Abstract
In this paper, we propose an IND-CCA2 secure Key-Encapsulation (KEM) in the standard model using the Niederreiter Encryption scheme. Also, we propose a PRIV-1CCA secure deterministic variant of the Niederreiter encryption scheme in the standard model. The security of these constructions are reduced to the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. To the best of our knowledge, the proposed constructions are the first of its kind under coding-based assumption in the standard model that do not use the \(\kappa \)-repetition paradigm initiated by Rosen and Segev at Theory of Cryptography Conference (TCC), 2009.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)
Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes [23], pp. 535–552
Bellare, M., Fischlin, M., O’Neill, A., Ristenpart, T.: Deterministic encryption: definitional equivalences and constructions without random oracles. In: Wagner [35], pp. 360–378
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)
Boldyreva, A., Fehr, S., O’Neill, A.: On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Wagner [35], pp. 335–359
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2003)
Cui, Y., Morozov, K., Kobara, K., Imai, H.: Efficient constructions of deterministic encryption from hybrid encryption and code-based PKE. In: Bras-Amorós, M., Høholdt, T. (eds.) AAECC-18 2009. LNCS, vol. 5527, pp. 159–168. Springer, Heidelberg (2009)
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)
Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 240–251. Springer, Heidelberg (2009)
Faugére, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys - toward a complexity analysis. In: SCC ’10: Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, RHUL, June 2010, pp. 45–55 (2010)
Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: Information Theory Workshop (ITW). IEEE (2011)
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)
Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 279–295. Springer, Heidelberg (2010)
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)
Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inf. Theor. 15, 159–166 (1986)
Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes [23], pp. 553–571
Kiltz, E., Pietrzak, K., Stam, M., Yung, M.: A new randomness extraction paradigm for hybrid encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 590–609. Springer, Heidelberg (2009)
Kurosawa, K., Desmedt, Y.G.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004)
Lucks, S.: A variant of the Cramer-Shoup cryptosystem for groups of unknown order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 27–45. Springer, Heidelberg (2002)
Preetha Mathew, K., Vasant, S., Venkatesan, S., Pandu Rangan, C.: An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 166–179. Springer, Heidelberg (2012)
Menezes, A. (ed.): CRYPTO 2007. LNCS, vol. 4622. Springer, Heidelberg (2007)
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. pp. 33–43 (1989)
Niebuhr, R., Cayrel, P.-L.: Broadcast attacks against code-based schemes. In: Armknecht, F., Lucks, S. (eds.) WEWoRC 2011. LNCS, vol. 7242, pp. 1–17. Springer, Heidelberg (2012)
Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)
Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (1975)
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork, C. (ed.) STOC, pp. 187–196. ACM (2008)
Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 174–187. Springer, Heidelberg (2013)
Persichetti, E.: On a CCA2-secure variant of McEliece in the standard model. In: IACR Cryptology ePrint Archive (2012). http://eprint.iacr.org/2012/268
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pp. 114–116 (1978)
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009)
Shor, P.W.: Polynomial time algorithms for discrete logarithms and factoring on a quantum computer. In: ANTS, p. 289 (1994)
Shoup, V.: Using hash functions as a hedge against chosen ciphertext attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 275. Springer, Heidelberg (2000)
Wagner, D. (ed.): CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Appendix
A Appendix
1.1 A.1 Proof of Security for Deterministic Encryption
Proof: The proof is presented as a sequence of games, Game 0, Game 1 .... While, Game 0 fits the scheme exactly as in the PRIV-1CCA game. Subsequent games change the environment, such that the view of the adversary in discriminating between two consecutive games is at best negligible in \(\kappa \) or reduces to the solution of a hard-problem instance. We denote the challenger/simulator as a PPT algorithm \(\mathcal {C}\) and the adversary of the system as a PPT algorithm \(\mathcal {A}\).
-
Game 0. \(\mathcal {C}\) adapts the proposed scheme directly to the PRIV-1CCA game. The system parameters are set as in the proposed scheme, with the security parameter \(\kappa \). The key-generation oracle and the decryption oracle is run using the described scheme. Let \(M\) be a random variable over the message space with a min-entropy. Let \(m^* \mathop {\leftarrow }\limits ^{\$} M \) and the function to be computed on \(m^*\) be \(f\). \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). \(c^*\) is the “challenge ciphertext” given to \(\mathcal {A}\),i.e., given \(c^*\), \(\mathcal {A}\) must compute \(f(m^*)\). \(\mathcal {A}\) outputs \(t\), \(t \leftarrow \mathcal {A}^{\mathcal {D}(.)}(M,f,c^*)\). \(\mathcal {A}\) wins if where \(t == f(m^*)\).
Let the event that the adversary \(\mathcal {A}\) wins the game be quantified by the random variable \(X_0\). Then,
$$\begin{aligned} \mathbf{Real }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_0] \end{aligned}$$(7) -
Game 1. Decryption Oracle is simulated by \(\mathcal {C}\) as follows:
Let the event that the adversary \(\mathcal {A}\) wins in this game be quantified by the random variable \(X_1\). The difference in the distribution (or view of the adversary) between \(X_0\) and \(X_1\) is the situation in which \(\mathcal {C}\) returns \(\perp \) if \(c_1 = c_1^*\) in this game, during the decryption oracle. The simulator returns \(\perp \) implying the ciphertext is invalid (as the integrity check will not hold). But, it can be seen that \(\mathcal {A}\) may have given a valid ciphertext (that is not the challenge ciphertext), i.e., a ciphertext for some \(m' \ne m^*\). Clearly, this would violate the target collision resistance of \(h_1\) or of \(h_2\). \( \mathcal {H}\) is target collision resistant if for every polynomial time adversary \(\mathcal {A}\) the TCR advantage is
$$\begin{aligned} {Adv}_{\mathcal {H}}^{\mathsf {TCR}}(A) = Pr[H(K,x_1)=H(K,x_2) : (x_1,st)\leftarrow ^R \mathcal {A}, K \leftarrow ^R \mathcal {K}, x_2 \leftarrow ^R A(K,st)] \end{aligned}$$(8)of \(A\) against \(\mathcal {H}\) is negligible(\(\epsilon \)). That is in TCR the adversary must commit to an element in collision before seeing the hash key. As per Generalised Left Over Hash Lemma(LHL), TCR smooths out an input distribution (distribution of \(m\) in this paper) to nearly uniform on its range, provided that the input distribution has sufficient minimum entropy, since TCR comes under universal one-wayness [5, 24]. Let \(\mathsf{Adv }_{h_1}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _1, \mathsf{Adv }_{h_2}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _2\). Hence,
$$\begin{aligned} |Pr[X_0] - Pr[X_1]| \le \epsilon _1+\epsilon _2 \end{aligned}$$(9) -
Game 2. Key Generation: The key-generation process is altered. \(\mathcal {C}\) replaces the Goppa parity-check matrix of \(H_1\) with the parity check matrix \(R\) of a random \([n,k,2t+1]\) code. Thus \(H_1 \leftarrow R\). Also, the knowledge of the target message \(m^*\) is made use of. \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). The remainder of the key-generation process remains unchanged.
$$\begin{aligned} |Pr[X_2] = Pr[X_1]| \end{aligned}$$(10)There is consistency with the decryption oracle described in the previous game. The only difference is the use of a random code instead of a Goppa code for \(H_1\).
-
Game 3. Key for Challenge text and construct challenge: The Public key generated is again altered. Replace \(H_2\) with parity check of random matrix \(R_2\) so that now \(\widetilde{H}_1\) and \(\widetilde{H}_2\) are parity-check matrices of random codes.
Thus, for the event that \(\mathcal {A}\) wins Game 2, \(X_2\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\) is distinguishing Goppa code with random code. \(\mathcal {C}\) uses the challenge \(K^{\dagger }\) and computes \(c^*\) using the altered public keys. The winning of this game is only by syndrome decoding of random code Thus, for the event that \(\mathcal {A}\) wins Game3, \(X_3\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\). Also compute challenge \(c^*\) using the new public keys. The winning of this game is solving syndrome decoding.
$$\begin{aligned} |Pr[X_3] - Pr[X_2]| \le \mathsf{Adv }_{\mathcal {C}}^\mathsf{CD }(n,k) + 4(\root 3 \of {n \cdot \mathsf {Adv}_{\mathcal {D'}}^{\mathsf {SD}}(n,k)}) \end{aligned}$$(11)Also, it can be noted that no information of \(m^*\) is revealed in \(c^*\). It can be noted that generating a random \(c_4^*\) does not affect the validity of the ciphertext. This is due to the us of the Generalised Left-over Hash Lemma on all three functions \(h_1,h_2\) (as the entropy of the message space is large), and the resultant use of the hash lemma on \(h_3\) (the domain of which is the same as the range of \(h_2\)). Therefore,
$$\begin{aligned} \mathbf{Ideal }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_3] \end{aligned}$$(12)
Since,
Substituting Eqs. (6) and (10), we have
By repeatedly applying the difference lemma and using the Eqs. (7)–(9), we get,
Thus, the advantage of the PPT adversary \(\mathcal {A}\) in the PRIV-1CCA game is bounded by the target-collision resistance of \(h_1\) and \(h_2\), the Goppa-distinguishability of \(H_1\) and the hardness of syndrome decoding. Thus, the proposed scheme is PRIV-1CCA secure as long as \(h_1\) and \(h_2\) are TCR hash functions, and the Goppa-code distinguishability and syndrome decoding of the corresponding parameters are hard to solve. \(\square \)
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Preetha Mathew, K., Vasant, S., Pandu Rangan, C. (2014). Efficient Code Based Hybrid and Deterministic Encryptions in the Standard Model. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science(), vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_31
Download citation
DOI: https://doi.org/10.1007/978-3-319-12160-4_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12159-8
Online ISBN: 978-3-319-12160-4
eBook Packages: Computer ScienceComputer Science (R0)