cca2 key privacy for code based encryption in the
play

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model - PowerPoint PPT Presentation

Oct 02, 2023 •18 likes •598 views

CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1 Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

  1. CCA2 Key-Privacy for Code-Based Encryption in the Standard Model Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka from Tokyo Institute of Technology, Japan 1

  2. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) 2

  3. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter 3

  4. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 4

  5. Contents Contents Key-Privacy for PKE Our result: Indistinguishability of keys (IK) CCA2 Key-Privacy for Code-Based Code-Based Encryption Encryption in the Standard Model Niederreiter We proved that the k-repetition CCA2 secure PKE paradigm instantiated with Niederreiter is IK-CCA2 in the standard model. in the standard model k-repetition paradigm 5

  6. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 6

  7. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 7

  8. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. ? true receiver + sender who is the receiver? *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 8

  9. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. • against CPA, CCA2 could be considered. < IK-CPA IK-CCA2 < IND-CPA IND-CCA2 cf.) *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 9

  10. Key-Privacy (Anonymity) for PKE Indistinguishability of keys (IK) • was proposed by Bellare et al.* • means a ciphertext does not leak information about pk. • against CPA, CCA2 could be considered. • does not imply / is not implied by IND security. IK-CPA IK-CCA2 ⇎ ⇎ IND-CPA IND-CCA2 *Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. 10

  11. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary 11

  12. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary m* b ← {0, 1} c* c* ←Enc(m*,pk b ) 12

  13. Definition of IK-CPA pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) Challenger Adversary m* b ← {0, 1} c* c* ←Enc(m*,pk b ) b’ A PKE is IK-CPA ⇔ |Pr[b = b’] – ½| is negligible 13

  14. Definition of IK-CCA2 pk 0 , pk 1 pk 0 ,sk 0 ←Gen(1 λ ) pk 1 ,sk 1 ←Gen(1 λ ) c,0/1 Challenger Adversary m/ ⊥ m/ ⊥ ←Dec(c,sk 0/1 ) m* b ← {0, 1} c* c* ←Enc(m*,pk b ) c ≠ c*,0/1 m/ ⊥ ←Dec(c,sk 0/1 ) m/ ⊥ b’ A PKE is IK-CCA2 ⇔ |Pr[b = b’] – ½| is negligible 14

  15. Contents Contents Key-Privacy for PKE Indistinguishability of keys (IK) Code-Based Encryption Niederreiter CCA2 secure PKE in the standard model k-repetition paradigm 15

  16. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 16

  17. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 1 for a generator matrix 𝐻 . * | 𝑦 ∈ 𝔾 ) = 𝑦𝐻 ∈ 𝔾 ) McEliece encryption. 17

  18. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) 1 for a generator matrix 𝐻 . * | 𝑦 ∈ 𝔾 ) = 𝑦𝐻 ∈ 𝔾 ) McEliece encryption. * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. 18

  19. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. 19

  20. Linear Codes A binary 𝑜, 𝑙 linear code 𝒟 * . is a 𝑙 -dimensional subspace of 𝔾 ) * | 𝐼𝑦 3 = 0 for a parity check matrix 𝐼 . = 𝑦 ∈ 𝔾 ) Niederreiter encryption. is error-correcting up to Hamming weight 𝑢 . ⇔ Can compute 𝑦 from syndrome 𝑡 = 𝐼𝑦 3 , if 𝑥𝑢 𝑦 ≤ 𝑢 . 20

  21. Syndrome Decoding Problem Syndrome Decoding Problem Given a parity check matrix of random code 𝑆 and a syndrome 𝑡 = 𝑆𝑦 3 for a random low-weight error 𝑦 . Find 𝑦 . *Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. 21

  22. Syndrome Decoding Problem Syndrome Decoding Problem Given a parity check matrix of random code 𝑆 and a syndrome 𝑡 = 𝑆𝑦 3 for a random low-weight error 𝑦 . Find 𝑦 . Decisional version of SD problem Given ( 𝑆 , u ) where u is a uniform random vector or 𝑆, 𝑡 , where s = 𝑆𝑦 3 as above. Decide, which is the case. If SD problem is hard, the decisional version is also hard*. *Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. 22

  23. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 23

  24. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 * , 𝑥𝑢 𝑛 ≤ 𝑢 . Encryption Plaintext is 𝑛 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼𝑛 3 *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 24

  25. Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 * , 𝑥𝑢 𝑛 ≤ 𝑢 . Encryption Plaintext is 𝑛 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼𝑛 3 Compute 𝑄 CD 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 𝑇 CD 𝑑 = 𝑄 CD 𝑄𝑛 3 = 𝑛 3 Decryption 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 is the error correction algorithm for 𝐼 < . *Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986) 25

  26. Randomized Niederreiter* 𝐼 < : parity check matrix of 𝑢 -error correcting code. Key generation 𝑇 : random non-singular matrix, 𝑄 : random permutation matrix Public key 𝑞𝑙 = 𝐼 = 𝑇𝐼 < 𝑄 (We assume 𝐼 is indistinguishable from random R) Secret key s 𝑙 = 𝑇, 𝐼 < , 𝑄 Encryption Plaintext is 𝑛 , Take a random padding vector r * , 𝑥𝑢 𝑛||𝑠 ≤ 𝑢 . 𝑛||𝑠 ∈ 𝔾 ) Ciphertext is 𝑑 = 𝐼(𝑛||𝑠) 3 Compute 𝑄 CD 𝐷𝑝𝑠𝑠𝑓𝑑𝑢 𝑇 CD 𝑑 = 𝑄 CD 𝑄 𝑛||𝑠 3 = 𝑛||𝑠 3 Decryption Pick 𝑛 from 𝑛||𝑠 3 . *Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Crypt. 49(1–3), 289–305 (2008) 26

  27. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA McEliece *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. 27

  28. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA Randomized McEliece McEliece *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. 28

  29. Key-Privacy for Code-Based Encryption Yamakawa et al.* first studied key-privacy for code-based encryption, and show IK-CPA IK-CCA2 not IK-CPA Standard Randomized McEliece Model McEliece Random Kobara and Imai’s conversion† Persichetti’s hybrid encryption‡ Oracle *Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Bozta ̧s, S., Lu, H.-F.F. (eds.) AAECC 2007. †Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC. In: Kim, K. (ed.) PKC 2001. ‡Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. 29

Recommend

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th

HQC: H amming Q uasi- C yclic An IND-CCA2 Code-based Public Key Encryption Scheme August the 24 th , 2019 NIST 2 nd PQC Standardization Conference Santa-Barbara https://pqc-hqc.org C. Aguilar Melchor ISAE-Supa ero, University of Toulouse N.

188 views • 15 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide

1 2 Comparing proofs of security The target KEMs (all proposed for lattice-based encryption for wide deployment, IND-CCA2): 640 , 976 , 1344 . frodo Daniel J. Bernstein 512 , 768 , 1024 . kyber 128 , 192 , 256 . lac Primary objective of

1.2k views • 104 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want

So far: had cryptographic algorithms to achieve Privacy: use encryption Integrity: use MAC Want both privacy and integrity Achieve this by combining encryption and MAC in appropriate way Eike Ritter Cryptography 2014/15 39 Several

1.18k views • 12 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview

April 12, 2018 Encryption Ethical Quandaries that Exist in Privacy Rudolf Musika CS 3111 Overview Presentation description Brief description of encryption. Bring to attention some of the troubles that plague encryption and

857 views • 23 slides
The Internet: Encryption &amp; Public Keys (6:39, start at 2:12)

The Internet: Encryption &amp; Public Keys (6:39, start at 2:12)

Encryption Sit in teams of 4 students from your lab. At least one person on your team needs to set up an account on code.org http://code.org Click &quot;Sign in&quot; to create your own account and join our class using the code KLCXNY Review the

221 views • 6 slides
Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start

Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption With good encryption, data values not readable So whats the problem? Lecture 17 Page 1 CS 236 Online Traffic Analysis

532 views • 21 slides
Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable

Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim Gneysu Towards One Cycle per Bit Asymmetric Encryption: Code-Based Cryptography on Reconfigurable Hardware Stefan Heyse, Tim

590 views • 22 slides
McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography

McBits Revisited ia.cr/2017/793 Tung Chou Osaka University, Japan Code-based cryptography (encryption) Sender Receiver m + e = r r = m m (noisy channel) 1 Code-based cryptography (encryption) Sender

669 views • 46 slides
Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint

. . . . . . Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen 1 Joint work with DIAC 2012, Stockholm, July 6 Guido Bertoni 1 ,

739 views • 49 slides
GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography

GPG Intro What is GPG? GPG, or GNU Privacy Guard, is a public key cryptography implementation. (Conforms to PGP and RFC 4880, not really just an alternative) Best used mostly for email encryption Uses Hybrid Encryption Install

531 views • 12 slides
Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU,

Approximate Homomorphic Encryption and Privacy Preserving Machine Learning Jung Hee Cheon (SNU, CryptoLab) Thanks to YongSoo Song, Kiwoo Lee, Andrey KIM Outline 1. Homomorphic Encryption 2. HEAAN 3. Bootstrapping of HEAAN 4. Toolkit for

981 views • 50 slides
Privacy-friendly Forecasting for the Smart Grid using Homomorphic Encryption J. Bos 1 , W.

Privacy-friendly Forecasting for the Smart Grid using Homomorphic Encryption J. Bos 1 , W.

Privacy-friendly Forecasting for the Smart Grid using Homomorphic Encryption J. Bos 1 , W. Castryck 2 , 3 , I. Iliashenko 2 and F . Vercauteren 2 , 4 1 NXP Semiconductors 2 COSIC, KU Leuven and imec 3 Universit de Lille-1 4 Open Security Research

853 views • 72 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
Homomorphic Encryption Based Secure Genome Data Analysis Miran Kim and Kristin Lauter

Homomorphic Encryption Based Secure Genome Data Analysis Miran Kim and Kristin Lauter

Homomorphic Encryption Based Secure Genome Data Analysis Miran Kim and Kristin Lauter Seoul National University Microsoft Research iDASH Privacy&amp;Security Workshop, March 16, 2015 1 / 16 Secure Outsourcing GWAS 2 / 16 Minor

622 views • 24 slides
Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan

Permutation-based encryption, authentication and authenticated encryption Guido Bertoni 1 , Joan Daemen 1 , Michal Peeters 2 , and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Abstract. While mainstream symmetric cryptography has

519 views • 12 slides
When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1

When Encryption is Not Enough Privacy Attacks in Content- Centric Networking ACM ICN 2017 1 Privacy with IP GET /a/b/c C S RESPONSE: &lt;data&gt; ACM ICN 2017 2 Privacy with IP secure channel GET /a/b/c C S RESPONSE: &lt;data&gt;

386 views • 37 slides
Review Review Course Overview Privacy Querying Published data, Encrypted Data yp Statistical

Review Review Course Overview Privacy Querying Published data, Encrypted Data yp Statistical

Review Review Course Overview Privacy Querying Published data, Encrypted Data yp Statistical databases Statistical databases, Differential privacy, Location-based privacy Encryption E ti Insider Threat/ DBMS Steganographic Intrusion

394 views • 24 slides
TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

H2020-ICT-15 GA 688722 TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute Summer school on real-world crypto and privacy 9 th June 2016 *Thanks to George Danezis for sharing slides Privacy in

862 views • 33 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides

More recommend