cca2 key privacy for code based encryption in the
play

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model - PowerPoint PPT Presentation

Oct 02, 2023 •18 likes •598 views

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1 Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

  1. CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1

  2. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

  3. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter 3

  4. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 4

  5. Contents Contents Key-Privacy for PKE Our result: Indistinguishability of keys (IK) CCA2 Key-Privacy for Code-Based Code-Based Encryption Encryption in the Standard Model Niederreiter We proved that the k-repetition CCA2 secure PKE paradigm instantiated with Niederreiter is IK-CCA2 in the standard model. in the standard model k-repetition paradigm 5

  6. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 6

  7. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 7

  8. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. ? true receiver + sender who is the receiver? *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 8

  9. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. • against CPA, CCA2 could be considered. < IK-CPA IK-CCA2 < IND-CPA IND-CCA2 cf.) *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 9

  10. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. • against CPA, CCA2 could be considered. • does not imply / is not implied by IND security. IK-CPA IK-CCA2 ⇎ ⇎ IND-CPA IND-CCA2 *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 10

  11. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary 11

  12. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary m* b ← {0, 1} c* c* ←Enc(m*,pk b ) 12

  13. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary m* b ← {0, 1} c* c* ←Enc(m*,pk b ) b’ A PKE is IK-CPA ⇔ |Pr[b = b’] – ½| is negligible 13

  14. Definition of IK-CCA2 pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) c,0/1 Challenger Adversary m/ ⊥ m/ ⊥ ←Dec(c,sk 0/1 ) m* b ← {0, 1} c* c* ←Enc(m*,pk b ) c ≠ c*,0/1 m/ ⊥ ←Dec(c,sk 0/1 ) m/ ⊥ b’ A PKE is IK-CCA2 ⇔ |Pr[b = b’] – ½| is negligible 14

  15. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 15

  16. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 16

  17. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 1 for a generator matrix 𝐻 . * | 𝑦 ∈ 𝔾 ) = 𝑦𝐻 ∈ 𝔾 ) McEliece encryption. 17

  18. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 1 for a generator matrix 𝐻 . * | 𝑦 ∈ 𝔾 ) = 𝑦𝐻 ∈ 𝔾 ) McEliece encryption. * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. 18

  19. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. 19

  20. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. is error-correcting up to Hamming weight 𝑢 . ⇔ Can compute 𝑦 from syndrome 𝑡 = 𝐼𝑦 3 , if 𝑥𝑢 𝑦 ≤ 𝑢 . 20

  21. Syndrome Decoding Problem Syndrome Decoding Problem Given a parity check matrix of random code 𝑆 and a syndrome 𝑡 = 𝑆𝑦 3 for a random low-weight error 𝑦 . Find 𝑦 . *Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. 21

  22. Syndrome Decoding Problem Syndrome Decoding Problem Given a parity check matrix of random code 𝑆 and a syndrome 𝑡 = 𝑆𝑦 3 for a random low-weight error 𝑦 . Find 𝑦 . Decisional version of SD problem Given ( 𝑆 , u ) where u is a uniform random vector or 𝑆, 𝑡 , where s = 𝑆𝑦 3 as above. Decide, which is the case. If SD problem is hard, the decisional version is also hard*. *Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. 22

  23. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 23

  24. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 * , 𝑥𝑢 𝑛 ≤ 𝑢 . Encryption Plaintext is 𝑛 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼𝑛 3 *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 24

  25. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 * , 𝑥𝑢 𝑛 ≤ 𝑢 . Encryption Plaintext is 𝑛 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼𝑛 3 Compute 𝑄 CD 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 𝑇 CD 𝑑 = 𝑄 CD 𝑄𝑛 3 = 𝑛 3 Decryption 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 is the error correction algorithm for 𝐼 < . *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 25

  26. Randomized Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 Encryption Plaintext is 𝑛 , Take a random padding vector r * , 𝑥𝑢 𝑛||𝑠 ≤ 𝑢 . 𝑛||𝑠 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼(𝑛||𝑠) 3 Compute 𝑄 CD 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 𝑇 CD 𝑑 = 𝑄 CD 𝑄 𝑛||𝑠 3 = 𝑛||𝑠 3 Decryption Pick 𝑛 from 𝑛||𝑠 3 . *Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Crypt. 49(1–3), 289–305 (2008) 26

  27. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA McEliece *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. 27

  28. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA Randomized McEliece McEliece *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. 28

  29. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA Standard Randomized McEliece Model McEliece Random Kobara and Imai’s conversion† Persichetti’s hybrid encryption‡ Oracle *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. †Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC. In: Kim, K. (ed.) PKC 2001. ‡Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

188 views • 15 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want both privacy and integrity Achieve this by combining encryption and MAC in appropriate way Eike Ritter Cryptography 2014/15 39 Several

1.18k views • 12 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

April 12, 2018 Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview Presentation description Brief description of encryption. Bring to attention some of the troubles that plague encryption and

857 views • 23 slides
The Internet: Encryption &amp; Public Keys (6:39, start at 2:12)

The Internet: Encryption &amp; Public Keys (6:39, start at 2:12)

Encryption Sit in teams of 4 students from your lab. At least one person on your team needs to set up an account on code.org http://code.org Click &quot;Sign in&quot; to create your own account and join our class using the code KLCXNY Review the

221 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim Gneysu Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim

590 views • 22 slides
McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography (encryption) Sender Receiver m + e = r r = m m (noisy channel) 1 Code-based cryptography (encryption) Sender

669 views • 46 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography implementation. (Conforms to PGP and RFC 4880, not really just an alternative) Best used mostly for email encryption Uses Hybrid Encryption Install

531 views • 12 slides
Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for

981 views • 50 slides
Teens and Taxes Teenagers dont owe taxes He makes too little to owe taxes Does a Teenager Owe

Teens and Taxes Teenagers dont owe taxes He makes too little to owe taxes Does a Teenager Owe

Common Misconceptions Teens and Taxes Teenagers dont owe taxes He makes too little to owe taxes Does a Teenager Owe Taxes? Shes just babysitting The IRS doesnt know because hes paid in Presented by Carol Topp, CPA cash

243 views • 3 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM &amp; IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

619 views • 20 slides
6/26/2017

6/26/2017

6/26/2017

233 views • 8 slides
FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA)

1 FAST TWO-OPERAND ADDITION A. Conventional number system. Carry-propagate adders (CPA) Switched carry-ripple adder Carry-skip adder Carry-lookahead adder Prefix adder Carry-select adder and conditional-sum adder

921 views • 57 slides
Understanding the Reasons for the Side-Channel Leakage is Indispensable for Secure Design Werner

Understanding the Reasons for the Side-Channel Leakage is Indispensable for Secure Design Werner

Understanding the Reasons for the Side-Channel Leakage is Indispensable for Secure Design Werner Schindler Federal Office for Information Security (BSI), Bonn, Germany Leuven, September 13, 2012 Outline Introduction and motivation

799 views • 60 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
The CPAs Law Reform Lecture 2019 Is There a Need to Reform the Law of Blights? Thursday 30 th

The CPAs Law Reform Lecture 2019 Is There a Need to Reform the Law of Blights? Thursday 30 th

The CPAs Law Reform Lecture 2019 Is There a Need to Reform the Law of Blights? Thursday 30 th April 2019 Bryan Cave Leighton Paisner LLP Welcome &amp; Introduction by the Conference Chairman Rebecca Clutten CPA Vice Chair Barrister,

280 views • 23 slides
The CP -construction: A Category of Classical and Quantum Channels Aleks Kissinger Bob

The CP -construction: A Category of Classical and Quantum Channels Aleks Kissinger Bob

The CP -construction: A Category of Classical and Quantum Channels Aleks Kissinger Bob Coecke Chris Heunen November 4, 2015 A category for protocols Fix a category V . Think of the objects as state spaces, morphisms as pure state

348 views • 18 slides

More recommend