P2KC
Kazukuni Kobara (1) and Hideki Imai (1,2)
1: Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST)
2: Chuo Univ.
P2KC? Our proposal: the Personalized-Public-Key Cryptosystem, a cryptosystem using personalized public keys.
Typical Usage of Public-Key Cryptosystem
[Figure: several encrypters each hold a copy of Bob's public key and send ciphertexts to Bob, the decrypter.]
We propose three usage modes for P2KC
Distribution then Personalization (DP) mode
Personalization then Distribution with Hidden PK (PDH) mode
Personalization then Distribution with Open PK (PDO) mode
Distribution then Personalization (DP) Mode
[Figure: Bob's public key is delivered to the encrypters first; after delivery it is personalized to each of them (personalized to Alice, to Carol, to Dave).]
Personalization then Distribution with Hidden/Open PK (PDH/PDO) Modes
[Figure: Bob personalizes his public key first (one key personalized to Alice, one to Carol, one to Dave) and then delivers each personalized key to its encrypter. In PDH the original public key stays hidden; in PDO it is open.]
Is there any advantage in personalizing a PK?
Probably not for typical (number-theoretic) PKCs such as RSA, ElGamal, ECC, DH and ECDH.
But definitely yes for a certain class of combinatorial PKCs: the Niederreiter/McEliece PKCs, some of the Hidden Field Equations (HFE) based PKCs and the lattice-based PKCs, as long as ciphertexts are formed as a combination of public-key components selected by the plaintext, and both the public key and the plaintext are large.
Advantages of P2KC
It reduces the encryption-key size.
The decrypter can identify the encrypter at no extra cost such as signing, which suits applications with low computational power. Note: to prevent replay attacks, this must be used within a challenge-response framework.
It can be combined with other public-key reduction techniques.
Pros and Cons of Niederreiter (McEliece) PKC
Pros:
The underlying problem (syndrome decoding) is well studied.
It can be made semantically secure (secure in a strong sense).
Encryption is quite simple and is done mainly with exclusive-or, so it suits low computational power devices such as smart cards, sensors, cellular phones and RFIDs, whereas RSA, DH and ECC require multi-precision modular multiplication/exponentiation and hence coprocessors in such devices.
Con:
The encryption key is huge. P2KC gives one solution to this.
Comparison between PKC and P2KC in the Niederreiter scheme
PKC: (n,k,t) = (2048,1795,23), i.e. n-k = 253; P2KC: (DP, RT, a = 0.044), i.e. n1 = 90
PKC: (n,k,t) = (2048,1630,38), i.e. n-k = 418; P2KC: (DP, RT, a = 0.042), i.e. n1 = 86
Attack Cost
[Figure: attack cost plotted against the code parameters.]
n: code length; k: dimension of the code; t: number of correctable errors.
Core Idea of P2KC (1/2): Message Space of PKC
[Figure: the message space of the PKC, from which the first, second, third and fourth messages are drawn.]
Assumption: messages are chosen at random so that they can be used to generate session keys.
Core Idea of P2KC (2/2): P2KC limits the space and allocates it to each user
[Figure: the message space of P2KC is partitioned into separate message spaces for User A, User B and User C.]
The boundary is invisible to adversaries.
It is hard to distinguish whether the target ciphertexts belong to the PKC or to the P2KC as long as the following hold:
(number of target ciphertexts)^2 << (message space of the P2KC)
(number of PPKs) x (attack cost after knowing a PPK) is huge
[Figure: an adversary holding the target ciphertexts cannot tell the PKC from the P2KC; the two are indistinguishable.]
PPK: Personalized-Public-Key
PKC and P2KC
PKC = {KeyGen(), Enc(), Dec()}
P2KC1 = {KeyGen(), Pers(), PEnc(), PDec(pv, .)}: available when the decrypter knows the personalization vector pv
P2KC2 = {KeyGen(), Pers(), KEnc(pv, .), KDec()}: available when the encrypter knows the personalization vector pv
KeyGen(): Keys for Niederreiter PKC
Accepts (n,k,t); generates the secret key sk = (S, H, P) and the public key pk = (K, t), where
K = S H P
H: (n-k) x n parity-check matrix of a Goppa code which can correct up to t error bits
S: random non-singular (n-k) x (n-k) matrix
P: random n x n permutation matrix
K is therefore an (n-k) x n binary matrix.
Enc(): Encryption of a Random Session Key in Niederreiter PKC
Accepts pk = (K, t) and msg; outputs c^T = K msg^T.
Plaintext msg^T: an n-dimensional vector of weight t or less, e.g. (0,1,0,0,1,0, ... 0,0,1,0).
Ciphertext c^T: the syndrome, an (n-k)-dimensional vector.
Dec(): Decryption in Niederreiter PKC
Accepts c and sk.
S^{-1} c^T = H P msg^T
By applying the error-correction algorithm of the Goppa code to S^{-1} c^T, obtains the error pattern P msg^T of weight t or less.
Outputs msg^T = P^{-1} (P msg^T).
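The three algorithms KeyGen(), Enc() and Dec() as an added toy implementation in Python; this is not code from the slides or from the authors. The Goppa code and its decoder are replaced by a random parity-check matrix H for which every error pattern of weight <= t has a distinct syndrome (checked at key generation), so that "error correction" is a table lookup; S is kept as a list of row operations rather than a matrix; the parameters n = 16, n-k = 14, t = 2 and all names are constructed for the example.

```python
import random
from itertools import combinations

# Toy parameters, constructed for this example. The slides use n=2048, where a
# real Goppa decoder is needed; here n is small enough for a brute-force decoder.
N, R, T = 16, 14, 2                     # code length n, syndrome length n-k, errors t

def gf2_matvec(M, v):
    """M (list of rows over GF(2)) times the column vector v, as a list of bits."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def keygen(seed=7):
    """KeyGen(): pk = (K, t) with K = S H P; sk = (S^-1 as row ops, P, decoder).
    H stands in for the Goppa parity-check matrix: a random (n-k) x n matrix,
    accepted only if every error pattern of weight <= t has its own syndrome,
    so that error correction is a dictionary lookup.
    S is generated as a sequence of 'row b ^= row a' operations; each is its own
    inverse, so S^-1 is the same sequence applied in reverse order.
    """
    rng = random.Random(seed)
    while True:
        H = [[rng.randrange(2) for _ in range(N)] for _ in range(R)]
        table = {}
        for w in range(T + 1):
            for supp in combinations(range(N), w):
                e = [1 if i in supp else 0 for i in range(N)]
                table.setdefault(tuple(gf2_matvec(H, e)), []).append(e)
        if all(len(pre) == 1 for pre in table.values()):
            break                       # all weight<=t syndromes are distinct
    perm = list(range(N))
    rng.shuffle(perm)                   # P: column i of H P is column perm[i] of H
    K = [[row[perm[i]] for i in range(N)] for row in H]
    ops = [tuple(rng.sample(range(R), 2)) for _ in range(4 * R)]
    for a, b in ops:                    # left-multiply H P by S
        K[b] = [x ^ y for x, y in zip(K[b], K[a])]
    sk = {"ops": ops, "perm": perm, "table": {s: pre[0] for s, pre in table.items()}}
    return (K, T), sk

def enc(pk, msg):
    """Enc(): msg is an n-bit vector of weight <= t; c^T = K msg^T (the syndrome)."""
    K, t = pk
    assert len(msg) == N and sum(msg) <= t, "plaintext must have weight <= t"
    return gf2_matvec(K, msg)

def dec(sk, c):
    """Dec(): S^-1 c^T = H (P msg^T); decode to the weight<=t pattern P msg^T; undo P."""
    s = list(c)
    for a, b in reversed(sk["ops"]):    # apply S^-1
        s[b] ^= s[a]
    e = sk["table"][tuple(s)]           # syndrome decoding: e = P msg^T (KeyError if c is invalid)
    return [e[sk["perm"][i]] for i in range(N)]   # msg_i was moved to position perm[i]

def random_session_key(rng, t=T):
    """A random plaintext of weight t, used as session-key material on the slides."""
    msg = [0] * N
    for i in rng.sample(range(N), t):
        msg[i] = 1
    return msg

def roundtrip_ok(seed=7, trials=32):
    """Encrypt and decrypt random session keys under a fresh key pair; True if all match."""
    pk, sk = keygen(seed)
    rng = random.Random(seed + 1)
    msgs = [random_session_key(rng) for _ in range(trials)] + [[0] * N]
    return all(dec(sk, enc(pk, m)) == m for m in msgs)

if __name__ == "__main__":
    pk, sk = keygen()
    print("public key bits:", len(pk[0]) * N, "roundtrip ok:", roundtrip_ok())
```

The public key K is the full (n-k) x n matrix, which is exactly the size problem the following slides address; note also that K is a dense random-looking matrix only because S and P scramble H, which is the indistinguishability assumption of Game1 below.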
Sketch of Personalization
[Figure: the message space of the PK is split into sub-spaces; the PPKs for A, B and C correspond to the personalization vectors pv for A, B and C, and a message msg in the PK space corresponds to a message msg' in a PPK space.]
Pers(): Personalization, One Example
Accepts pk = (K, t) and pv, and outputs ppk = (c2, K1, t, Sub).
pv = (2, 1, 3, 1, 4, 0, 4, 1, 2, 3)
K -> (c2, K1), where K1 has n1 columns (n1 = 3 here)
Sub = (3, 2, 2, 2)
pv: personalization vector. Each entry says where the corresponding column of K goes: 0 means the column is dropped (that coordinate of msg is fixed to 0), 1 means it is added into the constant part c2 (that coordinate is fixed to 1), and j >= 2 means it is added into column j-1 of K1 (all coordinates with the same j are tied to one coordinate of msg').
Sub: the weight of each column, i.e. how many columns of K were added into it; the first entry is for c2, the rest for the columns of K1.
Pers(): Personalization, Another Example
Accepts pk = (K, t) and pv, and outputs ppk = (c2, K1, t, Sub).
pv = (0, 2, 3, 2, 1, 4, 1, 3, 0, 4)
K -> (c2, K1), where K1 has n1 columns
Sub = (2, 2, 2, 2)
pv: personalization vector; Sub: weight of each column (c2 first, then the columns of K1).
Sketch of P2KC1, where the decrypter knows pv
[Figure: the encrypter knows only the PPK and chooses msg' from its message space; the decrypter recovers msg with the PK and, knowing pv, reconstructs msg'.]
Sketch of P2KC2, where the encrypter knows pv
[Figure: the encrypter knows msg' and pv and hence can reconstruct msg; the decrypter recovers msg with the PK.]
PEnc(): Encryption in Niederreiter P2KC1
Accepts ppk and msg'; outputs c^T = c2 (+) K1 msg'^T.
Plaintext msg'^T: a vector of length n1, e.g. (0,1,0), whose weight is chosen so that the total number of added columns does not exceed t. That total is the weight of c2 plus the weights of the selected columns of K1, as recorded in Sub = (3, 2, 2, 2).
Ciphertext c^T: the syndrome.
PDec(): Decryption in Niederreiter P2KC1
Accepts c, sk and the candidates for pv, e.g. pv1 = (2, 1, 3, 1, 4, 0, 4, 1, 2, 3) and pv2 = (0, 2, 3, 2, 1, 4, 1, 3, 0, 4).
Decrypts c using Dec() and sk and obtains msg, e.g. msg = (0, 1, 1, 1, 0, 0, 0, 1, 0, 1).
Looks for a pv consistent with msg (the fixed coordinates carry their fixed value and the tied coordinates agree). pv1 is consistent in this case; pv2 is not, since its 5th and 7th coordinates are fixed to 1 while msg has 0 there.
Converts msg to msg' using the found pv: msg' = (0, 1, 0).
KEnc(): Encryption in Niederreiter P2KC2
Accepts ppk and pv; generates msg' at random, e.g. msg'^T = (1,0,0), and computes c^T = c2 (+) K1 msg'^T (Sub = (3, 2, 2, 2)).
Converts msg' to msg using pv = (2, 1, 3, 1, 4, 0, 4, 1, 2, 3): msg^T = (1,1,0,1,0,0,0,1,1,0).
Outputs both c and ms = h(msg).
KDec(): Decryption in Niederreiter P2KC2
Accepts c and sk; decrypts c using Dec() and sk and obtains msg; outputs ms = h(msg).
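Pers(), PEnc(), PDec() and KEnc()/KDec() on the slides' own vectors, as an added Python example (not the authors' code). The base Dec() is not implemented here, since that needs the Goppa decoder; PDec is therefore shown from the point where Dec() has returned msg, and the example instead checks the identity that lets the base decryption work unchanged: c2 (+) K1 msg'^T equals K msg^T for the expanded msg. The 5 x 10 matrix K is constructed at random, the function names are the example's own, and the meaning given to the entries of pv (0: fixed to 0, 1: fixed to 1 and folded into c2, j >= 2: tied to coordinate j-1 of msg') is the reading that reproduces the Sub, msg and msg' values on the slides.

```python
import hashlib
import random

# Meaning assumed for the entries of pv (it reproduces the slides' numbers):
#   pv[i] == 0    : coordinate i of msg is fixed to 0, column i of K is dropped
#   pv[i] == 1    : coordinate i of msg is fixed to 1, column i of K is added into c2
#   pv[i] == j>=2 : coordinate i of msg equals msg'[j-2]; column i is added into K1[:, j-2]
# Sub[0] is the number of columns folded into c2, Sub[j-1] that of K1[:, j-2].

PV1 = (2, 1, 3, 1, 4, 0, 4, 1, 2, 3)   # first Pers() example on the slides
PV2 = (0, 2, 3, 2, 1, 4, 1, 3, 0, 4)   # second Pers() example

def gf2_matvec(M, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def pers(pk, pv):
    """Pers(): pk = (K, t) and pv -> ppk = (c2, K1, t, Sub)."""
    K, t = pk
    n1 = max(pv) - 1                               # number of msg' coordinates
    rows = len(K)
    c2, K1, sub = [0] * rows, [[0] * n1 for _ in range(rows)], [0] * (n1 + 1)
    for i, v in enumerate(pv):
        if v == 0:
            continue                               # column dropped
        sub[v - 1] += 1
        for r in range(rows):
            if v == 1:
                c2[r] ^= K[r][i]
            else:
                K1[r][v - 2] ^= K[r][i]
    return c2, K1, t, sub

def folded_weight(sub, msg1):
    """Columns of K that PEnc() adds for msg': w(c2) plus the selected K1 columns."""
    return sub[0] + sum(sub[j + 1] for j, b in enumerate(msg1) if b)

def expand(msg1, pv):
    """msg' -> msg: the n-bit plaintext that the base PKC actually sees."""
    return [0 if v == 0 else 1 if v == 1 else msg1[v - 2] for v in pv]

def penc(ppk, msg1):
    """PEnc(): c^T = c2 (+) K1 msg'^T, allowed only while the folded weight is <= t."""
    c2, K1, t, sub = ppk
    assert folded_weight(sub, msg1) <= t, "msg' would add more than t columns"
    return [a ^ b for a, b in zip(c2, gf2_matvec(K1, msg1))]

def pdec_select(msg, candidates):
    """PDec() after Dec() returned msg: pick the candidate pv consistent with msg
    (fixed coordinates have their fixed value, tied coordinates agree) and fold
    msg to msg'. Returns (pv, msg') or (None, None)."""
    for pv in candidates:
        seen = {}
        for v, bit in zip(pv, msg):
            seen.setdefault(v, set()).add(bit)
        if seen.get(0, {0}) == {0} and seen.get(1, {1}) == {1} \
                and all(len(bits) == 1 for v, bits in seen.items() if v >= 2):
            return pv, [seen[j].pop() for j in range(2, max(pv) + 1)]
    return None, None

def kdf(msg):
    """ms = h(msg); KDec() computes the same value from Dec(c)."""
    return hashlib.sha256(bytes(msg)).hexdigest()

def kenc(ppk, pv, rng):
    """KEnc(): random msg' within the weight budget; outputs c and ms = h(msg).
    The expanded msg is returned too, only because this toy has no Dec()."""
    c2, K1, t, sub = ppk
    while True:
        msg1 = [rng.randrange(2) for _ in range(len(K1[0]))]
        if folded_weight(sub, msg1) <= t:
            break
    msg = expand(msg1, pv)
    return penc(ppk, msg1), kdf(msg), msg

def demo(seed=1):
    """Walk through the slides' examples on a constructed 5 x 10 public matrix."""
    rng = random.Random(seed)
    K = [[rng.randrange(2) for _ in range(10)] for _ in range(5)]   # constructed toy K
    ppk = pers((K, 5), PV1)                        # Sub == [3, 2, 2, 2]
    msg1 = [0, 1, 0]                               # PEnc() example plaintext
    c = penc(ppk, msg1)
    msg = expand(msg1, PV1)                        # what Dec() returns: (0,1,1,1,0,0,0,1,0,1)
    same_ciphertext = c == gf2_matvec(K, msg)      # so the base Dec() needs no change
    pv, back = pdec_select(msg, [PV2, PV1])        # PDec(): pv1 consistent, pv2 not
    c, ms, msg_k = kenc(ppk, PV1, rng)             # KEnc(): random msg', ms = h(msg)
    return same_ciphertext and pv == PV1 and back == msg1 \
        and c == gf2_matvec(K, msg_k) and ms == kdf(msg_k)

if __name__ == "__main__":
    print("demo ok:", demo())
```

The ppk handed to an encrypter is (c2, K1, t, Sub): n1 columns instead of n, so the key shrinks by roughly n/n1, while the decrypter keeps one secret key and one Dec() for every encrypter and identifies the encrypter by which candidate pv is consistent with the decrypted msg.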
It is possible to define various P2KCs according to pv.
One of our recommendations is Random Trimming (RT): keep [a n] coordinates, where 0 < a < 1, and fix all the others to 0, e.g.
pv = (0, 0, 2, 0, 0, 3, 0, 0, 4, 0)
K -> K1 (three kept columns; c2 is empty)
Sub = (0, 1, 1, 1)
Security of Niederreiter PKC
Theorem: breaking OW-CPA or PDOW-CPA is as hard as an NP-complete problem (syndrome decoding), under the assumption that c and K are indistinguishable from random ones.
Breaking OW-CPA: given c and pk, find msg.
Breaking PDOW-CPA: given c and pk, find one (or some) coordinate(s) of msg.
If OW-CPA or PDOW-CPA holds, it is possible to construct a PKC meeting the strongest security notion, IND-CCA2.
Game0: Syndrome Decoding Problem (SDP) (NP-complete)
Given a syndrome s, a random parity-check matrix R and a small integer w, find a pre-image of Hamming weight w or less, i.e. an e with R e^T = s^T and wt(e) <= w, e.g. e = (0,1,0,0,1,0, ... 0,0,1,0).
Game1: Indistinguishability (Assumption)
[Figure: the syndrome s of a random matrix R, side by side with the ciphertext c of K = S H P.]
If we assume that K = SHP is indistinguishable from a random matrix R, it is obvious from the form of the PKC and of the SDP that breaking OW-CPA of the Niederreiter PKC is equivalent to solving the SDP.
Remark: the most powerful distinguisher so far is the SSA (Support Splitting Algorithm). Hence the underlying code must be chosen so that it resists the SSA.
Security of P2KC
P2KC constrains the message by fixing some coordinates and by duplicating (tying together) some coordinates.
If these constraints are invisible to adversaries, there is no difference between breaking the PKC and breaking the P2KC.
We show the invisibility by proving that the following problems are as hard as the SDP.
Game2: Decision One Coordinate Problem (DOCP)
Given c and K, determine the i-th coordinate of msg, i.e. whether the i-th column of K is included in c^T = K msg^T.
DOCP is as hard as SDP: if DOCP could be solved, one could recover all the bits of msg one coordinate at a time, changing c and K appropriately between queries.
Game3a: Decision Coordinate Equivalence Problem 1 (DCEP1)
Given two ciphertexts c and c' and K, determine whether the i-th coordinates of the messages behind c and c' are the same or not.
DCEP1 is as hard as SDP: if DCEP1 could be solved, one could recover all the bits of msg by creating c' from a known pre-image (whose i-th coordinate is therefore known) and comparing it with c for every i.
This implies that it is hard to determine whether some coordinates of msg are fixed or not.
Game3b: Decision Coordinate Equivalence Problem 2 (DCEP2)
Given c and K, determine whether the i-th and the j-th coordinates of msg take the same value or not.
DCEP2 is as hard as SDP: if DCEP2 could be solved, one could determine all the bits of msg by checking the equivalence of the i-th coordinate with every j. This splits the coordinates into two classes, and since msg has weight at most t < n/2, the smaller class is the set of ones.
This implies that it is hard to determine whether some coordinates are duplicated or not.
Giving constraints on the message does not harm the cryptosystem basically, but the following must be satisfied:
(number of target ciphertexts)^2 << message space of the P2KC. Otherwise adversaries can learn that the message space is limited (though this by itself does not imply a break of the PKC).
(number of candidate PPKs) x (attack cost after knowing the PPK) must be huge. Otherwise adversaries can apply exhaustive search to the personalization mechanism.
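The two conditions above and the parameter pairs from the comparison slide, worked through as an added Python example that is not part of the slides: it counts the message space of the PKC and of a PPK for an arbitrary Sub (so it covers both the slide's Sub = (3, 2, 2, 2) example and Random Trimming), the encryption-key sizes, and the ceiling on ciphertexts per PPK that the first condition implies. Only the first condition is made numeric; the attack cost after knowing a PPK is not stated on the page, so for the second condition the example reports just the number of candidate Random-Trimming subsets. The key sizes assume K is stored as (n-k) x n bits and the PPK as K1 plus c2; the function names are the example's own.

```python
from math import comb, log2

def pkc_space(n, t):
    """Plaintexts of the Niederreiter PKC: n-bit vectors of weight <= t."""
    return sum(comb(n, w) for w in range(t + 1))

def p2kc_space(sub, t):
    """Plaintexts msg' allowed by a PPK with Sub = (w(c2), w(K1 col 1), ...):
    msg' is admissible iff sub[0] + sum of sub[j] over its support <= t.
    Counted with a knapsack-style table indexed by the folded weight."""
    if sub[0] > t:
        return 0
    by_weight = [0] * (t + 1)
    by_weight[sub[0]] = 1                      # the all-zero msg' already weighs w(c2)
    for s in sub[1:]:                          # each K1 column is selected or not
        nxt = by_weight[:]
        for w in range(t + 1 - s):
            nxt[w + s] += by_weight[w]
        by_weight = nxt
    return sum(by_weight)

def rt_sub(n, a):
    """Sub for Random Trimming: [a n] coordinates kept, each of weight 1, c2 empty."""
    return [0] + [1] * int(a * n)

def key_bits(n, k, n1):
    """Bits of K ((n-k) x n) and of the PPK (K1: (n-k) x n1, plus c2: n-k)."""
    return (n - k) * n, (n - k) * (n1 + 1)

def report(n, k, t, a):
    """Figures for one (PKC, P2KC with DP/RT) pair from the comparison slide."""
    sub = rt_sub(n, a)
    n1 = len(sub) - 1
    pk_bits, ppk_bits = key_bits(n, k, n1)
    s_pkc, s_p2kc = pkc_space(n, t), p2kc_space(sub, t)
    return {
        "n1": n1,
        "pk_bits": pk_bits,
        "ppk_bits": ppk_bits,
        "key_ratio": pk_bits / ppk_bits,
        "pkc_space_log2": log2(s_pkc),         # entropy of a random msg under the PK
        "p2kc_space_log2": log2(s_p2kc),       # entropy of a random msg' under one PPK
        # (number of target ciphertexts)^2 << message space: the ciphertexts seen
        # under one PPK must stay well below 2 ** this value
        "ciphertext_ceiling_log2": log2(s_p2kc) / 2,
        # candidates for the second condition: which n1 of the n coordinates are kept
        "rt_candidates_log2": log2(comb(n, n1)),
    }

if __name__ == "__main__":
    for params in [(2048, 1795, 23, 0.044), (2048, 1630, 38, 0.042)]:
        print(params, {key: round(v, 1) if isinstance(v, float) else v
                       for key, v in report(*params).items()})
```

For the first parameter pair the PPK is about 23 times smaller than the PK, but the message space a single PPK can encrypt is about 2^71 against about 2^178 for the PK, so session keys derived from msg' carry far less entropy and the first condition limits each PPK to well under 2^35 ciphertexts; both effects are the price of trimming rather than separate weaknesses, and a practitioner sizing a deployment should check them with the code's parameters rather than the slide's ratios alone.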
One may define various P2KCs according to pv.
One of our recommendations is Random Trimming (RT): keep [a n] coordinates, where 0 < a < 1, e.g.
pv = (0, 0, 2, 0, 0, 3, 0, 4, 0, 0)
K -> K1
Sub = (0, 1, 1, 1)
Conclusion (1/2)
Proposed a new concept, P2KC.
P2KC1: when the decrypter knows pv.
P2KC2: when the encrypter knows pv.
Note: they do not need to share pv.
Conclusion (2/2)
P2KC can reduce the encryption-key size of a certain class of combinatorial PKCs, where ciphertexts are given by a combination of public-key components selected by the plaintext and both the public-key and plaintext sizes are large.
P2KC is suitable for low computational power devices such as smart cards, sensors, cellular phones, RFIDs and so on.