A Generic Hybrid Encryption Construction in theQuantum Random Oracle Model

Presented by: Angela Robinson

Department of Mathematical Sciences, Florida Atlantic University

April 4, 2018

MotivationQuantum-resistance

Shor’s Algorithm (1994) solves the following problems in quantumpolynomial-time

• the integer factorization problem

• the discrete logarithm problem

• elliptic-curve discrete logarithm problem

Progress in the area of quantum information and computation hasinfluenced the growth of quantum-resistant cryptography.

• Defeated cryptosystems: RSA, DSA, Elliptic Curve-based, . . .

• Potential survivors: Code-, lattice-, multivariate-, isogeny-,and hash-based

MotivationHybrid Encryption

Symmetric key encryption

• Usually faster runnning times

• Requires a shared secret in advance of the protocol

Asymmetric encryption

• Does not require a shared secret between sender and recipient

• Can run slower for long messages

Hybrid Encryption idea

Encrypt message using symmetric component under random stringk , then encrypt k under the asymmetric component

Hybrid EncryptionSecurity Definitions

IND-CCAAn encryption scheme satisfies indistinguishability underchosen-ciphertext attack if, given access to the decryption oracle,the advantage of an adversary A winning this game is negligible:

• A selects two messages m0,m1 and sends to a challenger C• C selects b ∈R 0, 1 and sends cb = Enc(mb) to A• A submits b∗ ∈ 0, 1 to C and wins if b = b∗.

Naive approach

Combine IND-CCA secure symmetric component with IND-CCAsecure asymmetric component to achieve IND-CCA secure hybridencryption.

Fujisaki Okamoto transform

Weaker security assumptions

Fujisaki and Okamoto (1999) combined one-time symmetricencryption with one-way asymmetric encryption to achieveIND-CCA security.

HY.Encpk(m) = ASYM.Encpk(r ;H(r ,m))||SYM.EncG(r)(m)

Observations:

• The asymmetric component encrypts randomness r

• The symmetric component encrypts message m under hash ofrandomness r

• There are, in a sense, two components.

Unruh’s QROM-secure Fujisaki Okamoto

Security in QROM

Targhi and Unruh show how to modify FO transform to achievesecurity in the QROM.

HY.Encpk(m; r) =ASYM.Encpk(r ;H(r ||SYM.EncG(r)(m))),SYM.EncG(r)(m),H

′(r)

Observations:

• The asymmetric component encrypts randomness r

• The symmetric component encrypts message m under hash ofrandomness r

• There is a third component that is simply the hash value ofrandomness r

Our contribution: QROM-secure HybridEncryption

Let KEM.Enc(1n, pk; r) = (k, c).Our QROM-secure hybrid construction is:

HY.Encpk(m; r) = c ,SYM.EncG(k)(m),H(k ||r).

Observations:

• The asymmetric component is the ciphertext of anencapsulated key k

• The symmetric component encrypts message m under hash ofencapsulated key k

• The third component is the hash value of encapsulated key kwith random string r .

Hybrid EncryptionSecurity Definitions

One-way secure

An asymmetric encryption scheme is said to be one-way if nopolynomial-time adversary A can recover the whole plaintext froma given ciphertext.

One-time secureA symmetric encryption scheme is one-time secure if nopolynomial-time adversary A can distinguish between theencryption of two messages when a fresh key is used for encryption.

PreliminariesQuantum Random Oracle Model

Classical Random Oracle

• Theoretical black box

• Responds to every unique query with a truly random response

• Disadvantage: cannot be implemented in polynomial space

• Advantage: enables security proofs, can be simulated inpolynomial time and space

A cryptosystem in the random oracle model is a cryptosystemwhere one or more hash functions are replaced by oracle queries tothe random function.

PreliminariesQuantum Random Oracle Model

Quantum information

• Described by qubits

• A single qubit can have a state of |0〉, |1〉, or any linearcombination

α0 |0〉+ α1 |1〉

satisfying α0, α1 ∈ C where |α0|2 + |α1|2 = 1

• Observation permanently alters the state of a qubit

Differences between QRO and RO

• There is no “transcript” of all queries to QRO

• Queries to the QRO in a “superposition” of all possible hashfunction inputs are allowed.

Generic Hybrid Encryption SchemeTools

KEMLet ΠKEM = (KEM.Gen,KEM.Enc,KEM.Dec) be a keyencapsulation mechanism with

• coinspace COINKEM = 0, 1n1

• key space KKEM = 0, 1n2

• ciphertext space CKEM = 0, 1n3 .

The parameters n1, n2, n3 depend on the security parameter n andshould each be of size 2ω(log n).

Generic Hybrid Encryption SchemeTools

ΠKEM consists of the following three algorithms:

KEM.Gen(1n)→ (pk, sk)

KEM.Enc(1n, pk ; r)→ (k , c)

KEM.Dec(c, sk)→ (k , r) or ⊥ .

δ-spread

A key encapsulation mechanism is δ-spread if for every pkgenerated,

maxy∈0,1∗ Pr[y = c |(k , c)← KEM.Enc(1n, pk; r),

r$←− COINKEM] ≤ 1

2−δ.

As defined, by Unruh, we say that the KEM ΠKEM is well-spread ifδ = ω(log(n)).

Generic Hybrid Encryption SchemeTools

Let ΠSYM = (SYM.Enc, SYM.Dec) be a symmetric encryptionscheme with key space KSYM, and message space MSYM.

Two hash functions

H : 0, 1n2 → KSYM

G : 0, 1n1+n3 → 0, 1l

Generic Hybrid Encryption SchemeProtocol

The hybrid encryption scheme Enc, on input m and securityparameter n runs as follows:

1 Gen runs KEM.Gen(1n) to produce (pk, sk)

2 Enc chooses r$←− COINKEM, then runs

KEM.Enc(1n, pk ; r) = (k, c). Enc defines• α := c• β := SYM.EncG(k)(m)• γ := H(k ||r)

3 Enc returns ciphertext (α, β, γ)

Generic Hybrid Encryption Scheme

The hybrid decryption scheme Dec, on input (α, β, γ), sk runs asfollows:

1 Compute (k , r) := KEM.Dec(α, sk). If value is ⊥, return ⊥.

2 If γ 6= H(k ||r), return ⊥.

3 Otherwise, m := SYM.DecG(k)(β). Return m.

TheoremThe hybrid scheme ΠHY is IND-CCA secure in the quantumrandom oracle model if ΠKEM is one-way secure and well-spread,and if ΠSYM is one-time secure.

Security Proof - Game 0

Generate:

H$←− ΩH ,G

$←− ΩG

(pk, sk)$←− KEM.Gen(1n), r

$←−COINKEM

m0,m1 ← AG ,H,Dechy (pk)

b$←− 0, 1

Challenge:

(k∗, c∗)$←− KEM.Enc(1n, pk; r)

α∗ ← c∗

β∗ ← SYM.EncG(k∗)(mb)γ∗ ← H(k∗||r)

Guess:

b′ ← AG ,H,Dechy (α∗, β∗, γ∗)

Return b = b′

Generic Hybrid Encryption SchemeProof techniques

We must apply OW2H Lemma by Unruh.

LemmaOne Way to Hiding Lemma: Let H : 0, 1l1 → 0, 1l2 be arandom oracle. Consider an oracle algorithm A1 that makes atmost q queries to H. Let C1 be an oracle algorithm that on input xdoes the following:

1 Pick i$←− 1, . . . , q, y $←− 0, 1l2

2 Run AH1 (x , y) until (just before) the i-th query.

3 Measure the argument of the query in the computational basisand return the measurement outcome. If AH

1 makes less thani queries to H, then return ⊥.

Generic Hybrid Encryption SchemeProof techniques

Let P1A,P

2A,PC be defined as follows:

P1A := Pr[b′ = 1|H $←− ΩH , x

$←− 0, 1l1 , b′ ← AH1 (x ,H(x))]

P2A := Pr[b′ = 1|H $←− ΩH , x

$←− 0, 1l1 , b′ ← AH1 (x , y)]

PC := Pr[x ′ = x |H $←− ΩH , x$←− 0, 1l1 , x ′ ← CH1 (x , i)]

Then

|P1A − P2

A| ≤ 2q√PC .

Generic Hybrid Encryption SchemeResults

Proof by sequence of security games. Combining probabilities, thisyields an upper bound on the success probability in Game 0:

Pr[1← Game0] <1

2+ negl(n)KEM + negl(n)SYM + 2q

√2−ω(logn).

This scheme contributes IND-CCA secure hybrid encryptionscheme believed to be quantum-resistant.

Potential constructions

• BIKE-KEM + AES-GCM

• Frodo-KEM + AES-GCM

• Kyber-KEM + AES-GCM

https://csrc.nist.gov/projects/

post-quantum-cryptography/round-1-submissions

References

• “Secure Integration of Asymmetric and Symmetric EncryptionSchemes”, Fujisaki, Eiichiro and Okamoto, Tatsuaki,CRYPTO ’99, 1999

• “Post-Quantum Security of the Fujisaki-Okamoto and OAEPTransforms”, Targhi, Ehsan Ebrahimi and Unruh, Dominique,14th International Conference on Theory of Cryptography,2016

• “REACT: Rapid Enhanced-Security Asymmetric CryptosystemTransform”, Okamoto, Tatsuaki and Pointcheval, David,Proceedings of the 2001 Conference on Topics in Cryptology,2001

• Quantum Computation and Quantum Information by Nielsenand Chuang, 2000

Additional slides

Formal Security DefinitionsOne-way secure

DefinitionA key encapsulation mechanismΠKEM = (KEM.Gen,KEM.Enc,KEM.Dec) is one-way secure if noquantum polynomial-time adversary A can win in theGameOW

A,ΠKEM(n) game, except with probability at most negl(n)KEM:

KeyGen: The challenger C runs KEM.Gen(1n) toobtain a pair of keys (pk, sk)

Query: C selects r$←− COINKEM and runs

KEM.Enc(1n, pk; r) to obtain a random key andciphertext pair (k , c). C sends c to A.

Guess: The adversary on input (pk, c) produces a bitstring k ′ and wins if k = k ′.

Formal Security DefinitionsOne-time secure

DefinitionA symmetric encryption scheme ΠSYM = (SYM.Enc,SYM.Dec) isone-time secure if no quantum polynomial-time adversary A canwin in game GameOT

A,ΠSYM(n), except with probability at most12 + negl(n)SYM:

KeyGen: The challenger C picks a key k$←− KSYM

Query: On input 1n, A chooses two messages m0,m1

of the same length and sends them to the challenger.

C chooses b$←− 0, 1 and responds with

c$←− SYM.Enck(mb)

Guess: A produces a bit b′ and wins if b = b′.

Formal Security DefinitionsIND-CCA in QROM

DefinitionA hybrid encryption scheme ΠHY is IND-CCA in the QROM if noefficient quantum adversary A can win in the GameCCA−QRO

A,ΠHY (n),

except with probability at most 12 + negl(n):

KeyGen: The challenger runs Gen on input n, whichruns KEM.Gen(1n) to produce (pk, sk).

Query: The adversary A is given the public key pkalong with classical access to the decryption oracleand quantum access to the random oracles G ,H. Achooses two messages m0,m1 of the same length andsends them to the challenger C. C chooses

b$←− 0, 1 and responds with c ← Encpk(mb).

Guess: A continues to send classical decryptionqueries to Dec, but may not query c . A also sendsquantum queries to random oracles G ,H.