Tightly Secure Ring-LWE Based Key Encapsulation with Short Ciphertexts
We provide a tight security proof for an IND-CCA Ring-LWE based Key Encapsulation Mechanism that is derived from a generic construction of Dent (IMA Cryptography and Coding, 2003). No such tight reduction is known for the generic construction itself. The resulting scheme has shorter ciphertexts than can be achieved with Dent's other generic constructions or with the well-known Fujisaki-Okamoto constructions (PKC 1999, Crypto 1999). Our tight security proof is obtained by reducing directly to the hardness of the underlying Ring-LWE problem, avoiding an intermediate reduction to a CPA-secure encryption scheme. The proof technique may be of interest for other schemes based on LWE and Ring-LWE.
Quantum Indistinguishability for Public Key Encryption
In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qIND-qCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against code-based schemes and against LWE-based schemes with certain parameters. We also show that the canonical hybrid PKE-SKE encryption construction is qIND-qCPA-secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantum-resistant PKE schemes based on the applicability of our security notion. Our core idea follows the approach of Gagliardoni et al. by using so-called type-2 operators for encrypting the challenge message. At first glance, type-2 operators appear unnatural for PKE, as the canonical way of building them requires both the secret and the public key. However, we identify a class of PKE schemes, which we call recoverable, and show that for this class type-2 operators require merely the public key. Moreover, recoverable schemes allow one to realise type-2 operators even if they suffer from decryption failures, which in general thwarts the reversibility mandated by type-2 operators. Our work reveals that many real-world quantum-resistant PKE schemes, including most NIST PQC candidates and the canonical hybrid construction, are indeed recoverable.