Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
|
|
- Neal Spencer
- 5 years ago
- Views:
Transcription
1 1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa (NTT)
2 2 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms
3 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 3
4 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 4
5 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms This work is on Identity-based Encryptions (IBEs) However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 5
6 6 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure.
7 7 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure. What can we say about efficient schemes proven secure in the ROM??
8 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 8
9 9 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.
10 10 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query
11 11 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query
12 12 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. Question A breaks IBE with advantage ε B solves LWE problem with advantage ε # ' /Q & Can we construct tightly secure IBEs in QROM?? Q & := #RO query
13 13 Summary of Our Result 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.
14 Overview of This Talk 1 2 Review of GPV-IBE What Goes Wrong in QROM 3 Result 1: 4 Result 2: Tightly Secure GPV-IBE in QROM Extending it to Multi-Challenge *Kangaroo...? 14
15 1. Review of GPV-IBE 15
16 Identity-based Encryption [Sha84] Public Key Generator I sk 789:;<= alice@example.com ID Any string can be a public key! ciphertext Alice Bob [Sha84]: A. Shamir. Identity-Based Cryptosystems and Signature Schemes. Crypto. 16
17 17 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}
18 18 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk Multi-Challenge if can obtain challenge ciphertext multi-times. b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}
19 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO [GPV08] Gentry, Peikert, and Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC. 19
20 20 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = u ID : = H(ID)
21 21 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = pencryption CT 78 of M LWE instance for (A, u 78 ): u ID : = H(ID) A s u ID c s + x +x +M q - =, c + = 2
22 22 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Program RO as H ID u.
23 23 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Program RO as H ID u. Sim. doesn t know secret key.
24 24 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.
25 25 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Guess challenge ID and programs RO differently for ID. Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.
26 2. What Goes Wrong in QROM 26
27 27 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ
28 28 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x
29 29 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x QROM should model this capability!
30 30 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM ID + ID # ID Classical RO
31 31 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID
32 32 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2
33 33 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2 Can t guess ID!! *with more than negl. prob.
34 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 34
35 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. Ø Program RO on many points instead of a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 35
36 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Downside The reduction loss is huge. Technique is conceptually similar to the partitioning technique used to prove adaptively ε secure IBEs in the ε # /Q' standard & model. Adv. Ø Program of breaking RO on IBE many points Adv. of instead solving of LWE a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 36
37 37 3. Result 1: Tightly Secure GPV-IBE in QROM
38 38 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique??
39 39 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity.
40 40 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible?
41 41 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible? Yes! Similar to Cramer-Shoup PKE Use secret key to construct challenge ciphertext J *Idea also used in pairing-based Gentry s IBE.
42 42 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries.
43 43 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78.
44 44 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78. Main Observation Just like Cramer-Shoup! Given A, u 78 = H ID, the secret key e 78 retains sufficient entropy.
45 45 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher.
46 46 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = sa + x c + = c -, e 78 + M h # secret key
47 47 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h #
48 48 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.
49 49 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator Why is this secure?? = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.
50 50 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator LWE Problem sa + x c - = b (random in Z k h ) c + = b, e 78 + M h # Hybrid 1
51 51 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = b (random in Z k h ) c + = b, e 78 + M h #
52 52 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma using entropy of e ID Hybrid 2 c - = b (random in Z h k ) c + = r (random in Z h )
53 53 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma No information on M!! c - = b (random in Z k h ) c + = r (random in Z h ) using entropy of e ID Hybrid 2
54 54 Combining Everything Together p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. ü ü ü
55 55 Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting!
56 Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting! Moreover Ø Since the simulator never aborts, the security proof is tight. Ø Proof is (almost) as simple as in the classical setting J 56
57 57 4. Result 2: Extending it to Multi-Challenge
58 58 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) #
59 59 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. #
60 60 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. Question Can we make the reduction loss independent of N?? #
61 61 Requires New Technique Previous technique does not work anymore
62 62 Requires New Technique Previous technique does not work anymore Why? *Proof of Single-Challenge
63 63 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge
64 64 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge Need to get more entropy from some other source
65 65 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s
66 66 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s
67 67 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s
68 68 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s Use entropy of s 2 2 [ ] to proceed with LHL.
69 69 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h # #
70 70 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h #
71 71 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r Left over hash lemma using entropy of s i #
72 72 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i
73 73 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h AŸe 78 is not universal, so cannot apply LHL! Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i
74 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 74
75 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + In scheme, only give out one secret key e 78 s.t. Ae 78 = u 78 for random bit b. h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 75
76 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, During Simulation ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) p Sim. Programs H(ID b u 78 = AŸe 78 for random bit b. p Programs H(ID 1 b u 78 +* Z h i. p Use LHL on u 78 +* which is now universal and repeat J [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 76
77 5. Conclusion 77
78 78 Conclusion 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.
79 79
80 80 *Key Lemma Used in Proof We can set (e 78, u 78 ) in reverse order! 1. Set u 78 : = H(ID) 2. Sample short e 78 s.t. Ae 78 = u Output (e 78, u 78 ) 1. Sample short e 78 from appropriate distribution. 2. Program RO as H ID Ae Output (e 78, u 78 ) *Discrete Gaussian Requires trapdoor T 0 Doesn t require trapdoor T 0
81 81 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ Given any classical function f, can compute: Œ α Œ x Œ α Œ x, f x In particular A quantum adversary can evaluate hash function H over qbits.
82 82 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.
83 83 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.
84 84 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.
85 85 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.
86 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is Downside The reduction loss is huge. ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such ε programmed ROs are ind. from random functions. ü Hope the chall. identiy ID ε # /Q' {p-fractions of inputs}. & Adv. of breaking IBE Adv. of solving LWE Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 86
How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationSECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry Stanford University Random Oracle Model (ROM) Sometimes, we can t prove a scheme secure in the standard model. Instead,
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationSecure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University
Secure Signatures and Chosen Ciphertext Security in a Quantu Coputing World Dan Boneh and Mark Zhandry Stanford University Classical Chosen Message Attack (CMA) σ = S(sk, ) signing key sk Classical CMA
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationRandom Oracles in a Quantum World
Random Oracles in a Quantum World AsiaISG Research Seminars 2011/2012 Özgür Dagdelen, Marc Fischlin (TU Darmstadt) Dan Boneh, Mark Zhandry (Stanford University) Anja Lehmann (IBM Zurich) Christian Schaffner
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSecure Signatures and Chosen Ciphertext Security in a Post-Quantum World
Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World Dan Boneh Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract We initiate the study of quantum-secure digital
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationLossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems
Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems Brett Hemenway UCLA bretth@mathuclaedu Rafail Ostrovsky UCLA rafail@csuclaedu January 9, 2010 Abstract In STOC 08, Peikert and Waters
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationLossy Trapdoor Functions and Their Applications
Lossy Trapdoor Functions and Their Applications Chris Peikert SRI International Brent Waters SRI International August 29, 2008 Abstract We propose a general cryptographic primitive called lossy trapdoor
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationRevisiting Post-Quantum Fiat-Shamir
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu, Mark Zhandry Princeton University, Princeton NJ 08544, USA Abstract. The Fiat-Shamir transformation is a useful approach to building non-interactive arguments
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationLattice-Based Dual Receiver Encryption and More
Lattice-Based Dual Receiver Encryption and More Daode Zhang 1,2, Kai Zhang 3,(, Bao Li 1,2, Xianhui Lu 1,2, Haiyang Xue 1,2, and Jie Li 1,2 1 School of Cyber Security, University of Chinese Academy of
More informationRevocable Identity-Based Encryption from Lattices
Revocable Identity-Based Encryption from Lattices Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Khoa Nguyen Nanyang Technological University, Singapore s080001@e.ntu.edu.sg {hoonwei,lingsan,hxwang}@ntu.edu.sg
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationPost-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.
OFB, CTR, In CBC, Ehsan Ebrahimi Targhi, Gelo Noel Tabia, Dominique Unruh University of Tartu February 4, 2016 Table of contents In CBC 1 2 3 4 In CBC PRF under quantum 5 6 Being optimistic about the emergence
More informationTitanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality
Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality Ron Steinfeld, Amin Sakzad, Raymond K. Zhao Monash University ron.steinfeld@monash.edu Ron Steinfeld
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationA ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION
A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced ELGAMAL ENCRYPTION & BASIC CONCEPTS CDH / DDH Computational
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationCRYPTOGRAPHY IN THE AGE OF QUANTUM COMPUTERS
CRYPTOGRAPHY IN THE AGE OF QUANTUM COMPUTERS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationGeneric Constructions for Chosen-Ciphertext Secure Attribute Based Encryption
Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}
More informationEfficient chosen ciphertext secure identity-based encryption against key leakage attacks
SECURITY AND COMMUNICATION NETWORKS Security Comm Networks 26; 9:47 434 Published online 2 February 26 in Wiley Online Library (wileyonlinelibrarycom) DOI: 2/sec429 RESEARCH ARTICLE Efficient chosen ciphertext
More informationA Group Signature Scheme from Lattice Assumptions
A Group Signature Scheme from Lattice Assumptions S. Dov Gordon Jonathan Katz Vinod Vaikuntanathan Abstract Group signature schemes allow users to sign messages on behalf of a group while (1) maintaining
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More information