a generic hybrid encryption construction in the …a generic hybrid encryption construction in the...
TRANSCRIPT
A Generic Hybrid Encryption Construction in theQuantum Random Oracle Model
Presented by: Angela Robinson
Department of Mathematical Sciences, Florida Atlantic University
April 4, 2018
MotivationQuantum-resistance
Shor’s Algorithm (1994) solves the following problems in quantumpolynomial-time
• the integer factorization problem
• the discrete logarithm problem
• elliptic-curve discrete logarithm problem
Progress in the area of quantum information and computation hasinfluenced the growth of quantum-resistant cryptography.
• Defeated cryptosystems: RSA, DSA, Elliptic Curve-based, . . .
• Potential survivors: Code-, lattice-, multivariate-, isogeny-,and hash-based
MotivationHybrid Encryption
Symmetric key encryption
• Usually faster runnning times
• Requires a shared secret in advance of the protocol
Asymmetric encryption
• Does not require a shared secret between sender and recipient
• Can run slower for long messages
Hybrid Encryption idea
Encrypt message using symmetric component under random stringk , then encrypt k under the asymmetric component
Hybrid EncryptionSecurity Definitions
IND-CCAAn encryption scheme satisfies indistinguishability underchosen-ciphertext attack if, given access to the decryption oracle,the advantage of an adversary A winning this game is negligible:
• A selects two messages m0,m1 and sends to a challenger C• C selects b ∈R 0, 1 and sends cb = Enc(mb) to A• A submits b∗ ∈ 0, 1 to C and wins if b = b∗.
Naive approach
Combine IND-CCA secure symmetric component with IND-CCAsecure asymmetric component to achieve IND-CCA secure hybridencryption.
Fujisaki Okamoto transform
Weaker security assumptions
Fujisaki and Okamoto (1999) combined one-time symmetricencryption with one-way asymmetric encryption to achieveIND-CCA security.
HY.Encpk(m) = ASYM.Encpk(r ;H(r ,m))||SYM.EncG(r)(m)
Observations:
• The asymmetric component encrypts randomness r
• The symmetric component encrypts message m under hash ofrandomness r
• There are, in a sense, two components.
Unruh’s QROM-secure Fujisaki Okamoto
Security in QROM
Targhi and Unruh show how to modify FO transform to achievesecurity in the QROM.
HY.Encpk(m; r) =ASYM.Encpk(r ;H(r ||SYM.EncG(r)(m))),SYM.EncG(r)(m),H
′(r)
Observations:
• The asymmetric component encrypts randomness r
• The symmetric component encrypts message m under hash ofrandomness r
• There is a third component that is simply the hash value ofrandomness r
Our contribution: QROM-secure HybridEncryption
Let KEM.Enc(1n, pk; r) = (k, c).Our QROM-secure hybrid construction is:
HY.Encpk(m; r) = c ,SYM.EncG(k)(m),H(k ||r).
Observations:
• The asymmetric component is the ciphertext of anencapsulated key k
• The symmetric component encrypts message m under hash ofencapsulated key k
• The third component is the hash value of encapsulated key kwith random string r .
Hybrid EncryptionSecurity Definitions
One-way secure
An asymmetric encryption scheme is said to be one-way if nopolynomial-time adversary A can recover the whole plaintext froma given ciphertext.
One-time secureA symmetric encryption scheme is one-time secure if nopolynomial-time adversary A can distinguish between theencryption of two messages when a fresh key is used for encryption.
PreliminariesQuantum Random Oracle Model
Classical Random Oracle
• Theoretical black box
• Responds to every unique query with a truly random response
• Disadvantage: cannot be implemented in polynomial space
• Advantage: enables security proofs, can be simulated inpolynomial time and space
A cryptosystem in the random oracle model is a cryptosystemwhere one or more hash functions are replaced by oracle queries tothe random function.
PreliminariesQuantum Random Oracle Model
Quantum information
• Described by qubits
• A single qubit can have a state of |0〉, |1〉, or any linearcombination
α0 |0〉+ α1 |1〉
satisfying α0, α1 ∈ C where |α0|2 + |α1|2 = 1
• Observation permanently alters the state of a qubit
Differences between QRO and RO
• There is no “transcript” of all queries to QRO
• Queries to the QRO in a “superposition” of all possible hashfunction inputs are allowed.
Generic Hybrid Encryption SchemeTools
KEMLet ΠKEM = (KEM.Gen,KEM.Enc,KEM.Dec) be a keyencapsulation mechanism with
• coinspace COINKEM = 0, 1n1
• key space KKEM = 0, 1n2
• ciphertext space CKEM = 0, 1n3 .
The parameters n1, n2, n3 depend on the security parameter n andshould each be of size 2ω(log n).
Generic Hybrid Encryption SchemeTools
ΠKEM consists of the following three algorithms:
KEM.Gen(1n)→ (pk, sk)
KEM.Enc(1n, pk ; r)→ (k , c)
KEM.Dec(c, sk)→ (k , r) or ⊥ .
δ-spread
A key encapsulation mechanism is δ-spread if for every pkgenerated,
maxy∈0,1∗ Pr[y = c |(k , c)← KEM.Enc(1n, pk; r),
r$←− COINKEM] ≤ 1
2−δ.
As defined, by Unruh, we say that the KEM ΠKEM is well-spread ifδ = ω(log(n)).
Generic Hybrid Encryption SchemeTools
Let ΠSYM = (SYM.Enc, SYM.Dec) be a symmetric encryptionscheme with key space KSYM, and message space MSYM.
Two hash functions
H : 0, 1n2 → KSYM
G : 0, 1n1+n3 → 0, 1l
Generic Hybrid Encryption SchemeProtocol
The hybrid encryption scheme Enc, on input m and securityparameter n runs as follows:
1 Gen runs KEM.Gen(1n) to produce (pk, sk)
2 Enc chooses r$←− COINKEM, then runs
KEM.Enc(1n, pk ; r) = (k, c). Enc defines• α := c• β := SYM.EncG(k)(m)• γ := H(k ||r)
3 Enc returns ciphertext (α, β, γ)
Generic Hybrid Encryption Scheme
The hybrid decryption scheme Dec, on input (α, β, γ), sk runs asfollows:
1 Compute (k , r) := KEM.Dec(α, sk). If value is ⊥, return ⊥.
2 If γ 6= H(k ||r), return ⊥.
3 Otherwise, m := SYM.DecG(k)(β). Return m.
TheoremThe hybrid scheme ΠHY is IND-CCA secure in the quantumrandom oracle model if ΠKEM is one-way secure and well-spread,and if ΠSYM is one-time secure.
Security Proof - Game 0
Generate:
H$←− ΩH ,G
$←− ΩG
(pk, sk)$←− KEM.Gen(1n), r
$←−COINKEM
m0,m1 ← AG ,H,Dechy (pk)
b$←− 0, 1
Challenge:
(k∗, c∗)$←− KEM.Enc(1n, pk; r)
α∗ ← c∗
β∗ ← SYM.EncG(k∗)(mb)γ∗ ← H(k∗||r)
Guess:
b′ ← AG ,H,Dechy (α∗, β∗, γ∗)
Return b = b′
Generic Hybrid Encryption SchemeProof techniques
We must apply OW2H Lemma by Unruh.
LemmaOne Way to Hiding Lemma: Let H : 0, 1l1 → 0, 1l2 be arandom oracle. Consider an oracle algorithm A1 that makes atmost q queries to H. Let C1 be an oracle algorithm that on input xdoes the following:
1 Pick i$←− 1, . . . , q, y $←− 0, 1l2
2 Run AH1 (x , y) until (just before) the i-th query.
3 Measure the argument of the query in the computational basisand return the measurement outcome. If AH
1 makes less thani queries to H, then return ⊥.
Generic Hybrid Encryption SchemeProof techniques
Let P1A,P
2A,PC be defined as follows:
P1A := Pr[b′ = 1|H $←− ΩH , x
$←− 0, 1l1 , b′ ← AH1 (x ,H(x))]
P2A := Pr[b′ = 1|H $←− ΩH , x
$←− 0, 1l1 , b′ ← AH1 (x , y)]
PC := Pr[x ′ = x |H $←− ΩH , x$←− 0, 1l1 , x ′ ← CH1 (x , i)]
Then
|P1A − P2
A| ≤ 2q√PC .
Generic Hybrid Encryption SchemeResults
Proof by sequence of security games. Combining probabilities, thisyields an upper bound on the success probability in Game 0:
Pr[1← Game0] <1
2+ negl(n)KEM + negl(n)SYM + 2q
√2−ω(logn).
This scheme contributes IND-CCA secure hybrid encryptionscheme believed to be quantum-resistant.
Potential constructions
• BIKE-KEM + AES-GCM
• Frodo-KEM + AES-GCM
• Kyber-KEM + AES-GCM
https://csrc.nist.gov/projects/
post-quantum-cryptography/round-1-submissions
References
• “Secure Integration of Asymmetric and Symmetric EncryptionSchemes”, Fujisaki, Eiichiro and Okamoto, Tatsuaki,CRYPTO ’99, 1999
• “Post-Quantum Security of the Fujisaki-Okamoto and OAEPTransforms”, Targhi, Ehsan Ebrahimi and Unruh, Dominique,14th International Conference on Theory of Cryptography,2016
• “REACT: Rapid Enhanced-Security Asymmetric CryptosystemTransform”, Okamoto, Tatsuaki and Pointcheval, David,Proceedings of the 2001 Conference on Topics in Cryptology,2001
• Quantum Computation and Quantum Information by Nielsenand Chuang, 2000
Formal Security DefinitionsOne-way secure
DefinitionA key encapsulation mechanismΠKEM = (KEM.Gen,KEM.Enc,KEM.Dec) is one-way secure if noquantum polynomial-time adversary A can win in theGameOW
A,ΠKEM(n) game, except with probability at most negl(n)KEM:
KeyGen: The challenger C runs KEM.Gen(1n) toobtain a pair of keys (pk, sk)
Query: C selects r$←− COINKEM and runs
KEM.Enc(1n, pk; r) to obtain a random key andciphertext pair (k , c). C sends c to A.
Guess: The adversary on input (pk, c) produces a bitstring k ′ and wins if k = k ′.
Formal Security DefinitionsOne-time secure
DefinitionA symmetric encryption scheme ΠSYM = (SYM.Enc,SYM.Dec) isone-time secure if no quantum polynomial-time adversary A canwin in game GameOT
A,ΠSYM(n), except with probability at most12 + negl(n)SYM:
KeyGen: The challenger C picks a key k$←− KSYM
Query: On input 1n, A chooses two messages m0,m1
of the same length and sends them to the challenger.
C chooses b$←− 0, 1 and responds with
c$←− SYM.Enck(mb)
Guess: A produces a bit b′ and wins if b = b′.
Formal Security DefinitionsIND-CCA in QROM
DefinitionA hybrid encryption scheme ΠHY is IND-CCA in the QROM if noefficient quantum adversary A can win in the GameCCA−QRO
A,ΠHY (n),
except with probability at most 12 + negl(n):
KeyGen: The challenger runs Gen on input n, whichruns KEM.Gen(1n) to produce (pk, sk).
Query: The adversary A is given the public key pkalong with classical access to the decryption oracleand quantum access to the random oracles G ,H. Achooses two messages m0,m1 of the same length andsends them to the challenger C. C chooses
b$←− 0, 1 and responds with c ← Encpk(mb).
Guess: A continues to send classical decryptionqueries to Dec, but may not query c . A also sendsquantum queries to random oracles G ,H.