Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model
Shuichi Katsumata (The University of Tokyo / AIST)
Shota Yamada (AIST)
Takashi Yamakawa (NTT)
*Pronounced as

Post Quantum Cryptography
Owing to NIST's announcement, PQCrypto has been gathering increasingly more attention.
In general…
Scheme secure under a PQ assumption in the standard model
  => Scheme is secure against quantum algorithms
Scheme secure under a PQ assumption in the RO model
  => However… scheme may NOT be secure against quantum algorithms (*)
Many practical algorithms rely on ROM! Recent works on QROM:
• Signatures: [Zha12][ARU14][Unr17][KLS18]…
• PKE: [TU16][JZC+18][SXY18]…
This work is on Identity-based Encryptions (IBEs)
(*) [BDF+11] Boneh et al. “Random oracles in a quantum world”. EUROCRYPT.

IBEs from Post Quantum Assumptions
There are few IBEs secure under PQ assumptions.
• Lattice-based IBEs
  ROM: [GPV08][ABB10][CHKP10]
  Standard: [ABB10][CHKP10][Yam16][KY16]….
  This line of work is quantumly secure.
• Code-based IBEs
  ROM: [GHPT17]
What can we say about efficient schemes proven secure in the ROM??

IBEs Secure in the QROM
Work of Zhandry [Zha12]
✓ Presented a general technique to use in QROM.
✓ Proved security of lattice-based IBEs of [GPV08], [ABB10], [CHKP10] in QROM.
However…
✓ Comes at a cost of a huge reduction loss.
✓ Requires decent knowledge on quantum computation.
A breaks IBE with advantage $\epsilon$
B solves LWE problem with advantage $\approx \epsilon^2 / Q_H^4$
$Q_H$ := # RO query
If we want 128-bit secure IBE ($\epsilon = 2^{-128}$), assuming $Q_H = 2^{100}$,
we need at least 656-bit secure LWE problem!!
Question: Can we construct tightly secure IBEs in QROM??

Summary of Our Result
① Tight security proof for GPV-IBE in QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting.
✓ Our proofs are much simpler than [Zha12].
✓ Easy to follow for non-experts of quantum computation.

Overview of This Talk
1 Review of GPV-IBE
2 What Goes Wrong in QROM
3 Result 1: Tightly Secure GPV-IBE in QROM
4 Result 2: Extending it to Multi-Challenge
*Kangaroo...?

1. Review of GPV-IBE

Identity-based Encryption [Sha84]
[Figure: Alice, Bob and the Public Key Generator; labels: $\mathsf{ID}_{\mathsf{Alice}}$, $\mathsf{sk}_{\mathsf{ID}_{\mathsf{Alice}}}$, ciphertext]
Any string can be a public key!
[Sha84]: A. Shamir. “Identity-Based Cryptosystems and Signature Schemes”. Crypto.

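IND-CPA Security of IBE in ROM
[Figure: security game between the challenger, the adversary and the random oracle]
$(\mathsf{mpk}, \mathsf{msk}) \leftarrow \mathsf{SetUp}(1^{\lambda})$; the adversary is given $\mathsf{mpk}$
Random oracle $\mathsf{H}: \mathcal{ID} \to \mathcal{Z}$: on query $\mathsf{ID}$, answer $Z \leftarrow \mathsf{Uni}(\mathcal{Z})$
Key query $\mathsf{ID}_i$: answer $\mathsf{sk}_{\mathsf{ID}_i}$, where $\mathsf{KeyGen}(\mathsf{ID}_i, \mathsf{msk}) \to \mathsf{sk}_{\mathsf{ID}_i}$
Challenge query $(\mathsf{ID}^* \neq \mathsf{ID}_i, M)$: answer $\mathsf{CT}^*$, with $b \leftarrow \{0, 1\}$
The adversary outputs $b'$; $\Pr[b' = b] \approx \frac{1}{2}$
Multi-Challenge if the adversary can obtain the challenge ciphertext multiple times.
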
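Gentry-Peikert-Vaikuntanathan IBE
• $\mathsf{mpk}, \mathsf{msk}$
  - $\mathsf{mpk} = (\mathbf{A} \in \mathbb{Z}_q^{n \times m},\ \mathsf{H}: \{0,1\}^* \to \mathbb{Z}_q^n)$   *Programmed as RO
  - $\mathsf{msk}$ = trapdoor $\mathbf{T}_{\mathbf{A}}$ for $\mathbf{A}$
• Secret key $\mathsf{sk}_{\mathsf{ID}}$
  - Short vector $\mathbf{e}_{\mathsf{ID}} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{e}_{\mathsf{ID}} = \mathbf{u}_{\mathsf{ID}} := \mathsf{H}(\mathsf{ID})$
• Encryption $\mathsf{CT}_{\mathsf{ID}}$ of $M$
  - LWE instance for $(\mathbf{A}, \mathbf{u}_{\mathsf{ID}})$:
    $c_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$, $c_1 = \mathbf{s}\mathbf{u}_{\mathsf{ID}} + x' + M\frac{q}{2}$
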
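Security Proof in Classical ROM
• Proof similar to FDH-signature
• Simulator guesses one ID to embed LWE problem
[Figure: the LWE problem $\mathbf{s}[\mathbf{A} \mid \mathbf{u}] + [\mathbf{x} \mid x']$ is given to the simulator (LWE adversary)]
➢ For $\mathsf{ID} \neq \mathsf{ID}^*$: Sample $\mathbf{e}_{\mathsf{ID}}$ and program RO as $\mathsf{H}(\mathsf{ID}) := \mathbf{A}\mathbf{e}_{\mathsf{ID}}$.
   Sim. knows secret key. Can answer secret key queries.
➢ For $\mathsf{ID}^*$: Program RO as $\mathsf{H}(\mathsf{ID}^*) := \mathbf{u}$.
   Sim. doesn't know secret key. Embed into chall. ciphertext.
Guess challenge $\mathsf{ID}^*$ and program RO differently for $\mathsf{ID}^*$.
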
2. What Goes Wrong in QROM

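Minimum Preparation for Quant. Crypt.
Qubits are registers in superposition between a few states: 0, 1, ...
Notation: $|\phi\rangle = \alpha_0 |0\rangle + \alpha_1 |1\rangle$ (generally $\sum_x \alpha_x |x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_b|^2$ = Prob. of getting $b$ when measuring $|\phi\rangle$
$\sum_x \alpha_x |x\rangle \to \sum_x \alpha_x |x, \mathsf{H}(x)\rangle$
In short…
A quantum adversary can evaluate hash function $\mathsf{H}$ over qubits in the real world.
QROM should model this capability!
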
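What this Means for QROM
FDH-type proofs in ROM don't hold in QROM!
Why?
In ROM…
[Figure: classical queries $\mathsf{ID}_1, \mathsf{ID}_2, \ldots, \mathsf{ID}_{Q_H}$ to the classical RO]
Guess $i \in [Q_H]$ and program RO differently on single $\mathsf{ID}^* := \mathsf{ID}_i$
In QROM…
[Figure: query $\sum_i \alpha_i |\mathsf{ID}_i\rangle$ to the quantum RO]
*Query superposition of all ID
Can't guess $\mathsf{ID}^*$!! *with more than negl. prob.
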
Overcoming the Difficulty [Zha12]
Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM.
Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.
➢ Program RO on many points instead of a single point.
Downside: The reduction loss is huge.
(Adv. of solving LWE) $\approx \epsilon^2 / Q_H^4$, where $\epsilon$ = Adv. of breaking IBE
[Zha12] Zhandry. “Secure identity-based encryption in the quantum random oracle model”. CRYPTO.

3. Result 1: Tightly Secure GPV-IBE in QROM

Idea: Depart from Partitioning
Partitioning techniques are not good with tight reduction.
Non-partitioning technique??
• Simulator programs RO identically for all inputs.
• Simulator can answer all secret key queries.
• Simulator can generate chall. cipher. for all identity.
Is this even possible?
Yes! Similar to Cramer-Shoup PKE.
Use secret key to construct challenge ciphertext :)
*Idea also used in pairing-based Gentry's IBE.

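Knowing the Secret Key of All IDs
Let us consider the first two problems.
• Simulator programs RO identically for all inputs.
• Simulator can answer all secret key queries.
Unlike original GPV-IBE proof…
➢ For $\forall\,\mathsf{ID}$: Sample $\mathbf{e}_{\mathsf{ID}}$ and program RO as $\mathsf{H}(\mathsf{ID}) := \mathbf{A}\mathbf{e}_{\mathsf{ID}}$.
Main Observation: Given $(\mathbf{A}, \mathbf{u}_{\mathsf{ID}} = \mathsf{H}(\mathsf{ID}))$, the secret key $\mathbf{e}_{\mathsf{ID}}$ retains sufficient entropy.
Just like Cramer-Shoup!
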
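Simulating the Challenge Ciphertext
Remaining problem.
• Simulator can generate chall. cipher. for all identity.
As in Cramer-Shoup, use secret key to construct chall. cipher.
Simulator:
$c_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$
$c_1 = \langle c_0, \mathbf{e}_{\mathsf{ID}^*} \rangle + M\frac{q}{2}$
$\quad = \mathbf{s}\mathbf{A}\mathbf{e}_{\mathsf{ID}^*} + \langle \mathbf{x}, \mathbf{e}_{\mathsf{ID}^*} \rangle + M\frac{q}{2}$
$\quad \approx \langle \mathbf{s}, \mathbf{u}_{\mathsf{ID}^*} \rangle + x' + M\frac{q}{2}$
Same as in real-world modulo small difference in noise distribution.
Why is this secure??
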
Simulating the Challenge Ciphertext
Remaining problem.
• Simulator can generate chall. cipher. for all identity.
As in Cramer-Shoup, use secret key to construct chall. cipher.
[Figure: the LWE problem gives $\mathbf{s}\mathbf{A} + \mathbf{x}$ to the simulator]
$c_0 = \mathbf{s}\mathbf{A} + \mathbf{x}$, $c_1 = \langle c_0, \mathbf{e}_{\mathsf{ID}^*} \rangle + M\frac{q}{2}$
Hybrid 1:
$c_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$), $c_1 = \langle \mathbf{b}, \mathbf{e}_{\mathsf{ID}^*} \rangle + M\frac{q}{2}$

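Simulating the Challenge Ciphertext
Remaining problem.
• Simulator can generate chall. cipher. for all identity.
As in Cramer-Shoup, use secret key to construct chall. cipher.
Simulator:
$c_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$), $c_1 = \langle \mathbf{b}, \mathbf{e}_{\mathsf{ID}^*} \rangle + M\frac{q}{2}$
Left over hash lemma using entropy of $\mathbf{e}_{\mathsf{ID}^*}$
Hybrid 2:
$c_0 = \mathbf{b}$ (random in $\mathbb{Z}_q^m$), $c_1 = r$ (random in $\mathbb{Z}_q$)
No information on $M$!!
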
Combining Everything Together
• Simulator programs RO identically for all inputs. ✓
• Simulator can answer all secret key queries. ✓
• Simulator can generate chall. cipher. for all identity. ✓
Proof naturally fits the QROM setting!
Moreover…
➢ Since the simulator never aborts, the security proof is tight.
➢ Proof is (almost) as simple as in the classical setting :)

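The non-partitioning simulation of Result 1, as an added toy example in Python that is not from the talk or the paper: one simulator programs H(ID) := A e_ID for every identity, answers every key query, and builds the challenge ciphertext from the secret key. Assumed here: the toy parameters, the names `Simulator`, `lwe_sample`, `real_c1`, `decrypt` and `demo`, the SHAKE-256 derivation of e_ID with entries in {-1, 0, 1} in place of the proof's short-vector sampling, and `q // 2` standing in for q/2.

```python
import hashlib
import random

# Toy parameters, constructed for this example; far too small to be secure.
Q, N, M_DIM = 12289, 8, 32      # modulus q, rows n and columns m of A
E_BOUND, X_BOUND = 1, 2         # entry bounds: secret keys e_ID, LWE noise x


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


class Simulator:
    """Handles every identity the same way: no guessed ID*, no abort."""

    def __init__(self, seed=b"constructed-seed"):
        rng = random.Random(seed)
        self.A = [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N)]
        self.seed = seed

    def secret_key(self, identity):
        # Short e_ID as a fixed function of ID (SHAKE-256 here, an assumption
        # standing in for the short-vector sampling of the actual proof).
        stream = hashlib.shake_256(self.seed + b"|" + identity).digest(M_DIM)
        return [byte % (2 * E_BOUND + 1) - E_BOUND for byte in stream]

    def H(self, identity):
        # Programmed random oracle: H(ID) := A e_ID, for all ID alike.
        e = self.secret_key(identity)
        return [dot(row, e) for row in self.A]

    def challenge(self, identity, bit, c0):
        # c1 = <c0, e_ID*> + M*(q//2). Only c0 is needed, so c0 can be the
        # LWE sample sA + x or the uniform vector b of Hybrid 1.
        return (dot(c0, self.secret_key(identity)) + bit * (Q // 2)) % Q


def lwe_sample(A, rng):
    """Returns (s, x, c0 = sA + x); s and x are exposed only for checking."""
    s = [rng.randrange(Q) for _ in range(N)]
    x = [rng.randint(-X_BOUND, X_BOUND) for _ in range(M_DIM)]
    c0 = [(sum(s[i] * A[i][j] for i in range(N)) + x[j]) % Q
          for j in range(M_DIM)]
    return s, x, c0


def real_c1(s, u, bit, rng):
    """Real-world second component: <s, u_ID> + x' + M*(q//2)."""
    return (dot(s, u) + rng.randint(-X_BOUND, X_BOUND) + bit * (Q // 2)) % Q


def decrypt(e, c0, c1):
    return 1 if abs(centered(c1 - dot(c0, e))) > Q // 4 else 0


def demo():
    sim, rng = Simulator(), random.Random(2018)
    ids = [b"alice", b"bob", b"challenge-id"]     # constructed identities
    target = ids[-1]
    e_star, u_star = sim.secret_key(target), sim.H(target)
    s, x, c0 = lwe_sample(sim.A, rng)
    out = {
        # Every key query is answered, the challenge identity included.
        "keys_short": all(max(map(abs, sim.secret_key(i))) <= E_BOUND
                          for i in ids),
        "sim_decrypts": [], "real_decrypts": [], "noise_gap": [],
    }
    for bit in (0, 1):
        c1 = sim.challenge(target, bit, c0)
        out["sim_decrypts"].append(decrypt(e_star, c0, c1))
        out["real_decrypts"].append(
            decrypt(e_star, c0, real_c1(s, u_star, bit, rng)))
        # Simulated c1 minus (<s, u_ID*> + M*(q//2)) is exactly <x, e_ID*>.
        gap = centered(c1 - dot(s, u_star) - bit * (Q // 2))
        out["noise_gap"].append((gap, centered(dot(x, e_star))))
    return out


if __name__ == "__main__":
    print(demo())
```

The `noise_gap` pairs show the "small difference in noise distribution" from the slides: the simulated ciphertext carries noise ⟨x, e_ID*⟩ where the real one carries x′.
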
4. Result 2: Extending it to Multi-Challenge

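Tight Security for Multi-Challenge
An adversary gets to query many challenge ciphertexts:
$\mathrm{CT}^{(1)}$: $\mathbf{c}_0^{(1)} = \mathbf{s}_1\mathbf{A} + \mathbf{x}_1$, $c_1^{(1)} = \mathbf{s}_1\mathbf{u}_{\mathsf{ID}} + x_1' + M_1\frac{q}{2}$
⋯
$\mathrm{CT}^{(N)}$: $\mathbf{c}_0^{(N)} = \mathbf{s}_N\mathbf{A} + \mathbf{x}_N$, $c_1^{(N)} = \mathbf{s}_N\mathbf{u}_{\mathsf{ID}} + x_N' + M_N\frac{q}{2}$
Fact
- Single-chall. can be reduced to Multi-chall. security.
- However, the reduction is not tight and loses a factor of N in the reduction.
Question
Can we make the reduction loss independent of N??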
![Page 64: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/64.jpg)
64
Requires New Technique
Previous technique does not work anymore…
Why?
*Proof of Single-Challenge
Not enough entropy in secret key $\mathbf{e}_{\mathsf{ID}}$ to modify all N = poly(λ) ciphertexts to random!!
Need to get more entropy from some other source…
![Page 68: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/68.jpg)
68
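Idea: Use Lossy LWE to Boost Entropy
Standard LWE: $(\mathbf{A}, \mathbf{s}\mathbf{A} + \mathbf{x})$ where $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$ uniquely determines $\mathbf{s}$
Lossy LWE: $(\tilde{\mathbf{A}}, \mathbf{s}\tilde{\mathbf{A}} + \mathbf{x})$ where $\tilde{\mathbf{A}} \leftarrow \mathsf{Lossy}(\cdot)$ leaks almost no information on $\mathbf{s}$
Indistinguishable assuming the LWE problem ☺
Use entropy of $(\mathbf{s}_i)_{i \in [N]}$ to proceed with LHL.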
![Page 73: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/73.jpg)
73
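Attempt to Change CT to Random
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$, $c_1^{(i)} = \mathbf{s}_i\mathbf{u}_{\mathsf{ID}} + x_i' + M_i\frac{q}{2}$
↓ Program RO to answer secret key queries
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$, $c_1^{(i)} = \mathbf{s}_i\mathbf{A}\mathbf{e}_{\mathsf{ID}} + x_i' + M_i\frac{q}{2}$
↓ Change to Lossy LWE
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}} + \mathbf{x}_i$, $c_1^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}}\mathbf{e}_{\mathsf{ID}} + x_i' + M_i\frac{q}{2}$
*Leaks almost no information of $\mathbf{s}_i$
↓ Left over hash lemma using entropy of $\mathbf{s}_i$
$\mathrm{CT}^{(i)}$: $\mathbf{c}_0^{(i)} = \mathbf{s}_i\tilde{\mathbf{A}} + \mathbf{x}_i$, $c_1^{(i)} = r$
WRONG!!
When $\tilde{\mathbf{A}}$ is in Lossy mode, $\tilde{\mathbf{A}}\mathbf{e}_{\mathsf{ID}}$ is no longer uniform over $\mathbb{Z}_q^n$!!
$\tilde{\mathbf{A}}\mathbf{e}_{\mathsf{ID}}$ is not universal, so cannot apply LHL!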
![Page 75: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/75.jpg)
75
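Fixing it by Katz-Wang Technique
Double the ciphertext and use Katz-Wang technique.
$\mathrm{CT}^{(i)}$:
$\mathbf{c}_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$,
$c_{1\|0}^{(i)} = \mathbf{s}_i\mathbf{u}_{\mathsf{ID}\|0} + x_{i\|0}' + M_i\frac{q}{2}$
$c_{1\|1}^{(i)} = \mathbf{s}_i\mathbf{u}_{\mathsf{ID}\|1} + x_{i\|1}' + M_i\frac{q}{2}$
where $\mathbf{u}_{\mathsf{ID}\|b} := \mathsf{H}(\mathsf{ID}\|b)$
In scheme, only give out one secret key $\mathbf{e}_{\mathsf{ID}}$ s.t. $\mathbf{A}\mathbf{e}_{\mathsf{ID}} = \mathbf{u}_{\mathsf{ID}\|b}$ for random bit $b$.
[KW03] Katz and Wang. “Efficiency improvements for signature schemes with tight security reductions”. CCS.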
![Page 76: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/76.jpg)
76
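Fixing it by Katz-Wang Technique
Double the ciphertext and use Katz-Wang technique.
$\mathrm{CT}^{(i)}$:
$\mathbf{c}_0^{(i)} = \mathbf{s}_i\mathbf{A} + \mathbf{x}_i$,
$c_{1\|0}^{(i)} = \mathbf{s}_i\mathbf{u}_{\mathsf{ID}\|0} + x_{i\|0}' + M_i\frac{q}{2}$
$c_{1\|1}^{(i)} = \mathbf{s}_i\mathbf{u}_{\mathsf{ID}\|1} + x_{i\|1}' + M_i\frac{q}{2}$
where $\mathbf{u}_{\mathsf{ID}\|b} := \mathsf{H}(\mathsf{ID}\|b)$
During Simulation
- Sim. programs $\mathsf{H}(\mathsf{ID}\|b) := \mathbf{u}_{\mathsf{ID}\|b} = \tilde{\mathbf{A}}\mathbf{e}_{\mathsf{ID}}$ for random bit $b$.
- Programs $\mathsf{H}(\mathsf{ID}\|1-b) := \mathbf{u}_{\mathsf{ID}\|1-b} \leftarrow \mathbb{Z}_q^n$.
- Use LHL on $\mathbf{u}_{\mathsf{ID}\|1-b}$ which is now universal and repeat ☺
[KW03] Katz and Wang. “Efficiency improvements for signature schemes with tight security reductions”. CCS.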
![Page 77: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/77.jpg)
77
5. Conclusion
![Page 78: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/78.jpg)
78
Conclusion
① Tight security proof for GPV-IBE in QROM in the single-challenge setting.
② (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting.
✓ Our proofs are much simpler than [Zha12].
✓ Easy to follow for non-experts of quantum computation.
![Page 79: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/79.jpg)
79
![Page 80: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/80.jpg)
80
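*Key Lemma Used in Proof
We can set $(\mathbf{e}_{\mathsf{ID}}, \mathbf{u}_{\mathsf{ID}})$ in reverse order!
Requires trapdoor $\mathbf{T}_{\mathbf{A}}$:
1. Set $\mathbf{u}_{\mathsf{ID}} := \mathsf{H}(\mathsf{ID})$
2. Sample short $\mathbf{e}_{\mathsf{ID}}$ s.t. $\mathbf{A}\mathbf{e}_{\mathsf{ID}} = \mathbf{u}_{\mathsf{ID}}$
3. Output $(\mathbf{e}_{\mathsf{ID}}, \mathbf{u}_{\mathsf{ID}})$
Doesn’t require trapdoor $\mathbf{T}_{\mathbf{A}}$:
1. Sample short $\mathbf{e}_{\mathsf{ID}}$ from appropriate distribution. (*Discrete Gaussian)
2. Program RO as $\mathsf{H}(\mathsf{ID}) := \mathbf{A}\mathbf{e}_{\mathsf{ID}}$
3. Output $(\mathbf{e}_{\mathsf{ID}}, \mathbf{u}_{\mathsf{ID}})$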
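The reverse-order sampling of the key lemma, combined with the Katz-Wang doubling from the "During Simulation" slide, as an added toy example that is not code from the talk or the paper. The parameters, the {-1, 0, 1} sampler standing in for the discrete Gaussian, all class and function names, and the lazy per-identity table (a classical stand-in for an oracle programmed identically on all inputs) are assumptions, and the matrix here is uniform rather than lossy.

```python
import secrets

Q, N, M = 12289, 8, 16   # toy modulus and n x m shape of A (assumed; not secure sizes)
rnd = secrets.SystemRandom()

def uniform_vec(k):
    return [rnd.randrange(Q) for _ in range(k)]

def short_vec(k):
    # Stand-in for the discrete Gaussian on the slide: entries in {-1, 0, 1}.
    return [rnd.choice((-1, 0, 1)) for _ in range(k)]

def mat_vec(A, e):       # A e mod q
    return [sum(a * b for a, b in zip(row, e)) % Q for row in A]

def vec_mat(s, A):       # s A mod q, with s a row vector of length n
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(M)]

class Simulator:
    """Answers every key query by programming H; it holds no trapdoor for A."""
    def __init__(self):
        self.A = [uniform_vec(M) for _ in range(N)]
        self.H = {}      # programmed oracle: (ID, bit) -> u
        self.keys = {}   # ID -> (b, e_ID)

    def program(self, ident):
        if ident not in self.keys:
            b, e = rnd.randrange(2), short_vec(M)
            self.H[(ident, b)] = mat_vec(self.A, e)   # H(ID||b) := A e_ID
            self.H[(ident, 1 - b)] = uniform_vec(N)   # H(ID||1-b) uniform
            self.keys[ident] = (b, e)

    def hash(self, ident, bit):
        self.program(ident)
        return self.H[(ident, bit)]

    def key_query(self, ident):
        self.program(ident)
        return self.keys[ident]

def encrypt(sim, ident, msg_bit):
    s, x = uniform_vec(N), short_vec(M)
    c0 = [(v + n) % Q for v, n in zip(vec_mat(s, sim.A), x)]
    c1 = []
    for bit in (0, 1):   # doubled ciphertext: one component per u_{ID||bit}
        u = sim.hash(ident, bit)
        inner = sum(a * b for a, b in zip(s, u))
        c1.append((inner + rnd.choice((-1, 0, 1)) + msg_bit * (Q // 2)) % Q)
    return c0, c1

def decrypt(key, ct):
    (b, e), (c0, c1) = key, ct
    d = (c1[b] - sum(a * x for a, x in zip(c0, e))) % Q   # noise + M * (q // 2)
    return int(Q // 4 < d < 3 * Q // 4)
```

Decryption is exact here because the residual noise is at most m + 1 = 17 in absolute value, far below q/4.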
![Page 81: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/81.jpg)
81
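Minimum Preparation for Quant. Crypt.
A qubit is a register in superposition between a few states: 0, 1, ...
Notation: $|\phi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle$ (Generally $\sum_x \alpha_x|x\rangle$)
• $|\alpha_0|^2 + |\alpha_1|^2 = 1$
• $|\alpha_b|^2$ = Prob. of getting $b$ when measuring $|\phi\rangle$
Given any classical function $f$, can compute: $\sum_x \alpha_x|x\rangle \rightarrow \sum_x \alpha_x|x, f(x)\rangle$
In particular…
A quantum adversary can evaluate hash function H over qubits.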
![Page 86: Tighter Security Proofs for GPV-IBE in the Quantum Random ... · Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model Shota Yamada (AIST) Takashi Yamakawa (NTT)](https://reader033.vdocuments.site/reader033/viewer/2022053006/5f098aa37e708231d427527c/html5/thumbnails/86.jpg)
86
Overcoming the Difficulty [Zha12]
Zhandry [Zha12] introduced semi-constant distributions to prove security of FDH-type proofs in QROM.
High level idea is…
✓ On p-fractions of inputs, program RO to embed hard problem.
✓ On the other fraction, program RO to output random values.
✓ Show that such programmed ROs are ind. from random functions.
✓ Hope the chall. identity $\mathsf{ID}^* \in$ {p-fractions of inputs}.
Technique is conceptually similar to the partitioning technique used to prove adaptively secure IBEs in the standard model.
Downside
The reduction loss is huge.
𝜖 ≈ 𝜖#/𝑄&'
Adv. of breaking IBE / Adv. of solving LWE
[Zha12] Zhandry. “Secure identity-based encryption in the quantum random oracle model”. CRYPTO.