Code-Based Cryptography
McEliece Cryptosystem
I. Márquez-Corbella. 2. McEliece Cryptosystem
Outline:
1. Formal Definition
2. Security-Reduction Proof
3. McEliece Assumptions
4. Notions of Security
5. Critical Attacks - Semantic Secure Conversions
6. Reducing the Key Size
7. Reducing the Key Size - LDPC codes
8. Reducing the Key Size - MDPC codes
9. Implementation
I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

One-Wayness property
Without the private key it is computationally impossible to recover the plaintext.
If we assume that:
1. Decoding a random linear code is HARD.
2. Goppa codes are pseudorandom.
=⇒ McEliece is an OW scheme.
Definition (One-Wayness): Let Π be a cryptosystem. Π is one-way (OW) ⇐⇒ the probability of success of any adversary running in polynomial time is negligible.
[Diagram: the oracle model. The attacker sends queries to the ORACLE and receives answers; an encryption oracle maps plaintext to ciphertext, a decryption oracle maps ciphertext to plaintext.]
Goal 1: Non-malleability
Given: y1 = Encrypt(m1, Kp)
Goal: find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2.
D. Dolev, C. Dwork and M. Naor. Non-Malleable Cryptography. In Proc. of the 23rd STOC, 1991.
McEliece does not satisfy Non-Malleability
1. The adversary intercepts a ciphertext
   y = m GPub + e
2. With the public key GPub he can choose a codeword ĉ = m̂ GPub.
3. Now the adversary can generate a new ciphertext:
   y2 = y + ĉ = (m + m̂) GPub + e,
   which is a valid ciphertext whose plaintext is m2 = m + m̂.
Suppose that the adversary has access to a decryption oracle.
[Diagram: the attacker submits y2 to the decryption oracle, which returns m2 = m + m̂; since m̂ is known, the attacker recovers m = m2 + m̂.]
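The algebra on this slide, as an added example that is not part of the original lecture: a toy McEliece-style scheme over GF(2) built on the [7,4,3] Hamming code (constructed here; the Goppa code and the scrambling of the real scheme are omitted, since the malleability uses only the public generator matrix and a working decoder). It shows that y + m̂G decrypts to m + m̂, and that a decryption oracle for y2 therefore reveals m, which is exactly what a semantically secure conversion (point 5 of the outline) has to rule out.

```python
# Toy McEliece over the [7,4,3] Hamming code (corrects t = 1 error). Constructed for this
# example, not from the slides: G = [I_4 | P] is the public generator, H = [P^T | I_3] its
# parity-check matrix, and the Hamming syndrome decoder plays the role of the private decoder.
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
K, N = len(G), len(G[0])

def vec_add(a, b):
    """Vector addition over GF(2) (bitwise XOR)."""
    return [x ^ y for x, y in zip(a, b)]

def encode(m):
    """Codeword m*G over GF(2): XOR of the rows of G selected by the bits of m."""
    c = [0] * N
    for bit, row in zip(m, G):
        if bit:
            c = vec_add(c, row)
    return c

def encrypt(m, e):
    """McEliece encryption y = m*G_pub + e with an error vector e of weight <= t = 1."""
    assert sum(e) <= 1, "the toy code only corrects one error"
    return vec_add(encode(m), e)

def decrypt(y):
    """Syndrome decoding: locate and flip the single error, then read the systematic part."""
    s = [sum(h[j] & y[j] for j in range(N)) % 2 for h in H]
    if any(s):
        # For a Hamming code the syndrome equals the column of H at the error position.
        j = next(j for j in range(N) if [h[j] for h in H] == s)
        y = y[:j] + [y[j] ^ 1] + y[j + 1:]
    return y[:K]

def malleate(y, m_hat):
    """Steps 2-3 of the slide: add the public codeword m_hat*G_pub to an intercepted y."""
    return vec_add(y, encode(m_hat))

def recover_with_oracle(y, m_hat, decryption_oracle):
    """The slide's oracle step: decrypt y2 = y + m_hat*G_pub and undo the known shift m_hat."""
    return vec_add(decryption_oracle(malleate(y, m_hat)), m_hat)

if __name__ == "__main__":
    m, e, m_hat = [1, 0, 1, 1], [0, 0, 0, 0, 0, 1, 0], [0, 1, 1, 0]   # constructed sample values
    y = encrypt(m, e)
    print("decrypt(y)      =", decrypt(y))                            # [1, 0, 1, 1]
    print("decrypt(y + c^) =", decrypt(malleate(y, m_hat)))           # [1, 1, 0, 1] = m + m_hat
    print("via oracle      =", recover_with_oracle(y, m_hat, decrypt)) # [1, 0, 1, 1]
```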
Goal 2: Indistinguishability - Semantic Security
Given: y1 = Encrypt(m1, Kp)
Goal (Indistinguishability): learn something about m1.
Compare Goal (Non-Malleability): find y2 = Encrypt(m2, Kp) such that a relationship exists between m1 and m2.
S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270-299, 1984.
Attack Models 1 - CPA
Chosen Plaintext Attack (CPA): the adversary can encrypt any message of his choice. This is inevitable in public-key schemes.
[Diagram: the attacker sends a plaintext m to the encryption oracle and receives Encrypt(m). In the indistinguishability game the attacker submits two messages m0, m1; a random bit b ∈ {0, 1} is chosen, the attacker receives Encrypt(mb, Kp) and must guess 0 or 1.]
Attack Models 2 - CCA1 and CCA2
Chosen Ciphertext Attack (CCA): the adversary gets access to an oracle for the decryption function.
• Chosen Ciphertext Attack (CCA1): the adversary can use this oracle only before it gets the challenge ciphertext. The queries cannot depend on the challenge ciphertext C.
• Adaptive Chosen Ciphertext Attack (CCA2): the adversary gets access to the decryption oracle without restrictions, before and after the challenge (in the game, the only excluded query is the challenge ciphertext itself).
[Diagram, CCA2 game: the adversary queries Decrypt(ci) and the decryption oracle returns mi, the plaintext such that ci = Encrypt(mi); the adversary sends m0, m1 to the challenger, who selects a bit b and returns Encrypt(mb, Kp); the adversary may keep querying the oracle and finally guesses 0 or 1.]
Implications and Separations
One can mix-and-match the goals and the attacks: { IND-CPA, IND-CCA1, IND-CCA2, NM-CPA, NM-CCA1, NM-CCA2 }.
[Diagram: relations among the six notions, with NM-CPA, NM-CCA1, NM-CCA2 in the upper row and IND-CPA, IND-CCA1, IND-CCA2 in the lower row, IND-CCA2 being the strongest.]
Implications: A → B : B provides a stronger notion of security compared to A.
Separations: A ↛ B : there exists an encryption scheme which is secure in the sense of A but which is not secure in the sense of B.
M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. CRYPTO '98, Lecture Notes in Computer Science, Vol. 1462.