On a CCA2-secure variant of McEliece in the standard model

Size: px

Start display at page:

Download "On a CCA2-secure variant of McEliece in the standard model"

Adele Malone
5 years ago
Views:

1 On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton schemes based on error-correctng codes that are IND-CCA2 secure n the standard model. We analyze a system due to Dowsley, Müller-Quade and Nascmento. We then show how to nstantate the Rosen-Segev framework wth the McElece scheme. 1 Introducton The McElece cryptosystem [10] s the frst scheme based on codng theory problems and t makes use of error-correctng codes (bnary Goppa codes n the orgnal proposal). It s possble to produce CCA2-secure varants n the random oracle model [4,6], but t s of nterest to study systems that are secure n the standard model. Rosen and Segev n [13] gave a general approach for CCA2 securty n the standard model ncorporatng tools lke lossy trapdoor functons and one-tme sgnature schemes. Ths general protocol can be appled drectly to many dfferent hard problems such as Quadratc Resduosty, Composte Resduosty, the d-lnear Assumpton and the Syndrome Decodng Problem, as shown n [8]. Dowsley et al. [1] have tred to apply the Rosen-Segev approach to the McElece framework. To do ths, a new structure called k-repetton PKE s ntroduced, as well as a number of dfferences n the key generaton, encrypton and decrypton processes. It s clamed that the scheme has IND-CCA2 securty n the standard model. In ths paper we make some observatons on the ambguty of the descrpton of the scheme of [1], provde a correct formulaton and proof of securty, and then show how to get a CCA2-secure cryptosystem based on the McElece assumptons usng the orgnal Rosen-Segev approach. The paper s structured as follows: n the next secton, formal defntons of the schemes n use and the correspondng notons of securty are presented. Secton 3 recalls the orgnal Rosen-Segev scheme. Secton 4 features two exstng proposals for a scheme based on codng theory: the frst makes use of the Nederreter cryptosystem [11], whle the second s a summary of [1]. In Secton 5 we propose an alternatve scheme to realze the Rosen-Segev protocol wth McElece. We conclude n Secton 6.

2 2 Prelmnares We start wth some formal cryptographc defntons. A Publc-Key Encrypton scheme (PKE) conssts of a 6-tuple (K, P, C, KeyGen, Enc, Dec) defned as follows: Table 1: Publc-Key Encrypton scheme K P C K publ the publc key space. K prv the prvate key space. The set of messages to be encrypted, or plantext space. The set of the messages transmtted over the channel, or cphertext space. KeyGen A probablstc key generaton algorthm that takes as nput a securty parameter 1 δ and outputs a publc key pk K publ and a prvate key sk K prv. Enc Dec A (possbly probablstc) encrypton algorthm that receves as nput a publc key pk K publ and a plantext φ P and returns a cphertext ψ C. A determnstc decrypton algorthm that receves as nput a prvate key sk K prv and a cphertext ψ C and outputs a plantext φ P or the falure symbol. A Sgnature scheme (SS) conssts of a 6-tuple (K, M, Σ, KeyGen, Sgn, Ver) defned as follows: Table 2: Sgnature scheme K M Σ K sgn the sgnng key space. K ver the verfcaton key space. The set of documents to be sgned, or message space. The set of the sgnatures to be transmtted wth the messages, or sgnature space. KeyGen A probablstc key generaton algorthm that takes as nput a securty parameter 1 δ and outputs a sgnng key sgk K sgn and a verfcaton key vk K ver. Sgn Ver A (possbly probablstc) sgnng algorthm that receves as nput a sgnng key sgk K sgn and a message µ M and returns a sgnature σ Σ. A determnstc decrypton algorthm that receves as nput a verfcaton key vk K ver, a message µ M and a sgnature σ Σ and outputs 1, f the sgnature s recognzed as vald, or 0 otherwse.

3 2.1 Securty notons We present here the most common notons of securty for PKE s. Defnton 1 (One-Way). A One-Way adversary s a polynomal-tme algorthm A that takes as nput a publc key pk K publ and a cphertext ψ = Enc pk (φ) C and outputs φ P. The adversary succeeds f φ = φ. We say that a PKE s One-Way Secure f the probablty of success of any adversary A s neglgble n the securty parameter,.e. Pr[pk K publ, φ P : A(pk, Enc pk (φ)) = φ] negl(λ). 1 (1) Defnton 2 (IND). An adversary A for the ndstngushablty (IND) property s a two-stage polynomal-tme algorthm. In the frst stage, A takes as nput a publc key pk K publ, then outputs two arbtrary plantexts φ 0, φ 1. In the second stage, t receves a cphertext ψ = Enc pk (φ b ), for b {0, 1}, and returns a bt b. The adversary succeeds f b = b. More precsely, we defne the advantage of A aganst PKE as Adv A (λ) = Pr[b = b] 1 2. (2) We say that a PKE enjoys Indstngushablty f the advantage of any adversary A over all choces of pk, ψ and the randomness used by A s neglgble n the securty parameter. Indstngushablty can be acheved n varous attack models. We present here two of the most famous. Defnton 3 (IND-CPA). The attack game for IND-CPA (or passve attack) proceeds as follows: - Query a key generaton oracle to obtan a publc key pk. - Choose φ 0, φ 1 P and submt them to an encrypton oracle. The oracle wll choose a random b {0, 1} and reply wth the challenge cphertext ψ = Enc pk (φ b ). - Output b {0, 1}. We say that a PKE has Indstngushablty aganst Chosen Plantext Attacks (IND- CPA) f the advantage Adv CPA of any IND adversary A n the CPA attack model s neglgble. An even stronger attack model, called CCA2, allows the adversary to make use of a decrypton oracle durng the game, wth the only excepton that t s not allowed to ask for the decrypton of the challenge cphertext. 1 For smplcty, from now on we denote the key as an ndex rather than as an nput for the algorthms Enc and Dec.

4 Defnton 4 (IND-CCA2). The attack game for IND-CCA2 (or actve attack) proceeds as follows: - Query a key generaton oracle to obtan a publc key pk. - Make a sequence of calls to a decrypton oracle, submttng any strng ψ of the proper length (not necessarly an element of C). The oracle wll respond wth Dec sk (ψ). - Choose φ 0, φ 1 P and submt them to an encrypton oracle. The oracle wll choose a random b {0, 1} and reply wth the challenge cphertext ψ = Enc pk (φ b ). - Keep performng decrypton queres. If the submtted cphertext s ψ = ψ, return. - Output b {0, 1}. We say that a PKE has Indstngushablty aganst Adaptve Chosen Cphertext Attacks (IND-CCA2) f the advantage Adv CCA2 of any IND adversary A n the CCA2 attack model s neglgble. There are many notons of securty for sgnature schemes; the one we present here s what we need for the Rosen-Segev scheme. Defnton 5 (One-Tme Strong Unforgeablty). We defne an adversary A as a polynomal-tme algorthm that acts as follows: - Query a key generaton oracle to obtan a verfcaton key vk. - Choose a message µ M and submt t to a sgnng oracle. The oracle wll reply wth σ = Sgn sgk (µ). 2 - Output a par (µ, σ ). The adversary succeeds f Ver vk (µ, σ ) = 1 and (µ, σ ) (µ, σ). We say that a sgnature scheme s One-Tme Strongly Unforgeable f the probablty of success of any adversary A s neglgble n the securty parameter,.e. Pr[vk K ver : Ver vk (A(vk, Sgn sgk (µ))) = 1] negl(λ). (3) Note that n ths scenaro the adversary s only allowed to ask for the sgnature of a sngle message (hence the One-Tme), so ths s a relatvely weak securty assumpton. Defnton 6 (Hard-Core Predcate). Let f be a one-way functon and h be a predcate,.e. a functon whose output s a sngle bt. Defne an adversary A to be a probablstc polynomal-tme algorthm that, on nput f(x), tres to compute h(x),.e. A(f(x)) = b {0, 1}. The predcate h s a Hard-Core Predcate of the functon f f the probablty Pr[b = h(x)] 1 2 s neglgble for all random choces of x. 2 As before, we use subscrpt notaton for the algorthms Sgn and Ver.

5 2.2 The McElece cryptosystem The orgnal McElece cryptosystem, based on codng theory, was ntroduced n 1978 by Robert J. McElece [10] and, for an approprate choce of parameters, t s stll unbroken. In the orgnal proposal, bnary Goppa codes are used as a bass for the constructon. We gve here a more general and formal descrpton accordng to the defntons gven n Secton 2.1. Table 3: The McElece cryptosystem. Setup K Fx publc system parameters q, m, n, k, w N such that k n wm. K publ the set of k n matrces over F q. K prv the set of trples formed by a k k nvertble matrx, an n n permutaton matrx and a code descrpton 3. P The vector space F k q. C The vector space F n q. KeyGen Generate at random a polynomal g F q m[x] and elements α 1,..., α n F q m, then buld the Goppa code Γ = Γ (α 1,..., α n, g) over F q and ts generator matrx G. Select at random a k k nvertble matrx S and an n n permutaton matrx P. Publsh the publc key Ĝ = SGP K publ and store the prvate key (S, P, Γ ) K prv. Enc Dec On nput a publc key Ĝ K publ and a plantext m P, sample a random error vector e of weght w n F n q and return the cphertext ψ = mĝ + e C. On nput the prvate key (S, P, Γ ) K prv and a cphertext ψ C, frst compute ψp 1 then apply the decodng algorthm D Γ to t. If the decodng succeeds, multply the output ˆm by S 1, and return the resultng plantext φ = ˆmS 1. Otherwse, output. The securty of the McElece scheme reles on two computatonal assumptons. Assumpton 1 (Indstngushablty) The matrx Ĝ output by KeyGen s computatonally ndstngushable from a unformly chosen matrx of the same sze. Assumpton 2 (Decodng hardness) Decodng a random lnear code wth parameters n, k, w s hard. It s mmedately clear that the followng corollary s true. Corollary 1. Gven that both the above assumptons hold, the McElece cryptosystem s one-way secure under passve attacks. Remark 1. In a recent paper [2], Faugère et al. presented a dstngusher for nstances of the McElece cryptosystem that make use of hgh-rate Goppa codes. Whle the dstngusher works only n a specal case and doesn t affect securty for the general scheme, t s stll recommended to avod such nsecure choces of Γ. 3 For Goppa codes, gven by the support α 1,..., α n and the Goppa polynomal g.

6 We remark that t s possble to obtan CCA2 securty for the McElece cryptosystem n the Random Oracle Model usng standard conversons, for example see [6]. We therefore consder only the Standard Model. 2.3 Computable functons and correlated products We defne here the noton of securty under correlated products for a collecton of functons. Formally, we descrbe a collecton of effcently computable functons as a par of algorthms F = (G,F) where G s a generaton algorthm that samples the descrpton f of a functon and F(f, x) s an evaluaton algorthm that evaluates the functon f on a gven nput x. We then defne a k-wse product as follows: Defnton 7. Let F = (G,F) be a collecton of effcently computable functons and k be an nteger. The k-wse product F k s a par of algorthms (G k, F k ) such that: - G k s a generaton algorthm that ndependently samples k functons from F by nvokng k tmes the algorthm G and returns a tuple (f 1,..., f k ). - F k s an evaluaton algorthm that receves as nput a sequence of functons (f 1,..., f k ) and a sequence of ponts (x 1,..., x k ) and nvokes F to evaluate each functon on the correspondng pont,.e. F k (f 1,..., f k, x 1,..., x k ) = (F(f 1, x 1 ),..., F(f k, x k )). A trapdoor one-way functon s then an effcently computable functon that, gven the mage of a unform chosen nput, s easy to nvert wth the use of a certan trapdoor td but hard to nvert otherwse;.e. there exsts an algorthm F 1 such that F 1 (td, F(f, x)) = x. We may thnk to extend the noton to the case where the nput s gven accordng to a certan dstrbuton, that s, there exsts a correlaton between the ponts x 1,..., x k. Defnton 8. Let F = (G,F) be a collecton of effcently computable functons wth doman D and C k be a dstrbuton of ponts n D 1 D k. We say that F s secure under a C k -correlated product f F k s one-way wth respect to the nput dstrbuton C k. In the specal case where the nput dstrbuton C k s exactly the unform k- repetton dstrbuton (that s, k copes of the same nput x D) we smply speak about one-wayness under k-correlated nputs. Rosen and Segev n [13] showed that a collecton of lossy trapdoor functons for an approprate choce of parameters can be used to construct a collecton of functons that s one-way under k-correlated nputs. Ther work s summarzed n the next secton.

7 3 The Rosen-Segev scheme The computatonal assumpton underlyng the scheme s that there exsts a collecton of functons F = (G,F) whch s secure under k-correlated nputs. The scheme makes use of a strongly-unforgeable sgnature scheme and of a hard-core predcate h for the collecton F k. KeyGen RS : Invoke G for 2k tmes ndependently and obtan the descrptons of functons (f 0 1, f 1 1,..., fk 0, f k 1) and the correspondng trapdoors (td0 1, td 1 1,..., td 0 k, td1 k ). The former s dstrbuted as the publc key pk, whle the latter s the prvate key sk. Enc RS : To encrypt a plantext m {0, 1} wth the publc key pk, sample a key from a strongly-unforgeable one-tme sgnature scheme, say (vk, sgk) and a random x {0, 1} N. Wrte vk for the -th bt of vk and let h be a hard-core predcate, then: c = F(f vk, x) for = 1,..., k. y = m h(f vk 1 1,..., f vk k, x). σ = Sgn SS sgk (c 1,..., c k, y). k It s assumed that vk {0, 1} k : f not, t s enough to apply a unversal one-way hash functon to obtan the desred length. Fnally, output the cphertext ψ = (vk, c 1,..., c k, y, σ). Dec RS : Upon recepton of a cphertext ψ: Verfy the sgnature; f Ver SS vk ((c 1,..., c k, y), σ) = 0 output. Otherwse compute x = F 1 (td vk, c ) for = 1,..., k. If x 1 = = x k then set m = y h(f vk 1 1,..., f vk k k, x 1 ) and return the plantext m, otherwse output. The securty of the scheme s summarzed n the next theorem, whch was proved n [13]. Theorem 1. Assumng that F s secure under k-correlated nputs, and that the sgnature scheme s one-tme strongly unforgeable, the above encrypton scheme s IND-CCA2-secure. The proof conssts of a standard argument, dvded n two parts. The frst part shows that f an adversary exsts capable to break the CCA2 securty of the scheme, t can be converted to an adversary able to forge the sgnature scheme. In the second part, assumng that the forgery doesn t occur, an adversary s bult that contradcts the securty of the hard-core predcate. For lack of space we don t present the proof here, but we refer the reader to [13] for more detals.

8 4 Prevous proposals If we descrbe the McElece encrypton as a functon f G (x, y) = xg + y then clearly ths s not secure under correlated nputs: n fact, gven two evaluatons f G1 (x, y) = xg 1 + y and f G2 (x, y) = xg 2 + y then clearly we could sum the outputs together and, snce the error vector cancels out (we assume we are n the bnary case lke n the orgnal McElece scheme), we get x(g 1 + G 2 ) from whch t s easy to recover x. The problem s that, snce we are defnng a functon, there s no randomness anymore, whereas McElece requres a random error vector n order to be secure under k-correlated nputs. A mappng that ncorporates a random element would n fact gve a dfferent result for multple encryptons of the same plantext and so won t have a unque mage. We now present two alternatve schemes that have been proposed to deal wth the matter. 4.1 Syndrome decodng Ths constructon was presented n [8] and s based on the Nederreter cryptosystem [11]. Snce ths reles on the propertes of the party-check matrx rather than the generator matrx, t s often consdered the dual cryptosystem and the computatonal assumptons for the securty change accordngly. The Nederreter trapdoor functon can be effcently descrbed as the famly N = (G,F) n the followng way: Generaton: on nput n, k the algorthm G generates a random party-check matrx H for an [n, k]-lnear code wth an effcent decodng algorthm over F q, an (n k) (n k) random nvertble matrx S and an n n permutaton matrx P, then publshes the publc key Ĥ = SHP and the prvate key (S, P, Γ ). Evaluaton: on nput Ĥ, e, where e s a strng of fxed weght w n Fn q, the algorthm F computes ψ = Ĥe and returns the cphertext ψ. It s possble to nvert F usng the trapdoor: on nput (S, P, Γ ) and ψ, multply ψ by S 1, decode to obtan P e and retreve e by multplyng by P 1. The functon s proved to be one-way under k-correlated nputs n [8, Th. 6.2] f k s chosen such that the Nederreter assumptons hold for n and (n k)k, and t s ntended to be used n the general Rosen-Segev framework.

9 4.2 k-repetton PKE Dowsley, Müller-Quade and Nascmento [1] propose a scheme that resembles the Rosen-Segev protocol tryng to apply t to the McElece cryptosystem. Despte the authors clam that ths s the drect translaton of [13], clearly ths s not the case. Among other dfferences, the scheme doesn t rely on a collecton of functons but nstead defnes a structure called k-repetton Publc-Key Encrypton (P KE k ). Ths s essentally an applcaton of k samples of the PKE to the same nput, n whch the decrypton algorthm also ncludes a verfcaton step on the k outputs. The encrypton step produces a sgnature drectly on the McElece cphertexts nstead of ntroducng a random vector x as n the orgnal scheme; therefore an IND-CPA secure varant of McElece s cryptosystem [12] s necessary to acheve CCA2 securty. We brefly recall t below. Table 4: The Randomzed McElece cryptosystem. Setup Fx publc system parameters q, m, n, k, w N such that k n wm, k = k 1 + k 2. K K publ the set of k n matrces over F q. K prv the set of trples formed by a k k nvertble matrx, an n n permutaton matrx and a code descrpton. P The vector space F k 1 q. R The vector space F k 2 q. C The vector space F n q. KeyGen Generate at random a polynomal g F q m[x] and elements α 1,..., α n F q m, then buld the Goppa code Γ = Γ (α 1,..., α n, g) over F q and ts generator matrx G. Select at random a k k nvertble matrx S and an n n permutaton matrx P. Publsh the publc key Ĝ = SGP K publ and store the prvate key (S, P, Γ ) K prv. Enc Dec On nput a publc key Ĝ K publ, a plantext m P and a randomness r P, sample a random error vector e of weght w n F n q and return the cphertext ψ = (r m)ĝ + e C. On nput the prvate key (S, P, Γ ) K prv and a cphertext ψ C, frst compute ψp 1 then apply the decodng algorthm D Γ to t. If the decodng succeeds, multply the output by S 1, parse t as (r m) and return the plantext φ = m. Otherwse, output. We now present the scheme descrbed n [1]. Note that, n the paper, ths s presented as a general scheme, applcable to any IND-CPA secure PKE whch s secure and verfable under k-correlated nputs. KeyGen DMQN : Invoke KeyGen PKE for 2k tmes ndependently and obtan the collecton of publc keys (pk 0 1, pk 1 1,..., pk 0 k, pk1 k ) and the correspondng prvate keys (sk 0 1, sk 1 1,..., sk 0 k, sk1 k ), then run the key generaton algorthm for the sgnature scheme to obtan a key (vk, sgk ). Publsh the publc key pk = (pk 0 1, pk 1 1,..., pk 0 k, pk1 k ) and choose the prvate key accordngly to vk,.e. sk = (vk, sk 1 vk 1 1,..., sk 1 vk k k ).

10 Enc DMQN : To encrypt a plantext m wth the publc key pk, sample another, dfferent key (vk, sgk) from the sgnature scheme, then: c = Enc PKE (m) for = 1,..., k. pk vk σ = Sgn SS sgk (c 1,..., c k ). Output the cphertext ψ = (vk, c 1,..., c k, σ). Dec DMQN : Upon recepton of a cphertext ψ: If vk = vk or Ver SS vk ((c 1,..., c k ), σ) = 0 output. Otherwse compute m = Dec PKE (c ) for some such that vk vk. sk vk Verfy that c = Enc PKE (m) for all = 1,..., t. If the verfcaton s successful pk vk return the plantext m, otherwse output. Snce we know that vk vk, there s at least one poston n whch they dffer, hence the decrypton process s well defned. Remark 2. Note that, even though the encrypton process s not determnstc, for McElece encrypton t s stll possble to perform the check n the last step of Dec DMQN. It s n fact enough to check the Hammng weght of c mĝ where Ĝ s the generator matrx correspondng to the publc key pk vk. Ths s not clearly stated by the authors along wth the descrpton of the general scheme, but t s mentoned later on n [1, Theorem 3] for the partcular case of the randomzed McElece. Remark 3. Clearly, the above specfcaton of the scheme s ambguous. In fact, even assumng that the underlyng encrypton scheme s IND-CPA secure, the encrypton step s descrbed smply as Enc PKE (m) for = 1,..., k, wthout ndcatng explctly pk vk the role of the randomness. In [1, Secton 4] some remarks are made about the securty and there s the suggeston that the scheme n use be the randomzed McElece scheme from [12] (see Table 4); however, precse detals on how ths should be nstantated are mssng. One could n general thnk at the k encryptons as c = Enc PKE (m, r ) = (r m)ĝ + e. In ths case, snce we check the Hammng pk vk weght of c (r m)ĝ, the check would obvously fal unless r 1 = = r k = r. Remark 4. The KeyGen algorthm s slghtly dfferent from the Rosen-Segev case. In partcular, 2k keys are generated, then a random verfcaton key vk s chosen and half of the prvate keys (the ones correspondng to vk ) are dscarded. Ths also mples that decrypton only works when vk vk. Ths technque s used n the context of the proof of Theorem 1, specfcally n the second part whle constructng an effcent dstngusher for the hard-core predcate. Whle, as we wll see n the followng, ths s necessary for the proof (both for the orgnal paper and for the proposed scheme), t s certanly a redundant requrement n the KeyGen process.

11 In lght of the prevous observatons, a more correct descrpton of the scheme would then be: KeyGen DMQN : Invoke KeyGen PKE for 2k tmes ndependently and obtan the collecton of publc keys (pk 0 1, pk 1 1,..., pk 0 k, pk1 k ) and the correspondng prvate keys (sk 0 1, sk 1 1,..., sk 0 k, sk1 k ). The former s dstrbuted as the publc key pk, whle the latter s the prvate key sk. Enc DMQN : To encrypt a plantext m wth the publc key pk, sample a key (vk, sgk) from the sgnature scheme and a randomness r, then: c = Enc PKE (m, r) 4 for = 1,..., k. pk vk σ = Sgn SS sgk (c 1,..., c k ). Output the cphertext ψ = (vk, c 1,..., c k, σ). Dec DMQN : Upon recepton of a cphertext ψ: If Ver SS vk ((c 1,..., c k ), σ) = 0 output. Otherwse compute (m, r) = Dec PKE (c ) for some. sk vk Verfy that c = Enc PKE (m, r) for all = 1,..., t. If the verfcaton s successful pk vk return the plantext m, otherwse output. The constructon s proved to be CCA2-secure n [1, Theorem 1]. We now reproduce a more careful proof of securty. Theorem 2 ([1]). Assumng that P KE k s IND-CPA secure and verfable under k-correlated nputs, and that the sgnature scheme s one-tme strongly unforgeable, the above encrypton scheme s IND-CCA2-secure. Let A be an IND-CCA2 adversary. Durng the attack game, A submts m 0, m 1 and gets back the challenge cphertext ψ = (vk, c 1,..., c k, σ ). Indcate wth Forge the event that, for one of A s decrypton queres ψ = (vk, c 1,..., c k, σ), t holds vk = vk and Ver SS vk ((c 1,..., c k ), σ) = 1. The theorem s proved by means of the two followng lemmas. Lemma 1. Pr[Forge] s neglgble. Proof. Assume that there exsts an adversary A for whch Pr[Forge] s not neglgble. We buld an adversary A that breaks the securty of the one-tme strongly unforgeable scheme. A works as follows: 4 Note that the randomness we are explctng here s the one necessary to realze the IND-CPA securty of P KE, hence Enc s stll a randomzed algorthm. In partcular, for the McElece nstantaton we would have c = (r m)ĝ + e.

12 Key Generaton: Invoke KeyGen DMQN as above and return pk to A. Decrypton queres: Upon a decrypton query ψ = (vk, c 1,..., c k, σ): 1. If vk = vk and Ver SS vk ((c 1,..., c k ), σ) = 1 output and halt. 2. Otherwse, decrypt normally usng Dec DMQN. Challenge queres: Upon a challenge query m 0, m 1 : 1. Choose random b {0, 1}. 2. Use Enc DMQN to compute c = Enc pk vk (m b, r) for = 1,..., k. 3. Obtan the sgnature σ on (c 1,..., c k ) wth respect to vk Return the challenge cphertext ψ = (vk, c 1,..., c k, σ ). Note that, f Forge doesn t occur, the smulaton of the CCA2 nteracton s perfect. Therefore, the probablty that A breaks the securty of the one-tme sgnature scheme s exactly Pr[Forge]. The one-tme strong unforgeablty mples that ths probablty s neglgble. Lemma 2. Pr[b = b Forge] 1 2 s neglgble. Proof. Assume that there exsts an adversary A for whch Pr[b = b Forge] 1 2 s not neglgble. We buld an adversary A that breaks the IND-CPA securty of P KE k. A works as follows: Key Generaton: On nput the publc key (pk 1,..., pk k ) for P KE k : 1. Execute KeyGen SS and obtan a key (vk, sgk ). 2. Set pk vk = pk for = 1,..., k. 3. Run KeyGen PKE for k tmes and denote the resultng publc keys by (pk 1 vk 1 1,..., pk 1 vk k k ) and prvate keys by (sk 1 vk 1 1,..., sk 1 vk k k ). 4. Return the publc key pk = (pk 0 1, pk 1 1,..., pk 0 k, pk1 k ) to A. Decrypton queres: Upon a decrypton query from A: 1. If Forge occurs output and halt. 2. Otherwse, there wll be some such that vk vk. Decrypt normally usng Dec DMQN wth the key sk vk prevously generated. 5 Remember that n the one-tme strong unforgeablty game the adversary s allowed to ask to a sgnng oracle for the sgnature on one message.

13 Challenge queres: Upon a challenge query m 0, m 1 : 1. Send m 0, m 1 to the challenge oracle for the IND-CPA game of A and obtan the correspondng challenge cphertext (c 1,..., c k ). 2. Sgn (c 1,..., c k ) usng sgk to get the sgnature σ. 3. Return the challenge cphertext ψ = (vk, c 1,..., c k, σ ). Output: When A outputs b also A outputs b. As long as Forge doesn t occur, t s clear that the IND-CPA advantage of A aganst P KE k s the same as the IND-CCA2 advantage of A aganst the above scheme. Snce we are assumng the IND-CPA securty of P KE k, we have the IND-CCA2 securty as desred. Remark 5. It s clear that, as already mentoned by the authors n [12], the IND- CPA securty of the randomzed McElece scheme s not absolute, but depends on the choce of the szes of the message m and randomness r n the encrypton procedure (r m)ĝ+e. In the context of a CPA attack game, n fact, ths cphertext s subject to general decodng attacks wth partal nformaton about the plantext. As llustrated n [12, Table 1], f the randomness r s not large enough, the IND-CPA securty of the scheme can be easly broken. 5 A drect translaton of McElece We now explan how to realze the Rosen-Segev scheme usng McElece. The constructon arses naturally f we want to be as close as possble to the orgnal McElece formulaton. We hence follow the usual approach of the McElece cryptosystem, that s to choose a dfferent random error vector every tme we call the evaluaton algorthm; ths mples that we are not usng functons anymore. The constructon s proved to be secure under k-correlated nputs n Theorem 3. It proceeds as follows: Descrbe McElece as a par McE = (G, F) composed by two algorthms: G s a generaton algorthm that samples a descrpton, and F s an evaluaton algorthm that provdes the evaluaton on a gven nput. Generaton: on nput n, k the algorthm G generates a random generator matrx G for an [n, k]-lnear code wth an effcent decodng algorthm over F q, a k k random nvertble matrx S and an n n permutaton matrx P, then publshes the publc key Ĝ = SGP and the prvate key (S, P, Γ ). Evaluaton: on nput Ĝ, m the algorthm F generates a random error vector e of fxed weght w n F n q, computes ψ = mĝ + e and outputs the cphertext ψ.

14 It s possble to nvert F usng the trapdoor: on nput (S, P, Γ ) and ψ, multply ψ by P 1, decode to obtan ms and retreve m by multplyng by S 1. We clam that ths encrypton process s secure under k-correlated nputs. Ths s proved n the followng theorem, whch closely follows the proof of [8, Th. 6.2]. Frst, we need a lemma: Lemma 3. If Assumpton 2 holds for parameters ˆn, k and ŵ, then the ensembles {(G, mg + e) : G F k ˆn q, m F k q, e Wˆn,ŵ } and {(G, y) : G Fq k ˆn, y R Fˆn q } are computatonally ndstngushable. Ths was proved n [3] for the syndrome decodng (Nederreter) case. We know [7] that the two formulatons are equvalent; n partcular, any adversary able to dstngush the above ensembles can be used to buld an adversary for the Nederreter case. Therefore, the above lemma must also be true. A complete proof s gven n Appendx A. Theorem 3. Fx an nteger k. If the parameters n, k, w are chosen such that decodng a random lnear code wth parameters nk, k and wk s hard, then the above encrypton process s secure under k-correlated nputs. Proof. Let A be an adversary for the one-wayness under k-correlated nputs. We defne the advantage of A to be Adv A (λ) = Pr[A(Ĝ1,..., Ĝk, F(Ĝ1, m),..., F(Ĝk, m)) = m] where Ĝ1,..., Ĝk are k ndependent publc keys generated by G. We assume the ndstngushablty assumpton holds: we can then exchange all the matrces Ĝ wth unform matrces U wth a neglgble advantage for the attacker. Now, let s defne the k nk matrx U by concatenatng the rows of the matrces U,.e. U = (U 1... U k ). We assume that the dstrbutons (U 1,..., U k, F(U 1, m),..., F(U k, m)) and (U, F(U, m)) are nterchangeable wthout a sgnfcant advantage for the attacker. Note that n the latter the error vector used wll have length nk and weght wk. A formal argument wll be provded n Appendx B. We now nvoke Lemma 3 wth ˆn = nk and ŵ = wk. Hence Adv A (λ) = Pr[A(U, F(U, m)) = m] Pr[A(U, y) = m] negl(n) and snce ths last one s of course neglgble, we conclude the proof. One can then mplement the Rosen-Segev scheme usng ths choce of F and G. For completeness we present the detals below. KeyGen P : Invoke G for 2k tmes ndependently and obtan the collectons of publc keys pk = (pk 0 1, pk 1 1,..., pk 0 k, pk1 k ) and prvate keys sk = (sk0 1, sk 1 1,..., sk 0 k, sk1 k ), where pk j = (Ĝj) and sk j = (S, P, Γ ) j as above.

15 Enc P : To encrypt a plantext m wth the publc key pk, sample a key (vk, sgk) and a random x {0, 1} k, then: c = F(pk vk, x) for = 1,..., k. y = m h(pk vk 1 1,..., pk vk k, x). σ = Sgn SS sgk (c 1,..., c k, y). k where vk represents the -th bt of vk. As n [13] we can assume m to be a sngle bt, n whch case h descrbes a hard-core predcate for McElece; the protocol extends easly to multple bts plantexts. Fnally, output the cphertext ψ = (vk, c 1,..., c k, y, σ). Dec P : Upon recepton of a cphertext ψ: Verfy the sgnature; f Ver SS vk ((c 1,..., c k, y), σ) = 0 output. Otherwse compute x = F 1 (sk vk, c ) for = 1,..., k. 6 If x 1 = = x k then set m = y h(pk vk 1 1,..., pk vk k k, x 1) and return the plantext m, otherwse output. The securty s assessed n the followng corollary: Corollary 2. The above encrypton scheme s IND-CCA2 secure n the standard model. Proof. By Theorem 3, the collecton of McElece encrypton schemes McE s k- correlaton secure. Then ths s analogous to Theorem 1, notng that the same argument apples when F = McE,.e. f descrbes a randomzed algorthm rather than a functon. The proof uses the same steps as n Theorem 2, wth the excepton that n our case Lemma 2 s proved by constructng an adversary A that works as a predctor for the hard-core predcate h. 6 Conclusons The scheme of Dowsley et al. [1] s a frst proposal to translate the Rosen-Segev protocol to the McElece framework. However, the constructon s ambguous, as we have shown n Secton 4.2. Another crtcsm of the Dowsley, Müller-Quade, Nascmento dea s the strange and unnecessary forgettng of half the prvate keys, and forbddng cphertexts to feature the verfcaton key vk. The orgnal Rosen-Segev scheme has no such requrements. We therefore present a constructon that successfully deals wth the problem, provdng a choce of algorthms F and G that can be used drectly nto the Rosen-Segev scheme preservng the orgnal framework. 6 By analogy wth the Rosen-Segev scheme. Clearly n practce t would be much more effcent, rather than decodng k cphertexts, to just decode one and then re-encode and test as n [1, Theorem 3].

16 References 1. R. Dowsley, J. Müller-Quade, and A. C. A. Nascmento, A CCA2 secure publc key encrypton scheme based on the McElece assumptons n the standard model. In Topcs n Cryptology - CT-RSA 2009, LNCS, volume 5473, pages , J.-C. Faugère, V. Gauther-Umaña, A. Otman, L. Perret. and J.-P. Tllch, A dstngusher for hgh rate McElece cryptosystems. In Informaton Theory Workshop (ITW), pages , J.-B. Fscher and J. Stern, An effcent pseudo-random generator provably as secure as syndrome decodng. In Advances n Cryptology - EUROCRYPT 1996, volume 4004 of Lecture Notes n Computer Scence, pages 73-87, E. Fujsak and T. Okamoto, Secure ntegraton of asymmetrc and symmetrc encrypton schemes. In CRYPTO 99: Proceedngs of the 19th Annual Internatonal Cryptology Conference on Advances n Cryptology, volume 6110 of LNCS, Sprnger-Verlag, pages , London, J. Katz and J. S. Shn, Parallel and concurrent securty of the HB and HB + protocols. In Advances n Cryptology - EUROCRYPT 2006, volume 1070 of Lecture Notes n Computer Scence, pages , K. Kobara and H. Ima, Semantcally secure McElece publc-key cryptosystems-conversons for McElece PKC. In PKC 01: Proceedngs of the 4th Internatonal Workshop on Practce and Theory n Publc Key Cryptography, Sprnger-Verlag, pages 19-35, London, Y. X. L, R. H. Deng and X. M. Wang, On the equvalence of McElece s and Nederreter s publc-key cryptosystems. In IEEE Transactons on Informaton Theory, volume 40, ssue 1, pages , D. Mandell Freeman, O. Goldrech, E. Kltz, A. Rosen, and G. Segev, More constructons of lossy and correlaton-secure trapdoor functons. In Publc Key Cryptography - PKC 2010, volume 6056 of Lecture Notes n Computer Scence, pages , F. J. MacWllams and N. J. Sloane, The theory of error-correctng codes. North Holland, Amsterdam, R. J. McElece, A Publc-Key System Based on Algebrac Codng Theory. In DSN Progress Report 44, pages , Jet Propulson Lab, H. Nederreter, Knapsack-type cryptosystems and algebrac codng theory. In Problems of Control and Informaton Theory, volume 15, ssue 2, pages , R. Nojma, H. Ima, K. Kobara, K. Morozov, Semantc securty for the McElece cryptosystem wthout random oracles. In Proceedngs of Internatonal Workshop on Codng and Cryptography (WCC), INRIA, pages , A. Rosen and G. Segev, Chosen-cphertext securty va correlated products. In Theory of Cryptography Conference - TCC 2009, LNCS, volume 5444, pages , 2009.

17 A Proof of Lemma 3 Consder the problem of dstngushng the ensembles {(H, He T ) : H F (ˆn k) ˆn q, e Wˆn,ŵ } and {(H, y) : H F (ˆn k) ˆn q, y R Fˆn k q } as n [3] and suppose A s a probablstc polynomal-tme algorthm that s able to dstngush the ensembles of Lemma 3. In partcular, say A outputs 1 f the challenge ensemble s of the form (G, mg + e) and 0 otherwse. We show how to construct an adversary A that solves the above problem. Let (H, z) be the receved nput, where z s ether He T for a certan error vector e Wˆn,ŵ or a random vector of Fˆn k q. By lnear algebra, s easy to fnd a vector x Fˆn q wth wt(x) ŵ such that z = Hx T. Submt ( G, x) to A, where G s the generator matrx assocated to H. Now, f z = He T we can wrte x = m G + e; n ths case, n fact, we have Hx T = z = He T = H(x e) T = 0 and clearly ths mples that (x e) T s a codeword. Then A wll output 1 and so wll A. Otherwse, A wll output 0 and so wll A. In both cases, A s able to dstngush correctly and ths termnates the proof. B An ndstngushablty assumpton on error vectors Smlarly to what happens for the IND-CPA securty of the McElece varant (as ponted out n Remark 5), also n ths case the securty we are tryng to acheve s not absolute, but depends on a sutable choce of parameters. The assumpton n ths case s that we can replace the vector (mu 1 + e 1... mu k + e k ) wth the vector mu + e, where U = (U 1... U k ) and e s a random error vector of weght wk; n other words, we would lke to argue that e = (e 1... e k ) s ndstngushable from e. Note that wt(e ) = wt(e) but whle the dstrbuton of the error postons on e s truly pseudorandom, e s formed by k blocks of weght w each. It s plausble that the number of vectors of ths knd (that we denote # e ) s not too small compared to the total of error vectors wth same length and weght. Unfortunately, the only estmate we can provde s not of help: # e W nk,wk = ( n w ( nk wk ) k ) ( n w ) wk ( ne w ) wk = 1. (4) ewk However, the bound s not tght, and expermental evdence ndcates that ths rato s much bgger.

Provable Security Signatures

Provable Security Signatures Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -