15647

CCA encryption in the QROM I

APA

(2020). CCA encryption in the QROM I. The Simons Institute for the Theory of Computing. https://simons.berkeley.edu/talks/cca-encryption-qrom-i

MLA

CCA encryption in the QROM I. The Simons Institute for the Theory of Computing, Apr. 28, 2020, https://simons.berkeley.edu/talks/cca-encryption-qrom-i

BibTex

          @misc{ scivideos_15647,
            doi = {},
            url = {https://simons.berkeley.edu/talks/cca-encryption-qrom-i},
            author = {},
            keywords = {},
            language = {en},
            title = {CCA encryption in the QROM I},
            publisher = {The Simons Institute for the Theory of Computing},
            year = {2020},
            month = {apr},
            note = {15647 see, \url{https://scivideos.org/index.php/Simons-Institute/15647}}
          }
          
Kathrin Hövelmanns, RUB
Talk number15647
Source RepositorySimons Institute

Abstract

In the context of the NIST competition, the last three years have seen a lot of research to be invested in the construction of public-key primitives that remain actively secure even in the presence of quantum adversaries. All current NIST proposals follow the approach to achieve active security by first constructing a weaker primitive, and then applying a variant of the Fujisaki-Okamoto transformation. The Fujisaki-Okamoto transformation and its variants turns any scheme with a weak security level into a scheme with the desired active security level, in a generic way. All of its variants, however, are constructed relative to hash functions, and quantum attackers might interact with these hash functions in a more sophisticated way than classical attackers would be capable of. This possibility is reflected in the security bounds that have been proven for quantum adversaries: They are less tight than in the classical setting. In this context, tight bounds mean that the derived scheme is as secure as the underlying building block, whereas less tight results relate the derived scheme's security to the weaker building block in a less immediate manner. To still achieve a sufficent level of security for the derived scheme, the underlying primitive's level of security would have to be scaled up, leading to less efficient schemes. Gradual progress towards tighter security bounds has been made within the last years, but it comes at the price of additional restrictions for the weaker building block. This talk offers a survey of knowledge with regards to how directly active security can be derived from the weaker building block, when assuming attackers that are quantum.