622 research outputs found

    More Efficient Adaptively Secure Lattice-based IBE with Equality Test in the Standard Model

    Identity-based encryption with equality test (IBEET) is a variant of identity-based encryption (IBE), where any users who have trapdoors can check whether two ciphertexts are encryptions of the same plaintext. Although several lattice-based IBEET schemes have been proposed, they have drawbacks in either security or efficiency. Specifically, most schemes satisfy only selective security, while adaptively secure schemes in the standard model suffer from large master public keys that consist of linear numbers of matrices. In other words, known lattice-based IBEET schemes perform poorly compared to the state-of-the-art lattice-based IBE schemes (without equality test). In this paper, we propose a semi-generic construction of CCA-secure lattice-based IBEET from a certain class of lattice-based IBE schemes. As a result, we obtain the first lattice-based IBEET schemes with adaptive security and CCA security in the standard model. Furthermore, our semi-generic construction can use several state-of-the-art lattice-based IBE schemes as underlying schemes. Then, we have adaptively secure lattice-based IBEET schemes whose public keys have only poly-log matrices

    Contributions to Lattice–based Cryptography

    Post–quantum cryptography (PQC) is a new and fast–growing part of Cryptography. It focuses on developing cryptographic algorithms and protocols that resist quantum adversaries (i.e., the adversaries who have access to quantum computers). To construct a new PQC primitive, a designer must use a mathematical problem intractable for the quantum adversary. Many intractability assumptions are being used in PQC. There seems to be a consensus in the research community that the most promising are intractable/hard problems in lattices. However, lattice–based cryptography still needs more research to make it more efficient and practical. The thesis contributes toward achieving either the novelty or the practicality of lattice–based cryptographic systems

    Generic-Group Identity-Based Encryption: A Tight Impossibility Result


    Learning with Errors is easy with quantum samples

    Learning with Errors is one of the fundamental problems in computational learning theory and has in the last years become the cornerstone of post-quantum cryptography. In this work, we study the quantum sample complexity of Learning with Errors and show that there exists an efficient quantum learning algorithm (with polynomial sample and time complexity) for the Learning with Errors problem where the error distribution is the one used in cryptography. While our quantum learning algorithm does not break the LWE-based encryption schemes proposed in the cryptography literature, it does have some interesting implications for cryptography: first, when building an LWE-based scheme, one needs to be careful about the access to the public-key generation algorithm that is given to the adversary; second, our algorithm shows a possible way for attacking LWE-based encryption by using classical samples to approximate the quantum sample state, since then using our quantum learning algorithm would solve LWE

    Puncturable Encryption: A Generic Construction from Delegatable Fully Key-Homomorphic Encryption

    Puncturable encryption (PE), proposed by Green and Miers at IEEE S&P 2015, is a kind of public key encryption that allows recipients to revoke individual messages by repeatedly updating decryption keys without communicating with senders. PE is an essential tool for constructing many interesting applications, such as asynchronous messaging systems, forward-secret zero round-trip time protocols, public-key watermarking schemes and forward-secret proxy re-encryptions. This paper revisits PEs from the observation that the puncturing property can be implemented as efficiently computable functions. From this view, we propose a generic PE construction from the fully key-homomorphic encryption, augmented with a key delegation mechanism (DFKHE) from Boneh et al. at Eurocrypt 2014. We show that our PE construction enjoys the selective security under chosen plaintext attacks (that can be converted into the adaptive security with some efficiency loss) from that of DFKHE in the standard model. Based on the framework, we obtain the first post-quantum secure PE instantiation that is based on the learning with errors problem, selectively secure under chosen plaintext attacks (CPA) in the standard model. We also discuss the ability to modify our framework to support the unbounded number of ciphertext tags, inspired by the work of Brakerski and Vaikuntanathan at CRYPTO 2016

    On the Feasibility of Identity-based Encryption with Equality Test against Insider Attacks

    As a generalization of public key encryption with keyword search, public key encryption with equality test was proposed, and identity-based encryption with equality test (IBEET) is its identity-based variant. In IBEET, anyone can check whether two ciphertexts of distinct identities are encryptions of the same plaintext or not using trapdoors. Due to its functionality, IBEET cannot provide any indistinguishability-based security for trapdoor holders. As a variant of IBEET, IBEET against insider attacks (IBEETIA) was proposed, where a token is defined for each identity and is used for encryption, and anyone can check whether two ciphertexts of distinct identities are encryptions of the same plaintext or not without using trapdoors, and an indistinguishability security of IBEETIA was defined. Lee et al. (ACISP 2018) and Duong et al. (ProvSec 2019) proposed a pairing-based and a lattice-based construction, respectively. That is, current concrete IBEETIA schemes are constructed by identity-based encryption (IBE) related complexity assumptions. According to the implication result shown by Boneh et al. (FOCS 2008), IBE is recognized as a strong cryptographic primitive because no black-box construction of IBE from trapdoor permutations exists. However, Emura and Takayasu (IEICE Transactions 2023) demonstrated that symmetric key encryption and pseudo-random permutations are sufficient to construct IBEETIA which is secure in the previous security definition. These results suggest that we explore a condition of IBEETIA that requires employing IBE-related complexity assumptions. In this paper, we demonstrate a sufficient condition that IBEETIA implies IBE. We define one-wayness against chosen-plaintext/ciphertext attacks for the token generator (OW-TG-CPA/CCA) and for token holders (OW-TH-CPA/CCA), which were not considered in the previous security definition. We show that OW-TG-CPA secure IBEETIA with additional conditions implies OW-CPA secure IBE, and show that the Lee et al. and Duong et al. schemes provide the OW-TG-CPA security. On the other hand, we propose a generic construction of OW-TH-CCA secure IBEETIA from public key encryption. Our results suggest a design principle to efficiently construct IBEETIA without employing IBE-related complexity assumptions

    Vector Encoding over Lattices and Its Applications

    In this work, we design a new lattice encoding structure for vectors. Our encoding can be used to achieve a packed FHE scheme that allows some SIMD operations and can be used to improve all the prior IBE schemes and signatures in the series. In particular, with respect to FHE setting, our method improves over the prior packed GSW structure of Hiromasa et al. (PKC '15), as we do not rely on a circular assumption as required in their work. Moreover, we can use the packing and unpacking method to extract each single element, so that the homomorphic operation supports element-wise and cross-element-wise computation as well. In the IBE scenario, we improve over previous constructions supporting O(Λ)-bit length identity from lattices substantially, such as Yamada (Eurocrypt '16), Katsumata, Yamada (Asiacrypt '16) and Yamada (Crypto '17), by shrinking the master public key to three matrices from standard Learning With Errors assumption. Additionally, our techniques from IBE can be adapted to construct a compact digital signature scheme, which achieves existential unforgeability under the standard Short Integer Solution (SIS) assumption with small polynomial parameters