An efficient IND-CCA2 secure variant of the niederreiter encryption scheme in the standard model
09 Jul 2012-pp 166-179
TL;DR: This scheme is built on the Niederreiter encryption scheme and can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Abstract: In this paper, we propose an IND-CCA2 secure code based encryption scheme in the standard model, built on the Niederreiter encryption scheme. The security of the scheme is based on the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. The system is developed according to the construction similar to IND-CCA2 secure encryption scheme by Peikert and Waters using the lossy trapdoor functions. Compared to the existing IND-CCA2 secure variants due to Dowsley et.al. and Freeman et. al. (using the κ repetition paradigm initiated by Rosen and Segev), our scheme is more efficient as it avoids κ repetitions. This can be considered as the first practical code-based encryption scheme that is IND-CCA2 secure in the standard model.
Citations
More filters
Book•
01 Jan 2010
TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.
Abstract: Cryptosystems I.- On Ideal Lattices and Learning with Errors over Rings.- Fully Homomorphic Encryption over the Integers.- Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups.- Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption.- Obfuscation and Side Channel Security.- Secure Obfuscation for Encrypted Signatures.- Public-Key Encryption in the Bounded-Retrieval Model.- Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases.- 2-Party Protocols.- Partial Fairness in Secure Two-Party Computation.- Secure Message Transmission with Small Public Discussion.- On the Impossibility of Three-Move Blind Signature Schemes.- Efficient Device-Independent Quantum Key Distribution.- Cryptanalysis.- New Generic Algorithms for Hard Knapsacks.- Lattice Enumeration Using Extreme Pruning.- Algebraic Cryptanalysis of McEliece Variants with Compact Keys.- Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.- IACR Distinguished Lecture.- Cryptography between Wonderland and Underland.- Automated Tools and Formal Methods.- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others.- Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.- Computational Soundness, Co-induction, and Encryption Cycles.- Models and Proofs.- Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks.- Cryptographic Agility and Its Relation to Circular Encryption.- Bounded Key-Dependent Message Security.- Multiparty Protocols.- Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography.- Adaptively Secure Broadcast.- Universally Composable Quantum Multi-party Computation.- Cryptosystems II.- A Simple BGN-Type Cryptosystem from LWE.- Bonsai Trees, or How to Delegate a Lattice Basis.- Efficient Lattice (H)IBE in the Standard Model.- Hash and MAC.- Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation.- Stam's Collision Resistance Conjecture.- Universal One-Way Hash Functions via Inaccessible Entropy.- Foundational Primitives.- Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions.- Constructing Verifiable Random Functions with Large Input Spaces.- Adaptive Trapdoor Functions and Chosen-Ciphertext Security.
320 citations
TL;DR: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code, thus opening the way for reconsidering the adoption of classical families of codes, like Reed–Solomon codes, that have been longly excluded from the Mceliece Cryptosystem for security reasons.
Abstract: This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code. This increases the security level of the public key, thus opening the way for reconsidering the adoption of classical families of codes, like Reed---Solomon codes, that have been longly excluded from the McEliece cryptosystem for security reasons. It is well known that codes of these classes are able to yield a reduction in the key size or, equivalently, an increased level of security against information set decoding; so, these are the main advantages of the proposed solution. We also describe possible vulnerabilities and attacks related to the considered system and show what design choices are best suited to avoid them.
93 citations
Cites background from "An efficient IND-CCA2 secure varian..."
...Classical CCA2-secure conversions work in the random oracle model [22, 28], while the problem of finding efficient CCA2-secure conversions of these cryptosystem in the standard model has been addressed more recently [19, 18, 39, 42, 44]....
[...]
29 Nov 2015
TL;DR: The scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands $${\approx }2^{24}$$ users. The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.
44 citations
Dissertation•
01 Jan 2012
TL;DR: This work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks.
Abstract: Recent public-key cryptography is largely based on number theory problems, such as factoring or computing of discrete logarithm. These systems constitute an excellent choice in many applications, and their security is well defined and understood. One of the major drawbacks, though, is that they will be vulnerable once quantum computers of an appropriate size are available. There is then a strong need for alternative systems that would resist attackers equipped with quantum technology. One of the most well-known systems of this kind is the McEliece cryptosystem, introduced in 1978, that is based on algebraic coding theory. There are no known vulnerabilities against quantum computers, and it has a very fast and efficient encryption procedure. However, it has also one big aw, the size of the public key, that makes it impractical for many applications. The first part of this thesis is dedicated to finding a way to significantly reduce the size of the public key. Latest publications achieve very good results by using codes with particular structures, obtaining keys as small as 4,096 bits. Unfortunately, almost all of the variants presented until now have been broken or proven to be insecure against the so-called structural attacks, i.e. attacks that aim to exploit the hidden structure in order to recover the private key. My work is based on Generalized Srivastava codes and represents a generalization of the Quasi-Dyadic scheme proposed by Misoczki and Barreto, with two advantages: a better flexibility, and improved resistance to all the known attacks. An efficient implementation of the above scheme is also provided, as a result of a joint work with P.-L. Cayrel and G. Hoffmann. In the next chapters, other important aspects of code-based cryptography are investigated. These include the study of a higher security standard, called indistinguishability under a chosen ciphertext attack, in the standard model, and the design of a code-based key encapsulation mechanism (KEM), which is an essential component of the hybrid encryption protocol. The last chapter is about digital signatures, a fundamental protocol in modern cryptography; existing code-based signatures schemes are reviewed and a negative result is obtained, showing that the design of an efficient signature scheme based on coding theory is still an open problem.
35 citations
Additional excerpts
...As for IND-CCA2 security, a few promising recent results have been published, for instance by Preetha Mathew, Vasant, Venkatesan and Pandu Rangan [78] at ACISP 2012....
[...]
TL;DR: The first provably secure group signature scheme from code-based assumptions was proposed in this article, which satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing two provably secure group signature schemes from code-based assumptions. Our basic scheme satisfies the CPA -anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The construction produces smaller key and signature sizes than the previous group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed 224, which is roughly comparable to the current population of the Netherlands. We develop the basic scheme further to achieve the strongest anonymity notion, i.e. , CCA -anonymity, with a small overhead in terms of efficiency. The feasibility of two proposed schemes is supported by implementation results. Our two schemes are the first in their respective classes of provably secure groups signature schemes. Additionally, the techniques introduced in this work might be of independent interest. These are a new verifiable encryption protocol for the randomized McEliece encryption and a novel approach to design formal security reductions from the Syndrome Decoding problem.
14 citations
References
More filters
26 May 2010
TL;DR: This work gives an information-theoretic lower bound on the communication of any multi-query information retrieval protocol and designs an efficient non-trivial multi- query CPIR protocol that matches this lower bound.
Abstract: A fundamental privacy problem in the client-server setting is the retrieval of a record from a database maintained by a server so that the computationally bounded server remains oblivious to the index of the record retrieved while the overall communication between the two parties is smaller than the database size. This problem has been extensively studied and is known as computationally private information retrieval (CPIR). In this work we consider a natural extension of this problem: a multi-query CPIR protocol allows a client to extract m records of a database containing n l-bit records. We give an information-theoretic lower bound on the communication of any multi-query information retrieval protocol. We then design an efficient non-trivial multi-query CPIR protocol that matches this lower bound. This means we settle the multi-query CPIR problem optimally up to a constant factor.
243 citations
30 May 2010
TL;DR: It is proved that the private key of the McEliece cryptosystem satisfies a system of bi-homogeneous polynomial equations, which is due to the particular class of codes considered which are alternant codes.
Abstract: In this paper we propose a new approach to investigate the security of the McEliece cryptosystem. We recall that this cryptosystem relies on the use of error-correcting codes. Since its invention thirty years ago, no efficient attack had been devised that managed to recover the private key. We prove that the private key of the cryptosystem satisfies a system of bi-homogeneous polynomial equations. This property is due to the particular class of codes considered which are alternant codes. We have used these highly structured algebraic equations to mount an efficient key-recovery attack against two recent variants of the McEliece cryptosystems that aim at reducing public key sizes. These two compact variants of McEliece managed to propose keys with less than 20,000 bits. To do so, they proposed to use quasi-cyclic or dyadic structures. An implementation of our algebraic attack in the computer algebra system Magma allows to find the secret-key in a negligible time (less than one second) for almost all the proposed challenges. For instance, a private key designed for a 256-bit security has been found in 0.06 seconds with about 217.8 operations.
231 citations
13 Feb 2001
TL;DR: In this paper, a modified version of the McEliece cryptosystem was proposed to be semantically secure against adaptive chosen-ciphertext attacks, which can achieve the reduction of the redundant data down to 1/3 ∼ 1/4 compared with the generic conversions for practical parameters.
Abstract: Almost all of the current public-key cryptosystems (PKCs) are based on number theory, such as the integer factoring problem and the discrete logarithm problem (which will be solved in polynomial-time after the emergence of quantum computers). While the McEliece PKC is based on another theory, i.e. coding theory, it is vulnerable against several practical attacks. In this paper, we carefully review currently known attacks to the McEliece PKC, and then point out that, without any decryption oracles or any partial knowledge on the plaintext of the challenge ciphertext, no polynomial-time algorithm is known for inverting the McEliece PKC whose parameters are carefully chosen. Under the assumption that this inverting problem is hard, we propose slightly modified versions of McEliece PKC that can be proven, in the random oracle model, to be semantically secure against adaptive chosen-ciphertext attacks. Our conversions can achieve the reduction of the redundant data down to 1/3 ∼ 1/4 compared with the generic conversions for practical parameters.
199 citations
TL;DR: It is shown that a protocol by Broder and Dolev is insecure if RSA with a small exponent is used and the RSA cryptosystem used with asmall exponent is not a good choice to use as a public-key cryptos system in a large network.
Abstract: We consider the problem of solving systems of equations $P_i (x) \equiv 0(\bmod n_i )i = 1 \cdots k$ where $P_i $ are polynomials of degree d and the $n_i $ are distinct relatively prime numbers and $x {{d(d + 1)} / 2}$ we can recover x in polynomial time provided $\min (n_i ) > 2^{d^2 } $. As a consequence the RSA cryptosystem used with a small exponent is not a good choice to use as a public-key cryptosystem in a large network. We also show that a protocol by Broder and Dolev [Proceedings on the 25th Annual IEEE Symposium on the Foundations of Computer Science, 1984] is insecure if RSA with a small exponent is used.
188 citations
"An efficient IND-CCA2 secure varian..." refers background in this paper
...The parameters chosen in [12] are for the deterministic version of Niederreiter, which are vulnerable to an attack proposed by H̊astad, [14]....
[...]
TL;DR: It is shown that McEliece's and Niederreiter's public-key cryptosystems are equivalent when set up for corresponding choices of parameters and a security analysis for the two systems is presented.
Abstract: It is shown that McEliece's and Niederreiter's public-key cryptosystems are equivalent when set up for corresponding choices of parameters. A security analysis for the two systems based on this equivalence observation, is presented. >
172 citations
"An efficient IND-CCA2 secure varian..." refers methods in this paper
...[16] showed the equivalence of the security of McEliece and Niederreiter cryptosystems....
[...]