Lattice-based Signcryption without Random Oracles - PowerPoint PPT Presentation

Lattice-based Signcryption without Random Oracles 𝐓𝐢𝐣𝐨𝐡𝐩 𝐓𝐛𝐮𝐩 Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan

Overview • Lattice-based Cryptography • The cryptosystem is based on lattice problems and has quantum-resistance. • It is possible to realize a lot of functionalities of cryptosystems. • Signcryption • Cryptosystem meeting both securities of public key encryption (PKE) and digital signatures (DSs) • The public-key based “authenticated encryption” We propose • A construction of signcryption based on lattice problems, and • Hybrid encryption of signcryption based on this construction with data encapsulation mechanism (DEM) 2

Lattice The lattice generated by 𝑜 linearly independent vectors 𝒄 𝟐 , 𝒄 𝟑 , … , 𝒄 𝒐 ∈ ℝ 𝑛 is defined as 𝑀 𝒄 𝟐 , … , 𝒄 𝒐 = ∑𝑦 𝒋 𝒄 𝒋 𝑦 𝒋 ∈ ℤ . It is often written by 𝒚 ∈ ℤ 𝑜 , 𝑀 𝑪 = 𝑪𝒚 where 𝑪 ≔ 𝒄 𝟐 , … , 𝒄 𝒐 ∈ ℝ 𝑛×𝑜 is the lattice basis. As the norm of vectors, we consider the Euclid norm: 2 + ⋯ + 𝑤 𝑜 2 𝒘 = 𝑤 1 for 𝒘 = 𝑤 1 , … , 𝑤 𝑜 ∈ ℝ 𝑜 . 3

Lattice Problems • 𝛿 : 𝐻𝑏𝑞𝑇𝑊𝑄 • Given a lattice basis 𝑪 , 𝑠 ∈ ℝ , • Decide whether the shortest vector 𝒘(∈ 𝑀 𝑪 ∖ 𝑷 ) fulfills ≤ 𝑠 or 𝑤 𝑤 > 𝛿 ⋅ 𝑠 • Learning with Errors and Small Integer Solution (LWE and SIS) ✓ It is possible to reduce from lattice problems to these problems. ✓ The average-case problems are at least as hard as the worst-case problems. It is possible to realize a lot of cryptosystems such as fully ✓ homomorphic encryption, attribute-based encryption, searchable encryption and so on. 4

Definitions of LWE and SIS • 𝑴𝑿𝑭 𝑟,𝛽 (Decisional version) • The LWE distribution 𝐵(𝒕, 𝜚) : 𝒐 and a Gaussian distribution 𝜚 with the center • Input: 𝒕 ∈ ℤ 𝒓 0 and the standard deviation 𝛽𝑟 𝑜 × ℤ 𝑟 , • Output (*): 𝒃 1 , 𝑐 1 , … , 𝒃 𝑛 , 𝑐 𝑛 ∈ ℤ 𝑟 𝑉 ℤ 𝑟 where 𝑐 𝑗 = 𝒕 ⊤ 𝒃 𝑗 + 𝑓 𝑗 , 𝒃 𝑗 ՚ 𝑜 , 𝑓 𝑗 ՚ 𝜚 for 𝑗 ∈ {1, … , 𝑛} 𝑜 × ℤ 𝑟 , • Input: 𝒃 1 , 𝑐 1 , … , 𝒃 𝑛 , 𝑐 𝑛 ∈ ℤ 𝑟 • Decide whether the input sequence is sampled from the 𝑜 × ℤ 𝑟 LWE distribution or uniformly at random in ℤ 𝑟 (*) Let 𝑩 ≔ 𝒃 1 , … , 𝒃 𝑛 and 𝒇 ⊤ ≔ 𝑓 1 , … , 𝑓 𝑛 , then the LWE samples can be expressed by 𝒄 = 𝒕 ⊤ 𝑩 + 𝒇 ⊤ mod 𝑟 • 𝑻𝑱𝑻 𝑟,𝛾 • Input: 𝑩 ∈ ℤ 𝑟 𝑜×𝑛 , Find: 𝒇 ∈ ℤ 𝑛 s.t. 𝑩𝒇 = 𝟏 mod 𝑟 and 𝒇 • ≤ 𝛾 5

Signcryption [Z97] • Signcryption schemes meet both functionalities of PKE and DS (both of confidentiality and integrity). • It is used to construct secure channels from insecure ones such as the Internet Sender Receiver Receiver’s Sender’s Sender’s Receiver’s Secret-Key Secret-Key Public-Key Public-Key Signcrypt Unsigncrypt or Ciphertext Message invalid [Z97] Y. Zheng, “Digital Signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption),” CRYPTO 1997. 6

The Security Model [ADR02] We consider IND-CCA and sUF-CMA security against insiders in the multi-user setting (MU-IND-iCCA and MU-sUF-iCMA). • Securities in the two-user setting doesn’t always imply ones in the multi- user setting. • Inside adversaries are stronger than outside ones. Mutli-User setting Two-User setting Outsider Insider [ADR02] J. H. An, Y. Dodis, and T. Rabin, “On the security of joint signature and encryption,” 7 EUROCRYPT 2002.

Our Proposal Main purpose: To construct a lattice-based signcryption scheme • Meeting both of MU-IND-iCCA and MU-sUF-iCMA security • More efficient than the existing constructions in terms of key- sizes and ciphertext-size To achieve these, we propose the following constructions 1. A direct construction based on lattice problems 2. Hybrid encryption variant of signcryption (hybrid signcryption) obtained by combining this construction and an IND-OT secure DEM. The existing constructions [CMSM11,NS13]: • These are generic constructions satisfying both securities of MU-IND- iCCA and MU-sUF-iCMA. • We can obtain lattice-based ones by applying lattice-based primitives. 8

The Model Setup phase ： Sender Receiver 𝑞𝑠𝑛 ՚ Setup(1 𝑜 ) Key-Generation : Key-Generation: (𝑞𝑙 𝑇 , 𝑡𝑙 𝑇 ) ՚ KeyGen 𝑇 (𝑞𝑠𝑛) (𝑞𝑙 𝑆 , 𝑡𝑙 𝑆 ) ՚ KeyGen 𝑆 (𝑞𝑠𝑛) Unsigncrypt: Signcrypt: 𝐷 𝐷 ՚ SC (𝑞𝑙 𝑆 , 𝑡𝑙 𝑇 , 𝜈) 𝜈/⊥՚ USC (𝑞𝑙 𝑇 , 𝑡𝑙 𝑆 , 𝐷) Security parameter, 𝑞𝑠𝑛: Public parameter, 𝑜: 𝑞𝑙 𝑇 : Sender’s public key, 𝑞𝑙 𝑆 : Receiver’s public key, 𝑡𝑙 𝑇 : Sender’s secret key, 𝑡𝑙 𝑆 : Receiver’s secret key, Message, Ciphertext 𝜈: 𝐷: ⊥ : Invalid 9

The Security Definition (1/2) MU-IND-iCCA security In the following game, if any adversary 𝐵 ′ s advatage 1 MU−IND−iCCA (𝑜) ≔ | Pr 𝑐 ′ = 𝑐 − 2 | < negl 𝑜 holds, 𝐵𝑒𝑤 𝐵 Signcryption meets MU-IND-iCCA security. Challenger Adversary 𝐵 𝑞𝑠𝑛 ՚ Setup(1 𝑜 ) Unsigncrypt Oracle 𝑞𝑙 𝑆 , 𝑡𝑙 𝑆 ՚ KeyGen 𝑆 (𝑞𝑠𝑛) ∗ ), 𝑞𝑙 𝑇 (≠ 𝑞𝑙 𝑇 ∗ , 𝑡𝑙 𝑇 ∗ 𝜈 0 , 𝜈 1 , 𝑞𝑙 𝑇 𝐷(≠ 𝐷 ∗ ) 𝑉 {0,1} 𝑐 ՚ 𝜈 𝐷 ∗ 𝐷 ∗ ՚ SC(𝑞𝑙 𝑆 , 𝑡𝑙 𝑇 ∗ , 𝜈 𝑐 ) 𝑐′ 𝑐 ′ ? = 𝑐 𝑐′ ∈ {0,1} MU-IND-iCCA=Multi-User Indistinguishability against insider Chosen Ciphertext Attack 10

The Security Definition (2/2) MU-sUF-iCMA security In the following game, if any adversary 𝐵’s advantage MU−sUF−iCMA 𝑜 ≔ Pr 𝐵 wins < negl(𝑜) holds, 𝐵𝑒𝑤 𝐵 Signcryption meets MU-sUF-iCMA security. Challenger Signcrypt Adversary 𝐵 Oracle 𝑞𝑠𝑛 ՚ Setup(1 𝑜 ) 𝑞𝑠𝑛, 𝑞𝑙 𝑇 (𝑗) 𝜈 (𝑗) , 𝑞𝑙 𝑆 𝑞𝑙 𝑇 , 𝑡𝑙 𝑇 ՚ KeyGen 𝑇 (𝑞𝑠𝑛) 𝐷 (𝑗) ∗ , 𝑡𝑙 𝑆 ∗ , 𝐷 ∗ 𝑞𝑙 𝑆 𝑅 queries [𝐵 wins]: ∗ , 𝐷 ∗ = 𝜈 ∗ ∧ USC 𝑞𝑠𝑛, 𝑞𝑙 𝑇 , 𝑡𝑙 𝑆 𝑗 , 𝜈 𝑗 , 𝐷 (𝑗) ∗ , 𝜈 ∗ , 𝐷 ∗ ≠ 𝑞𝑙 𝑆 ∀𝑗 ∈ 1, … , 𝑅 , 𝑞𝑙 𝑆 MU-sUF-iCMA=Multi-User strong Unforgeability against insider Chosen Message Attack 11

Primitives used in Our Construction Direct Construction Tag-based Trapdoor Collision-Resistant Digital Signature + + Function Hash Function (sUF-naCMA) [MP12] [MR07] [MP12] Based on LWE Based on SIS Signcryption Unforgeability Confidentiality + MU-sUF-iCMA MU-IND-iCCA [MP12] D. Micciancio, C. Peikert: “Trapdoor for lattices: Simpler, tighter, faster, smaller,” EUROCRYPT 2012. [MR07] D. Micciancio, O. Regev: “Worst-case to average-case reductions based on gaussian measures,” SIAM J. Comput. 2007. 12

The Problem of Sign-then-Encrypt paradigm In the MU-sUF-iCMA game, inside adversaries can generate forgeries as follows: 1. Submit a query to the signcrypt oracle and receive the response, 2. Decrypt the message/signature-pair (𝜈, 𝑇) by using 𝑡𝑙 𝑆 , 3. Encrypt (𝜈, 𝑇) again and output a forgery 𝐷 ∗ . Signcrypt Oracle Adversary 𝜈, 𝑞𝑙 𝑆 𝐷 Sign 𝑡𝑙 𝑇 , 𝜈 → 𝑇 Dec 𝑡𝑙 𝑆 , 𝜏 → 𝜈||𝑇 Enc 𝑞𝑙 𝑆 , (𝜈||𝑇); 𝑠 → 𝐷 Enc 𝑞𝑙 𝑆 , (𝜈||𝑇); 𝑠’ → 𝐷 ∗ where 𝑠 is a random number A valid forgery (𝑞𝑙 𝑆 , 𝑡𝑙 𝑆 , 𝐷 ∗ ) in the MU-sUF-iCMA game 13

ҧ Basic Idea of Our Construction Our Idea to solve the problem: Generate a signature on injective tag-based trapdoor functions 𝑛 [MP12] (TDFs) of LWE 𝑕 𝐵 𝑢𝑏𝑕, 𝑡; 𝑦 = 𝑡 ⊤ 𝐵 𝑢𝑏𝑕 + 𝑦 ⊤ ∈ ℤ 𝑟 Overview of SC algorithm 𝑢𝑏𝑕 𝑔 𝐶 (𝑞𝑙 𝑇 , 𝑠) 𝑑 = 𝑕 𝐵 (𝑢𝑏𝑕, 𝑡; 𝑦) 𝑇 = Sign(𝑡𝑙 𝑇 , 𝜈|| ҧ 𝑑) 𝜈 : Message Encryption: 𝑑 = ҧ 𝑑 + (𝜈 ∥ 𝑇) 𝑡, 𝑦 : The input of LWE-based TDFs 𝑠 : Random value ⇒ ciphertext 𝐷 = (𝑑, 𝑠) 𝐶 (⋅) : Lattice-based collision-resistant 𝑔 hash function (with a parameter 𝐶 ) 14

Why can the Idea solve the Problem ? • The reason that simple Sign-then-Encrypt constructions are broken: By using a new random number, it is possible to compute a ciphertext on the message/signature pair generated by the SC oracle. • The process of our Construction Our 𝑇𝐷 algorithm generates a signature on both of a message and the input (random number) of the LWE-based trapdoor function [MP12] ⇒ To use new random numbers, adversaries have to break the underlying digital signature. 15