Abstract
In this paper we study public-key encryption schemes based on error-correcting codes that are IND-CCA2 secure in the standard model. In particular, we analyze a protocol due to Dowsley, Müller-Quade and Nascimento, based on a work of Rosen and Segev. The original formulation of the protocol contained some ambiguities and incongruences, which we point out and correct; moreover, the protocol deviates substantially from the work it is based on. We then present a construction which resembles more closely the original Rosen-Segev framework, and show how this can be instantiated with the McEliece scheme.
Notes
1. For instance, for Goppa codes this is given by the support \(\alpha _1,\dots ,\alpha _n\in \mathbb F_{q^m}\) and the Goppa polynomial g.
2. Note that the randomness we are making explicit here is the one necessary to realize the IND-CPA security of PKE, hence \(\textsf {Enc}\) is still a randomized algorithm. In particular, for the McEliece instantiation we would have \(c_i=(r|m)\hat{G}_i+e_i\).
3. By analogy with the Rosen-Segev scheme. Clearly in practice it would be much more efficient, rather than decoding \(\textsf {k}\) ciphertexts, to just decode one and then re-encode and test as in [3, Theorem 3].
4. Remember that in the one-time strong unforgeability game the adversary is allowed to ask a signing oracle for the signature on one message.
References
Biswas, B., Sendrier, N.: McEliece cryptosystem implementation: theory and practice. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 47–62. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_4
Döttling, N., Dowsley, R., Müller-Quade, J., Nascimento, A.C.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theory 58(10), 6672–6680 (2012)
Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 240–251. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_16
Faugère, J.-C., Gauthier-Umaña, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: 2011 IEEE Information Theory Workshop (ITW), pp. 282–286, October 2011
Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 245–255. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_22
Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 279–295. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_17
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems - conversions for McEliece PKC. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 19–35. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_2
Li, Y.X., Deng, R.H., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (1994)
Preetha Mathew, K., Vasant, S., Venkatesan, S., Pandu Rangan, C.: An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 166–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31448-3_13
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Progress Rep. 44, 114–116 (1978)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory 15(2), 159–166 (1986)
Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)
Persichetti, E.: On a CCA2-secure variant of McEliece in the standard model. IACR Cryptology ePrint Archive 2012:268 (2012)
Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 174–187. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38616-9_12
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_25
Strenzke, F.: A timing attack against the secret permutation in the McEliece PKC. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 95–107. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_8
Strenzke, F., Tews, E., Molter, H.G., Overbeck, R., Shoufan, A.: Side channels in the McEliece PKC. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 216–229. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_15
Yoshida, Y., Morozov, K., Tanaka, K.: CCA2 key-privacy for code-based encryption in the standard model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 35–50. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_3
A Security Arguments for the Corrected Scheme
Theorem 3
Assuming that \(PKE_\textsf {k}\) is IND-CPA secure and verifiable under \(\textsf {k}\)-correlated inputs, and that the signature scheme is one-time strongly unforgeable, the above encryption scheme is IND-CCA2-secure.
Let \(\mathcal A\) be an IND-CCA2 adversary. During the attack game, \(\mathcal A\) submits \(m_0,m_1\) and gets back the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\). Denote by \(\textsf {Forge}\) the event that, for one of \(\mathcal A\)'s decryption queries \(\psi =(\textsf {vk},c_1,\dots ,c_\textsf {k},\sigma )\), it holds that \(\textsf {vk}=\textsf {vk}^*\) and \(\textsf {Ver}^\mathrm { SS}_\textsf {vk}((c_1,\dots , c_\textsf {k}),\sigma )=1\). The theorem is proved by means of the following two lemmas.
Lemma 2
Pr[Forge] is negligible.
Proof
Assume that there exists an adversary \(\mathcal A\) for which Pr[Forge] is not negligible. We build an adversary \(\mathcal A'\) that breaks the security of the one-time strongly unforgeable scheme. \(\mathcal A'\) works as follows:
Key Generation: Invoke \(\textsf {KeyGen}^\mathrm { DMQN}\) as above and return \(\textsf {pk}\) to \(\mathcal A\).
Decryption Queries: Upon a decryption query \(\psi =(\textsf {vk},c_1,\dots ,c_\textsf {k},\sigma )\):
1. If \(\textsf {vk}=\textsf {vk}^*\) and \(\textsf {Ver}^\mathrm { SS}_\textsf {vk}((c_1,\dots , c_\textsf {k}),\sigma )=1\), output \(\bot \) and halt.
2. Otherwise, decrypt normally using \(\textsf {Dec}^\mathrm { DMQN}\).
Challenge Queries: Upon a challenge query \(m_0,m_1\):
1. Choose random \(b\in \{0,1\}\).
2. Use \(\textsf {Enc}^\mathrm { DMQN}\) to compute \(c^*_i=\textsf {Enc}_{\textsf {pk}_i^{\textsf {vk}^*_i}}(m_b,r)\) for \(i=1,\dots ,\textsf {k}\).
3. Obtain the signature \(\sigma ^*\) on \((c^*_1,\dots ,c^*_\textsf {k})\) with respect to \(\textsf {vk}^*\) (see Note 4).
4. Return the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\).
Note that, if Forge doesn’t occur, the simulation of the CCA2 interaction is perfect. Therefore, the probability that \(\mathcal A'\) breaks the security of the one-time signature scheme is exactly Pr[Forge]. The one-time strong unforgeability implies that this probability is negligible. \(\square \)
Lemma 3
\(\Big |\textsf {Pr}[b=b^*\wedge \lnot \textsf {Forge}] -\frac{1}{2}\Big |\) is negligible.
Proof
Assume that there exists an adversary \(\mathcal A\) for which \(\Big |\textsf {Pr}[b=b^*\wedge \lnot \textsf {Forge}] -\frac{1}{2}\Big |\) is not negligible. We build an adversary \(\mathcal A'\) that breaks the IND-CPA security of \(PKE_\textsf {k}\). \(\mathcal A'\) works as follows:
Key Generation: On input the public key \((\textsf {pk}_1,\dots ,\textsf {pk}_\textsf {k})\) for \(PKE_\textsf {k}\):
1. Execute \(\textsf {KeyGen}^\mathrm { SS}\) and obtain a key \((\textsf {vk}^*,\textsf {sgk}^*)\).
2. Set \(\textsf {pk}_i^{\textsf {vk}^*}=\textsf {pk}_i\) for \(i=1,\dots ,\textsf {k}\).
3. Run \(\textsf {KeyGen}^\mathrm { PKE}\) for \(\textsf {k}\) times and denote the resulting public keys by \((\textsf {pk}^{1-\textsf {vk}^*_1}_1\), \(\dots ,\textsf {pk}_{\textsf {k}}^{1-\textsf {vk}^*_\textsf {k}})\) and private keys by \((\textsf {sk}^{1-\textsf {vk}^*_1}_1,\dots ,\textsf {sk}_{\textsf {k}}^{1-\textsf {vk}^*_\textsf {k}})\).
4. Return the public key \(\textsf {pk}=(\textsf {pk}^0_1,\textsf {pk}^1_1,\dots ,\textsf {pk}_{\textsf {k}}^0,\textsf {pk}_{\textsf {k}}^1)\) to \(\mathcal A\).
Decryption Queries: Upon a decryption query from \(\mathcal A\):
1. If Forge occurs, output \(\bot \) and halt.
2. Otherwise, there will be some i such that \(\textsf {vk}_i\ne \textsf {vk}^*_i\). Decrypt normally using \(\textsf {Dec}^\mathrm { DMQN}\) with the key \(\textsf {sk}_i^{\textsf {vk}_i}\) previously generated.
Challenge Queries: Upon a challenge query \(m_0,m_1\):
1. Send \(m_0,m_1\) to the challenge oracle for the IND-CPA game of \(\mathcal A'\) and obtain the corresponding challenge ciphertext \((c^*_1,\dots ,c^*_\textsf {k})\).
2. Sign \((c^*_1,\dots ,c^*_\textsf {k})\) using \(\textsf {sgk}^*\) to get the signature \(\sigma ^*\).
3. Return the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\).
Output: When \(\mathcal A\) outputs \(b^*\), \(\mathcal A'\) outputs \(b^*\) as well.
As long as Forge doesn’t occur, it is clear that the IND-CPA advantage of \(\mathcal A'\) against \(PKE_\textsf {k}\) is the same as the IND-CCA2 advantage of \(\mathcal A\) against the above scheme. Since we are assuming the IND-CPA security of \(PKE_\textsf {k}\), we have the IND-CCA2 security as desired. \(\square \)
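The two checks that the proofs above rely on, the signature check that forces any useful decryption query to reproduce \(\textsf {vk}^*\) (Lemma 2) and the consistency check that lets a single private key \(\textsf {sk}_i^{\textsf {vk}_i}\) serve the whole decryption (Lemma 3, together with Note 3), are easiest to see in running code. The following Python script is an added illustration and is not the paper's or the DMQN authors' code. It assumes a toy stand-in PKE (textbook RSA with 64-bit primes, insecure and chosen only because encryption is deterministic in the block \((r|m)\), which is what makes the re-encrypt-and-test verification possible) and Lamport's one-time signature over SHA-256. Since a Lamport verification key is not a \(\textsf {k}\)-bit string, the script hashes \(\textsf {vk}\) down to \(\textsf {k}\) bits to select the public keys, which departs from the paper's use of the bits of \(\textsf {vk}\) itself; the names K, keygen, encrypt, decrypt and demo are the script's own.

```python
# Added example, not the paper's code: Rosen-Segev / DMQN-style CCA2 wiring of
# k correlated encryptions of (r|m) under vk-bit-selected public keys, bound by a
# one-time signature.  PKE = toy textbook RSA stand-in (insecure); OTS = Lamport.
import hashlib
import random

K = 8  # the paper's k (number of correlated ciphertexts), tiny for illustration

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bit(d, i):  # i-th bit of a byte string, MSB first
    return (d[i // 8] >> (7 - i % 8)) & 1

# --- one-time signature: Lamport over SHA-256 digests ------------------------
def ss_keygen(rng):
    sgk = [tuple(rng.getrandbits(256).to_bytes(32, "big") for _ in range(2))
           for _ in range(256)]
    return [(H(x0), H(x1)) for x0, x1 in sgk], sgk

def ss_sign(sgk, msg):
    d = H(msg)
    return [sgk[i][bit(d, i)] for i in range(256)]

def ss_verify(vk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == vk[i][bit(d, i)] for i in range(256))

# --- toy PKE stand-in: textbook RSA, 64-bit primes (NOT a secure PKE) --------
def is_probable_prime(n, rng, rounds=20):  # Miller-Rabin after trial division
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c, rng):
            return c

def pke_keygen(rng, bits=64, e=65537):
    while True:
        p, q = gen_prime(rng, bits), gen_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def pke_enc(pk, x):  # deterministic in x = (r|m): what makes re-encrypt-and-test possible
    return pow(x, pk[1], pk[0])

def pke_dec(sk, c):
    return pow(c, sk[1], sk[0])

# --- the CCA2 scheme ---------------------------------------------------------
def keygen(rng):  # 2k key pairs: (pk_i^0, sk_i^0), (pk_i^1, sk_i^1), i = 1..k
    pairs = [(pke_keygen(rng), pke_keygen(rng)) for _ in range(K)]
    return [(a[0], b[0]) for a, b in pairs], [(a[1], b[1]) for a, b in pairs]

def vk_bits(vk):
    # The paper selects pk_i^{vk_i} by the i-th bit of vk itself; a Lamport vk is
    # not a k-bit string, so we hash it down to k bits (our assumption).
    d = H(*(a + b for a, b in vk))
    return [bit(d, i) for i in range(K)]

def serialize(cs):
    return b"".join(c.to_bytes(16, "big") for c in cs)

def encrypt(pks, m, rng):
    assert len(m) == 4
    vk, sgk = ss_keygen(rng)
    r = rng.getrandbits(64).to_bytes(8, "big")  # randomness shared by all k ciphertexts
    x = int.from_bytes(r + m, "big")            # the block (r|m) of Note 2
    cs = [pke_enc(pks[i][b], x) for i, b in enumerate(vk_bits(vk))]
    return vk, cs, ss_sign(sgk, serialize(cs))

def decrypt(pks, sks, psi):
    """Returns m, or None (the paper's bottom symbol) on rejection."""
    vk, cs, sigma = psi
    if not ss_verify(vk, serialize(cs), sigma):
        return None                              # signature does not bind (c_1,...,c_k)
    bits = vk_bits(vk)
    x = pke_dec(sks[0][bits[0]], cs[0])          # decrypt c_1 only (Note 3) ...
    if any(pke_enc(pks[i][bits[i]], x) != cs[i] for i in range(K)):
        return None                              # ... then re-encrypt and test all of them
    return x.to_bytes(12, "big")[8:]

def demo(seed=1):
    """A valid ciphertext, then two malformed variants the decryption oracle must reject."""
    rng = random.Random(seed)
    pks, sks = keygen(rng)
    vk, cs, sigma = psi = encrypt(pks, b"ok!!", rng)
    altered = cs[:]
    altered[1] ^= 1                              # c_2 changed by one bit
    vk2, sgk2 = ss_keygen(rng)                   # a fresh one-time key, so vk2 != vk
    resigned = (vk2, altered, ss_sign(sgk2, serialize(altered)))
    return (decrypt(pks, sks, psi),                    # b"ok!!"
            decrypt(pks, sks, (vk, altered, sigma)),   # None: signature check fails
            decrypt(pks, sks, resigned))               # None: consistency check fails
```

Two design points are worth noting. First, decrypt returns \(\bot \) through both paths without revealing which check failed, exactly as the simulated decryption oracle in Lemmas 2 and 3 does. Second, because textbook RSA is a permutation, re-encrypting the value recovered from \(c_1\) trivially reproduces \(c_1\); it is the other \(\textsf {k}-1\) ciphertexts, encrypted under keys the decryptor did not use, that carry the verifiability under \(\textsf {k}\)-correlated inputs, which is why the third variant in demo is rejected even though its signature is valid under its own fresh \(\textsf {vk}\).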
© 2018 Springer Nature Switzerland AG
Persichetti, E. (2018). On the CCA2 Security of McEliece in the Standard Model. In: Baek, J., Susilo, W., Kim, J. (eds) Provable Security. ProvSec 2018. Lecture Notes in Computer Science, vol 11192. Springer, Cham. https://doi.org/10.1007/978-3-030-01446-9_10
Print ISBN: 978-3-030-01445-2
Online ISBN: 978-3-030-01446-9