Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Transcription

1 1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa (NTT)

2 2 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms

3 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 3

4 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 4

5 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms This work is on Identity-based Encryptions (IBEs) However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 5

6 6 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure.

7 7 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure. What can we say about efficient schemes proven secure in the ROM??

8 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 8

9 9 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

10 10 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query

11 11 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query

12 12 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. Question A breaks IBE with advantage ε B solves LWE problem with advantage ε # ' /Q & Can we construct tightly secure IBEs in QROM?? Q & := #RO query

13 13 Summary of Our Result 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.

14 Overview of This Talk 1 2 Review of GPV-IBE What Goes Wrong in QROM 3 Result 1: 4 Result 2: Tightly Secure GPV-IBE in QROM Extending it to Multi-Challenge *Kangaroo...? 14

15 1. Review of GPV-IBE 15

16 Identity-based Encryption [Sha84] Public Key Generator I sk 789:;<= alice@example.com ID Any string can be a public key! ciphertext Alice Bob [Sha84]: A. Shamir. Identity-Based Cryptosystems and Signature Schemes. Crypto. 16

17 17 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}

18 18 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk Multi-Challenge if can obtain challenge ciphertext multi-times. b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}

19 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO [GPV08] Gentry, Peikert, and Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC. 19

20 20 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = u ID : = H(ID)

21 21 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = pencryption CT 78 of M LWE instance for (A, u 78 ): u ID : = H(ID) A s u ID c s + x +x +M q - =, c + = 2

22 22 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Program RO as H ID u.

23 23 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Program RO as H ID u. Sim. doesn t know secret key.

24 24 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.

25 25 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Guess challenge ID and programs RO differently for ID. Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.

26 2. What Goes Wrong in QROM 26

27 27 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ

28 28 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x

29 29 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x QROM should model this capability!

30 30 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM ID + ID # ID Classical RO

31 31 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID

32 32 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2

33 33 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2 Can t guess ID!! *with more than negl. prob.

34 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 34

35 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. Ø Program RO on many points instead of a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 35

36 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Downside The reduction loss is huge. Technique is conceptually similar to the partitioning technique used to prove adaptively ε secure IBEs in the ε # /Q' standard & model. Adv. Ø Program of breaking RO on IBE many points Adv. of instead solving of LWE a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 36

37 37 3. Result 1: Tightly Secure GPV-IBE in QROM

38 38 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique??

39 39 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity.

40 40 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible?

41 41 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible? Yes! Similar to Cramer-Shoup PKE Use secret key to construct challenge ciphertext J *Idea also used in pairing-based Gentry s IBE.

42 42 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries.

43 43 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78.

44 44 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78. Main Observation Just like Cramer-Shoup! Given A, u 78 = H ID, the secret key e 78 retains sufficient entropy.

45 45 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher.

46 46 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = sa + x c + = c -, e 78 + M h # secret key

47 47 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h #

48 48 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.

49 49 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator Why is this secure?? = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.

50 50 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator LWE Problem sa + x c - = b (random in Z k h ) c + = b, e 78 + M h # Hybrid 1

51 51 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = b (random in Z k h ) c + = b, e 78 + M h #

52 52 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma using entropy of e ID Hybrid 2 c - = b (random in Z h k ) c + = r (random in Z h )

53 53 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma No information on M!! c - = b (random in Z k h ) c + = r (random in Z h ) using entropy of e ID Hybrid 2

54 54 Combining Everything Together p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. ü ü ü

55 55 Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting!

56 Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting! Moreover Ø Since the simulator never aborts, the security proof is tight. Ø Proof is (almost) as simple as in the classical setting J 56

57 57 4. Result 2: Extending it to Multi-Challenge

58 58 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) #

59 59 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. #

60 60 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. Question Can we make the reduction loss independent of N?? #

61 61 Requires New Technique Previous technique does not work anymore

62 62 Requires New Technique Previous technique does not work anymore Why? *Proof of Single-Challenge

63 63 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge

64 64 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge Need to get more entropy from some other source

65 65 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s

66 66 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s

67 67 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s

68 68 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s Use entropy of s 2 2 [ ] to proceed with LHL.

69 69 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h # #

70 70 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h #

71 71 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r Left over hash lemma using entropy of s i #

72 72 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i

73 73 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h AŸe 78 is not universal, so cannot apply LHL! Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i

74 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 74

75 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + In scheme, only give out one secret key e 78 s.t. Ae 78 = u 78 for random bit b. h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 75

76 Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, During Simulation ( ) c + - ( ) c + + = s 2 u x 2 - = s 2 u x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) p Sim. Programs H(ID b u 78 = AŸe 78 for random bit b. p Programs H(ID 1 b u 78 +* Z h i. p Use LHL on u 78 +* which is now universal and repeat J [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 76

77 5. Conclusion 77

78 78 Conclusion 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.

79 79

80 80 *Key Lemma Used in Proof We can set (e 78, u 78 ) in reverse order! 1. Set u 78 : = H(ID) 2. Sample short e 78 s.t. Ae 78 = u Output (e 78, u 78 ) 1. Sample short e 78 from appropriate distribution. 2. Program RO as H ID Ae Output (e 78, u 78 ) *Discrete Gaussian Requires trapdoor T 0 Doesn t require trapdoor T 0

81 81 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ Given any classical function f, can compute: Œ α Œ x Œ α Œ x, f x In particular A quantum adversary can evaluate hash function H over qbits.

82 82 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

83 83 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

84 84 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

85 85 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

86 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is Downside The reduction loss is huge. ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such ε programmed ROs are ind. from random functions. ü Hope the chall. identiy ID ε # /Q' {p-fractions of inputs}. & Adv. of breaking IBE Adv. of solving LWE Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 86