Code-Based Cryptography

McEliece Cryptosystem

I. Márquez-Corbella. 2. McEliece Cryptosystem

1. Formal Definition  2. Security-Reduction Proof  3. McEliece Assumptions  4. Notions of Security  5. Critical Attacks - Semantic Secure Conversions  6. Reducing the Key Size  7. Reducing the Key Size - LDPC codes  8. Reducing the Key Size - MDPC codes  9. Implementation

I. Márquez-Corbella. CODE-BASED CRYPTOGRAPHY

Without the private key it is computationally impossible to recover the plaintext.

If we assume that:
1. Decoding a random linear code is HARD.
2. Goppa codes are pseudorandom
⟹ McEliece is a OW scheme.

One-Wayness property: Let Π be a cryptosystem. Π is One-Way ⟺ the probability of success of any adversary running in polynomial time is negligible.

[Figure: Attacker ↔ Oracle (queries in, answers out); Plaintext → Oracle → Ciphertext and Ciphertext → Oracle → Plaintext.]

Goal 1: Non-malleability

Given: y1 = Encrypt(m1, Kp)
Goal: Find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2

D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. In Proc. of the 23rd STOC, 1991.

McEliece does not satisfy Non-Malleability

1. The adversary intercepts a ciphertext

   y = mG + e

2. With the public key GPub he can choose a codeword: ĉ = m̂ GPub

3. Now, the adversary can generate a new ciphertext:

   y2 = y + ĉ = (m + m̂) GPub + e
                └──m2──┘

The plaintext of the new ciphertext is: m2 = m + m̂

Suppose that the adversary has access to a decryption oracle.

[Figure: the attacker submits y2 to the decryption oracle, receives m2 = m + m̂, and recovers m.]

Goal 2: Indistinguishability - Semantic Security

Given: y1 = Encrypt(m1, Kp)
Goal (Indistinguishability): Learn something about m1
Goal (Non-Malleability): Find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 270-299, 1984.

Attack Models 1 - CPA

Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes.

[Figure: the attacker sends a plaintext m to the encryption oracle and receives Encrypt(m). IND-CPA game: the attacker submits m0, m1; a random bit b ∈ {0, 1} is chosen; the attacker receives Encrypt(mb, Kp) and must guess 0 or 1.]

Attack Models 2 - CCA1 and CCA2

Chosen Ciphertext Attack (CCA): The adversary gets access to an oracle for the decryption function.

• Chosen Ciphertext Attack (CCA1): The adversary can use this oracle before it gets the challenge ciphertext. The queries cannot depend on the ciphertext C.

• Adaptive Chosen Ciphertext Attack (CCA2): The adversary gets access to a decryption oracle without restrictions.

[Figure: IND-CCA2 game between Adversary and Challenger. The adversary submits ciphertexts ci to the decryption oracle and receives mi = plaintext such that ci = Encrypt(mi); the adversary submits m0, m1; the challenger selects a bit b and returns Encrypt(mb, Kp); the adversary guesses 0 or 1.]
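The three games above can be exercised end to end on a toy instance. The following is an added example written for this page, not the lecture's or any library's code: it builds a miniature McEliece scheme in which the binary Hamming [7,4,3] code (t = 1) stands in for the Goppa code (an assumption made only so everything fits in a few lines), then replays the slides "McEliece does not satisfy Non-Malleability" (adding m̂ GPub to y shifts the plaintext to m + m̂, and a decryption oracle turns that into full plaintext recovery, exactly as the figure shows) and "Attack Models 1 - CPA" (an IND-CPA adversary that re-encrypts a candidate and checks the residual weight wins every time). All function names are hypothetical.

```python
import random

# --- GF(2) linear algebra on 0/1 lists --------------------------------------
def vec_add(a, b):
    return [x ^ y for x, y in zip(a, b)]

def vec_mat(v, M):
    """Row vector v times matrix M over GF(2)."""
    out = [0] * len(M[0])
    for vi, row in zip(v, M):
        if vi:
            out = vec_add(out, row)
    return out

def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]

def mat_inv(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = vec_add(aug[r], aug[col])
    return [row[n:] for row in aug]

# --- Hamming [7,4,3] code standing in for the Goppa code (assumption): G = [I | A], H = [A^T | I]
G = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
H = [[1,1,0,1,1,0,0], [1,0,1,1,0,1,0], [0,1,1,1,0,0,1]]
N, K, T = 7, 4, 1

def hamming_decode(y):
    """Correct one error: the syndrome H*y^T equals the column of H at the error position."""
    s = [sum(h[j] & y[j] for j in range(N)) % 2 for h in H]
    if any(s):
        j = next(j for j in range(N) if [h[j] for h in H] == s)
        y = y[:]
        y[j] ^= 1
    return y

# --- Toy McEliece: G_pub = S G P, y = m G_pub + e with wt(e) <= t ------------
def keygen(rng):
    while True:                                       # random invertible scrambler S
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if mat_inv(S) is not None:
            break
    perm = list(range(N)); rng.shuffle(perm)          # random permutation matrix P
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return mat_mul(mat_mul(S, G), P), (S, P)

def encrypt(G_pub, m, rng):
    e = [0] * N
    e[rng.randrange(N)] = 1                           # one random error position (t = 1)
    return vec_add(vec_mat(m, G_pub), e)

def decrypt(priv, y):
    S, P = priv
    c = hamming_decode(vec_mat(y, mat_inv(P)))        # y P^-1 = m S G + e'; strip e'
    return vec_mat(c[:K], mat_inv(S))                 # G is systematic: c[:K] = m S

# --- Slide "McEliece does not satisfy Non-Malleability": y2 = y + m_hat G_pub
def malleate(G_pub, y, m_hat):
    return vec_add(y, vec_mat(m_hat, G_pub))          # decrypts to m + m_hat

def cca2_recover(G_pub, dec_oracle, y, m_hat):
    """Decryption oracle that refuses only the challenge y: the related ciphertext
    y2 is accepted, and subtracting m_hat from its plaintext gives back m."""
    m2 = dec_oracle(malleate(G_pub, y, m_hat))        # m2 = m + m_hat
    return vec_add(m2, m_hat)                         # = m

# --- Slide "Attack Models 1 - CPA": the IND-CPA game against textbook McEliece
def ind_cpa_guess(G_pub, m0, y):
    """y + m0 G_pub is the error vector e (weight <= t) exactly when b = 0;
    otherwise it is a nonzero codeword plus e, of weight >= d - t = 2."""
    return 0 if sum(vec_add(y, vec_mat(m0, G_pub))) <= T else 1

def ind_cpa_win_rate(rng, trials=50):
    G_pub, _ = keygen(rng)
    m0, m1 = [1,0,1,1], [0,1,1,0]
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        y = encrypt(G_pub, [m0, m1][b], rng)
        wins += ind_cpa_guess(G_pub, m0, y) == b
    return wins / trials                              # 1.0: the challenge bit is always recovered

def run_demo(seed=1):
    """Walk-through with constructed inputs: (decryption correct, malleated plaintext,
    CCA2-recovered m, IND-CPA win rate)."""
    rng = random.Random(seed)
    G_pub, priv = keygen(rng)
    m, m_hat = [1,1,0,1], [0,1,1,0]
    y = encrypt(G_pub, m, rng)
    oracle = lambda c: None if c == y else decrypt(priv, c)   # challenge-refusing oracle
    return (decrypt(priv, y) == m,
            decrypt(priv, malleate(G_pub, y, m_hat)),         # m + m_hat = [1,0,1,1]
            cca2_recover(G_pub, oracle, y, m_hat),            # [1,1,0,1]
            ind_cpa_win_rate(rng))

if __name__ == "__main__":
    print(run_demo())
```

The IND-CPA adversary needs nothing but the public key: because encryption adds a low-weight error to a fixed codeword, re-encrypting a candidate plaintext and looking at the weight of the residual is enough to tell the two candidates apart, which is why the unconverted scheme is only one-way and the semantically secure conversions of the next section are needed.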

Implications and Separations

One can mix-and-match the goals and the attacks: {IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2}

[Figure: diagram of implication and separation arrows among the six notions, arranged as
   NM-CPA    NM-CCA1    NM-CCA2
   IND-CPA   IND-CCA1   IND-CCA2]

Implications: A → B : B provides a stronger notion of security compared to A

Separations: A ↛ B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sense of B

M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. Crypto 98. Lecture Notes in Computer Science, Vol. 1462.
