
SECURE AND ANONYMOUS HYBRID

ENCRYPTION FROM CODING THEORY

Edoardo Persichetti

University of Warsaw

06 June 2013

(UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20

Part I

PRELIMINARIES


ERROR-CORRECTING CODES

[n, k] LINEAR CODE OVER $\mathbb{F}_q$

A subspace of dimension $k$ of $\mathbb{F}_q^n$.

$w$-error correcting: there exists a decoding algorithm that corrects up to $w$ errors occurring on a codeword.

HAMMING WEIGHT

Number of non-zero entries: $\mathrm{wt}(x) = |\{i : x_i \neq 0,\ 1 \le i \le n\}|$.

PARITY-CHECK MATRIX

$H \in \mathbb{F}_q^{(n-k)\times n}$ defines the code as follows: $x \in C \iff Hx^T = 0$.

Systematic form: $(M \mid I_{n-k})$.


CODE-BASED PUBLIC-KEY ENCRYPTION SCHEMES

McEliece: first cryptosystem using error-correcting codes (1978).

Based on the hardness of decoding random linear codes.

“Dual” version proposed by Niederreiter (1985).

PROBLEM (COMPUTATIONAL SYNDROME DECODING)

Given: $H \in \mathbb{F}_q^{(n-k)\times n}$, $y \in \mathbb{F}_q^{n-k}$ and $w \in \mathbb{N}$. Goal: find a word $e \in \mathbb{F}_q^n$ with $\mathrm{wt}(e) \le w$ such that $He^T = y$.

Unique solution and hardness only if $w$ is below a certain threshold (GV bound).

If $H$ defines an error-correcting code, we have a trapdoor: a special description $\Delta$ allows a decoding algorithm to correct errors.


NIEDERREITER, REVISITED

KEY GENERATION

Choose a $w$-error correcting code $C$.

SK: code description $\Delta$ for $C$.

PK: parity-check matrix $H$ in systematic form for $C$.

ENCRYPTION

Message is a word $e \in \mathbb{F}_2^n$ of weight $w$.

$c = He^T$.

DECRYPTION

Set $e = \mathrm{Decode}_\Delta(c)$ and return $e$.

Return $\bot$ if decoding fails.


Part II

HYBRID ENCRYPTION


MOTIVATION

Purpose of public-key encryption: encrypt a key for a symmetric scheme.

The Niederreiter cryptosystem requires constant-weight encoding functions to transform the symmetric key into a fixed-weight string $e$.

This can be done more efficiently: build a KEM based on Niederreiter's assumptions.


THE KEM-DEM FRAMEWORK

Introduced by Cramer and Shoup (2001); combines the actions of two independent mechanisms.

KEY ENCAPSULATION MECHANISM (KEM)

Keygen: generates private key SK and public key PK.

$\mathrm{Enc}_{KEM}(PK)$: produces a symmetric key $K$ and a ciphertext $c_0$.

$\mathrm{Dec}_{KEM}(SK, c_0)$: returns the symmetric key $K$ (or $\bot$).

DATA ENCAPSULATION MECHANISM (DEM)

$\mathrm{Enc}_{DEM}(K, m)$: produces the ciphertext $c_1$.

$\mathrm{Dec}_{DEM}(K, c_1)$: returns the plaintext $m$ (or $\bot$).


HYBRID ENCRYPTION

HYBRID ENCRYPTION SCHEME

Keygen: generates private key SK and public key PK.

$\mathrm{Enc}_{HY}(PK, m)$: run $\mathrm{Enc}_{KEM}(PK)$ and get $(K, c_0)$. Run $\mathrm{Enc}_{DEM}(K, m)$ and get $c_1$. Final ciphertext $c = (c_0, c_1)$.

$\mathrm{Dec}_{HY}(SK, c)$: run $\mathrm{Dec}_{KEM}(SK, c_0)$ and get $K$. Run $\mathrm{Dec}_{DEM}(K, c_1)$ and recover $m$.


SECURITY

Independent components with separate security definitions; however,

IND-CCA secure KEM + IND-CCA secure DEM $\Longrightarrow$ IND-CCA secure hybrid scheme!

DEM: the usual IND-CCA requirement for symmetric encryption. Can use any symmetric scheme (e.g. one-time pad) + MAC.

IND-CCA SECURITY FOR KEM

Get public key PK.

Perform decryption queries.

Challenge ciphertext: $(K^*, c^*)$ either honestly obtained ($b = 1$) by $\mathrm{Enc}_{KEM}(PK)$ or by choosing $K^*$ as a random string ($b = 0$).

Perform decryption queries ($\neq c^*$).

Return $b^*$.

$\mathrm{Adv}_{KEM}(A, \lambda) = \left| \Pr[b^* = b] - 1/2 \right|$


NIEDERREITER KEM

Secure in the Random Oracle model; makes use of a Key Derivation Function (KDF), e.g. SHA-3.

KEY GENERATION

Choose a $w$-error correcting code $C$.

SK: code description $\Delta$ for $C$.

PK: parity-check matrix $H$ in systematic form for $C$.

ENCRYPTION

Choose a random word $e \in \mathbb{F}_2^n$ of weight $w$.

$K = \mathrm{KDF}(e)$, $c_0 = He^T$.

DECRYPTION

Set $e = \mathrm{Decode}_\Delta(c_0)$ and return $K = \mathrm{KDF}(e)$.

Return $\mathrm{KDF}(c_0)$ if decoding fails.
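Added example, not code from the talk: the Niederreiter KEM of this slide together with the KEM-DEM hybrid of the earlier slides, instantiated in Python over a toy [6,3] binary code correcting one error (a syndrome-table decoder stands in for $\mathrm{Decode}_\Delta$), SHA-3 as the KDF, and a keystream + HMAC DEM. The code, its parameters and the DEM are assumptions for illustration; one syndrome (111) is undecodable, which exercises the $\mathrm{KDF}(c_0)$ rule.

```python
# Added example, not the talk's code: toy parameters and the DEM are assumptions.
import hashlib
import hmac
import secrets

N, W = 6, 1   # toy [6,3] binary code correcting W = 1 error (only 7 possible e)

# PK: parity-check matrix H = (M | I_{n-k}) in systematic form, one tuple per row.
# Its columns 110,101,011,100,010,001 are distinct and non-zero, so the minimum
# distance is 3 and one error is correctable. Syndrome 111 matches no column.
H = ((1, 1, 0, 1, 0, 0),
     (1, 0, 1, 0, 1, 0),
     (0, 1, 1, 0, 0, 1))

def syndrome(h, e):
    """H e^T over F_2: the Niederreiter ciphertext of the word e."""
    return tuple(sum(a * b for a, b in zip(row, e)) % 2 for row in h)

def keygen():
    """SK: code description Delta, here a syndrome -> error table built from H
    (a real scheme hides the algebraic structure of the code). PK: H."""
    delta = {syndrome(H, (0,) * N): (0,) * N}
    for i in range(N):
        e = tuple(int(j == i) for j in range(N))
        delta[syndrome(H, e)] = e
    return delta, H

def decode(delta, c0):
    """Decode_Delta(c0): the e with wt(e) <= W and H e^T = c0, or None on failure."""
    return delta.get(tuple(c0))

def kdf(bits):
    """KDF modelled with SHA-3, as the slides suggest; input is a bit tuple."""
    return hashlib.sha3_256(bytes(bits)).digest()

def random_weight_w_word():
    pos = set()
    while len(pos) < W:
        pos.add(secrets.randbelow(N))
    return tuple(int(i in pos) for i in range(N))

def enc_kem(pk):
    """Enc_KEM(PK): random e of weight W, K = KDF(e), c0 = H e^T."""
    e = random_weight_w_word()
    return kdf(e), syndrome(pk, e)

def dec_kem(sk, c0):
    """Dec_KEM(SK, c0): KDF(e) on success, KDF(c0) rather than ⊥ on decoding
    failure. Never signalling failure is what lets the proof's simulator
    answer every decryption query with a random string."""
    e = decode(sk, c0)
    return kdf(e) if e is not None else kdf(tuple(c0))

TAG_LEN = 32

def enc_dem(k, m):
    """Enc_DEM(K, m): XOR with a keystream expanded from K, then a MAC
    (the 'symmetric scheme + MAC' DEM of the slides, encrypt-then-MAC)."""
    k_enc, k_mac = k[:16], k[16:]
    pad = hashlib.shake_256(k_enc).digest(len(m))
    ct = bytes(a ^ b for a, b in zip(m, pad))
    return ct + hmac.new(k_mac, ct, hashlib.sha3_256).digest()

def dec_dem(k, c1):
    """Dec_DEM(K, c1): the plaintext, or None (⊥) if the MAC does not verify."""
    k_enc, k_mac = k[:16], k[16:]
    ct, tag = c1[:-TAG_LEN], c1[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha3_256).digest()):
        return None
    pad = hashlib.shake_256(k_enc).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def enc_hy(pk, m):
    """Enc_HY(PK, m): ciphertext (c0, c1)."""
    k, c0 = enc_kem(pk)
    return c0, enc_dem(k, m)

def dec_hy(sk, c):
    """Dec_HY(SK, (c0, c1)): recover K from c0, then m from c1 (None on failure)."""
    c0, c1 = c
    return dec_dem(dec_kem(sk, c0), c1)
```

A wrong or tampered $c_0$ never raises an error in `dec_kem`; the mismatch only surfaces as a failed MAC in `dec_dem`, which is the behaviour the proof relies on.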


PROOF OF SECURITY (SKETCH)

THEOREM

Let $A$ be an adversary for KEM and $N = |W_{n,q,w}|$. There exists an adversary $A'$ for SDP such that

$\mathrm{Adv}_{KEM}(A, \lambda) \le \mathrm{Adv}_{SDP}(A', \lambda) + n_{DEC}/N$.

Model KDF as a random oracle $\mathcal{H}$.

Game 0: the KEM security game.

Game 1: halt if the challenge ciphertext $c_0^* = He^{*T}$ had been previously queried.

Game 2: generate $c_0^*$ at the beginning and halt if $\mathcal{H}$ is queried at $e^*$.

Use adversary $A'$ as a simulator.

Simulation possible thanks to the modification in the decryption algorithm.


THE SIMULATOR

$A'$ has to solve an instance $(H, y, w)$ of SDP. Interaction with $A$:

KEY GENERATION

Set PK $= H$ and give PK to $A$.

CHALLENGE QUERIES

Set $c^* = y$ and $K^*$ a random string, and give $(K^*, c^*)$ to $A$.

RANDOM ORACLE QUERIES

Receive query $e$ and compute $s = He^T$. If $s = y$ then win the game and halt. Otherwise, generate $K$ at random.

DECRYPTION QUERIES

Receive query $c_0$ and reply with a random string $K$.

Tables are used to keep the random-oracle and decryption answers consistent with each other.
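Added example, not from the talk: the simulator $A'$ of this slide written as a Python class over a toy [6,3] parity-check matrix (an assumption), showing how the random-oracle and decryption tables keep the answers consistent and how a low-weight query $e$ with $He^T = y$ hands $A'$ the SDP solution. The weight check and the exact consistency rule are my reading of the slides, not details the talk states.

```python
# Added example, not the talk's code: the simulator A' of the proof sketch over
# a toy parity-check matrix. The table logic is my reading of the slides.
import secrets

H = ((1, 1, 0, 1, 0, 0),
     (1, 0, 1, 0, 1, 0),
     (0, 1, 1, 0, 0, 1))

def syndrome(h, e):
    """H e^T over F_2."""
    return tuple(sum(a * b for a, b in zip(row, e)) % 2 for row in h)

class SdpSolved(Exception):
    """A' has found e with wt(e) <= w and H e^T = y: win the game and halt."""
    def __init__(self, e):
        super().__init__(e)
        self.e = e

class Simulator:
    """A' receives an SDP instance (H, y, w) and plays the KEM game with A
    without any decoder: every answer is a random string, and two tables make
    the random-oracle answers and the decryption answers agree."""

    def __init__(self, h, y, w):
        self.h, self.y, self.w = h, tuple(y), w
        self.ro_table = {}    # e  -> K, answers already given to RO queries
        self.dec_table = {}   # c0 -> K, answers already given to decryption queries

    def key_generation(self):
        return self.h                                  # PK = H

    def challenge(self):
        return secrets.token_bytes(32), self.y         # (K* random, c* = y)

    def random_oracle(self, e):
        e = tuple(e)
        if e in self.ro_table:
            return self.ro_table[e]
        s = syndrome(self.h, e)
        low_weight = sum(e) <= self.w
        if low_weight and s == self.y:
            raise SdpSolved(e)                         # SDP solved: halt
        # Consistency: for wt(e) <= w the real Dec_KEM(H e^T) returns KDF(e), so
        # the oracle answer must equal any decryption answer already given for
        # this syndrome, and later decryption queries on it must return it too.
        if low_weight and s in self.dec_table:
            k = self.dec_table[s]
        else:
            k = secrets.token_bytes(32)
            if low_weight:
                self.dec_table[s] = k
        self.ro_table[e] = k
        return k

    def decryption(self, c0):
        c0 = tuple(c0)
        if c0 == self.y:
            raise ValueError("decryption query on c* is not allowed")
        if c0 not in self.dec_table:
            self.dec_table[c0] = secrets.token_bytes(32)
        return self.dec_table[c0]
```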


Part III

ANONYMITY


INTRODUCTION

Increasingly important notion in the community.

Key Privacy vs Data Privacy

IK-CCA SECURITY FOR PKE

Get two public keys $PK_0$ and $PK_1$.

Perform decryption queries (for either).

Choose message $m$. Challenge ciphertext: $c^* = \mathrm{Enc}(PK_b, m)$ for $b \in \{0, 1\}$.

Perform decryption queries ($\neq c^*$).

Return $b$.


ANONYMITY FOR CODE-BASED SCHEMES

“Plain” Niederreiter (or McEliece) scheme: not secure.

IND-CPA “randomized” variant by Nojima et al.: IK-CPA secure (Yamakawa et al., 2007).

What about hybrid encryption? Unfortunately

IK-CCA secure KEM + IK-CCA secure DEM $\not\Longrightarrow$ IK-CCA secure hybrid scheme

(Mohassel, 2010)

We prove IK-CCA security for our scheme directly.


PROOF OF SECURITY (SKETCH)

ALTERNATIVE DEFINITION OF ADV

$\mathrm{Adv}'_{IND\text{-}CCA}(A, \lambda) = \left| \Pr[b^* = 1 \mid b = 1] - \Pr[b^* = 1 \mid b = 0] \right|$.

Equivalent since $\mathrm{Adv}'_{IND\text{-}CCA}(A, \lambda) = 2 \cdot \mathrm{Adv}_{IND\text{-}CCA}(A, \lambda)$.

THEOREM

Let $A$ be an adversary for KEM and $N = |W_{n,q,w}|$. There exists an adversary $A'$ for IND-CCA such that

$\mathrm{Adv}_{IK\text{-}CCA}(A, \lambda) \le \mathrm{Adv}'_{IND\text{-}CCA}(A', \lambda) + n_{DEC}/2N$.

Model KDF as a random oracle $\mathcal{H}$.

Game 0: the KEM security game.

Game 1: halt if the challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m)$ had been previously queried.

Game 2: return an additional random string $m'$ together with $c^*$.

Game 3: set challenge ciphertext $c^* = \mathrm{Enc}(PK_b, m')$.

Use adversary $A'$ as a simulator.


Part IV

CONCLUSIONS


CONCLUSIONS

First KEM based directly on coding theory problem.

Simple construction and tight security proof.

Extending (Yamakawa et al., 2007), the scheme obtains IK-CCA security.

Implementation?


Merci beaucoup

Thank you

Grazie
