A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model

Similar documents
Code-Based Cryptography McEliece Cryptosystem

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Cryptography. Andreas Hülsing. 6 September 2016

Authenticated encryption

CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS

IND-CCA2 secure cryptosystems, Dan Bogdanov

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Table of Contents. Preface... vii Abstract... vii Kurzfassung... x Acknowledgements... xiii. I The Preliminaries 1

Lecture 15: Public Key Encryption: I

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Chosen-Ciphertext Security (II)

Information Security

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Stateful Key Encapsulation Mechanism

Feedback Week 4 - Problem Set

Public-Key Cryptography

McEliece Cryptosystem in real life: security and implementation

Lecture 3.4: Public Key Cryptography IV

Brief Introduction to Provable Security

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Lecture 07: Private-key Encryption. Private-key Encryption

Computer Security CS 526

Strong Privacy for RFID Systems from Plaintext-Aware Encryption

Imperfect Decryption and an Attack on the NTRU Encryption Scheme

Katz, Lindell Introduction to Modern Cryptrography

Scanned by CamScanner

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Block ciphers, stream ciphers

Breaking Korea Transit Card with Side-Channel Attack

Homomorphic Encryption

Security of Cryptosystems

1 Achieving IND-CPA security

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Lecture 8: Cryptography in the presence of local/public randomness

Lecture 18 - Chosen Ciphertext Security

EC500. Design of Secure and Reliable Hardware. Lecture 1 & 2

1 Identification protocols

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

CS 395T. Formal Model for Secure Key Exchange

Symmetric-Key Cryptography

Information Security CS526

Leakage-Resilient Chosen-Ciphertext Secure Public-Key Encryption from Hash Proof System and One-Time Lossy Filter

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Proofs for Key Establishment Protocols

Notion Of Security. February 18, 2009

Lecture10. 1 Semantically secure PKE

Advanced Cryptography 1st Semester Symmetric Encryption

Definitions and Notations

Cryptography. Lecture 12. Arpita Patra

Network Security Technology Project

Encryption from the Diffie-Hellman assumption. Eike Kiltz

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

symmetric cryptography s642 computer security adam everspaugh

Refining Computationally Sound Mech. Proofs for Kerberos

Public-Key Encryption

If DDH is secure then ElGamal is also secure w.r.t IND-CPA

A note on CCA2-protected McEliece cryptosystem with a systematic public key

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018

Timed-Release Certificateless Encryption

On the Security of a Certificateless Public-Key Encryption

Cryptographic protocols

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

Homework 3: Solution

Two-Dimensional Representation of Cover Free Families and its Applications: Short Signatures and More Shota Yamada The University of Tokyo

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Defining Encryption. Lecture 2. Simulation & Indistinguishability

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Introduction to cryptology (GBIN8U16) Introduction

Cryptology complementary. Symmetric modes of operation

Applied Cryptography and Computer Security CSE 664 Spring 2018

Solutions to exam in Cryptography December 17, 2013

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

From obfuscation to white-box crypto: relaxation and security notions

Cryptography. Lecture 03

Computational Security, Stream and Block Cipher Functions

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Randomness Extractors. Secure Communication in Practice. Lecture 17

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

RFID Authentication: Security, Privacy and the Real World

A Parametric Family of Attack Models for Proxy Re-Encryption

Inductive Trace Properties for Computational Security

Summary on Crypto Primitives and Protocols

Message Authentication ( 消息认证 )

Classic McEliece: conservative code-based cryptography

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

Concrete Security of Symmetric-Key Encryption

: Practical Cryptographic Systems March 25, Midterm

What Can Be Proved About Security?

Introduction to Cryptography. Lecture 3

Upgrading to Functional Encryption

Transcription:

A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification: Alternative Encryption

Agenda The McEliece Crypto System An Attack and IND-CCA2 A First Step: Achieving IND-CCA1 Achieving IND-CCA2 2

The McEliece Crypto System

The McEliece Public Key Scheme Secret Key P G S Public Key P. G. S = G Encryption m G + e = c Decryption m = Goppa S -1 decoding P -1 algorithm. c McEliece Assumption: 1. A public key G is indistinguishable from random 2. Syndrome decoding is hard

The McEliece Public Key Scheme Secret Key P G S Public Key Chosen randomly P. G. S = G Encryption m G + e = c Decryption m = Goppa S -1 decoding P -1 algorithm. c McEliece Assumption: 1. A public key G is indistinguishable from random 2. Syndrome decoding is hard

Semantic Security (IND-CPA) Public key G A challenge 1, challenge 2 Enc G (challenge i ) Chosen at random A Public key G Decision

Semantic Security (IND-CPA) Public key G A challenge 1, challenge 2 A cannot distinguish better than guessing Enc G (challenge i ) Chosen at random A Public key G Decision

Semantic Security (IND-CPA) Padding the message with a random string yields a semantically secure public key scheme (IND-CPA). [Nojima, Imai, Kobara, Morozov, DCC 2008] r m G + e Random padding

An Attack and IND-CCA2

A Reaction Attack The password identifies the customer and the nonce avoids replay attacks. Pay by sending your password and a nonce We use text book McEliece to securely send the password and the nonce. Password not valid Nonce not new

A Reaction Attack Replay an old Enc VM (pwd nonce) Add a new error Pay by sending your password and a nonce Password not valid Nonce not new

A Reaction Attack Replay an old Enc VM (pwd nonce) Add a new error Pay by sending your password and a nonce Depending on the message the new error corrected an error from the encryption. Password not valid Nonce not new

A Reaction Attack Replay an old Enc VM (pwd nonce) Add a new error Pay by sending your password and a nonce Locate all the errors from the encryption. Decode the codeword. Extract pwd. Depending on the message the new error corrected an error from the encryption. Password not valid Nonce not new

IND-CCA2 Decryption Oracle Public key e A challenge 1, challenge 2 Enc e (challenge i ) Chosen at random Decryption Oracle! A Public key e Decision

IND-CCA2 Decryption Oracle Public key e A challenge 1, challenge 2 A cannot distinguish better than guessing Enc e (challenge i ) Chosen at random Decryption Oracle! A Public key e Decision

IND-CCA2 A decryption oracle yields more information than the reaction of the vending machine. IND- CCA2 security implies security against reaction attacks. IND-CCA2 is the strongest established security notion for PKE and it implies universal composability.

A First Step: achieving IND-CCA1

A First Step: IND-CCA1 Decryption Oracle Public key e A challenge 1, challenge 2 Enc e (challenge i ) Chosen at random Decryption Oracle! A Public key e Decision

A First Step: IND-CCA1 Decryption Oracle Public key e A challenge 1, challenge 2 A cannot distinguish better than guessing Enc e (challenge i ) Chosen at random Decryption Oracle! A Public key e Decision

k-repetition For a PKE (KeyGen, Enc, Dec) we define the k-repetition (KeyGen k, Enc k, Dec k ) as follows: KeyGen k calls KeyGen k times. Enc k encrypts with Enc k times using the corresponding public keys and correlated randomness. Dec k decrypts all cipher texts with the corresponding secret keys and outputs m if all individual cipher texts did decrypt to m. Soundness: Dec k (Enc k (m)) = m with overwhelming probability. This construction is derived from [Rosen, Segev, TCC 2009]

k-repetition McEliece KeyGen k calls KeyGen k times Enc k encrypts with Enc k times using independent random error vectors, but the same padding r m in all encryptions. Dec k decrypts all cipher texts with the corresponding secret keys and outputs m if all individual cipher texts did decrypt to m. Soundness: Dec k (Enc k (m)) = m with overwhelming probability. This randomized k-repetition McEliece remains IND-CPA secure.

Verifiability of k-repetition A k-repetition PKE is called verifiable if given a ciphertext c, the public key pk = (pk 1,...,pk k ) and any secret key sk i it is possible to verify if c is a valid ciphertext (i.e., all individual ciphertexts decrypt to the same message). c = (c 1,...,c i,...,c k ) c = (c 1,...,c i,...,c k ) Dec???...... Dec k m m

Verifiability of k-repetition k-repetition McEliece is verifiable: c = (c 1,...,c i,...,c k ) Dec m Encode with public key matrix and check the hamming distance c = (c 1,...,c i,...,c k )...... m Dec k

From k-repetition to IND-CCA1 KeyGen CCA1 gives (pk 10,pk 11,...,pk k0,pk k1 ) and the secret key (sk 1 1r,sk 2r,...,sk 2 r k ) k Enc CCA1 chooses a random string s = s 1,...,s k, encrypts (k-repetition) with pk s 1 1,pk s 2 1,...,pk sk k obtains c = c 1,...,c k and outputs (s,c). Dec CCA1 decrypts whenever a s i = r i with sk r i obtains m and outputs m if the ciphertext was valid (verifiability). This construction follows closely [Rosen, Segev, TCC 2009]

From k-repetition to IND-CCA1 KeyGen CCA1 gives (pk 10,pk 11,...,pk k0,pk k1 ) and the secret key (sk 1 1r,sk 2r,...,sk 2 r k k ) Enc CCA1 chooses a random string s = s 1,...,s k, encrypts (k-repetition) with pk s 1 1,pk s 2 1,...,pk sk k obtains c = c 1,...,c k and outputs (s,c). Dec CCA1 decrypts whenever a s i = r i with sk r i obtains m and outputs m if the ciphertext was valid (verifiability). If s is the complement of the string r it is impossible to decode.

From k-repetition to IND-CCA1 If s is the complement of the string r it is impossible to decode. Given a successful IND-CCA1 adversary A for PKE CCA1 we construct an adversary A breaking the IND-CPA security of k-repetition PKE k : A obtains (pk 1,...,pk k ) A chooses (pk 10,pk 11,...,pk k0,pk k1 ) and (sk 1r,sk 2r,...,sk k r ) then every cipher (s,c) can be deciphered by A, except for s = complement(r). A can mimic the oracle for A. A gives (pk 10,pk 11,...,pk k0,pk k1 ) to A. 1 2 k

From k-repetition to IND-CCA1 If s is the complement of the string r it is impossible to decode. Given a successful IND-CCA1 adversary A for PKE CCA1 we construct an adversary A breaking the IND-CPA security of k-repetition PKE k : given (pk 10,pk 11,...,pk k0,pk k1 ) A outputs m 1, m 2 A outputs m 1, m 2 and obtains a challenge c. A gives (complement(r),c) as a challenge to A. A outputs a decision d. A outputs this decision d.

Achieving IND-CCA2

From k-repetition to IND-CCA2 This scheme is not yet IND-CCA2 secure: After obtaining the challenge (s,c) just change a bit in s and give this to the decryption oracle. KeyGen CCA2 gives (pk 10,pk 11,...,pk k0,pk k1 ) chooses a signing key and r = r 1,...,r k as the complement of a the corresponding signature verification key. The secret key is chosen as (sk 1r,sk 2r,...,sk k r ).

From k-repetition to IND-CCA2 This scheme is not yet IND-CCA2 secure: After obtaining the challenge (s,c) just change a bit in s and give this to the decryption oracle. Enc CCA2 chooses a signing key sk and a verification key vk = vk 1,...,vk k, encrypts with pk vk 1 1,pk vk 2 1,...,pk vk k k obtains c = c 1,...,c k then signs (sk,c) and outputs c, vk and the signature.

From k-repetition to IND-CCA2 This scheme is not yet IND-CCA2 secure: After obtaining the challenge (s,c) just change a bit in s and give this to the decryption oracle. Dec CCA1 decrypts whenever a s i = r i with sk r obtains m and outputs m if the ciphertext was valid (verifiability) this includes checking of the signatures. Successfully changing the ciphertext now amounts to forging a signature.

Conclusion Based on the work of Rosen and Segev at TCC 2009 we presented an IND-CCA2 secure PKE based on the McEliece assumptions in the standard model. The construction is O(k 2 ) and finding a more efficient construction is an open problem.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback