Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (slide transcript)

Post on 20-Jun-2020


TRANSCRIPT

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model

Shuichi Katsumata (The University of Tokyo / AIST)
Shota Yamada (AIST)
Takashi Yamakawa (NTT)

*Pronounced as

Post Quantum Cryptography

Owing to NIST's announcement, PQCrypto has been gathering increasingly more attention.

In general...

  Scheme secure under a PQ assumption in the standard model
    → the scheme is secure against quantum algorithms.

  Scheme secure under a PQ assumption in the RO model
    → however... the scheme may NOT be secure against quantum algorithms (*).

Many practical schemes rely on the ROM! Recent works on the QROM:
- Signatures: [Zha12] [ARU14] [Unr17] [KLS18] ...
- PKE: [TU16] [JZC+18] [SXY18] ...

This work is on Identity-Based Encryption (IBE).

(*) [BDF+11] Boneh et al. "Random oracles in a quantum world". ASIACRYPT 2011.

IBEs from Post Quantum Assumptions

There are few IBEs secure under PQ assumptions.

- Lattice-based IBEs
    ROM: [GPV08] [ABB10] [CHKP10]
    Standard model: [ABB10] [CHKP10] [Yam16] [KY16] ...  (this line of work is quantumly secure)
- Code-based IBEs
    ROM: [GHPT17]

What can we say about efficient schemes proven secure in the ROM??

IBEs Secure in the QROM

Work of Zhandry [Zha12]
- Presented a general technique to use in the QROM.
- Proved security of the lattice-based IBEs of [GPV08], [ABB10], [CHKP10] in the QROM.

However...
- Comes at the cost of a huge reduction loss.
- Requires decent knowledge of quantum computation.

  A breaks the IBE with advantage $\epsilon$
  $\Rightarrow$ B solves the LWE problem with advantage $\approx \epsilon^2 / Q_H^4$, where $Q_H :=$ number of RO queries.

If we want a 128-bit secure IBE ($\epsilon = 2^{-128}$), assuming $Q_H = 2^{100}$,
we need at least a 656-bit secure LWE problem!!  ($\epsilon^2 / Q_H^4 = 2^{-256} / 2^{400} = 2^{-656}$)

Question: Can we construct tightly secure IBEs in the QROM??

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.

Summary of Our Result

① Tight security proof for GPV-IBE in the QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in the QROM in the multi-challenge setting.

- Our proofs are much simpler than [Zha12].
- Easy to follow for non-experts of quantum computation.

Overview of This Talk

1. Review of GPV-IBE
2. What Goes Wrong in QROM
3. Result 1: Tightly Secure GPV-IBE in QROM
4. Result 2: Extending it to Multi-Challenge

*Kangaroo...?

1. Review of GPV-IBE

Identity-based Encryption [Sha84]

[Figure: Alice, Bob and a Public Key Generator. An identity string such as alice@example.com is the public key; the Public Key Generator holds the master secret and issues the matching secret key $sk_{ID}$; a ciphertext is sent under the identity.]

Any string can be a public key!

[Sha84] A. Shamir. "Identity-Based Cryptosystems and Signature Schemes". CRYPTO 1984.

IND-CPA Security of IBE in the ROM

Challenger: $(mpk, msk) \leftarrow \mathrm{SetUp}(1^\lambda)$; sends mpk to the adversary.

Random oracle $H: \mathcal{ID} \to \mathcal{Z}$: on a query ID, the challenger answers with $Z \leftarrow \mathrm{Uni}(\mathcal{Z})$ (fresh for each new ID).

Secret key queries: on $ID_i$, the challenger returns $sk_{ID_i} \leftarrow \mathrm{KeyGen}(ID_i, msk)$.

Challenge query $(ID^*, M)$ with $ID^* \neq ID_i$ for every queried $ID_i$: the challenger picks $b \leftarrow \{0,1\}$ and returns the challenge ciphertext $CT^*$ for $(ID^*, M)$ according to $b$.

The adversary outputs $b'$. IND-CPA security: $\Pr[b' = b] \approx 1/2$.

Multi-challenge: the adversary can obtain challenge ciphertexts multiple times.

Gentry-Peikert-Vaikuntanathan IBE

- (mpk, msk)
    mpk = $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, $H: \{0,1\}^* \to \mathbb{Z}_q^n$ (*programmed as RO)
    msk = trapdoor $\mathbf{T}_{\mathbf{A}}$ for $\mathbf{A}$
- Secret key $sk_{ID}$
    Short vector $\mathbf{e}_{ID} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{e}_{ID} = \mathbf{u}_{ID} := H(ID)$
- Encryption $CT_{ID}$ of M
    LWE instance for $(\mathbf{A}, \mathbf{u}_{ID})$:
    $c_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$,  $c_1 = \langle \mathbf{s}, \mathbf{u}_{ID} \rangle + x' + M \lfloor q/2 \rfloor$

[GPV08] Gentry, Peikert, and Vaikuntanathan. "Trapdoors for hard lattices and new cryptographic constructions". STOC 2008.

Security Proof in the Classical ROM

- Proof similar to FDH signatures.
- Simulator guesses one ID to embed the LWE problem.

LWE problem given to the simulator (LWE adversary): $(\mathbf{A}, \mathbf{u})$ and $\mathbf{s}[\mathbf{A} \mid \mathbf{u}] + [\mathbf{x} \mid x']$.

- For $ID \neq ID^*$: sample $\mathbf{e}_{ID}$ and program the RO as $H(ID) := \mathbf{A}\mathbf{e}_{ID}$.
    Sim. knows the secret key → can answer secret key queries.
- For $ID^*$: program the RO as $H(ID^*) := \mathbf{u}$.
    Sim. doesn't know the secret key → embed the LWE instance into the challenge ciphertext.

Guess the challenge $ID^*$ and program the RO differently for $ID^*$.

2. What Goes Wrong in QROM

Minimum Preparation for Quantum Crypto

A qubit is a register in a superposition of a few states: $|0\rangle, |1\rangle, \ldots$

Notation: $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
- $|\alpha_0|^2 + |\alpha_1|^2 = 1$
- $|\alpha_b|^2$ = prob. of getting $b$ when measuring $|\phi\rangle$

$\sum_x \alpha_x |x\rangle \;\to\; \sum_x \alpha_x |x, H(x)\rangle$

In short...
A quantum adversary can evaluate the hash function H over qubits in the real world.
The QROM should model this capability!

What this Means for the QROM

FDH-type proofs in the ROM don't hold in the QROM! Why?

In the ROM... the classical RO receives the queries $ID_1, ID_2, \ldots, ID_{Q_H}$ one at a time.
  Guess $i \in [Q_H]$ and program the RO differently on the single $ID^* := ID_i$.

In the QROM... the quantum RO receives $\sum_{ID} \alpha_{ID} |ID\rangle$ (*a query in superposition over all IDs).
  Can't guess $ID^*$!! (*with more than negl. prob.)

Overcoming the Difficulty [Zha12]

Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in the QROM.

The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.
- Program the RO on many points instead of a single point.

Downside: the reduction loss is huge.
  Adv. of solving LWE $\approx$ (Adv. of breaking IBE)$^2 / Q_H^4$, i.e. $\epsilon' \approx \epsilon^2 / Q_H^4$.

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.

3. Result 1: Tightly Secure GPV-IBE in QROM

Idea: Depart from Partitioning

Partitioning techniques are not good with tight reductions. Non-partitioning technique??

- Simulator programs the RO identically for all inputs.
- Simulator can answer all secret key queries.
- Simulator can generate the challenge ciphertext for all identities.

Is this even possible?

Yes! Similar to Cramer-Shoup PKE: use the secret key to construct the challenge ciphertext :)
*Idea also used in pairing-based Gentry's IBE.

Knowing the Secret Key of All IDs

Let us consider the first two problems.
- Simulator programs the RO identically for all inputs.
- Simulator can answer all secret key queries.

Unlike the original GPV-IBE proof...
- For ∀ID: sample $\mathbf{e}_{ID}$ and program the RO as $H(ID) := \mathbf{A}\mathbf{e}_{ID}$.

Main observation: given $(\mathbf{A}, \mathbf{u}_{ID} = H(ID))$, the secret key $\mathbf{e}_{ID}$ retains sufficient entropy.
Just like Cramer-Shoup!

Simulating the Challenge Ciphertext

Remaining problem.
- Simulator can generate the challenge ciphertext for all identities.

As in Cramer-Shoup, use the secret key to construct the challenge ciphertext.

Simulator (holds $\mathbf{s}\mathbf{A} + \mathbf{x}$ from the LWE problem):
  $c_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$
  $c_1 = \langle c_0, \mathbf{e}_{ID^*} \rangle + M \lfloor q/2 \rfloor$        (uses the secret key)
     $= \mathbf{s}\mathbf{A}\mathbf{e}_{ID^*} + \langle \mathbf{x}, \mathbf{e}_{ID^*} \rangle + M \lfloor q/2 \rfloor$
     $\approx \langle \mathbf{s}, \mathbf{u}_{ID^*} \rangle + x' + M \lfloor q/2 \rfloor$
Same as in the real world modulo a small difference in the noise distribution.

Why is this secure??

Hybrid 1 (LWE: replace $\mathbf{s}\mathbf{A} + \mathbf{x}$ by a uniform vector):
  $c_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$)
  $c_1 = \langle \mathbf{b}, \mathbf{e}_{ID^*} \rangle + M \lfloor q/2 \rfloor$

Hybrid 2 (leftover hash lemma using the entropy of $\mathbf{e}_{ID^*}$):
  $c_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$)
  $c_1 = r$ (random in $\mathbb{Z}_q$)

No information on M!!
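The GPV-IBE algebra from the review section and the simulator's secret-key-based challenge ciphertext from the slides above, as an added toy example in Python. This is not the authors' code and not a secure implementation. Everything beyond the talk's equations is an assumption: the toy parameters n = 8, m = 64, q = 4093, "short" vectors drawn from {-1, 0, 1} in place of a discrete Gaussian, one-bit messages, the sample identities, and the names `Simulator`, `encrypt`, `decrypt`, `demo`. Keys are produced in the reverse order of the key lemma (sample e_ID first, then program H(ID) := A e_ID), so no trapdoor T_A is needed; the real KeyGen samples e_ID for a given u_ID with the trapdoor.

```python
"""Toy GPV-IBE over Z_q, added to illustrate the slides (not the authors' code).

Conventions follow the talk: A in Z_q^{n x m}; s in Z_q^n is a row vector, so
c_0 = sA + x lies in Z_q^m; e_ID in Z^m is short with A e_ID = u_ID in Z_q^n.
ASSUMPTIONS (not from the talk): toy sizes n=8, m=64, q=4093, 'short' vectors
drawn from {-1,0,1} instead of a discrete Gaussian, one-bit messages.  Nothing
here is secure; it only checks the algebra of the scheme and of the simulator.
"""
import random

N, M, Q = 8, 64, 4093


def setup(seed=0):
    """mpk = A <- Z_q^{n x m}.  The trapdoor T_A (msk) is never needed below,
    because keys are produced in the 'reverse order' of the key lemma."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    return A, rng


def short_vec(rng, length):
    """Stand-in for a discrete-Gaussian sample (assumption: entries in {-1,0,1})."""
    return [rng.choice((-1, 0, 1)) for _ in range(length)]


def mat_vec(A, e):
    """A e mod q: (n x m) times length-m -> length-n."""
    return [sum(a * b for a, b in zip(row, e)) % Q for row in A]


def vec_mat(s, A):
    """s A mod q: length-n times (n x m) -> length-m."""
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(M)]


def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


class Simulator:
    """The non-partitioning simulator of Result 1: on the first query for any
    ID it samples e_ID and programs H(ID) := A e_ID, so it holds sk_ID for
    every identity and can build a challenge ciphertext for any of them."""

    def __init__(self, A, rng):
        self.A, self.rng, self.table = A, rng, {}

    def H(self, ID):
        if ID not in self.table:
            e = short_vec(self.rng, M)
            self.table[ID] = (e, mat_vec(self.A, e))   # (e_ID, u_ID = A e_ID)
        return self.table[ID][1]

    def keygen(self, ID):
        self.H(ID)
        return self.table[ID][0]

    def challenge(self, ID, msg):
        """Challenge ciphertext built from the secret key, as on the slide:
        c_0 = sA + x, c_1 = <c_0, e_ID*> + M*floor(q/2).  No u_ID* is used."""
        e = self.keygen(ID)
        s = [self.rng.randrange(Q) for _ in range(N)]
        c0 = [(a + b) % Q for a, b in zip(vec_mat(s, self.A), short_vec(self.rng, M))]
        c1 = (inner(c0, e) + msg * (Q // 2)) % Q
        return c0, c1


def encrypt(A, u, msg, rng):
    """Real-world GPV encryption of one bit under u_ID = H(ID):
    c_0 = sA + x, c_1 = <s, u_ID> + x' + M*floor(q/2)."""
    s = [rng.randrange(Q) for _ in range(N)]
    x, x1 = short_vec(rng, M), rng.choice((-1, 0, 1))
    c0 = [(a + b) % Q for a, b in zip(vec_mat(s, A), x)]
    c1 = (inner(s, u) + x1 + msg * (Q // 2)) % Q
    return c0, c1


def decrypt(e, c0, c1):
    """c_1 - <c_0, e_ID> = M*floor(q/2) + (x' - <x, e_ID>); the noise is at most
    m + 1 = 65 in absolute value, far below q/4, so rounding recovers M."""
    v = (c1 - inner(c0, e)) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0


def demo(seed=1):
    """Decrypt real and simulated ciphertexts for two identities and both bits.
    Returns {(ID, M): (bit from the real CT, bit from the simulated CT)}."""
    A, rng = setup(seed)
    sim = Simulator(A, rng)
    results = {}
    for ID in ("alice@example.com", "bob@example.com"):   # constructed sample IDs
        e = sim.keygen(ID)
        for msg in (0, 1):
            real = decrypt(e, *encrypt(A, sim.H(ID), msg, rng))
            simulated = decrypt(e, *sim.challenge(ID, msg))
            results[(ID, msg)] = (real, simulated)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

Decryption subtracts $\langle c_0, \mathbf{e}_{ID} \rangle$, which cancels the bulk term $\mathbf{s}\mathbf{A}\mathbf{e}_{ID} = \langle \mathbf{s}, \mathbf{u}_{ID} \rangle$ in both kinds of ciphertext. What remains is $M \lfloor q/2 \rfloor$ plus $x' - \langle \mathbf{x}, \mathbf{e}_{ID} \rangle$ for a real ciphertext, and exactly $M \lfloor q/2 \rfloor$ for the simulated one: the two differ only in that noise term, which is the "small difference in the noise distribution" the slide refers to.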

Combining Everything Together

✓ Simulator programs the RO identically for all inputs.
✓ Simulator can answer all secret key queries.
✓ Simulator can generate the challenge ciphertext for all identities.

The proof naturally fits the QROM setting! (The RO is programmed the same way on every input, so the simulator never needs to know which identities the adversary queries, and a superposition query is answered like any other.)

Moreover...
- Since the simulator never aborts, the security proof is tight.
- The proof is (almost) as simple as in the classical setting :)

4. Result 2: Extending it to Multi-Challenge

Tight Security for Multi-Challenge

An adversary gets to query many challenge ciphertexts:
  $CT^{(1)}$: $c_0^{(1)} = \mathbf{s}_1\mathbf{A} + \mathbf{x}_1$, $c_1^{(1)} = \langle \mathbf{s}_1, \mathbf{u}_{ID} \rangle + x_1' + M_1 \lfloor q/2 \rfloor$
  ...
  $CT^{(N)}$: $c_0^{(N)} = \mathbf{s}_N\mathbf{A} + \mathbf{x}_N$, $c_1^{(N)} = \langle \mathbf{s}_N, \mathbf{u}_{ID} \rangle + x_N' + M_N \lfloor q/2 \rfloor$

Fact
- Multi-challenge security can be reduced to single-challenge security (by a hybrid argument over the N challenges).
- However, the reduction is not tight and loses a factor of N.

Question: Can we make the reduction loss independent of N??

Requires New Technique

The previous technique does not work anymore... Why? (*proof of single-challenge)

Not enough entropy in the secret key $\mathbf{e}_{ID}$ to modify all $N = \mathrm{poly}(\lambda)$ ciphertexts to random!!

Need to get more entropy from some other source...

Idea: Use Lossy LWE to Boost Entropy

Standard LWE: $(\mathbf{A}, \mathbf{s}\mathbf{A} + \mathbf{x})$ where $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$
  uniquely determines $\mathbf{s}$.

Lossy LWE: $(\tilde{\mathbf{A}}, \mathbf{s}\tilde{\mathbf{A}} + \mathbf{x})$ where $\tilde{\mathbf{A}} \leftarrow \mathrm{Lossy}(\cdot)$
  leaks almost no information on $\mathbf{s}$.

Indistinguishable assuming the LWE problem :)

Use the entropy of $\{\mathbf{s}_i\}_{i \in [N]}$ to proceed with the LHL.

Attempt to Change CT to Random

$CT^{(i)}$: $c_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$, $c_1^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{ID} \rangle + x_i' + M_i \lfloor q/2 \rfloor$

Program the RO to answer secret key queries ($H(ID) := \mathbf{A}\mathbf{e}_{ID}$):
$CT^{(i)}$: $c_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$, $c_1^{(i)} = \mathbf{s}_i\mathbf{A}\mathbf{e}_{ID} + x_i' + M_i \lfloor q/2 \rfloor$

Change to lossy LWE (*leaks almost no information on $\mathbf{s}_i$):
$CT^{(i)}$: $c_0^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}} + \mathbf{x}_i$, $c_1^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}}\mathbf{e}_{ID} + x_i' + M_i \lfloor q/2 \rfloor$

Leftover hash lemma using the entropy of $\mathbf{s}_i$:
$CT^{(i)}$: $c_0^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}} + \mathbf{x}_i$, $c_1^{(i)} = r$

WRONG!!
When $\tilde{\mathbf{A}}$ is in lossy mode, $\tilde{\mathbf{A}}\mathbf{e}_{ID}$ is no longer uniform over $\mathbb{Z}_q^n$!!
$\tilde{\mathbf{A}}\mathbf{e}_{ID}$ is not universal, so we cannot apply the LHL!

Fixing it by the Katz-Wang Technique

Double the ciphertext and use the Katz-Wang technique.

$CT^{(i)}$: $c_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$,
            $c_{1\|0}^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{ID\|0} \rangle + x_{i\|0}' + M_i \lfloor q/2 \rfloor$,
            $c_{1\|1}^{(i)} = \langle \mathbf{s}_i, \mathbf{u}_{ID\|1} \rangle + x_{i\|1}' + M_i \lfloor q/2 \rfloor$
where $\mathbf{u}_{ID\|b} := H(ID\|b)$.

In the scheme, only give out one secret key $\mathbf{e}_{ID}$ s.t. $\mathbf{A}\mathbf{e}_{ID} = \mathbf{u}_{ID\|b}$ for a random bit b.

During simulation
- Sim. programs $H(ID\|b) := \mathbf{u}_{ID\|b} = \tilde{\mathbf{A}}\mathbf{e}_{ID}$ for a random bit b.
- Programs $H(ID\|1-b) := \mathbf{u}_{ID\|1-b} \leftarrow \mathbb{Z}_q^n$.
- Use the LHL on $\mathbf{u}_{ID\|1-b}$, which is now universal, and repeat :)

[KW03] Katz and Wang. "Efficiency improvements for signature schemes with tight security reductions". CCS 2003.
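The doubled ciphertext and the bit-b secret key of the Katz-Wang variant above, together with a simulator that programs $H(ID\|b) := \mathbf{A}\mathbf{e}_{ID}$ and leaves $H(ID\|1-b)$ uniform, as an added toy example in Python (not the authors' code, not secure). Assumptions beyond the slide: the toy parameters n = 8, m = 64, q = 4093, {-1, 0, 1} in place of a discrete Gaussian, one-bit messages, a uniform A (the lossy matrix of the proof is not modelled), the sample identities, and the names `KWSimulator`, `encrypt_kw`, `decrypt_kw`, `demo`. The random oracle is the simulator's programmed table, which is what both the encryptor and the key holder consult.

```python
"""Katz-Wang variant of GPV-IBE (Result 2), added as a toy example; not the
authors' code and not secure.  Each identity has two hash values u_{ID||0},
u_{ID||1}; a ciphertext carries a c_1 slot for both, and the secret key opens
only the slot b chosen at KeyGen.  The simulator below programs H(ID||b) := A e_ID
and leaves H(ID||1-b) uniform, which is the slot the LHL is applied to.
ASSUMPTIONS (not from the talk): toy sizes n=8, m=64, q=4093, {-1,0,1} in place
of a discrete Gaussian, one-bit messages, and a uniform A (the lossy matrix of
the proof is not modelled).
"""
import random

N, M, Q = 8, 64, 4093


def short_vec(rng, length):
    return [rng.choice((-1, 0, 1)) for _ in range(length)]


def mat_vec(A, e):
    return [sum(a * b for a, b in zip(row, e)) % Q for row in A]


def vec_mat(s, A):
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(M)]


def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


class KWSimulator:
    """Holds mpk A and the programmed random oracle table for H(ID||bit)."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.A = [[self.rng.randrange(Q) for _ in range(M)] for _ in range(N)]
        self.keys, self.table = {}, {}

    def keygen(self, ID):
        """sk_ID = (b, e_ID) with A e_ID = u_{ID||b}; u_{ID||1-b} stays uniform."""
        if ID not in self.keys:
            b = self.rng.randrange(2)
            e = short_vec(self.rng, M)
            self.table[(ID, b)] = mat_vec(self.A, e)
            self.table[(ID, 1 - b)] = [self.rng.randrange(Q) for _ in range(N)]
            self.keys[ID] = (b, e)
        return self.keys[ID]

    def H(self, ID, bit):
        self.keygen(ID)
        return self.table[(ID, bit)]


def encrypt_kw(sim, ID, msg):
    """CT = (c_0, [c_{1||0}, c_{1||1}]); the encryptor does not know which slot is live."""
    rng = sim.rng
    s = [rng.randrange(Q) for _ in range(N)]
    c0 = [(a + b) % Q for a, b in zip(vec_mat(s, sim.A), short_vec(rng, M))]
    c1 = [(inner(s, sim.H(ID, bit)) + rng.choice((-1, 0, 1)) + msg * (Q // 2)) % Q
          for bit in (0, 1)]
    return c0, c1


def decrypt_kw(sk, c0, c1):
    """Only the slot matching the key's bit b decrypts; the other slot is
    tied to an unrelated uniform vector and yields nothing useful."""
    b, e = sk
    v = (c1[b] - inner(c0, e)) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0


def demo(seed=7):
    """Returns {ID: (bit recovered for M=0, bit recovered for M=1)}."""
    sim = KWSimulator(seed)
    out = {}
    for ID in ("alice@example.com", "bob@example.com", "carol@example.com"):  # constructed
        sk = sim.keygen(ID)
        out[ID] = tuple(decrypt_kw(sk, *encrypt_kw(sim, ID, msg)) for msg in (0, 1))
    return out


if __name__ == "__main__":
    print(demo())
```

Both slots carry the same message, so a key holder decrypts from whichever slot its bit b selects, while the simulator is free to choose $H(ID\|1-b)$ uniformly at random because no issued key ever depends on it.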

5. Conclusion

Conclusion

① Tight security proof for GPV-IBE in the QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in the QROM in the multi-challenge setting.

- Our proofs are much simpler than [Zha12].
- Easy to follow for non-experts of quantum computation.

*Key Lemma Used in the Proof

We can set $(\mathbf{e}_{ID}, \mathbf{u}_{ID})$ in reverse order!

Forward order (requires the trapdoor $\mathbf{T}_{\mathbf{A}}$):
  1. Set $\mathbf{u}_{ID} := H(ID)$.
  2. Sample short $\mathbf{e}_{ID}$ s.t. $\mathbf{A}\mathbf{e}_{ID} = \mathbf{u}_{ID}$.
  3. Output $(\mathbf{e}_{ID}, \mathbf{u}_{ID})$.

Reverse order (doesn't require the trapdoor $\mathbf{T}_{\mathbf{A}}$):
  1. Sample short $\mathbf{e}_{ID}$ from the appropriate distribution (*discrete Gaussian).
  2. Program the RO as $H(ID) := \mathbf{A}\mathbf{e}_{ID}$.
  3. Output $(\mathbf{e}_{ID}, \mathbf{u}_{ID})$.

Minimum Preparation for Quantum Crypto

A qubit is a register in a superposition of a few states: $|0\rangle, |1\rangle, \ldots$

Notation: $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
- $|\alpha_0|^2 + |\alpha_1|^2 = 1$
- $|\alpha_b|^2$ = prob. of getting $b$ when measuring $|\phi\rangle$

Given any classical function $f$, one can compute: $\sum_x \alpha_x |x\rangle \;\to\; \sum_x \alpha_x |x, f(x)\rangle$

In particular...
A quantum adversary can evaluate the hash function H over qubits.

Overcoming the Difficulty [Zha12]

Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in the QROM.

High-level idea is...
- On a p-fraction of inputs, program the RO to embed the hard problem.
- On the other fraction, program the RO to output random values.
- Show that such programmed ROs are indistinguishable from random functions.
- Hope that the challenge identity $ID^*$ falls in the p-fraction of inputs.

The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.

Downside: the reduction loss is huge.
  Adv. of solving LWE $\approx$ (Adv. of breaking IBE)$^2 / Q_H^4$, i.e. $\epsilon' \approx \epsilon^2 / Q_H^4$.

[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO 2012.
