cca2 key-privacy for code-based encryption in the … · code-based encryption in the standard...
TRANSCRIPT
CCA2 Key-Privacy for Code-Based Encryption in the Standard Model
Yusuke Yoshida with Kirill Morozov and Keisuke Tanaka
from Tokyo Institute of Technology, Japan
Contents
CCA2 secure PKE in the standard model
  k-repetition paradigm
Key-Privacy for PKE
  Indistinguishability of keys (IK)
Code-Based Encryption
  Niederreiter
Our result: CCA2 Key-Privacy for Code-Based Encryption in the Standard Model
  We proved that the k-repetition paradigm instantiated with Niederreiter is IK-CCA2 in the standard model.
Key-Privacy (Anonymity) for PKE
Indistinguishability of keys (IK)
• was proposed by Bellare et al.*
• means a ciphertext does not leak information about pk.
  [Figure: a sender and a ciphertext; labels "who is the receiver?" and "true receiver".]
• against CPA, CCA2 could be considered: IK-CPA < IK-CCA2 (cf. IND-CPA < IND-CCA2).
• does not imply / is not implied by IND security: IK-CPA ⇎ IND-CPA, IK-CCA2 ⇎ IND-CCA2.
*Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001.
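Definition of IK-CPA
Challenger: $(pk_0, sk_0) \leftarrow Gen(1^\lambda)$, $(pk_1, sk_1) \leftarrow Gen(1^\lambda)$
Challenger → Adversary: $pk_0, pk_1$
Adversary → Challenger: $m^*$
Challenger: $b \leftarrow \{0,1\}$, $c^* \leftarrow Enc(m^*, pk_b)$
Challenger → Adversary: $c^*$
Adversary → Challenger: $b'$
A PKE is IK-CPA ⇔ $|\Pr[b = b'] - 1/2|$ is negligible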
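Definition of IK-CCA2
Challenger: $(pk_0, sk_0) \leftarrow Gen(1^\lambda)$, $(pk_1, sk_1) \leftarrow Gen(1^\lambda)$
Challenger → Adversary: $pk_0, pk_1$
Decryption queries: Adversary → Challenger: $(c, 0/1)$; Challenger → Adversary: $m/\bot \leftarrow Dec(c, sk_{0/1})$
Adversary → Challenger: $m^*$
Challenger: $b \leftarrow \{0,1\}$, $c^* \leftarrow Enc(m^*, pk_b)$
Challenger → Adversary: $c^*$
Decryption queries: Adversary → Challenger: $(c \neq c^*, 0/1)$; Challenger → Adversary: $m/\bot \leftarrow Dec(c, sk_{0/1})$
Adversary → Challenger: $b'$
A PKE is IK-CCA2 ⇔ $|\Pr[b = b'] - 1/2|$ is negligible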
Linear Codes
A binary $(n, k)$ linear code $\mathcal{C}$ is a $k$-dimensional subspace of $\mathbb{F}_2^n$.
$\mathcal{C} = \{ xG \in \mathbb{F}_2^n \mid x \in \mathbb{F}_2^k \}$ for a generator matrix $G$: McEliece encryption.
$\mathcal{C} = \{ x \in \mathbb{F}_2^n \mid Hx^T = 0 \}$ for a parity check matrix $H$: Niederreiter encryption.
$\mathcal{C}$ is error-correcting up to Hamming weight $t$ ⇔ one can compute $x$ from the syndrome $s = Hx^T$, if $\mathrm{wt}(x) \le t$.
Syndrome Decoding Problem
Given a parity check matrix of a random code $R$ and a syndrome $s = Rx^T$ for a random low-weight error $x$, find $x$.
Decisional version of SD problem
Given $(R, u)$, where $u$ is a uniform random vector, or $(R, s)$, where $s = Rx^T$ as above, decide which is the case.
If the SD problem is hard, the decisional version is also hard*.
*Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996.
Niederreiter*
Key generation: $H'$: parity check matrix of a $t$-error correcting code. $S$: random non-singular matrix, $P$: random permutation matrix.
  Public key $pk = H = SH'P$ (we assume $H$ is indistinguishable from random $R$).
  Secret key $sk = (S, H', P)$.
Encryption: plaintext is $m \in \mathbb{F}_2^n$, $\mathrm{wt}(m) \le t$. Ciphertext is $c = Hm^T$.
Decryption: compute $P^{-1}\,Correct(S^{-1}c) = P^{-1}Pm^T = m^T$.
  $Correct$ is the error correction algorithm for $H'$.
*Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory-Probl. Upravleniya I Teorii Informatsii 15(2), 159–166 (1986)
Randomized Niederreiter*
Key generation: $H'$: parity check matrix of a $t$-error correcting code. $S$: random non-singular matrix, $P$: random permutation matrix.
  Public key $pk = H = SH'P$ (we assume $H$ is indistinguishable from random $R$).
  Secret key $sk = (S, H', P)$.
Encryption: plaintext is $m$. Take a random padding vector $r$ with $m\|r \in \mathbb{F}_2^n$, $\mathrm{wt}(m\|r) \le t$. Ciphertext is $c = H(m\|r)^T$.
Decryption: compute $P^{-1}\,Correct(S^{-1}c) = P^{-1}P(m\|r)^T = (m\|r)^T$.
  Pick $m$ from $(m\|r)^T$.
*Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Crypt. 49(1–3), 289–305 (2008)
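An added illustration, not part of the slides: the IK-CPA game from the definition above, played against the deterministic map $c = Hm^T$ and the randomized map $c = H(m\|r)^T$. Uniformly random matrices stand in for the public keys, following the slides' assumption that $H$ is indistinguishable from random $R$; the parameter sizes, the function names and the re-encrypt-and-compare adversary are constructed for this example.

```python
import random

# Constructed parameters: message bits, padding bits, syndrome bits, weights.
N_M, N_R, ROWS, W_M, W_R = 32, 32, 24, 3, 3

def rand_matrix(rng, rows, cols):
    # Random binary matrix, one int bitmask per row. Stands in for a public
    # key H, which the slides assume is indistinguishable from random R.
    return [rng.getrandbits(cols) for _ in range(rows)]

def syndrome(H, x):
    # H * x^T over F_2: parity of (row AND x) for every row.
    return tuple(bin(row & x).count("1") & 1 for row in H)

def rand_weight(rng, length, w):
    # Uniform bit vector of the given length and Hamming weight w.
    return sum(1 << i for i in rng.sample(range(length), w))

def enc_det(rng, H, m):
    # Plain Niederreiter c = H x^T with x = m||0 (no random padding).
    return syndrome(H, m << N_R)

def enc_rand(rng, H, m):
    # Randomized Niederreiter: c = H (m||r)^T with fresh low-weight r.
    return syndrome(H, (m << N_R) | rand_weight(rng, N_R, W_R))

def ik_cpa_win_rate(enc, trials=400, seed=1):
    # Play the IK-CPA game `trials` times; return the adversary's win rate.
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        pk = [rand_matrix(rng, ROWS, N_M + N_R) for _ in range(2)]
        m_star = rand_weight(rng, N_M, W_M)   # adversary's chosen plaintext
        b = rng.randrange(2)                  # challenger's hidden bit
        c_star = enc(rng, pk[b], m_star)      # challenge ciphertext
        # Adversary: encrypt m* under pk0 itself and compare with c*.
        guess = 0 if enc(rng, pk[0], m_star) == c_star else 1
        wins += guess == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic:", ik_cpa_win_rate(enc_det))
    print("randomized:   ", ik_cpa_win_rate(enc_rand))
```

The adversary identifies the key in every game against the deterministic map and in about half the games against the randomized one; the latter shows only that this particular distinguisher fails, while the IK-CPA claim itself rests on the decisional SD assumption.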
Key-Privacy for Code-Based Encryption
Yamakawa et al.* first studied key-privacy for code-based encryption, and show:
• not IK-CPA: McEliece
• IK-CPA: Randomized McEliece
• IK-CCA2, random oracle: Kobara and Imai's conversion†, Persichetti's hybrid encryption‡
• IK-CCA2, standard model: ?
IK-CCA2 for code-based encryption in the standard model?
*Yamakawa, S., Cui, Y., Kobara, K., Hagiwara, M., Imai, H.: On the key-privacy issue of McEliece public-key encryption. In: Boztaş, S., Lu, H.-F.F. (eds.) AAECC 2007.
†Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC. In: Kim, K. (ed.) PKC 2001.
‡Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013.
k-repetition Paradigm
Rosen and Segev*
• One-way trapdoor k-wise products
• Hardcore predicate
• One-time signature
• IND-CCA2 PKE for 1-bit
One-way → Indistinguishability
k-wise product + one-time signature → CCA security
*Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009.
Code-Based CCA Construction
Rosen and Segev*
• One-way trapdoor k-wise products
• Hardcore predicate
• One-time signature
• IND-CCA2 PKE for 1-bit
Döttling et al.†
• k-repeated McEliece
• Random padding
• One-time signature
• FULL construction: IND-CCA2
• SIMPLE construction: IND-CPA
With Niederreiter
Rosen and Segev*
• k-wise Niederreiter
• Hardcore predicate
• One-time signature
• IND-CCA2 PKE for 1-bit
Döttling et al.†
• k-wise Niederreiter
• Random padding
• One-time signature
• FULL construction
• SIMPLE construction
*Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009.
†Döttling, N., Dowsley, R., Muller-Quade, J., Nascimento, A.C.A.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theory 58(10), 6672–6680 (2012)
Our result: CCA2 Key-Privacy for Code-Based Encryption in the Standard Model
We proved that the k-repetition paradigm instantiated with Niederreiter is IK-CCA2 in the standard model.
Instantiation with Niederreiter and its key-privacy
Rosen and Segev*
• k-wise Niederreiter
• Hardcore predicate
• One-time signature
• IND-CCA2 PKE for 1-bit: IK-CCA2
Döttling et al.†
• k-wise Niederreiter
• Random padding
• One-time signature
• FULL construction: IK-CCA2
• SIMPLE construction: IK-CPA
*Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009.
†Döttling, N., Dowsley, R., Muller-Quade, J., Nascimento, A.C.A.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theory 58(10), 6672–6680 (2012)
How to prove the FULL construction is IK-CCA2
• The SIMPLE construction with the Niederreiter/McEliece is IK-CPA.
• If the SIMPLE construction is IK-CPA and the signature is secure (OT-sEUF-CMA), then the FULL construction is IK-CCA2.
⇒ The FULL construction with the Niederreiter/McEliece is IK-CCA2.
SIMPLE Construction with Niederreiter
Key generation: $pk = (H_1, H_2, \dots, H_k)$, $sk = (S_i, H'_i, P_i)$, $1 \le i \le k$.
  cf. Niederreiter: public key $pk = H = SH'P$, secret key $sk = (S, H', P)$.
Encryption: pick a random padding vector $r$.
  $c = \left( H_1 (m\|r)^T,\ H_2 (m\|r)^T,\ \dots,\ H_k (m\|r)^T \right)$
  cf. Randomized Niederreiter: ciphertext is $c = H(m\|r)^T$.
Decryption: decrypt all elements in $c$. Confirm that all decrypted $m\|r$ are the same.
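FULL Construction with Niederreiter
Key generation:
  $pk = \begin{pmatrix} H_{1,0}, H_{2,0}, \dots, H_{k,0} \\ H_{1,1}, H_{2,1}, \dots, H_{k,1} \end{pmatrix}$, $sk = (S_{i,b}, H'_{i,b}, P_{i,b})$, $1 \le i \le k$, $b = 0, 1$.
Encryption:
  Generate a verification/signing key pair of the one-time signature: $vk = vk_1 \circ \cdots \circ vk_k \in \{0,1\}^k$, $dsk$.
  $c = \left( H_{1,vk_1} (m\|r)^T,\ \dots,\ H_{k,vk_k} (m\|r)^T \right)$, $\sigma \leftarrow sign(dsk, c)$
  Output $(vk, c, \sigma)$.
Decryption: verify the signature $\sigma$. Decrypt all elements in $c$. Confirm that all decrypted $m\|r$ are the same.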
Key-Privacy for These Constructions
• The SIMPLE construction with the Niederreiter/McEliece is IK-CPA.
• If the SIMPLE construction is IK-CPA and the signature is secure (OT-sEUF-CMA), then the FULL construction is IK-CCA2.
⇒ The FULL construction with the Niederreiter/McEliece is IK-CCA2.
Proof Outline
$pk_0 = (H_{0,1}, H_{0,2}, \dots, H_{0,k})$, $pk_1 = (H_{1,1}, H_{1,2}, \dots, H_{1,k})$
$Enc(pk_b, m) = \left( H_{b,1}(m\|r)^T,\ H_{b,2}(m\|r)^T,\ \dots,\ H_{b,k}(m\|r)^T \right)$
The public keys are indistinguishable from random matrices:
$pk_0 = (R_{0,1}, R_{0,2}, \dots, R_{0,k})$, $pk_1 = (R_{1,1}, R_{1,2}, \dots, R_{1,k})$
$Enc(pk_b, m) = \left( R_{b,1}(m\|r)^T,\ R_{b,2}(m\|r)^T,\ \dots,\ R_{b,k}(m\|r)^T \right)$
Write them together:
$pk_0 = R_0$, $pk_1 = R_1$, $Enc(pk_b, m) = R_b (m\|r)^T$
$R_b (m\|r)^T = R_{m,b}\, m^T + R_{r,b}\, r^T$
→ $R_{m,b}\, m^T + u$ (decisional version of SD)
$u$: no information about $b$!
Conclusion
• not IK-CPA: McEliece
• IK-CPA: Randomized McEliece
• IK-CCA2, random oracle: Kobara and Imai's conversion†, Persichetti's hybrid encryption‡
• Standard model: k-wise Niederreiter, random padding, one-time signature
  FULL construction: IK-CCA2
  SIMPLE construction: IK-CPA
Open Question: More efficient scheme in the standard model?