Published by Cory McDowell. Modified over 8 years ago.
1 P2KC. Kazukuni Kobara (1) and Hideki Imai (1,2). 1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science (AIST). 2: Chuo Univ.
2 P2KC? Our proposal: Personalized-Public-Key Cryptosystem. Cryptosystem using personalized-public-keys.
3 Typical Usage of Public-Key Cryptosystem. (Figure: Bob (Decrypter); Encrypters, each with Bob's public-key.)
4 We propose three usage modes for P2KC: Distribution then Personalization (DP) mode; Personalization then Distribution with Hidden PK (PDH) mode; Personalization then Distribution with Open PK (PDO) mode.
5 Distribution then Personalization (DP) Mode. (Figure labels: Bob (Decrypter); Bob's public-key; Delivery; Personalization; Encrypters; Personalized to Alice; Personalized to Carol; Personalized to Dave.)
6 Personalization then Distribution with Hidden/Open PK (PDH/PDO) Modes. (Figure labels: Bob (Decrypter); Bob's public-key; Personalization; Delivery; Encrypters; Personalized to Alice; Personalized to Carol; Personalized to Dave.)
7 Is there any advantage for personalizing PK? Maybe no for typical (number theoretic) PKCs such as RSA, ElGamal, ECC, DH, ECDH. But definitely yes for a certain class of combinatorial PKCs: Niederreiter/McEliece PKCs, some of the Hidden Field Equations (HFE) based PKCs and the Lattice based PKCs, as long as ciphertexts are given by the combination of public-key components according to the plaintexts and both the public-key and plaintext sizes are large.
8 Advantages of P2KC. It can reduce the encryption-key size. Decrypter can identify the encrypter with no extra cost such as signing: suited for low computational power applications. Note: in order to prevent the replay attack, it should be used in the framework of challenge-response. It can be used with other PK reduction techniques.
9 Pros and Cons of Niederreiter (McEliece) PKC. Pros: Underlying problem (syndrome decoding) is well studied. Can be semantically secure (secure in a strong sense). Encryption is quite simple: mainly done with exclusive-or. Suitable for low computational power devices, such as smart cards, sensors, cellular phones, RFIDs and so on, whereas RSA, DH, ECC require multi-precision modular multiplication/exponentiation -> require coprocessors in such devices. Con: Encryption key size is huge -> P2KC gives one solution to this.
10 Comparison between PKC and P2KC in Niederreiter scheme. PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253; P2KC: (DP,RT,a=0.044), i.e. n_1=90. PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418; P2KC: (DP,RT,a=0.042), i.e. n_1=86.
11 Attack Cost. n: code length; k: dimension of the code; t: # of correctable errors.
12 Core Idea of P2KC (1/2). (Figure: Message Space of PKC, containing the first, second, third and fourth messages.) Assumption: messages are chosen at random so that they can be used to generate session keys.
13 Core Idea of P2KC (2/2). P2KC limits the space and allocates it to each user. (Figure labels: Message Space of P2KC; Message Space of P2KC for UserA; Message Space of P2KC for UserB; Message Space of P2KC for UserC.) Boundary is invisible for adversaries.
14 Hard to distinguish whether the target ciphertexts belong to PKC or P2KC as long as the following hold: - (# of target ciphertexts)^2 << (message space of P2KC) - (# of PPKs) x (Attack cost after knowing PPK) is huge. PPK: Personalized-Public-Key. (Figure labels: Adversary; PKC; P2KC; indistinguishable target ciphertexts.)
15 PKC and P2KC. PKC = {KeyGen(), Enc(), Dec()}. P2KC_1 = {KeyGen(), Pers(), PEnc(), PDec(pv,)}: available when the decrypter knows the personalization vector pv. P2KC_2 = {KeyGen(), Pers(), KEnc(pv,), KDec()}: available when the encrypter knows the personalization vector pv.
16 KeyGen(): Keys for Niederreiter PKC. Accepts (n,k,t); generates secret-key sk; generates public-key pk: K and t. (Figure: K = S x H x P, with dimension labels n and n-k. H: parity-check matrix of Goppa code which can correct up to t-error bits; P: random permutation matrix; S: random non-singular matrix.)
17 Enc(): Encryption of Random Session-Key in Niederreiter PKC. Accepts pk=(K,t) and msg; outputs c^T = K msg^T. Plaintext msg^T: n-dimensional vector of weight t or less, e.g. (0,1,0,0,1,0,... 0,0,1,0). Ciphertext c^T: syndrome.
18 Dec(): Decryption in Niederreiter PKC. Accepts c and sk. S^-1 c^T = H P msg^T. By applying the error-correction algorithm to S^-1 c^T, obtains a t or less bit error pattern (P msg^T). Outputs msg^T = P^-1 (P msg^T).
19 Sketch of Personalization. (Figure labels: Message Space; PK; msg; msg'; PPK for A, pv for A; PPK for B, pv for B; PPK for C, pv for C.)
20 Pers(): Personalization, One Example. Accepts pk=(K,t) and pv and then outputs ppk=(c_2, K_1, t, Sub). pv: Personalization Vector. Sub: weight of each column. Example: pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), Sub=(3, 2, 2, 2). (Figure labels: K; c_2; K_1; n_1.)
21 Pers(): Personalization, Another Example. Accepts pk=(K,t) and pv and then outputs ppk=(c_2, K_1, t, Sub). pv: Personalization Vector. Sub: weight of each column. Example: pv=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4), Sub=(2, 2, 2, 2). (Figure labels: K; c_2; K_1; n_1.)
22 PKC and P2KC. PKC = {KeyGen(), Enc(), Dec()}. P2KC_1 = {KeyGen(), Pers(), PEnc(), PDec(pv,)}: available when the decrypter knows the personalization vector pv. P2KC_2 = {KeyGen(), Pers(), KEnc(pv,), KDec()}: available when the encrypter knows the personalization vector pv.
23 Sketch of P2KC_1, where decrypter knows pv. Encrypter knows PPK, msg'. Decrypter knows msg and pv and hence can reconstruct msg'. (Figure labels: Message Space; PK; PPK; pv; msg; msg'.)
24 Sketch of P2KC_2, where encrypter knows pv. Decrypter can know msg. Encrypter knows msg' and pv and hence can reconstruct msg. (Figure labels: Message Space; PK; PPK; pv; msg; msg'.)
25 PEnc(): Encryption in Niederreiter P2KC_1. Accepts ppk and msg'; outputs c^T = c_2 (+) K_1 msg'^T. Plaintext msg'^T: a vector of length n_1 whose weight is taken so that the total number of added columns should not exceed t, e.g. (0,1,0) with Sub=(3, 2, 2, 2). Ciphertext c^T: syndrome.
26 PDec(): Decryption in Niederreiter P2KC_1. Accepts c, sk and the candidates for pv, e.g. pv_1=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), pv_2=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4). Decrypts c using Dec() and sk and obtains msg, e.g. msg=(0, 1, 1, 1, 0, 0, 0, 1, 0, 1). Looks for pv being consistent with msg: pv_1 is consistent in this case. Converts msg to msg' using the found pv: msg'=(0, 1, 0).
27 KEnc(): Encryption in Niederreiter P2KC_2. Accepts ppk and pv; generates msg' at random; c^T = c_2 (+) K_1 msg'^T; converts msg' to msg using pv; outputs both c and ms=h(msg). Example: random msg'^T=(1,0,0), Sub=(3, 2, 2, 2), pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), msg^T=(1,1,0,1,0,0,0,1,1,0). Ciphertext c^T: syndrome.
28 KDec(): Decryption in Niederreiter P2KC_2. Accepts c and sk; decrypts c using Dec() and sk and then obtains msg; outputs ms=h(msg).
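The Pers() and PEnc() steps, the msg' to msg conversion of KEnc(), and the pv consistency search of PDec(), as an added example (not code from the presentation). The reading of the pv entries (0 = coordinate fixed to 0, 1 = coordinate fixed to 1, g >= 2 = coordinate duplicated from msg'[g-2]) is an assumption inferred from the pv, Sub, msg and msg' values on the slides; the 4 x 10 matrix K and the helper names are constructed for illustration.

```python
import random

def matvec(M, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def pers(K, pv):
    """Pers(): fold columns of K into (c2, K1, Sub) as directed by pv.
    Assumed reading of pv: 0 = drop column (msg bit fixed to 0),
    1 = XOR column into c2 (bit fixed to 1), g >= 2 = XOR column into
    column g-2 of K1 (coordinates sharing g are copies of msg'[g-2])."""
    n1 = max(pv) - 1
    c2, K1 = [0] * len(K), [[0] * n1 for _ in K]
    for j, g in enumerate(pv):
        for r, row in enumerate(K):
            if g == 1:
                c2[r] ^= row[j]
            elif g >= 2:
                K1[r][g - 2] ^= row[j]
    return c2, K1, [pv.count(g) for g in range(1, n1 + 2)]

def penc(c2, K1, sub, msg_p, t):
    """PEnc(): c^T = c2 (+) K1 msg'^T; reject msg' that adds more than t columns."""
    if sub[0] + sum(s for s, b in zip(sub[1:], msg_p) if b) > t:
        raise ValueError("more than t columns would be added")
    return [a ^ b for a, b in zip(c2, matvec(K1, msg_p))]

def expand(pv, msg_p):
    """Convert msg' to the full-length msg (the conversion step in KEnc())."""
    return [g if g < 2 else msg_p[g - 2] for g in pv]

def find_pv(msg, candidates):
    """PDec() consistency step: index of the first pv that msg satisfies, plus msg'."""
    for idx, pv in enumerate(candidates):
        groups, ok = {}, True
        for bit, g in zip(msg, pv):
            ok = ok and (bit == g if g < 2 else groups.setdefault(g, bit) == bit)
        if ok:
            return idx, [groups.get(g, 0) for g in range(2, max(pv) + 1)]
    return None

# Constructed toy public matrix (4 x 10); a real K = S H P is far larger.
random.seed(1)
K = [[random.randint(0, 1) for _ in range(10)] for _ in range(4)]
PV1 = [2, 1, 3, 1, 4, 0, 4, 1, 2, 3]   # pv values taken from the slides
PV2 = [0, 2, 3, 2, 1, 4, 1, 3, 0, 4]

if __name__ == "__main__":
    c2, K1, sub = pers(K, PV1)
    c = penc(c2, K1, sub, [0, 1, 0], t=5)
    print(sub, c == matvec(K, expand(PV1, [0, 1, 0])))
```

The ciphertext produced from the short key (c_2, K_1) equals the ordinary Niederreiter syndrome K msg^T of the expanded message, which is why Dec() with the unmodified secret key still decrypts it.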
29 It is possible to define various P2KCs according to pv. One of our recommendations is Random Trimming (RT): [a n] coordinates where 0 < a < 1. Example: pv=(0, 0, 2, 0, 0, 3, 0, 0, 4, 0), Sub=(0, 1, 1, 1). (Figure labels: K; K_1.)
30 Security of Niederreiter PKC. Theorem: Breaking OW-CPA and PDOW-CPA is NP-Complete under the assumption that c and K are indistinguishable from random ones. Breaking OW-CPA: given c and pk, find msg. Breaking PDOW-CPA: given c and pk, find one (or some) coordinate(s) of msg. If OW-CPA or PDOW-CPA holds, it is possible to construct a PKC meeting the strongest security notion IND-CCA2.
31 Game0: Syndrome Decoding Problem (SDP) (NP-Complete). Given a syndrome s, a random parity-check matrix R and a small integer w, find its pre-image of Hamming weight w or less. (Figure: Syndrome = Random Matrix R x (0,1,0,0,1,0,... 0,0,1,0).)
32 Game1: Indistinguishability (Assumption). (Figure labels: Syndrome; Random Matrix R; c; K=SHP.) If we assume the indistinguishability of them, it is obvious from the form of the PKC and SDP that breaking OW-CPA of the Niederreiter PKC is equivalent to solving the SDP. Remark: the most powerful distinguisher so far is the SSA (Support Splitting Algorithm). Hence the underlying code must be chosen so that it can resist the SSA.
33 Security of P2KC. P2KC gives constraints on the message by: fixing some coordinates; duplicating some coordinates. If these constraints are invisible for adversaries, there is no difference between breaking PKC and breaking P2KC. We show the invisibility by proving that the following problems are as hard as SDP.
34 Game2: Decision One Coordinate Problem (DOCP). Given c and H, determine the i-th coordinate of msg. (Figure: c = K x (0,1,0,0,1,0,... 0,0,1,0), with the i-th column marked "?".)
35 DOCP is as hard as SDP, since if this is possible one can recover all the bits of msg by changing c and H appropriately. (Figure: c = K x (0,1,0,0,1,0,... 0,0,1,0), with the i-th column marked "?".)
36 Game3a: Decision Coordinate Equivalence Problem 1 (DCEP1). Given two ciphertexts c and c' and H, determine whether the i-th coordinates of msg for c and c' are the same or not. (Figure: c = K x (0,1,0,1,0,... 1,0,0) and c' = K x (0,1,0,1,0,... 1,0,0), with the i-th columns marked "?".)
37 DCEP1 is as hard as SDP, since if this is possible one can recover all the bits of msg by creating c' from a known pre-image. This implies that it is hard to determine whether some coordinates in msg are fixed or not. (Figure: c = K x (0,1,0,1,0,... 1,0,0) and c' = K x (0,1,0,1,0,... 1,0,0), with the i-th columns marked "?".)
38 Game3b: Decision Coordinate Equivalence Problem 2 (DCEP2). Given c and H, determine whether the i-th and the j-th coordinates take the same value or not. (Figure: c = K x (0,1,0,0,1,0,... 0,0,1,0), with the i-th and j-th columns marked "?".)
39 DCEP2 is as hard as SDP, since if this is possible one can determine all the bits of msg by checking the equivalence for every j. This implies that it is hard to determine whether some coordinates are duplicated or not. (Figure: c = K x (0,1,0,0,1,0,... 0,0,1,0), with the i-th and j-th columns marked "?".)
40 Giving constraints on the message does not harm the cryptosystem basically. But the following must be satisfied: (# of target ciphertexts)^2 << message space of the P2KC; otherwise adversaries can know the fact that message space is limited (though this does not imply the break of PKC). (# of candidate PPKs) x (Attack cost after knowing the PPK) must be huge; otherwise adversaries can apply exhaustive search on the personalization mechanism.
41 One may define various P2KCs according to pv. One of our recommendations is Random Trimming (RT): [a n] coordinates where 0 < a < 1. Example: pv=(0, 0, 2, 0, 0, 3, 0, 4, 0, 0), Sub=(0, 1, 1, 1). (Figure labels: K; K_1.)
42 Comparison between Niederreiter PKC and P2KC. PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253; P2KC: (DP,RT,a=0.044), i.e. n_1=90. PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418; P2KC: (DP,RT,a=0.042), i.e. n_1=86.
43 Conclusion (1/2). Proposed new concept, P2KC. P2KC_1: when decrypter knows pv. P2KC_2: when encrypter knows pv. Note: they do not need to share pv.
44 Conclusion (2/2). P2KC can reduce the encryption-key size of a certain class of combinatorial PKCs where: ciphertexts are given by the combination of public-key components according to the plaintexts; both the public-key and plaintext sizes are large. P2KC is suitable for low computational power devices such as smart cards, sensors, cellular phones, RFIDs and so on.