Notes on Alekhnovich s cryptosystems

Similar documents
Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lattice Cryptography

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Public-Key Encryption Based on LPN

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

How to Encrypt with the LPN Problem

Division Property: a New Attack Against Block Ciphers

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Lecture 3: Error Correcting Codes

Background: Lattices and the Learning-with-Errors problem

CPSC 467b: Cryptography and Computer Security

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 5, CPA Secure Encryption from PRFs

Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification

8 Security against Chosen Plaintext

RSA RSA public key cryptosystem

Cryptology. Scribe: Fabrice Mouhartem M2IF

Channel Coding for Secure Transmissions

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

And for polynomials with coefficients in F 2 = Z/2 Euclidean algorithm for gcd s Concept of equality mod M(x) Extended Euclid for inverses mod M(x)

Advanced Topics in Cryptography

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

1 Indistinguishability for multiple encryptions

Notes 10: Public-key cryptography

1 Distributional problems

Benes and Butterfly schemes revisited

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Lectures 2+3: Provable Security

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Modern Cryptography Lecture 4

Structural Cryptanalysis of SASAS

Gentry s SWHE Scheme

Code-based Cryptography

} has dimension = k rank A > 0 over F. For any vector b!

9 Knapsack Cryptography

Solutions to homework 2

CPSC 467b: Cryptography and Computer Security

QC-MDPC: A Timing Attack and a CCA2 KEM

Short Exponent Diffie-Hellman Problems

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Cryptanalysis of the Sidelnikov cryptosystem

Lattice Cryptography

ECS 189A Final Cryptography Spring 2011

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

MATH3302. Coding and Cryptography. Coding Theory

Jay Daigle Occidental College Math 401: Cryptology

MATH32031: Coding Theory Part 15: Summary

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 2 : Perfectly-Secret Encryption

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

Symmetric Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

RSA-OAEP and Cramer-Shoup

1 Cryptographic hash functions

Computers and Mathematics with Applications

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Provable security. Michel Abdalla

Notes for Lecture 17

1 Cryptographic hash functions

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 9 - Symmetric Encryption

10 Concrete candidates for public key crypto

arxiv: v2 [cs.cr] 14 Feb 2018

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

Adaptive Security of Compositions

Cryptography 2017 Lecture 2

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Modern symmetric-key Encryption

Lecture 2: Perfect Secrecy and its Limitations

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Recommended Reading. A Brief History of Infinity The Mystery of the Aleph Everything and More

Attacking and defending the McEliece cryptosystem

Public-Key Encryption: ElGamal, RSA, Rabin

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Indistinguishability and Pseudo-Randomness

Perfectly-Secret Encryption

MATH 291T CODING THEORY

MATH3302 Coding Theory Problem Set The following ISBN was received with a smudge. What is the missing digit? x9139 9

El Gamal A DDH based encryption scheme. Table of contents

Solving LPN Using Covering Codes

Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets

Lecture 7: CPA Security, MACs, OWFs

Bootstrapping Obfuscators via Fast Pseudorandom Functions

The failure of McEliece PKC based on Reed-Muller codes.

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

1 Secure two-party computation

Lecture 12: Block ciphers

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Notes on Property-Preserving Encryption

19. Basis and Dimension

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Hamming Codes 11/17/04

PERFECTLY secure key agreement has been studied recently

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Transcription:

Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given k, n such that R 1 k/n R 2, given a random code C defined by a uniform random generating k n matrix (or a uniform random parity-check (n k) n matrix), and a vector which is either (i) a uniformly random vector u (ii) c + e where c C is a uniformly random codeword and e a uniformly random vector of weight t, independent of c. A decides between (i) and (ii) with a non-negligible advantage over random choice. We remark that we may replace the probability distribution for choosing C by the uniform distribution over all codes of dimension k. To obtain it choose a random generating matrix, and if it is not full-rank discard it and choose again. Since the probability of a k n random matrix being singular is at most 1/2 n k, the two probability distributions (uniform k n random generating matrix and uniform random code of dimension k) are computationally indistinguishable. Note also that the uniform distribution over all codes of dimension k may be obtained by choosing an (n k) n parity-check matrix with uniform distribution, discarding it and sampling it again if ever it is not full-rank. Alekhnovich s first cryptosystem We set the parameter t to be o(n 1/2 ). Let A be a random k n matrix and let ε be a random vector in F n 2 of weight t. Let H be the (k + 1) n matrix obtained by appending to A an additional row consisting of the vector y = xa + ε where x is a uniform vector in F k 2 independent of ε. In other words, y is the sum of the error vector ε and a random codeword of the code generated by the matrix A. Let C be the code with parity-check matrix H. The public key is a generating matrix for the code C. In this cryptosystem the message space consists of a single bit M = {0, 1}. 1

Encryption. To encrypt 0, output C(0) = c + e where c is a random codeword of C and e is a random vector of weight t. To encrypt 1, output C(1) = u where u is a uniform random vector of F n 2. Decryption. The secret key is the vector ε. To decrypt the encrypted bit C(m), m {0, 1}, compute b = ε, C(m) and declare b to be the decrypted plaintext. We have that ε, C(0) = ε, c + e = ε, c + ε, e = ε, e because ε, being a row of the parity-check matrix H, is orthogonal to all codewords of C. Since we have imposed on both ε and e to be of weight t = o( n), the probability that ε, e = 0 is close to 1. Besides, since C(1) is a random vector, we have that when m = 1, decryption succeeds with probability exactly 1/2. To obtain a reliable cryptosystem, use an error-correcting code, e.g. encrypt the secret bit m several times. Security reduction. Suppose there exists a decryption algorithm D that extracts m from C(m) given only knowledge of the code C (and not ε). Then this algorithm should work without any noticeable difference if the code C is replaced by a random code C defined by a uniform random parity-check matrix H, i.e. if the vector y = x + ε used in defining the last row of H is uniformly random, equivalently if ε is taken to be uniformly random rather than random of weight t. If there were a noticeable difference, this would yield a way of distinguishing whether y is uniformly random or at distance t from the random code generated by the matrix A, contradicting the decisional decoding hypothesis of parameter t. Suppose therefore that we are now using the encryption scheme with the random code C rather than the original code C. Again, the decryption algorithm D should work just as well when the error vector e used to encrypt the message m = 0 is replaced by 2

a uniform random vector. Otherwise we again have a distinguisher between a uniform random vector and a vector of the form c + e where e is of weight t and c is a random codeword of the random code C. Again this would contradict the decisional decoding hypothesis. But we now have an absurd result, which is that the decryption algorithm D should somehow be able to decrypt in the situation when the encryption of both 0 and 1 are uniform random vectors of F n 2, which clearly cannot be achieved with a success probability different from 1/2. Alekhnovich s second cryptosystem Let A be a uniform random n/2 n matrix, let X be a uniform random n n/2 matrix, and let E be a random n n matrix, chosen uniformly among matrices such that every row of E is of weight t. Set M = XA + E. Every row of M is therefore obtained by adding a random vector of weight t to a random codeword of the code generated by the rows of the matrix A. We add the requirement that M is invertible: if this is not the case we throw away the matrix M and choose another one in the same way until we obtain an invertible matrix M. Let C 0 be an error-correcting code of length n that comes with a polynomial-time decoding algorithm that almost always decodes correctly codewords that have been submitted to a binary symmetric channel of transition probability p = t 2 /n. We should have dim C 0 > n/2, for example suppose dim C 0 = 9n/10. Let φ : F n 2 F n 2 be the linear map defined by the matrix M, i.e. for a column vector x, φ(x) = Mx. Let C 1 = φ 1 (C 0 ), i.e. C 1 = {x F n 2, φ(x) C 0 }. Denote by C 2 the code for which A is a parity-check matrix. Finally, define the code C = C 1 C 2. Let G be a generating matrix for this code. The matrix G is the public key of the cryptosystem. Let k = dim C. Without loss of generality we can suppose k is even and set k = 2m. The message (cleartext) space is M = F m 2. Encryption. To encrypt a message m F m 2, append to it a random m-bit vector r to create x F k 2. The ciphertext is: C(m) = xg + e where e is a random vector of weight t in F n 2. Decryption. The secret key is the matrix E. To decrypt, start by computing the vector y, such that y T = EC(m) T. We note that C(m) = c + e where c = xg is 3

a codeword of C. Since C is a subcode of C 2, all rows of A are orthogonal to all codewords of C, so that Ac T = 0. Therefore y T = E(c + e) T = Ec T + Ee T = XAc T + Ec T + Ee T = Mc T + Ee T = c T 0 + Ee T where c T 0 = Mc T. But since c C C 1 and φ(c 1 ) = C 0, we have c 0 C 0. Also, since every row E i, 1 i n, of E has weight t, we have that E i, e = 1 with probability at most p = t 2 /n. Therefore, applying the decoding algorithm for C 0 to y will yield c 0 with a vanishing probability of error. To finish decryption, solve the linear system xg = φ(c 0 ), (i.e. xg(m T ) 1 = c 0 ) and throw away the last m bits of x to recover m. The matrix G(M T ) 1 can be chosen in systematic form to avoid solving the linear system. This implies that M T or simply G(M T ) 1 is known to the decryption algorithm, but these quantities could just as well be public, we will see that they do not help cryptanalysis. Security reduction. Suppose there is a decryption algorithm D that decrypts without the secret key E. Then we first argue, as for the first cryptosystem, that the decryption algorithm must behave in the same way when the matrix M is replaced by a random uniform full-rank matrix M. Otherwise, by feeding the decryption algorithm D with messages encrypted either with the genuine cryptosystem, or by the modified cryptosystem where M is replaced by M and everything else constructed in the same way, we would have a way of differentiating between pairs of vectors u, v, where u is uniformly random and v = a + ε, where a is a random sum of rows of A and ε is a random vector of weight t. This would contradict the decisional decoding hypothesis. We suppose the decryption algorithm works in the IND-CPA model, this means that D first chooses two plaintexts m 0 and m 1, and asks for an encryption of m i : it then returns i with a probability π such that π 1/2 is non-negligible. We now work towards a contradiction by showing how to use D to break the decisional decoding hypothesis. Let V be a uniform random code of length n and dimension m. Suppose z is either a uniform random vector of length n, or equal to r + e with r a random vector of V and e a random vector of weight t. We will call upon the deciphering algorithm D to decide what category z belongs to. 4

Let U be another uniform random code of length n and dimension m. With overwhelming probability, the codes U and V have trivial intersection and the code C = U V has dimension k = 2m. Randomly extend the code C by adding random vectors so as to obtain a code C 1 of the required dimension (say 9n/10) and similarly extend the code C by adding random vectors so as to obtain a code C 2 of the required dimension (n/2). By construction C 1 and C 2 are uniform random codes of the required dimensions and C = C 1 C 2. Let G be a generating matrix of C of the form G = [ G U ] G V Let φ be a random one-to-one linear mapping that maps C 0 to C 1. Since C 1 is a random linear code of the same dimension as C 0, φ is simply a random one-to-one linear map that we associate to the random matrix M. The matrix M and the codes C, C 1, C 2 have the same distribution as in the cryptosystem defined by the matrix M and the condition that none of the codes C, C 1, C 2 are degenerate, which happens with overwhelming probability when defining the original cryptosystem. Now we call upon the algorithm D. Algorithm D gives us the plaintexts m 0 and m 1, and we choose i {0, 1} randomly. We then give algorithm D the ciphertext m i G U + z. Algorithm D returns its guess ι of the bit i. If ι = i we declare z to be of the form z = r + e. Otherwise we declare z to be equal to the uniform random vector u. We see that whenever z is of the form z = r + e, then the ciphertext given to algorithm D has exactly the form of a valid encryption of m i, hence the non-negligible advantage in telling apart whether z is uniform or at distance t from a random codeword of V. Reduction to the search decoding problem Difficulty of Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given k, n such that R 1 k/n R 2, given a random code C defined by a uniform random generating k n matrix (or a uniform random parity-check (n k) n matrix), and a vector y = c + e where c is a random codeword of C and e is a random vector of weight t, chosen uniformly and independently of c, 5

algorithm A returns c with non-negligible probability. Theorem 1. If the difficulty of decoding hypothesis with parameter t is satisfied, then there is no polynomial-time algorithm A that computes r, x with a non-negligible advantage over random choice (outputting 0 or 1 with probability 1/2) given two real numbers R 1, R 2, with 0 < R 1 < R 2 < 1, a k n uniform random matrix G with R 1 < k/n < R 2, an instance xg + e of the decoding problem for the code C generated by G, where x F k 2 is randomly chosen, and a random vector e of weight t. a uniform random vector r of length n, Before proving Theorem 1 we show how to use it to deduce the full difficulty of decoding hypothesis from the purely decisional version. Proposition 2. The difficulty of decoding hypothesis with parameter t implies the decisional decoding hypothesis with the same parameter t. In other words, if there exists an algorithm that efficiently tells the difference between a vector at distance t from the code and a uniform random vector, then there exists an algorithm that efficiently decodes vectors at distance t from the code. Proof. Suppose D is an algorithm that breaks the decisional decoding hypothesis and distinguishes between a vector of the form xg + e, for a random codeword xg of a the random code generated by the random matrix G. We will construct an algorithm A that contradicts Theorem 1. Algorithm A will be given as input a random matrix G, a vector y = xg + e, e of weight t, a random vector r. Algorithm A will then proceed to evaluate x, r. Now let r and s be two uniform random vectors, in F k 2 and F n 2 respectively. Form the matrix G = G+r T s and remark that G is uniform random like G. Remark also that therefore either x, r = 0 and xg = xg, x(r T s) = x, r s 6

or x, r = 1 and xg = xg + s. We now define the code C to be the code generated by the matrix G. Algorithm A simply gives the code C (defined by G ) and the vector y to the distinguishing algorithm D. If algorithm D says uniform, algorithm A declares x, r = 1. If algorithm D says y = c + e, then algorithm A declares x, r = 0. Proof of the Goldreich-Levin Theorem Theorem 1 is a special case of the more general statement: Theorem 3. Let f be any one-way function from {0, 1} n to {0, 1} m. There is no polynomial-time algorithm A that given y = f(x) for a uniform random input x, and an independent uniformly random r {0, 1} n, computes x, r with a non-negligible advantage, i.e. outputs b {0, 1} with P (b = x, r ) 1/2+ε, where ε is a polynomial function of 1/n. Proof. We suppose A exists and use A to construct an algorithm that computes x from f(x). First notice that for a fraction at least ε/2 of entries x, algorithm A must predict x, r correctly from f(x) for a proportion at least 1/2 + ε/2 of choices of r. We may therefore suppose that x is a fixed (but unknown) entry, for which algorithm A predicts x, r with an ɛ positive bias. From now on ε denotes this particular bias, rather than the average bias of Theorem 3. Since x is now fixed, we also denote by A(r) algorithm A s evaluation of x, r. Our goal is to compute the exact values of x, e i, i = 1, 2,..., n, for e i the canonical basis of F n 2. This will give the individual coordinates of x and we will be done. If we were guaranteed that A always gave the right value x, r for every r (i.e. ε = 1/2), there would be nothing to prove. We have to deal however with an algorithm that is often wrong (though less often than it is right). A key remark is that if A(r) and A(r + e i ) are both correct (or both incorrect) we have x, e i = A(r) + A(r + e i ). To evaluate x, e i, we are therefore tempted to take random values r, compute A(r) + A(r + e i ), and take a majority vote. Unfortunately, A(r) and A(r+e i ), viewed as random variables (over the random choice of r), need not be independent, and we can only guarantee that A(r)+A(r+e i ) coincides with x, e i with probability > 1/2 for a bias ε > 1/4. We need to improve upon this strategy. We shall use the following technical lemma: 7

Lemma 4. Let V be a random subvector space V of F n 2 of dimension k. Let S i = e i +V, i = 1, 2,..., n. Let η > 0 be a constant. Then if k log 2 (n 1+η /ε 2 ), we have that, for every i, # {r S i A(r) = x, r } > S i /2 (1) with probability (over the choice of V ) at least 1 1/n 1+η. Lemma 4 implies that, when choosing a random subspace V, we have, with probability at least 1 1/n η, that (1) holds for all S i = e i + V, i = 1,..., n simultaneously. Let b = (b 1,..., b k ) be an arbitrary basis of the vector space V and let γ = (γ 1,..., γ k ) F k 2. Consider the following function g γ, defined on V : r = g γ : V F 2 k k λ i b i λ i γ i i=1 i=1 in words, g γ guesses the values of x, r on basis elements r = b 1... b k, and uses linearity to extend this guess to the rest of the space V. The result is that, whenever g γ is right on the whole of the basis b, it is also always right on the whole space V, by linearity of the function r x, r. Now we proceed as follows: for all 2 k possible values of γ we evaluate x, e i by computing A(r + e i ) + g γ (r) for all r V and by setting { 0 if #{r V A(r + e i ) + g γ (r) = 0} > V /2 x, e i = 1 if #{r V A(r + e i ) + g γ (r) = 1} V /2 When γ = (γ 1,..., γ k ) coincides with ( x, b i ) i=1..k then g γ (r) = x, r for every r V, and the value A(r + e i ) + g γ (r) is a correct guess of x, e i if and only if A is correct on r + e i, which happens for a majority of r in V by (1). So for this particular choice of γ, we have all the coordinates x, e i with a probability 1 1/n η. Since we can check whether we have the right value of x by computing f(x), we can stop when we have a satisfying answer for x. Proof of Lemma 4. To randomly generate the subvector space V, choose k uniform random independent variables v 1, v 2,..., v k in F n 2 and declare V to be generated by 8

(v i ). Note that v 1,..., v k are linearly dependent with probability at most 1/2 n k. For every λ = (λ 1,..., λ k ), define v λ = k i=1 λ iv i and define the Bernoulli variable X λ by { 1 if A(v λ ) = x, v λ ) X λ = 0 otherwise. The variables v λ are pairwise independent, therefore so are the X λ, and Chebychov s inequality implies therefore that P 1 X 2 k λ 1/2 1 ε 2 2 = 1 k n. 1+η λ F k 2 Modern variations Variations on Alekhnovich s first cryptosystem Variation 1. Let A be a random k n matrix and let ε be a random vector of F n 2 of weight t = o(n 1/2 ). Let s be a uniform random vector in F k 2 and let y = sa + ε. The message (plaintext) space is M = {0, 1} and the matrix A and the vector y make up the public key. Encryption. To encrypt m F 2, output C(m) = (Ae T, m + e, y ) where e is a random t-weight vector of F n 2. Exercice 1. a) The secret key is s. Figure out how to decrypt by computing ea T, s. b) Prove security. 9

Variation 2. Let A be a random k n matrix and let e be a random t-weight vector of F n 2. The message (plaintext) space is M = {0, 1} and the matrix A and the vector σ = Ae T F k 2 make up the public key. To encrypt m F 2, output C(m) = (sa + ε, m + s, σ ) where s is a uniform random vector of F k 2 and ε is a random t-weight vector of F n 2. Exercice 2. a) Figure out how to decrypt with the secret key e. b) Prove security. Variation on Alekhnovich s second cryptosystem Let A be a random k n matrix and let S be a uniform random l k matrix. Let E be an l n matrix such that all its rows are randomly and independently chosen among row vectors of weight t. Define the l n matrix Y = SA + E. The message (plaintext) space is M = C {0, 1} l where C is an error-correcting code that comes with a polynomial-time algorithm that almost always decodes correctly codewords that have been submitted to a binary symmetric channel of transition probability p = t 2 /n. The matrices A and Y make up the public key. The parameter l should be chosen so that k + l < Rn for some constant R < 1. Encryption. To encrypt m C, output where e is a random t-weight vector of F n 2. Exercice 3. C(m) = (Ae T, m + Ye T ) a) Figure out how to decrypt with the secret key S. b) if we had k + l n, how could one decrypt without any secret key? c) Prove security. Argue first that a decryption algorithm that is only given A and Y should also work with a random Y. Then suppose that one is given a random u n matrix 10

R and a vector z F u 2 that is promised to be either uniform random or of the form Re T for a random weight t vector e F n 2. Set u = k + l and let the first k rows of R make up a matrix A and the remaining l rows of R make up a matrix Y. Create a cryptosystem from A and Y, split the vector z into two parts and feed the decryption algorithm the relevant cryptogram. References [1] M. Alekhnovich, More on average case vs approximation complexity, Comput. Complex. 20 (2011), 755 786. [2] B. Applebaum, Y. Ishai and E. Kushilevitz, Cryptography with constant input locality, J. Cryptology 22 (2009), 429 469. [3] I Damgard and S. Park, Is Public-Key Encryption Based on LPN Practical? https://eprint.iacr.org/2012/699.pdf [4] L. Trevisan, Some Applications of Coding Theory in Computational Complexity, Electronic Colloquium on Computational Complexity, Report No. 43 (2004). 11

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback