On Public Key Encryption from Noisy Codewords
Several well-known public key encryption schemes, including those of Alekhnovich (FOCS 2003), Regev (STOC 2005), and Gentry, Peikert and Vaikuntanathan (STOC 2008), rely on the conjectured intractability of inverting noisy linear encodings. These schemes are limited in that they either require the underlying field to grow with the security parameter, or alternatively they can work over the binary field but have a low noise entropy that gives rise to sub-exponential attacks.
Motivated by the goal of efficient public key cryptography, we study the possibility of obtaining improved security over the binary field by using different noise distributions.
Inspired by an abstract encryption scheme of Micciancio (PKC 2010), we consider an abstract encryption scheme that unifies all the three schemes mentioned above and allows for arbitrary choices of the underlying field and noise distributions.
Our main result establishes an unexpected connection between the power of such encryption schemes and additive combinatorics. Concretely, we show that under the "approximate duality" conjecture from additive combinatorics (Ben-Sasson and Zewi, STOC 2011), every instance of the abstract encryption scheme over the binary field can be attacked in time , where is the maximum of the ciphertext size and the public key size (and where the latter excludes public randomness used for specifying the code).
On the flip side, counter examples to the above conjecture (if false) may lead to candidate public key encryption schemes with improved security guarantees.
We also show, using a simple argument that relies on agnostic learning of parities (Kalai, Mansour and Verbin, STOC 2008), that any such encryption scheme can be unconditionally attacked in time , where is the ciphertext size.
Combining this attack with the security proof of Regev's cryptosystem, we immediately obtain an algorithm that solves the learning parity with noise (LPN) problem in time using only samples, reproducing the result of Lyubashevsky (Random 2005) in a conceptually different way.
Finally, we study the possibility of instantiating the abstract encryption scheme over constant-size rings to yield encryption schemes with no decryption error. We show that over the binary field decryption errors are inherent. On the positive side, building on the construction of matching vector families (Grolmusz, Combinatorica 2000; Efremenko, STOC 2009; Dvir, Gopalan and Yekhanin, FOCS 2010), we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.
The Wiretap Channel with Feedback: Encryption over the Channel
In this work, the critical role of noisy feedback in enhancing the secrecy capacity of the wiretap channel is established. Unlike previous works, where a noiseless public discussion channel is used for feedback, the feed-forward and feedback signals share the same noisy channel in the present model. Quite interestingly, this noisy feedback model is shown to be more advantageous in the current setting. More specifically, the discrete memoryless modulo-additive channel with a full-duplex destination node is considered first, and it is shown that the judicious use of feedback increases the perfect secrecy capacity to the capacity of the source-destination channel in the absence of the wiretapper. In the achievability scheme, the feedback signal corresponds to a private key, known only to the destination. In the half-duplex scheme, a novel feedback technique that always achieves a positive perfect secrecy rate (even when the source-wiretapper channel is less noisy than the source-destination channel) is proposed. These results hinge on the modulo-additive property of the channel, which is exploited by the destination to perform encryption over the channel without revealing its key to the source. Finally, this scheme is extended to the continuous real valued modulo- channel where it is shown that the perfect secrecy capacity with feedback is also equal to the capacity in the absence of the wiretapper.
Comment: Submitted to IEEE Transactions on Information Theory
Continuously non-malleable codes with split-state refresh
Non-malleable codes for the split-state model allow one to encode a message into two parts, such that arbitrary independent tampering on each part, and subsequent decoding of the corresponding modified codeword, yields either the original message or a completely unrelated value. Continuously non-malleable codes further tolerate an unbounded (polynomial) number of tampering attempts, until a decoding error happens. The drawback is that, after an error happens, the system must self-destruct and stop working, otherwise generic attacks become possible. In this paper we propose a solution to this limitation, by leveraging a split-state refreshing procedure. Namely, whenever a decoding error happens, the two parts of an encoding can be locally refreshed (i.e., without any interaction), which makes it possible to avoid the self-destruct mechanism. An additional feature of our security model is that it directly captures security against continual leakage attacks. We give an abstract framework for building such codes in the common reference string model, and provide a concrete instantiation based on the external Diffie-Hellman assumption. Finally, we explore applications in which our notion turns out to be essential. The first application is a signature scheme tolerating an arbitrary polynomial number of split-state tampering attempts, without requiring a self-destruct capability, and in a model where refreshing of the memory happens only after an invalid output is produced. This circumvents an impossibility result from a recent work by Fujisaki and Xagawa (Asiacrypt 2016). The second application is a compiler for tamper-resilient RAM programs. In comparison to other tamper-resilient compilers, ours has several advantages, among which the fact that, for the first time, it does not rely on the self-destruct feature.
Quantum-locked key distribution at nearly the classical capacity rate
Quantum data locking is a protocol that allows for a small secret key to (un)lock an exponentially larger amount of information, hence yielding the strongest violation of the classical one-time pad encryption in the quantum setting. This violation mirrors a large gap existing between two security criteria for quantum cryptography quantified by two entropic quantities: the Holevo information and the accessible information. We show that the latter becomes a sensible security criterion if an upper bound on the coherence time of the eavesdropper's quantum memory is known. Under this condition we introduce a protocol for secret key generation through a memoryless qudit channel. For channels with enough symmetry, such as the d-dimensional erasure and depolarizing channels, this protocol allows secret key generation at an asymptotic rate as high as the classical capacity minus one bit.
Comment: v2 is close to the published version and contains only the key distribution protocols (4+5 pages), an extended version of the direct communication protocol is posted in arXiv:1410.4748 Comments always welcome
Revisiting Deniability in Quantum Key Exchange via Covert Communication and Entanglement Distillation
We revisit the notion of deniability in quantum key exchange (QKE), a topic that remains largely unexplored. In the only work on this subject by Donald Beaver, it is argued that QKE is not necessarily deniable due to an eavesdropping attack that limits key equivocation. We provide more insight into the nature of this attack and how it extends to other constructions such as QKE obtained from uncloneable encryption. We then adopt the framework for quantum authenticated key exchange, developed by Mosca et al., and extend it to introduce the notion of coercer-deniable QKE, formalized in terms of the indistinguishability of real and fake coercer views. Next, we apply results from a recent work by Arrazola and Scarani on covert quantum communication to establish a connection between covert QKE and deniability. We propose DC-QKE, a simple deniable covert QKE protocol, and prove its deniability via a reduction to the security of covert QKE. Finally, we consider how entanglement distillation can be used to enable information-theoretically deniable protocols for QKE and tasks beyond key exchange.
Comment: 16 pages, published in the proceedings of NordSec 201
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes on the order of a few thousand bytes, which is a very attractive feature compared to Hamming metric-based encryption schemes, where public key sizes are on the order of hundreds of thousands of bytes even with additional structure such as cyclicity. The main tool for building public key encryption schemes in the rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years all these systems were attacked, essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of a few kilobytes and with security closely related to the linearized polynomial reconstruction problem, which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and, until our work, the scheme had never been attacked. We show in this article that this scheme, like other schemes based on Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack to an appropriate public code. As an example we break concrete proposed bits security parameters in a few seconds.
Comment: To appear in Designs, Codes and Cryptography Journal