Code-Based Cryptography McEliece Cryptosystem I.0 Márquez-Corbella 2. McEliece Cryptosystem 1. Formal Definition 2. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks - Semantic Secure Conversions 6. Reducing the Key Size 7. Reducing the Key Size - LDPC codes 8. Reducing the Key Size - MDPC codes 9. Implementation I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY Without the private key it is computationally impossible to recover the plaintext If we assume that: 1. Decoding a random linear code is HARD. 2. Goppa codes are pseudorandom =⇒ McEliece is a OW scheme One-Wayness property Let Π be a cryptosystem. The probability of success of any Π is One-Wayness ⇐⇒ adversary running in polynomial time is negligible 1 If we assume that: 1. Decoding a random linear code is HARD. 2. Goppa codes are pseudorandom =⇒ McEliece is a OW scheme One-Wayness property Let Π be a cryptosystem. The probability of success of any Π is One-Wayness ⇐⇒ adversary running in polynomial time is negligible Without the private key it is computationally impossible to recover the plaintext 1 =⇒ McEliece is a OW scheme One-Wayness property Let Π be a cryptosystem. The probability of success of any Π is One-Wayness ⇐⇒ adversary running in polynomial time is negligible Without the private key it is computationally impossible to recover the plaintext If we assume that: 1. Decoding a random linear code is HARD. 2. Goppa codes are pseudorandom 1 One-Wayness property Let Π be a cryptosystem. The probability of success of any Π is One-Wayness ⇐⇒ adversary running in polynomial time is negligible Without the private key it is computationally impossible to recover the plaintext If we assume that: 1. Decoding a random linear code is HARD. 2. Goppa codes are pseudorandom =⇒ McEliece is a OW scheme 1 Plaintext Ciphertext Ciphertext Plaintext Oracle Queries Answer ORACLE 2 Oracle Plaintext Ciphertext Queries Answer Ciphertext ORACLE Plaintext 2 Goal 1: Non-malleability Given: y1 = Encrypt m1 , Kp Goal: Find y2 = Encrypt m2 , Kp such that a relationship exists between m1 and m2 D. Dolve, C. Dwork and M. Naor. Non-Malleable Cryptography. In Proc. of the 23rd STOC, 1991. 3 McEliece does not satisfy Non-Malleability 1. The adversary intercept a ciphertext y = mG + e 2. With the public-key GPub he can choose a codeword: c^ = m^ GPub 3. Now, the adversary can generate a new ciphertext: y2 = y + c^ = m + m^ GPub + e | {z } m2 The plaintext of the new ciphertext is: m2 = m + m^ 4 McEliece does not satisfy Non-Malleability Suppose that the adversary has acces to a decryption oracle y2 Decryption ^ Oracle m2 = m + m Attacker m 5 Goal (Non-Malleability): Find y2 = Encrypt m2 , Kp such that a relationship exists between m1 and m2 Goal 2: Indistinguishability - Semantic Security Given: y1 = Encrypt m1 , Kp Goal (Indistinguishability): Learn something about m1 S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 270-299, 1984. 6 Goal 2: Indistinguishability - Semantic Security Given: y1 = Encrypt m1 , Kp Goal (Indistinguishability): Learn something about m1 Goal (Non-Malleability): Find y2 = Encrypt m2 , Kp such that a relationship exists between m1 and m2 S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 270-299, 1984. 6 m0, m1 A random bit Encrypt(mb, Kp) b ∈ {0, 1} is chosen guess 0 or 1 This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Oracle Attacker Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. 7 m0, m1 A random bit Encrypt(mb, Kp) b ∈ {0, 1} is chosen guess 0 or 1 m = Plaintext Encrypt(m) Encryption Oracle Attacker Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes 7 m0, m1 A random bit Encrypt(mb, Kp) b ∈ {0, 1} is chosen guess 0 or 1 Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Oracle Attacker 7 m0, m1 Encrypt(mb, Kp) guess 0 or 1 Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Oracle Attacker A random bit b ∈ {0, 1} is chosen 7 Encrypt(mb, Kp) guess 0 or 1 Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Attacker Oracle m0, m1 A random bit b ∈ {0, 1} is chosen 7 guess 0 or 1 Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Attacker Oracle m0, m1 A random bit Encrypt(mb, Kp) b ∈ {0, 1} is chosen 7 Attack Models 1 - CPA Chosen Plaintext Attack (CPA): The adversary can encrypt any message of his choice. This is inevitable in Public-Key Schemes m = Plaintext Encrypt(m) Encryption Attacker Oracle m0, m1 A random bit Encrypt(mb, Kp) b ∈ {0, 1} is chosen guess 0 or 1 7 • Chosen Ciphertext Attack (CCA1): The adversary can use this oracle before it gets the challenge ciphertext. The queries cannot depend on the ciphertext C. • Adaptative Chosen Ciphertext Attack (CCA2): The adversary gets acces to a decryption oracle without restrictions. Attack Models 2 - CCA1 and CCA2 Chosen Ciphertext Attack (CCA): The adversary gets acces to an oracle for the decryption function. 8 • Adaptative Chosen Ciphertext Attack (CCA2): The adversary gets acces to a decryption oracle without restrictions. Attack Models 2 - CCA1 and CCA2 Chosen Ciphertext Attack (CCA): The adversary gets acces to an oracle for the decryption function. • Chosen Ciphertext Attack (CCA1): The adversary can use this oracle before it gets the challenge ciphertext. The queries cannot depend on the ciphertext C. 8 Attack Models 2 - CCA1 and CCA2 Chosen Ciphertext Attack (CCA): The adversary gets acces to an oracle for the decryption function. • Chosen Ciphertext Attack (CCA1): The adversary can use this oracle before it gets the challenge ciphertext. The queries cannot depend on the ciphertext C. • Adaptative Chosen Ciphertext Attack (CCA2): The adversary gets acces to a decryption oracle without restrictions. 8 m0, m1 Encrypt(mb, Kp) guess 0 or 1 Select a bit b CCA2 Attack Models 2 - CCA1 and CCA2 Decrypt(ci ) Decryption Adversary Challenger Oracle mi = plaintext such that ci = Encrypt(mi) 9 Decrypt(ci ) m0, m1 Encrypt(mb, Kp) mi = plaintext guess 0 or 1 such that ci = Encrypt(mi) CCA2 Attack Models 2 - CCA1 and CCA2 Decryption Adversary Challenger Oracle Select a bit b 9 Decrypt(ci ) Encrypt(mb, Kp) mi = plaintext guess 0 or 1 such that ci = Encrypt(mi) CCA2 Attack Models 2 - CCA1 and CCA2 m0, m1 Decryption Adversary Challenger Oracle Select a bit b 9 Decrypt(ci ) mi = plaintext guess 0 or 1 such that ci = Encrypt(mi) CCA2 Attack Models 2 - CCA1 and CCA2 m0, m1 Decryption Encrypt( , ) Adversary mb Kp Challenger Oracle Select a bit b 9 guess 0 or 1 Attack Models 2 - CCA1 and CCA2 Decrypt(ci ) m0, m1 Decryption Encrypt( , ) Adversary mb Kp Challenger Oracle mi = plaintext such that ci = Encrypt(mi) Select a bit b CCA2 9 Attack Models 2 - CCA1 and CCA2 Decrypt(ci ) m0, m1 Decryption Encrypt( , ) Adversary mb Kp Challenger Oracle mi = plaintext guess 0 or 1 such that ci = Encrypt(mi) Select a bit b CCA2 9 IND-CCA1 IND-CCA2IND-CCA2 NM-CPA NM-CCA1 NM-CCA2 IND-CPA Implications: A→B : B provides stronger notion of security compared to A Separations: A6→B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sence of B Implications and Separations n IND − CPA, IND − CCA1, IND − CCA2, o One can mix-and-match the goals and the attacks: NM − CPA, NM − CCA1, NM − CCA2 M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations Among Notions of Security for Public-Key Encryption Schemes. Crypto 98. Lecture Notes in Computer Science. Vol 1462. 10 IND-CCA2 Implications and Separations n IND − CPA, IND − CCA1, IND − CCA2, o One can mix-and-match the goals and the attacks: NM − CPA, NM − CCA1, NM − CCA2 NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 Implications: A→B : B provides stronger notion of security compared to A Separations: A6→B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sence of B 10 IND-CCA2 Implications and Separations n IND − CPA, IND − CCA1, IND − CCA2, o One can mix-and-match the goals and the attacks: NM − CPA, NM − CCA1, NM − CCA2 NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 Implications: A→B : B provides stronger notion of security compared to A Separations: A6→B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sence of B 10 IND-CCA2 Implications and Separations n IND − CPA, IND − CCA1, IND − CCA2, o One can mix-and-match the goals and the attacks: NM − CPA, NM − CCA1, NM − CCA2 NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 Implications: A→B : B provides stronger notion of security compared to A Separations: A6→B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sence of B 10 IND-CCA2 Implications and Separations n IND − CPA, IND − CCA1, IND − CCA2, o One can mix-and-match the goals and the attacks: NM − CPA, NM − CCA1, NM − CCA2 NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 Implications: A→B : B provides stronger notion of security compared to A Separations: A6→B : There exists an encryption scheme which is secure in the sense of A but which is not secure in the sence of B 10 2.