![Page 1: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/1.jpg)
SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL Mark Zhandry – Stanford University
![Page 2: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/2.jpg)
Random Oracle Model (ROM) • Sometimes, we can’t prove a scheme secure in the
standard model. • Instead, model a hash function as a random oracle, and
prove security in this model [BR 1993]
![Page 3: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/3.jpg)
Why Use the Random Oracle Model? • Most efficient schemes are often only proved secure in
the random oracle model • True even in post-quantum world
• RO-based GPV signatures more efficient that non-RO CHKP and ABB signatures [GPV 2009, CHKP 2010, ABB 2010]
• RO-based Hierarchical IBE more efficient than non-RO versions
• Unfortunately, these schemes are only proved secure in the classical ROM • Only consider classical queries to the random oracle
![Page 4: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/4.jpg)
The Quantum Random Oracle Model • Interaction with primitives is still classical • Allow quantum queries to random oracle
• When instantiated, random oracle replaced with hash function • Code for hash function is part of specification • Adversary can evaluate hash function on quantum superposition
![Page 5: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/5.jpg)
The Quantum Random Oracle Model (QROM)
Alice Bob
Adversary
Communication stays classical
H
x H(x)
![Page 6: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/6.jpg)
Security in the QROM
Adversary Challenger
Example: Signatures pk
mi
(m,�)
SignH(sk,mi)P
x
↵
x
|xiPx
↵x
|H(x)i
0 or 1
![Page 7: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/7.jpg)
Security Proofs in the QROM • Classical random oracle model security proofs do not
carry over to the quantum setting • Difficulties:
• Simulating the random oracle • Peaking into the adversary • Programming the random oracle
![Page 8: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/8.jpg)
Previous Results [Boneh et al. 2011] • Separation: there exist schemes secure in the classical
ROM against quantum adversaries, but that are insecure in the quantum ROM
• Some classical proofs can be adapted to the quantum setting: • Answer RO queries randomly, same across all queries • Use pseudorandom function to generate randomness • Examples: GPV Signatures [GPV 2009]
Full Domain Hash with specific trapdoor permutations [Coron 2000] Katz-Wang Signatures [KW 2003] Hybrid encryption scheme
![Page 9: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/9.jpg)
Our Results • Simulating the random oracle without additional
assumptions • New security proofs in the quantum random oracle model
• Identity-Based Encryption • Hierarchical Identity-Based Encryption • Generic Full-Domain Hash
• New tools for arguing the indistinguishability of oracle distributions by quantum adversaries.
![Page 10: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/10.jpg)
Common Proof Technique in Classical ROM
• Start with an adversary A that makes q queries to random oracle H
• Construct B that solves some problem: • Pick a random query i • For all other queries, answer in way that looks random • For query i, plug in some challenge c • If A happens to use query i, then we can solve our problem • A uses query i with probability 1/q, so happens with non-negligible
probability
![Page 11: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/11.jpg)
Common Proof Technique in Classical ROM
Oracle seen by adversary
Adversary
![Page 12: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/12.jpg)
Common Proof Technique in Classical ROM
R1
Oracle seen by adversary
Adversary R1
x1
![Page 13: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/13.jpg)
Common Proof Technique in Classical ROM
R1
R2
Oracle seen by adversary
Adversary R2
x2
![Page 14: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/14.jpg)
Common Proof Technique in Classical ROM
R1
R2
Oracle seen by adversary
Adversary c
c
x3
![Page 15: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/15.jpg)
Common Proof Technique in Classical ROM
R1
R2
R4
Oracle seen by adversary
Adversary c
R4
x4
![Page 16: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/16.jpg)
Quantum Attempt 1
Oracle seen by adversary
Adversary
Pick query i at random
![Page 17: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/17.jpg)
Quantum Attempt 1
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
Px
↵
x
|xiR5
Px
↵x
|Rx
i
Pick query i at random
![Page 18: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/18.jpg)
Quantum Attempt 1
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
R5
R5
Px
�
x
|xiP
x
�x
|Rx
i
Pick query i at random
![Page 19: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/19.jpg)
Quantum Attempt 1
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
R5
R5
c c c c c c c c
Px
�
x
|xiP
x
�x
|ci
Pick query i at random
![Page 20: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/20.jpg)
Quantum Attempt 1
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
R5
R5
R5
c c c c c c c c
Px
�
x
|xiP
x
�x
|Rx
i
Pick query i at random
![Page 21: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/21.jpg)
Quantum Attempt 1
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
R5
R5
R5
c c c c c c c c
Px
�
x
|xiP
x
�x
|Rx
i
Pick query i at random
Query i is inconsistent and does not look random
![Page 22: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/22.jpg)
Quantum Attempt 2
Oracle seen by adversary
Adversary
Pick x* at random
![Page 23: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/23.jpg)
Quantum Attempt 2
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
Px
↵
x
|xi
R1 R2 R3 R4 R6 R7 R8
c
c
c
c
| i =X
x 6=x⇤↵x
|Rx
i+ ↵x⇤|ci
| i
Pick x* at random
![Page 24: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/24.jpg)
Quantum Attempt 2
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
R1 R2 R3 R4 R6 R7 R8
Oracle seen by adversary
Adversary
Px
↵
x
|xi
R1 R2 R3 R4 R6 R7 R8
c
c
c
c
| i
Pick x* at random
Adversary uses c with exponentially small probability
![Page 25: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/25.jpg)
Our Solution
Oracle seen by adversary
Adversary
Pick small set S at random
![Page 26: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/26.jpg)
Our Solution
R1 R2 R4 R6 R7
R1 R2 R4 R6 R7
R1 R2 R4 R6 R7
Oracle seen by adversary
Adversary
Px
↵
x
|xi
R1 R2 R4 R6 R7
c
c
c
c
| i
c
c
c
c
c
c
c
c
| i =X
x/2S
↵x
|Rx
i+X
x2S
↵x
|ci
Pick small set S at random
![Page 27: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/27.jpg)
Semi-Constant Distributions • Parameterized by λ • Pick a set S as follows: each x in the domain is in S with
probability λ • Pick a random c • For all x in S, set H(x) = c • For all other x, chose H(x) randomly and independently
![Page 28: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/28.jpg)
Semi-Constant Distributions • Parameterized by λ • Pick a set S as follows: each x in the domain is in S with
probability λ • Pick a random c • For all x in S, set H(x) = c • For all other x, chose H(x) randomly and independently
Theorem: Any quantum adversary making q queries to a semi-constant function can only tell it’s not random with probability O(q4λ2)
![Page 29: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/29.jpg)
Quantum Security Proof • Suppose adversary wins with probability ε • Pick the set S, still let oracle be random • Probability adversary uses one of the points in S: λ • Probability wins and uses a point in S: λε • Set H(x) = c for all x in S • Probability we succeed: λε-O(q4λ2) • Choose λ to maximize • Succeed with probability O(ε2/q4)
![Page 30: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/30.jpg)
Generating the Random Values
R1 R2 R4 R6 R7
R1 R2 R4 R6 R7
R1 R2 R4 R6 R7
Oracle seen by adversary
R1 R2 R4 R6 R7
c
c
c
c
c
c
c
c
c
c
c
c
Need to generate random values for exponentially many positions
![Page 31: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/31.jpg)
Generating the Random Values • BDF+ 2011:
• Assume existence of quantum-secure PRF • Pick a random key k before any queries • Let Rx = PRF(k,x)
• Our solution: • Adversary makes some polynomial q of queries • Pick a random 2q-wise independent function f • Let Rx = f(x) • We show 2q-wise independence suffices using a standard
technique called the polynomial method
![Page 32: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/32.jpg)
Generating the Random Values • BDF+ 2011:
• Assume existence of quantum-secure PRF • Pick a random key k before any queries • Let Rx = PRF(k,x)
• Our solution: • Adversary makes some polynomial q of queries • Pick a random 2q-wise independent function f • Let Rx = f(x) • We show 2q-wise independence suffices using a standard
technique called the polynomial method
We can remove the quantum-secure PRF assumption from prior results as well
![Page 33: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/33.jpg)
Applications of this method • IBE scheme [GPV 2009] • Generic Full Domain Hash
• Previous results only showed for specific trapdoor permutations
• Apply iteratively for Hierarchical IBE [CHPK 2010, ABB 2010] • Security degrades doubly exponentially in depth of identity tree • Classically, only singly exponential
![Page 34: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/34.jpg)
Quantum-Secure PRFs [Zhandry, FOCS 2012]
• So far, only considered case where interaction with primitive remains classical
• What if we allow quantum queries to primitive? • Example: pseudorandom functions
![Page 35: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/35.jpg)
Standard Security vs Quantum Security
Adversary PRF
k
0 or 1
vs
x
PRF(k, x)
Adversary PRF
k Px
↵
x
|xi
0 or 1
Px
↵
x
|PRF(k, x)i
![Page 36: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/36.jpg)
Quantum-Secure PRFs • Results [Zhandry, FOCS 2012]
• In general, PRF secure against classical queries not secure against quantum queries
• However, several classical constructions remain secure, even against quantum queries • From pseudorandom generators [GGM 1984] • From pseudorandom synthesizers [NR 1995] • Direct constructions based on lattices [BPR 2011]
• Also have MACs secure when adversary can get tags on a superposition
![Page 37: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/37.jpg)
Open Questions • Proving the quantum security of constructions based on
Fiat-Shamir [FS 1987] • Signatures • Group Signatures • CS Proofs
• Other constructions • CCA security from weaker notions [FO 1999]
![Page 38: SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM … · • Simulating the random oracle without additional assumptions • New security proofs in the quantum random oracle model •](https://reader030.vdocuments.mx/reader030/viewer/2022040914/5e8bd847d246652ac3741702/html5/thumbnails/38.jpg)
Open Questions • Proving the quantum security of constructions based on
Fiat-Shamir [FS 1987] • Signatures • Group Signatures • CS Proofs
• Other constructions • CCA security from weaker notions [FO 1999]
Thank You!