SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL - - PowerPoint PPT Presentation



SLIDE 1

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL

Mark Zhandry – Stanford University

SLIDE 2

Random Oracle Model (ROM)

  • Sometimes, we can't prove a scheme secure in the standard model.
  • Instead, model a hash function as a random oracle, and prove security in this model [BR 1993]

SLIDE 3

Why Use the Random Oracle Model?

  • The most efficient schemes are often only proved secure in the random oracle model
  • True even in the post-quantum world
    • RO-based GPV signatures are more efficient than the non-RO CHKP and ABB signatures [GPV 2009, CHKP 2010, ABB 2010]
    • RO-based Hierarchical IBE is more efficient than the non-RO versions
  • Unfortunately, these schemes are only proved secure in the classical ROM
    • Only classical queries to the random oracle are considered
SLIDE 4

The Quantum Random Oracle Model

  • Interaction with primitives is still classical
  • Allow quantum queries to the random oracle
    • When instantiated, the random oracle is replaced with a hash function
    • The code for the hash function is part of the specification
    • The adversary can therefore evaluate the hash function on a quantum superposition
SLIDE 5

The Quantum Random Oracle Model (QROM)

[Figure: Alice and Bob communicate over a classical channel; communication stays classical. The adversary has access to the oracle $H$ and queries it in superposition, $x \mapsto H(x)$.]

SLIDE 6

Security in the QROM

Example: Signatures

[Figure: game between a challenger and an adversary. The challenger sends $pk$. The adversary submits messages $m_i$ and receives $\mathrm{Sign}^H(sk, m_i)$; these signing queries are classical. The adversary queries the random oracle in superposition, sending $\sum_x \alpha_x |x\rangle$ and receiving $\sum_x \alpha_x |H(x)\rangle$. Finally the adversary outputs a forgery $(m, \sigma)$ and the challenger outputs 0 or 1.]

SLIDE 7

Security Proofs in the QROM

  • Classical random oracle model security proofs do not carry over to the quantum setting
  • Difficulties:
    • Simulating the random oracle
    • Peeking into the adversary
    • Programming the random oracle
SLIDE 8

Previous Results [Boneh et al. 2011] (cited below as BDF+ 2011)

  • Separation: there exist schemes secure in the classical ROM against quantum adversaries, but insecure in the quantum ROM
  • Some classical proofs can be adapted to the quantum setting:
    • Answer RO queries randomly, in the same way across all queries
    • Use a pseudorandom function to generate the randomness
    • Examples:
      • GPV Signatures [GPV 2009]
      • Full Domain Hash with specific trapdoor permutations [Coron 2000]
      • Katz-Wang Signatures [KW 2003]
      • Hybrid encryption scheme

SLIDE 9

Our Results

  • Simulating the random oracle without additional assumptions
  • New security proofs in the quantum random oracle model:
    • Identity-Based Encryption
    • Hierarchical Identity-Based Encryption
    • Generic Full-Domain Hash
  • New tools for arguing the indistinguishability of oracle distributions by quantum adversaries

SLIDE 10

Common Proof Technique in Classical ROM

  • Start with an adversary A that makes q queries to the random oracle H
  • Construct B that solves some problem:
    • Pick a random query i
    • For all other queries, answer in a way that looks random
    • For query i, plug in some challenge c
    • If A happens to use query i, then we can solve our problem
    • A uses query i with probability 1/q, so this happens with non-negligible probability

SLIDE 11–15

Common Proof Technique in Classical ROM (animated diagram)

[Figure: the oracle seen by the adversary is filled in one classical query at a time. Query $x_1$ is answered with a fresh random value $R_1$, query $x_2$ with $R_2$, query $x_3$ (the randomly chosen query i) with the challenge $c$, and query $x_4$ with $R_4$.]

SLIDE 16–21

Quantum Attempt 1 (animated diagram)

Pick query i at random

[Figure: the oracle seen by the adversary is a table holding an independent random value $R_x$ for every input $x$. For each query other than i, the adversary sends $\sum_x \alpha_x |x\rangle$ and receives $\sum_x \alpha_x |R_x\rangle$. For query i (the third query in the animation) every position of the table is replaced by $c$, so the adversary sends $\sum_x \gamma_x |x\rangle$ and receives $\sum_x \gamma_x |c\rangle$. On the following query the table is back to the random values $R_x$.]

Query i is inconsistent with the other queries and does not look random

SLIDE 22–24

Quantum Attempt 2 (animated diagram)

Pick x* at random

[Figure: the oracle seen by the adversary is random everywhere except at the single point $x^*$, where it equals $c$. A query $\sum_x \alpha_x |x\rangle$ is answered with $|\psi\rangle = \sum_{x \neq x^*} \alpha_x |R_x\rangle + \alpha_{x^*} |c\rangle$.]

Adversary uses c with exponentially small probability

SLIDE 25–26

Our Solution (animated diagram)

Pick a small set S at random

[Figure: the oracle seen by the adversary is random outside $S$ and equal to $c$ on every point of $S$. A query $\sum_x \alpha_x |x\rangle$ is answered with $|\psi\rangle = \sum_{x \notin S} \alpha_x |R_x\rangle + \sum_{x \in S} \alpha_x |c\rangle$.]

SLIDE 27–28

Semi-Constant Distributions

  • Parameterized by λ
  • Pick a set S as follows: each x in the domain is in S independently with probability λ
  • Pick a random c
  • For all x in S, set H(x) = c
  • For all other x, choose H(x) randomly and independently

Theorem: Any quantum adversary making q queries to a semi-constant function can only tell it's not random with probability $O(q^4\lambda^2)$

SLIDE 29

Quantum Security Proof

  • Suppose the adversary wins with probability ε
  • Pick the set S, but still let the oracle be random
  • Probability that the adversary uses one of the points in S: λ
  • Probability that it wins and uses a point in S: λε
  • Now set H(x) = c for all x in S
  • Probability we succeed: $\lambda\varepsilon - O(q^4\lambda^2)$
  • Choose λ to maximize this, i.e. $\lambda = \Theta(\varepsilon/q^4)$
  • Succeed with probability about $\varepsilon^2/q^4$ (up to constants)
SLIDE 30

Generating the Random Values

[Figure: the oracle seen by the adversary, with every position in S set to $c$ and every other position holding its own random value $R_x$.]

Need to generate random values for exponentially many positions

SLIDE 31–32

Generating the Random Values

  • BDF+ 2011:
    • Assume the existence of a quantum-secure PRF
    • Pick a random key k before any queries
    • Let $R_x = \mathrm{PRF}(k, x)$
  • Our solution:
    • The adversary makes some polynomial number q of queries
    • Pick a random 2q-wise independent function f
    • Let $R_x = f(x)$
    • We show 2q-wise independence suffices using a standard technique called the polynomial method
  • We can remove the quantum-secure PRF assumption from prior results as well
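One way to instantiate the 2q-wise independent function, as an added Python example that is not the talk's or the paper's own code: a uniformly random polynomial of degree below k over a prime field $\mathrm{GF}(p)$ is a k-wise independent function, because Lagrange interpolation is a bijection between the $p^k$ coefficient vectors and the $p^k$ possible output vectors on any k distinct points. The block checks that claim exhaustively on tiny parameters. Using a prime field and identifying both inputs and outputs with field elements is a simplification chosen here; the slides do not fix a particular construction, and a real simulator would work over a field matching the hash function's input and output lengths.

```python
import random
from itertools import product


def eval_poly(coeffs, x, p):
    """Evaluate sum_j coeffs[j] * x^j over GF(p) by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


class KWiseIndependentFunction:
    """A random polynomial of degree < k over GF(p), p prime, viewed as a
    function GF(p) -> GF(p). On any k distinct inputs its outputs are
    jointly uniform, i.e. it is k-wise independent."""

    def __init__(self, k, p, rng):
        self.k, self.p = k, p
        self.coeffs = [rng.randrange(p) for _ in range(k)]   # k coefficients, degree < k

    def __call__(self, x):
        return eval_poly(self.coeffs, x % self.p, self.p)


def qrom_simulator(q, p, seed=None):
    """Slide 31: for an adversary making q quantum queries, answer with
    R_x = f(x) where f is a random 2q-wise independent function.
    A fixed seed is only for reproducible demonstrations."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return KWiseIndependentFunction(2 * q, p, rng)


def outputs_are_uniform(degree_bound, p, points):
    """Exhaustive check over all p**degree_bound polynomials of degree < degree_bound:
    is the vector of outputs on `points` uniformly distributed, i.e. does every
    one of the p**len(points) output vectors occur equally often?"""
    assert len(set(points)) == len(points), "points must be distinct"
    counts = {}
    for coeffs in product(range(p), repeat=degree_bound):
        outs = tuple(eval_poly(coeffs, x, p) for x in points)
        counts[outs] = counts.get(outs, 0) + 1
    return len(counts) == p ** len(points) and len(set(counts.values())) == 1
```

`outputs_are_uniform(3, 5, [0, 1, 2])` is true (degree below 3 gives 3-wise independence), while `outputs_are_uniform(2, 5, [0, 1, 2])` is false: a degree-1 polynomial is fixed by two evaluations, so a third output is no longer free. That is the gap the 2q-wise choice closes for an adversary whose q quantum queries, by the polynomial method, can only depend on the oracle through degree-2q polynomials.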

SLIDE 33

Applications of this method

  • IBE scheme [GPV 2009]
  • Generic Full Domain Hash
    • Previous results only covered specific trapdoor permutations
  • Apply iteratively for Hierarchical IBE [CHKP 2010, ABB 2010]
    • Security degrades doubly exponentially in the depth of the identity tree
    • Classically, the degradation is only singly exponential
SLIDE 34

Quantum-Secure PRFs [Zhandry, FOCS 2012]

  • So far, we only considered the case where interaction with the primitive remains classical
  • What if we allow quantum queries to the primitive?
  • Example: pseudorandom functions
SLIDE 35

Standard Security vs Quantum Security

[Figure: two games between an adversary and a PRF with key $k$. Standard security: the adversary sends classical inputs $x$, receives $\mathrm{PRF}(k, x)$, and finally outputs 0 or 1. Quantum security: the adversary sends a superposition $\sum_x \alpha_x |x\rangle$, receives $\sum_x \alpha_x |\mathrm{PRF}(k, x)\rangle$, and finally outputs 0 or 1.]

SLIDE 36

Quantum-Secure PRFs

  • Results [Zhandry, FOCS 2012]
    • In general, a PRF secure against classical queries is not secure against quantum queries
    • However, several classical constructions remain secure, even against quantum queries:
      • From pseudorandom generators [GGM 1984]
      • From pseudorandom synthesizers [NR 1995]
      • Direct constructions based on lattices [BPR 2011]
    • Also have MACs secure when the adversary can get tags on a superposition
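The GGM construction named above, as an added Python example; this is not code from the talk or from the cited papers. It assumes SHA-256 with a one-byte domain separator as a stand-in length-doubling PRG $G(s) = G_0(s) \,\|\, G_1(s)$; the tree walk itself is the standard GGM construction, in which the key is the root and each input bit selects the left or right half of the PRG output.

```python
import hashlib

SEED_LEN = 32  # bytes; the stand-in PRG doubles a 32-byte seed to 64 bytes


def prg(seed: bytes) -> tuple:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)).
    Assumption: SHA-256 with a domain-separation byte stands in for a real PRG."""
    assert len(seed) == SEED_LEN
    return (hashlib.sha256(seed + b"\x00").digest(),
            hashlib.sha256(seed + b"\x01").digest())


def ggm_prf(key: bytes, x: int, input_bits: int) -> bytes:
    """GGM PRF [GGM 1984]: start at the root key and, for each input bit
    (most significant first), move to the left child G_0 or the right child G_1.
    The node reached after input_bits steps is PRF(key, x)."""
    assert len(key) == SEED_LEN
    assert 0 <= x < (1 << input_bits)
    node = key
    for i in range(input_bits - 1, -1, -1):
        node = prg(node)[(x >> i) & 1]
    return node


def ggm_prf_bytes(key: bytes, data: bytes) -> bytes:
    """Convenience wrapper: treat an arbitrary byte string as the PRF input."""
    return ggm_prf(key, int.from_bytes(data, "big"), 8 * len(data))
```

The tree has depth equal to the input length, so one evaluation costs one PRG call per input bit; the whole tree is never materialised, which is what makes the construction usable on exponentially large domains. [Zhandry, FOCS 2012] shows this construction stays secure under quantum queries whenever the underlying PRG is secure.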

SLIDE 37–38

Open Questions

  • Proving the quantum security of constructions based on Fiat-Shamir [FS 1987]
    • Signatures
    • Group Signatures
    • CS Proofs
  • Other constructions
    • CCA security from weaker notions [FO 1999]

Thank You!