An efficient IND-CCA2 secure variant of the niederreiter encryption scheme in the standard model
09 Jul 2012-pp 166-179
TL;DR: This scheme is built on the Niederreiter encryption scheme and can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Abstract: In this paper, we propose an IND-CCA2 secure code based encryption scheme in the standard model, built on the Niederreiter encryption scheme. The security of the scheme is based on the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. The system is developed according to the construction similar to IND-CCA2 secure encryption scheme by Peikert and Waters using the lossy trapdoor functions. Compared to the existing IND-CCA2 secure variants due to Dowsley et.al. and Freeman et. al. (using the κ repetition paradigm initiated by Rosen and Segev), our scheme is more efficient as it avoids κ repetitions. This can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Citations
More filters
Book•
01 Jan 2010
TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.
Abstract: Cryptosystems I.- On Ideal Lattices and Learning with Errors over Rings.- Fully Homomorphic Encryption over the Integers.- Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups.- Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption.- Obfuscation and Side Channel Security.- Secure Obfuscation for Encrypted Signatures.- Public-Key Encryption in the Bounded-Retrieval Model.- Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases.- 2-Party Protocols.- Partial Fairness in Secure Two-Party Computation.- Secure Message Transmission with Small Public Discussion.- On the Impossibility of Three-Move Blind Signature Schemes.- Efficient Device-Independent Quantum Key Distribution.- Cryptanalysis.- New Generic Algorithms for Hard Knapsacks.- Lattice Enumeration Using Extreme Pruning.- Algebraic Cryptanalysis of McEliece Variants with Compact Keys.- Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.- IACR Distinguished Lecture.- Cryptography between Wonderland and Underland.- Automated Tools and Formal Methods.- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others.- Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.- Computational Soundness, Co-induction, and Encryption Cycles.- Models and Proofs.- Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks.- Cryptographic Agility and Its Relation to Circular Encryption.- Bounded Key-Dependent Message Security.- Multiparty Protocols.- Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography.- Adaptively Secure Broadcast.- Universally Composable Quantum Multi-party Computation.- Cryptosystems II.- A Simple BGN-Type Cryptosystem from LWE.- Bonsai Trees, or How to Delegate a Lattice Basis.- Efficient Lattice (H)IBE in the Standard Model.- Hash and MAC.- Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation.- Stam's Collision Resistance Conjecture.- Universal One-Way Hash Functions via Inaccessible Entropy.- Foundational Primitives.- Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions.- Constructing Verifiable Random Functions with Large Input Spaces.- Adaptive Trapdoor Functions and Chosen-Ciphertext Security.
320 citations
TL;DR: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code, thus opening the way for reconsidering the adoption of classical families of codes, like Reed–Solomon codes, that have been longly excluded from the Mceliece Cryptosystem for security reasons.
Abstract: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code. This increases the security level of the public key, thus opening the way for reconsidering the adoption of classical families of codes, like Reed---Solomon codes, that have been longly excluded from the McEliece cryptosystem for security reasons. It is well known that codes of these classes are able to yield a reduction in the key size or, equivalently, an increased level of security against information set decoding; so, these are the main advantages of the proposed solution. We also describe possible vulnerabilities and attacks related to the considered system and show what design choices are best suited to avoid them.
93 citations
Cites background from "An efficient IND-CCA2 secure varian..."
...Classical CCA2-secure conversions work in the random oracle model [22, 28], while the problem of finding efficient CCA2-secure conversions of these cryptosystem in the standard model has been addressed more recently [19, 18, 39, 42, 44]....
[...]
29 Nov 2015
TL;DR: The scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands $${\approx }2^{24}$$ users. The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.
44 citations
Dissertation•
01 Jan 2012
TL;DR: This work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks.
Abstract: Recent public-key cryptography is largely based on number theory problems, such as factoring or computing of discrete logarithm. These systems constitute an excellent choice in many applications, and their security is well defined and understood. One of the major drawbacks, though, is that they will be vulnerable once quantum computers of an appropriate size are available. There is then a strong need for alternative systems that would resist attackers equipped with quantum technology. One of the most well-known systems of this kind is the McEliece cryptosystem, introduced in 1978, that is based on algebraic coding theory. There are no known vulnerabilities against quantum computers, and it has a very fast and efficient encryption procedure. However, it has also one big aw, the size of the public key, that makes it impractical for many applications. The first part of this thesis is dedicated to finding a way to significantly reduce the size of the public key. Latest publications achieve very good results by using codes with particular structures, obtaining keys as small as 4,096 bits. Unfortunately, almost all of the variants presented until now have been broken or proven to be insecure against the so-called structural attacks, i.e. attacks that aim to exploit the hidden structure in order to recover the private key. My work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks. An efficient implementation of the above scheme is also provided, as a result of a joint work with P.-L. Cayrel and G. Hoffmann. In the next chapters, other important aspects of code-based cryptography are investigated. These include the study of a higher security standard, called indistinguishability under a chosen ciphertext attack, in the standard model, and the design of a code-based key encapsulation mechanism (KEM), which is an essential component of the hybrid encryption protocol. The last chapter is about digital signatures, a fundamental protocol in modern cryptography; existing code-based signatures schemes are reviewed and a negative result is obtained, showing that the design of an efficient signature scheme based on coding theory is still an open problem.
35 citations
Additional excerpts
...As for IND-CCA2 security, a few promising recent results have been published, for instance by Preetha Mathew, Vasant, Venkatesan and Pandu Rangan [78] at ACISP 2012....
[...]
TL;DR: The first provably secure group signature scheme from code-based assumptions was proposed in this article, which satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing two provably secure group signature schemes from code-based assumptions. Our basic scheme satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The construction produces smaller key and signature sizes than the previous group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed 224, which is roughly comparable to the current population of the Netherlands. We develop the basic scheme further to achieve the strongest anonymity notion, i.e. , CCA -anonymity, with a small overhead in terms of efficiency. The feasibility of two proposed schemes is supported by implementation results. Our two schemes are the first in their respective classes of provably secure groups signature schemes. Additionally, the techniques introduced in this work might be of independent interest. These are a new verifiable encryption protocol for the randomized McEliece encryption and a novel approach to design formal security reductions from the Syndrome Decoding problem.
14 citations
References
More filters
IBM1
TL;DR: This work shows how to construct a public-key cryptosystem (as originally defined by DiNe and Hellman) secure against chosen ciphertezt attacks, given aPublic-Key cryptosystern secure against passive eavesdropping and a noninteractive zero-knowledge proof system in the shared string model.
Abstract: We show how to construct a public-key cryptosystem (as originally defined by DiNe and Hellman) secure against chosen ciphertezt attacks, given a public-key cryptosystern secure against passive eavesdropping and a noninteractive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. A concrete implementation can be based on quadratic residuosity intractability.
1,220 citations
"An efficient IND-CCA2 secure varian..." refers background in this paper
...The important notions in public key cryptography are that of security under chosen ciphertext attack (CCA security) and trapdoor functions (TDFs) [7,17,20]....
[...]
11 Aug 1991
TL;DR: A formalization of chosen ciphertext attack is given in the model which is stronger than the "lunchtime attack" considered by Naor and Yung, and it is proved a non-interactive public-key cryptosystem based on non-Interactive zero-knowledge proof of knowledge to be secure against it.
Abstract: The zero-knowledge proof of knowledge, first denned by Fiat, Fiege and Shamir, was used by Galil, Haber and Yung as a means of constructing (out of a trapdoor function) an interactive public-key cryptosystem provably secure against chosen ciphertext attack. We introduce a revised setting which permits the definition of a non-interactive analogue, the non-interactive zero-knowledge proof of knowledge, and show how it may be constructed in that setting from a non-interactive zero-knowledge proof system for NP (of the type introduced by Blum, Feldman and Micali). We give a formalization of chosen ciphertext attack in our model which is stronger than the "lunchtime attack" considered by Naor and Yung, and prove a non-interactive public-key cryptosystem based on non-interactive zero-knowledge proof of knowledge to be secure against it.
1,198 citations
"An efficient IND-CCA2 secure varian..." refers background in this paper
...The important notions in public key cryptography are that of security under chosen ciphertext attack (CCA security) and trapdoor functions (TDFs) [7,17,20]....
[...]
Posted Content•
TL;DR: In this paper, the authors take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the schemes that result from implementing the random oracle by so called "cryptographic hash functions".
Abstract: We take a critical look at the relationship between the security of cryptographic schemes in the Random Oracle Model, and the security of the schemes that result from implementing the random oracle by so called "cryptographic hash functions". The main result of this paper is a negative one: There exist signature and encryption schemes that are secure in the Random Oracle Model, but for which any implementation of the random oracle results in insecure schemes.
In the process of devising the above schemes, we consider possible definitions for the notion of a "good implementation" of a random oracle, pointing out limitations and challenges.
1,007 citations
Book•
01 Jan 1990TL;DR: This book gives a broad overview of public-key cryptography - its essence and advantages, various public- key cryptosystems, and protocols - as well as a comprehensive introduction to classical cryptography and cryptoanalysis.
Abstract: Cryptography, secret writing, is enjoying a scientific renaissance following the seminal discovery in 1977 of public-key cryptography and applications in computers and communications. This book gives a broad overview of public-key cryptography - its essence and advantages, various public-key cryptosystems, and protocols - as well as a comprehensive introduction to classical cryptography and cryptoanalysis. The second edition has been revised and enlarged especially in its treatment of cryptographic protocols. From a review of the first edition: "This is a comprehensive review ... there can be no doubt that this will be accepted as a standard text. At the same time, it is clearly and entertainingly written ... and can certainly stand alone." Alex M. Andrew, Kybernetes, March 1992
1,000 citations