conservative code-based cryptography

ly, we are building a correct KEM given a correct deterministic PKE. We want the KEM to achieve IND-CCA2 security, and we want this to be proven to the extent possible, assuming that the PKE achieves OW-CPA security.

The PKE functionality is as follows. There is a set of public keys, a set of private keys, a set of plaintexts, and a set of ciphertexts. There is a key-generation algorithm KeyGen that produces a public key and a private key. There is a deterministic encryption algorithm Encrypt that, given a plaintext and a public key, produces a ciphertext. There is a decryption algorithm Decrypt that, given a ciphertext and a private key, produces a plaintext or a failure symbol ⊥ (which is not a plaintext). We require that Decrypt(Encrypt(p, K), k) = p for every (K, k) output by KeyGen() and every plaintext p.

We emphasize that Encrypt is not permitted to randomize its output: in other words, any randomness used to produce a ciphertext must be in the plaintext recovered by decryption. We also emphasize that Decrypt is not permitted to fail on valid ciphertexts; even a tiny failure probability is not permitted. These requirements are satisfied by the PKE in this submission, and the literature indicates that these requirements are helpful for security proofs.

In this level of generality, our KEM is defined in two modular layers as follows, using three hash functions H_0, H_1, H_2. These hash functions can be modeled in proofs as independent random oracles. If the hash output spaces are the same then this is equivalent to defining H_i(x) = H(i, x) for a single random oracle H, since the input spaces are disjoint.

First layer. Write X for the original correct deterministic PKE. We define a modified PKE X_2 = ConfirmPlaintext(X, H_2) as follows. This modified PKE is also a correct deterministic PKE. The modified key-generation algorithm KeyGen_2 is the same as the original key-generation algorithm KeyGen. The set of public keys is the same, and the set of private keys is the same. The modified encryption algorithm Encrypt_2 is defined by Encrypt_2(p, K) = (Encrypt(p, K), H_2(p)). The set of plaintexts is the same, and the modified set of ciphertexts consists of pairs of original ciphertexts and hash values. Finally, the modified decryption algorithm Decrypt_2 is defined by Decrypt_2((C, h), k) = Decrypt(C, k). Note that Decrypt_2 does not check hash values: changing (C, h) to a different (C, h') produces the same output from Decrypt_2. There was also no requirement for the original PKE X to recognize invalid ciphertexts.
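The first layer as executable code, added here as an illustration and not part of the submission: the ConfirmPlaintext transform is written generically over any (KeyGen, Encrypt, Decrypt) triple, the domain-separated oracles H_i(x) = H(i, x) are instantiated with SHAKE256 (an assumption of this example), and the code-based PKE is replaced by a constructed, deliberately insecure bit-permutation PKE that only satisfies the functional contract (deterministic, never fails on valid input). The check at the end exercises exactly the properties stated above, including that Decrypt_2 ignores the hash component.

```python
import hashlib
import os
import random

PLAINTEXT_BYTES = 32                  # plaintext set: 32-byte strings (constructed choice)
NBITS = 8 * PLAINTEXT_BYTES

def H(i: int, x: bytes, outlen: int = 32) -> bytes:
    # H_i(x) = H(i, x) with a one-byte prefix i; SHAKE256 as H is this example's assumption
    return hashlib.shake_256(bytes([i]) + x).digest(outlen)

# X: a toy correct deterministic PKE (constructed, insecure, NOT the submission's PKE).
# Encrypt permutes plaintext bits by the public key; the private key is the inverse
# permutation, so Decrypt is deterministic and never fails on a valid ciphertext.
def _permute(x: bytes, perm) -> bytes:
    bits, out = int.from_bytes(x, "big"), 0
    for src, dst in enumerate(perm):
        out |= ((bits >> src) & 1) << dst
    return out.to_bytes(PLAINTEXT_BYTES, "big")

def toy_keygen():
    perm = random.SystemRandom().sample(range(NBITS), NBITS)
    inv = sorted(range(NBITS), key=perm.__getitem__)     # perm[inv[j]] == j
    return tuple(perm), tuple(inv)                       # (public key K, private key k)

def toy_decrypt(C: bytes, k):
    return None if len(C) != PLAINTEXT_BYTES else _permute(C, k)   # None stands for ⊥
TOY_PKE = (toy_keygen, _permute, toy_decrypt)           # (KeyGen, Encrypt, Decrypt)

def confirm_plaintext(X, H2):
    """X_2 = ConfirmPlaintext(X, H_2): same KeyGen and keys, Encrypt_2(p,K) =
    (Encrypt(p,K), H_2(p)), Decrypt_2((C,h),k) = Decrypt(C,k) with h ignored."""
    keygen, encrypt, decrypt = X
    return (keygen,
            lambda p, K: (encrypt(p, K), H2(p)),
            lambda Ch, k: decrypt(Ch[0], k))             # h is carried, not checked

def check_first_layer(trials: int = 8) -> bool:
    """Exercise what the text states about X_2: determinism, correctness, and that
    replacing h by a different h' leaves Decrypt_2's output unchanged."""
    keygen2, encrypt2, decrypt2 = confirm_plaintext(TOY_PKE, lambda p: H(2, p))
    K, k = keygen2()
    for _ in range(trials):
        p = os.urandom(PLAINTEXT_BYTES)
        C, h = encrypt2(p, K)
        assert encrypt2(p, K) == (C, h)                  # deterministic
        assert decrypt2((C, h), k) == p                  # correct
        h_prime = bytes(b ^ 0xFF for b in h)
        assert decrypt2((C, h_prime), k) == p            # h' not checked in this layer
        assert h == H(2, p) != H(1, p)                   # H_2 separated from H_1
    return True
```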
