post-quantum cryptography #4 - university of waterloo€¦ · jeudi 18 juillet 13 206. 4 equivalent...
TRANSCRIPT
![Page 1: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/1.jpg)
Post-Quantum Cryptography #4
Prof. Claude CrépeauMcGill University
http://crypto.cs.mcgill.ca/~crepeau/WATERLOO
185jeudi 18 juillet 13
![Page 2: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/2.jpg)
(186jeudi 18 juillet 13
![Page 3: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/3.jpg)
Attack scenarios
Ciphertext-only attack: This is the most basic type of attack and refers to the scenario where the adversary just observes a ciphertext (or multiple ciphertexts) and attempts to determine the underlying plaintext (or plaintexts).
WWiillllyyoouummaarrrryymmee?? c
m?
187jeudi 18 juillet 13
![Page 4: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/4.jpg)
Known-plaintext attack: The adversary learns one or more pairs of plaintexts/ciphertexts encrypted under the same key. The aim is to determine the plaintext that was encrypted in some other ciphertext.
Attack scenarios
WWiillllyyoouummaarrrryymmee?? c’WWiillllyyoouummaarrrryymmee?? c
mm’?
188jeudi 18 juillet 13
![Page 5: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/5.jpg)
Attack scenarios
Chosen-plaintext attack: The adversary has the ability to obtain the encryption of plaintexts of its choice. It then attempts to determine the plaintext that was encrypted in some other ciphertext.
WWiillllyyoouummaarrrryymmee?? c’WWiillllyyoouummaarrrryymmee?? cm
m’?
189jeudi 18 juillet 13
![Page 6: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/6.jpg)
Attack scenarios
Chosen-ciphertext attack: The adversary is even given the capability to obtain the decryption of ciphertexts of its choice. The adversary’s aim, once again, is to determine the plaintext that was encrypted in some other ciphertext.
WWiillllyyoouummaarrrryymmee?? c’WWiillllyyoouummaarrrryymmee?? c
mc
m’?
190jeudi 18 juillet 13
![Page 7: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/7.jpg)
What issecure encryption?
Answer 1 — an encryption scheme is secure if no adversary can find the secret key when given a ciphertext.
191jeudi 18 juillet 13
![Page 8: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/8.jpg)
secure encryption.
Answer 2 — an encryption scheme is secure if no adversary can find the plaintext that corresponds to the ciphertext.
192jeudi 18 juillet 13
![Page 9: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/9.jpg)
secure encryption.
Answer 3 — an encryption scheme is secure if no adversary can determine any character of the plaintext that corresponds to the ciphertext.
193jeudi 18 juillet 13
![Page 10: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/10.jpg)
secure encryption.
Answer 4 — an encryption scheme is secure if no adversary can derive any meaningful information about the plaintext from the ciphertext.
Definitions of security should suffice for all potential applications.
194jeudi 18 juillet 13
![Page 11: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/11.jpg)
secure encryption.
The Final Answer — an encryption scheme is secure if no adversary can compute any function of the plaintext from the ciphertext.
195jeudi 18 juillet 13
![Page 12: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/12.jpg)
Perfect Secrecy
DEFINITION 2.1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C for which Pr[C = c] > 0 : Pr[M = m | C = c] = Pr[M = m].
196jeudi 18 juillet 13
![Page 13: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/13.jpg)
An equivalent formulation
LEMMA 2.2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every messagem ∈ M, and every ciphertext c ∈ C :
Pr[C = c | M = m] = Pr[C = c].
197jeudi 18 juillet 13
![Page 14: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/14.jpg)
Perfect indistinguishability
LEMMA 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every m0, m1 ∈ M, and every c ∈ C :
Pr[ C = c | M = m0 ] = Pr[ C = c | M = m1 ].
198jeudi 18 juillet 13
![Page 15: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/15.jpg)
Adversarial indistinguishability.
199jeudi 18 juillet 13
![Page 16: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/16.jpg)
Adversarial indistinguishability.
This other definition is based on an experiment involving an adversary A, and formalizes A’s inability to distinguish the encryption of one plaintext from the encryption of another; we thus call it adversarial indistinguishability.
199jeudi 18 juillet 13
![Page 17: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/17.jpg)
Adversarial indistinguishability.
This other definition is based on an experiment involving an adversary A, and formalizes A’s inability to distinguish the encryption of one plaintext from the encryption of another; we thus call it adversarial indistinguishability.
This definition will serve as our starting point when we introduce the notion of computational security in the next chapter.
199jeudi 18 juillet 13
![Page 18: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/18.jpg)
Adversarial indistinguishability.
200jeudi 18 juillet 13
![Page 19: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/19.jpg)
Adversarial indistinguishability.
The experiment is defined for any encryption scheme Π = (Gen, Enc, Dec) over message space M and for any adversary A.
200jeudi 18 juillet 13
![Page 20: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/20.jpg)
Adversarial indistinguishability.
The experiment is defined for any encryption scheme Π = (Gen, Enc, Dec) over message space M and for any adversary A.
We let PrivKeAa,vΠ denote an execution of the
experiment for a given Π and A. The experiment is defined as follows:
200jeudi 18 juillet 13
![Page 21: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/21.jpg)
PrivKeAa,vΠ
A
201jeudi 18 juillet 13
![Page 22: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/22.jpg)
m0, m1 ∈ M
PrivKeAa,vΠ
A
201jeudi 18 juillet 13
![Page 23: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/23.jpg)
m0, m1 ∈ M
PrivKeAa,vΠ
A
k ← Gen
201jeudi 18 juillet 13
![Page 24: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/24.jpg)
m0, m1 ∈ M
PrivKeAa,vΠ
A
b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 25: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/25.jpg)
m0, m1 ∈ M
PrivKeAa,vΠ
Ac ← Enck(mb)b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 26: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/26.jpg)
m0, m1 ∈ M
c
PrivKeAa,vΠ
Ac ← Enck(mb)b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 27: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/27.jpg)
m0, m1 ∈ M
c
b
PrivKeAa,vΠ
Ac ← Enck(mb)b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 28: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/28.jpg)
m0, m1 ∈ M
c
b b′
PrivKeAa,vΠ
Ac ← Enck(mb)b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 29: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/29.jpg)
m0, m1 ∈ M
b = b′ ?
c
b b′
PrivKeAa,vΠ
Ac ← Enck(mb)b ← { 0, 1 }k ← Gen
201jeudi 18 juillet 13
![Page 30: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/30.jpg)
Adversarial indistinguishability.
202jeudi 18 juillet 13
![Page 31: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/31.jpg)
Adversarial indistinguishability.
PrivKeAa,vΠ :
202jeudi 18 juillet 13
![Page 32: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/32.jpg)
Adversarial indistinguishability.
PrivKeAa,vΠ :
1. Adversary A outputs a pair of messages m0, m1 ∈ M.
202jeudi 18 juillet 13
![Page 33: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/33.jpg)
Adversarial indistinguishability.
PrivKeAa,vΠ :
1. Adversary A outputs a pair of messages m0, m1 ∈ M.
2. A random key k is generated by running Gen, and a random bit b ← { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c ← Enck(mb) is computed and given to A.
202jeudi 18 juillet 13
![Page 34: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/34.jpg)
Adversarial indistinguishability.
PrivKeAa,vΠ :
1. Adversary A outputs a pair of messages m0, m1 ∈ M.
2. A random key k is generated by running Gen, and a random bit b ← { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c ← Enck(mb) is computed and given to A.
3. A outputs a bit b′.
202jeudi 18 juillet 13
![Page 35: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/35.jpg)
Adversarial indistinguishability.
PrivKeAa,vΠ :
1. Adversary A outputs a pair of messages m0, m1 ∈ M.
2. A random key k is generated by running Gen, and a random bit b ← { 0, 1 } is chosen (by some imaginary entity that is running the experiment with A.) A ciphertext c ← Enck(mb) is computed and given to A.
3. A outputs a bit b′.
4. The output of the experiment is defined to be 1 ifb′ = b, and 0 otherwise.
202jeudi 18 juillet 13
![Page 36: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/36.jpg)
Adversarial indistinguishability.
203jeudi 18 juillet 13
![Page 37: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/37.jpg)
Adversarial indistinguishability.
We write PrivKeAa,vΠ = 1 if the output is 1 and in
this case we say that A succeeded.
203jeudi 18 juillet 13
![Page 38: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/38.jpg)
Adversarial indistinguishability.
We write PrivKeAa,vΠ = 1 if the output is 1 and in
this case we say that A succeeded.
One should think of A as trying to guess the value of b that is chosen in the experiment, and A succeeds when its guess b′ is correct.
203jeudi 18 juillet 13
![Page 39: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/39.jpg)
Adversarial indistinguishability.
We write PrivKeAa,vΠ = 1 if the output is 1 and in
this case we say that A succeeded.
One should think of A as trying to guess the value of b that is chosen in the experiment, and A succeeds when its guess b′ is correct.
The alternate definition we now give states that an encryption scheme is perfectly secret if no adversary A can succeed with probability any better than 1/2.
203jeudi 18 juillet 13
![Page 40: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/40.jpg)
A
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 41: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/41.jpg)
A
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen
c
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 42: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/42.jpg)
b
A
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen
c
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 43: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/43.jpg)
b b′
A
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen
c
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 44: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/44.jpg)
Pr[ b = b′ ] = 1/2
b b′
A
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen
c
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 45: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/45.jpg)
Pr[ b = b′ ] = 1/2
perfectly secretb b′
A
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen
c
PrivKeAa,vΠ
204jeudi 18 juillet 13
![Page 46: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/46.jpg)
Adversarial indistinguishability.
DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that
Pr[ PrivKeAa,vΠ = 1 ] = 1/2 .
205jeudi 18 juillet 13
![Page 47: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/47.jpg)
Adversarial indistinguishability.
PROPOSITION 2.5 Let (Gen, Enc, Dec) be an encryption scheme over a message space M. Then (Gen, Enc, Dec) is perfectly secret with respect to Definition 2.1 if and only if it is perfectly secret with respect to Definition 2.4.
206jeudi 18 juillet 13
![Page 48: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/48.jpg)
4 Equivalent Formulations
DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message space M is perfectly secret if for every adversary A it holds that
Pr[ PrivKeAa,vΠ = 1 ] = 1/2 .
LEMMA 2.2 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every messagem ∈ M, and every ciphertext c ∈ C :
Pr[C = c | M = m] = Pr[C = c].
DEFINITION 2.1 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M, every message m ∈ M, and every ciphertext c ∈ C for which Pr[C = c] > 0 : Pr[M = m | C = c] = Pr[M = m].
LEMMA 2.3 An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every m0, m1 ∈ M, and every c ∈ C :
Pr[ C = c | M = m0 ] = Pr[ C = c | M = m1 ].
207jeudi 18 juillet 13
![Page 49: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/49.jpg)
3.2 Defining Computationally-Secure Encryption
DEFINITION 3.7 A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that:
1/3. The key-generation algorithm Gen takes as input the security parameter 1n and outputs a key k; we write this as k ← Gen(1n) (thus emphasizing the fact that Gen is a randomized algorithm). We will assume without loss of generality that any key k ← Gen(1n) satisfies |k| ≤ n.
208jeudi 18 juillet 13
![Page 50: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/50.jpg)
Defining Computationally-Secure Encryption
DEFINITION 3.7 A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that:
2/3. The encryption algorithm Enc takes as input a
key k and a plaintext message m ∈ {0,1}∗, and outputs a ciphertext c. Since Enc may be randomized, we write c ← Enck(m).
209jeudi 18 juillet 13
![Page 51: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/51.jpg)
DEFINITION 3.7 A private-key encryption scheme is a tuple of probabilistic polynomial-time algorithms (Gen, Enc, Dec) such that:
3/3. The decryption algorithm Dec takes as input a key k and a ciphertext c, and outputs a message m. We assume that Dec is deterministic, and so write this as m ≔ Deck(c).
Defining Computationally-Secure Encryption
210jeudi 18 juillet 13
![Page 52: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/52.jpg)
Defining Computationally-Secure Encryption
It is required that for every n, every key k output
by Gen(1n), and every m ∈ {0,1}∗, it holds that Deck(Enck(m)) = m.
If (Gen, Enc, Dec) is such that for k output by Gen(1n), algorithm Enck is only defined for m ∈ {0,1}ℓ(n), then we say that (Gen, Enc, Dec)
is a fixed-length private-key encryption scheme for messages of length ℓ(n).
211jeudi 18 juillet 13
![Page 53: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/53.jpg)
Indistinguishability in the presence of an eavesdropper
An experiment is defined for any private-key encryption scheme Π = (Gen, Enc, Dec), any PPT adversary A and any value n for the security parameter.
The eavesdropping indistinguishability experiment
PrivKeAa,vΠ(n) :
212jeudi 18 juillet 13
![Page 54: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/54.jpg)
A
PrivKeAa,vΠ
1n
213jeudi 18 juillet 13
![Page 55: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/55.jpg)
A
PrivKeAa,vΠ
m0, m1 ∈ M
1n
213jeudi 18 juillet 13
![Page 56: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/56.jpg)
A
PrivKeAa,vΠ
m0, m1 ∈ Mk ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 57: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/57.jpg)
A
PrivKeAa,vΠ
m0, m1 ∈ Mb ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 58: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/58.jpg)
A
PrivKeAa,vΠ
m0, m1 ∈ M
c ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 59: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/59.jpg)
A
PrivKeAa,vΠ
m0, m1 ∈ M
cc ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 60: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/60.jpg)
A
b
PrivKeAa,vΠ
m0, m1 ∈ M
cc ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 61: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/61.jpg)
A
b b′
PrivKeAa,vΠ
m0, m1 ∈ M
cc ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 62: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/62.jpg)
A
Pr[ b = b′ ]≤ ½ + negl(n)b b′
PrivKeAa,vΠ
m0, m1 ∈ M
cc ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 63: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/63.jpg)
A
Pr[ b = b′ ]≤ ½ + negl(n)
computationally secretb b′
PrivKeAa,vΠ
m0, m1 ∈ M
cc ← Enck(mb)b ← { 0, 1 }k ← Gen(1n)
1n
213jeudi 18 juillet 13
![Page 64: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/64.jpg)
PrivKeAa,vΠ(n)
1. The adversary A is given input 1n, and outputs a pair of messages m0 , m1 of the same length.
2. A key k is generated by running Gen(1n), and a random bit b ← {0,1} is chosen. A (challenge) ciphertext c ← Enck(mb) is computed and given to A.
3. A outputs a bit b′.
4. The output of the experiment is defined to be 1if b′ = b, and 0 otherwise. (If PrivKe
Aa,vΠ(n) = 1, we say that A succeeded.)
214jeudi 18 juillet 13
![Page 65: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/65.jpg)
PrivKeAa,vΠ(n)
If Π is a fixed-length scheme for messages of length ℓ(n), the previous experiment is modified
by requiring m0, m1 ∈ {0,1} ℓ(n).
215jeudi 18 juillet 13
![Page 66: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/66.jpg)
Defining Computationally-Secure Encryption
DEFINITION 3.8 A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversaries A there exists a negligible function negl such that
Pr[ PrivKeAa,vΠ(n) = 1 ] ≤ ½ + negl(n),
where the probability is taken over the random coins used by A, as well as the random coins used in the experiment (for choosing the key, the random bit b, and any random coins used in the encryption process).
216jeudi 18 juillet 13
![Page 67: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/67.jpg)
3.2.2* Properties of the Definition
DEFINITION 3.12 A private-key encryption scheme(Gen, Enc, Dec) is semantically secure in the presence of an eavesdropper if for every PPT algorithm A there exists a PPT algorithm A′ such that for all efficiently-sampleable distributions X = (X1,...) and all polynomial-time computable functions f and h, there exists a negligible function negl s.t.
| Pr[ A(1n, Enck(m), h(m)) = f(m) ] − Pr[ A′(1n, h(m)) = f(m) ] | ≤ negl(n),
where m is chosen according to distribution Xn , and the probabilities are taken over the choice of m and the key k, and any random coins used by A, A′, and the encryption process.
217jeudi 18 juillet 13
![Page 68: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/68.jpg)
A
218jeudi 18 juillet 13
![Page 69: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/69.jpg)
A
1n
218jeudi 18 juillet 13
![Page 70: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/70.jpg)
A
k ← Gen(1n) 1n
218jeudi 18 juillet 13
![Page 71: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/71.jpg)
Ac ← Enck(m)
k ← Gen(1n) 1n
218jeudi 18 juillet 13
![Page 72: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/72.jpg)
Ac ← Enck(m)
k ← Gen(1n) 1n
h(m)
218jeudi 18 juillet 13
![Page 73: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/73.jpg)
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
218jeudi 18 juillet 13
![Page 74: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/74.jpg)
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
218jeudi 18 juillet 13
![Page 75: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/75.jpg)
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
218jeudi 18 juillet 13
![Page 76: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/76.jpg)
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
A′
218jeudi 18 juillet 13
![Page 77: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/77.jpg)
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
1n
A′
218jeudi 18 juillet 13
![Page 78: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/78.jpg)
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
1n
h(m)
A′
218jeudi 18 juillet 13
![Page 79: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/79.jpg)
z′
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
1n
h(m)
A′
218jeudi 18 juillet 13
![Page 80: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/80.jpg)
z′
z
Acc ← Enck(m)
k ← Gen(1n) 1n
h(m)
1n
h(m)
A′
| Pr[z = f(m)] − Pr[z′ = f(m)] | ≤ negl(n),
218jeudi 18 juillet 13
![Page 81: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/81.jpg)
Semantic SecurityTHEOREM 3.13 A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper
if and only if
it is semantically secure in the presence of an eavesdropper.
Shafi Goldwasser Silvio Micali219jeudi 18 juillet 13
![Page 82: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/82.jpg)
)220jeudi 18 juillet 13
![Page 83: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/83.jpg)
Post-Quantum Cryptography
Finite Fields based cryptography
Codes
Multi-variate Polynomials
Integers based cryptography
Approximate Integer GCD
Lattices
221jeudi 18 juillet 13
![Page 84: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/84.jpg)
b2
x
0
3b1+2b2
b1
Lattice based cryptography
§
222jeudi 18 juillet 13
![Page 85: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/85.jpg)
Lattices
Given n-linearly independent vectors b1,...,bn∈ℝn, the lattice they generate is the set of vectors
𝓛(b1,...,bn) = ∑in=1 xibi :xi∈ℤ.
The vectors b1,...,bn are known as a basis of the lattice.
223jeudi 18 juillet 13
![Page 86: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/86.jpg)
b2
x
0
Lattices
3b1+2b2
b1
224jeudi 18 juillet 13
![Page 87: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/87.jpg)
Integer Lattices
Given n-linearly independent vectors b1,...,bn∈ℤn, the lattice they generate is the set of vectors
𝓛(b1,...,bn) = ∑in=1 xibi :xi∈ℤ.
The vectors b1,...,bn are known as a basis of the lattice.
225jeudi 18 juillet 13
![Page 88: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/88.jpg)
0
x
b1+b2
Lattices
b2b1
226jeudi 18 juillet 13
![Page 89: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/89.jpg)
Closest Vector Problem
Given a basis b1,...,bn∈ℝn, and a vector t∈ℝn find the closest vector in the lattice 𝓛(b1,...,bn)
(x1,...,xn)∈ℤn : d(t, ∑in=1 xibi) is minimal.
d(u,v) is Euclidean distance
√∑in=1 (ui-vi)2
227jeudi 18 juillet 13
![Page 90: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/90.jpg)
0
CVP
b2b1
t
Analoguous to correcting errors in codes228jeudi 18 juillet 13
![Page 91: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/91.jpg)
0
CVP
b2b1
t
Analoguous to correcting errors in codes229jeudi 18 juillet 13
![Page 92: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/92.jpg)
Shortest Vector Problem
Given a basis b1,...,bn∈ℝn find the shortest vector in the lattice 𝓛(b1,...,bn)
(x1,...,xn)∈ℤn\0 : d(0, ∑in=1 xibi) is minimal.
d(u,v) is Euclidean distance
√∑in=1 (ui-vi)2
230jeudi 18 juillet 13
![Page 93: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/93.jpg)
0
SVP
b1shortest
shortest
Analoguous to finding min distance in code
b2
231jeudi 18 juillet 13
![Page 94: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/94.jpg)
GGH
232jeudi 18 juillet 13
![Page 95: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/95.jpg)
GGHThe GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem
232jeudi 18 juillet 13
![Page 96: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/96.jpg)
GGHThe GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem
The private key is a “good” lattice basis B.
232jeudi 18 juillet 13
![Page 97: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/97.jpg)
GGHThe GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem
The private key is a “good” lattice basis B.
Typically, a good basis consists of short, almost orthogonal vectors.
232jeudi 18 juillet 13
![Page 98: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/98.jpg)
GGHThe GGH cryptosystem, proposed by Goldreich, Goldwasser, and Halevi is essentially a lattice analogue of the McEliece/Niederreiter cryptosystem
The private key is a “good” lattice basis B.
Typically, a good basis consists of short, almost orthogonal vectors.
Algorithmically, good bases allow to efficiently solve certain instances of the closest vector problem in 𝓛(B), e.g., instances where the target is very close to the lattice.
232jeudi 18 juillet 13
![Page 99: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/99.jpg)
GGH/HNF
233jeudi 18 juillet 13
![Page 100: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/100.jpg)
GGH/HNF
The public key H is a “bad” basis for the same lattice 𝓛(H) = 𝓛(B).
233jeudi 18 juillet 13
![Page 101: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/101.jpg)
GGH/HNF
The public key H is a “bad” basis for the same lattice 𝓛(H) = 𝓛(B).
Micciancio proposed to use the Hermite Normal Form (HNF) of B. This normal form gives a lower triangular basis for 𝓛(B).
233jeudi 18 juillet 13
![Page 102: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/102.jpg)
GGH/HNF
The public key H is a “bad” basis for the same lattice 𝓛(H) = 𝓛(B).
Micciancio proposed to use the Hermite Normal Form (HNF) of B. This normal form gives a lower triangular basis for 𝓛(B).
Notice that any attack on the HNF public key can be easily adapted to work with any other basis B′ of
𝓛(B) by first computing H from B′.
233jeudi 18 juillet 13
![Page 103: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/103.jpg)
GGH/HNF
234jeudi 18 juillet 13
![Page 104: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/104.jpg)
GGH/HNFThe encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v.
234jeudi 18 juillet 13
![Page 105: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/105.jpg)
GGH/HNFThe encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v.
It was proposed to select the vector v such that all the coordinates of (r + v) are reduced modulo the corresponding element along the diagonal of the HNF public basis H.
234jeudi 18 juillet 13
![Page 106: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/106.jpg)
GGH/HNFThe encryption process consists of adding a short noise vector r (somehow encoding the message to be encrypted) to a properly chosen lattice point v.
It was proposed to select the vector v such that all the coordinates of (r + v) are reduced modulo the corresponding element along the diagonal of the HNF public basis H.
The resulting vector is denoted r mod H, and it provably makes cryptanalysis hardest because r mod H can be efficiently computed from any vector of the form (r + v) with v∈𝓛(B).
234jeudi 18 juillet 13
![Page 107: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/107.jpg)
GGH/HNF
235jeudi 18 juillet 13
![Page 108: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/108.jpg)
GGH/HNFThe decryption problem corresponds to finding the lattice point v closest to the target ciphertext c = (r mod H) = v+r, and the error vector r = c−v.
235jeudi 18 juillet 13
![Page 109: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/109.jpg)
GGH/HNFThe decryption problem corresponds to finding the lattice point v closest to the target ciphertext c = (r mod H) = v+r, and the error vector r = c−v.
The correctness of the GGH/HNF cryptosystem rests on the fact that the error vector r is short enough so that the lattice point v can be recovered from the ciphertext v+r using the private basis B, e.g., by using Babai’s rounding procedure, which gives v = B[B−1(v + r)]
where [x] stands for the nearest integer to x
235jeudi 18 juillet 13
![Page 110: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/110.jpg)
236jeudi 18 juillet 13
![Page 111: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/111.jpg)
q-ary Lattices
Given n-linearly independent vectors b1,...,bn∈ℤn, the q-ary lattice they generate is the set of vectors
𝓛(b1,...,bn,q1,...,qn) = ∑in=1 xibi mod q:xi∈ℤ
where each vector qi is of the form (0,...,0,q,0,...,0)
237jeudi 18 juillet 13
![Page 112: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/112.jpg)
b2
x
0
q-ary Lattices
3b1+2b2
b1
mod q
238jeudi 18 juillet 13
![Page 113: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/113.jpg)
q-ary Lattices
239jeudi 18 juillet 13
![Page 114: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/114.jpg)
q-ary Lattices
Structure very similar to linear codes
239jeudi 18 juillet 13
![Page 115: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/115.jpg)
q-ary Lattices
Structure very similar to linear codes
We define two types of q-ary lattices from a matrix A∈ℤqnxm
Λq(A)={y∈ℤqm : y = ATs mod q, s∈ℤqn}
Λ⟂q(A)={y∈ℤqm : Ay = 0 mod q}
239jeudi 18 juillet 13
![Page 116: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/116.jpg)
Learning With Errors
LWE uses a discrete normal
distribution -Ψ-α with mean 0 and
standard deviation qα/√2π defined as
[ Ψα ] mod q
240jeudi 18 juillet 13
![Page 117: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/117.jpg)
-q/2
Learning With Errors
+q/2
LWE uses a discrete normal
distribution -Ψ-α with mean 0 and
standard deviation qα/√2π defined as
[ Ψα ] mod q
241jeudi 18 juillet 13
![Page 118: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/118.jpg)
Learning With ErrorsA generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 119: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/119.jpg)
Learning With Errors
LWE is parametrized by n and q=poly(n)
A generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 120: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/120.jpg)
Learning With Errors
LWE is parametrized by n and q=poly(n)
A: ℤqmxn, a uniform public matrix
A generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 121: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/121.jpg)
Learning With Errors
LWE is parametrized by n and q=poly(n)
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
A generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 122: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/122.jpg)
Learning With Errors
LWE is parametrized by n and q=poly(n)
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
E: ℤqm, a secret vector where each entry has
distribution -Ψ-α with α s.t. αq≈√n
(reductions & there is an exp((αq)2)-time attack)
A generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 123: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/123.jpg)
Learning With Errors
LWE is parametrized by n and q=poly(n)
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
E: ℤqm, a secret vector where each entry has
distribution -Ψ-α with α s.t. αq≈√n
(reductions & there is an exp((αq)2)-time attack)
(search-)LWE: Given A and P=AS+E find S.
A generalization of Learning Paritywith Noise where q=2 and Bernouilli errors.
242jeudi 18 juillet 13
![Page 124: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/124.jpg)
Learning With Errors
243jeudi 18 juillet 13
![Page 125: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/125.jpg)
Learning With Errors
Decision-LWE is made of
243jeudi 18 juillet 13
![Page 126: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/126.jpg)
Learning With Errors
Decision-LWE is made of
A: ℤqmxn, a uniform public matrix
243jeudi 18 juillet 13
![Page 127: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/127.jpg)
Learning With Errors
Decision-LWE is made of
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
243jeudi 18 juillet 13
![Page 128: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/128.jpg)
Learning With Errors
Decision-LWE is made of
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
E: ℤqm, a secret vector where each entry has
distribution -Ψ-α.
243jeudi 18 juillet 13
![Page 129: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/129.jpg)
Learning With Errors
Decision-LWE is made of
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
E: ℤqm, a secret vector where each entry has
distribution -Ψ-α.
Decision LWE : Given either A and P=AS+E or A,P for unfiorm P, identify which is the case.
243jeudi 18 juillet 13
![Page 130: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/130.jpg)
Learning With Errors
Decision-LWE is made of
A: ℤqmxn, a uniform public matrix
S: ℤqn, a uniform secret (trapdoor) vector
E: ℤqm, a secret vector where each entry has
distribution -Ψ-α.
Decision LWE : Given either A and P=AS+E or A,P for unfiorm P, identify which is the case.
Equivalent to the search problem.
243jeudi 18 juillet 13
![Page 131: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/131.jpg)
LWE hardness
GapSVPSIVP
≤ search-LWE ≤ decision-LWE ≤ crypto
244jeudi 18 juillet 13
![Page 132: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/132.jpg)
LWE hardness
GapSVPSIVP
≤ search-LWE ≤ decision-LWE ≤ crypto
Quantum!!!
244jeudi 18 juillet 13
![Page 133: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/133.jpg)
LWE based cryptography
245jeudi 18 juillet 13
![Page 134: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/134.jpg)
LWE based cryptography
Private key: S: ℤqn, E: ℤqm sampled using -Ψ-α
245jeudi 18 juillet 13
![Page 135: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/135.jpg)
LWE based cryptography
Private key: S: ℤqn, E: ℤqm sampled using -Ψ-α
Public Key: A: ℤqmxn, P=AS+E
245jeudi 18 juillet 13
![Page 136: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/136.jpg)
LWE based cryptography
Private key: S: ℤqn, E: ℤqm sampled using -Ψ-α
Public Key: A: ℤqmxn, P=AS+E
Input message: b: {0,1}
245jeudi 18 juillet 13
![Page 137: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/137.jpg)
LWE based cryptography
Private key: S: ℤqn, E: ℤqm sampled using -Ψ-α
Public Key: A: ℤqmxn, P=AS+E
Input message: b: {0,1}
EncAP(v) := (ATa,PTa+bq/2) where a: {0,1}m
245jeudi 18 juillet 13
![Page 138: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/138.jpg)
LWE based cryptography
Private key: S: ℤqn, E: ℤqm sampled using -Ψ-α
Public Key: A: ℤqmxn, P=AS+E
Input message: b: {0,1}
EncAP(v) := (ATa,PTa+bq/2) where a: {0,1}m
DecS(u,c) := 1 (0) iff c-STu is closer to q/2 (0) c-STu = PTa+bq/2-STATa = PTa+bq/2-PTa+Ea = bq/2+Ea
245jeudi 18 juillet 13
![Page 139: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/139.jpg)
LWE based cryptography
246jeudi 18 juillet 13
![Page 140: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/140.jpg)
LWE based cryptography
In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen
uniformly at random from ℤqmxn × ℤqm implies a solution to the
LWE problem with parameters n,m,q,-Ψ-α.
246jeudi 18 juillet 13
![Page 141: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/141.jpg)
LWE based cryptography
In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen
uniformly at random from ℤqmxn × ℤqm implies a solution to the
LWE problem with parameters n,m,q,-Ψ-α.
The second part consists of showing that if one tries to encrypt with a public key (A,P) chosen at random, then with very high probability, the result carries essentially no statistical information about the encrypted message. (m > n log q)
246jeudi 18 juillet 13
![Page 142: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/142.jpg)
LWE based cryptography
In the first part, one shows that distinguishing between public keys (A,P) as generated by the cryptosystem and pairs chosen
uniformly at random from ℤqmxn × ℤqm implies a solution to the
LWE problem with parameters n,m,q,-Ψ-α.
The second part consists of showing that if one tries to encrypt with a public key (A,P) chosen at random, then with very high probability, the result carries essentially no statistical information about the encrypted message. (m > n log q)
Together, these two parts establish the security of the cryptosystem (under chosen plaintext attacks).
246jeudi 18 juillet 13
![Page 143: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/143.jpg)
LWE-2 based cryptography
247jeudi 18 juillet 13
![Page 144: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/144.jpg)
LWE-2 based cryptography
Private key: S,E: ℤqn both sampled using -Ψ-α,
247jeudi 18 juillet 13
![Page 145: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/145.jpg)
LWE-2 based cryptography
Private key: S,E: ℤqn both sampled using -Ψ-α,
Public Key: A: ℤqnxn, P=AS+E
247jeudi 18 juillet 13
![Page 146: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/146.jpg)
LWE-2 based cryptography
Private key: S,E: ℤqn both sampled using -Ψ-α,
Public Key: A: ℤqnxn, P=AS+E
Input message: b: {0,1}
247jeudi 18 juillet 13
![Page 147: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/147.jpg)
LWE-2 based cryptography
Private key: S,E: ℤqn both sampled using -Ψ-α,
Public Key: A: ℤqnxn, P=AS+E
Input message: b: {0,1}
EncAP(v) := (ATa+x,PTa+bq/2+E’), a,x,E’: ℤqn using -Ψ-α
247jeudi 18 juillet 13
![Page 148: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/148.jpg)
LWE-2 based cryptography
Private key: S,E: ℤqn both sampled using -Ψ-α,
Public Key: A: ℤqnxn, P=AS+E
Input message: b: {0,1}
EncAP(v) := (ATa+x,PTa+bq/2+E’), a,x,E’: ℤqn using -Ψ-α
DecS(u,c) := 1 (0) iff c-STu is closer to q/2 (0) c-STu = PTa+bq/2+E’-STATa-STx = PTa+bq/2+E’-PTa+Ea-STx = bq/2+Ea+E’-STx
247jeudi 18 juillet 13
![Page 149: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/149.jpg)
LWE based cryptography
©Peikert
feb 2012
2004 2005 2006 2007 2008 2009 2010 2011 20120
1
2
3
4
5
6
8
7
248jeudi 18 juillet 13
![Page 150: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/150.jpg)
Lattice based cryptography
§
249jeudi 18 juillet 13
![Page 151: Post-Quantum Cryptography #4 - University of Waterloo€¦ · jeudi 18 juillet 13 206. 4 Equivalent Formulations DEFINITION 2.4 An encryption scheme Π = (Gen, Enc, Dec) over a message](https://reader031.vdocument.in/reader031/viewer/2022011922/604963d0502c3f032644782b/html5/thumbnails/151.jpg)
Post-Quantum Cryptography
Prof. Claude CrépeauMcGill University
http://crypto.cs.mcgill.ca/~crepeau/WATERLOO
250jeudi 18 juillet 13