly. = (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

51 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

52 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

53 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. Model KDF as a random oracle H. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

54 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. Model KDF as a random oracle H. Game 0: the KEM security game. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

55 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c =Enc(PK b, m) had been previously queried. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

56 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c =Enc(PK b, m) had been previously queried. Game 2: return additional random string m together with c. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

57 PROOF OF SECURITY (SKETCH) ALTERNATIVE DEFINITION OF ADV Adv Pr[b IND CCA (A, λ) = = 1 b = 1] Pr[b = 1 b = 0]. Equivalent since Adv IND-CCA (A, λ) = 2 Adv IND-CCA(A, λ). THEOREM Let A be an adversary for KEM and N = W n,q,w. There exists an adversary A for IND-CCA such that Adv IK -CCA (A, λ) Adv IND-CCA (A, λ) + n DEC /2N. Model KDF as a random oracle H. Game 0: the KEM security game. Game 1: halt if challenge ciphertext c =Enc(PK b, m) had been previously queried. Game 2: return additional random string m together with c. Game 3: set challenge ciphertext c =Enc(PK b, m ). Use adversary A as a simulator. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

58 Part IV CONCLUSIONS (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

59 CONCLUSIONS First KEM based directly on coding theory problem. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

60 CONCLUSIONS First KEM based directly on coding theory problem. Simple construction and tight security proof. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

61 CONCLUSIONS First KEM based directly on coding theory problem. Simple construction and tight security proof. Extending (Yamakawa et al., 2007), obtains IK-CCA security. (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

62 CONCLUSIONS First KEM based directly on coding theory problem. Simple construction and tight security proof. Extending (Yamakawa et al., 2007), obtains IK-CCA security. Implementation? (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

63 Merci beaucoup Thank you Grazie (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE / 20

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification: