Code-Based Cryptography

McEliece Cryptosystem
I. Márquez-Corbella

2. McEliece Cryptosystem
  1. Formal Definition
  2. Security-Reduction Proof
  3. McEliece Assumptions
  4. Notions of Security
  5. Critical Attacks - Semantic Secure Conversions
  6. Reducing the Key Size
  7. Reducing the Key Size - LDPC codes
  8. Reducing the Key Size - MDPC codes
  9. Implementation

One-Wayness property
Let Π be a cryptosystem. Π is One-Way ⇐⇒ the probability of success of any adversary running in polynomial time is negligible. Without the private key it is computationally impossible to recover the plaintext.
If we assume that:
1. Decoding a random linear code is HARD.
2. Goppa codes are pseudorandom
=⇒ McEliece is a OW scheme.

[Diagram: the attacker sends queries (plaintexts or ciphertexts) to an oracle and receives the corresponding answers (ciphertexts or plaintexts).]

Goal 1: Non-malleability
Given: y1 = Encrypt(m1, Kp)
Goal: Find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2.
D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. In Proc. of the 23rd STOC, 1991.

McEliece does not satisfy Non-Malleability
1. The adversary intercepts a ciphertext y = m G_pub + e.
2. With the public key G_pub he can choose a codeword ĉ = m̂ G_pub.
3. Now the adversary can generate a new ciphertext: y2 = y + ĉ = (m + m̂) G_pub + e.
The plaintext of the new ciphertext is m2 = m + m̂.
Suppose that the adversary has access to a decryption oracle: submitting y2 to the oracle returns m2 = m + m̂, from which the attacker obtains m.

Goal 2: Indistinguishability - Semantic Security
Given: y1 = Encrypt(m1, Kp)
Goal (Indistinguishability): Learn something about m1.
Goal (Non-Malleability): Find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2.
S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 270-299, 1984.

Attack Models 1 - CPA
Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes.
[Diagram: the attacker may send any plaintext m to an encryption oracle and receive Encrypt(m). The attacker then submits m0, m1; a random bit b ∈ {0, 1} is chosen; the attacker receives Encrypt(mb, Kp) and must guess whether b is 0 or 1.]

Attack Models 2 - CCA1 and CCA2
Chosen Ciphertext Attack (CCA): The adversary gets access to an oracle for the decryption function.
• Chosen Ciphertext Attack (CCA1): The adversary can use this oracle before it gets the challenge ciphertext. The queries cannot depend on the ciphertext C.
• Adaptive Chosen Ciphertext Attack (CCA2): The adversary gets access to a decryption oracle without restrictions.
[Diagram, CCA2 game: the adversary sends ciphertexts ci to the decryption oracle and receives mi, the plaintext such that ci = Encrypt(mi); the adversary sends m0, m1 to the challenger, who selects a bit b and returns Encrypt(mb, Kp); the adversary guesses 0 or 1.]

Implications and Separations
One can mix-and-match the goals and the attacks: {IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2}.
Implications: A → B: B provides a stronger notion of security compared to A.
Separations: A ↛ B: There exists an encryption scheme which is secure in the sense of A but which is not secure in the sense of B.
[Diagram: relations among NM-CPA, NM-CCA1, NM-CCA2, IND-CPA, IND-CCA1, IND-CCA2.]
M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. Crypto 98. Lecture Notes in Computer Science, Vol. 1462.
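The malleability argument from the "McEliece does not satisfy Non-Malleability" slides, as an added example that is not part of the original slide deck: a toy McEliece over a systematic [7,4] Hamming code (an assumption standing in for the binary Goppa code, with no S and P scrambling of the public matrix) checks that y + m̂·G_pub still decrypts, and decrypts to m + m̂. The same linearity is what the semantic-secure conversions listed in the outline have to remove.

```python
import random

# Constructed toy parameters (assumption, not the slides' parameters): a
# systematic [7,4] Hamming code correcting t = 1 error stands in for the
# binary Goppa code, and G_pub is the generator matrix itself, without the
# S and P scrambling of real McEliece. The argument on the slide only uses
# that G_pub generates a linear code, so it carries over unchanged.
K, N, T = 4, 7, 1
G_PUB = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix H = [A^T | I_3]; it belongs to the private decoder here.
H_PRIV = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]


def vec_add(a, b):
    """Vector addition over GF(2), i.e. bitwise XOR."""
    return [x ^ y for x, y in zip(a, b)]


def encode(m):
    """Codeword m * G_pub over GF(2): XOR of the rows of G_pub selected by m."""
    c = [0] * N
    for bit, row in zip(m, G_PUB):
        if bit:
            c = vec_add(c, row)
    return c


def syndrome(y):
    """H * y^T over GF(2); zero exactly when y is a codeword."""
    return tuple(sum(h & v for h, v in zip(row, y)) % 2 for row in H_PRIV)


# Private decoder: map the syndrome of each error of weight <= T to that error.
# For the Hamming code every weight-1 error has a distinct nonzero syndrome.
SYNDROME_TABLE = {syndrome([0] * N): [0] * N}
for j in range(N):
    e = [0] * N
    e[j] = 1
    SYNDROME_TABLE[syndrome(e)] = e


def encrypt(m, rng):
    """McEliece encryption y = m * G_pub + e with a random weight-T error e."""
    e = [0] * N
    for j in rng.sample(range(N), T):
        e[j] = 1
    return vec_add(encode(m), e)


def decrypt(y):
    """Private decryption: strip the error via the syndrome table, then read
    the message from the systematic (first K) positions of the codeword."""
    e = SYNDROME_TABLE[syndrome(y)]
    return vec_add(y, e)[:K]


def related_ciphertext(y, m_hat):
    """The slide's step 3: y2 = y + m_hat * G_pub. Because the code is linear,
    y2 = (m + m_hat) * G_pub + e still carries a weight-T error, so it is a
    valid ciphertext of m + m_hat, formed without the private key."""
    return vec_add(y, encode(m_hat))


def malleability_check(m, m_hat, seed=1):
    """Return (y decrypts to m, y + m_hat*G_pub decrypts to m + m_hat).
    A non-malleable scheme would make the second value False."""
    y = encrypt(m, random.Random(seed))
    y2 = related_ciphertext(y, m_hat)
    return decrypt(y) == m, decrypt(y2) == vec_add(m, m_hat)


if __name__ == "__main__":
    ok, malleable = malleability_check([1, 0, 1, 1], [0, 1, 1, 0])
    print("decrypt(y) == m:", ok)
    print("decrypt(y + m_hat*G_pub) == m + m_hat:", malleable)
```

With the decryption-oracle slide in mind, XORing m̂ back into the oracle's answer m + m̂ gives m, which is the step the slides use to show that plain McEliece is not secure under CCA.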