An efficient IND-CCA2 secure variant of the niederreiter encryption scheme in the standard model
09 Jul 2012-pp 166-179
TL;DR: This scheme is built on the Niederreiter encryption scheme and can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Abstract: In this paper, we propose an IND-CCA2 secure code based encryption scheme in the standard model, built on the Niederreiter encryption scheme. The security of the scheme is based on the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. The system is developed according to the construction similar to IND-CCA2 secure encryption scheme by Peikert and Waters using the lossy trapdoor functions. Compared to the existing IND-CCA2 secure variants due to Dowsley et.al. and Freeman et. al. (using the κ repetition paradigm initiated by Rosen and Segev), our scheme is more efficient as it avoids κ repetitions. This can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Citations
More filters
Book•
01 Jan 2010
TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.
Abstract: Cryptosystems I.- On Ideal Lattices and Learning with Errors over Rings.- Fully Homomorphic Encryption over the Integers.- Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups.- Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption.- Obfuscation and Side Channel Security.- Secure Obfuscation for Encrypted Signatures.- Public-Key Encryption in the Bounded-Retrieval Model.- Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases.- 2-Party Protocols.- Partial Fairness in Secure Two-Party Computation.- Secure Message Transmission with Small Public Discussion.- On the Impossibility of Three-Move Blind Signature Schemes.- Efficient Device-Independent Quantum Key Distribution.- Cryptanalysis.- New Generic Algorithms for Hard Knapsacks.- Lattice Enumeration Using Extreme Pruning.- Algebraic Cryptanalysis of McEliece Variants with Compact Keys.- Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.- IACR Distinguished Lecture.- Cryptography between Wonderland and Underland.- Automated Tools and Formal Methods.- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others.- Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.- Computational Soundness, Co-induction, and Encryption Cycles.- Models and Proofs.- Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks.- Cryptographic Agility and Its Relation to Circular Encryption.- Bounded Key-Dependent Message Security.- Multiparty Protocols.- Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography.- Adaptively Secure Broadcast.- Universally Composable Quantum Multi-party Computation.- Cryptosystems II.- A Simple BGN-Type Cryptosystem from LWE.- Bonsai Trees, or How to Delegate a Lattice Basis.- Efficient Lattice (H)IBE in the Standard Model.- Hash and MAC.- Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation.- Stam's Collision Resistance Conjecture.- Universal One-Way Hash Functions via Inaccessible Entropy.- Foundational Primitives.- Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions.- Constructing Verifiable Random Functions with Large Input Spaces.- Adaptive Trapdoor Functions and Chosen-Ciphertext Security.
320 citations
TL;DR: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code, thus opening the way for reconsidering the adoption of classical families of codes, like Reed–Solomon codes, that have been longly excluded from the Mceliece Cryptosystem for security reasons.
Abstract: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code. This increases the security level of the public key, thus opening the way for reconsidering the adoption of classical families of codes, like Reed---Solomon codes, that have been longly excluded from the McEliece cryptosystem for security reasons. It is well known that codes of these classes are able to yield a reduction in the key size or, equivalently, an increased level of security against information set decoding; so, these are the main advantages of the proposed solution. We also describe possible vulnerabilities and attacks related to the considered system and show what design choices are best suited to avoid them.
93 citations
Cites background from "An efficient IND-CCA2 secure varian..."
...Classical CCA2-secure conversions work in the random oracle model [22, 28], while the problem of finding efficient CCA2-secure conversions of these cryptosystem in the standard model has been addressed more recently [19, 18, 39, 42, 44]....
[...]
29 Nov 2015
TL;DR: The scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands $${\approx }2^{24}$$ users. The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.
44 citations
Dissertation•
01 Jan 2012
TL;DR: This work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks.
Abstract: Recent public-key cryptography is largely based on number theory problems, such as factoring or computing of discrete logarithm. These systems constitute an excellent choice in many applications, and their security is well defined and understood. One of the major drawbacks, though, is that they will be vulnerable once quantum computers of an appropriate size are available. There is then a strong need for alternative systems that would resist attackers equipped with quantum technology. One of the most well-known systems of this kind is the McEliece cryptosystem, introduced in 1978, that is based on algebraic coding theory. There are no known vulnerabilities against quantum computers, and it has a very fast and efficient encryption procedure. However, it has also one big aw, the size of the public key, that makes it impractical for many applications. The first part of this thesis is dedicated to finding a way to significantly reduce the size of the public key. Latest publications achieve very good results by using codes with particular structures, obtaining keys as small as 4,096 bits. Unfortunately, almost all of the variants presented until now have been broken or proven to be insecure against the so-called structural attacks, i.e. attacks that aim to exploit the hidden structure in order to recover the private key. My work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks. An efficient implementation of the above scheme is also provided, as a result of a joint work with P.-L. Cayrel and G. Hoffmann. In the next chapters, other important aspects of code-based cryptography are investigated. These include the study of a higher security standard, called indistinguishability under a chosen ciphertext attack, in the standard model, and the design of a code-based key encapsulation mechanism (KEM), which is an essential component of the hybrid encryption protocol. The last chapter is about digital signatures, a fundamental protocol in modern cryptography; existing code-based signatures schemes are reviewed and a negative result is obtained, showing that the design of an efficient signature scheme based on coding theory is still an open problem.
35 citations
Additional excerpts
...As for IND-CCA2 security, a few promising recent results have been published, for instance by Preetha Mathew, Vasant, Venkatesan and Pandu Rangan [78] at ACISP 2012....
[...]
TL;DR: The first provably secure group signature scheme from code-based assumptions was proposed in this article, which satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing two provably secure group signature schemes from code-based assumptions. Our basic scheme satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The construction produces smaller key and signature sizes than the previous group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed 224, which is roughly comparable to the current population of the Netherlands. We develop the basic scheme further to achieve the strongest anonymity notion, i.e. , CCA -anonymity, with a small overhead in terms of efficiency. The feasibility of two proposed schemes is supported by implementation results. Our two schemes are the first in their respective classes of provably secure groups signature schemes. Additionally, the techniques introduced in this work might be of independent interest. These are a new verifiable encryption protocol for the randomized McEliece encryption and a novel approach to design formal security reductions from the Syndrome Decoding problem.
14 citations
References
More filters
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
14,980 citations
"An efficient IND-CCA2 secure varian..." refers methods in this paper
...Trapdoor functions, which are hard to invert unless one possesses some secret trapdoor information was conceptualized by Diffie and Hellman [6] and were realized by the RSA implementation by Rivest, Shamir and Adleman [21]....
[...]
TL;DR: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key.
Abstract: An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intented recipient. Only he can decipher the message, since only he knows the corresponding decryption key. (2) A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret primer numbers p and q. Decryption is similar; only a different, secret, power d is used, where e * d ≡ 1(mod (p - 1) * (q - 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.
14,659 citations
TL;DR: In this paper, the authors considered factoring integers and finding discrete logarithms on a quantum computer and gave an efficient randomized algorithm for these two problems, which takes a number of steps polynomial in the input size of the integer to be factored.
Abstract: A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.
7,427 citations
TL;DR: In this paper, the authors considered factoring integers and finding discrete logarithms, two problems that are generally thought to be hard on classical computers and that have been used as the basis of several proposed cryptosystems.
Abstract: A digital computer is generally believed to be an efficient universal computing device; that is, it is believed to be able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems that are generally thought to be hard on classical computers and that have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, for example, the number of digits of the integer to be factored.
2,856 citations