On the CCA2 Security of McEliece in the Standard Model

Abstract

In this paper we study public-key encryption schemes based on error-correcting codes that are IND-CCA2 secure in the standard model. In particular, we analyze a protocol due to Dowsley, Müller-Quade and Nascimento, based on a work of Rosen and Segev. The original formulation of the protocol contained some ambiguities and incongruences, which we point out and correct; moreover, the protocol deviates substantially from the work it is based on. We then present a construction which resembles more closely the original Rosen-Segev framework, and show how this can be instantiated with the McEliece scheme.

A Security Arguments for the Corrected Scheme

Theorem 3

Assuming that \(PKE_\textsf {k}\) is IND-CPA secure and verifiable under \(\textsf {k}\)-correlated inputs, and that the signature scheme is one-time strongly unforgeable, the above encryption scheme is IND-CCA2-secure.

Let \(\mathcal A\) be an IND-CCA2 adversary. During the attack game, \(\mathcal A\) submits \(m_0,m_1\) and gets back the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\). Indicate with \(\textsf {Forge}\) the event that, for one of \(\mathcal A\)’s decryption queries \(\psi =(\textsf {vk},c_1,\dots ,c_\textsf {k},\sigma )\), it holds \(\textsf {vk}=\textsf {vk}^*\) and \(\textsf {Ver}^\mathrm { SS}_\textsf {vk}((c_1,\dots , c_\textsf {k}),\sigma )=1\). The theorem is proved by means of the two following lemmas.

Lemma 2

Pr[Forge] is negligible.

Proof

Assume that there exists an adversary \(\mathcal A\) for which Pr[Forge] is not negligible. We build an adversary \(\mathcal A'\) that breaks the security of the one-time strongly unforgeable scheme. \(\mathcal A'\) works as follows:

Key Generation: Invoke \(\textsf {KeyGen}^\mathrm { DMQN}\) as above and return \(\textsf {pk}\) to \(\mathcal A\).

Decryption Queries: Upon a decryption query \(\psi =(\textsf {vk},c_1,\dots ,c_\textsf {k},\sigma )\):

1. 1.

   If \(\textsf {vk}=\textsf {vk}^*\) and \(\textsf {Ver}^\mathrm { SS}_\textsf {vk}((c_1,\dots , c_\textsf {k}),\sigma )=1\) output \(\bot \) and halt.

2. 2.

   Otherwise, decrypt normally using \(\textsf {Dec}^\mathrm { DMQN}\).

Challenge Queries: Upon a challenge query \(m_0,m_1\):

1. 1.

   Choose random \(b\in \{0,1\}\).

2. 2.

   Use \(\textsf {Enc}^\mathrm { DMQN}\) to compute \(c^*_i=\textsf {Enc}_{\textsf {pk}_i^{\textsf {vk}^*_i}}(m_b,r)\) for \(i=1,\dots ,\textsf {k}\).

3. 3.

   Obtain the signature \(\sigma ^*\) on \((c^*_1,\dots ,c^*_\textsf {k})\) with respect to \(\textsf {vk}^*\)⁴.

4. 4.

   Return the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\).

Note that, if Forge doesn’t occur, the simulation of the CCA2 interaction is perfect. Therefore, the probability that \(\mathcal A'\) breaks the security of the one-time signature scheme is exactly Pr[Forge]. The one-time strong unforgeability implies that this probability is negligible. \(\square \)

Lemma 3

\(\Big |\textsf {Pr}[b=b^*\wedge \lnot \textsf {Forge}] -\frac{1}{2}\Big |\) is negligible.

Proof

Assume that there exists an adversary \(\mathcal A\) for which \(\Big |\textsf {Pr}[b=b^*\wedge \lnot \textsf {Forge}] -\frac{1}{2}\Big |\) is not negligible. We build an adversary \(\mathcal A'\) that breaks the IND-CPA security of \(PKE_\textsf {k}\). \(\mathcal A'\) works as follows:

Key Generation: On input the public key \((\textsf {pk}_1,\dots ,\textsf {pk}_\textsf {k})\) for \(PKE_\textsf {k}\):

1. 1.

   Execute \(\textsf {KeyGen}^\mathrm { SS}\) and obtain a key \((\textsf {vk}^*,\textsf {sgk}^*)\).

2. 2.

   Set \(\textsf {pk}_i^{\textsf {vk}^*}=\textsf {pk}_i\) for \(i=1,\dots ,\textsf {k}\).

3. 3.

   Run \(\textsf {KeyGen}^\mathrm { PKE}\) for \(\textsf {k}\) times and denote the resulting public keys by \((\textsf {pk}^{1-\textsf {vk}^*_1}_1\), \(\dots ,\textsf {pk}_{\textsf {k}}^{1-\textsf {vk}^*_\textsf {k}})\) and private keys by \((\textsf {sk}^{1-\textsf {vk}^*_1}_1,\dots ,\textsf {sk}_{\textsf {k}}^{1-\textsf {vk}^*_\textsf {k}})\).

4. 4.

   Return the public key \(\textsf {pk}=(\textsf {pk}^0_1,\textsf {pk}^1_1,\dots ,\textsf {pk}_{\textsf {k}}^0,\textsf {pk}_{\textsf {k}}^1)\) to \(\mathcal A\).

Decryption Queries: Upon a decryption query from \(\mathcal A\):

1. 1.

   If Forge occurs output \(\bot \) and halt.

2. 2.

   Otherwise, there will be some i such that \(\textsf {vk}_i\ne \textsf {vk}^*_i\). Decrypt normally using \(\textsf {Dec}^\mathrm { DMQN}\) with the key \(\textsf {sk}_i^{\textsf {vk}_i}\) previously generated.

Challenge Queries: Upon a challenge query \(m_0,m_1\):

1. 1.

   Send \(m_0,m_1\) to the challenge oracle for the IND-CPA game of \(\mathcal A'\) and obtain the corresponding challenge ciphertext \((c^*_1,\dots ,c^*_\textsf {k})\).

2. 2.

   Sign \((c^*_1,\dots ,c^*_\textsf {k})\) using \(\textsf {sgk}^*\) to get the signature \(\sigma ^*\).

3. 3.

   Return the challenge ciphertext \(\psi ^*=(\textsf {vk}^*,c^*_1,\dots ,c^*_\textsf {k},\sigma ^*)\).

Output: When \(\mathcal A\) outputs \(b^*\) also \(\mathcal A'\) outputs \(b^*\).

As long as Forge doesn’t occur, it is clear that the IND-CPA advantage of \(\mathcal A'\) against \(PKE_\textsf {k}\) is the same as the IND-CCA2 advantage of \(\mathcal A\) against the above scheme. Since we are assuming the IND-CPA security of \(PKE_\textsf {k}\), we have the IND-CCA2 security as desired. \(\square \)