Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Similar documents
How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Cryptology. Scribe: Fabrice Mouhartem M2IF

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

BEYOND POST QUANTUM CRYPTOGRAPHY

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

A survey on quantum-secure cryptographic systems

6.892 Computing on Encrypted Data October 28, Lecture 7

Random Oracles in a Quantum World

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Lossy Trapdoor Functions and Their Applications

Identity-based encryption

Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World. Dan Boneh and Mark Zhandry Stanford University

SIS-based Signatures

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Searchable encryption & Anonymous encryption

Random Oracles in a Quantum World

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Recent Advances in Identity-based Encryption Pairing-free Constructions

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Cryptographical Security in the Quantum Random Oracle Model

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

ECS 189A Final Cryptography Spring 2011

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Provable security. Michel Abdalla

Chosen-Ciphertext Security from Subset Sum

Applied cryptography

Boneh-Franklin Identity Based Encryption Revisited

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Secure and Practical Identity-Based Encryption

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

How to Delegate a Lattice Basis

REMARKS ON IBE SCHEME OF WANG AND CAO

Gentry IBE Paper Reading

Pairing-Based Cryptography An Introduction

G Advanced Cryptography April 10th, Lecture 11

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Post-quantum security models for authenticated encryption

1 Number Theory Basics

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

On Post-Quantum Cryptography

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Open problems in lattice-based cryptography

Identity Based Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Notes for Lecture 16

Efficient Identity-Based Encryption Without Random Oracles

Lossy Trapdoor Functions and Their Applications

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Revisiting Post-Quantum Fiat-Shamir

Digital Signatures. Adam O Neill based on

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Lectures 2+3: Provable Security

Lattice-Based Dual Receiver Encryption and More

Revocable Identity-Based Encryption from Lattices

Post-quantum key exchange for the Internet based on lattices

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

ASYMMETRIC ENCRYPTION

Simple SK-ID-KEM 1. 1 Introduction

Efficient Lattice (H)IBE in the Standard Model

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality

Public Key Cryptography

Lattice-Based Non-Interactive Arugment Systems

A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION

A New Paradigm of Hybrid Encryption Scheme

Efficient Identity-based Encryption Without Random Oracles

Secure Certificateless Public Key Encryption without Redundancy

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

CRYPTANALYSIS OF COMPACT-LWE

Chosen Ciphertext Security with Optimal Ciphertext Overhead

Smooth Projective Hash Function and Its Applications

What are we talking about when we talk about post-quantum cryptography?

Short Exponent Diffie-Hellman Problems

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Part 2 LWE-based cryptography

The Cramer-Shoup Cryptosystem

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 10 - MAC s continued, hash & MAC

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Attribute-based Encryption & Delegation of Computation

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

CRYPTOGRAPHY IN THE AGE OF QUANTUM COMPUTERS

On the power of non-adaptive quantum chosen-ciphertext attacks

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

A Group Signature Scheme from Lattice Assumptions

CS Topics in Cryptography January 28, Lecture 5

f (x) f (x) easy easy

Transcription:

1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa (NTT)

2 Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms

Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. In General Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 3

Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 4

Post Quantum Cryptography Owing to NIST s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! In General Recent Works on QROM p Signatures: [Zha12][ARU14][Unr17][KLS18] p PKE: [TU16][JZC+18][SXY18] Scheme secure under a PQ assumption in the standard model Scheme is secure against quantum algorithms This work is on Identity-based Encryptions (IBEs) However Scheme secure under a PQ assumption in the RO model Scheme may NOT be secure against quantum algorithms (*) (*) [BDF+11] Boneh et al. Random oracles in a quantum world. EUROCRYPT. 5

6 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure.

7 IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. plattice-based IBEs ROM: [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]. pcode-based IBEs ROM: [GHPT17] This line of work is quantumly secure. What can we say about efficient schemes proven secure in the ROM??

IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 8

9 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

10 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query

11 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM. 2 +--. However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. A breaks IBE with advantage ε B solves LWE problem with advantage ε # /Q & ' Q & := #RO query

12 IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security If we want of lattice-based 128-bit secure IBEs of ε [GPV08], = 2 *+#,, [ABB10],[CHKP10] assuming Q in & = QROM. 2 +--. However We need at least 656-bit secure LWE problem!! ü Comes at a cost of a huge reduction loss. ü Requires descent knowledge on quantum computation. Question A breaks IBE with advantage ε B solves LWE problem with advantage ε # ' /Q & Can we construct tightly secure IBEs in QROM?? Q & := #RO query

13 Summary of Our Result 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.

Overview of This Talk 1 2 Review of GPV-IBE What Goes Wrong in QROM 3 Result 1: 4 Result 2: Tightly Secure GPV-IBE in QROM Extending it to Multi-Challenge *Kangaroo...? 14

1. Review of GPV-IBE 15

Identity-based Encryption [Sha84] Public Key Generator I sk 789:;<= alice@example.com ID 01234 Any string can be a public key! ciphertext Alice Bob [Sha84]: A. Shamir. Identity-Based Cryptosystems and Signature Schemes. Crypto. 16

17 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}

18 IND-CPA Security of IBE in ROM mpk, msk SetUp(1 H ) mpk Multi-Challenge if can obtain challenge ciphertext multi-times. b Pr b = b 1 2 ID Z ID i sk IDi (ID ID i, M) CT Random Oracle H: ID Z Z Uni(Z) KeyGen ID 2, msk sk 78; b {0, 1}

Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO [GPV08] Gentry, Peikert, and Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. STOC. 19

20 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = u ID : = H(ID)

21 Gentry-Peikert-Vaikuntanathan IBE p mpk, msk mpk = A Z i k h, H: 0,1 i Z h msk = trapdoof T 0 for A *Programmed as RO psecret Key sk 78 Short vector e A 78 Z w s. t. e ID = pencryption CT 78 of M LWE instance for (A, u 78 ): u ID : = H(ID) A s u ID c s + x +x +M q - =, c + = 2

22 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Program RO as H ID u.

23 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Program RO as H ID u. Sim. doesn t know secret key.

24 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.

25 Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Simulator (LWE adversary) LWE Problem s A u + [x x ] Ø For ID ID Guess challenge ID and programs RO differently for ID. Ø For ID Sample e 78 and program RO as H ID Ae 78. Sim. knows secret key. Can answer secret key queries. Program RO as H ID u. Sim. doesn t know secret key. Embed into chall. ciphertext.

2. What Goes Wrong in QROM 26

27 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α - 0 + α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ

28 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α - 0 + α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x

29 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α - 0 + α + 1 (Generally Œ α Œ x ) In short α - # + α + # = 1 α # = Prob. of getting b when measuring φ A quantum adversary can evaluate hash function H over qbits in real-world. Œ α Œ x Œ α Œ x, H x QROM should model this capability!

30 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM ID + ID # ID Classical RO

31 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID

32 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2

33 What this Means for QROM FDH-type proofs in ROM doesn t hold in QROM! Why? In ROM In QROM ID + ID # ID Classical RO Œ α Œ ID Œ Quantum RO *Query superposition of all ID Guess i [Q & ] and program RO differently on single ID ID 2 Can t guess ID!! *with more than negl. prob.

Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 34

Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. Ø Program RO on many points instead of a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 35

Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. Downside The reduction loss is huge. Technique is conceptually similar to the partitioning technique used to prove adaptively ε secure IBEs in the ε # /Q' standard & model. Adv. Ø Program of breaking RO on IBE many points Adv. of instead solving of LWE a single point. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 36

37 3. Result 1: Tightly Secure GPV-IBE in QROM

38 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique??

39 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity.

40 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible?

41 Idea: Depart from Partitioning Partitioning techniques are not good with tight reduction. Non-partitioning technique?? p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. Is this even possible? Yes! Similar to Cramer-Shoup PKE Use secret key to construct challenge ciphertext J *Idea also used in pairing-based Gentry s IBE.

42 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries.

43 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78.

44 Knowing the Secret Key of All IDs Let us consider the first two problem. p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. Unlike original GPV-IBE proof Ø For ID Sample e 78 and program RO as H ID Ae 78. Main Observation Just like Cramer-Shoup! Given A, u 78 = H ID, the secret key e 78 retains sufficient entropy.

45 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher.

46 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = sa + x c + = c -, e 78 + M h # secret key

47 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h #

48 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.

49 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator Why is this secure?? = sae 78 + x, e 78 + M h # s, u 78 + x + M # Same as in real-world modulo small difference in noise distribution.

50 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = sa + x c + = c -, e 78 + M h # Simulator LWE Problem sa + x c - = b (random in Z k h ) c + = b, e 78 + M h # Hybrid 1

51 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. Simulator c - = b (random in Z k h ) c + = b, e 78 + M h #

52 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma using entropy of e ID Hybrid 2 c - = b (random in Z h k ) c + = r (random in Z h )

53 Simulating the Challenge Ciphertext Remaining problem. p Simulator can generate chall. cipher. for all identity. As in Cramer-Shoup, use secret key to construct chall. cipher. c - = b (random in Z h k ) Simulator c + = b, e 78 + M h # Left over hash lemma No information on M!! c - = b (random in Z k h ) c + = r (random in Z h ) using entropy of e ID Hybrid 2

54 Combining Everything Together p Simulator programs RO identically for all inputs. p Simulator can answer all secret key queries. p Simulator can generate chall. cipher. for all identity. ü ü ü

55 Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting!

Combining Everything Together pü Simulator programs RO identically for all inputs. pü Simulator can answer all secret key queries. pü Simulator can generate chall. cipher. for all identity. Proof naturally fits the QROM setting! Moreover Ø Since the simulator never aborts, the security proof is tight. Ø Proof is (almost) as simple as in the classical setting J 56

57 4. Result 2: Extending it to Multi-Challenge

58 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) #

59 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. #

60 Tight Security for Multi-Challenge An adversary gets to query many challenge ciphertext: c - (+) = s+ A + x + c + (+) = s+ u 78 + x + + M + h CT (+) # c - ( ) = s A + x c + ( ) = s u 78 + x + M h CT ( ) Fact Ø Single-chall. can be reduced to Multi-chall. security. Ø However, the reduction is not tight and loses a factor of N in the reduction. Question Can we make the reduction loss independent of N?? #

61 Requires New Technique Previous technique does not work anymore

62 Requires New Technique Previous technique does not work anymore Why? *Proof of Single-Challenge

63 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge

64 Requires New Technique Previous technique does not work anymore Why? Not enough entropy in secret key e ID to modify all N = poly(λ) ciphertext to random!! *Proof of Single-Challenge Need to get more entropy from some other source

65 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s

66 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s

67 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s

68 Idea: Use Lossy LWE to Boost Entropy Standard LWE: (A, sa + x) where A Z h i k uniquely determines s Indistinguishable assuming the LWE problem J Lossy LWE: (AŸ, saÿ + x) where AŸ Lossy( ) leaks almost no information on s Use entropy of s 2 2 [ ] to proceed with LHL.

69 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h # #

70 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h #

71 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, Program RO to answer to secret keys query c - ( ) = s2 A + x 2, c + ( ) = s2 u 78 + x 2 + M 2 h c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r Left over hash lemma using entropy of s i #

72 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i

73 Attempt to Change CT to Random CT (2) : CT (2) : c - ( ) = s2 A + x 2, c - ( ) = s2 A + x 2, WRONG!! c + ( ) = s2 u 78 + x 2 + M 2 h When Program AŸ is RO in to Lossy answer mode, AŸe to secret keys query 78 is no longer uniform over Z i h!! c + ( ) = s2 Ae 78 + x 2 + M 2 h AŸe 78 is not universal, so cannot apply LHL! Change to Lossy LWE # # CT (2) : CT (2) : c - ( ) = s2 AŸ + x 2, *Leaks almost no information of s 2 c - ( ) = s2 AŸ + x 2, c + ( ) = s2 AŸe 78 + x 2 + M 2 h c + ( ) = r # Left over hash lemma using entropy of s i

Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u 78 - + x 2 - = s 2 u 78 + + x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 74

Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, ( ) c + - ( ) c + + = s 2 u 78 - + x 2 - = s 2 u 78 + + x 2 + In scheme, only give out one secret key e 78 s.t. Ae 78 = u 78 for random bit b. h + M 2 # h + M 2 # where u ID b H(ID b) [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 75

Fixing it by Katz-Wang Technique Double the ciphertext and use Katz-Wang technique. CT (2) : c - ( ) = s2 A + x 2, During Simulation ( ) c + - ( ) c + + = s 2 u 78 - + x 2 - = s 2 u 78 + + x 2 + h + M 2 # h + M 2 # where u ID b H(ID b) p Sim. Programs H(ID b u 78 = AŸe 78 for random bit b. p Programs H(ID 1 b u 78 +* Z h i. p Use LHL on u 78 +* which is now universal and repeat J [KW03] Katz and Wang. Efficiency improvements for signature schemes with tight security reductions. CCS. 76

5. Conclusion 77

78 Conclusion 1 Tight security proof for GPV-IBE in QROM in the single-challenge setting. 2 (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation.

79

80 *Key Lemma Used in Proof We can set (e 78, u 78 ) in reverse order! 1. Set u 78 : = H(ID) 2. Sample short e 78 s.t. Ae 78 = u 78 3. Output (e 78, u 78 ) 1. Sample short e 78 from appropriate distribution. 2. Program RO as H ID Ae 78 3. Output (e 78, u 78 ) *Discrete Gaussian Requires trapdoor T 0 Doesn t require trapdoor T 0

81 Minimum Preparation for Qunt. Crypt. Qbits is a register in superposition between a few states: 0, 1,... Notation: φ = α - 0 + α + 1 (Generally Œ α Œ x ) α - # + α + # = 1 α # = Prob. of getting b when measuring φ Given any classical function f, can compute: Œ α Œ x Œ α Œ x, f x In particular A quantum adversary can evaluate hash function H over qbits.

82 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

83 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

84 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

85 Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such programmed ROs are ind. from random functions. ü Hope the chall. identiy ID {p-fractions of inputs}. Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO.

Overcoming the Difficulty [Zha12] Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM. High level idea is Downside The reduction loss is huge. ü On p-fractions of inputs, program RO to embed hard problem. ü On the other fraction, program RO to output random values. ü Show that such ε programmed ROs are ind. from random functions. ü Hope the chall. identiy ID ε # /Q' {p-fractions of inputs}. & Adv. of breaking IBE Adv. of solving LWE Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model. [Zha12] Zhandry. Secure identity-based encryption in the quantum random oracle model. CRYPTO. 86

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback