Lattice-based Signcryption without Random Oracles - - PowerPoint PPT Presentation

Lattice-based Signcryption without Random Oracles

𝐓𝐢𝐣𝐨𝐡𝐩 𝐓𝐛𝐮𝐩 Junji Shikata

Graduate School of Environment and Information Sciences, Yokohama National University, Japan

Overview

• Lattice-based Cryptography
• The cryptosystem is based on lattice problems and has

quantum-resistance.

• It is possible to realize a lot of functionalities of

cryptosystems.

• Signcryption
• Cryptosystem meeting both securities of public key

encryption (PKE) and digital signatures (DSs)

• The public-key based “authenticated encryption”

We propose

• A construction of signcryption based on lattice problems, and
• Hybrid encryption of signcryption based on this construction

with data encapsulation mechanism (DEM)

2

Lattice

The lattice generated by 𝑜 linearly independent vectors 𝒄𝟐, 𝒄𝟑, … , 𝒄𝒐 ∈ ℝ𝑛 is defined as 𝑀 𝒄𝟐, … , 𝒄𝒐 = ∑𝑦𝒋𝒄𝒋 𝑦𝒋 ∈ ℤ . It is often written by 𝑀 𝑪 = 𝑪𝒚 𝒚 ∈ ℤ𝑜 , where 𝑪 ≔ 𝒄𝟐, … , 𝒄𝒐 ∈ ℝ𝑛×𝑜 is the lattice basis. As the norm of vectors, we consider the Euclid norm: 𝒘 = 𝑤1

2 + ⋯ + 𝑤𝑜 2

for 𝒘 = 𝑤1, … , 𝑤𝑜 ∈ ℝ𝑜. 3

Lattice Problems

• 𝐻𝑏𝑞𝑇𝑊𝑄

𝛿:

• Given a lattice basis 𝑪, 𝑠 ∈ ℝ,
• Decide whether the shortest vector 𝒘(∈ 𝑀 𝑪 ∖ 𝑷 ) fulfills

𝑤 ≤ 𝑠 or 𝑤 > 𝛿 ⋅ 𝑠

• Learning with Errors and Small Integer Solution

(LWE and SIS) ✓ It is possible to reduce from lattice problems to these problems. ✓ The average-case problems are at least as hard as the worst-case problems. ✓ It is possible to realize a lot of cryptosystems such as fully homomorphic encryption, attribute-based encryption, searchable encryption and so on.

4

Definitions of LWE and SIS

• 𝑴𝑿𝑭𝑟,𝛽 (Decisional version)
• The LWE distribution 𝐵(𝒕, 𝜚):
• Input: 𝒕 ∈ ℤ𝒓

𝒐 and a Gaussian distribution 𝜚 with the center

0 and the standard deviation 𝛽𝑟

• Output (*): 𝒃1, 𝑐1 , … , 𝒃𝑛, 𝑐𝑛 ∈ ℤ𝑟

𝑜 × ℤ𝑟,

where 𝑐𝑗 = 𝒕⊤𝒃𝑗 + 𝑓𝑗, 𝒃𝑗 ՚

𝑉 ℤ𝑟 𝑜, 𝑓𝑗 ՚ 𝜚 for 𝑗 ∈ {1, … , 𝑛}

• Input: 𝒃1, 𝑐1 , … , 𝒃𝑛, 𝑐𝑛 ∈ ℤ𝑟

𝑜 × ℤ𝑟,

• Decide whether the input sequence is sampled from the

LWE distribution or uniformly at random in ℤ𝑟

𝑜 × ℤ𝑟

(*) Let 𝑩 ≔ 𝒃1, … , 𝒃𝑛 and 𝒇⊤ ≔ 𝑓1, … , 𝑓𝑛 , then the LWE samples can be expressed by 𝒄 = 𝒕⊤𝑩 + 𝒇⊤ mod 𝑟

• 𝑻𝑱𝑻𝑟,𝛾
• Input: 𝑩 ∈ ℤ𝑟

𝑜×𝑛,

• Find: 𝒇 ∈ ℤ𝑛 s.t. 𝑩𝒇 = 𝟏 mod 𝑟 and 𝒇

≤ 𝛾

5

Signcryption [Z97]

6

• Signcryption schemes meet both functionalities of PKE and DS

(both of confidentiality and integrity).

• It is used to construct secure channels from insecure ones such

as the Internet

Message

Unsigncrypt

Receiver’s Public-Key Sender’s Secret-Key Sender’s Public-Key Receiver’s Secret-Key Ciphertext

Signcrypt

Sender Receiver

• r

invalid

[Z97] Y. Zheng, “Digital Signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption),” CRYPTO 1997.

The Security Model [ADR02]

7

We consider IND-CCA and sUF-CMA security against insiders in the multi-user setting (MU-IND-iCCA and MU-sUF-iCMA).

• Securities in the two-user setting doesn’t always imply ones in the multi-

user setting.

• Inside adversaries are stronger than outside ones.

Mutli-User setting Two-User setting

Outsider Insider

[ADR02] J. H. An, Y. Dodis, and T. Rabin, “On the security of joint signature and encryption,” EUROCRYPT 2002.

Our Proposal

Main purpose:

To construct a lattice-based signcryption scheme

• Meeting both of MU-IND-iCCA and MU-sUF-iCMA security
• More efficient than the existing constructions in terms of key-

sizes and ciphertext-size

To achieve these, we propose the following constructions

1. A direct construction based on lattice problems 2. Hybrid encryption variant of signcryption (hybrid signcryption)

• btained by combining this construction and an IND-OT secure

DEM.

The existing constructions [CMSM11,NS13]:

• These are generic constructions satisfying both securities of MU-IND-

iCCA and MU-sUF-iCMA.

• We can obtain lattice-based ones by applying lattice-based primitives.

8

The Model

9

Setup phase： 𝑞𝑠𝑛 ՚ Setup(1𝑜) Key-Generation: (𝑞𝑙𝑇, 𝑡𝑙𝑇) ՚ KeyGen𝑇(𝑞𝑠𝑛) Key-Generation: (𝑞𝑙𝑆, 𝑡𝑙𝑆) ՚ KeyGen𝑆(𝑞𝑠𝑛) Signcrypt: 𝐷 ՚ SC (𝑞𝑙𝑆, 𝑡𝑙𝑇, 𝜈) Unsigncrypt: 𝜈/⊥՚ USC (𝑞𝑙𝑇, 𝑡𝑙𝑆, 𝐷)

𝐷

𝑜: Security parameter, 𝑞𝑠𝑛: Public parameter, 𝑞𝑙𝑇: Sender’s public key, 𝑞𝑙𝑆: Receiver’s public key, 𝑡𝑙𝑇: Sender’s secret key, 𝑡𝑙𝑆: Receiver’s secret key, 𝜈: Message, 𝐷: Ciphertext ⊥: Invalid

Sender Receiver

The Security Definition (1/2)

10 MU-IND-iCCA security

In the following game, if any adversary 𝐵′s advatage 𝐵𝑒𝑤𝐵

MU−IND−iCCA(𝑜) ≔ | Pr 𝑐′ = 𝑐 − 1 2 | < negl 𝑜 holds,

Signcryption meets MU-IND-iCCA security.

Challenger Adversary 𝐵 𝜈0, 𝜈1, 𝑞𝑙𝑇

∗, 𝑡𝑙𝑇 ∗

𝑐 ՚

𝑉 {0,1}

𝐷∗ ՚ SC(𝑞𝑙𝑆, 𝑡𝑙𝑇

∗, 𝜈𝑐)

𝐷∗ 𝑐′ 𝑞𝑙𝑇(≠ 𝑞𝑙𝑇

∗),

𝐷(≠ 𝐷∗) 𝜈 Unsigncrypt Oracle 𝑐′ ∈ {0,1} 𝑐′ ? = 𝑐 𝑞𝑠𝑛 ՚ Setup(1𝑜) 𝑞𝑙𝑆, 𝑡𝑙𝑆 ՚ KeyGen𝑆 (𝑞𝑠𝑛)

MU-IND-iCCA=Multi-User Indistinguishability against insider Chosen Ciphertext Attack

The Security Definition (2/2)

11 MU-sUF-iCMA security

In the following game, if any adversary 𝐵’s advantage 𝐵𝑒𝑤𝐵

MU−sUF−iCMA 𝑜 ≔ Pr 𝐵 wins < negl(𝑜) holds,

Signcryption meets MU-sUF-iCMA security.

Challenger Adversary 𝐵 𝑞𝑠𝑛, 𝑞𝑙𝑇 𝑞𝑠𝑛 ՚ Setup(1𝑜) 𝑞𝑙𝑇, 𝑡𝑙𝑇 ՚ KeyGen𝑇 (𝑞𝑠𝑛) 𝑞𝑙𝑆

∗, 𝑡𝑙𝑆 ∗, 𝐷∗

𝜈(𝑗), 𝑞𝑙𝑆

(𝑗)

𝐷(𝑗) Signcrypt Oracle [𝐵 wins]: USC 𝑞𝑠𝑛, 𝑞𝑙𝑇, 𝑡𝑙𝑆

∗, 𝐷∗ = 𝜈∗ ∧

∀𝑗 ∈ 1, … , 𝑅 , 𝑞𝑙𝑆

∗, 𝜈∗, 𝐷∗ ≠ 𝑞𝑙𝑆 𝑗 , 𝜈 𝑗 , 𝐷(𝑗)

𝑅 queries

MU-sUF-iCMA=Multi-User strong Unforgeability against insider Chosen Message Attack

Primitives used in Our Construction

12

Tag-based Trapdoor Function [MP12] Digital Signature (sUF-naCMA) [MP12]

+

Direct Construction

Unforgeability MU-sUF-iCMA

+

Signcryption Confidentiality MU-IND-iCCA

Collision-Resistant Hash Function [MR07]

+

Based on LWE Based on SIS [MP12] D. Micciancio, C. Peikert: “Trapdoor for lattices: Simpler, tighter, faster, smaller,” EUROCRYPT 2012. [MR07] D. Micciancio, O. Regev: “Worst-case to average-case reductions based on gaussian measures,” SIAM J. Comput. 2007.

The Problem of Sign-then-Encrypt paradigm

13

Adversary

𝜈, 𝑞𝑙𝑆 𝐷

Signcrypt Oracle

Dec 𝑡𝑙𝑆, 𝜏 → 𝜈||𝑇 Enc 𝑞𝑙𝑆, (𝜈||𝑇); 𝑠’ → 𝐷∗ A valid forgery (𝑞𝑙𝑆, 𝑡𝑙𝑆, 𝐷∗) in the MU-sUF-iCMA game Sign 𝑡𝑙𝑇, 𝜈 → 𝑇 Enc 𝑞𝑙𝑆, (𝜈||𝑇); 𝑠 → 𝐷 where 𝑠 is a random number

In the MU-sUF-iCMA game, inside adversaries can generate forgeries as follows: 1. Submit a query to the signcrypt oracle and receive the response, 2. Decrypt the message/signature-pair (𝜈, 𝑇) by using 𝑡𝑙𝑆, 3. Encrypt (𝜈, 𝑇) again and output a forgery 𝐷∗.

Basic Idea of Our Construction

Our Idea to solve the problem: Generate a signature on injective tag-based trapdoor functions (TDFs) of LWE 𝑕𝐵 𝑢𝑏𝑕, 𝑡; 𝑦 = 𝑡⊤𝐵𝑢𝑏𝑕 + 𝑦⊤ ∈ ℤ𝑟

𝑛 [MP12]

14

ҧ 𝑑 = 𝑕𝐵(𝑢𝑏𝑕, 𝑡; 𝑦)

𝑇 = Sign(𝑡𝑙𝑇, 𝜈|| ҧ 𝑑) Encryption: 𝑑 = ҧ 𝑑 + (𝜈 ∥ 𝑇) ⇒ ciphertext 𝐷 = (𝑑, 𝑠)

𝑔

𝐶(𝑞𝑙𝑇, 𝑠)

𝑢𝑏𝑕

𝜈: Message 𝑡, 𝑦: The input of LWE-based TDFs 𝑠: Random value 𝑔

𝐶(⋅): Lattice-based collision-resistant

hash function (with a parameter 𝐶) Overview of SC algorithm

Why can the Idea solve the Problem ?

• The reason that simple Sign-then-Encrypt constructions

are broken: By using a new random number, it is possible to compute a ciphertext on the message/signature pair generated by the SC oracle.

• The process of our Construction

Our 𝑇𝐷 algorithm generates a signature on both of a message and the input (random number) of the LWE-based trapdoor function [MP12] ⇒ To use new random numbers, adversaries have to break the underlying digital signature. 15

Our Lattice-based Signcryption (1/3)

𝑞𝑠𝑛 ՚ 𝑇𝑓𝑢𝑣𝑞 1𝑜 :

• 𝑟 = 𝑞𝑝𝑚𝑧(𝑜)
• ഥ

𝑛 = 𝑃 𝑜log 𝑟

• 𝑛 = ഥ

𝑛 + 𝑜 log 𝑟

• 𝛽−1 = 𝑃 𝑜log 𝑟 ⋅ 𝜕( log 𝑜)
• 𝜀 = 𝑃 𝑜log 𝑟 ⋅ 𝜕( log 𝑜)
• ℓ: the bit-length of messages
• 𝑞 = Ω(𝑟𝜀−1)
• 𝐻: a gadget matrix [MP12]
• 𝐵1, … , 𝐵𝑜 log 𝑟 ՚ ℤ𝑟

𝑜×𝑛

• 𝐶 ՚ ℤ𝑟

𝑜×𝑛

• Output

𝑞𝑠𝑛 = (𝑜, 𝑟, ഥ 𝑛, 𝑛, 𝛽, 𝜀, ℓ, 𝑞, 𝐻, 𝐵1, … , 𝐵𝑜 log 𝑟 ,𝐶)

𝑞𝑙𝑆, 𝑡𝑙𝑆 ՚ 𝐿𝑓𝑧𝐻𝑓𝑜𝑆 𝑞𝑠𝑛

1. ҧ 𝐵𝑆 ՚ ℤ𝑟

𝑜×𝑛,

2. 𝑈𝑆 ՚ 𝐸𝜀

ഥ 𝑛×𝑜⌈log 𝑟⌉

3. 𝐵𝑆 = [𝐵𝑆 ∣ −𝐵𝑆 ⋅ 𝑈𝑆] 4. Output 𝑞𝑙𝑆 = 𝐵𝑆, 𝑡𝑙𝑆 = 𝑈𝑆

𝑞𝑙𝑇, 𝑡𝑙𝑇 ՚ 𝐿𝑓𝑧𝐻𝑓𝑜𝑇(𝑞𝑠𝑛)

1. ҧ 𝐵𝑇 ՚ ℤ𝑟

𝑜×𝑛,

2. 𝑈

𝑇 ՚ 𝐸𝜀 ഥ 𝑛×𝑜⌈log 𝑟⌉

3. 𝐵𝑇 = [𝐵𝑇 ∣ 𝐻 − 𝐵𝑇 ⋅ 𝑈

𝑇]

4. Output 𝑞𝑙𝑇 = 𝐵𝑇, 𝑡𝑙𝑇 = 𝑈

𝑇

16

Our Lattice-based Signcryption (2/3)

𝐷 ՚ 𝑇𝐷(𝑞𝑙𝑆, 𝑡𝑙𝑇, 𝜈):

1. 𝑠

𝑓, 𝑠 𝑡 ՚ 𝐸𝜕 log 𝑜 𝑛

, 2. 𝑢 = 𝑔𝐵𝑆 𝑞𝑙𝑡 + 𝑔

𝐶 𝑠 𝑓 ∈ ℤ𝑟 𝑜,

3. 𝐵𝑆 = [𝐵𝑆 ∣ 𝐼 𝑢 𝐻 − 𝐵𝑆 ⋅ 𝑈𝑆] 4. 𝑡 ՚ ℤ𝑟

𝑜, 𝑦0 ՚ 𝐸𝛽𝑟 𝑛 , 𝑦1 ՚ 𝐸𝛽𝑟 ℓ ,

5. ഥ 𝑑0 = 𝑡⊤𝐵𝑆,𝑢 + 𝑞𝑦0

⊤ ∈ ℤ𝑟 𝑛,

6. ഥ 𝑑1 = 𝑡⊤𝑉 + 𝑞𝑦1

⊤ ∈ ℤ𝑟 ℓ

7. ҧ 𝐷 = ( ഥ 𝑑0, ഥ 𝑑1, 𝑠

𝑓),

8. Generate a signature on 𝜈 ∥ 𝑞𝑙𝑆 ∥ ҧ 𝐷,

• ℎ = 𝑔

𝐵𝑇 𝜈 ∥ 𝑞𝑙𝑆 ∥

ҧ 𝐷 + 𝑔

𝐶 𝑠 𝑡 ∈ ℤ𝑟 𝑜,

• 𝐵𝑇,ℎ =

𝐵𝑇 𝐵0 + ∑𝑗=1

𝑜⌈log 𝑟⌉ ℎ𝑗 ⋅ 𝐵𝑗 ,

• 𝑓 ՚ 𝑇𝑏𝑛𝑞𝑚𝑓 𝑈

𝑇, 𝐵𝑇,ℎ, 𝑣𝑇, 𝜀 ,

• (𝑓, 𝑠

𝑡) is the signature,

9. 𝑑0 = ഥ 𝑑0 + 𝑠

𝑡 ∈ ℤ𝑟 𝑛, 𝑑1 = ഥ

𝑑1 + 𝑞 ⋅ 𝜈

𝑟 2 ∈ ℤ𝑟 ℓ

• 10. Output 𝐷 = (𝑑0, 𝑑1, 𝑠

𝑓, 𝑓)

17

Our Lattice-based Signcryption (3/3)

𝜈/⊥՚ 𝑉𝑇𝐷 𝑞𝑙𝑇, 𝑡𝑙𝑆, 𝐷 :

1. 𝑢 = 𝑔𝐵𝑆 𝑞𝑙𝑇 + 𝑔

𝐶 𝑠 𝑓 ∈ ℤ𝑟 𝑜,

2. 𝑨, 𝑠

𝑡 ՚ 𝐽𝑜𝑤𝑓𝑠𝑢 𝑈𝑆, 𝐵𝑆,𝑢, 𝑑0 ,

3. 𝐹 ՚ 𝑇𝑏𝑛𝑞𝑚𝑓 𝑈𝑆, 𝐵𝑆,𝑢, 𝑉, 𝜀 , 4. 𝑤⊤ = 𝑑1

⊤ − 𝑑0 ⊤𝐹 = 𝑞 ቀ

ቁ 𝑦1

⊤ +

𝜈

𝑟 2 − 𝑦0 ⊤𝐹 ,

5. Recover 𝜈 from 𝑤/𝑞 6. Output 𝜈 if 𝐵𝑇,ℎ ⋅ 𝑓 = 𝑣𝑇 mod 𝑟 and 𝒇 ≤ 𝜀 𝑛 + 𝑜⌈log 𝑟⌉ , or

• utput ⊥ otherwise.

where

• ഥ

𝑑0: = 𝑑0 − 𝑠

𝑡, ഥ

𝑑1: = 𝑑1 − 𝑞 ⋅ 𝜈

𝑟 2 , ҧ

𝐷: = ഥ 𝑑0, ഥ 𝑑1, 𝑠

𝑓 ,

• ℎ: = 𝑔𝐵𝑇 𝜈 ∥ 𝑞𝑙𝑆 ∥

ҧ 𝐷 + 𝑔

𝐶(𝑠 𝑡),

• 𝐵𝑇,ℎ: = [𝐵𝑇 ∣ 𝐵0 + ∑𝑗=1

⌈𝑜log 𝑟⌉ 𝐵𝑗],

18

The Security of the Lattice-based Signcryption

Theorem 1.

• Our lattice-based signcryption meets MU-IND-iCCA

security, if the 𝑀𝑋𝐹𝑟,𝛽 assumption holds for 𝛽−1 = 𝑃 𝑜2log2 𝑟 ⋅ 𝜕 log 𝑜 .

• Our lattice-based signcryption meets MU-sUF-iCMA

security, if the 𝑇𝐽𝑇𝑟,𝛾 assumption holds for 𝛾 = 𝑃 𝑜2.5log2.5 𝑟 ⋅ 𝜕(log 𝑜). 19

Hybrid enc. version of Our Signcryption (HSC)

𝐷 ՚ 𝑇𝐷(𝑞𝑙𝑆, 𝑡𝑙𝑇, 𝜈):

1. 𝐿 ՚ 0,1 ℓ,𝑠

𝑓, 𝑠 𝑡 ՚ 𝐸𝜕 log 𝑜 𝑛

, 2. 𝑢 = 𝑔𝐵𝑆 𝑞𝑙𝑡 + 𝑔

𝐶 𝑠 𝑓 ∈ ℤ𝑟 𝑜,

3. 𝐵𝑆 = [𝐵𝑆 ∣ 𝐼 𝑢 𝐻 − 𝐵𝑆 ⋅ 𝑈𝑆] 4. 𝑡 ՚ ℤ𝑟

𝑜, 𝑦0 ՚ 𝐸𝛽𝑟 𝑛 , 𝑦1 ՚ 𝐸𝛽𝑟 ℓ ,

5. ഥ 𝑑0 = 𝑡⊤𝐵𝑆,𝑢 + 𝑞𝑦0

⊤ ∈ ℤ𝑟 𝑛,

6. ഥ 𝑑1 = 𝑡⊤𝑉 + 𝑞𝑦1

⊤ ∈ ℤ𝑟 ℓ

7. ҧ 𝐷 = ( ഥ 𝑑0, ഥ 𝑑1, 𝑠

𝑓),

8. Generate a signature on 𝜈 ∥ 𝑞𝑙𝑆 ∥ ҧ 𝐷 ∥ 𝐿,

• ℎ = 𝑔

𝐵𝑇 𝜈 ∥ 𝑞𝑙𝑆 ∥

ҧ 𝐷 ∥ 𝐿 + 𝑔

𝐶 𝑠 𝑡 ∈

ℤ𝑟

𝑜,

• 𝐵𝑇,ℎ =

𝐵𝑇 𝐵0 + ∑𝑗=1

𝑜⌈log 𝑟⌉ ℎ𝑗 ⋅ 𝐵𝑗 ,

• 𝑓 ՚ 𝑇𝑏𝑛𝑞𝑚𝑓 𝑈

𝑇, 𝐵𝑇,ℎ, 𝑣𝑇, 𝜀 ,

• (𝑓, 𝑠

𝑡) is the signature,

9. 𝑑0 = ഥ 𝑑0 + 𝑠

𝑡 ∈ ℤ𝑟 𝑛,

𝑑1 = ഥ 𝑑1 + 𝑞 ⋅ 𝐿 𝑟 2 ∈ ℤ𝑟

ℓ,

10. 𝑑2 = 𝐸𝐹𝑁. 𝐹𝑜𝑑(𝐿, 𝜈),

• 11. Output 𝐷 = (𝑑0, 𝑑1, 𝑑2, 𝑠

𝑓, 𝑓)

20

𝑇𝑓𝑢𝑣𝑞, 𝐿𝑓𝑧𝐻𝑓𝑜𝑆, 𝐿𝑓𝑧𝐻𝑓𝑜𝑇, 𝑉𝑇𝐷 are almost the same as those of the lattice-based construction.

The Security of HSC

Theorem 2.

• HSC meets MU-IND-iCCA security, if the 𝑀𝑋𝐹𝑟,𝛽

assumption holds for 𝛽−1 = 𝑃 𝑜2log2 𝑟 ⋅ 𝜕 log 𝑜 and DEM satisfies IND-OT security.

• HSC meets MU-sUF-iCMA security, if the 𝑇𝐽𝑇𝑟,𝛾

assumption holds for 𝛾 = 𝑃 𝑜2.5log2.5 𝑟 ⋅ 𝜕(log 𝑜) and DEM is one-to-one (*).

(*) one-to-one property: DEM is one-to-one if for any message 𝜈 and any key 𝐿, there is only one ciphertext 𝑑 such that 𝜈 = 𝐸𝐹𝑁. 𝐸𝑓𝑑(𝐿, 𝑑).

21

Lattice-based Constructions

Construction Primitive 𝑇𝐷𝑈𝐿 [CMSM11]

• IND-Tag-CCA secure Tag-based KEM
• IND-CCA secure DEM
• sUF-CMA secure DS

𝑇𝐷𝐿𝐹𝑁 [CMSM11]

• IND-CCA secure KEM
• IND-OT secure DEM
• sUF-CMA secure DS
• sUF-OT secure MAC

𝑇𝐷𝐷𝐼𝐿 [NS13]

• IND-sID-CPA secure ID-based Encryption
• UF-CMA secure DS
• sUF-OT secure One-time Signature

Our Construction 𝐼𝑇𝐷

• The First Lattice-based Construction
• IND-OT secure DEM

22

To compare lattice-based schemes fairly, we compare our hybrid Signcryption (HSC) scheme with others, because other constructions [CMSM11] are based on the KEM/DEM framework.

Concrete Existing Constructions

Existing Construction Applied Constructions of Primitives 𝑇𝐷𝑈𝐿 [CMSM11]

• Tag-based KEM ([MP12] and [CHKP12])
• DEM
• DS ([MP12] and [CHKP12])

𝑇𝐷𝐿𝐹𝑁 [CMSM11]

• KEM ([MP12] and [BCHK07])
• DEM
• DS ([MP12] and [CHKP12])
• MAC

𝑇𝐷𝐷𝐼𝐿 [NS13]

• ID-based Encryption [ABB10]
• DS [B10]
• One-time Signature [LM08]

23

[ABB10] S. Agrawal, D. Boneh, X. Boyen, “Efficient lattice (H)IBE in the standard model,” EUROCRYPT 2010. [B10] X. Boyen, “Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more,” PKC 2010. [CHKP12] D. Cash, D. Hofheinz, E. Kiltz, C. Peikert: “Bonsai trees, or how to delegate a lattice basis,” J. Cryptology 2012. [LM08] V. Lyubashevsky, D. Micciancio, “Asymptotically efficient lattice-based digital signatures,” TCC 2008.

Comparison

24

Construction Receiver’s key size Sender’s key size Ciphertext size Public key Secret key Public key Secret key 𝑇𝐷𝑈𝐿 3𝑜𝑛 log 𝑟 + 𝑜𝐿 log 𝑟 𝑜𝑛log 𝑟 log 𝑒 3𝑜𝑛 log 𝑟 𝑜𝑛log 𝑟 log 𝑒 𝑛 + 𝐿 log 𝑟 + 3𝑛 log 𝑒 + ℓ 𝑇𝐷𝐿𝐹𝑁 2𝑜𝑛 log 𝑟 + 𝑜𝐿 log 𝑟 2𝑛 + 𝐿 log 𝑟 + 2𝑛 log 𝑒 + 2𝑜log 𝑟 + ℓ 𝑇𝐷𝐷𝐼𝐿 𝑜𝑛 log 𝑟 + 𝑜𝐿 log 𝑟 (Best) 𝑜𝑛 log 𝑟 (Best) 2𝑛 + 𝐿 log 𝑟 + 𝑛 log 𝑒 + ℓ + |𝑤𝑙| Our Const. 𝐼𝑇𝐷 𝑛 + 𝐿 log 𝑟 + 2𝑛 log 𝑒 + ℓ 𝑜: security parameter, 𝑟: a large enough prime, |𝜈|: the bit-length of a message 𝑛 = Ω(𝑜log 𝑟), 𝐿: DEM’s symmetric key, 𝑒 < 𝑟: a positive integer |𝑤𝑙|: the bit-lenthg of One-Time Signature’s verification key size

Comparison Based on Parameters of [LP11]

25

Comparison of ciphertext Ciphertext-Size (Bit-length) 𝑇𝐷𝑈𝐿 5.5 × 105 𝑇𝐷𝐿𝐹𝑁 5.2 × 105 𝑇𝐷𝐷𝐼𝐿 45.3 × 105 Our Const. 𝐼𝑇𝐷 4.0 × 105 (Best) Parameters Size [bits] 𝑜 256 𝑟 4093 𝑛 9215 𝐿 512 𝑒 49148 𝑤𝑙 ≈ 𝑜2log2 𝑜 42.0 × 105

[ACF+15] M.R. Albrecht, C. Cid, J. Faug ư ere, R. Fitzpatrick, L. Perret: “On the complexity of the BKW algorithm on LWE,” Des. Codes Cryptography 2015. [LP11] R. Lindner, C. Peikert: “Better ey sizes (and attacks) for LWE-based encryption,” CT-RSA 2011.

Note: We can observe that our construction is best, even if we apply other parameters in [ACF+15].

Conclusion

We did the following:

• Proposing a lattice-based construction meeting both MU-

IND-iCCA and MU-sUF-iCMA security;

• Constructing a hybrid signcryption by combining the

lattice-based construction and an IND-OT secure DEM;

• Showing that public-key sizes and ciphertext size of the

hybrid signcryption are smaller than those of the existing constructions. 26