P2KC

Post on 11-Jan-2016


description

P2KC. Kazukuni Kobara (1) and Hideki Imai (1,2). 1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science (AIST). 2: Chuo Univ. P2KC? Our proposal: Personalized-Public-Key Cryptosystem, a cryptosystem using personalized public keys. Bob’s - PowerPoint PPT Presentation

transcript

1

P2KC

Kazukuni Kobara (1) and Hideki Imai (1,2)

1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science (AIST)

2: Chuo Univ.

2

P2KC? Our proposal: the Personalized-Public-Key Cryptosystem, a cryptosystem using personalized public keys.

3

Typical Usage of Public-Key Cryptosystem

[Figure: every encrypter holds the same copy of Bob’s public key and sends ciphertexts to Bob (the decrypter).]

4

We propose three usage modes for P2KC

Distribution then Personalization (DP) mode

Personalization then Distribution with Hidden PK (PDH) mode

Personalization then Distribution with Open PK (PDO) mode

5

Distribution then Personalization (DP) Mode

[Figure: Bob (the decrypter) delivers one public key to the encrypters; each encrypter then personalizes it (personalized to Alice, to Carol, to Dave).]

6

Personalization then Distribution with Hidden/Open PK (PDH/PDO) Modes

[Figure: Bob (the decrypter) first personalizes his public key for each encrypter (personalized to Alice, to Carol, to Dave) and then delivers the personalized keys.]

7

Is there any advantage in personalizing the PK?

Maybe no for typical (number-theoretic) PKCs such as RSA, ElGamal, ECC, DH and ECDH.

But definitely yes for a certain class of combinatorial PKCs: the Niederreiter/McEliece PKCs, some of the Hidden Field Equations (HFE) based PKCs and the lattice-based PKCs, as long as ciphertexts are given by the combination of public-key components according to the plaintexts and both the public-key and plaintext sizes are large.

8

Advantages of P2KC

It can reduce the encryption-key size.

The decrypter can identify the encrypter with no extra cost such as signing, which suits low-computational-power applications. Note: in order to prevent replay attacks it should be used in the framework of challenge-response.

It can be used together with other PK reduction techniques.

9

Pros and Cons of Niederreiter (McEliece) PKC

Pros: The underlying problem (syndrome decoding) is well studied. It can be semantically secure (secure in a strong sense). Encryption is quite simple, mainly done with exclusive-or, so it is suitable for low-computational-power devices such as smart cards, sensors, cellular phones, RFIDs and so on, whereas RSA, DH and ECC require multi-precision modular multiplication/exponentiation and hence coprocessors in such devices.

Con: The encryption-key size is huge. P2KC gives one solution to this.

10

Comparison between PKC and P2KC in the Niederreiter scheme

PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253. P2KC: (DP, RT, a=0.044), i.e. n1=90.

PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418. P2KC: (DP, RT, a=0.042), i.e. n1=86.

11

Attack Cost

[Figure: attack cost; notation: n: code length, k: dimension of the code, t: number of correctable errors.]

12

Core Idea of P2KC (1/2)

[Figure: message space of PKC, with the first, second, third and fourth messages chosen from anywhere in it.]

Assumption: messages are chosen at random so that they can be used to generate session keys.

13

Core Idea of P2KC (2/2)

P2KC limits the message space and allocates a part of it to each user.

[Figure: the message space of P2KC divided into the message spaces of P2KC for User A, User B and User C; the boundaries are invisible to adversaries.]

14

It is hard to distinguish whether the target ciphertexts belong to PKC or P2KC as long as the following hold:
- (# of target ciphertexts)^2 << (message space of P2KC)
- (# of PPKs) x (attack cost after knowing the PPK) is huge

[Figure: an adversary sees the target ciphertexts; PKC and P2KC are indistinguishable to it. PPK: Personalized-Public-Key.]

15

PKC and P2KC

PKC = {KeyGen(), Enc(), Dec()}

P2KC1 = {KeyGen(), Pers(), PEnc(), PDec(pv, ·)}: available when the decrypter knows the personalization vector pv

P2KC2 = {KeyGen(), Pers(), KEnc(pv, ·), KDec()}: available when the encrypter knows the personalization vector pv

16

KeyGen(): Keys for Niederreiter PKC

Accepts (n,k,t), generates the secret key sk=(S,H,P) and the public key pk=(K,t), where K = S x H x P:

H: (n-k) x n parity-check matrix of a Goppa code which can correct up to t error bits

P: n x n random permutation matrix

S: (n-k) x (n-k) random non-singular matrix

17

Enc(): Encryption of a Random Session-Key in Niederreiter PKC

Accepts pk=(K,t) and msg, and outputs c^T = K msg^T.

[Figure: the plaintext msg^T, e.g. (0,1,0,0,1,0, ... 0,0,1,0), is an n-dimensional vector of weight t or less; the ciphertext c^T is its syndrome K x msg^T.]

18

Dec(): Decryption in Niederreiter PKC

Accepts c and sk. Computes S^-1 c^T = H P msg^T.

By applying the error-correction algorithm to S^-1 c^T, obtains the error pattern P msg^T of weight t or less.

Outputs msg^T = P^-1 (P msg^T).

[Figure: H x (P msg^T) = S^-1 c^T, then P^-1 x (P msg^T) = msg^T.]
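The three algorithms KeyGen(), Enc() and Dec() of the Niederreiter PKC, as an added toy example (not the authors' code). In place of a Goppa code it hides the binary [15,7] BCH code with t=2, and the "error-correction algorithm" is a syndrome lookup table over all error patterns of weight at most t; the public key is still K = S H P and decryption still computes S^-1 c^T, decodes, and undoes P. All names and the GF(16) construction are this example's own.

```python
import itertools
import random

# Toy Niederreiter PKC (added example, not the authors' code). The hidden
# code is the binary [15,7] BCH code with t=2 (designed distance 5) instead
# of a Goppa code, and its error-correction algorithm is a syndrome lookup
# table over all error patterns of weight <= t. Vectors are lists of bits,
# matrices are lists of rows, all arithmetic is over GF(2).
N, R, T = 15, 8, 2          # code length n, n-k, correctable errors t
PRIM_POLY = 0b10011         # GF(16) = GF(2)[x]/(x^4+x+1); alpha = x = 2


def gf16_mul(a, b):
    """Multiply two GF(16) elements given as 4-bit integers."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= PRIM_POLY
    return r


def bch_parity_check():
    """R x N parity-check matrix H: column j holds alpha^j and alpha^(3j)."""
    h = [[0] * N for _ in range(R)]
    a1, a3 = 1, 1                        # alpha^0 and alpha^(3*0)
    for j in range(N):
        col = (a1 << 4) | a3
        for i in range(R):
            h[i][j] = (col >> (R - 1 - i)) & 1
        a1, a3 = gf16_mul(a1, 2), gf16_mul(a3, 8)   # alpha^3 = x^3 = 8
    return h


def mat_vec(m, v):
    return [sum(x & y for x, y in zip(row, v)) & 1 for row in m]


def mat_mul(a, b):
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in zip(*b)] for row in a]


def gf2_inverse(m):
    """Gauss-Jordan inverse over GF(2); None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def keygen(seed=1):
    """KeyGen(): pk = (K, t) with K = S H P; sk = (S^-1, decoding table, P)."""
    rng = random.Random(seed)
    h = bch_parity_check()
    while True:                          # random non-singular S
        s = [[rng.randrange(2) for _ in range(R)] for _ in range(R)]
        s_inv = gf2_inverse(s)
        if s_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)                    # P acts as (P v)_l = v[perm[l]]
    hp = [[h[i][perm.index(j)] for j in range(N)] for i in range(R)]  # H P
    table = {}                           # syndrome -> error pattern (the decoder)
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            e = [int(i in pos) for i in range(N)]
            table[tuple(mat_vec(h, e))] = e
    return (mat_mul(s, hp), T), (s_inv, table, perm)


def enc(pk, msg):
    """Enc(): c^T = K msg^T for an N-bit msg of weight t or less."""
    k, t = pk
    assert len(msg) == N and sum(msg) <= t
    return mat_vec(k, msg)


def dec(sk, c):
    """Dec(): S^-1 c^T = H (P msg^T); decode to P msg^T, then apply P^-1."""
    s_inv, table, perm = sk
    e = table[tuple(mat_vec(s_inv, c))]
    msg = [0] * N
    for l, bit in enumerate(e):
        msg[perm[l]] = bit
    return msg


def random_session_msg(seed=7):
    """A random weight-t plaintext, the 'random session-key' of the slide."""
    pos = random.Random(seed).sample(range(N), T)
    return [int(i in pos) for i in range(N)]


if __name__ == "__main__":
    pk, sk = keygen()
    m = random_session_msg()
    print(m, dec(sk, enc(pk, m)) == m)
```

The decoding table has exactly 1 + 15 + 105 entries because the BCH code has minimum distance 5, so every pattern of weight at most 2 has a distinct syndrome; a real deployment replaces the table by the Goppa decoder and uses parameters like those on the comparison slide.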

19

Sketch of Personalization

[Figure: the message space of the PK is mapped by pv for A, pv for B and pv for C onto the PPK for A, the PPK for B and the PPK for C; a message msg of the PK corresponds to a message msg’ of a PPK.]

20

Pers(): Personalization, One Example

Accepts pk=(K,t) and pv, and then outputs ppk=(c2,K1,t,Sub).

pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), Sub=(3, 2, 2, 2)

[Figure: the columns of K are combined according to pv into c2 and the n1 columns of K1.]

pv: Personalization Vector. Sub: weight of each column.

21

Pers(): Personalization, Another Example

Accepts pk=(K,t) and pv, and then outputs ppk=(c2,K1,t,Sub).

pv=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4), Sub=(2, 2, 2, 2)

[Figure: the columns of K are combined according to pv into c2 and the n1 columns of K1.]

pv: Personalization Vector. Sub: weight of each column.

22

PKC and P2KC

PKC = {KeyGen(), Enc(), Dec()}

P2KC1 = {KeyGen(), Pers(), PEnc(), PDec(pv, ·)}: available when the decrypter knows the personalization vector pv

P2KC2 = {KeyGen(), Pers(), KEnc(pv, ·), KDec()}: available when the encrypter knows the personalization vector pv

23

Sketch of P2KC1, where the decrypter knows pv

[Figure: the encrypter knows the PPK and chooses msg’ from its message space; the decrypter knows msg and pv and hence can reconstruct msg’ (PK, PPK, pv, msg, msg’).]

24

Sketch of P2KC2, where the encrypter knows pv

[Figure: the encrypter knows msg’ and pv and hence can reconstruct msg; the decrypter can know msg (PK, PPK, pv, msg, msg’).]

25

PEnc(): Encryption in Niederreiter P2KC1

Accepts ppk and msg’, and outputs c^T = c2 (+) K1 msg’^T.

[Figure: the plaintext msg’^T, e.g. (0,1,0), is a vector of length n1 whose weight is taken so that the total number of added columns does not exceed t; with Sub=(3, 2, 2, 2) the ciphertext c^T is the syndrome c2 (+) K1 x msg’^T.]

26

PDec(): Decryption in Niederreiter P2KC1

Accepts c, sk and the candidates for pv, e.g. pv1=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3) and pv2=(0, 2, 3, 2, 1, 4, 1, 3, 0, 4).

Decrypts c using Dec() and sk, and obtains msg, e.g. msg=(0, 1, 1, 1, 0, 0, 0, 1, 0, 1).

Looks for a pv consistent with msg; pv1 is consistent in this case.

Converts msg to msg’ using the found pv: msg’=(0, 1, 0).

27

KEnc(): Encryption in Niederreiter P2KC2

Accepts ppk and pv, generates msg’ at random, computes c^T = c2 (+) K1 msg’^T, and outputs both c and ms=h(msg).

[Figure: the random msg’^T, e.g. (1,0,0), with Sub=(3, 2, 2, 2) gives the syndrome c^T = c2 (+) K1 x msg’^T; msg’ is converted to msg using pv=(2, 1, 3, 1, 4, 0, 4, 1, 2, 3), e.g. msg^T=(1,1,0,1,0,0,0,1,1,0).]

28

KDec(): Decryption in Niederreiter P2KC2

Accepts c and sk, decrypts c using Dec() and sk, obtains msg, and outputs ms=h(msg).
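The personalization layer of slides 20 through 28 (Pers(), PEnc(), the consistency search of PDec(), and KEnc()/KDec()) as an added example, not the authors' code. It reads the meaning of pv off the two Pers() examples and the PDec()/KEnc() values: pv_i = 0 fixes msg_i to 0 and drops column i of K, pv_i = 1 fixes msg_i to 1 and folds column i into c2, and pv_i = j >= 2 ties msg_i to msg'_(j-1) and folds column i into column j-1 of K1, so that Sub = (weight of c2, weights of the K1 columns). The public key K is a constructed random matrix, the underlying Dec() is not implemented (the PDec()/KDec() helpers start from the msg that Dec() would return), t = 5 is assumed to match the weight-5 msg on the slides, and SHA-256 stands in for h().

```python
import hashlib
import random

# P2KC personalization on top of a Niederreiter-type public key (added
# example, not the authors' code). K is a constructed random (n-k) x n
# binary matrix; the underlying Dec() is not implemented here, so the
# PDec()/KDec() helpers start from the msg that Dec() would return, which
# is exactly where the personalization step begins. The pv encoding is the
# one consistent with the slides' examples (see the lead-in); t = 5 is an
# assumption matching the weight of the slides' msg.
N, R, T = 10, 8, 5
PV1 = [2, 1, 3, 1, 4, 0, 4, 1, 2, 3]      # from the slides
PV2 = [0, 2, 3, 2, 1, 4, 1, 3, 0, 4]      # from the slides
PV_RT = [0, 0, 2, 0, 0, 3, 0, 0, 4, 0]    # Random Trimming example from the slides
_rng = random.Random(2024)
K = [[_rng.randrange(2) for _ in range(N)] for _ in range(R)]   # constructed public key


def enc(K, msg):
    """Enc() with the full key, for cross-checking: c^T = K msg^T."""
    return [sum(a & b for a, b in zip(row, msg)) & 1 for row in K]


def pers(K, t, pv):
    """Pers(): ppk = (c2, K1, t, Sub); Sub = weight of c2, then of each K1 column."""
    n1 = max(pv) - 1
    c2 = [0] * len(K)
    k1 = [[0] * n1 for _ in K]
    sub = [0] * (n1 + 1)
    for i, v in enumerate(pv):
        if v == 0:
            continue                     # coordinate fixed to 0: column dropped
        sub[v - 1] += 1
        for r, row in enumerate(K):
            if v == 1:
                c2[r] ^= row[i]          # coordinate fixed to 1
            else:
                k1[r][v - 2] ^= row[i]   # coordinate tied to msg'_(v-1)
    return c2, k1, t, sub


def added_columns(sub, msg1):
    """Columns of K folded into c2 (+) K1 msg'^T, i.e. the weight of msg; must be <= t."""
    return sub[0] + sum(s for s, b in zip(sub[1:], msg1) if b)


def penc(ppk, msg1):
    """PEnc(): c^T = c2 (+) K1 msg'^T."""
    c2, k1, t, sub = ppk
    assert added_columns(sub, msg1) <= t, "msg' too heavy for t"
    return [c2[r] ^ (sum(a & b for a, b in zip(k1[r], msg1)) & 1) for r in range(len(c2))]


def msg_to_msg1(msg, pv):
    """Check msg against pv and return msg', or None if they are inconsistent."""
    msg1 = [None] * (max(pv) - 1)
    for bit, v in zip(msg, pv):
        if v <= 1:
            if bit != v:
                return None              # a fixed coordinate has the wrong value
        elif msg1[v - 2] is None:
            msg1[v - 2] = bit
        elif msg1[v - 2] != bit:
            return None                  # duplicated coordinates disagree
    return [b or 0 for b in msg1]


def msg1_to_msg(msg1, pv):
    """Expand msg' to the n-bit msg according to pv (the KEnc() conversion)."""
    return [v if v <= 1 else msg1[v - 2] for v in pv]


def pdec(msg, candidate_pvs):
    """PDec() after Dec(): index of the candidate pv consistent with msg, and msg'."""
    for idx, pv in enumerate(candidate_pvs):
        msg1 = msg_to_msg1(msg, pv)
        if msg1 is not None:
            return idx, msg1
    return None


def session_key(msg):
    """h(msg): SHA-256 over the bit string (hash choice is an assumption)."""
    return hashlib.sha256(bytes(msg)).hexdigest()


def kenc(ppk, pv, seed=3):
    """KEnc(): random msg' within the t budget; outputs (c, ms = h(msg))."""
    c2, k1, t, sub = ppk
    rng = random.Random(seed)
    while True:
        msg1 = [rng.randrange(2) for _ in range(len(k1[0]))]
        if added_columns(sub, msg1) <= t:
            break
    return penc(ppk, msg1), session_key(msg1_to_msg(msg1, pv))


def kdec(msg):
    """KDec() after Dec(): ms = h(msg); this side needs no pv."""
    return session_key(msg)


if __name__ == "__main__":
    ppk = pers(K, T, PV1)
    print("Sub =", ppk[3])                                  # [3, 2, 2, 2]
    print("RT Sub =", pers(K, T, PV_RT)[3])                 # [0, 1, 1, 1]
    msg = [0, 1, 1, 1, 0, 0, 0, 1, 0, 1]                    # Dec() output on the slide
    print("PDec:", pdec(msg, [PV1, PV2]))                   # (0, [0, 1, 0])
    print("PEnc == Enc:", penc(ppk, [0, 1, 0]) == enc(K, msg))
```

The cross-check `penc(ppk, msg') == enc(K, msg)` is the whole point of Pers(): the personalized ciphertext is an ordinary Niederreiter ciphertext of the expanded msg, which is why Dec() on the decrypter's side is unchanged and why the constraint on msg' is stated in terms of the total number of added columns rather than the weight of msg' itself.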

29

It is possible to define various P2KCs according to pv.

One of our recommendations is Random Trimming (RT):

pv=(0, 0, 2, 0, 0, 3, 0, 0, 4, 0), Sub=(0, 1, 1, 1)

[Figure: K1 consists of [a n] columns of K, where 0 < a < 1.]

30

Security of Niederreiter PKC

Theorem: Breaking OW-CPA and PDOW-CPA is NP-Complete under the assumption that c and K are indistinguishable from random ones.

Breaking OW-CPA: Given c and pk, find msg.

Breaking PDOW-CPA: Given c and pk, find one (or some) coordinate(s) of msg.

If OW-CPA or PDOW-CPA holds, it is possible to construct a PKC meeting the strongest security notion, IND-CCA2.

31

Game0: Syndrome Decoding Problem (SDP) (NP-Complete)

Given a syndrome s, a random parity-check matrix R and a small integer w, find a pre-image of Hamming weight w or less.

[Figure: syndrome = random matrix R x (0,1,0,0,1,0, ... 0,0,1,0).]

32

Game1: Indistinguishability (Assumption)

[Figure: the syndrome under a random matrix R versus the ciphertext c under K=SHP.]

If we assume the indistinguishability of them, it is obvious from the form of the PKC and the SDP that breaking OW-CPA of the Niederreiter PKC is equivalent to solving the SDP.

Remark: the most powerful distinguisher so far is the SSA (Support Splitting Algorithm). Hence the underlying code must be chosen so that it can resist the SSA.

33

Security of P2KC

P2KC gives constraints on the message by fixing some coordinates and duplicating some coordinates.

If these constraints are invisible to adversaries, there is no difference between breaking the PKC and breaking the P2KC.

We show the invisibility by proving that the following problems are as hard as the SDP.

34

Game2: Decision One Coordinate Problem (DOCP)

Given c and H, determine the i-th coordinate of msg.

[Figure: c = K x (0,1,0,0,1,0, ... 0,0,1,0); the i-th column of K corresponds to the unknown i-th coordinate.]

35

DOCP is as hard as SDP, since if this is possible one can recover all the bits of msg by changing c and H appropriately.

[Figure: same as Game2.]

36

Game3a: Decision Coordinate Equivalence Problem 1 (DCEP1)

Given two ciphertexts c and c’ and H, determine whether the i-th coordinates of msg for c and c’ are the same or not.

[Figure: c = K x (0,1,0,1,0, ... 1,0,0) and c’ = K x (0,1,0,1,0, ... 1,0,0); are their i-th coordinates equal?]

37

DCEP1 is as hard as SDP, since if this is possible one can recover all the bits of msg by creating c’ from a known pre-image.

This implies that it is hard to determine whether some coordinates in msg are fixed or not.

[Figure: same as Game3a.]

38

Game3b: Decision Coordinate Equivalence Problem 2 (DCEP2)

Given c and H, determine whether the i-th and the j-th coordinates take the same value or not.

[Figure: c = K x (0,1,0,0,1,0, ... 0,0,1,0); are the i-th and j-th coordinates equal?]

39

DCEP2 is as hard as SDP, since if this is possible one can determine all the bits of msg by checking the equivalence for every j.

This implies that it is hard to determine whether some coordinates are duplicated or not.

[Figure: same as Game3b.]
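The three reductions of slides 35, 37 and 39 carried out on a toy instance, as an added example (not the authors' code). H is a constructed random matrix chosen so that every pattern of weight at most t has a distinct syndrome; the DOCP, DCEP1 and DCEP2 oracles are realised by brute-force syndrome decoding purely so the reductions can be executed, and each reduction uses its oracle only as a black box: DOCP by swapping columns i and j of H, DCEP1 by building c' from a known weight-1 pre-image, and DCEP2 by partitioning the coordinates into the class equal to msg_i and its complement. The instance sizes are this example's own.

```python
import itertools
import random

# The three reductions on the slides, run on a toy instance (added example,
# not the authors' code). H is a random R x N matrix chosen so that every
# weight <= T pattern has a distinct syndrome; the DOCP/DCEP oracles are
# realised by brute-force syndrome decoding, and the reductions only use
# them as black boxes, exactly as the proofs do.
N, R, T = 12, 10, 2


def syndrome(H, e):
    return tuple(sum(a & b for a, b in zip(row, e)) & 1 for row in H)


def patterns():
    """All N-bit vectors of weight T or less."""
    for w in range(T + 1):
        for pos in itertools.combinations(range(N), w):
            yield [int(i in pos) for i in range(N)]


def make_instance(seed=5):
    """Random H with unique weight <= T decoding, a secret msg and its syndrome c."""
    rng = random.Random(seed)
    while True:
        H = [[rng.randrange(2) for _ in range(N)] for _ in range(R)]
        syns = [syndrome(H, e) for e in patterns()]
        if len(set(syns)) == len(syns):
            break
    pos = rng.sample(range(N), T)
    msg = [int(i in pos) for i in range(N)]
    return H, msg, list(syndrome(H, msg))


def decode(H, c):
    """Brute-force SDP solver, used only to realise the oracles below."""
    for e in patterns():
        if syndrome(H, e) == tuple(c):
            return e
    return None


def docp_oracle(H, c, i):            # Game2: the i-th coordinate of msg
    return decode(H, c)[i]


def dcep1_oracle(H, c, c2, i):       # Game3a: msg_i == msg'_i ?
    return decode(H, c)[i] == decode(H, c2)[i]


def dcep2_oracle(H, c, i, j):        # Game3b: msg_i == msg_j ?
    e = decode(H, c)
    return e[i] == e[j]


def recover_via_docp(H, c, oracle, i=0):
    """DOCP -> SDP: swapping columns i and j of H swaps msg_i and msg_j in the
    pre-image, so asking about coordinate i of the modified instance reveals msg_j."""
    msg = []
    for j in range(N):
        Hj = [row[:] for row in H]
        for row in Hj:
            row[i], row[j] = row[j], row[i]
        msg.append(int(oracle(Hj, c, i)))
    return msg


def recover_via_dcep1(H, c, oracle):
    """DCEP1 -> SDP: c' = H e'^T for a known weight-1 e' with e'_i = 1, so
    'equal' means msg_i = 1."""
    return [int(oracle(H, c, syndrome(H, [int(k == i) for k in range(N)]), i))
            for i in range(N)]


def recover_via_dcep2(H, c, oracle, i=0):
    """DCEP2 -> SDP: the coordinates equal to msg_i form one class; because
    the weight is at most T < N/2, the smaller class is the set of ones."""
    same = [j for j in range(N) if oracle(H, c, i, j)]
    ones = same if len(same) <= T else [j for j in range(N) if j not in same]
    return [int(j in ones) for j in range(N)]


if __name__ == "__main__":
    H, msg, c = make_instance()
    print("msg        ", msg)
    print("via DOCP   ", recover_via_docp(H, c, docp_oracle))
    print("via DCEP1  ", recover_via_dcep1(H, c, dcep1_oracle))
    print("via DCEP2  ", recover_via_dcep2(H, c, dcep2_oracle))
```

Each reduction makes at most N oracle calls and recovers the full pre-image, which is what "as hard as SDP" means here: an adversary who could answer any of the three decision questions for the Niederreiter ciphertexts would thereby solve the syndrome decoding instance, so the fixed and duplicated coordinates that P2KC introduces cannot be detected any more cheaply than the PKC can be broken.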

40

Giving constraints on the message basically does not harm the cryptosystem.

But the following must be satisfied:
- (# of target ciphertexts)^2 << message space of the P2KC. Otherwise adversaries can learn that the message space is limited (though this does not imply a break of the PKC).
- (# of candidate PPKs) x (attack cost after knowing the PPK) must be huge. Otherwise adversaries can apply exhaustive search on the personalization mechanism.

41

One may define various P2KCs according to pv.

One of our recommendations is Random Trimming (RT):

pv=(0, 0, 2, 0, 0, 3, 0, 4, 0, 0), Sub=(0, 1, 1, 1)

[Figure: K1 consists of [a n] columns of K, where 0 < a < 1.]

42

Comparison between Niederreiter PKC and P2KC

PKC: (n,k,t)=(2048,1795,23), i.e. n-k=253. P2KC: (DP, RT, a=0.044), i.e. n1=90.

PKC: (n,k,t)=(2048,1630,38), i.e. n-k=418. P2KC: (DP, RT, a=0.042), i.e. n1=86.

43

Conclusion (1/2)

We proposed a new concept, P2KC: P2KC1 for when the decrypter knows pv, and P2KC2 for when the encrypter knows pv. Note: they do not need to share pv.

44

Conclusion (2/2)

P2KC can reduce the encryption-key size of a certain class of combinatorial PKCs where ciphertexts are given by the combination of public-key components according to the plaintexts and both the public-key and plaintext sizes are large.

P2KC is suitable for low-computational-power devices such as smart cards, sensors, cellular phones, RFIDs and so on.