Code-Based Cryptography McEliece Cryptosystem

Similar documents
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

A note on CCA2-protected McEliece cryptosystem with a systematic public key

OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea

CS408 Cryptography & Internet Security

IND-CCA2 secure cryptosystems, Dan Bogdanov

Advanced Cryptography 1st Semester Symmetric Encryption

Table of Contents. Preface... vii Abstract... vii Kurzfassung... x Acknowledgements... xiii. I The Preliminaries 1

Modified Parameter Attacks: Practical Attacks Against CCA2 Secure Cryptosystems, and Countermeasures

Cryptography. Andreas Hülsing. 6 September 2016

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

From semantic security to chosen ciphertext security

New Public Key Cryptosystems Based on the Dependent RSA Problems

Security of Cryptosystems

Stateful Key Encapsulation Mechanism

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Network Security Technology Project

RSA. Public Key CryptoSystem

Lecture Note 05 Date:

Public-Key Cryptanalysis

Imperfect Decryption and an Attack on the NTRU Encryption Scheme

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks

PSEC{3: Provably Secure Elliptic Curve. Encryption Scheme { V3. (Submission to P1363a)

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

Security of Identity Based Encryption - A Different Perspective

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Asymmetric Primitives. (public key encryptions and digital signatures)

Immunizing Encryption Schemes from Decryption Errors

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

1 Achieving IND-CPA security

Weak adaptive chosen ciphertext secure hybrid encryption scheme

Failure of the McEliece Public-Key Cryptosystem Under Message-Resend and Related-Message Attack

Lecture 18 - Chosen Ciphertext Security

On Symmetric Encryption with Distinguishable Decryption Failures

Notion Of Security. February 18, 2009

Efficient chosen ciphertext secure PKE scheme with short ciphertext

Public key encryption: definitions and security

Universal Exponentiation Algorithm

Concrete Security of Symmetric-Key Encryption

Definitions and Notations

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

CSCE 813 Internet Security Symmetric Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Brief Introduction to Provable Security

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Inductive Trace Properties for Computational Security

Relations between Semantic Security and Anonymity in Identity Based Encryption

Botan s Implementation of the McEliece PKC

Research, Universiti Putra Malaysia, Serdang, 43400, Malaysia. 1,2 Department of Mathematics, Faculty of Sciences, Universiti Putra Malaysia,

Efficient Multi-receiver identity-based encryption and its application to broadcast encryption

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

Proofs for Key Establishment Protocols

Chapter 11 : Private-Key Encryption

Lightweight Code-based Cryptography: QC-MDPC McEliece Encryption on Reconfigurable Devices

Computational Security, Stream and Block Cipher Functions

An efficient semantically secure elliptic curve cryptosystem based on KMOV

On the Security of a Certificateless Public-Key Encryption

Cryptanalyzing the Polynomial Reconstruction based Public-Key System under Optimal Parameter Choice

Computer Security CS 526

Applied Cryptography and Computer Security CSE 664 Spring 2018

Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing

Oblivious Transfer via McEliece s PKC and Permuted Kernels

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

A Designer s Guide to KEMs. Errata List

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Coding-theoretic problems in public key cryptography

Classic McEliece: conservative code-based cryptography

Block ciphers, stream ciphers

Lecture Note 05 Date:

Homomorphic Encryption

Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption

Distributed ID-based Signature Using Tamper-Resistant Module

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Practical Symmetric On-line Encryption

Hierarchical Identity-Based Online/Offline Encryption

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Malicious KGC Attacks in Certificateless Cryptography

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group

Securely Combining Public-Key Cryptosystems

Related-key Attacks on Triple-DES and DESX Variants

The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model

MTAT Cryptology II. Commitment Schemes. Sven Laur University of Tartu

McEliece Cryptosystem in real life: security and implementation

The Security of Elastic Block Ciphers Against Key-Recovery Attacks

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Random Oracle Instantiation in Distributed Protocols Using Trusted Platform Modules

Worst case QC-MDPC decoder for McEliece cryptosystem

Strong Adaptive Chosen-Ciphertext Attacks with Memory Dump (Or: The Importance of the Order of Decryption and Validation)

Code-Based Cryptography Error-Correcting Codes and Cryptography

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Marc Fischlin, Giorgia Azzurra Marson, and Kenneth G.

A Study on the Security of Privacy Homomorphism

Information Security

Efficient revocation and threshold pairing based cryptosystems

Efficient Re-Keyed Encryption Schemes for Secure Communications

Transcription:

Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0

2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks - Semantic Secure Conversions 6. Reducing the Key Size 7. Reducing the Key Size - LDPC codes 8. Reducing the Key Size - MDPC codes 9. Implementation I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

Critical Attacks: Partial knowledge on the plaintext k m (message) =... 1

Critical Attacks: Partial knowledge on the plaintext k m (message) =... The attacker knows r bits of the plaintext 1

Critical Attacks: Partial knowledge on the plaintext k m (message) =... The attacker knows r bits of the plaintext Recovering the rest of k r bits in the McEliece scheme with parameters [n, k] Recovering a plaintext in the McEliece scheme with parameters [n, k r] 1

Critical Attacks: Partial knowledge on the plaintext I = Known positions {1,..., n} \ I = I := Unknown positions k m (message) =... The attacker knows r bits of the plaintext Recovering the rest of k r bits in the McEliece scheme with parameters [n, k] Recovering a plaintext in the McEliece scheme with parameters [n, k r] 1

Critical Attacks: Partial knowledge on the plaintext I = Known positions {1,..., n} \ I = I := Unknown positions y = mg + e = m I G I + m I G I + e m (message) = k... Restriction of the matrix G to the columns indexed by i I The attacker knows r bits of the plaintext Recovering the rest of k r bits in the McEliece scheme with parameters [n, k] Recovering a plaintext in the McEliece scheme with parameters [n, k r] 1

Critical Attacks: Reaction Attack This attack can be classified as CCA but with a weaker assumption y : d H (y, C) > t Receiver (Reaction) INVALID CIPHERTEXT Attacker A decoder of an [n, k] q code will not attempt to correct a vector which has t + 1 or more errors 2

Critical Attacks: Reaction Attack We flip the i-th bit of the ciphertext y : y y y Receiver (Reaction) Attacker 3 K. Kobara and H. Imai New Chosen-Plaintext Attacks on the One-Wayness of the Modified McEliece PKC. Proposed at Asiacrypt 2000.

Critical Attacks: Reaction Attack We flip the i-th bit of the ciphertext y : y y y Receiver (Reaction) Reaction A: INVALID CIPHERTEXT Attacker Reaction A: i is an error-free position, d H (y, C) = t + 1 3 K. Kobara and H. Imai New Chosen-Plaintext Attacks on the One-Wayness of the Modified McEliece PKC. Proposed at Asiacrypt 2000.

Critical Attacks: Reaction Attack We flip the i-th bit of the ciphertext y : y y y Receiver (Reaction) Reaction A: INVALID CIPHERTEXT Attacker Reaction B: VALID CIPHERTEXT Reaction A: i is an error-free position, d H (y, C) = t + 1 Reaction B: i is an error position, d H (y, C) = t 1 3 K. Kobara and H. Imai New Chosen-Plaintext Attacks on the One-Wayness of the Modified McEliece PKC. Proposed at Asiacrypt 2000.

Critical Attacks: Resend-message Attack y 1 = mg pub + e 1 C with w H (e 1 ) = t m P ENCRYPT G pub K p y 2 = mg pub + e 2 C with w H (e 2 ) = t with e 1 e 2 Message-Resend Condition: w H (y 1 + y 2 ) = w H (e 1 + e 2 ) = 2(t ν) In practice ν is very small 4 Thomas A. Berson Failure of the McEliece public-key cryptosystem under message-resend and related-message attack. Advances in Cryptology - CRYPTO 97, LNCS, volume 1294, 1997, pp. 213-220.

Semantic Secure Conversions (Example) ˆm e m Rnd 0 0 f h ˆm = A + h(b) e = B + f (A + h(b)) A = e + h( ˆm + f (e)) B = ˆm + f (e) A B Under random oracle assumption on f and h this conversions provides semantic security (non malleability and indistinguishability) 5

Semantic Secure Conversion OAEP Conversion M. Bellare and P. Rogaway. Optimal Asymmetric Encryption. Eurocrypt 1994, pp. 92-111. 6

Semantic Secure Conversion OAEP Conversion M. Bellare and P. Rogaway. Optimal Asymmetric Encryption. Eurocrypt 1994, pp. 92-111. Kobara-Imai conversion K. Kobara and H. Imai Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC. PKC 2001, 19-35. Under Kobara-Imai Conversion: Break indistinguishability of encryption of the specific conversion of McEliece in an CC2 scenario = Break the original McEliece without any decryption oracles and any knowledge on the plaintext 6

Semantic Secure Conversion OAEP Conversion M. Bellare and P. Rogaway. Optimal Asymmetric Encryption. Eurocrypt 1994, pp. 92-111. Kobara-Imai conversion K. Kobara and H. Imai Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC. PKC 2001, 19-35. Under Kobara-Imai Conversion: Break indistinguishability of encryption of the specific conversion of McEliece in an CC2 scenario = Break the original McEliece without any decryption oracles and any knowledge on the plaintext An IND-CPA conversion without random oracles also exists 6 R. Nojima, H. Imai, K. Kobara and K. Morozov Semantic Security for the McEliece Cryptosystem without Random Oracles. International Workshop on Coding and Cryptography WCC 2007, pp.289-305.

2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks - Semantic Secure Conversions 6. Reducing the Key Size 7. Reducing the Key Size - LDPC codes 8. Reducing the Key Size - MDPC codes 9. Implementation I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback