
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle - PowerPoint PPT Presentation



  1. Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (*pronounced "Shu-ichi"; The University of Tokyo / AIST), Shota Yamada (AIST), Takashi Yamakawa (NTT).

  2-5. Post Quantum Cryptography (one slide, built up in four steps)
  Owing to NIST's announcement, PQ Crypto has been gathering increasingly more attention.
  In general: a scheme secure under a PQ assumption in the standard model is secure against quantum algorithms.
  However: a scheme secure under a PQ assumption in the RO model may NOT be secure against quantum algorithms (*).
  Many practical algorithms rely on the ROM!
  Recent works on the QROM:
  - Signatures: [Zha12][ARU14][Unr17][KLS18]...
  - PKE: [TU16][JZC+18][SXY18]...
  This work is on Identity-Based Encryption (IBE).
  (*) [BDF+11] Boneh et al. "Random oracles in a quantum world". EUROCRYPT.

  6-7. IBEs from Post Quantum Assumptions (one slide, built up in two steps)
  There are few IBEs secure under PQ assumptions.
  - Lattice-based IBEs. ROM: [GPV08][ABB10][CHKP10]. Standard model: [ABB10][CHKP10][Yam16][KY16]...
  - Code-based IBEs. ROM: [GHPT17].
  The standard-model line of work is quantumly secure. What can we say about efficient schemes proven secure in the ROM??

  8-12. IBEs Secure in the QROM (one slide, built up in five steps)
  Work of Zhandry [Zha12]:
  - Presented a general technique to use in the QROM.
  - Proved security of the lattice-based IBEs of [GPV08], [ABB10], [CHKP10] in the QROM.
  However...
  - Comes at the cost of a huge reduction loss.
  - Requires decent knowledge of quantum computation.
  Reduction loss: if A breaks the IBE with advantage $\epsilon$, then B solves the LWE problem with advantage $\approx \epsilon^2 / Q_H^4$, where $Q_H$ := number of RO queries.
  If we want a 128-bit secure IBE ($\epsilon = 2^{-128}$), assuming $Q_H = 2^{100}$, we need at least a 656-bit secure LWE problem!! (Since $\epsilon^2 / Q_H^4 = 2^{-256} / 2^{400} = 2^{-656}$.)
  Question: Can we construct tightly secure IBEs in the QROM??
  [Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO.

  13. Summary of Our Result
  ① Tight security proof for GPV-IBE in the QROM in the single-challenge setting.
  ② (Almost) tight security proof for a variant of GPV-IBE in the QROM in the multi-challenge setting.
  - Our proofs are much simpler than [Zha12].
  - Easy to follow for non-experts of quantum computation.

  14. Overview of This Talk
  1. Review of GPV-IBE
  2. What Goes Wrong in the QROM
  3. Result 1: Tightly Secure GPV-IBE in the QROM
  4. Result 2: Extending it to Multi-Challenge

  15. 1. Review of GPV-IBE 15

  16. Identity-based Encryption [Sha84]
  A Public Key Generator issues the secret key sk_ID for an identity ID such as alice@example.com. Any string can be a public key! Bob encrypts to Alice's identity and sends the ciphertext to Alice.
  [Sha84]: A. Shamir. "Identity-Based Cryptosystems and Signature Schemes". Crypto.

  17-18. IND-CPA Security of IBE in the ROM (one slide, built up in two steps)
  - Challenger runs $(\mathsf{mpk}, \mathsf{msk}) \leftarrow \mathsf{SetUp}(1^\lambda)$ and gives mpk to the adversary.
  - Random oracle $H: \mathsf{ID} \to \mathbb{Z}_q^n$, answered by $\mathbf{u} \leftarrow \mathsf{Uni}(\mathbb{Z}_q^n)$.
  - Secret-key queries: the adversary sends $\mathsf{ID}_i$; the challenger runs $\mathsf{KeyGen}(\mathsf{ID}_i, \mathsf{msk}) \to \mathsf{sk}_{\mathsf{ID}_i}$ and returns it.
  - Challenge: the adversary sends $(\mathsf{ID}^*, M)$ with $\mathsf{ID}^* \neq \mathsf{ID}_i$ for all $i$; the challenger picks $b \leftarrow \{0,1\}$ and returns $\mathsf{CT}^*$.
  - The adversary outputs $b'$; security requires $\Pr[b' = b] \approx 1/2$.
  Multi-challenge setting: the adversary can obtain challenge ciphertexts multiple times.

  19-21. Gentry-Peikert-Vaikuntanathan IBE (one slide, built up in three steps)
  - mpk, msk: $\mathsf{mpk} = \mathbf{A} \in \mathbb{Z}_q^{n \times m}$; $\mathsf{msk}$ = trapdoor $\mathbf{T}_{\mathbf{A}}$ for $\mathbf{A}$; hash $H: \{0,1\}^* \to \mathbb{Z}_q^n$ (*programmed as the RO).
  - Secret key $\mathsf{sk}_{\mathsf{ID}}$: a short vector $\mathbf{e}_{\mathsf{ID}} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{e}_{\mathsf{ID}} = \mathbf{u}_{\mathsf{ID}} := H(\mathsf{ID})$.
  - Encryption $\mathsf{CT}_{\mathsf{ID}}$ of $M$: an LWE instance for $(\mathbf{A}, \mathbf{u}_{\mathsf{ID}})$: $\mathbf{c}_1 = \mathbf{s}^\top \mathbf{A} + \mathbf{x}$, $c_2 = \mathbf{s}^\top \mathbf{u}_{\mathsf{ID}} + x' + M \lfloor q/2 \rfloor$.
  [GPV08] Gentry, Peikert, and Vaikuntanathan. "Trapdoors for hard lattices and new cryptographic constructions". STOC.

  22-25. Security Proof in the Classical ROM (one slide, built up in four steps)
  - Proof similar to FDH signatures.
  - The simulator (the LWE adversary) guesses one ID to embed the LWE problem: it guesses the challenge $\mathsf{ID}^*$ and programs the RO differently for $\mathsf{ID}^*$.
  - LWE problem given to the simulator: $\mathbf{s}^\top [\mathbf{A} \mid \mathbf{u}] + [\mathbf{x} \mid x']$.
  - For $\mathsf{ID} \neq \mathsf{ID}^*$: sample $\mathbf{e}_{\mathsf{ID}}$ and program the RO as $H(\mathsf{ID}) := \mathbf{A}\mathbf{e}_{\mathsf{ID}}$. The simulator knows the secret key, so it can answer secret-key queries.
  - For $\mathsf{ID}^*$: program the RO as $H(\mathsf{ID}^*) := \mathbf{u}$. The simulator doesn't know the secret key; $\mathbf{u}$ is embedded into the challenge ciphertext.
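As an added illustration, not the authors' code or the paper's implementation, the toy Python below puts slides 19-25 into running form: dual-Regev encryption and decryption under a programmable hash table, and the simulator's side of the classical-ROM proof, which samples $\mathbf{e}_{\mathsf{ID}}$ first and programs $H(\mathsf{ID}) := \mathbf{A}\mathbf{e}_{\mathsf{ID}}$ for every identity except $\mathsf{ID}^*$, where it plants the $\mathbf{u}$ of its LWE instance. The honest KeyGen via the trapdoor $\mathbf{T}_{\mathbf{A}}$ is deliberately absent, since the simulator never needs it. The dimensions N, M, Q, the error bound, the seed and the identity strings are constructed assumptions chosen so the run is small and reproducible; they give no security.

```python
# Toy GPV-IBE (dual-Regev) plus the classical-ROM simulator of slides 19-25.
# Added illustration, not the authors' code. N, M, Q and the error bound are
# constructed toy values with no security; they only make the arithmetic visible.
import random

N, M, Q = 8, 32, 4099          # constructed: A is N x M over Z_Q; Q/4 ~ 1024 >> noise
rng = random.Random(2024)      # fixed seed so a run is reproducible


def small_vec(k, bound=1):
    """Short vector (error or secret key) with entries in [-bound, bound]."""
    return [rng.randint(-bound, bound) for _ in range(k)]


def mat_vec(A, v):              # A e : (N x M) * (M) -> N entries mod Q
    return [sum(A[i][j] * v[j] for j in range(M)) % Q for i in range(N)]


def vec_mat(s, A):              # s^T A : (N) * (N x M) -> M entries mod Q
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(M)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def centered(v):
    """Representative of v mod Q in (-Q/2, Q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def setup():
    """mpk = A, uniform. The real msk would be a trapdoor T_A; the simulator has none."""
    return [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]


class ProgrammedRO:
    """The simulator's random oracle H: {0,1}* -> Z_Q^N (slides 22-25).
    ID != ID*: sample short e_ID, set H(ID) := A e_ID, so sk_ID is known.
    ID == ID*: set H(ID*) := u taken from the LWE instance, so sk_ID* is unknown."""

    def __init__(self, A, id_star, u_star):
        self.A, self.id_star, self.u_star = A, id_star, u_star
        self.table, self.keys = {}, {}

    def H(self, ID):
        if ID not in self.table:
            if ID == self.id_star:
                self.table[ID] = self.u_star
            else:
                e = small_vec(M)
                self.keys[ID] = e
                self.table[ID] = mat_vec(self.A, e)
        return self.table[ID]

    def keygen(self, ID):
        """Secret-key query. The game forbids ID*, and the simulator could not answer it."""
        if ID == self.id_star:
            raise ValueError("no secret key for the challenge identity")
        self.H(ID)
        return self.keys[ID]


def lwe_sample(A, u):
    """LWE instance on [A | u] with a fresh secret s: (s^T A + x, s^T u + x')."""
    s = [rng.randrange(Q) for _ in range(N)]
    b = [(a + x) % Q for a, x in zip(vec_mat(s, A), small_vec(M))]
    return b, (dot(s, u) + small_vec(1)[0]) % Q


def encrypt(A, u_id, bit):
    """Dual-Regev: c1 = s^T A + x, c2 = s^T u_ID + x' + bit*floor(Q/2).
    Written as an LWE sample on [A | u_ID] plus the message: this is exactly how
    the simulator turns its LWE instance into CT* without knowing s."""
    b, b_last = lwe_sample(A, u_id)
    return b, (b_last + bit * (Q // 2)) % Q


def decrypt(e_id, c1, c2):
    """c2 - <c1, e_ID> = bit*floor(Q/2) + (x' - <x, e_ID>); |noise| <= M + 1 < Q/4."""
    d = centered(c2 - dot(c1, e_id))
    return 1 if abs(d) > Q // 4 else 0


def simulation_demo():
    """Run the simulator: answer key queries for other IDs, embed LWE into CT*.
    Returns (all decryptions under simulated keys correct,
             CT* built from the LWE sample decrypts under the hidden e* when u* = A e*)."""
    A = setup()
    e_star = small_vec(M)                  # hidden from the simulator; used only to verify
    u_star = mat_vec(A, e_star)            # a well-formed u, i.e. a genuine H(ID*) value
    sim = ProgrammedRO(A, "alice@example.com", u_star)   # constructed identities
    ok = True
    for ID in ("bob@example.com", "carol@example.com"):
        e_id = sim.keygen(ID)
        for bit in (0, 1):
            ok &= decrypt(e_id, *encrypt(A, sim.H(ID), bit)) == bit
    ct_star = encrypt(A, sim.H("alice@example.com"), 1)  # LWE sample + message
    return ok, decrypt(e_star, *ct_star) == 1
```

Calling `simulation_demo()` returns `(True, True)`: key queries for bob and carol are answered without any trapdoor because their hash values were programmed as $\mathbf{A}\mathbf{e}_{\mathsf{ID}}$, and the challenge ciphertext is literally the simulator's LWE sample with the message added, which is why distinguishing it from one built on a uniform $\mathbf{u}$ is as hard as LWE. Asking `sim.keygen("alice@example.com")` raises, mirroring the restriction $\mathsf{ID}^* \neq \mathsf{ID}_i$ in the game.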

  26. 2. What Goes Wrong in QROM 26

  27. Minimum Preparation for Quant. Crypt.
  A qubit is a register in superposition between a few states: $|0\rangle, |1\rangle, \ldots$
  Notation: $|\varphi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$), with $|\alpha_0|^2 + |\alpha_1|^2 = 1$.
  - $|\alpha_b|^2$ = probability of getting $b$ when measuring $|\varphi\rangle$.
