Lattice-based Signcryption without Random Oracles
Shingo Sato, Junji Shikata
Graduate School of Environment and Information Sciences, Yokohama National University, Japan
Overview
• Lattice-based cryptography
  • The cryptosystems are based on lattice problems and are quantum-resistant.
  • A wide range of cryptographic functionalities can be realized from lattices.
• Signcryption
  • A cryptosystem meeting both the security of public-key encryption (PKE) and that of digital signatures (DSs)
  • Public-key based "authenticated encryption"
We propose
• a construction of signcryption based on lattice problems, and
• a hybrid-encryption variant of signcryption obtained by combining this construction with a data encapsulation mechanism (DEM).
Lattice
The lattice generated by $n$ linearly independent vectors $\mathbf{b}_1, \mathbf{b}_2, \dots, \mathbf{b}_n \in \mathbb{R}^m$ is defined as
$\mathcal{L}(\mathbf{b}_1, \dots, \mathbf{b}_n) = \left\{ \sum_{i=1}^{n} x_i \mathbf{b}_i : x_i \in \mathbb{Z} \right\}$.
It is often written as $\mathcal{L}(\mathbf{B}) = \{ \mathbf{B}\mathbf{x} : \mathbf{x} \in \mathbb{Z}^n \}$, where $\mathbf{B} = [\mathbf{b}_1, \dots, \mathbf{b}_n] \in \mathbb{R}^{m \times n}$ is the lattice basis.
As the norm of vectors, we consider the Euclidean norm $\|\mathbf{v}\| = \sqrt{v_1^2 + \cdots + v_m^2}$ for $\mathbf{v} = (v_1, \dots, v_m) \in \mathbb{R}^m$.
Lattice Problems
• $\mathrm{GapSVP}_\gamma$:
  • Given a lattice basis $\mathbf{B}$ and $d \in \mathbb{R}$,
  • decide whether the shortest nonzero vector $\mathbf{v} \in \mathcal{L}(\mathbf{B}) \setminus \{\mathbf{0}\}$ fulfills $\|\mathbf{v}\| \le d$ or $\|\mathbf{v}\| > \gamma \cdot d$.
• Learning with Errors and Small Integer Solution (LWE and SIS)
  • Lattice problems reduce to these problems.
  • The average-case problems are at least as hard as the worst-case problems.
Many cryptosystems can be realized from them, such as fully homomorphic encryption, attribute-based encryption, searchable encryption and so on.
Definitions of LWE and SIS
• $\mathrm{LWE}_{n,\alpha}$ (decisional version)
  • The LWE distribution $A(\mathbf{s}, \chi)$:
    • Input: $\mathbf{s} \in \mathbb{Z}_q^n$ and a Gaussian distribution $\chi$ with center $0$ and standard deviation $\alpha q$
    • Output (*): $(\mathbf{a}_1, b_1), \dots, (\mathbf{a}_m, b_m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, where $b_i = \mathbf{s}^\top \mathbf{a}_i + e_i$, $\mathbf{a}_i \leftarrow \mathbb{Z}_q^n$, $e_i \leftarrow \chi$ for $i \in \{1, \dots, m\}$
  • Input: $(\mathbf{a}_1, b_1), \dots, (\mathbf{a}_m, b_m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$
  • Decide whether the input sequence is sampled from the LWE distribution or uniformly at random in $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
  (*) Let $\mathbf{A} = [\mathbf{a}_1, \dots, \mathbf{a}_m]$ and $\mathbf{e}^\top = (e_1, \dots, e_m)$; then the LWE samples can be expressed as $\mathbf{b} = \mathbf{s}^\top \mathbf{A} + \mathbf{e}^\top \bmod q$.
• $\mathrm{SIS}_{n,\beta}$
  • Input: $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$. Find: $\mathbf{x} \in \mathbb{Z}^m$ s.t. $\mathbf{A}\mathbf{x} = \mathbf{0} \bmod q$ and $\|\mathbf{x}\| \le \beta$.
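As an added illustration of the two definitions above (example code, not from the paper), the following generates decisional-LWE samples in the matrix form $\mathbf{b} = \mathbf{s}^\top \mathbf{A} + \mathbf{e}^\top \bmod q$ with the error drawn from a rounded Gaussian of standard deviation $\alpha q$, recovers the error given the secret to show why an LWE sample is distinguishable from uniform only to the secret holder, and checks a candidate SIS solution. Parameters are toy-sized and insecure; the function names are this example's own.

```python
import math
import random


def lwe_samples(n, m, q, alpha, rng):
    """Return (A, s, b): A is n x m over Z_q (columns a_i), b = s^T A + e^T mod q."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    # chi: Gaussian with center 0 and standard deviation alpha*q, rounded to Z
    e = [round(rng.gauss(0, alpha * q)) for _ in range(m)]
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return A, s, b


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def error_norm(A, s, b, q):
    """||e|| with e^T = b - s^T A mod q; small only if b is a genuine LWE sample."""
    n, m = len(A), len(b)
    e = [centered(b[j] - sum(s[i] * A[i][j] for i in range(n)), q) for j in range(m)]
    return math.sqrt(sum(v * v for v in e))


def is_sis_solution(A, x, q, beta):
    """SIS_{n,beta}: nonzero x in Z^m with A x = 0 mod q and ||x|| <= beta."""
    n, m = len(A), len(A[0])
    if len(x) != m or not any(x):
        return False
    if any(sum(A[i][j] * x[j] for j in range(m)) % q for i in range(n)):
        return False
    return math.sqrt(sum(v * v for v in x)) <= beta
```

Shifting every coordinate of $\mathbf{b}$ by a constant turns it into a non-LWE vector, and the recovered "error" then has a norm of the order of $q$ rather than $\alpha q \sqrt{m}$.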
Signcryption [Z97]
• Signcryption schemes meet both functionalities of PKE and DS (both confidentiality and integrity).
• They are used to construct secure channels from insecure ones such as the Internet.
[Figure: the sender runs Signcrypt with the sender's secret key and the receiver's public key to turn a message into a ciphertext; the receiver runs Unsigncrypt with the receiver's secret key and the sender's public key and obtains either the message or "invalid".]
[Z97] Y. Zheng, "Digital Signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption)," CRYPTO 1997.
The Security Model [ADR02]
We consider IND-CCA and sUF-CMA security against insiders in the multi-user setting (MU-IND-iCCA and MU-sUF-iCMA).
• Security in the two-user setting does not always imply security in the multi-user setting.
• Inside adversaries are stronger than outside ones.
[Figure: the settings ordered by strength: two-user vs. multi-user setting, outsider vs. insider adversary.]
[ADR02] J. H. An, Y. Dodis, and T. Rabin, "On the security of joint signature and encryption," EUROCRYPT 2002.
Our Proposal
Main purpose: to construct a lattice-based signcryption scheme
• meeting both MU-IND-iCCA and MU-sUF-iCMA security, and
• more efficient than the existing constructions in terms of key sizes and ciphertext size.
To achieve this, we propose the following constructions:
1. A direct construction based on lattice problems.
2. A hybrid-encryption variant of signcryption (hybrid signcryption) obtained by combining this construction with an IND-OT secure DEM.
The existing constructions [CMSM11, NS13]:
• These are generic constructions satisfying both MU-IND-iCCA and MU-sUF-iCMA security.
• Lattice-based instances are obtained by plugging in lattice-based primitives.
The Model
Setup phase: $pp \leftarrow \mathrm{Setup}(1^\lambda)$
Key generation (sender): $(pk_S, sk_S) \leftarrow \mathrm{KeyGen}_S(pp)$
Key generation (receiver): $(pk_R, sk_R) \leftarrow \mathrm{KeyGen}_R(pp)$
Signcrypt (sender): $C \leftarrow \mathrm{SC}(pk_R, sk_S, m)$
Unsigncrypt (receiver): $m / \bot \leftarrow \mathrm{USC}(pk_S, sk_R, C)$
Notation: $\lambda$: security parameter; $pp$: public parameter; $pk_S$: sender's public key; $pk_R$: receiver's public key; $sk_S$: sender's secret key; $sk_R$: receiver's secret key; $m$: message; $C$: ciphertext; $\bot$: invalid.
The Security Definition (1/2)
MU-IND-iCCA security
In the following game, if for any adversary $\mathcal{A}$ the advantage
$\mathrm{Adv}^{\mathrm{MU\text{-}IND\text{-}iCCA}}_{\mathcal{A}}(\lambda) := \left| \Pr[b' = b] - \tfrac{1}{2} \right| < \mathrm{negl}(\lambda)$
holds, the signcryption scheme meets MU-IND-iCCA security.
Game between the challenger and the adversary $\mathcal{A}$ (with access to an unsigncrypt oracle):
1. Challenger: $pp \leftarrow \mathrm{Setup}(1^\lambda)$, $(pk_R, sk_R) \leftarrow \mathrm{KeyGen}_R(pp)$; sends $pp$ and $pk_R$ to $\mathcal{A}$.
2. $\mathcal{A}$ queries the unsigncrypt oracle with $(pk_S, C)$ and receives $\mathrm{USC}(pk_S, sk_R, C)$.
3. $\mathcal{A}$ outputs $(m_0, m_1, pk_S^*, sk_S^*)$; as an insider, it chooses the sender's key pair itself.
4. Challenger: $b \leftarrow \{0, 1\}$, $C^* \leftarrow \mathrm{SC}(pk_R, sk_S^*, m_b)$; sends $C^*$ to $\mathcal{A}$.
5. $\mathcal{A}$ continues to query the unsigncrypt oracle with $(pk_S, C) \neq (pk_S^*, C^*)$.
6. $\mathcal{A}$ outputs $b' \in \{0, 1\}$ and succeeds if $b' = b$.
MU-IND-iCCA = Multi-User Indistinguishability against insider Chosen Ciphertext Attack
The Security Definition (2/2)
MU-sUF-iCMA security
In the following game, if for any adversary $\mathcal{A}$ the advantage
$\mathrm{Adv}^{\mathrm{MU\text{-}sUF\text{-}iCMA}}_{\mathcal{A}}(\lambda) := \Pr[\mathcal{A} \text{ wins}] < \mathrm{negl}(\lambda)$
holds, the signcryption scheme meets MU-sUF-iCMA security.
Game between the challenger and the adversary $\mathcal{A}$ (with access to a signcrypt oracle):
1. Challenger: $pp \leftarrow \mathrm{Setup}(1^\lambda)$, $(pk_S, sk_S) \leftarrow \mathrm{KeyGen}_S(pp)$; sends $pp$ and $pk_S$ to $\mathcal{A}$.
2. $\mathcal{A}$ makes $q$ queries $(m^{(i)}, pk_R^{(i)})$ to the signcrypt oracle and receives $C^{(i)} \leftarrow \mathrm{SC}(pk_R^{(i)}, sk_S, m^{(i)})$.
3. $\mathcal{A}$ outputs $(pk_R^*, sk_R^*, C^*)$; as an insider, it chooses the receiver's key pair itself.
[$\mathcal{A}$ wins]: $\mathrm{USC}(pk_S, sk_R^*, C^*) = m^*$ and $(pk_R^*, m^*, C^*) \neq (pk_R^{(i)}, m^{(i)}, C^{(i)})$ for all $i \in \{1, \dots, q\}$.
MU-sUF-iCMA = Multi-User strong Unforgeability against insider Chosen Message Attack
Primitives used in Our Construction
Direct construction:
• Tag-based trapdoor function [MP12] (based on LWE)
• + Collision-resistant hash function [MR07] (based on SIS)
• + Digital signature (sUF-naCMA) [MP12]
Result: a signcryption scheme whose confidentiality is MU-IND-iCCA and whose unforgeability is MU-sUF-iCMA.
[MP12] D. Micciancio, C. Peikert, "Trapdoors for lattices: Simpler, tighter, faster, smaller," EUROCRYPT 2012.
[MR07] D. Micciancio, O. Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM J. Comput. 2007.
The Problem of the Sign-then-Encrypt Paradigm
In the MU-sUF-iCMA game, inside adversaries can generate forgeries as follows:
1. Submit a query to the signcrypt oracle and receive the response,
2. Decrypt the message/signature pair $(m, \sigma)$ by using $sk_R$,
3. Encrypt $(m, \sigma)$ again and output a forgery $C^*$.
In detail: on the query $(m, pk_R)$ the signcrypt oracle computes $\sigma \leftarrow \mathrm{Sign}(sk_S, m)$ and $C \leftarrow \mathrm{Enc}(pk_R, (m \| \sigma); r)$. The adversary computes $m \| \sigma \leftarrow \mathrm{Dec}(sk_R, C)$ and $C^* \leftarrow \mathrm{Enc}(pk_R, (m \| \sigma); r^*)$, where $r$ and $r^*$ are random numbers. Then $(pk_R, sk_R, C^*)$ is a valid forgery in the MU-sUF-iCMA game.
Basic Idea of Our Construction
Our idea to solve the problem: generate a signature on the input of an injective tag-based trapdoor function (TDF) of LWE [MP12],
$f_{\mathbf{A}}(tag, \mathbf{s}; \mathbf{x}) = \mathbf{s}^\top \mathbf{A}_{tag} + \mathbf{x}^\top \in \mathbb{Z}_q^m$.
Overview of the SC algorithm:
1. Derive the tag with the hash function $H_{\mathbf{C}}$ from the public key and a random value $r$.
2. Evaluate the TDF: $\mathbf{u} = f_{\mathbf{A}}(tag, \mathbf{s}; \mathbf{x})$.
3. Sign the message together with the TDF input: $\sigma = \mathrm{Sign}(sk_S, m \| \bar{\mathbf{s}})$.
4. Encryption: $\mathbf{c} = \bar{\mathbf{u}} + (m \| \sigma)$; the ciphertext is $C = (\mathbf{c}, r)$.
Notation: $m$: message; $\mathbf{s}, \mathbf{x}$: the input of the LWE-based TDF; $r$: random value; $H_{\mathbf{C}}(\cdot)$: lattice-based collision-resistant hash function (with a parameter $\mathbf{C}$).
Why can the Idea solve the Problem?
• The reason that simple Sign-then-Encrypt constructions are broken: by using a new random number, it is possible to compute a fresh ciphertext on the message/signature pair generated by the SC oracle.
• The process of our construction: our SC algorithm generates a signature on both the message and the input (random number) of the LWE-based trapdoor function [MP12]. To use new random numbers, adversaries therefore have to break the underlying digital signature.
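The following toy model, added here and not the paper's code, contrasts the sign-then-encrypt forgery from the previous slides with the idea of also signing the randomness behind the ciphertext. All primitives are labelled stand-ins: "Sign" is an HMAC under the sender's key, "Enc" is a hash-based stream cipher under a receiver key k_r shared by both parties, and the receiver recovering the randomness r from the ciphertext plays the role of trapdoor inversion of the LWE-based TDF.

```python
import hashlib
import hmac

R_LEN = 16  # length of the encryption randomness r (constructed parameter)

def Sign(sk_s, data):            # stand-in for a digital signature (HMAC)
    return hmac.new(sk_s, data, hashlib.sha256).digest()

def Verify(sk_s, data, sig):
    return hmac.compare_digest(Sign(sk_s, data), sig)

def _stream(k_r, r, n):          # keystream derived from (k_r, r)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(k_r + r + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def Enc(k_r, pt, r):             # ciphertext = r || (pt XOR keystream)
    return r + bytes(a ^ b for a, b in zip(pt, _stream(k_r, r, len(pt))))

def Dec(k_r, ct):                # receiver recovers both r and the plaintext
    r, body = ct[:R_LEN], ct[R_LEN:]
    return r, bytes(a ^ b for a, b in zip(body, _stream(k_r, r, len(body))))

# Naive sign-then-encrypt: the signature covers the message only.
def SC_naive(sk_s, k_r, m, r):
    return Enc(k_r, m + Sign(sk_s, m), r)

def USC_naive(sk_s, k_r, c):
    _, pt = Dec(k_r, c)
    return pt[:-32] if Verify(sk_s, pt[:-32], pt[-32:]) else None

# The paper's idea: the signature also covers the randomness r behind c.
def SC_fixed(sk_s, k_r, m, r):
    return Enc(k_r, m + Sign(sk_s, m + r), r)

def USC_fixed(sk_s, k_r, c):
    r, pt = Dec(k_r, c)
    return pt[:-32] if Verify(sk_s, pt[:-32] + r, pt[-32:]) else None

def rerandomize(k_r, c, r_new):  # insider receiver: decrypt, re-encrypt under r_new
    return Enc(k_r, Dec(k_r, c)[1], r_new)

def forgery_accepted(sc, usc):
    """Does the re-encryption of an oracle answer unsigncrypt as a new valid C*?"""
    sk_s, k_r = b"sender-signing-key", b"receiver-key"   # constructed keys
    m, r, r_new = b"hello", bytes(R_LEN), bytes([1]) * R_LEN
    c = sc(sk_s, k_r, m, r)
    c_star = rerandomize(k_r, c, r_new)
    return c_star != c and usc(sk_s, k_r, c_star) == m
```

With the naive scheme the re-randomized ciphertext unsigncrypts to the same message and so counts as a strong forgery; with the fixed scheme the signature no longer matches the new randomness and USC returns None (the model's ⊥).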