
SECURE AND ANONYMOUS HYBRID

ENCRYPTION FROM CODING THEORY

Edoardo Persichetti

University of Warsaw

06 June 2013

(UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20

Part I

PRELIMINARIES


ERROR-CORRECTING CODES

[n, k] LINEAR CODE OVER $\mathbb{F}_q$

A subspace of dimension k of $\mathbb{F}_q^n$.

w-error correcting: there exists a decoding algorithm that corrects up to w errors occurring on a codeword.

HAMMING WEIGHT

Number of non-zero entries: $\mathrm{wt}(x) = |\{i : x_i \neq 0,\ 1 \le i \le n\}|$.

PARITY-CHECK MATRIX

$H \in \mathbb{F}_q^{(n-k)\times n}$ defines the code as follows: $x \in C \iff Hx^T = 0$.

Systematic form: $(M \mid I_{n-k})$.


CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES

McEliece: first cryptosystem using error-correcting codes (1978).

Based on the hardness of decoding random linear codes.

“Dual” version proposed by Niederreiter (1985).

PROBLEM (COMPUTATIONAL SYNDROME DECODING)

Given: $H \in \mathbb{F}_q^{(n-k)\times n}$, $y \in \mathbb{F}_q^{n-k}$ and $w \in \mathbb{N}$. Goal: find a word $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) \le w$ such that $He^T = y$.

Unique solution and hardness only if w is below a certain threshold (GV bound).

If H defines an error-correcting code, we have a trapdoor: a special description ∆ allows a decoding algorithm to correct errors.


NIEDERREITER, REVISITED

KEY GENERATION

Choose a w-error correcting code C. SK: code description ∆ for C. PK: parity-check matrix H in systematic form for C.

ENCRYPTION

Message is a word $e \in \mathbb{F}_2^n$ of weight w.

$c = He^T$.

DECRYPTION

Set $e = \mathrm{Decode}_\Delta(c)$ and return e. Return ⊥ if decoding fails.


Part II

HYBRID ENCRYPTION


MOTIVATION

Purpose of public-key encryption: encrypt key for symmetric scheme.

The Niederreiter cryptosystem requires constant-weight encoding functions to transform the symmetric key into a fixed-weight string e.

This can be done more efficiently: build a KEM based on Niederreiter's assumptions.


THE KEM-DEM FRAMEWORK

Introduced by Cramer and Shoup (2001), combines the actions of two independent mechanisms.

KEY ENCAPSULATION MECHANISM (KEM)

Keygen: generates private key SK and public key PK.

$\mathrm{Enc}_{KEM}(PK)$: produces a symmetric key K and a ciphertext $c_0$.

$\mathrm{Dec}_{KEM}(SK, c_0)$: returns the symmetric key K (or ⊥).

DATA ENCAPSULATION MECHANISM (DEM)

$\mathrm{Enc}_{DEM}(K, m)$: produces the ciphertext $c_1$.

$\mathrm{Dec}_{DEM}(K, c_1)$: returns the plaintext m (or ⊥).


HYBRID ENCRYPTION

HYBRID ENCRYPTION SCHEME

Keygen: generates private key SK and public key PK.

$\mathrm{Enc}_{HY}(PK, m)$: run $\mathrm{Enc}_{KEM}(PK)$ and get $(K, c_0)$. Run $\mathrm{Enc}_{DEM}(K, m)$ and get $c_1$. Final ciphertext $c = (c_0, c_1)$.

$\mathrm{Dec}_{HY}(SK, c)$: run $\mathrm{Dec}_{KEM}(SK, c_0)$ and get K. Run $\mathrm{Dec}_{DEM}(K, c_1)$ and recover m.


SECURITY

Independent components with separate security definitions; however:

IND-CCA secure KEM + IND-CCA secure DEM $\Longrightarrow$ IND-CCA secure hybrid scheme!

DEM: usual symmetric encryption IND-CCA requirement. Can use any symmetric scheme (e.g. one-time pad) + MAC.

IND-CCA SECURITY FOR KEM

Get public key PK. Perform decryption queries. Challenge ciphertext: $(K^*, c^*)$ either honestly obtained ($b = 1$) by $\mathrm{Enc}_{KEM}(PK)$ or by choosing $K^*$ as a random string ($b = 0$). Perform decryption queries ($\neq c^*$). Return $b^*$.

$\mathrm{Adv}_{KEM}(A, \lambda) = \big|\Pr[b^* = b] - 1/2\big|$


NIEDERREITER KEM

Secure in the Random Oracle model; makes use of a Key Derivation Function (KDF), e.g. SHA-3.

KEY GENERATION

Choose a w-error correcting code C. SK: code description ∆ for C. PK: parity-check matrix H in systematic form for C.

ENCRYPTION

Choose a random word $e \in \mathbb{F}_2^n$ of weight w.

$K = \mathrm{KDF}(e)$, $c_0 = He^T$.

DECRYPTION

Set $e = \mathrm{Decode}_\Delta(c_0)$ and return $K = \mathrm{KDF}(e)$. Return $\mathrm{KDF}(c_0)$ if decoding fails.
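As an added worked example (my code, not from the slides or the paper): the Niederreiter KEM of this slide wrapped in the hybrid scheme of the HYBRID ENCRYPTION and SECURITY slides, over a constructed toy binary [16, 4] code with w = 2. The trapdoor ∆ is replaced by a brute-force syndrome table that anyone holding the public H could rebuild, so these parameters carry no security and only the mechanics are demonstrated: K = KDF(e), c0 = He^T, the KDF(c0) fallback on decoding failure, and a keystream-XOR-plus-MAC DEM; the weight check in decaps is my own addition.

```python
import hashlib
import hmac
import random
from itertools import combinations

# Toy parameters (constructed): binary [16, 4] code, H is 12 x 16, must correct w = 2 errors.
CODE_N, CODE_K, CODE_W = 16, 4, 2
CODE_R = CODE_N - CODE_K

def syndrome(H, e):
    """s = H e^T over F_2; e and the result are tuples of 0/1 bits."""
    return tuple(sum(h & x for h, x in zip(row, e)) & 1 for row in H)

def build_decoder(H):
    """Toy trapdoor Delta: syndrome -> unique word of weight <= w (a real scheme
    uses an algebraic decoder). None if two words collide, i.e. w is too large."""
    table = {}
    for wt in range(CODE_W + 1):
        for supp in combinations(range(CODE_N), wt):
            e = tuple(int(j in supp) for j in range(CODE_N))
            s = syndrome(H, e)
            if s in table:
                return None
            table[s] = e
    return table

def keygen(rng):
    """PK: parity-check matrix H = (M | I_r) in systematic form. SK: the decoder."""
    while True:
        M = [[rng.randrange(2) for _ in range(CODE_K)] for _ in range(CODE_R)]
        H = [M[i] + [int(j == i) for j in range(CODE_R)] for i in range(CODE_R)]
        table = build_decoder(H)
        if table is not None:
            return H, table

def kdf(bits):
    """KDF modelled as a hash of the bit string (the slides suggest SHA-3)."""
    return hashlib.sha3_256(bytes(bits)).digest()

def encaps(pk, rng):
    """Pick a random e of weight exactly w; K = KDF(e), c0 = H e^T."""
    supp = rng.sample(range(CODE_N), CODE_W)
    e = tuple(int(j in supp) for j in range(CODE_N))
    return kdf(e), syndrome(pk, e)

def decaps(sk, c0):
    """K = KDF(e) if c0 decodes, otherwise KDF(c0): no explicit failure signal."""
    e = sk.get(tuple(c0))
    # Weight check added here (my assumption, not on the slides): an honest c0
    # always comes from a word of weight exactly w, so anything else is a failure.
    if e is None or sum(e) != CODE_W:
        return kdf(c0)
    return kdf(e)

def hy_encrypt(pk, m, rng):
    """Hybrid encryption: c = (c0, c1, tag); the DEM is a keystream XOR plus a MAC."""
    key, c0 = encaps(pk, rng)
    k_enc, k_mac = key[:16], key[16:]
    stream = hashlib.shake_128(k_enc).digest(len(m))
    c1 = bytes(a ^ b for a, b in zip(m, stream))
    tag = hmac.new(k_mac, bytes(c0) + c1, hashlib.sha3_256).digest()
    return c0, c1, tag

def hy_decrypt(sk, c):
    """Return m, or None (the slides' bottom symbol) when the DEM's MAC rejects."""
    c0, c1, tag = c
    key = decaps(sk, c0)
    k_enc, k_mac = key[:16], key[16:]
    expected = hmac.new(k_mac, bytes(c0) + c1, hashlib.sha3_256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.shake_128(k_enc).digest(len(c1))
    return bytes(a ^ b for a, b in zip(c1, stream))

def run_demo(seed=2013):
    """Exercise KEM and hybrid scheme; the fixed seed only makes it reproducible."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    key, c0 = encaps(pk, rng)
    msg = b"constructed sample plaintext"
    c = hy_encrypt(pk, msg, rng)
    bad_c0 = (1 - c[0][0],) + tuple(c[0][1:])   # flip one syndrome bit
    bad_c1 = c[1][:-1] + bytes([c[1][-1] ^ 1])  # flip one DEM ciphertext bit
    return {
        "kem_agrees": decaps(sk, c0) == key,
        "roundtrip": hy_decrypt(sk, c) == msg,
        "tampered_c0_rejected": hy_decrypt(sk, (bad_c0, c[1], c[2])) is None,
        "tampered_c1_rejected": hy_decrypt(sk, (c[0], bad_c1, c[2])) is None,
    }
```

Flipping one bit of c0 drives decapsulation into the KDF(c0) branch (or onto an unrelated e), so the derived MAC key changes and the DEM rejects, which is the behaviour the KEM-DEM composition theorem relies on.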


PROOF OF SECURITY (SKETCH)

THEOREM

Let A be an adversary for KEM and $N = |W_{n,q,w}|$. There exists an adversary $A'$ for SDP such that

$\mathrm{Adv}_{KEM}(A, \lambda) \le \mathrm{Adv}_{SDP}(A', \lambda) + n_{DEC}/N.$

Model KDF as a random oracle H.

Game 0: the KEM security game.

Game 1: halt if challenge ciphertext $c_0^* = He^{*T}$ had been previously queried.

Game 2: generate $c_0^*$ at the beginning and halt if H is queried at $e^*$. Use adversary $A'$ as a simulator.

Simulation possible thanks to modification in the decryption algorithm.


THE SIMULATOR

$A'$ has to solve an instance $(H, y, w)$ of SDP. Interaction with A:

KEY GENERATION

Set PK = H and give PK to A.

CHALLENGE QUERIES

Set $c^* = y$ and $K^*$ a random string, and give $(K^*, c^*)$ to A.

RANDOM ORACLE QUERIES

Receive query e and compute $s = He^T$. If $s = y$ then win the game and halt. Otherwise, generate K at random.

DECRYPTION QUERIES

Receive query c0 and reply with a random string K .

Use of tables to guarantee integrity.


Part III

ANONYMITY


INTRODUCTION

Increasingly important notion in the community.

Key Privacy vs Data Privacy

IK-CCA SECURITY FOR PKE

Get two public keys $PK_0$ and $PK_1$. Perform decryption queries (for either). Choose message m. Challenge ciphertext: $c^* = \mathrm{Enc}(PK_b, m)$ for $b \in \{0, 1\}$. Perform decryption queries ($\neq c^*$). Return b.


ANONYMITY FOR CODE-BASED SCHEMES

“Plain” Niederreiter (or McEliece) scheme: not secure.

IND-CPA “randomized” variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007).

What about hybrid encryption? Unfortunately

IK-CCA secure KEM + IK-CCA secure DEM $\not\Longrightarrow$ IK-CCA secure hybrid scheme

(Mohassel, 2010)

We prove IK-CCA security for our scheme directly.


PROOF OF SECURITY (SKETCH)

ALTERNATIVE DEFINITION OF ADV

$\mathrm{Adv}'_{\text{IND-CCA}}(A, \lambda) = \big|\Pr[b^* = 1 \mid b = 1] - \Pr[b^* = 1 \mid b = 0]\big|.$ Equivalent since $\mathrm{Adv}'_{\text{IND-CCA}}(A, \lambda) = 2 \cdot \mathrm{Adv}_{\text{IND-CCA}}(A, \lambda)$.
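The equivalence, worked out with the slide's own symbols (a derivation added here, not part of the original slides). With the bit b uniform,

$$\Pr[b^* = b] = \tfrac{1}{2}\Pr[b^* = 1 \mid b = 1] + \tfrac{1}{2}\Pr[b^* = 0 \mid b = 0] = \tfrac{1}{2} + \tfrac{1}{2}\big(\Pr[b^* = 1 \mid b = 1] - \Pr[b^* = 1 \mid b = 0]\big),$$

so $\mathrm{Adv}_{\text{IND-CCA}}(A, \lambda) = \big|\Pr[b^* = b] - 1/2\big| = \tfrac{1}{2}\,\mathrm{Adv}'_{\text{IND-CCA}}(A, \lambda)$.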

THEOREM

Let A be an adversary for KEM and $N = |W_{n,q,w}|$. There exists an adversary $A'$ for IND-CCA such that

$\mathrm{Adv}_{\text{IK-CCA}}(A, \lambda) \le \mathrm{Adv}'_{\text{IND-CCA}}(A', \lambda) + n_{DEC}/2N.$

Model KDF as a random oracle H.

Game 0: the KEM security game.

Game 1: halt if challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m)$ had been previously queried.

Game 2: return an additional random string $m'$ together with $c^*$.

Game 3: set challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m')$. Use adversary $A'$ as a simulator.


Part IV

CONCLUSIONS


CONCLUSIONS

First KEM based directly on coding theory problem.

Simple construction and tight security proof.

Extending (Yamakawa et al., 2007), obtains IK-CCA security.

Implementation?


Merci beaucoup

Thank you

Grazie
