Efficient Code Based Hybrid and Deterministic Encryptions in the Standard Model

Abstract

In this paper, we propose an IND-CCA2 secure Key-Encapsulation (KEM) in the standard model using the Niederreiter Encryption scheme. Also, we propose a PRIV-1CCA secure deterministic variant of the Niederreiter encryption scheme in the standard model. The security of these constructions are reduced to the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. To the best of our knowledge, the proposed constructions are the first of its kind under coding-based assumption in the standard model that do not use the \(\kappa \)-repetition paradigm initiated by Rosen and Segev at Theory of Cryptography Conference (TCC), 2009.

A Appendix

1.1 A.1 Proof of Security for Deterministic Encryption

Proof: The proof is presented as a sequence of games, Game 0, Game 1 .... While, Game 0 fits the scheme exactly as in the PRIV-1CCA game. Subsequent games change the environment, such that the view of the adversary in discriminating between two consecutive games is at best negligible in \(\kappa \) or reduces to the solution of a hard-problem instance. We denote the challenger/simulator as a PPT algorithm \(\mathcal {C}\) and the adversary of the system as a PPT algorithm \(\mathcal {A}\).

• Game 0. \(\mathcal {C}\) adapts the proposed scheme directly to the PRIV-1CCA game. The system parameters are set as in the proposed scheme, with the security parameter \(\kappa \). The key-generation oracle and the decryption oracle is run using the described scheme. Let \(M\) be a random variable over the message space with a min-entropy. Let \(m^* \mathop {\leftarrow }\limits ^{\$} M \) and the function to be computed on \(m^*\) be \(f\). \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). \(c^*\) is the “challenge ciphertext” given to \(\mathcal {A}\),i.e., given \(c^*\), \(\mathcal {A}\) must compute \(f(m^*)\). \(\mathcal {A}\) outputs \(t\), \(t \leftarrow \mathcal {A}^{\mathcal {D}(.)}(M,f,c^*)\). \(\mathcal {A}\) wins if where \(t == f(m^*)\).

  Let the event that the adversary \(\mathcal {A}\) wins the game be quantified by the random variable \(X_0\). Then,

  $$\begin{aligned} \mathbf{Real }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_0] \end{aligned}$$

  (7)

• Game 1. Decryption Oracle is simulated by \(\mathcal {C}\) as follows:

  

  Let the event that the adversary \(\mathcal {A}\) wins in this game be quantified by the random variable \(X_1\). The difference in the distribution (or view of the adversary) between \(X_0\) and \(X_1\) is the situation in which \(\mathcal {C}\) returns \(\perp \) if \(c_1 = c_1^*\) in this game, during the decryption oracle. The simulator returns \(\perp \) implying the ciphertext is invalid (as the integrity check will not hold). But, it can be seen that \(\mathcal {A}\) may have given a valid ciphertext (that is not the challenge ciphertext), i.e., a ciphertext for some \(m' \ne m^*\). Clearly, this would violate the target collision resistance of \(h_1\) or of \(h_2\). \( \mathcal {H}\) is target collision resistant if for every polynomial time adversary \(\mathcal {A}\) the TCR advantage is

  $$\begin{aligned} {Adv}_{\mathcal {H}}^{\mathsf {TCR}}(A) = Pr[H(K,x_1)=H(K,x_2) : (x_1,st)\leftarrow ^R \mathcal {A}, K \leftarrow ^R \mathcal {K}, x_2 \leftarrow ^R A(K,st)] \end{aligned}$$

  (8)

  of \(A\) against \(\mathcal {H}\) is negligible(\(\epsilon \)). That is in TCR the adversary must commit to an element in collision before seeing the hash key. As per Generalised Left Over Hash Lemma(LHL), TCR smooths out an input distribution (distribution of \(m\) in this paper) to nearly uniform on its range, provided that the input distribution has sufficient minimum entropy, since TCR comes under universal one-wayness [5, 24]. Let \(\mathsf{Adv }_{h_1}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _1, \mathsf{Adv }_{h_2}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _2\). Hence,

  $$\begin{aligned} |Pr[X_0] - Pr[X_1]| \le \epsilon _1+\epsilon _2 \end{aligned}$$

  (9)

• Game 2. Key Generation: The key-generation process is altered. \(\mathcal {C}\) replaces the Goppa parity-check matrix of \(H_1\) with the parity check matrix \(R\) of a random \([n,k,2t+1]\) code. Thus \(H_1 \leftarrow R\). Also, the knowledge of the target message \(m^*\) is made use of. \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). The remainder of the key-generation process remains unchanged.

  $$\begin{aligned} |Pr[X_2] = Pr[X_1]| \end{aligned}$$

  (10)

  There is consistency with the decryption oracle described in the previous game. The only difference is the use of a random code instead of a Goppa code for \(H_1\).

• Game 3. Key for Challenge text and construct challenge: The Public key generated is again altered. Replace \(H_2\) with parity check of random matrix \(R_2\) so that now \(\widetilde{H}_1\) and \(\widetilde{H}_2\) are parity-check matrices of random codes.

  Thus, for the event that \(\mathcal {A}\) wins Game 2, \(X_2\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\) is distinguishing Goppa code with random code. \(\mathcal {C}\) uses the challenge \(K^{\dagger }\) and computes \(c^*\) using the altered public keys. The winning of this game is only by syndrome decoding of random code Thus, for the event that \(\mathcal {A}\) wins Game3, \(X_3\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\). Also compute challenge \(c^*\) using the new public keys. The winning of this game is solving syndrome decoding.

  $$\begin{aligned} |Pr[X_3] - Pr[X_2]| \le \mathsf{Adv }_{\mathcal {C}}^\mathsf{CD }(n,k) + 4(\root 3 \of {n \cdot \mathsf {Adv}_{\mathcal {D'}}^{\mathsf {SD}}(n,k)}) \end{aligned}$$

  (11)

  Also, it can be noted that no information of \(m^*\) is revealed in \(c^*\). It can be noted that generating a random \(c_4^*\) does not affect the validity of the ciphertext. This is due to the us of the Generalised Left-over Hash Lemma on all three functions \(h_1,h_2\) (as the entropy of the message space is large), and the resultant use of the hash lemma on \(h_3\) (the domain of which is the same as the range of \(h_2\)). Therefore,

  $$\begin{aligned} \mathbf{Ideal }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_3] \end{aligned}$$

  (12)

Since,

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) = |\mathbf{Real }_{\mathcal {AE}}(\mathcal {A},M,f) - \mathbf{Ideal }_{\mathcal {AE}}(\mathcal {A},M,f)| \end{aligned}$$

Substituting Eqs. (6) and (10), we have

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) \le |Pr[X_0] - Pr[X_3]| \end{aligned}$$

By repeatedly applying the difference lemma and using the Eqs. (7)–(9), we get,

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) \le \epsilon _1 + \epsilon _2 + \mathsf{Adv }_{\mathcal {C}}^\mathsf{CD }(n,k) + 4(\root 3 \of {n \cdot \mathsf {Adv}_{\mathcal {D'}}^{\mathsf {SD}}(n,k)}) \end{aligned}$$

Thus, the advantage of the PPT adversary \(\mathcal {A}\) in the PRIV-1CCA game is bounded by the target-collision resistance of \(h_1\) and \(h_2\), the Goppa-distinguishability of \(H_1\) and the hardness of syndrome decoding. Thus, the proposed scheme is PRIV-1CCA secure as long as \(h_1\) and \(h_2\) are TCR hash functions, and the Goppa-code distinguishability and syndrome decoding of the corresponding parameters are hard to solve.    \(\square \)