Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf ·...
Transcript of Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf ·...
![Page 1: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/1.jpg)
CODE-BASED PUBLIC-KEY ENCRYPTION
RESISTANT TO KEY LEAKAGE
Edoardo Persichetti
Warsaw University
10 June 2013
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 1 / 19
![Page 2: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/2.jpg)
OUTLINE OF THE TALK
Preliminaries
Hash Proof Systems
The Construction
Conclusions
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 2 / 19
![Page 3: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/3.jpg)
OUTLINE OF THE TALK
Preliminaries
Hash Proof Systems
The Construction
Conclusions
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 2 / 19
![Page 4: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/4.jpg)
OUTLINE OF THE TALK
Preliminaries
Hash Proof Systems
The Construction
Conclusions
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 2 / 19
![Page 5: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/5.jpg)
OUTLINE OF THE TALK
Preliminaries
Hash Proof Systems
The Construction
Conclusions
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 2 / 19
![Page 6: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/6.jpg)
Part I
PRELIMINARIES
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 3 / 19
![Page 7: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/7.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Key-leakage attacks: adversary obtains partial information about theprivate key.
Leakage Oracle queries: submit any function f with |f (sk)| ≤ λ.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Get public key pk .Perform leakage queries.Choose messages m0 and m1. Challenge ciphertext:c∗ =Enc(pk ,mb) for b ∈ {0,1}.Return b∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 4 / 19
![Page 8: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/8.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Key-leakage attacks: adversary obtains partial information about theprivate key.
Leakage Oracle queries: submit any function f with |f (sk)| ≤ λ.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Get public key pk .Perform leakage queries.Choose messages m0 and m1. Challenge ciphertext:c∗ =Enc(pk ,mb) for b ∈ {0,1}.Return b∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 4 / 19
![Page 9: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/9.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Key-leakage attacks: adversary obtains partial information about theprivate key.
Leakage Oracle queries: submit any function f with |f (sk)| ≤ λ.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Get public key pk .Perform leakage queries.Choose messages m0 and m1. Challenge ciphertext:c∗ =Enc(pk ,mb) for b ∈ {0,1}.Return b∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 4 / 19
![Page 10: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/10.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Initially modelled by Akavia, Goldwasser and Vaikuntanathan [1].
Work by Naor and Segev [8] provides general construction.
Based on Hash Proof Systems + randomness extractors.
Constructions given for DDH assumption, and variant ofCramer-Shoup cryptosystem.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 5 / 19
![Page 11: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/11.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Initially modelled by Akavia, Goldwasser and Vaikuntanathan [1].
Work by Naor and Segev [8] provides general construction.
Based on Hash Proof Systems + randomness extractors.
Constructions given for DDH assumption, and variant ofCramer-Shoup cryptosystem.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 5 / 19
![Page 12: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/12.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Initially modelled by Akavia, Goldwasser and Vaikuntanathan [1].
Work by Naor and Segev [8] provides general construction.
Based on Hash Proof Systems + randomness extractors.
Constructions given for DDH assumption, and variant ofCramer-Shoup cryptosystem.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 5 / 19
![Page 13: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/13.jpg)
LEAKAGE-RESILIENT PUBLIC-KEY ENCRYPTION
Initially modelled by Akavia, Goldwasser and Vaikuntanathan [1].
Work by Naor and Segev [8] provides general construction.
Based on Hash Proof Systems + randomness extractors.
Constructions given for DDH assumption, and variant ofCramer-Shoup cryptosystem.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 5 / 19
![Page 14: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/14.jpg)
Part II
HASH PROOF SYSTEMS
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 6 / 19
![Page 15: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/15.jpg)
HASH PROOF SYSTEMS
Introduced by Cramer and Shoup [3] as a theoretical tool.
Subsequently revisited and used in various settings, for example Kiltzet al. [7] for KEM.
We adapt the “simplified” definition of Alwen et al. [2] given for theIdentity-Based setting.
HPSSetup: sets public parameters.KeyGen: generates public key pk and private key sk .Encap: produces a ciphertext/key pair (c0,K ).Encap∗: produces an “invalid” ciphertext c0.Decap: given sk and c0 outputs a key K ′.
Three requirements for the scheme.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 7 / 19
![Page 16: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/16.jpg)
HASH PROOF SYSTEMS
Introduced by Cramer and Shoup [3] as a theoretical tool.
Subsequently revisited and used in various settings, for example Kiltzet al. [7] for KEM.
We adapt the “simplified” definition of Alwen et al. [2] given for theIdentity-Based setting.
HPSSetup: sets public parameters.KeyGen: generates public key pk and private key sk .Encap: produces a ciphertext/key pair (c0,K ).Encap∗: produces an “invalid” ciphertext c0.Decap: given sk and c0 outputs a key K ′.
Three requirements for the scheme.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 7 / 19
![Page 17: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/17.jpg)
HASH PROOF SYSTEMS
Introduced by Cramer and Shoup [3] as a theoretical tool.
Subsequently revisited and used in various settings, for example Kiltzet al. [7] for KEM.
We adapt the “simplified” definition of Alwen et al. [2] given for theIdentity-Based setting.
HPSSetup: sets public parameters.KeyGen: generates public key pk and private key sk .Encap: produces a ciphertext/key pair (c0,K ).Encap∗: produces an “invalid” ciphertext c0.Decap: given sk and c0 outputs a key K ′.
Three requirements for the scheme.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 7 / 19
![Page 18: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/18.jpg)
HASH PROOF SYSTEMS
Introduced by Cramer and Shoup [3] as a theoretical tool.
Subsequently revisited and used in various settings, for example Kiltzet al. [7] for KEM.
We adapt the “simplified” definition of Alwen et al. [2] given for theIdentity-Based setting.
HPSSetup: sets public parameters.KeyGen: generates public key pk and private key sk .Encap: produces a ciphertext/key pair (c0,K ).Encap∗: produces an “invalid” ciphertext c0.Decap: given sk and c0 outputs a key K ′.
Three requirements for the scheme.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 7 / 19
![Page 19: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/19.jpg)
HASH PROOF SYSTEMS
Introduced by Cramer and Shoup [3] as a theoretical tool.
Subsequently revisited and used in various settings, for example Kiltzet al. [7] for KEM.
We adapt the “simplified” definition of Alwen et al. [2] given for theIdentity-Based setting.
HPSSetup: sets public parameters.KeyGen: generates public key pk and private key sk .Encap: produces a ciphertext/key pair (c0,K ).Encap∗: produces an “invalid” ciphertext c0.Decap: given sk and c0 outputs a key K ′.
Three requirements for the scheme.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 7 / 19
![Page 20: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/20.jpg)
I - CORRECTNESS
Valid ciphertexts should decapsulate correctly.
CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [K 6= K ′] = negl(θ).
For our purposes, a relaxation of the above is sufficient.
t -APPROXIMATE CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [d(K ,K ′) > t ] = negl(θ).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 8 / 19
![Page 21: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/21.jpg)
I - CORRECTNESS
Valid ciphertexts should decapsulate correctly.
CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [K 6= K ′] = negl(θ).
For our purposes, a relaxation of the above is sufficient.
t -APPROXIMATE CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [d(K ,K ′) > t ] = negl(θ).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 8 / 19
![Page 22: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/22.jpg)
I - CORRECTNESS
Valid ciphertexts should decapsulate correctly.
CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [K 6= K ′] = negl(θ).
For our purposes, a relaxation of the above is sufficient.
t -APPROXIMATE CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [d(K ,K ′) > t ] = negl(θ).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 8 / 19
![Page 23: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/23.jpg)
I - CORRECTNESS
Valid ciphertexts should decapsulate correctly.
CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [K 6= K ′] = negl(θ).
For our purposes, a relaxation of the above is sufficient.
t -APPROXIMATE CORRECTNESS
If (c0,K ) = Encap(pk) and K ′ = Decap(sk , c0), then
pr [d(K ,K ′) > t ] = negl(θ).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 8 / 19
![Page 24: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/24.jpg)
II - UNIVERSALITY/SMOOTHNESS
Invalid ciphertexts should decapsulate to strings that are almostuniformly distributed.
UNIVERSALITY
An HPS is (η, ν)-universal if
H∞(SK |PK ) ≥ ηpr [Decap(sk , c0) = Decap(sk ′, c0)] ≤ ν
where c0 = Encap∗(pk) and sk 6= sk ′.
SMOOTHNESS
An HPS is smooth if
∆((c0,K ), (c0,K ′)) = negl(θ).
It is λ-leakage smooth if
∆((c0, f (sk),K ), (c0, f (sk),K ′)) = negl(θ),
for c0 = Encap∗(pk), K = Decap(sk , c0), K ′ ← U and |f (sk)| ≤ λ.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 9 / 19
![Page 25: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/25.jpg)
II - UNIVERSALITY/SMOOTHNESS
Invalid ciphertexts should decapsulate to strings that are almostuniformly distributed.
UNIVERSALITY
An HPS is (η, ν)-universal if
H∞(SK |PK ) ≥ ηpr [Decap(sk , c0) = Decap(sk ′, c0)] ≤ ν
where c0 = Encap∗(pk) and sk 6= sk ′.
SMOOTHNESS
An HPS is smooth if
∆((c0,K ), (c0,K ′)) = negl(θ).
It is λ-leakage smooth if
∆((c0, f (sk),K ), (c0, f (sk),K ′)) = negl(θ),
for c0 = Encap∗(pk), K = Decap(sk , c0), K ′ ← U and |f (sk)| ≤ λ.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 9 / 19
![Page 26: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/26.jpg)
II - UNIVERSALITY/SMOOTHNESS
Invalid ciphertexts should decapsulate to strings that are almostuniformly distributed.
UNIVERSALITY
An HPS is (η, ν)-universal if
H∞(SK |PK ) ≥ ηpr [Decap(sk , c0) = Decap(sk ′, c0)] ≤ ν
where c0 = Encap∗(pk) and sk 6= sk ′.
SMOOTHNESS
An HPS is smooth if
∆((c0,K ), (c0,K ′)) = negl(θ).
It is λ-leakage smooth if
∆((c0, f (sk),K ), (c0, f (sk),K ′)) = negl(θ),
for c0 = Encap∗(pk), K = Decap(sk , c0), K ′ ← U and |f (sk)| ≤ λ.(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 9 / 19
![Page 27: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/27.jpg)
III - CIPHERTEXT INDISTINGUISHABILITY
Invalid ciphertexts should be computationally indistinguishable fromvalid ones.
CIPHERTEXT INDISTINGUISHABILITY
Query the challenger for public key/private key pairs (pk , sk).Challenge ciphertext: c0 computed either from Encap(pk∗)(b = 0) or Encap∗(pk∗) (b = 1), for a fixed public key pk∗.Keep performing queries as above.Return b∗.
No restrictions are placed on the queries hence an adversary isallowed to even see the whole of sk∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 10 / 19
![Page 28: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/28.jpg)
III - CIPHERTEXT INDISTINGUISHABILITY
Invalid ciphertexts should be computationally indistinguishable fromvalid ones.
CIPHERTEXT INDISTINGUISHABILITY
Query the challenger for public key/private key pairs (pk , sk).Challenge ciphertext: c0 computed either from Encap(pk∗)(b = 0) or Encap∗(pk∗) (b = 1), for a fixed public key pk∗.Keep performing queries as above.Return b∗.
No restrictions are placed on the queries hence an adversary isallowed to even see the whole of sk∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 10 / 19
![Page 29: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/29.jpg)
III - CIPHERTEXT INDISTINGUISHABILITY
Invalid ciphertexts should be computationally indistinguishable fromvalid ones.
CIPHERTEXT INDISTINGUISHABILITY
Query the challenger for public key/private key pairs (pk , sk).Challenge ciphertext: c0 computed either from Encap(pk∗)(b = 0) or Encap∗(pk∗) (b = 1), for a fixed public key pk∗.Keep performing queries as above.Return b∗.
No restrictions are placed on the queries hence an adversary isallowed to even see the whole of sk∗.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 10 / 19
![Page 30: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/30.jpg)
Part III
THE CONSTRUCTION
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 11 / 19
![Page 31: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/31.jpg)
THE CONSTRUCTION
HPS
Setup: public parameters are a A $←− Fk×n2 and integers k ,n, ` with
k < n, ` > k . Let δ be the minimum distance of the code having A asgenerator matrix, ρ = δ/n and τ = γρ for γ > 0.The set of encapsulated keys is F`2.
KeyGen: selects matrices M $←− F`×k2 and E ← χ`×n
ρ and outputssk = M and pk = MA + E .Encap: chooses s ← χn
τ and returns (c0,K ) = (AsT ,pk · s).
Encap∗: chooses r $←− Fk2 and returns c0 = r .
Decap: takes as input sk and c0 and computes K ′ = sk · c0.
Choice of parameters important: rate R = k/n needs to be highenough for ρ to be less than 1/
√n.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 12 / 19
![Page 32: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/32.jpg)
THE CONSTRUCTION
HPS
Setup: public parameters are a A $←− Fk×n2 and integers k ,n, ` with
k < n, ` > k . Let δ be the minimum distance of the code having A asgenerator matrix, ρ = δ/n and τ = γρ for γ > 0.The set of encapsulated keys is F`2.
KeyGen: selects matrices M $←− F`×k2 and E ← χ`×n
ρ and outputssk = M and pk = MA + E .Encap: chooses s ← χn
τ and returns (c0,K ) = (AsT ,pk · s).
Encap∗: chooses r $←− Fk2 and returns c0 = r .
Decap: takes as input sk and c0 and computes K ′ = sk · c0.
Choice of parameters important: rate R = k/n needs to be highenough for ρ to be less than 1/
√n.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 12 / 19
![Page 33: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/33.jpg)
PROPERTIES
The scheme satisfies the three required properties.
t-Approximate Correctness: follows from a result of Dottling et al. [4].K and K ′ differ by a factor of EsT and this string has weight boundedby t with high probability.
Universality: the first part uses a result from Dumer et al. [5] on theexpected number of codewords in a ball of radius δ, and the fact thatA defines a random linear code, so δ is on the GV bound with highprobability. The second part is a direct consequence of the fact that` > k and that matrices chosen uniformly at random are of full rankwith overwhelming probability.
Ciphertext Indistinguishability: since ρ = O(n−1/2−ε), we expect s tohave weight below the GV bound. As proved by Fischer and Stern in[6], the vector c0 = AsT is therefore pseudorandom. The property issatisfied since the private key M doesn’t carry information about theciphertext.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 13 / 19
![Page 34: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/34.jpg)
PROPERTIES
The scheme satisfies the three required properties.
t-Approximate Correctness: follows from a result of Dottling et al. [4].K and K ′ differ by a factor of EsT and this string has weight boundedby t with high probability.
Universality: the first part uses a result from Dumer et al. [5] on theexpected number of codewords in a ball of radius δ, and the fact thatA defines a random linear code, so δ is on the GV bound with highprobability. The second part is a direct consequence of the fact that` > k and that matrices chosen uniformly at random are of full rankwith overwhelming probability.
Ciphertext Indistinguishability: since ρ = O(n−1/2−ε), we expect s tohave weight below the GV bound. As proved by Fischer and Stern in[6], the vector c0 = AsT is therefore pseudorandom. The property issatisfied since the private key M doesn’t carry information about theciphertext.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 13 / 19
![Page 35: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/35.jpg)
PROPERTIES
The scheme satisfies the three required properties.
t-Approximate Correctness: follows from a result of Dottling et al. [4].K and K ′ differ by a factor of EsT and this string has weight boundedby t with high probability.
Universality: the first part uses a result from Dumer et al. [5] on theexpected number of codewords in a ball of radius δ, and the fact thatA defines a random linear code, so δ is on the GV bound with highprobability. The second part is a direct consequence of the fact that` > k and that matrices chosen uniformly at random are of full rankwith overwhelming probability.
Ciphertext Indistinguishability: since ρ = O(n−1/2−ε), we expect s tohave weight below the GV bound. As proved by Fischer and Stern in[6], the vector c0 = AsT is therefore pseudorandom. The property issatisfied since the private key M doesn’t carry information about theciphertext.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 13 / 19
![Page 36: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/36.jpg)
PROPERTIES
The scheme satisfies the three required properties.
t-Approximate Correctness: follows from a result of Dottling et al. [4].K and K ′ differ by a factor of EsT and this string has weight boundedby t with high probability.
Universality: the first part uses a result from Dumer et al. [5] on theexpected number of codewords in a ball of radius δ, and the fact thatA defines a random linear code, so δ is on the GV bound with highprobability. The second part is a direct consequence of the fact that` > k and that matrices chosen uniformly at random are of full rankwith overwhelming probability.
Ciphertext Indistinguishability: since ρ = O(n−1/2−ε), we expect s tohave weight below the GV bound. As proved by Fischer and Stern in[6], the vector c0 = AsT is therefore pseudorandom. The property issatisfied since the private key M doesn’t carry information about theciphertext.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 13 / 19
![Page 37: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/37.jpg)
THE ENCRYPTION SCHEME
The HPS just described can be used in a “natural” way for public-keyencryption.
Need to incorporate an error-correcting code C into the framework todeal with the error coming from approximate correctness.
ENCRYPTION
Get input m and public-key pk .Run Encap(pk) to obtain (c0,K ).Set c1 = K ⊕ EncodeC(m).Output c = (c0, c1).
DECRYPTION
Get input sk and c = (c0, c1).Calculate K ′ as Decap(sk , c0).Return m = DecodeC(K ′ ⊕ c1).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 14 / 19
![Page 38: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/38.jpg)
THE ENCRYPTION SCHEME
The HPS just described can be used in a “natural” way for public-keyencryption.
Need to incorporate an error-correcting code C into the framework todeal with the error coming from approximate correctness.
ENCRYPTION
Get input m and public-key pk .Run Encap(pk) to obtain (c0,K ).Set c1 = K ⊕ EncodeC(m).Output c = (c0, c1).
DECRYPTION
Get input sk and c = (c0, c1).Calculate K ′ as Decap(sk , c0).Return m = DecodeC(K ′ ⊕ c1).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 14 / 19
![Page 39: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/39.jpg)
THE ENCRYPTION SCHEME
The HPS just described can be used in a “natural” way for public-keyencryption.
Need to incorporate an error-correcting code C into the framework todeal with the error coming from approximate correctness.
ENCRYPTION
Get input m and public-key pk .Run Encap(pk) to obtain (c0,K ).Set c1 = K ⊕ EncodeC(m).Output c = (c0, c1).
DECRYPTION
Get input sk and c = (c0, c1).Calculate K ′ as Decap(sk , c0).Return m = DecodeC(K ′ ⊕ c1).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 14 / 19
![Page 40: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/40.jpg)
THE ENCRYPTION SCHEME
The HPS just described can be used in a “natural” way for public-keyencryption.
Need to incorporate an error-correcting code C into the framework todeal with the error coming from approximate correctness.
ENCRYPTION
Get input m and public-key pk .Run Encap(pk) to obtain (c0,K ).Set c1 = K ⊕ EncodeC(m).Output c = (c0, c1).
DECRYPTION
Get input sk and c = (c0, c1).Calculate K ′ as Decap(sk , c0).Return m = DecodeC(K ′ ⊕ c1).
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 14 / 19
![Page 41: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/41.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 42: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/42.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 43: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/43.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 44: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/44.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.
Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 45: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/45.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.
Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 46: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/46.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 47: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/47.jpg)
SECURITY
We make use of a result from Alwen et al. [2, Theorem 3.1].
THEOREM
Let H be an (η, ν)-universal HPS with key space {0,1}`. Then H isalso λ-leakage smooth as long as λ ≤ η − `− ω(log θ) andν ≤ 2−`(1 + negl(θ)).
Security is proved using a sequence of games.
SEMANTIC SECURITY AGAINST KEY-LEAKAGE
Game 0: the semantic security game with leakage.Ciphertext indistinguishability
Game 1: replace valid challenge ciphertext with invalid one.Leakage smoothness
Game 2: replace c∗1 with a uniformly random string.
The advantage in Game 2 is 0 since independent from bit b.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 15 / 19
![Page 48: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/48.jpg)
Part IV
CONCLUSIONS
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 16 / 19
![Page 49: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/49.jpg)
CONCLUSIONS
First code-based Hash Proof System.
First step towards efficient leakage-resilient code-based encryptionschemes.
Achieves semantic security against leakage attacks without usingrandomness extractors.
CCA security?
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 17 / 19
![Page 50: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/50.jpg)
CONCLUSIONS
First code-based Hash Proof System.
First step towards efficient leakage-resilient code-based encryptionschemes.
Achieves semantic security against leakage attacks without usingrandomness extractors.
CCA security?
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 17 / 19
![Page 51: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/51.jpg)
CONCLUSIONS
First code-based Hash Proof System.
First step towards efficient leakage-resilient code-based encryptionschemes.
Achieves semantic security against leakage attacks without usingrandomness extractors.
CCA security?
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 17 / 19
![Page 52: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/52.jpg)
CONCLUSIONS
First code-based Hash Proof System.
First step towards efficient leakage-resilient code-based encryptionschemes.
Achieves semantic security against leakage attacks without usingrandomness extractors.
CCA security?
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 17 / 19
![Page 53: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/53.jpg)
Thank you
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 18 / 19
![Page 54: Code-based Public-key Encryption Resistant to Key Leakagecbc2013.inria.fr/Persichetti.pdf · CODE-BASED PUBLIC-KEY ENCRYPTION RESISTANT TO KEY LEAKAGE Edoardo Persichetti Warsaw University](https://reader033.fdocuments.us/reader033/viewer/2022052817/60b0e6ef376d5a101f332ee1/html5/thumbnails/54.jpg)
REFERENCES
A. Akavia, S. Goldwasser, and V. Vaikuntanathan.
Simultaneous hardcore bits and cryptography against memory attacks.In O. Reingold, editor, TCC, volume 5444 of Lecture Notes in Computer Science, pages 474–495. Springer, 2009.
J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Walfish, and D. Wichs.
Public-key encryption in the bounded-retrieval model.In Henri Gilbert, editor, EUROCRYPT, volume 6110 of Lecture Notes in Computer Science, pages 113–134. Springer, 2010.
R. Cramer and V. Shoup.
Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption.In L. R. Knudsen, editor, EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 45–64. Springer, 2002.
N. Dottling, J. Muller-Quade, and A. C. A. Nascimento.
Ind-cca secure cryptography based on a variant of the lpn problem.In X. Wang and K. Sako, editors, ASIACRYPT, volume 7658 of Lecture Notes in Computer Science, pages 485–503. Springer,2012.
I. Dumer, D. Micciancio, and M. Sudan.
Hardness of approximating the minimum distance of a linear code.IEEE Transactions on Information Theory, 49(1):22–37, 2003.
J.-B. Fischer and J. Stern.
An efficient pseudo-random generator provably as secure as syndrome decoding.In U. M. Maurer, editor, EUROCRYPT, volume 1070 of Lecture Notes in Computer Science, pages 245–255. Springer, 1996.
E. Kiltz, K. Pietrzak, M. Stam, and M. Yung.
A new randomness extraction paradigm for hybrid encryption.In A. Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes in Computer Science, pages 590–609. Springer, 2009.
M. Naor and G. Segev.
Public-key cryptosystems resilient to key leakage.In S. Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 18–35. Springer, 2009.
(WARSAW UNIVERSITY) LEAKAGE-RESILIENT CODE-BASED 10 JUNE 2013 19 / 19