Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model - PowerPoint PPT Presentation



SLIDE 1

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model

Shuichi Katsumata (The University of Tokyo / AIST), Shota Yamada (AIST), Takashi Yamakawa (NTT)

*Pronounced as

SLIDES 2-5

Post Quantum Cryptography

Owing to NIST's announcement, PQ crypto has been gathering increasingly more attention.

In general:
• A scheme secure under a PQ assumption in the standard model is secure against quantum algorithms.
• A scheme secure under a PQ assumption in the RO model, however, may NOT be secure against quantum algorithms (*). Many practical schemes rely on the ROM!

Recent works on the QROM:
• Signatures: [Zha12] [ARU14] [Unr17] [KLS18] ...
• PKE: [TU16] [JZC+18] [SXY18] ...

This work is on identity-based encryption (IBE).

(*) [BDF+11] Boneh et al. "Random oracles in a quantum world". ASIACRYPT 2011.

SLIDES 6-7

IBEs from Post Quantum Assumptions

There are few IBEs secure under PQ assumptions.

• Lattice-based IBEs
  • ROM: [GPV08] [ABB10] [CHKP10]
  • Standard model: [ABB10] [CHKP10] [Yam16] [KY16] ... (this line of work is quantumly secure)
• Code-based IBEs
  • ROM: [GHPT17]

What can we say about the efficient schemes that are only proven secure in the ROM??

SLIDES 8-12

IBEs Secure in the QROM

Work of Zhandry [Zha12]:
✓ Presented a general technique for use in the QROM.
✓ Proved security of the lattice-based IBEs of [GPV08], [ABB10], [CHKP10] in the QROM.

However:
• It comes at the cost of a huge reduction loss.
• It requires decent knowledge of quantum computation.

If A breaks the IBE with advantage $\varepsilon$, then B solves the LWE problem with advantage $\approx \varepsilon^2 / Q_H^4$, where $Q_H :=$ the number of RO queries.

If we want a 128-bit secure IBE ($\varepsilon = 2^{-128}$) and assume $Q_H = 2^{100}$, we need an at least $2 \cdot 128 + 4 \cdot 100 = 656$-bit secure LWE problem!!

Question: Can we construct tightly secure IBEs in the QROM??

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.

SLIDE 13

Summary of Our Result

① A tight security proof for GPV-IBE in the QROM in the single-challenge setting.
② An (almost) tight security proof for a variant of GPV-IBE in the QROM in the multi-challenge setting.

✓ Our proofs are much simpler than [Zha12].
✓ They are easy to follow for non-experts in quantum computation.

SLIDE 14

Overview of This Talk

1. Review of GPV-IBE
2. What Goes Wrong in QROM
3. Result 1: Tightly Secure GPV-IBE in QROM
4. Result 2: Extending it to Multi-Challenge

SLIDE 15

1. Review of GPV-IBE
SLIDE 16

Identity-based Encryption [Sha84]

[Figure: Alice encrypts to Bob using an identity string (e.g. an e-mail address such as alice@example.com) as the public key; the Public Key Generator issues the secret key sk_ID for that identity, which decrypts the ciphertext.]

Any string can be a public key!

[Sha84] A. Shamir. "Identity-Based Cryptosystems and Signature Schemes". CRYPTO 1984.

SLIDES 17-18

IND-CPA Security of IBE in ROM

• Setup: $(\mathrm{mpk}, \mathrm{msk}) \leftarrow \mathrm{Setup}(1^\lambda)$; the adversary receives $\mathrm{mpk}$.
• Random oracle: $H : \mathrm{ID} \mapsto \mathbf{u}$.
• Secret key queries: for $\mathrm{ID}_i$ the adversary receives $\mathrm{sk}_{\mathrm{ID}_i} \leftarrow \mathrm{KeyGen}(\mathrm{msk}, \mathrm{ID}_i)$.
• Challenge: the adversary sends $(\mathrm{ID}^*, M)$ with $\mathrm{ID}^* \neq \mathrm{ID}_i$ for all $i$; the challenger picks $b \leftarrow \{0,1\}$ and returns a challenge ciphertext $\mathrm{CT}^*$ under $\mathrm{ID}^*$ whose content depends on $b$.
• The adversary outputs a guess $b'$. Security means $\Pr[b' = b] \approx 1/2$.

Multi-challenge: the adversary can obtain challenge ciphertexts multiple times.

SLIDES 19-21

Gentry-Peikert-Vaikuntanathan IBE

• mpk, msk
  • $\mathrm{mpk} = \mathbf{A} \in \mathbb{Z}_q^{n \times m}$ together with $H : \{0,1\}^* \to \mathbb{Z}_q^n$ (*programmed as the RO)
  • $\mathrm{msk} =$ trapdoor $\mathbf{T}_{\mathbf{A}}$ for $\mathbf{A}$
• Secret key $\mathrm{sk}_{\mathrm{ID}}$
  • a short vector $\mathbf{e}_{\mathrm{ID}} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{e}_{\mathrm{ID}} = \mathbf{u}_{\mathrm{ID}} := H(\mathrm{ID})$
• Encryption $\mathrm{CT}_{\mathrm{ID}}$ of $M$
  • $\mathbf{c}_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$, $\quad c_1 = \langle \mathbf{s}, \mathbf{u}_{\mathrm{ID}} \rangle + x' + M \lfloor q/2 \rfloor$
  • i.e. an LWE instance for $(\mathbf{A}, \mathbf{u}_{\mathrm{ID}})$ with the message added to the $\mathbf{u}_{\mathrm{ID}}$ coordinate; decryption computes $c_1 - \langle \mathbf{c}_0, \mathbf{e}_{\mathrm{ID}} \rangle = x' - \langle \mathbf{x}, \mathbf{e}_{\mathrm{ID}} \rangle + M \lfloor q/2 \rfloor$, which rounds to $M \lfloor q/2 \rfloor$ because $\mathbf{e}_{\mathrm{ID}}$ is short.

[GPV08] Gentry, Peikert, and Vaikuntanathan. "Trapdoors for hard lattices and new cryptographic constructions". STOC 2008.

SLIDES 22-25

Security Proof in Classical ROM

• The proof is similar to the FDH signature proof.
• The simulator (an LWE adversary) receives the LWE instance $(\mathbf{A}, \mathbf{u}, \mathbf{s}[\mathbf{A} \mid \mathbf{u}] + [\mathbf{x} \mid x'])$ and guesses one ID in which to embed the LWE problem:
  • For $\mathrm{ID} \neq \mathrm{ID}^*$: sample $\mathbf{e}_{\mathrm{ID}}$ and program the RO as $H(\mathrm{ID}) := \mathbf{A}\mathbf{e}_{\mathrm{ID}}$. The simulator knows the secret key, so it can answer secret key queries.
  • For $\mathrm{ID}^*$: program the RO as $H(\mathrm{ID}^*) := \mathbf{u}$. The simulator doesn't know the secret key; instead it embeds the LWE instance into the challenge ciphertext.
• In short, the simulator guesses the challenge identity $\mathrm{ID}^*$ and programs the RO differently for $\mathrm{ID}^*$.

SLIDE 26

2. What Goes Wrong in QROM
SLIDES 27-29

Minimum Preparation for Quantum Crypto

A qubit is a register in superposition between a few states: $|0\rangle, |1\rangle, \ldots$

Notation: $|\psi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_x|^2$ = probability of getting $x$ when measuring $|\psi\rangle$

A hash function can be evaluated on a superposition: $\sum_x \alpha_x |x\rangle \to \sum_x \alpha_x |x, H(x)\rangle$.

In short: a quantum adversary can evaluate the hash function $H$ over qubits in the real world. The QROM should model this capability!

SLIDES 30-33

What this Means for QROM

FDH-type proofs in the ROM don't hold in the QROM! Why?

In the ROM (classical RO): the adversary queries $\mathrm{ID}_1, \mathrm{ID}_2, \ldots, \mathrm{ID}_{Q_H}$ one at a time. The simulator guesses $j \in [Q_H]$ and programs the RO differently on the single identity $\mathrm{ID}^* := \mathrm{ID}_j$.

In the QROM (quantum RO): a single query is $\sum_x \alpha_x |\mathrm{ID}_x\rangle$, a superposition of all IDs. The simulator can't guess $\mathrm{ID}^*$ (with more than negligible probability)!!

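To make the superposition-query point concrete, here is an added example (not part of the talk or the paper): a state-vector simulation of one quantum random-oracle query. The oracle H is a stand-in (SHA-256 truncated to 4 bits), the ID space is the set of 3-bit strings, and all names are the example's own. It applies the oracle unitary |x, y⟩ ↦ |x, y ⊕ H(x)⟩ branch by branch and shows that one query carries every ID at once, so a simulator betting that a particular ID is "the" queried one is right with probability only 1/|ID space|, which is the classical guessing strategy failing.

```python
import hashlib
from math import sqrt
from typing import Dict, Tuple

OUT_BITS = 4   # H outputs a 4-bit digest (toy choice)

# Basis state |x, y> (ID register, output register) -> complex amplitude.
State = Dict[Tuple[str, int], complex]


def H(id_bits: str) -> int:
    """Stand-in for the random oracle H: SHA-256 truncated to OUT_BITS bits (assumption of this example)."""
    return hashlib.sha256(id_bits.encode()).digest()[0] >> (8 - OUT_BITS)


def classical_query(id_bits: str) -> State:
    """A classical RO query: the ID register holds exactly one identity, |ID, 0>."""
    return {(id_bits, 0): 1.0 + 0j}


def superposition_query(id_len: int) -> State:
    """A quantum RO query over ALL id_len-bit identities: sum_x (1/sqrt(2^id_len)) |x, 0>."""
    count = 2 ** id_len
    amp = 1 / sqrt(count)
    return {(format(x, f"0{id_len}b"), 0): amp + 0j for x in range(count)}


def apply_oracle(state: State) -> State:
    """The QROM oracle unitary O_H: |x, y> -> |x, y XOR H(x)>, applied to every branch.
    It permutes basis states, so every amplitude (and the total norm) is preserved."""
    out: State = {}
    for (x, y), amp in state.items():
        key = (x, y ^ H(x))
        out[key] = out.get(key, 0j) + amp
    return out


def measure_probabilities(state: State) -> Dict[Tuple[str, int], float]:
    """Born rule: the probability of outcome (x, y) is |amplitude|^2."""
    return {k: abs(a) ** 2 for k, a in state.items()}


def prob_id_register_is(state: State, guess: str) -> float:
    """Probability that measuring the ID register yields `guess`: what a simulator that
    tries to single out 'the j-th queried identity' is betting on."""
    return sum(abs(a) ** 2 for (x, _), a in state.items() if x == guess)


def total_probability(state: State) -> float:
    return sum(measure_probabilities(state).values())
```

With a classical query the guess "101" is right with probability 1; with the superposition query it is right with probability 1/8, and that shrinks to 2^{-|ID|} for realistic identity lengths, which is the "negligible probability" of the slide.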
SLIDES 34-36

Overcoming the Difficulty [Zha12]

Zhandry [Zha12] introduced semi-constant distributions to make FDH-type proofs go through in the QROM.

The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model: program the RO on many points instead of a single point.

Downside: the reduction loss is huge,
$\varepsilon_{\mathrm{LWE}} \approx \varepsilon_{\mathrm{IBE}}^2 / Q_H^4$
($\varepsilon_{\mathrm{IBE}}$: advantage of breaking the IBE; $\varepsilon_{\mathrm{LWE}}$: advantage of solving LWE).

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.
SLIDE 37

3. Result 1: Tightly Secure GPV-IBE in QROM

SLIDES 38-41

Idea: Depart from Partitioning

Partitioning techniques are not good for tight reductions. A non-partitioning technique??
• The simulator programs the RO identically for all inputs.
• The simulator can answer all secret key queries.
• The simulator can generate the challenge ciphertext for all identities.

Is this even possible? Yes! Similar to the Cramer-Shoup PKE: use the secret key to construct the challenge ciphertext.

*The idea is also used in Gentry's pairing-based IBE.

SLIDES 42-44

Knowing the Secret Key of All IDs

Let us consider the first two problems:
• The simulator programs the RO identically for all inputs.
• The simulator can answer all secret key queries.

Unlike the original GPV-IBE proof, for every $\mathrm{ID}$: sample $\mathbf{e}_{\mathrm{ID}}$ and program the RO as $H(\mathrm{ID}) := \mathbf{A}\mathbf{e}_{\mathrm{ID}}$.

Main observation: given $\mathbf{A}$ and $\mathbf{u}_{\mathrm{ID}} = H(\mathrm{ID})$, the secret key $\mathbf{e}_{\mathrm{ID}}$ retains sufficient entropy. Just like Cramer-Shoup!

SLIDES 45-53

Simulating the Challenge Ciphertext

Remaining problem: the simulator must generate the challenge ciphertext for all identities.

As in Cramer-Shoup, use the secret key to construct the challenge ciphertext. The simulator sets

$\mathbf{c}_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$, $\quad c_1 = \langle \mathbf{c}_0, \mathbf{e}_{\mathrm{ID}^*} \rangle + M \lfloor q/2 \rfloor$ (using the secret key $\mathbf{e}_{\mathrm{ID}^*}$),

and indeed

$c_1 = \mathbf{s}\mathbf{A}\mathbf{e}_{\mathrm{ID}^*} + \langle \mathbf{x}, \mathbf{e}_{\mathrm{ID}^*} \rangle + M \lfloor q/2 \rfloor \approx \langle \mathbf{s}, \mathbf{u}_{\mathrm{ID}^*} \rangle + x' + M \lfloor q/2 \rfloor$,

the same as in the real world modulo a small difference in the noise distribution ($\langle \mathbf{x}, \mathbf{e}_{\mathrm{ID}^*} \rangle$ in place of $x'$).

Why is this secure??

Hybrid 1 (LWE problem: replace $\mathbf{s}\mathbf{A} + \mathbf{x}$ by a uniform $\mathbf{b}$):
$\mathbf{c}_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$), $\quad c_1 = \langle \mathbf{b}, \mathbf{e}_{\mathrm{ID}^*} \rangle + M \lfloor q/2 \rfloor$

Hybrid 2 (leftover hash lemma using the entropy of $\mathbf{e}_{\mathrm{ID}^*}$):
$\mathbf{c}_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$), $\quad c_1 = r$ (random in $\mathbb{Z}_q$)

No information on $M$!!

SLIDES 54-56

Combining Everything Together

✓ The simulator programs the RO identically for all inputs.
✓ The simulator can answer all secret key queries.
✓ The simulator can generate the challenge ciphertext for all identities.

The proof naturally fits the QROM setting! Moreover:
• Since the simulator never aborts, the security proof is tight.
• The proof is (almost) as simple as in the classical setting.

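As an added example (not code from the paper or the talk), the following Python implements the toy GPV-IBE of slides 19-21 together with the simulator's view of slides 42-48: the random oracle is programmed "in reverse" (key lemma, slide 80), so no trapdoor is needed, and the challenge ciphertext is built from the secret key. The parameters (n = 8, m = 40, q = 7681), the ternary choice for e_ID in place of a discrete Gaussian, the noise bound, the identity string and every function name are assumptions of this example; the real scheme's trapdoor KeyGen is not implemented.

```python
import secrets
from typing import Dict, List, Tuple

# Toy parameters, constructed for illustration only: far too small to be secure.
N, M, Q = 8, 40, 7681   # n, m, q of the slides (q prime)
ERR = 3                 # encryption noise x, x' is uniform in [-ERR, ERR] (toy choice)

Vec = List[int]
Mat = List[Vec]


def rand_vec(length: int) -> Vec:
    return [secrets.randbelow(Q) for _ in range(length)]


def small_vec(length: int, bound: int) -> Vec:
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(length)]


def dot(a: Vec, b: Vec) -> int:
    return sum(p * r for p, r in zip(a, b)) % Q


def vec_mat(s: Vec, A: Mat) -> Vec:
    """Row vector s (length n) times A (n x m): the sA of the slides."""
    return [sum(s[i] * A[i][j] for i in range(len(s))) % Q for j in range(len(A[0]))]


def mat_vec(A: Mat, e: Vec) -> Vec:
    """A (n x m) times column vector e (length m): the A e_ID of the slides."""
    return [dot(row, e) for row in A]


def setup() -> Mat:
    """mpk = A. The real scheme also outputs msk = a trapdoor T_A; nothing below needs it."""
    return [rand_vec(M) for _ in range(N)]


class ProgrammedOracle:
    """H programmed 'in reverse' (key lemma, slide 80): on first use of an ID, sample a short
    e_ID and define H(ID) := A e_ID, so the simulator knows sk_ID without any trapdoor.
    Assumption of the toy: e_ID has uniform {-1,0,1} entries instead of a discrete Gaussian."""

    def __init__(self, A: Mat) -> None:
        self.A = A
        self.table: Dict[str, Tuple[Vec, Vec]] = {}

    def _entry(self, ID: str) -> Tuple[Vec, Vec]:
        if ID not in self.table:
            e = small_vec(M, 1)
            self.table[ID] = (e, mat_vec(self.A, e))
        return self.table[ID]

    def H(self, ID: str) -> Vec:        # u_ID := H(ID)
        return self._entry(ID)[1]

    def keygen(self, ID: str) -> Vec:   # sk_ID = e_ID with A e_ID = u_ID
        return self._entry(ID)[0]


def encrypt(A: Mat, u_ID: Vec, msg: int) -> Tuple[Vec, int]:
    """Real GPV encryption of one bit: c0 = sA + x, c1 = <s, u_ID> + x' + M*floor(q/2)."""
    s = rand_vec(N)
    x = small_vec(M, ERR)
    x_prime = small_vec(1, ERR)[0]
    c0 = [(p + r) % Q for p, r in zip(vec_mat(s, A), x)]
    c1 = (dot(s, u_ID) + x_prime + msg * (Q // 2)) % Q
    return c0, c1


def simulated_encrypt(A: Mat, e_ID: Vec, msg: int) -> Tuple[Vec, int]:
    """Simulator's challenge ciphertext (slides 46-48): c1 = <c0, e_ID> + M*floor(q/2).
    u_ID is never used; the real scheme's noise x' is replaced by <x, e_ID>."""
    s = rand_vec(N)
    x = small_vec(M, ERR)
    c0 = [(p + r) % Q for p, r in zip(vec_mat(s, A), x)]
    c1 = (dot(c0, e_ID) + msg * (Q // 2)) % Q
    return c0, c1


def decrypt(e_ID: Vec, ct: Tuple[Vec, int]) -> int:
    """c1 - <c0, e_ID> = x' - <x, e_ID> + M*floor(q/2); |noise| <= ERR*(M+1) = 123, far below q/4."""
    c0, c1 = ct
    v = (c1 - dot(c0, e_ID)) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0


def roundtrip(msg: int) -> Tuple[int, int]:
    """Encrypt msg for a fresh identity the real way and the simulator's way; return both decryptions."""
    A = setup()
    oracle = ProgrammedOracle(A)
    ID = "alice@example.com"
    e = oracle.keygen(ID)
    real = decrypt(e, encrypt(A, oracle.H(ID), msg))
    sim = decrypt(e, simulated_encrypt(A, e, msg))
    return real, sim
```

Both ciphertexts decrypt to the same bit under the same e_ID; the only difference between the real c_1 and the simulated one is the noise term x' versus ⟨x, e_ID⟩, which is the "small difference in noise distribution" of slide 48. The simulator never needs u_ID to encrypt and never aborts, which is what makes the reduction tight.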
SLIDE 57

4. Result 2: Extending it to Multi-Challenge

SLIDES 58-60

Tight Security for Multi-Challenge

An adversary gets to query many challenge ciphertexts $\mathrm{CT}^{(1)}, \ldots, \mathrm{CT}^{(N)}$:
$\mathbf{c}_0^{(1)} = \mathbf{s}_1 \mathbf{A} + \mathbf{x}_1$, $\quad c_1^{(1)} = \langle \mathbf{s}_1, \mathbf{u}_{\mathrm{ID}} \rangle + x'_1 + M_1 \lfloor q/2 \rfloor$
$\ldots$
$\mathbf{c}_0^{(N)} = \mathbf{s}_N \mathbf{A} + \mathbf{x}_N$, $\quad c_1^{(N)} = \langle \mathbf{s}_N, \mathbf{u}_{\mathrm{ID}} \rangle + x'_N + M_N \lfloor q/2 \rfloor$

Fact:
• Multi-challenge security follows from single-challenge security (by a hybrid argument).
• However, that reduction is not tight: it loses a factor of $N$.

Question: Can we make the reduction loss independent of $N$??

SLIDES 61-64

Requires New Technique

The previous technique does not work anymore... Why?

In the proof of single-challenge security we used the entropy of the secret key $\mathbf{e}_{\mathrm{ID}}$, but there is not enough entropy in $\mathbf{e}_{\mathrm{ID}}$ to change all $N = \mathrm{poly}(\lambda)$ ciphertexts to random!!

We need to get more entropy from some other source...

SLIDES 65-68

Idea: Use Lossy LWE to Boost Entropy

Standard LWE: $(\mathbf{A}, \mathbf{s}\mathbf{A} + \mathbf{x})$ with $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$ uniquely determines $\mathbf{s}$.

Lossy LWE: $(\tilde{\mathbf{A}}, \mathbf{s}\tilde{\mathbf{A}} + \mathbf{x})$ with $\tilde{\mathbf{A}} \leftarrow \mathrm{Lossy}(\cdot)$ leaks almost no information on $\mathbf{s}$.

The two are indistinguishable assuming the LWE problem.

Use the entropy of $\{\mathbf{s}_i\}_{i \in [N]}$ to proceed with the LHL.

SLIDES 69-73

Attempt to Change CT to Random

$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i \mathbf{A} + \mathbf{x}_i$, $\quad c_1^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{\mathrm{ID}} \rangle + x'_i + M_i \lfloor q/2 \rfloor$

Program the RO to answer secret key queries ($H(\mathrm{ID}) := \mathbf{A}\mathbf{e}_{\mathrm{ID}}$):
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i \mathbf{A} + \mathbf{x}_i$, $\quad c_1^{(i)} = \mathbf{s}_i \mathbf{A}\mathbf{e}_{\mathrm{ID}} + x'_i + M_i \lfloor q/2 \rfloor$

Change to lossy LWE (*leaks almost no information on $\mathbf{s}_i$):
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i \tilde{\mathbf{A}} + \mathbf{x}_i$, $\quad c_1^{(i)} = \mathbf{s}_i \tilde{\mathbf{A}}\mathbf{e}_{\mathrm{ID}} + x'_i + M_i \lfloor q/2 \rfloor$

Leftover hash lemma using the entropy of $\mathbf{s}_i$:
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i \tilde{\mathbf{A}} + \mathbf{x}_i$, $\quad c_1^{(i)} = r$

WRONG!! When $\tilde{\mathbf{A}}$ is in lossy mode, $\tilde{\mathbf{A}}\mathbf{e}_{\mathrm{ID}}$ is no longer uniform over $\mathbb{Z}_q^n$, so the hash $\mathbf{s}_i \mapsto \langle \mathbf{s}_i, \tilde{\mathbf{A}}\mathbf{e}_{\mathrm{ID}} \rangle$ is not universal and the LHL cannot be applied!

SLIDES 74-76

Fixing it by the Katz-Wang Technique

Double the ciphertext and use the Katz-Wang technique [KW03]:

$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i \mathbf{A} + \mathbf{x}_i$,
$c_{1\|0}^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{\mathrm{ID}\|0} \rangle + x'_{i\|0} + M_i \lfloor q/2 \rfloor$,
$c_{1\|1}^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{\mathrm{ID}\|1} \rangle + x'_{i\|1} + M_i \lfloor q/2 \rfloor$,
where $\mathbf{u}_{\mathrm{ID}\|b} := H(\mathrm{ID}\|b)$.

In the scheme, only give out one secret key $\mathbf{e}_{\mathrm{ID}}$ s.t. $\mathbf{A}\mathbf{e}_{\mathrm{ID}} = \mathbf{u}_{\mathrm{ID}\|b}$ for a random bit $b$.

During simulation:
• Sim. programs $H(\mathrm{ID}\|b) := \mathbf{u}_{\mathrm{ID}\|b} = \tilde{\mathbf{A}}\mathbf{e}_{\mathrm{ID}}$ for a random bit $b$.
• Sim. programs $H(\mathrm{ID}\|1-b) := \mathbf{u}_{\mathrm{ID}\|1-b} \leftarrow \mathbb{Z}_q^n$.
• Use the LHL on $\mathbf{u}_{\mathrm{ID}\|1-b}$, which is now universal, and repeat.

[KW03] Katz and Wang. "Efficiency improvements for signature schemes with tight security reductions". CCS 2003.

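The doubled scheme with its simulation (slides 74-76), and the failure of the naive lossy-mode attempt (slides 72-73), as an added example that is not the paper's code. A rank-one product B·C stands in for the lossy matrix (real lossy-LWE matrices carry an additional small error; dropping it is an assumption of this toy that makes the loss of uniformity exact), the parameters and names are the example's own, and the vector helpers are the same toy modular arithmetic used in the single-challenge example above. The check in_span_of shows that under a lossy Ã the programmed value H(ID‖b) = Ã e_ID always lies on the line spanned by B (so it is far from uniform), while the independently sampled H(ID‖1−b) does not.

```python
import secrets
from typing import Dict, List, Tuple

N, M, Q = 8, 40, 7681   # toy n, m, q (q prime); constructed, not secure
ERR = 3                 # noise bound for x, x' (toy choice)

Vec = List[int]
Mat = List[Vec]


def rand_vec(length: int) -> Vec:
    return [secrets.randbelow(Q) for _ in range(length)]


def small_vec(length: int, bound: int) -> Vec:
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(length)]


def dot(a: Vec, b: Vec) -> int:
    return sum(p * r for p, r in zip(a, b)) % Q


def vec_mat(s: Vec, A: Mat) -> Vec:
    return [sum(s[i] * A[i][j] for i in range(len(s))) % Q for j in range(len(A[0]))]


def mat_vec(A: Mat, e: Vec) -> Vec:
    return [dot(row, e) for row in A]


def normal_matrix() -> Mat:
    """Normal mode: A uniform in Z_q^{n x m}."""
    return [rand_vec(M) for _ in range(N)]


def lossy_matrix() -> Tuple[Vec, Mat]:
    """Stand-in for the lossy mode: A~ = B C with B in Z_q^{n x 1}, C in Z_q^{1 x m}, so A~ has rank 1.
    A real lossy-LWE matrix adds a small error term; dropping it is an assumption of this toy
    that makes the loss of uniformity exact. Returns (B, A~)."""
    B = [secrets.randbelow(Q - 1) + 1 for _ in range(N)]
    C = rand_vec(M)
    return B, [[(B[i] * C[j]) % Q for j in range(M)] for i in range(N)]


def in_span_of(B: Vec, v: Vec) -> bool:
    """True iff v = t*B (mod q) for some scalar t, i.e. v lies in the column span of A~ = B C."""
    t = (v[0] * pow(B[0], -1, Q)) % Q
    return all((t * b) % Q == vi for b, vi in zip(B, v))


class KatzWangOracle:
    """Simulator's programming of H (slide 76): pick a bit b, sample a short e_ID,
    set H(ID||b) := A e_ID and H(ID||1-b) uniform in Z_q^n; only (b, e_ID) is given out as sk_ID."""

    def __init__(self, A: Mat) -> None:
        self.A = A
        self.table: Dict[str, Tuple[int, Vec, Dict[int, Vec]]] = {}

    def _entry(self, ID: str) -> Tuple[int, Vec, Dict[int, Vec]]:
        if ID not in self.table:
            b = secrets.randbelow(2)
            e = small_vec(M, 1)
            u = {b: mat_vec(self.A, e), 1 - b: rand_vec(N)}
            self.table[ID] = (b, e, u)
        return self.table[ID]

    def H(self, ID: str, bit: int) -> Vec:         # u_{ID||bit} := H(ID||bit)
        return self._entry(ID)[2][bit]

    def keygen(self, ID: str) -> Tuple[int, Vec]:  # sk_ID = (b, e_ID) with A e_ID = u_{ID||b}
        b, e, _ = self._entry(ID)
        return b, e


def encrypt(A: Mat, u0: Vec, u1: Vec, msg: int) -> Tuple[Vec, Tuple[int, int]]:
    """Doubled ciphertext: c0 = sA + x, c_{1||j} = <s, u_{ID||j}> + x'_j + M*floor(q/2), j = 0, 1."""
    s = rand_vec(N)
    x = small_vec(M, ERR)
    x0, x1 = small_vec(2, ERR)
    c0 = [(p + r) % Q for p, r in zip(vec_mat(s, A), x)]
    c10 = (dot(s, u0) + x0 + msg * (Q // 2)) % Q
    c11 = (dot(s, u1) + x1 + msg * (Q // 2)) % Q
    return c0, (c10, c11)


def decrypt(sk: Tuple[int, Vec], ct: Tuple[Vec, Tuple[int, int]]) -> int:
    """Use the half c_{1||b} that matches the key's bit; the other half is ignored."""
    b, e = sk
    c0, c1 = ct
    v = (c1[b] - dot(c0, e)) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0


def roundtrip(A: Mat, msg: int) -> int:
    """Encrypt msg under a fresh identity with matrix A and decrypt with its single key."""
    oracle = KatzWangOracle(A)
    ID = "bob@example.com"
    return decrypt(oracle.keygen(ID), encrypt(A, oracle.H(ID, 0), oracle.H(ID, 1), msg))


def lossy_mode_images(ID: str) -> Tuple[bool, bool]:
    """Under a lossy A~: is H(ID||b) = A~ e_ID stuck in span(B) (not uniform, slides 72-73)?
    Is the freshly sampled H(ID||1-b) stuck there too (it is uniform, so no; slide 76)?"""
    B, A_lossy = lossy_matrix()
    oracle = KatzWangOracle(A_lossy)
    b, _ = oracle.keygen(ID)
    return in_span_of(B, oracle.H(ID, b)), in_span_of(B, oracle.H(ID, 1 - b))
```

Correctness does not depend on the matrix, so decryption works in normal and lossy mode alike; what the lossy mode breaks is only the uniformity of Ã e_ID, and the second, independently programmed half u_{ID‖1−b} restores a universal hash for the LHL.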
SLIDE 77

5. Conclusion
SLIDE 78

Conclusion

① A tight security proof for GPV-IBE in the QROM in the single-challenge setting.
② An (almost) tight security proof for a variant of GPV-IBE in the QROM in the multi-challenge setting.

✓ Our proofs are much simpler than [Zha12].
✓ They are easy to follow for non-experts in quantum computation.


SLIDE 80

*Key Lemma Used in Proof

We can set $(\mathbf{e}_{\mathrm{ID}}, \mathbf{u}_{\mathrm{ID}})$ in reverse order!

Real scheme (requires the trapdoor $\mathbf{T}_{\mathbf{A}}$):
1. Set $\mathbf{u}_{\mathrm{ID}} := H(\mathrm{ID})$.
2. Sample a short $\mathbf{e}_{\mathrm{ID}}$ s.t. $\mathbf{A}\mathbf{e}_{\mathrm{ID}} = \mathbf{u}_{\mathrm{ID}}$.
3. Output $(\mathbf{e}_{\mathrm{ID}}, \mathbf{u}_{\mathrm{ID}})$.

Simulation (doesn't require the trapdoor $\mathbf{T}_{\mathbf{A}}$):
1. Sample a short $\mathbf{e}_{\mathrm{ID}}$ from the appropriate distribution (*discrete Gaussian).
2. Program the RO as $H(\mathrm{ID}) := \mathbf{A}\mathbf{e}_{\mathrm{ID}}$.
3. Output $(\mathbf{e}_{\mathrm{ID}}, \mathbf{u}_{\mathrm{ID}})$.

SLIDE 81

Minimum Preparation for Quantum Crypto

A qubit is a register in superposition between a few states: $|0\rangle, |1\rangle, \ldots$

Notation: $|\psi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_x|^2$ = probability of getting $x$ when measuring $|\psi\rangle$

Given any classical function $g$, one can compute $\sum_x \alpha_x |x\rangle \to \sum_x \alpha_x |x, g(x)\rangle$.

In particular, a quantum adversary can evaluate the hash function $H$ over qubits.

SLIDES 82-86

Overcoming the Difficulty [Zha12]

Zhandry [Zha12] introduced semi-constant distributions to make FDH-type proofs go through in the QROM. The high level idea is:
✓ On a $p$-fraction of the inputs, program the RO to embed the hard problem.
✓ On the other fraction, program the RO to output random values.
✓ Show that such programmed ROs are indistinguishable from random functions.
✓ Hope that the challenge identity $\mathrm{ID}^*$ lies in the $p$-fraction of the inputs.

The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.

Downside: the reduction loss is huge,
$\varepsilon_{\mathrm{LWE}} \approx \varepsilon_{\mathrm{IBE}}^2 / Q_H^4$
($\varepsilon_{\mathrm{IBE}}$: advantage of breaking the IBE; $\varepsilon_{\mathrm{LWE}}$: advantage of solving LWE).

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.