Skip to main content

Efficient Code Based Hybrid and Deterministic Encryptions in the Standard Model

  • Conference paper
  • First Online:
Information Security and Cryptology -- ICISC 2013 (ICISC 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8565))

Included in the following conference series:

  • 1176 Accesses

Abstract

In this paper, we propose an IND-CCA2 secure Key-Encapsulation (KEM) in the standard model using the Niederreiter Encryption scheme. Also, we propose a PRIV-1CCA secure deterministic variant of the Niederreiter encryption scheme in the standard model. The security of these constructions are reduced to the hardness of the Syndrome Decoding problem and the Goppa Code Distinguishability problem. To the best of our knowledge, the proposed constructions are the first of its kind under coding-based assumption in the standard model that do not use the \(\kappa \)-repetition paradigm initiated by Rosen and Segev at Theory of Cryptography Conference (TCC), 2009.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  2. Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. In: Menezes [23], pp. 535–552

    Google Scholar 

  3. Bellare, M., Fischlin, M., O’Neill, A., Ristenpart, T.: Deterministic encryption: definitional equivalences and constructions without random oracles. In: Wagner [35], pp. 360–378

    Google Scholar 

  4. Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  5. Boldyreva, A., Fehr, S., O’Neill, A.: On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Wagner [35], pp. 335–359

    Google Scholar 

  6. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)

    Article  MathSciNet  MATH  Google Scholar 

  7. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2003)

    Article  MathSciNet  MATH  Google Scholar 

  8. Cui, Y., Morozov, K., Kobara, K., Imai, H.: Efficient constructions of deterministic encryption from hybrid encryption and code-based PKE. In: Bras-Amorós, M., Høholdt, T. (eds.) AAECC-18 2009. LNCS, vol. 5527, pp. 159–168. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  9. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)

    Article  MathSciNet  MATH  Google Scholar 

  10. Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 240–251. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  11. Faugére, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys - toward a complexity analysis. In: SCC ’10: Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, RHUL, June 2010, pp. 45–55 (2010)

    Google Scholar 

  12. Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high rate McEliece cryptosystems. In: Information Theory Workshop (ITW). IEEE (2011)

    Google Scholar 

  13. Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  14. Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 279–295. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  15. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  16. Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  17. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inf. Theor. 15, 159–166 (1986)

    MathSciNet  MATH  Google Scholar 

  18. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes [23], pp. 553–571

    Google Scholar 

  19. Kiltz, E., Pietrzak, K., Stam, M., Yung, M.: A new randomness extraction paradigm for hybrid encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 590–609. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  20. Kurosawa, K., Desmedt, Y.G.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  21. Lucks, S.: A variant of the Cramer-Shoup cryptosystem for groups of unknown order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 27–45. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  22. Preetha Mathew, K., Vasant, S., Venkatesan, S., Pandu Rangan, C.: An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 166–179. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  23. Menezes, A. (ed.): CRYPTO 2007. LNCS, vol. 4622. Springer, Heidelberg (2007)

    MATH  Google Scholar 

  24. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. pp. 33–43 (1989)

    Google Scholar 

  25. Niebuhr, R., Cayrel, P.-L.: Broadcast attacks against code-based schemes. In: Armknecht, F., Lucks, S. (eds.) WEWoRC 2011. LNCS, vol. 7242, pp. 1–17. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  26. Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)

    Article  MathSciNet  MATH  Google Scholar 

  27. Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (1975)

    Article  MATH  Google Scholar 

  28. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork, C. (ed.) STOC, pp. 187–196. ACM (2008)

    Google Scholar 

  29. Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 174–187. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  30. Persichetti, E.: On a CCA2-secure variant of McEliece in the standard model. In: IACR Cryptology ePrint Archive (2012). http://eprint.iacr.org/2012/268

  31. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pp. 114–116 (1978)

    Google Scholar 

  32. Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  33. Shor, P.W.: Polynomial time algorithms for discrete logarithms and factoring on a quantum computer. In: ANTS, p. 289 (1994)

    Google Scholar 

  34. Shoup, V.: Using hash functions as a hedge against chosen ciphertext attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 275. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  35. Wagner, D. (ed.): CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to K. Preetha Mathew .

Editor information

Editors and Affiliations

A Appendix

A Appendix

1.1 A.1 Proof of Security for Deterministic Encryption

Proof: The proof is presented as a sequence of games, Game 0, Game 1 .... While, Game 0 fits the scheme exactly as in the PRIV-1CCA game. Subsequent games change the environment, such that the view of the adversary in discriminating between two consecutive games is at best negligible in \(\kappa \) or reduces to the solution of a hard-problem instance. We denote the challenger/simulator as a PPT algorithm \(\mathcal {C}\) and the adversary of the system as a PPT algorithm \(\mathcal {A}\).

  • Game 0. \(\mathcal {C}\) adapts the proposed scheme directly to the PRIV-1CCA game. The system parameters are set as in the proposed scheme, with the security parameter \(\kappa \). The key-generation oracle and the decryption oracle is run using the described scheme. Let \(M\) be a random variable over the message space with a min-entropy. Let \(m^* \mathop {\leftarrow }\limits ^{\$} M \) and the function to be computed on \(m^*\) be \(f\). \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). \(c^*\) is the “challenge ciphertext” given to \(\mathcal {A}\),i.e., given \(c^*\), \(\mathcal {A}\) must compute \(f(m^*)\). \(\mathcal {A}\) outputs \(t\), \(t \leftarrow \mathcal {A}^{\mathcal {D}(.)}(M,f,c^*)\). \(\mathcal {A}\) wins if where \(t == f(m^*)\).

    Let the event that the adversary \(\mathcal {A}\) wins the game be quantified by the random variable \(X_0\). Then,

    $$\begin{aligned} \mathbf{Real }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_0] \end{aligned}$$
    (7)
  • Game 1. Decryption Oracle is simulated by \(\mathcal {C}\) as follows:

    figure f

    Let the event that the adversary \(\mathcal {A}\) wins in this game be quantified by the random variable \(X_1\). The difference in the distribution (or view of the adversary) between \(X_0\) and \(X_1\) is the situation in which \(\mathcal {C}\) returns \(\perp \) if \(c_1 = c_1^*\) in this game, during the decryption oracle. The simulator returns \(\perp \) implying the ciphertext is invalid (as the integrity check will not hold). But, it can be seen that \(\mathcal {A}\) may have given a valid ciphertext (that is not the challenge ciphertext), i.e., a ciphertext for some \(m' \ne m^*\). Clearly, this would violate the target collision resistance of \(h_1\) or of \(h_2\). \( \mathcal {H}\) is target collision resistant if for every polynomial time adversary \(\mathcal {A}\) the TCR advantage is

    $$\begin{aligned} {Adv}_{\mathcal {H}}^{\mathsf {TCR}}(A) = Pr[H(K,x_1)=H(K,x_2) : (x_1,st)\leftarrow ^R \mathcal {A}, K \leftarrow ^R \mathcal {K}, x_2 \leftarrow ^R A(K,st)] \end{aligned}$$
    (8)

    of \(A\) against \(\mathcal {H}\) is negligible(\(\epsilon \)). That is in TCR the adversary must commit to an element in collision before seeing the hash key. As per Generalised Left Over Hash Lemma(LHL), TCR smooths out an input distribution (distribution of \(m\) in this paper) to nearly uniform on its range, provided that the input distribution has sufficient minimum entropy, since TCR comes under universal one-wayness [5, 24]. Let \(\mathsf{Adv }_{h_1}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _1, \mathsf{Adv }_{h_2}^{\mathsf {TCR}}(\mathcal {A})=\epsilon _2\). Hence,

    $$\begin{aligned} |Pr[X_0] - Pr[X_1]| \le \epsilon _1+\epsilon _2 \end{aligned}$$
    (9)
  • Game 2. Key Generation: The key-generation process is altered. \(\mathcal {C}\) replaces the Goppa parity-check matrix of \(H_1\) with the parity check matrix \(R\) of a random \([n,k,2t+1]\) code. Thus \(H_1 \leftarrow R\). Also, the knowledge of the target message \(m^*\) is made use of. \(\mathcal {C}\) computes \(c^* = (c_1^*,c_2^*,c_3^*,c_4^*) = \mathsf{Enc }(m^*)\). The remainder of the key-generation process remains unchanged.

    $$\begin{aligned} |Pr[X_2] = Pr[X_1]| \end{aligned}$$
    (10)

    There is consistency with the decryption oracle described in the previous game. The only difference is the use of a random code instead of a Goppa code for \(H_1\).

  • Game 3. Key for Challenge text and construct challenge: The Public key generated is again altered. Replace \(H_2\) with parity check of random matrix \(R_2\) so that now \(\widetilde{H}_1\) and \(\widetilde{H}_2\) are parity-check matrices of random codes.

    Thus, for the event that \(\mathcal {A}\) wins Game 2, \(X_2\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\) is distinguishing Goppa code with random code. \(\mathcal {C}\) uses the challenge \(K^{\dagger }\) and computes \(c^*\) using the altered public keys. The winning of this game is only by syndrome decoding of random code Thus, for the event that \(\mathcal {A}\) wins Game3, \(X_3\), \(\mathcal {C}\) can construct a Goppa-code distinguisher based on the difference in the distributions of \(X_2\) and \(X_3\). Also compute challenge \(c^*\) using the new public keys. The winning of this game is solving syndrome decoding.

    $$\begin{aligned} |Pr[X_3] - Pr[X_2]| \le \mathsf{Adv }_{\mathcal {C}}^\mathsf{CD }(n,k) + 4(\root 3 \of {n \cdot \mathsf {Adv}_{\mathcal {D'}}^{\mathsf {SD}}(n,k)}) \end{aligned}$$
    (11)

    Also, it can be noted that no information of \(m^*\) is revealed in \(c^*\). It can be noted that generating a random \(c_4^*\) does not affect the validity of the ciphertext. This is due to the us of the Generalised Left-over Hash Lemma on all three functions \(h_1,h_2\) (as the entropy of the message space is large), and the resultant use of the hash lemma on \(h_3\) (the domain of which is the same as the range of \(h_2\)). Therefore,

    $$\begin{aligned} \mathbf{Ideal }_{\mathcal {AE}}(\mathcal {A},M,f) = Pr[X_3] \end{aligned}$$
    (12)

Since,

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) = |\mathbf{Real }_{\mathcal {AE}}(\mathcal {A},M,f) - \mathbf{Ideal }_{\mathcal {AE}}(\mathcal {A},M,f)| \end{aligned}$$

Substituting Eqs. (6) and (10), we have

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) \le |Pr[X_0] - Pr[X_3]| \end{aligned}$$

By repeatedly applying the difference lemma and using the Eqs. (7)–(9), we get,

$$\begin{aligned} \mathsf {Adv}^{priv-1cca}_{\mathsf{PKE },\mathcal {A}}(\kappa ) \le \epsilon _1 + \epsilon _2 + \mathsf{Adv }_{\mathcal {C}}^\mathsf{CD }(n,k) + 4(\root 3 \of {n \cdot \mathsf {Adv}_{\mathcal {D'}}^{\mathsf {SD}}(n,k)}) \end{aligned}$$

Thus, the advantage of the PPT adversary \(\mathcal {A}\) in the PRIV-1CCA game is bounded by the target-collision resistance of \(h_1\) and \(h_2\), the Goppa-distinguishability of \(H_1\) and the hardness of syndrome decoding. Thus, the proposed scheme is PRIV-1CCA secure as long as \(h_1\) and \(h_2\) are TCR hash functions, and the Goppa-code distinguishability and syndrome decoding of the corresponding parameters are hard to solve.    \(\square \)

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Preetha Mathew, K., Vasant, S., Pandu Rangan, C. (2014). Efficient Code Based Hybrid and Deterministic Encryptions in the Standard Model. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science(), vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_31

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-12160-4_31

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12159-8

  • Online ISBN: 978-3-319-12160-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics