A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Similar documents
Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

CTR mode of operation

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

On Post-Quantum Cryptography

A New Paradigm of Hybrid Encryption Scheme

Lecture 5, CPA Secure Encryption from PRFs

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

CPA-Security. Definition: A private-key encryption scheme

Post-quantum security models for authenticated encryption

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Public Key Cryptography

ASYMMETRIC ENCRYPTION

REMARKS ON IBE SCHEME OF WANG AND CAO

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

The Cramer-Shoup Cryptosystem

arxiv: v2 [cs.cr] 14 Feb 2018

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Simple SK-ID-KEM 1. 1 Introduction

BEYOND POST QUANTUM CRYPTOGRAPHY

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

From NewHope to Kyber. Peter Schwabe April 7, 2017

Strong Security Models for Public-Key Encryption Schemes

Smooth Projective Hash Function and Its Applications

On the power of non-adaptive quantum chosen-ciphertext attacks

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Applied cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

RSA-OAEP and Cramer-Shoup

Modern Cryptography Lecture 4

Chapter 11 : Private-Key Encryption

5199/IOC5063 Theory of Cryptology, 2014 Fall

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

1 Number Theory Basics

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Boneh-Franklin Identity Based Encryption Revisited

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

III. Pseudorandom functions & encryption

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Short Exponent Diffie-Hellman Problems

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 7: CPA Security, MACs, OWFs

On the Security of EPOC and TSH-ESIGN

A Strong Identity Based Key-Insulated Cryptosystem

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Provable security. Michel Abdalla

A Posteriori Openable Public Key Encryption *

Modern symmetric-key Encryption

Block ciphers And modes of operation. Table of contents

On the Selective-Opening Security of DHIES

Gentry IBE Paper Reading

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Katz, Lindell Introduction to Modern Cryptrography

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Secure Certificateless Public Key Encryption without Redundancy

Lecture Note 3 Date:

Lossy Trapdoor Functions and Their Applications

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

Cryptographical Security in the Quantum Random Oracle Model

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Oblivious Transfer (OT) and OT Extension

Type-based Proxy Re-encryption and its Construction

Lecture 18: Message Authentication Codes & Digital Signa

El Gamal A DDH based encryption scheme. Table of contents

15 Public-Key Encryption

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Lecture 17: Constructions of Public-Key Encryption

On the CCA1-Security of Elgamal and Damgård s Elgamal

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Lecture 2: Perfect Secrecy and its Limitations

Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange

G Advanced Cryptography April 10th, Lecture 11

2 Message authentication codes (MACs)

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Advanced Cryptography 1st Semester Public Encryption

RSA OAEP is Secure under the RSA Assumption

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Chosen Ciphertext Security with Optimal Ciphertext Overhead

Lecture 1: Introduction to Public key cryptography

Chosen-Ciphertext Security (I)

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Computational security & Private key encryption

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

Introduction to Cybersecurity Cryptography (Part 4)

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Public Key Cryptography

Lectures 2+3: Provable Security

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Cryptography and Security Midterm Exam

Transcription:

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018

Motivation Quantum-resistance Shor s Algorithm (1994) solves the following problems in quantum polynomial-time the integer factorization problem the discrete logarithm problem elliptic-curve discrete logarithm problem Progress in the area of quantum information and computation has influenced the growth of quantum-resistant cryptography. Defeated cryptosystems: RSA, DSA, Elliptic Curve-based,... Potential survivors: Code-, lattice-, multivariate-, isogeny-, and hash-based

Motivation Hybrid Encryption Symmetric key encryption Usually faster runnning times Requires a shared secret in advance of the protocol Asymmetric encryption Does not require a shared secret between sender and recipient Can run slower for long messages Hybrid Encryption idea Encrypt message using symmetric component under random string k, then encrypt k under the asymmetric component

Hybrid Encryption Security Definitions IND-CCA An encryption scheme satisfies indistinguishability under chosen-ciphertext attack if, given access to the decryption oracle, the advantage of an adversary A winning this game is negligible: A selects two messages m 0, m 1 and sends to a challenger C C selects b R {0, 1} and sends c b = Enc(m b ) to A A submits b {0, 1} to C and wins if b = b. Naive approach Combine IND-CCA secure symmetric component with IND-CCA secure asymmetric component to achieve IND-CCA secure hybrid encryption.

Fujisaki Okamoto transform Weaker security assumptions Fujisaki and Okamoto (1999) combined one-time symmetric encryption with one-way asymmetric encryption to achieve IND-CCA security. HY.Enc pk (m) = ASYM.Enc pk (r; H(r, m)) SYM.Enc G(r) (m) Observations: The asymmetric component encrypts randomness r The symmetric component encrypts message m under hash of randomness r There are, in a sense, two components.

Unruh s QROM-secure Fujisaki Okamoto Security in QROM Targhi and Unruh show how to modify FO transform to achieve security in the QROM. HY.Enc pk (m; r) = ASYM.Enc pk (r; H(r SYM.Enc G(r) (m))), SYM.Enc G(r) (m), H (r) Observations: The asymmetric component encrypts randomness r The symmetric component encrypts message m under hash of randomness r There is a third component that is simply the hash value of randomness r

Our contribution: QROM-secure Hybrid Encryption Let KEM.Enc(1 n, pk; r) = (k, c). Our QROM-secure hybrid construction is: Observations: HY.Enc pk (m; r) = c, SYM.Enc G(k) (m), H(k r). The asymmetric component is the ciphertext of an encapsulated key k The symmetric component encrypts message m under hash of encapsulated key k The third component is the hash value of encapsulated key k with random string r.

Hybrid Encryption Security Definitions One-way secure An asymmetric encryption scheme is said to be one-way if no polynomial-time adversary A can recover the whole plaintext from a given ciphertext. One-time secure A symmetric encryption scheme is one-time secure if no polynomial-time adversary A can distinguish between the encryption of two messages when a fresh key is used for encryption.

Preliminaries Quantum Random Oracle Model Classical Random Oracle Theoretical black box Responds to every unique query with a truly random response Disadvantage: cannot be implemented in polynomial space Advantage: enables security proofs, can be simulated in polynomial time and space A cryptosystem in the random oracle model is a cryptosystem where one or more hash functions are replaced by oracle queries to the random function.

Preliminaries Quantum Random Oracle Model Quantum information Described by qubits A single qubit can have a state of 0, 1, or any linear combination α 0 0 + α 1 1 satisfying α 0, α 1 C where α 0 2 + α 1 2 = 1 Observation permanently alters the state of a qubit Differences between QRO and RO There is no transcript of all queries to QRO Queries to the QRO in a superposition of all possible hash function inputs are allowed.

Generic Hybrid Encryption Scheme Tools KEM Let Π KEM = (KEM.Gen, KEM.Enc, KEM.Dec) be a key encapsulation mechanism with coinspace COIN KEM = {0, 1} n 1 key space K KEM = {0, 1} n 2 ciphertext space C KEM = {0, 1} n 3. The parameters n 1, n 2, n 3 depend on the security parameter n and should each be of size 2 ω(log n).

Generic Hybrid Encryption Scheme Tools Π KEM consists of the following three algorithms: KEM.Gen(1 n ) (pk, sk) KEM.Enc(1 n, pk; r) (k, c) KEM.Dec(c, sk) (k, r) or. δ-spread A key encapsulation mechanism is δ-spread if for every pk generated, max y {0,1} Pr[y = c (k, c) KEM.Enc(1 n, pk; r), $ r COIN KEM ] 1 2 δ. As defined, by Unruh, we say that the KEM Π KEM is well-spread if δ = ω(log(n)).

Generic Hybrid Encryption Scheme Tools Let Π SYM = (SYM.Enc, SYM.Dec) be a symmetric encryption scheme with key space K SYM, and message space M SYM. Two hash functions H : {0, 1} n 2 K SYM G : {0, 1} n 1+n 3 {0, 1} l

Generic Hybrid Encryption Scheme Protocol The hybrid encryption scheme Enc, on input m and security parameter n runs as follows: 1 Gen runs KEM.Gen(1 n ) to produce (pk, sk) $ 2 Enc chooses r COIN KEM, then runs KEM.Enc(1 n, pk; r) = (k, c). Enc defines α := c β := SYM.Enc G(k) (m) γ := H(k r) 3 Enc returns ciphertext (α, β, γ)

Generic Hybrid Encryption Scheme The hybrid decryption scheme Dec, on input (α, β, γ), sk runs as follows: 1 Compute (k, r) := KEM.Dec(α, sk). If value is, return. 2 If γ H(k r), return. 3 Otherwise, m := SYM.Dec G(k) (β). Return m. Theorem The hybrid scheme Π HY is IND-CCA secure in the quantum random oracle model if Π KEM is one-way secure and well-spread, and if Π SYM is one-time secure.

Security Proof - Game 0 Generate: Challenge: Guess: Return b = b H $ Ω H, G $ Ω G (pk, sk) $ KEM.Gen(1 n ), r COIN KEM m 0, m 1 A G,H,Dec hy (pk) b $ {0, 1} $ (k, c ) $ KEM.Enc(1 n, pk; r) α c β SYM.Enc G(k )(m b ) γ H(k r) b A G,H,Dec hy (α, β, γ )

Generic Hybrid Encryption Scheme Proof techniques We must apply OW2H Lemma by Unruh. Lemma One Way to Hiding Lemma: Let H : {0, 1} l 1 {0, 1} l 2 be a random oracle. Consider an oracle algorithm A 1 that makes at most q queries to H. Let C 1 be an oracle algorithm that on input x does the following: 1 Pick i $ {1,..., q}, y $ {0, 1} l 2 2 Run A H 1 (x, y) until (just before) the i-th query. 3 Measure the argument of the query in the computational basis and return the measurement outcome. If A H 1 makes less than i queries to H, then return.

Generic Hybrid Encryption Scheme Proof techniques Let PA 1, P2 A, P C be defined as follows: PA 1 := Pr[b = 1 H $ Ω H, x $ {0, 1} l 1, b A H 1 (x, H(x))] PA 2 := Pr[b = 1 H $ Ω H, x $ {0, 1} l 1, b A H 1 (x, y)] P C := Pr[x = x H $ Ω H, x $ {0, 1} l 1, x C1 H (x, i)] Then PA 1 PA 2 2q P C.

Generic Hybrid Encryption Scheme Results Proof by sequence of security games. Combining probabilities, this yields an upper bound on the success probability in Game 0: Pr[1 Game0] < 1 2 + negl(n)kem + negl(n) SYM + 2q 2 ω(logn). This scheme contributes IND-CCA secure hybrid encryption scheme believed to be quantum-resistant.

Potential constructions BIKE-KEM + AES-GCM Frodo-KEM + AES-GCM Kyber-KEM + AES-GCM https://csrc.nist.gov/projects/ post-quantum-cryptography/round-1-submissions

References Secure Integration of Asymmetric and Symmetric Encryption Schemes, Fujisaki, Eiichiro and Okamoto, Tatsuaki, CRYPTO 99, 1999 Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms, Targhi, Ehsan Ebrahimi and Unruh, Dominique, 14th International Conference on Theory of Cryptography, 2016 REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform, Okamoto, Tatsuaki and Pointcheval, David, Proceedings of the 2001 Conference on Topics in Cryptology, 2001 Quantum Computation and Quantum Information by Nielsen and Chuang, 2000

Additional slides

Formal Security Definitions One-way secure Definition A key encapsulation mechanism Π KEM = (KEM.Gen, KEM.Enc, KEM.Dec) is one-way secure if no quantum polynomial-time adversary A can win in the Game OW A,Π KEM (n) game, except with probability at most negl(n) KEM : KeyGen: The challenger C runs KEM.Gen(1 n ) to obtain a pair of keys (pk, sk) $ Query: C selects r COIN KEM and runs KEM.Enc(1 n, pk; r) to obtain a random key and ciphertext pair (k, c). C sends c to A. Guess: The adversary on input (pk, c) produces a bit string k and wins if k = k.

Formal Security Definitions One-time secure Definition A symmetric encryption scheme Π SYM = (SYM.Enc, SYM.Dec) is one-time secure if no quantum polynomial-time adversary A can win in game Game OT (n), except with probability at most A,Π SYM 1 2 + negl(n)sym : KeyGen: The challenger C picks a key k $ K SYM Query: On input 1 n, A chooses two messages m 0, m 1 of the same length and sends them to the challenger. C chooses b $ {0, 1} and responds with c $ SYM.Enc k (m b ) Guess: A produces a bit b and wins if b = b.

Formal Security Definitions IND-CCA in QROM Definition A hybrid encryption scheme Π HY is IND-CCA in the QROM if no efficient quantum adversary A can win in the Game CCA QRO (n), A,Π HY except with probability at most 1 2 + negl(n): KeyGen: The challenger runs Gen on input n, which runs KEM.Gen(1 n ) to produce (pk, sk). Query: The adversary A is given the public key pk along with classical access to the decryption oracle and quantum access to the random oracles G, H. A chooses two messages m 0, m 1 of the same length and sends them to the challenger C. C chooses b $ {0, 1} and responds with c Enc pk (m b ). Guess: A continues to send classical decryption queries to Dec, but may not query c. A also sends quantum queries to random oracles G, H.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback