Lattice-based Signcryption without Random Oracles - PowerPoint PPT Presentation

  1. Lattice-based Signcryption without Random Oracles
     Shingo Sato, Junji Shikata
     Graduate School of Environment and Information Sciences, Yokohama National University, Japan

  2. Overview
     • Lattice-based Cryptography
       • The cryptosystem is based on lattice problems and has quantum-resistance.
       • It is possible to realize a lot of functionalities of cryptosystems.
     • Signcryption
       • Cryptosystem meeting both securities of public key encryption (PKE) and digital signatures (DSs)
       • The public-key based "authenticated encryption"
     We propose
     • A construction of signcryption based on lattice problems, and
     • Hybrid encryption of signcryption based on this construction with a data encapsulation mechanism (DEM)

  3. Lattice
     The lattice generated by $n$ linearly independent vectors $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_n \in \mathbb{R}^m$ is defined as
     $L(\mathbf{b}_1, \dots, \mathbf{b}_n) = \{\sum_i x_i \mathbf{b}_i \mid x_i \in \mathbb{Z}\}$.
     It is often written as $L(\mathbf{B}) = \{\mathbf{B}\mathbf{x} \mid \mathbf{x} \in \mathbb{Z}^n\}$, where $\mathbf{B} := [\mathbf{b}_1, \dots, \mathbf{b}_n] \in \mathbb{R}^{m \times n}$ is the lattice basis.
     As the norm of vectors, we consider the Euclidean norm: $\|\mathbf{v}\| = \sqrt{v_1^2 + \cdots + v_n^2}$ for $\mathbf{v} = (v_1, \dots, v_n) \in \mathbb{R}^n$.

  4. Lattice Problems
     • $\mathrm{GapSVP}_{\gamma}$
       • Given a lattice basis $\mathbf{B}$ and $r \in \mathbb{R}$,
       • Decide whether the shortest vector $\mathbf{v} \in L(\mathbf{B}) \setminus \{\mathbf{0}\}$ fulfills $\|\mathbf{v}\| \le r$ or $\|\mathbf{v}\| > \gamma \cdot r$
     • Learning with Errors and Small Integer Solution (LWE and SIS)
       ✓ It is possible to reduce from lattice problems to these problems.
       ✓ The average-case problems are at least as hard as the worst-case problems.
       ✓ It is possible to realize a lot of cryptosystems such as fully homomorphic encryption, attribute-based encryption, searchable encryption and so on.

  5. Definitions of LWE and SIS
     • $\mathrm{LWE}_{q,\alpha}$ (decisional version)
       • The LWE distribution $A(\mathbf{s}, \chi)$:
         Input: $\mathbf{s} \in \mathbb{Z}_q^n$ and a Gaussian distribution $\chi$ with center $0$ and standard deviation $\alpha q$
         Output (*): $(\mathbf{a}_1, b_1), \dots, (\mathbf{a}_m, b_m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, where $b_i = \mathbf{s}^\top \mathbf{a}_i + e_i$, $\mathbf{a}_i \leftarrow U(\mathbb{Z}_q^n)$, $e_i \leftarrow \chi$ for $i \in \{1, \dots, m\}$
       • Input: $(\mathbf{a}_1, b_1), \dots, (\mathbf{a}_m, b_m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
       • Decide whether the input sequence is sampled from the LWE distribution or uniformly at random in $\mathbb{Z}_q^n \times \mathbb{Z}_q$
       (*) Let $\mathbf{A} := [\mathbf{a}_1, \dots, \mathbf{a}_m]$ and $\mathbf{e}^\top := (e_1, \dots, e_m)$; then the LWE samples can be expressed as $\mathbf{b} = \mathbf{s}^\top \mathbf{A} + \mathbf{e}^\top \bmod q$
     • $\mathrm{SIS}_{q,\beta}$
       • Input: $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$. Find: $\mathbf{e} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{e} = \mathbf{0} \bmod q$ and $\|\mathbf{e}\| \le \beta$
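As an added example (my own code, not part of the slides or the authors' scheme), a small pure-Python model of the two definitions on this slide and of the lattice map from slide 3: it samples LWE instances in the matrix form b = s^T A + e^T mod q, shows that the residual b - s^T A is small exactly when the right secret is used (the structure the decisional problem asks an adversary to detect without s), checks a candidate SIS solution against A e = 0 mod q and ‖e‖ ≤ β, and evaluates x ↦ Bx. The parameter values, the rejection-sampling Gaussian and all helper names are assumptions of this example; the parameters are toy-sized and offer no security.

```python
import math
import random


def euclid_norm(v):
    """Euclidean norm ||v|| = sqrt(v_1^2 + ... + v_n^2)."""
    return math.sqrt(sum(x * x for x in v))


def lattice_point(B, x):
    """L(B) = {Bx : x in Z^n}; B is row-major (m x n), x in Z^n."""
    return [sum(B[i][j] * x[j] for j in range(len(x))) for i in range(len(B))]


def sample_gaussian_int(sigma, rng, tail=10):
    """Integer drawn with probability proportional to exp(-x^2 / (2 sigma^2)),
    by rejection sampling on [-tail*sigma, tail*sigma] (simple, not constant-time)."""
    bound = int(math.ceil(tail * sigma))
    while True:
        x = rng.randint(-bound, bound)
        if rng.random() <= math.exp(-x * x / (2.0 * sigma * sigma)):
            return x


def lwe_samples(n, m, q, alpha, rng):
    """m samples of A(s, chi): b = s^T A + e^T mod q with A uniform in Z_q^{n x m}
    (columns are a_1..a_m) and each e_j drawn from a Gaussian of std. dev. alpha*q."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e = [sample_gaussian_int(alpha * q, rng) for _ in range(m)]
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return s, A, e, b


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def residual_is_small(s_guess, A, b, q, bound):
    """With the true secret, b - s^T A mod q equals the error vector e and is small;
    with a wrong secret it looks uniform. Knowing s makes the LWE distribution trivially
    distinguishable from uniform; without s, the decisional problem is assumed hard."""
    n, m = len(A), len(A[0])
    for j in range(m):
        r = centered(b[j] - sum(s_guess[i] * A[i][j] for i in range(n)), q)
        if abs(r) > bound:
            return False
    return True


def is_sis_solution(A, e, q, beta):
    """SIS_{q,beta}: nonzero e in Z^m with A e = 0 mod q and ||e|| <= beta."""
    n, m = len(A), len(A[0])
    if len(e) != m or all(x == 0 for x in e):
        return False
    for i in range(n):
        if sum(A[i][j] * e[j] for j in range(m)) % q != 0:
            return False
    return euclid_norm(e) <= beta


def demo():
    # Constructed toy parameters: far too small for security, chosen so the run is instant.
    n, m, q = 8, 40, 257
    alpha = 2.0 / q                      # standard deviation alpha*q = 2
    rng = random.Random(2018)
    s, A, e, b = lwe_samples(n, m, q, alpha, rng)
    wrong = [(x + 1) % q for x in s]     # a secret that differs in every coordinate
    bound = 20                           # tail*sigma used by sample_gaussian_int
    # Constructed SIS instance over Z_7: e = (-2, 3, 1) satisfies both rows.
    A_sis = [[1, 2, 3], [2, 1, 1]]
    return {
        "true_secret_small": residual_is_small(s, A, b, q, bound),
        "wrong_secret_small": residual_is_small(wrong, A, b, q, bound),
        "sis_ok": is_sis_solution(A_sis, [-2, 3, 1], 7, 4.0),
        "sis_too_long": is_sis_solution(A_sis, [-2, 3, 1], 7, 3.0),
        "lattice_point": lattice_point([[2, 0], [1, 3]], [1, 2]),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the dictionary returned by `demo()`: the residual test passes for the true secret and fails for the wrong one, the SIS candidate is accepted at β = 4 but rejected at β = 3 (its norm is √14 ≈ 3.74), and the lattice point is (2, 7).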

  6. Signcryption [Z97]
     • Signcryption schemes meet both functionalities of PKE and DS (both confidentiality and integrity).
     • It is used to construct secure channels from insecure ones such as the Internet.
     [Figure: the sender runs Signcrypt with the sender's secret key and the receiver's public key to produce a ciphertext; the receiver runs Unsigncrypt with the receiver's secret key and the sender's public key and outputs the message or "invalid".]
     [Z97] Y. Zheng, "Digital Signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption)," CRYPTO 1997.

  7. The Security Model [ADR02]
     We consider IND-CCA and sUF-CMA security against insiders in the multi-user setting (MU-IND-iCCA and MU-sUF-iCMA).
     • Security in the two-user setting does not always imply security in the multi-user setting.
     • Inside adversaries are stronger than outside ones.
     [Figure: adversary settings compared along two axes, two-user vs. multi-user and outsider vs. insider.]
     [ADR02] J. H. An, Y. Dodis, and T. Rabin, "On the security of joint signature and encryption," EUROCRYPT 2002.

  8. Our Proposal
     Main purpose: To construct a lattice-based signcryption scheme
     • Meeting both MU-IND-iCCA and MU-sUF-iCMA security
     • More efficient than the existing constructions in terms of key sizes and ciphertext size
     To achieve these, we propose the following constructions:
     1. A direct construction based on lattice problems
     2. A hybrid-encryption variant of signcryption (hybrid signcryption) obtained by combining this construction and an IND-OT secure DEM
     The existing constructions [CMSM11, NS13]:
     • These are generic constructions satisfying both MU-IND-iCCA and MU-sUF-iCMA security.
     • We can obtain lattice-based ones by applying lattice-based primitives.

  9. The Model
     Setup phase: $\mathrm{prm} \leftarrow \mathrm{Setup}(1^n)$
     Sender key generation: $(pk_S, sk_S) \leftarrow \mathrm{KeyGen}_S(\mathrm{prm})$
     Receiver key generation: $(pk_R, sk_R) \leftarrow \mathrm{KeyGen}_R(\mathrm{prm})$
     Signcrypt (sender): $C \leftarrow \mathrm{SC}(pk_R, sk_S, \mu)$
     Unsigncrypt (receiver): $\mu / \bot \leftarrow \mathrm{USC}(pk_S, sk_R, C)$
     $n$: security parameter, $\mathrm{prm}$: public parameter, $pk_S$: sender's public key, $sk_S$: sender's secret key, $pk_R$: receiver's public key, $sk_R$: receiver's secret key, $\mu$: message, $C$: ciphertext, $\bot$: invalid

  10. The Security Definition (1/2)
     MU-IND-iCCA security
     In the following game, if for any adversary $A$ the advantage
     $\mathrm{Adv}^{\mathrm{MU\text{-}IND\text{-}iCCA}}_{A}(n) := \left| \Pr[b' = b] - \tfrac{1}{2} \right| < \mathrm{negl}(n)$
     holds, the signcryption scheme meets MU-IND-iCCA security.
     Game between the challenger and the adversary $A$:
     • Challenger: $\mathrm{prm} \leftarrow \mathrm{Setup}(1^n)$, $(pk_R, sk_R) \leftarrow \mathrm{KeyGen}_R(\mathrm{prm})$; $A$ is given $pk_R$ and access to an Unsigncrypt oracle.
     • $A$ sends $(\mu_0, \mu_1, pk_S^*, sk_S^*)$.
     • Challenger: $b \leftarrow U(\{0,1\})$, $C^* \leftarrow \mathrm{SC}(pk_R, sk_S^*, \mu_b)$, and returns $C^*$.
     • Unsigncrypt oracle: on a query $(pk_S, C)$ with $(pk_S, C) \neq (pk_S^*, C^*)$, returns $\mathrm{USC}(pk_S, sk_R, C)$.
     • $A$ outputs $b' \in \{0,1\}$ and succeeds if $b' = b$.
     MU-IND-iCCA = Multi-User Indistinguishability against insider Chosen Ciphertext Attack

  11. The Security Definition (2/2)
     MU-sUF-iCMA security
     In the following game, if for any adversary $A$ the advantage
     $\mathrm{Adv}^{\mathrm{MU\text{-}sUF\text{-}iCMA}}_{A}(n) := \Pr[A \text{ wins}] < \mathrm{negl}(n)$
     holds, the signcryption scheme meets MU-sUF-iCMA security.
     Game between the challenger and the adversary $A$:
     • Challenger: $\mathrm{prm} \leftarrow \mathrm{Setup}(1^n)$, $(pk_S, sk_S) \leftarrow \mathrm{KeyGen}_S(\mathrm{prm})$; sends $(\mathrm{prm}, pk_S)$ to $A$.
     • Signcrypt oracle: on the $i$-th query $(\mu^{(i)}, pk_R^{(i)})$, returns $C^{(i)} \leftarrow \mathrm{SC}(pk_R^{(i)}, sk_S, \mu^{(i)})$; $A$ makes $Q$ such queries.
     • $A$ outputs $(pk_R^*, sk_R^*, C^*)$.
     [$A$ wins]: $\mathrm{USC}(\mathrm{prm}, pk_S, sk_R^*, C^*) = \mu^* \;\wedge\; \forall i \in \{1, \dots, Q\},\ (pk_R^{(i)}, \mu^{(i)}, C^{(i)}) \neq (pk_R^*, \mu^*, C^*)$
     MU-sUF-iCMA = Multi-User strong Unforgeability against insider Chosen Message Attack

  12. Primitives used in Our Construction
     Direct construction = Tag-based Trapdoor Function [MP12] (based on LWE) + Digital Signature (sUF-naCMA) [MP12] (based on SIS) + Collision-Resistant Hash Function [MR07]
     Resulting signcryption: confidentiality (MU-IND-iCCA) and unforgeability (MU-sUF-iCMA)
     [MP12] D. Micciancio, C. Peikert, "Trapdoors for lattices: Simpler, tighter, faster, smaller," EUROCRYPT 2012.
     [MR07] D. Micciancio, O. Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM J. Comput. 2007.

  13. The Problem of the Sign-then-Encrypt Paradigm
     In the MU-sUF-iCMA game, inside adversaries can generate forgeries as follows:
     1. Submit a query to the signcrypt oracle and receive the response,
     2. Decrypt the message/signature pair $(\mu, \sigma)$ by using $sk_R$,
     3. Encrypt $(\mu, \sigma)$ again and output a forgery $C^*$.
     Signcrypt oracle, on the query $(\mu, pk_R)$: $\mathrm{Sign}(sk_S, \mu) \to \sigma$; $\mathrm{Enc}(pk_R, (\mu \| \sigma); r) \to C$, where $r$ is a random number
     Adversary: $\mathrm{Dec}(sk_R, C) \to \mu \| \sigma$; $\mathrm{Enc}(pk_R, (\mu \| \sigma); r') \to C^*$
     $(pk_R, sk_R, C^*)$ is a valid forgery in the MU-sUF-iCMA game.

  14. Basic Idea of Our Construction
     Our idea to solve the problem: generate a signature on the injective tag-based trapdoor functions (TDFs) of LWE [MP12]:
     $g_{\mathbf{A}}(\mathrm{tag}, \mathbf{s}; \mathbf{x}) = \mathbf{s}^\top \mathbf{A}_{\mathrm{tag}} + \mathbf{x}^\top \in \mathbb{Z}_q^m$
     Overview of the SC algorithm:
     • $\mathrm{tag} = f_{\mathbf{B}}(pk_S, r)$
     • $\bar{c} = g_{\mathbf{A}}(\mathrm{tag}, \mathbf{s}; \mathbf{x})$
     • $\sigma = \mathrm{Sign}(sk_S, \mu \| \bar{c})$
     • Encryption: $c = \bar{c} + (\mu \| \sigma)$ ⇒ ciphertext $C = (c, r)$
     $\mu$: message; $\mathbf{s}, \mathbf{x}$: the input of the LWE-based TDF; $r$: random value; $f_{\mathbf{B}}(\cdot)$: lattice-based collision-resistant hash function (with a parameter $\mathbf{B}$)

  15. Why can the Idea solve the Problem?
     • The reason that simple Sign-then-Encrypt constructions are broken: by using a new random number, it is possible to compute a fresh ciphertext on the message/signature pair generated by the SC oracle.
     • The process of our construction: our SC algorithm generates a signature on both the message and the input (random number) of the LWE-based trapdoor function [MP12]
       ⇒ To use new random numbers, adversaries have to break the underlying digital signature.
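To make the contrast between slides 13 and 15 concrete, here is an added toy model (my own code, not the authors' scheme, and no lattice arithmetic is involved): HMAC-SHA256 stands in for the SIS-based signature, and a SHA-256 keystream keyed by the receiver key and the randomness ρ stands in for the randomised encryption layer and for the TDF output c̄, so in this toy pk_R = sk_R and pk_S = sk_S. What the model preserves is the structural point of the slides: in plain sign-then-encrypt the signature covers only μ, so a party holding sk_R can strip and re-apply the encryption layer with fresh randomness and obtain a second ciphertext that still unsigncrypts to μ (a strong-unforgeability forgery), whereas in the randomness-binding variant the signature covers μ ∥ c̄ with c̄ depending on the randomness, so the re-randomised ciphertext is rejected unless the signature itself is forged. All function and variable names are assumptions of this example.

```python
import hashlib
import hmac

SIG_LEN = 32  # bytes of the HMAC-SHA256 tag standing in for a signature


def keystream(key, rho, length):
    """Toy stand-in for the randomised encryption layer / TDF output: a SHA-256
    counter-mode stream determined by the receiver key and the randomness rho."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + rho + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sign(sk_S, data):
    """Toy signature: HMAC-SHA256 (symmetric stand-in; the real scheme uses an SIS-based signature)."""
    return hmac.new(sk_S, data, hashlib.sha256).digest()


def verify(pk_S, data, sigma):
    return hmac.compare_digest(sign(pk_S, data), sigma)


# --- (a) plain sign-then-encrypt, as on slide 13 ---
def ste_signcrypt(sk_S, pk_R, mu, rho):
    sigma = sign(sk_S, mu)                                 # signature covers mu only
    payload = mu + sigma
    return (rho, xor(payload, keystream(pk_R, rho, len(payload))))


def ste_unsigncrypt(pk_S, sk_R, C):
    rho, c = C
    payload = xor(c, keystream(sk_R, rho, len(c)))
    mu, sigma = payload[:-SIG_LEN], payload[-SIG_LEN:]
    return mu if verify(pk_S, mu, sigma) else None


# --- (b) randomness-binding variant, mirroring slide 14 ---
def bind_signcrypt(sk_S, pk_R, mu, rho):
    cbar = keystream(pk_R, rho, len(mu) + SIG_LEN)         # plays the role of c̄ = g_A(tag, s; x)
    sigma = sign(sk_S, mu + cbar)                          # signature covers mu || c̄
    return (rho, xor(mu + sigma, cbar))                    # c = c̄ + (mu || sigma)


def bind_unsigncrypt(pk_S, sk_R, C):
    rho, c = C
    cbar = keystream(sk_R, rho, len(c))                    # receiver recovers c̄ (trapdoor inversion in the real scheme)
    payload = xor(c, cbar)
    mu, sigma = payload[:-SIG_LEN], payload[-SIG_LEN:]
    return mu if verify(pk_S, mu + cbar, sigma) else None


def rerandomize_with_sk_R(sk_R, C, rho_new):
    """What the receiver key alone permits in either scheme: strip the encryption layer
    and re-apply it with fresh randomness. Whether the result is accepted depends only
    on what the signature covers."""
    rho, c = C
    payload = xor(c, keystream(sk_R, rho, len(c)))
    return (rho_new, xor(payload, keystream(sk_R, rho_new, len(payload))))


def demo():
    sk_S = pk_S = b"toy-sender-key"        # toy: symmetric stand-ins, so pk == sk
    sk_R = pk_R = b"toy-receiver-key"
    mu = b"constructed message"
    rho, rho_new = b"\x01" * 16, b"\x02" * 16
    C_a = ste_signcrypt(sk_S, pk_R, mu, rho)
    C_a_star = rerandomize_with_sk_R(sk_R, C_a, rho_new)
    C_b = bind_signcrypt(sk_S, pk_R, mu, rho)
    C_b_star = rerandomize_with_sk_R(sk_R, C_b, rho_new)
    return {
        "honest_a": ste_unsigncrypt(pk_S, sk_R, C_a) == mu,
        "honest_b": bind_unsigncrypt(pk_S, sk_R, C_b) == mu,
        # a second ciphertext on the queried message is accepted: strong unforgeability fails
        "rerandomized_a_accepted": C_a_star != C_a and ste_unsigncrypt(pk_S, sk_R, C_a_star) == mu,
        # the signature no longer matches the new c̄: the ciphertext is rejected
        "rerandomized_b_accepted": C_b_star != C_b and bind_unsigncrypt(pk_S, sk_R, C_b_star) == mu,
    }


if __name__ == "__main__":
    print(demo())
```

Both honest paths recover μ; the re-randomised ciphertext is accepted in variant (a) and rejected in variant (b), which is exactly the property the signature over μ ∥ c̄ is there to provide.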
