Post on 20-Jun-2020
TRANSCRIPT
Slide 1
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model
Shuichi Katsumata (The University of Tokyo / AIST)
Shota Yamada (AIST)
Takashi Yamakawa (NTT)
*Pronounced as
Slides 2-5: Post Quantum Cryptography
Owing to NIST's announcement, PQCrypto has been gathering increasingly more attention.
In general...
• Scheme secure under a PQ assumption in the standard model ⇒ the scheme is secure against quantum algorithms.
• Scheme secure under a PQ assumption in the RO model ⇒ however... the scheme may NOT be secure against quantum algorithms (*).
Many practical algorithms rely on the ROM! Recent works on QROM:
• Signatures: [Zha12] [ARU14] [Unr17] [KLS18] ...
• PKE: [TU16] [JZC+18] [SXY18] ...
This work is on Identity-based Encryptions (IBEs).
(*) [BDF+11] Boneh et al. "Random oracles in a quantum world". EUROCRYPT.
Slides 6-7: IBEs from Post Quantum Assumptions
There are few IBEs secure under PQ assumptions.
• Lattice-based IBEs. ROM: [GPV08] [ABB10] [CHKP10]. Standard: [ABB10] [CHKP10] [Yam16] [KY16] ... (this line of work is quantumly secure).
• Code-based IBEs. ROM: [GHPT17].
What can we say about efficient schemes proven secure in the ROM??
Slides 8-12: IBEs Secure in the QROM
Work of Zhandry [Zha12]
✓ Presented a general technique to use in QROM.
✓ Proved security of the lattice-based IBEs of [GPV08], [ABB10], [CHKP10] in QROM.
However...
✓ Comes at the cost of a huge reduction loss.
✓ Requires decent knowledge of quantum computation.
If A breaks the IBE with advantage $\epsilon$, then B solves the LWE problem with advantage $\approx \epsilon^2 / Q_H^4$, where $Q_H :=$ number of RO queries.
If we want a 128-bit secure IBE ($\epsilon = 2^{-128}$), assuming $Q_H = 2^{100}$, we need at least a 656-bit secure LWE problem!! (since $\epsilon^2 / Q_H^4 = 2^{-256} / 2^{400} = 2^{-656}$)
Question: Can we construct tightly secure IBEs in QROM??
[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO.
Slide 13: Summary of Our Result
① Tight security proof for GPV-IBE in QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting.
✓ Our proofs are much simpler than [Zha12].
✓ Easy to follow for non-experts of quantum computation.
Slide 14: Overview of This Talk
1. Review of GPV-IBE
2. What Goes Wrong in QROM
3. Result 1: Tightly Secure GPV-IBE in QROM
4. Result 2: Extending it to Multi-Challenge
*Kangaroo...?
Slide 15: 1. Review of GPV-IBE
Slide 16: Identity-based Encryption [Sha84]
(Figure: Alice, Bob and a Public Key Generator; the identity $ID_{Alice}$ = alice@example.com, its secret key $sk_{ID_{Alice}}$, and a ciphertext.)
Any string can be a public key!
[Sha84]: A. Shamir. "Identity-Based Cryptosystems and Signature Schemes". Crypto.
Slides 17-18: IND-CPA Security of IBE in ROM
Random oracle $H: ID \to \mathcal{Z}$, each value $Z \leftarrow \mathrm{Uni}(\mathcal{Z})$.
• Setup: $(mpk, msk) \leftarrow \mathrm{Setup}(1^\lambda)$; the challenger sends $mpk$ to the adversary.
• Secret key queries: the adversary sends $ID_i$ and receives $sk_{ID_i} \leftarrow \mathrm{KeyGen}(ID_i, msk)$.
• Challenge: the adversary sends $(ID^*, M)$ with $ID^* \neq ID_i$; the challenger picks $b \leftarrow \{0, 1\}$ and returns $CT^*$.
• The adversary outputs $b'$; security requires $\Pr[b' = b] \approx 1/2$.
Multi-Challenge: if the adversary can obtain the challenge ciphertext multiple times.
Slides 19-21: Gentry-Peikert-Vaikuntanathan IBE
• (mpk, msk):
  mpk = $A \in \mathbb{Z}_q^{n \times m}$, $H: \{0,1\}^* \to \mathbb{Z}_q^n$ (*programmed as RO)
  msk = trapdoor $T_A$ for $A$
• Secret key $sk_{ID}$: short vector $e_{ID} \in \mathbb{Z}^m$ s.t. $A e_{ID} = u_{ID} := H(ID)$.
• Encryption $CT_{ID}$ of $M$: an LWE instance for $(A, u_{ID})$,
  $[c_0 \mid c_1] = s[A \mid u_{ID}] + [x \mid x'] + [0 \mid M \lfloor q/2 \rfloor]$, i.e. $c_0 = sA + x$, $c_1 = \langle s, u_{ID} \rangle + x' + M \lfloor q/2 \rfloor$.
[GPV08] Gentry, Peikert, and Vaikuntanathan. "Trapdoors for hard lattices and new cryptographic constructions". STOC.
Slides 22-25: Security Proof in Classical ROM
• Proof similar to FDH signature.
• Simulator guesses one ID to embed the LWE problem.
Simulator (LWE adversary) receives the LWE problem $s[A \mid u] + [x \mid x']$.
→ For $ID \neq ID^*$: sample $e_{ID}$ and program RO as $H(ID) := A e_{ID}$. Sim. knows the secret key, so it can answer secret key queries.
→ For $ID^*$: program RO as $H(ID^*) := u$. Sim. doesn't know the secret key; embed the LWE instance into the challenge ciphertext.
In short: guess the challenge $ID^*$ and program the RO differently for $ID^*$.
Slide 26: 2. What Goes Wrong in QROM
Slides 27-29: Minimum Preparation for Quantum Crypto
Qubits: a register in superposition between a few states: $|0\rangle, |1\rangle, \ldots$
Notation: $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_b|^2$ = probability of getting $b$ when measuring $|\phi\rangle$
$\sum_x \alpha_x |x\rangle \;\to\; \sum_x \alpha_x |x, H(x)\rangle$
In short... a quantum adversary can evaluate the hash function H over qubits in the real world.
QROM should model this capability!
Slides 30-33: What this Means for QROM
FDH-type proofs in ROM don't hold in QROM! Why?
In ROM... the classical RO receives the queries $ID_1, ID_2, \ldots, ID_{Q_H}$ one at a time: guess $i \in [Q_H]$ and program the RO differently on the single $ID^* := ID_i$.
In QROM... the quantum RO receives $\sum_{ID} \alpha_{ID} |ID\rangle$ (*a query is a superposition of all IDs): can't guess $ID^*$!! (*with more than negligible probability)
Slides 34-36: Overcoming the Difficulty [Zha12]
Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM.
The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.
→ Program RO on many points instead of a single point.
Downside: the reduction loss is huge. $\epsilon_{LWE} \approx \epsilon_{IBE}^2 / Q_H^4$ (adv. of solving LWE vs. adv. of breaking IBE).
[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO.
Slide 37: 3. Result 1: Tightly Secure GPV-IBE in QROM
Slides 38-41: Idea: Depart from Partitioning
Partitioning techniques are not good with tight reduction. Non-partitioning technique??
• Simulator programs RO identically for all inputs.
• Simulator can answer all secret key queries.
• Simulator can generate the challenge ciphertext for all identities.
Is this even possible? Yes! Similar to Cramer-Shoup PKE: use the secret key to construct the challenge ciphertext :)
*Idea also used in pairing-based Gentry's IBE.
Slides 42-44: Knowing the Secret Key of All IDs
Let us consider the first two problems.
• Simulator programs RO identically for all inputs.
• Simulator can answer all secret key queries.
Unlike the original GPV-IBE proof...
→ For all $ID$: sample $e_{ID}$ and program RO as $H(ID) := A e_{ID}$.
Main Observation: given $(A, u_{ID} = H(ID))$, the secret key $e_{ID}$ retains sufficient entropy. Just like Cramer-Shoup!
Slides 45-53: Simulating the Challenge Ciphertext
Remaining problem:
• Simulator can generate the challenge ciphertext for all identities.
As in Cramer-Shoup, use the secret key to construct the challenge ciphertext. The simulator sets
$c_0 = sA + x$,
$c_1 = \langle c_0, e_{ID^*} \rangle + M \lfloor q/2 \rfloor = s A e_{ID^*} + \langle x, e_{ID^*} \rangle + M \lfloor q/2 \rfloor \approx \langle s, u_{ID^*} \rangle + x' + M \lfloor q/2 \rfloor$.
Same as in the real world modulo a small difference in the noise distribution.
Why is this secure??
Hybrid 1 (LWE problem: replace $sA + x$ by uniform $b$): $c_0 = b$ (random in $\mathbb{Z}_q^m$), $c_1 = \langle b, e_{ID^*} \rangle + M \lfloor q/2 \rfloor$.
Hybrid 2 (leftover hash lemma using the entropy of $e_{ID^*}$): $c_0 = b$ (random in $\mathbb{Z}_q^m$), $c_1 = r$ (random in $\mathbb{Z}_q$).
No information on M!!
Slides 54-56: Combining Everything Together
✓ Simulator programs RO identically for all inputs.
✓ Simulator can answer all secret key queries.
✓ Simulator can generate the challenge ciphertext for all identities.
Proof naturally fits the QROM setting!
Moreover...
→ Since the simulator never aborts, the security proof is tight.
→ Proof is (almost) as simple as in the classical setting :)
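A toy implementation of the non-partitioning simulator from Result 1, added here as an example and not code from the authors: H is answered in the key lemma's reverse order (short e_ID first, then H(ID) := A e_ID, so no trapdoor T_A is needed), and the challenge ciphertext for ID* is built from e_{ID*} as on the slides. The dimensions n, m, q, the {-1,0,1} noise standing in for a discrete Gaussian, and all helper names are assumptions of this example.

```python
"""Toy GPV-IBE with the non-partitioning simulator (added example, not the
authors' code).  Parameters and noise are constructed stand-ins; not secure."""
import random

N, M, Q = 8, 48, 1009   # toy n, m, q (assumption): |x'| + |<x, e>| <= 49 < q/4
random.seed(7)

def small_vec(dim):
    """Short vector with entries in {-1, 0, 1} (stand-in for a discrete Gaussian)."""
    return [random.choice((-1, 0, 1)) for _ in range(dim)]

def matvec(A, v):            # A v mod q, A is n x m
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def vecmat(s, A):            # s A mod q, s has length n
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(M)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def setup():
    """mpk = A in Z_q^{n x m}; the simulator never needs msk = T_A."""
    return [[random.randrange(Q) for _ in range(M)] for _ in range(N)]

class Simulator:
    """Programs H identically for every ID and knows every secret key."""
    def __init__(self, A):
        self.A, self.keys = A, {}
    def H(self, ID):         # random oracle H: {0,1}* -> Z_q^n
        if ID not in self.keys:
            e = small_vec(M)                         # 1. sample short e_ID
            self.keys[ID] = (e, matvec(self.A, e))   # 2. program H(ID) := A e_ID
        return self.keys[ID][1]
    def keygen(self, ID):    # answers any secret-key query, never aborts
        self.H(ID)
        return self.keys[ID][0]

def encrypt(A, H, ID, msg):
    """Real-world GPV encryption: c0 = sA + x, c1 = <s, u_ID> + x' + M*floor(q/2)."""
    s, x, xp = [random.randrange(Q) for _ in range(N)], small_vec(M), random.choice((-1, 0, 1))
    c0 = [(a + b) % Q for a, b in zip(vecmat(s, A), x)]
    c1 = (dot(s, H(ID)) + xp + msg * (Q // 2)) % Q
    return c0, c1

def sim_challenge(A, e_star, msg):
    """Simulator's challenge for ID*: c1 = <c0, e_{ID*}> + M*floor(q/2), which
    expands to <s, u_{ID*}> + <x, e_{ID*}> + M*floor(q/2): the real ciphertext
    up to the noise term, computed from the secret key alone."""
    s, x = [random.randrange(Q) for _ in range(N)], small_vec(M)
    c0 = [(a + b) % Q for a, b in zip(vecmat(s, A), x)]
    return c0, (dot(c0, e_star) + msg * (Q // 2)) % Q

def decrypt(e_ID, ct):
    """c1 - <c0, e_ID> = M*floor(q/2) + small noise; round to 0 or 1."""
    c0, c1 = ct
    v = (c1 - dot(c0, e_ID)) % Q
    return 1 if Q // 4 < v < 3 * Q // 4 else 0

def noise(e_ID, ct, msg):
    """Centered leftover after removing M*floor(q/2): x' - <x, e_ID> for a
    real ciphertext, exactly 0 for the simulator's ciphertext."""
    c0, c1 = ct
    v = (c1 - dot(c0, e_ID) - msg * (Q // 2)) % Q
    return v - Q if v > Q // 2 else v
```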
Slide 57: 4. Result 2: Extending it to Multi-Challenge
Slides 58-60: Tight Security for Multi-Challenge
An adversary gets to query many challenge ciphertexts:
$CT^{(1)}$: $c_0^{(1)} = s_1 A + x_1$, $c_1^{(1)} = s_1 u_{ID} + x'_1 + M_1 \lfloor q/2 \rfloor$
...
$CT^{(N)}$: $c_0^{(N)} = s_N A + x_N$, $c_1^{(N)} = s_N u_{ID} + x'_N + M_N \lfloor q/2 \rfloor$
Fact
→ Single-challenge security can be reduced to multi-challenge security.
→ However, the reduction is not tight and loses a factor of N in the reduction.
Question: Can we make the reduction loss independent of N??
Slides 61-64: Requires New Technique
The previous technique does not work anymore... Why? (*Proof of single-challenge)
Not enough entropy in the secret key $e_{ID}$ to modify all $N = \mathrm{poly}(\lambda)$ ciphertexts to random!!
Need to get more entropy from some other source...
Slides 65-68: Idea: Use Lossy LWE to Boost Entropy
Standard LWE: $(A, sA + x)$ where $A \leftarrow \mathbb{Z}_q^{n \times m}$; uniquely determines $s$.
Lossy LWE: $(\tilde{A}, s\tilde{A} + x)$ where $\tilde{A} \leftarrow \mathrm{Lossy}(\cdot)$; leaks almost no information on $s$.
Indistinguishable assuming the LWE problem :)
Use the entropy of $(s_i)_{i \in [N]}$ to proceed with the LHL.
Slides 69-73: Attempt to Change CT to Random
$CT^{(i)}$: $c_0^{(i)} = s_i A + x_i$, $c_1^{(i)} = s_i u_{ID} + x'_i + M_i \lfloor q/2 \rfloor$
Program RO to answer secret key queries:
$CT^{(i)}$: $c_0^{(i)} = s_i A + x_i$, $c_1^{(i)} = s_i A e_{ID} + x'_i + M_i \lfloor q/2 \rfloor$
Change to Lossy LWE (*leaks almost no information on $s_i$):
$CT^{(i)}$: $c_0^{(i)} = s_i \tilde{A} + x_i$, $c_1^{(i)} = s_i \tilde{A} e_{ID} + x'_i + M_i \lfloor q/2 \rfloor$
Leftover hash lemma using the entropy of $s_i$:
$CT^{(i)}$: $c_0^{(i)} = s_i \tilde{A} + x_i$, $c_1^{(i)} = r$
WRONG!! When $\tilde{A}$ is in lossy mode, $\tilde{A} e_{ID}$ is no longer uniform over $\mathbb{Z}_q^n$!! $\tilde{A} e_{ID}$ is not universal, so cannot apply LHL!
Slides 74-76: Fixing it by Katz-Wang Technique
Double the ciphertext and use the Katz-Wang technique.
$CT^{(i)}$: $c_0^{(i)} = s_i A + x_i$, $c_{1\|0}^{(i)} = s_i u_{ID\|0} + x'_{i\|0} + M_i \lfloor q/2 \rfloor$, $c_{1\|1}^{(i)} = s_i u_{ID\|1} + x'_{i\|1} + M_i \lfloor q/2 \rfloor$
where $u_{ID\|b} := H(ID\|b)$.
In the scheme, only give out one secret key $e_{ID}$ s.t. $A e_{ID} = u_{ID\|b}$ for a random bit $b$.
During simulation
• Sim. programs $H(ID\|b) := u_{ID\|b} = \tilde{A} e_{ID}$ for a random bit $b$.
• Programs $H(ID\|1-b) := u_{ID\|1-b} \leftarrow \mathbb{Z}_q^n$.
• Use LHL on $u_{ID\|1-b}$, which is now universal, and repeat :)
[KW03] Katz and Wang. "Efficiency improvements for signature schemes with tight security reductions". CCS.
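The failure the slides mark WRONG!! and the Katz-Wang repair, as an added example (not the slides' code): with a rank-deficient lossy matrix the values Ã e_ID collapse to a small set, while the freshly programmed H(ID||1-b) branch stays uniform. Modelling Lossy(·) as Ã = BC mod q with k < n (the small noise of a real lossy LWE matrix is omitted), the dict-backed random oracle and the toy parameters are assumptions of this example.

```python
"""Lossy-mode failure and Katz-Wang repair (added example, not the slides'
code).  Lossy(.) is modelled as a rank-k product B*C mod q, noise omitted;
the parameters are constructed toy values and are not secure."""
import random

N, M, K, Q = 4, 16, 1, 31      # n, m, lossy rank k < n, q (constructed)
random.seed(3)

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def uniform_matrix(rows, cols):
    return [[random.randrange(Q) for _ in range(cols)] for _ in range(rows)]

def lossy_matrix():
    """A~ = B C: every A~ e lies in the k-dimensional column span of B, so
    A~ e_ID takes at most q^k values instead of being uniform over Z_q^n."""
    B, C = uniform_matrix(N, K), uniform_matrix(K, M)
    return [[sum(B[i][t] * C[t][j] for t in range(K)) % Q for j in range(M)]
            for i in range(N)]

def short_vec():
    """Short e_ID with entries in {-1, 0, 1} (stand-in for a discrete Gaussian)."""
    return [random.choice((-1, 0, 1)) for _ in range(M)]

def distinct_images(A, trials=3000):
    """Number of distinct A e_ID over random short e_ID: the slides'
    'A~ e_ID is no longer uniform' made measurable."""
    return len({tuple(matvec(A, short_vec())) for _ in range(trials)})

def program_katz_wang(A_lossy, ID, H):
    """Simulation step from the slides: pick b, program H(ID||b) := A~ e_ID
    (the one key the simulator hands out) and H(ID||1-b) := fresh uniform u,
    which is universal, so the LHL can be applied on that branch."""
    b, e = random.randrange(2), short_vec()
    H[(ID, b)] = matvec(A_lossy, e)
    H[(ID, 1 - b)] = [random.randrange(Q) for _ in range(N)]
    return b, e

def branch_images(trials=3000):
    """Distinct values of both branches over many constructed IDs: the
    A~ e_ID branch collapses to <= q^k values, the uniform branch does not."""
    A_lossy, H, keyed, fresh = lossy_matrix(), {}, set(), set()
    for i in range(trials):
        b, _ = program_katz_wang(A_lossy, f"id{i}", H)
        keyed.add(tuple(H[(f"id{i}", b)]))
        fresh.add(tuple(H[(f"id{i}", 1 - b)]))
    return len(keyed), len(fresh)
```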
Slide 77: 5. Conclusion
Slide 78: Conclusion
① Tight security proof for GPV-IBE in QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting.
✓ Our proofs are much simpler than [Zha12].
✓ Easy to follow for non-experts of quantum computation.
Slides 79-80: *Key Lemma Used in Proof
We can set $(e_{ID}, u_{ID})$ in reverse order!
Requires trapdoor $T_A$:
1. Set $u_{ID} := H(ID)$
2. Sample short $e_{ID}$ s.t. $A e_{ID} = u_{ID}$
3. Output $(e_{ID}, u_{ID})$
Doesn't require trapdoor $T_A$:
1. Sample short $e_{ID}$ from the appropriate distribution (*discrete Gaussian).
2. Program RO as $H(ID) := A e_{ID}$
3. Output $(e_{ID}, u_{ID})$
Slide 81: Minimum Preparation for Quantum Crypto
Qubits: a register in superposition between a few states: $|0\rangle, |1\rangle, \ldots$
Notation: $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_b|^2$ = probability of getting $b$ when measuring $|\phi\rangle$
Given any classical function $f$, can compute: $\sum_x \alpha_x |x\rangle \;\to\; \sum_x \alpha_x |x, f(x)\rangle$
In particular... a quantum adversary can evaluate the hash function H over qubits.
Slides 82-86: Overcoming the Difficulty [Zha12]
Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM.
High-level idea is...
✓ On a p-fraction of inputs, program RO to embed the hard problem.
✓ On the other fraction, program RO to output random values.
✓ Show that such programmed ROs are indistinguishable from random functions.
✓ Hope the challenge identity $ID^*$ ∈ {p-fraction of inputs}.
The technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.
Downside: the reduction loss is huge. $\epsilon_{LWE} \approx \epsilon_{IBE}^2 / Q_H^4$ (adv. of solving LWE vs. adv. of breaking IBE).
[Zha12] Zhandry. "Secure identity-based encryption in the quantum random oracle model". CRYPTO.