Zero-Knowledge Protocols for Code-Based Public-Key Encryption

Cryptography relies on mathematics in all its aspects: the constructions rest on various mathematical theories, the security of cryptographic systems is evaluated and proved mathematically, and even their implementation depends on it. Recently, new security threats have been posed by the emerging quantum computing technology. Specifically, quantum algorithms can break public-key encryption schemes such as RSA and ElGamal, which are widely used to protect computer systems and networks. This demands a new generation of cryptographic systems that can serve as secure alternatives to the ones in use today; such systems are referred to as post-quantum cryptography. One promising direction in post-quantum cryptography is systems whose security is based on the hardness of mathematical problems arising in coding theory. In particular, the problem of decoding random linear codes has been studied for over 30 years, and no polynomial-time algorithm has been found for it, even among quantum algorithms. In this thesis we focus on this area, which is called code-based cryptography. The first code-based public-key encryption (PKE) scheme was introduced by R. J. McEliece in 1978. Since then, various code-based public-key encryption, digital signature and identification schemes have been proposed, but one of the main current challenges is to build more advanced cryptographic functionalities on coding assumptions.

In this thesis, we first give a brief introduction to post-quantum cryptography and code-based cryptography, and then provide background on the cryptographic primitives we study, as well as the relevant notions and results from coding theory and cryptography. Our contributions are then as follows. First, we study zero-knowledge (ZK) identification schemes based on q-ary linear codes.
We show that for q < 5, a straightforward generalization of Stern's ZK identification scheme (1993) is more efficient in terms of both communication and computation than the ZK identification scheme of Cayrel, Véron and El Yousfi Alaoui (2010), which is specifically designed for q-ary codes. Second, we introduce the first proof of plaintext knowledge (PPK) for the McEliece PKE and the Niederreiter PKE. These protocols allow the encryptor to prove knowledge of the plaintext contained in a given ciphertext to any party, even one that does not hold the secret key for decryption. We also provide a performance evaluation of the proposed schemes.
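The protocol behind both contributions, as an added Python illustration that is not code from the thesis: Stern's three-pass zero-knowledge proof of knowledge for the syndrome decoding relation He = s with wt(e) = t, lifted from F_2 to F_q. The lift used here is a monomial transformation (a permutation plus a nonzero scalar per coordinate), chosen so that the revealed vector σ(e) is uniform over weight-t words when q > 2; for q = 2 it reduces to the plain permutation of Stern's original scheme. The same relation yields a proof of plaintext knowledge for Niederreiter: the ciphertext of a constant-weight plaintext m is its syndrome Hm, so the encryptor runs the identical protocol on (H, ciphertext) (for McEliece one instead proves knowledge of the error vector against the parity-check matrix of the public code, since c - e is a codeword). The toy parameters (q = 3, n = 12, r = 6, t = 3), the random parity-check matrix standing in for a real Niederreiter public key, and the SHA-256 commitments are all assumptions of the example.

```python
"""Stern-style three-pass ZK proof of knowledge for q-ary syndrome decoding (added illustration):
public H (R x N over F_Q) and s; secret e with wt(e) = T and H e = s.  Toy parameters, random H."""
import hashlib
import random

Q, N, R, T = 3, 12, 6, 3   # constructed toy parameters: field size, code length, redundancy, weight

def matvec(H, v): return [sum(h * x for h, x in zip(row, v)) % Q for row in H]   # syndrome H v
def vadd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def vsub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def weight(v): return sum(1 for x in v if x)

def random_weight_t(rng, t):
    """Uniform vector of weight t (the constant-weight word a Niederreiter plaintext is encoded as)."""
    e = [0] * N
    for i in rng.sample(range(N), t):
        e[i] = rng.randrange(1, Q)
    return e

def random_monomial(rng):
    """Weight-preserving monomial transformation: permutation plus a nonzero scalar per coordinate.
    For Q = 2 every scalar is 1, which is exactly the permutation of Stern's original scheme."""
    perm = list(range(N))
    rng.shuffle(perm)
    return perm, [rng.randrange(1, Q) for _ in range(N)]

def apply_monomial(sigma, v):
    perm, scale = sigma
    return [(scale[i] * v[perm[i]]) % Q for i in range(N)]

def commit(*parts):
    """Hash commitment; every value committed below is uniformly random, so plain hashing hides it."""
    return hashlib.sha256("|".join(repr(p) for p in parts).encode()).hexdigest()

class Prover:
    """Runs the prover side honestly with whatever witness it holds; a wrong witness fails some challenge."""
    def __init__(self, H, e, rng):
        self.H, self.e, self.rng = H, e, rng
    def commit_phase(self):
        self.y = [self.rng.randrange(Q) for _ in range(N)]   # fresh random masking vector
        self.sigma = random_monomial(self.rng)                # fresh transformation every round
        return (commit(self.sigma, matvec(self.H, self.y)),                    # c1: sigma and H y
                commit(apply_monomial(self.sigma, self.y)),                    # c2: sigma(y)
                commit(apply_monomial(self.sigma, vadd(self.y, self.e))))      # c3: sigma(y + e)
    def respond(self, b):
        if b == 0: return self.y, self.sigma
        if b == 1: return vadd(self.y, self.e), self.sigma
        return apply_monomial(self.sigma, self.y), apply_monomial(self.sigma, self.e)

def verify(H, s, c, b, resp):
    c1, c2, c3 = c
    if b == 0:                  # c1 and c2 come from the same (y, sigma)
        y, sigma = resp
        return c1 == commit(sigma, matvec(H, y)) and c2 == commit(apply_monomial(sigma, y))
    if b == 1:                  # z = y + e, so H z - s = H y: ties c1 to the public syndrome s
        z, sigma = resp
        return c1 == commit(sigma, vsub(matvec(H, z), s)) and c3 == commit(apply_monomial(sigma, z))
    sy, se = resp               # sigma(y), sigma(e): reveals the weight of e but not e itself
    return weight(se) == T and c2 == commit(sy) and c3 == commit(vadd(sy, se))

def challenges_passed(H, s, prover):
    """Which challenges one commitment can answer; only a correct witness answers all three."""
    c = prover.commit_phase()
    return {b for b in range(3) if verify(H, s, c, b, prover.respond(b))}

def run_protocol(H, s, prover, rounds, rng):
    """Sequential rounds with random challenges; a cheater survives a round with probability at most 2/3."""
    for _ in range(rounds):
        c = prover.commit_phase()
        b = rng.randrange(3)
        if not verify(H, s, c, b, prover.respond(b)):
            return False
    return True

def demo(seed=7):
    rng = random.Random(seed)
    H = [[rng.randrange(Q) for _ in range(N)] for _ in range(R)]   # stand-in for a public parity-check matrix
    e = random_weight_t(rng, T)                                    # identification: secret e, public (H, s)
    s = matvec(H, e)
    wrong = random_weight_t(rng, T)                                # right weight, different syndrome
    while matvec(H, wrong) == s:
        wrong = random_weight_t(rng, T)
    heavy = list(e)                                                # one extra nonzero: weight T+1, other syndrome
    heavy[next(i for i in range(N) if e[i] == 0 and any(row[i] for row in H))] = 1
    # Proof of plaintext knowledge: a Niederreiter ciphertext of the weight-T word m is its syndrome H m,
    # so the encryptor proves knowledge of m by running the same protocol on (H, ciphertext).
    m = random_weight_t(rng, T)
    ciphertext = matvec(H, m)
    return {"honest": challenges_passed(H, s, Prover(H, e, rng)),
            "wrong_syndrome": challenges_passed(H, s, Prover(H, wrong, rng)),
            "wrong_weight": challenges_passed(H, s, Prover(H, heavy, rng)),
            "identification": run_protocol(H, s, Prover(H, e, rng), 30, rng),
            "ppk_niederreiter": run_protocol(H, ciphertext, Prover(H, m, rng), 30, rng)}
```

A prover holding a witness with the right weight but the wrong syndrome passes challenges 0 and 2 only; one holding the wrong weight passes challenge 0 only. A prover with no valid witness can therefore prepare for at most two of the three challenges, which is where the 2/3 cheating probability per round comes from; 30 rounds bring it below 10^-5. The challenge-2 response discloses σ(e), which leaks only wt(e) = t, and only because σ is sampled fresh in every round; reusing it would let a verifier combine rounds and recover e.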

[1]  Tanja Lange,et al.  Post-quantum cryptography , 2008, Nature.

[2]  Nicolas Sendrier,et al.  Encoding information into constant weight words , 2005, Proceedings. International Symposium on Information Theory, 2005. ISIT 2005..

[3]  Tanja Lange,et al.  Attacking and defending the McEliece cryptosystem , 2008, IACR Cryptol. ePrint Arch..

[4]  N. Koblitz A Course in Number Theory and Cryptography , 1987 .

[5]  Kazukuni Kobara,et al.  Coding-Based Oblivious Transfer , 2008, MMICS.

[6]  Christiane Peters,et al.  Information-Set Decoding for Linear Codes over F_q , 2010, PQCrypto.

[7]  Oded Goldreich,et al.  How to construct constant-round zero-knowledge proof systems for NP , 1996, Journal of Cryptology.

[8]  Anderson C. A. Nascimento,et al.  Oblivious Transfer Based on the McEliece Assumptions , 2008, ICITS.

[9]  Gerrit Bleumer,et al.  Undeniable Signatures , 2011, Encyclopedia of Cryptography and Security.

[10]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[11]  Keisuke Tanaka,et al.  Zero-Knowledge Protocols for NTRU: Application to Identification and Proof of Plaintext Knowledge , 2009, ProvSec.

[12]  Sami Harari A new authentication algorithm , 1988, Coding Theory and Applications.

[13]  Atsuko Miyaji,et al.  Efficient Elliptic Curve Exponentiation Using Mixed Coordinates , 1998, ASIACRYPT.

[14]  David Chaum,et al.  Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer , 1991, CRYPTO.

[15]  Nicolas Sendrier Code-Based Cryptography , 2011, Encyclopedia of Cryptography and Security.

[16]  Tsuyoshi Takagi,et al.  Zero-Knowledge Protocols for Code-Based Public-Key Encryption , 2015, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[17]  Shafi Goldwasser,et al.  Transformation of Digital Signature Schemes into Designated Confirmer Signature Schemes , 2004, TCC.

[18]  Jr. H. F. Mattson The Theory of Error-Correcting Codes (F. J. MacWilliams and N. J. A. Sloane) , 1980 .

[19]  Ivan Damgård,et al.  Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes , 2000, ASIACRYPT.

[20]  C. Pandu Rangan,et al.  An Efficient IND-CCA2 Secure Variant of the Niederreiter Encryption Scheme in the Standard Model , 2012, ACISP.

[21]  Alexander Russell,et al.  Quantum Fourier sampling, Code Equivalence, and the quantum security of the McEliece and Sidelnikov cryptosystems , 2011, ArXiv.

[22]  Raphael Overbeck,et al.  A Summary of McEliece-Type Cryptosystems and their Security , 2007, J. Math. Cryptol..

[23]  Philippe Gaborit,et al.  Efficient code-based one-time signature from automorphism groups with syndrome compatibility , 2012, 2012 IEEE International Symposium on Information Theory Proceedings.

[24]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[25]  Krzysztof Pietrzak,et al.  Cryptography from Learning Parity with Noise , 2012, SOFSEM.

[26]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[27]  Tanja Lange,et al.  Wild McEliece , 2010, IACR Cryptol. ePrint Arch..

[28]  Pierre-Louis Cayrel,et al.  Post-quantum Cryptography: Code-Based Signatures , 2010, AST/UCMA/ISA/ACN.

[29]  Jean-Charles Faugère,et al.  A Distinguisher for High-Rate McEliece Cryptosystems , 2011, IEEE Transactions on Information Theory.

[30]  Tsuyoshi Takagi,et al.  Zero-Knowledge Protocols for the McEliece Encryption , 2012, ACISP.

[31]  Kazukuni Kobara,et al.  Privacy Enhanced RFID Using Quasi-Dyadic Fix Domain Shrinking , 2010, 2010 IEEE Global Telecommunications Conference GLOBECOM 2010.

[32]  Marc Girault,et al.  A (non-practical) three-pass identification protocol using coding theory , 1990, AUSCRYPT.

[33]  F. Chabaud,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to Primitive Narrow-Sense BCH Codes of Length~511 , 1995 .

[34]  Oded Goldreich,et al.  Computational complexity: a conceptual perspective , 2008, SIGA.

[35]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[36]  Markus Stadler,et al.  Publicly Verifiable Secret Sharing , 1996, EUROCRYPT.

[37]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[38]  Laila El Aimani,et al.  Efficient Confirmer Signatures from the "Signature of a Commitment" Paradigm , 2010, ProvSec.

[39]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[40]  Yuan Zhou Introduction to Coding Theory , 2010 .

[41]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[42]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[43]  Tsuyoshi Takagi,et al.  Proof of plaintext knowledge for code-based public-key encryption revisited , 2013, ASIA CCS '13.

[44]  Shafi Goldwasser,et al.  Proof of Plaintext Knowledge for the Ajtai-Dwork Cryptosystem , 2005, TCC.

[45]  Tsuyoshi Takagi,et al.  Security Analysis of Collusion-Resistant Nearest Neighbor Query Scheme on Encrypted Cloud Data , 2014, IEICE Trans. Inf. Syst..

[46]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[47]  Marc Girault,et al.  Lightweight code-based identification and signature , 2007, 2007 IEEE International Symposium on Information Theory.

[48]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[49]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[50]  David Chaum,et al.  Designated Confirmer Signatures , 1994, EUROCRYPT.

[51]  Jeffrey S. Leon,et al.  A probabilistic algorithm for computing minimum weights of large error-correcting codes , 1988, IEEE Trans. Inf. Theory.

[52]  Oscar Moreno,et al.  McEliece Public Key Cryptosystems Using Algebraic-Geometric Codes , 1996, Des. Codes Cryptogr..

[53]  Jan Camenisch,et al.  Confirmer Signature Schemes Secure against Adaptive Adversaries , 2000, EUROCRYPT.

[54]  Moni Naor,et al.  Bit Commitment Using Pseudo-Randomness , 1989, CRYPTO.


[56]  Jacques Stern,et al.  A method for finding codewords of small weight , 1989, Coding Theory and Applications.

[57]  Jacques Stern,et al.  An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding , 1996, EUROCRYPT.

[58]  Joonsang Baek,et al.  On the Generic and Efficient Constructions of Secure Designated Confirmer Signatures , 2007, Public Key Cryptography.

[59]  Keisuke Tanaka,et al.  Proof of Plaintext Knowledge for the Regev Cryptosystems , 2007 .

[60]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[61]  Ivan Damgård,et al.  Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs , 1995, CRYPTO.

[62]  Douglas Wikström Designated Confirmer Signatures Revisited , 2007, TCC.

[63]  Ali Miri,et al.  Securing Harari's Authentication Scheme , 2012, Int. J. Netw. Secur..

[64]  Osamu Watanabe,et al.  Computational and Statistical Indistinguishabilities , 1992, ISAAC.

[65]  Peter W. Shor,et al.  Polynominal time algorithms for discrete logarithms and factoring on a quantum computer , 1994, ANTS.

[66]  N. Asokan,et al.  Optimistic Fair Exchange of Digital Signatures (Extended Abstract) , 1998, EUROCRYPT.

[67]  Craig Gentry,et al.  Efficient Designated Confirmer Signatures Without Random Oracles or General Zero-Knowledge Proofs , 2005, ASIACRYPT.

[68]  Silvio Micali,et al.  Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems , 1991, JACM.

[69]  Kazukuni Kobara,et al.  Semantic security for the McEliece cryptosystem without random oracles , 2008, Des. Codes Cryptogr..

[70]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[71]  Douglas R. Stinson,et al.  Cryptography: Theory and Practice , 1995 .

[72]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[73]  Laila El Aimani,et al.  Toward a Generic Construction of Universally Convertible Undeniable Signatures from Pairing-Based Signatures , 2008, INDOCRYPT.

[74]  Daniel J. Bernstein,et al.  Grover vs. McEliece , 2010, PQCrypto.

[75]  Jacques Stern,et al.  A new paradigm for public key identification , 1996, IEEE Trans. Inf. Theory.

[76]  Claude E. Shannon,et al.  A Universal Turing Machine with Two Internal States , 1956 .


[78]  Tatsuaki Okamoto,et al.  Designated Confirmer Signatures and Public-Key Encryption are Equivalent , 1994, CRYPTO.

[79]  Tanja Lange,et al.  Smaller decoding exponents: ball-collision decoding , 2011, IACR Cryptol. ePrint Arch..

[80]  Keita Xagawa,et al.  Cryptography with Lattices , 2010 .

[81]  Silvio Micali,et al.  Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing , 1996, CRYPTO.

[82]  Markus Michels,et al.  Generic Constructions for Secure and Efficient Confirmer Signature Schemes , 1998, EUROCRYPT.

[83]  Pascal Véron,et al.  Improved identification schemes based on error-correcting codes , 2009, Applicable Algebra in Engineering, Communication and Computing.


[85]  Tibor Juhas The use of elliptic curves in cryptography , 2007 .

[86]  Sidi Mohamed El Yousfi Alaoui,et al.  A Zero-Knowledge Identification Scheme Based on the q-ary Syndrome Decoding Problem , 2010, Selected Areas in Cryptography.

[87]  Moti Yung,et al.  Symmetric Public-Key Encryption , 1985, CRYPTO.

[88]  Tsuyoshi Takagi,et al.  On Zero-Knowledge Identification Based on Q-ary Syndrome Decoding , 2013, 2013 Eighth Asia Joint Conference on Information Security.

[89]  Steven D. Galbraith,et al.  Invisibility and Anonymity of Undeniable and Confirmer Signatures , 2003, CT-RSA.

[90]  B.K. Yi,et al.  Digital signatures , 2006, IEEE Potentials.

[91]  Stephan Krenn,et al.  Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise , 2012, ASIACRYPT.

[92]  Keisuke Tanaka,et al.  Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems , 2008, ASIACRYPT.

[93]  Thomas M. Cover,et al.  Enumerative source encoding , 1973, IEEE Trans. Inf. Theory.

[94]  Elwyn R. Berlekamp,et al.  On the inherent intractability of certain coding problems (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[95]  Robert J. McEliece,et al.  A public key cryptosystem based on algebraic coding theory , 1978 .

[96]  Kazukuni Kobara,et al.  Privacy Enhanced and Light Weight RFID System without Tag Synchronization and Exhaustive Search , 2006, 2006 IEEE International Conference on Systems, Man and Cybernetics.

[97]  Matthieu Finiasz,et al.  Security Bounds for the Design of Code-Based Cryptosystems , 2009, ASIACRYPT.

[98]  Gregory A. Kabatiansky,et al.  A Digital Signature Scheme Based on Random Error-Correcting Codes , 1997, IMACC.

[99]  Ernest F. Brickell,et al.  An Observation on the Security of McEliece's Public-Key Cryptosystem , 1988, EUROCRYPT.

[100]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[101]  Antoine Joux,et al.  Decoding Random Binary Linear Codes in 2^(n/20): How 1+1=0 Improves Information Set Decoding , 2012, IACR Cryptol. ePrint Arch..

[102]  Jonathan Katz,et al.  Efficient and Non-malleable Proofs of Plaintext Knowledge and Applications , 2003, EUROCRYPT.

[103]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[104]  Ivan Damgård,et al.  Lectures on Data Security, Modern Cryptology in Theory and Practice, Summer School, Aarhus, Denmark, July 1998 , 1999 .

[105]  Alexander Russell,et al.  McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks , 2011, CRYPTO.

[106]  Pascal Véron Cryptanalysis of Harari's Identification Scheme , 1995, IMACC.

[107]  Steve Szabo,et al.  Complexity Issues in Coding Theory , 1997 .

[108]  Sidi Mohamed El Yousfi Alaoui,et al.  Improved Identity-Based Identification and Signature Schemes Using Quasi-Dyadic Goppa Codes , 2011, ISA.

[109]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[110]  Aaron D. Wyner,et al.  A Universal Turing Machine with Two Internal States , 1993 .

[111]  Robert H. Deng,et al.  On the equivalence of McEliece's and Niederreiter's public-key cryptosystems , 1994, IEEE Trans. Inf. Theory.

[112]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[113]  Nicolas Sendrier,et al.  On the Security of the McEliece Public-Key Cryptosystem , 2002 .

[114]  Ivan Damgård,et al.  Threshold Decryption and Zero-Knowledge Proofs for Lattice-Based Cryptosystems , 2010, TCC.

[115]  Kouichi Sakurai,et al.  An Anonymous Electronic Bidding Protocol Based on a New Convertible Group Signature Scheme , 2000, ACISP.

[116]  Matthieu Finiasz,et al.  How to Achieve a McEliece-Based Digital Signature Scheme , 2001, ASIACRYPT.