tighter security proofs for gpv ibe in the quantum random
play

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle - PowerPoint PPT Presentation

Jan 09, 2024 •348 likes •1.22k views

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

  1. Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1

  2. Post Quantum Cryptography Owing to NIST’s announcement, PQ Crypto has been gathering increasingly more attention. In General… Scheme secure under a PQ Scheme is secure against assumption in the standard model quantum algorithms 2

  3. Post Quantum Cryptography Owing to NIST’s announcement, PQ Crypto has been gathering increasingly more attention. In General… Scheme secure under a PQ Scheme is secure against assumption in the standard model quantum algorithms However… Scheme may NOT be secure Scheme secure under a PQ against quantum algorithms (*) assumption in the RO model (*) [BDF+11] Boneh et al. “Random oracles in a quantum world”. EUROCRYPT. 3

  4. Post Quantum Cryptography Owing to NIST’s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! Recent Works on QROM In General… p Signatures: [Zha12][ARU14][Unr17][KLS18]… p PKE: [TU16][JZC+18][SXY18]… Scheme secure under a PQ Scheme is secure against assumption in the standard model quantum algorithms However… Scheme may NOT be secure Scheme secure under a PQ against quantum algorithms (*) assumption in the RO model (*) [BDF+11] Boneh et al. “Random oracles in a quantum world”. EUROCRYPT. 4

  5. Post Quantum Cryptography Owing to NIST’s announcement, PQ Crypto has been gathering increasingly more attention. Many practical algorithms rely on ROM! Recent Works on QROM In General… p Signatures: [Zha12][ARU14][Unr17][KLS18]… p PKE: [TU16][JZC+18][SXY18]… Scheme secure under a PQ Scheme is secure against assumption in the standard model quantum algorithms This work is on Identity-based Encryptions (IBEs) However… Scheme may NOT be secure Scheme secure under a PQ against quantum algorithms (*) assumption in the RO model (*) [BDF+11] Boneh et al. “Random oracles in a quantum world”. EUROCRYPT. 5

  6. IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. p Lattice-based IBEs ROM : [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]…. p Code-based IBEs This line of work is ROM : [GHPT17] quantumly secure. 6

  7. IBEs from Post Quantum Assumptions There are few IBEs secure under PQ assumptions. p Lattice-based IBEs ROM : [GPV08][ABB10][CHKP10] Standard: [ABB10][CHKP10][Yam16][KY16]…. p Code-based IBEs This line of work is ROM : [GHPT17] quantumly secure. What can we say about efficient schemes proven secure in the ROM?? 7

  8. IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. [Zha12] Zhandry. “Secure identity-based encryption in the quantum random oracle model”. CRYPTO. 8

  9. IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However… ü Comes at a cost of a huge reduction loss . ü Requires descent knowledge on quantum computation. [Zha12] Zhandry. “Secure identity-based encryption in the quantum random oracle model”. CRYPTO. 9

  10. IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. ü Proved security of lattice-based IBEs of [GPV08], [ABB10],[CHKP10] in QROM. However… ü Comes at a cost of a huge reduction loss . ü Requires descent knowledge on quantum computation. B solves LWE problem A breaks IBE with with advantage ≈ 𝜗 # /𝑅 & ' advantage 𝜗 𝑅 & := #RO query 10

  11. IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. If we want 128 -bit secure IBE 𝜗 = 2 *+#, , ü Proved security of lattice-based IBEs of [GPV08], assuming 𝑅 & = 2 +-- . [ABB10],[CHKP10] in QROM. We need at least 656 -bit secure LWE problem!! However… ü Comes at a cost of a huge reduction loss . ü Requires descent knowledge on quantum computation. B solves LWE problem A breaks IBE with with advantage ≈ 𝜗 # /𝑅 & ' advantage 𝜗 𝑅 & := #RO query 11

  12. IBEs Secure in the QROM Work of Zhandry [Zha12] ü Presented a general technique to use in QROM. If we want 128 -bit secure IBE 𝜗 = 2 *+#, , ü Proved security of lattice-based IBEs of [GPV08], assuming 𝑅 & = 2 +-- . [ABB10],[CHKP10] in QROM. We need at least 656 -bit secure LWE problem!! However… ü Comes at a cost of a huge reduction loss . ü Requires descent knowledge on quantum computation. Question B solves LWE problem A breaks IBE with with advantage ≈ 𝜗 # /𝑅 & ' Can we construct tightly secure IBEs in QROM?? advantage 𝜗 𝑅 & := #RO query 12

  13. Summary of Our Result ① Tight security proof for GPV-IBE in QROM in the single-challenge setting. ② (Almost) tight security proof for a variant of GPV-IBE in QROM in the multi-challenge setting. ü Our proofs are much simpler than [Zha12]. ü Easy to follow for non-experts of quantum computation. 13

  14. Overview of This Talk Review of GPV-IBE 1 What Goes Wrong in QROM 2 3 Result 1: Tightly Secure GPV-IBE in QROM 4 Result 2: Extending it to Multi-Challenge *Kangaroo...? 14

  15. 1. Review of GPV-IBE 15

  16. Identity-based Encryption [Sha84] Public Key Generator I sk 78 9:;<= alice@example.com ID 01234 Any string can be a public key! ciphertext Al Alice Bob Bob [Sha84]: A. Shamir. “Identity-Based Cryptosystems and Signature Schemes”. Crypto. 16

  17. IND-CPA Security of IBE in ROM mpk, msk ← SetUp(1 H ) Random mpk Oracle 𝐉𝐄 𝐈: 𝑱𝑬 → 𝒂 𝐚 𝐚 ← 𝐕𝐨𝐣(𝒂) 𝐉𝐄 𝐣 KeyGen ID 2 , msk → sk 78 ; sk 𝐉𝐄 𝐣 (𝐉𝐄 ∗ ≠ 𝐉𝐄 𝐣 , 𝐍) b′ b ← {0, 1} Pr b′ = b ≈ 1 𝐃𝐔 ∗ 2 17

  18. IND-CPA Security of IBE in ROM mpk, msk ← SetUp(1 H ) Random mpk Oracle 𝐉𝐄 𝐈: 𝑱𝑬 → 𝒂 𝐚 𝐚 ← 𝐕𝐨𝐣(𝒂) 𝐉𝐄 𝐣 KeyGen ID 2 , msk Multi-Challenge if → sk 78 ; sk 𝐉𝐄 𝐣 can obtain challenge ciphertext multi-times. (𝐉𝐄 ∗ ≠ 𝐉𝐄 𝐣 , 𝐍) b′ b ← {0, 1} Pr b′ = b ≈ 1 𝐃𝐔 ∗ 2 18

  19. Gentry-Peikert-Vaikuntanathan IBE p mpk, msk A H: 0,1 ∗ → ℤ h i×k , i mpk = ∈ ℤ h • *Programmed as RO msk = trapdoof T 0 for A • [GPV08] Gentry, Peikert, and Vaikuntanathan. “Trapdoors for hard lattices and new cryptographic constructions”. STOC. 19

  20. Gentry-Peikert-Vaikuntanathan IBE p mpk, msk A H: 0,1 ∗ → ℤ h i×k , i mpk = ∈ ℤ h • *Programmed as RO msk = trapdoof T 0 for A • p Secret Key sk 78 A 𝐟 𝐉𝐄 = 𝐯 𝐉𝐄 Short vector e 78 ∈ ℤ w s. t. • : = 𝐈(𝐉𝐄) 20

  21. Gentry-Peikert-Vaikuntanathan IBE p mpk, msk A H: 0,1 ∗ → ℤ h i×k , i mpk = ∈ ℤ h • *Programmed as RO msk = trapdoof T 0 for A • p Secret Key sk 78 A 𝐟 𝐉𝐄 = 𝐯 𝐉𝐄 Short vector e 78 ∈ ℤ w s. t. • : = 𝐈(𝐉𝐄) p Encryption CT 78 of M LWE instance for ( A, u 78 ): • + x′ +𝐍 𝒓 𝐭 A 𝐭 c + = c - = 𝐲 𝐯 𝐉𝐄 , + 𝟑 21

  22. Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Ø For ID ≠ ID ∗ Sample e 78 and program RO as H ID ≔ Ae 78 . Simulator (LWE adversary) LWE Problem 𝐭 𝐁 𝐯 + [𝐲|x′] Ø For ID ∗ Program RO as H ID ∗ ≔ u . 22

  23. Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Ø For ID ≠ ID ∗ Sample e 78 and program RO as H ID ≔ Ae 78 . Sim. knows secret key. Simulator (LWE adversary) LWE Problem 𝐭 𝐁 𝐯 + [𝐲|x′] Ø For ID ∗ Program RO as H ID ∗ ≔ u . Sim. doesn’t know secret key. 23

  24. Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Ø For ID ≠ ID ∗ Sample e 78 and program RO as H ID ≔ Ae 78 . Sim. knows secret key. Simulator (LWE adversary) Can answer secret key queries. LWE Problem 𝐭 𝐁 𝐯 + [𝐲|x′] Ø For ID ∗ Program RO as H ID ∗ ≔ u . Sim. doesn’t know secret key. Embed into chall. ciphertext. 24

  25. Security Proof in Classical ROM p Proof similar to FDH-signature p Simulator guesses one ID to embed LWE problem Ø For ID ≠ ID ∗ Guess challenge ID ∗ and programs RO Sample e 78 and program RO as differently for ID ∗ . H ID ≔ Ae 78 . Sim. knows secret key. Simulator (LWE adversary) Can answer secret key queries. LWE Problem 𝐭 𝐁 𝐯 + [𝐲|x′] Ø For ID ∗ Program RO as H ID ∗ ≔ u . Sim. doesn’t know secret key. Embed into chall. ciphertext. 25

  26. 2. What Goes Wrong in QROM 26

  27. Minimum Preparation for Qunt. Crypt . Qbits is a register in superposition between a few states: 0, 1, ... Notation: (Generally ∑ 𝛽 Œ |𝑦⟩ ) 𝜚 = 𝛽 - 0 + 𝛽 + 1 �Œ 𝛽 - # + 𝛽 + # = 1 • 𝛽 • # = Prob. of getting 𝑐 when measuring 𝜚 • 27

Recommend

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number generator with non-iid generator at 17 Gbps samples Tobias Gehring et al. Marco Avesani et al. 1 The need for random numbers Alice quantum Rx laser

346 views • 32 slides
Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne

Quantum zero-knowledge from Locally Simulatable Proofs Alex Bredariol Grilo joint work with Anne Broadbent (U. of Ottawa) arxiv:1911.07782 Quantum found. QZK Crypto TCS 2 / 19 Interactive proofs 3 / 19 Interactive proofs L NP P V 0

1.06k views • 89 slides
Safety &amp; Security - #1 Priority School Safety - Community Input Tighter control of

Safety &amp; Security - #1 Priority School Safety - Community Input Tighter control of

Safety &amp; Security - #1 Priority School Safety - Community Input Tighter control of access to buildings &amp; classrooms Hardening facilities (physical and technology barriers) Internal crisis communication tools

737 views • 37 slides
Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris

Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris

Security proofs for continuous-variable quantum key distribution Anthony Leverrier Inria Paris QCrypt 2020 - virtual 10 August 2020 Anthony Leverrier (Inria) QCrypt 2020 1 / 24 Disclaimer there wont be any COVID joke, sorry! I

711 views • 32 slides
Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris Majenz Chris Schaffner Jelle Don CWI and UvA UvA CWI Leiden University Our Result in Short Let S be a S -protocol, FS[ S ] its Fiat-Shamir

422 views • 40 slides
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China Two facts of life Two facts of life

1.38k views • 98 slides
Renormalization of random quantum magnets Ferenc Igl oi (Budapest) in collaboration with acs ,

Renormalization of random quantum magnets Ferenc Igl oi (Budapest) in collaboration with acs ,

Renormalization of random quantum magnets Ferenc Igl oi (Budapest) in collaboration with acs , R Istv an Kov obert Juh asz Cargese, August 25- September 6, 2014 1 Introduction Quantum phase transitions quantum spin

796 views • 28 slides
Efficient Simulation of Random States and Random Unitaries Gorjan Alagic, Christian Majenz and

Efficient Simulation of Random States and Random Unitaries Gorjan Alagic, Christian Majenz and

Efficient Simulation of Random States and Random Unitaries Gorjan Alagic, Christian Majenz and Alexander Russell QCrypt 2020, in Cyberspace Results overview We study the simulation of random quantum objects , i.e. random quantum states

1.08k views • 72 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Liouville Quantum gravity and KPZ Scott Sheffield Scaling limits of random planar maps Central

Liouville Quantum gravity and KPZ Scott Sheffield Scaling limits of random planar maps Central

Liouville Quantum gravity and KPZ Scott Sheffield Scaling limits of random planar maps Central mathematical puzzle: Show that the scaling limit of some kind of discrete quantum gravity (perhaps decorated by random loops, random trees, etc.) is

704 views • 29 slides
Quantum Diffusion and Delocalization for Random Band Matrices Antti Knowles Harvard University

Quantum Diffusion and Delocalization for Random Band Matrices Antti Knowles Harvard University

Quantum Diffusion and Delocalization for Random Band Matrices Antti Knowles Harvard University Warwick 12 January 2012 Joint work with L aszl o Erd os Two standard models of quantum disorder Consider the two random Hamiltonians on

616 views • 23 slides
Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

The UKs European university Real World Crypto 2018 Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren Hurley-Smith &amp; Julio Hernandez-Castro Index Introduction Related works Aims Experimental

563 views • 11 slides
Unitary designs from statistical mechanics in random quantum circuits Nick Hunter-Jones

Unitary designs from statistical mechanics in random quantum circuits Nick Hunter-Jones

Unitary designs from statistical mechanics in random quantum circuits Nick Hunter-Jones Perimeter Institute June 10, 2019 Yukawa Institute for Theoretical Physics Based on: NHJ, 1905.12053 Random quantum circuits are efficient implementations

708 views • 40 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Phylogenetics as quantum computation from quantum random walks to maximum likelihood Peter

Phylogenetics as quantum computation from quantum random walks to maximum likelihood Peter

Phylogenetics as quantum computation from quantum random walks to maximum likelihood Peter Jarvis School of Physical Sciences University of Tasmania peter.jarvis@utas.edu.au Joint work with Demosthenes Ellinas, Technical University Crete,

666 views • 34 slides
UGLY PROOFS and BOOK PROOFS Joel Spencer 1 Tournament T on n players Ranking fit = NonUpsets

UGLY PROOFS and BOOK PROOFS Joel Spencer 1 Tournament T on n players Ranking fit = NonUpsets

DIMACS, April 2006 UGLY PROOFS and BOOK PROOFS Joel Spencer 1 Tournament T on n players Ranking fit = NonUpsets - Upsets Erd os-Moon (1965): There exists T for all fit ( T, ) n 3 / 2 ln n Proof: Random Tournament JS (1972,

299 views • 8 slides
Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum Communications Hub Director: Professor Tim Spiller New Quantum Technologies Quantum technologies form a whole new technology sector. These technologies

222 views • 11 slides
Spectral Properties of the Quantum Random Energy Model Simone Warzel Zentrum Mathematik, TUM

Spectral Properties of the Quantum Random Energy Model Simone Warzel Zentrum Mathematik, TUM

Spectral Properties of the Quantum Random Energy Model Simone Warzel Zentrum Mathematik, TUM Cargese September 4, 2014 1. The Quantum Random Energy Model Q N := { 1 , 1 } N Hamming cube: configuration space of N spins ( )( )

451 views • 15 slides
Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1 , Jean-Sbastien Coron 2 Emmanuel

1.04k views • 99 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides

More recommend