Abstract

Since hash proof systems (HPS) can be used to build a wide variety of cryptographic schemes, realizing this primitive has been a very active research area. Growing concern about progress in quantum computing urges cryptographers to explore quantum-resistant HPS constructions, such as ones relying on lattice-based assumptions. However, most lattice-based HPS proposals are relatively inefficient (e.g., they output only a single key bit), even though lattice-based schemes enjoy many advantageous features: worst-case to average-case reductions, resistance so far to quantum algorithms, and good asymptotic efficiency. Efficient HPS schemes based on lattice problems are therefore in high demand. Through a comprehensive analysis, we found that some lattice-based HPS schemes can be rephrased as corresponding key encapsulation mechanisms (KEMs), which generally rely on various reconciliation mechanisms and directly imply key exchange protocols under lattice-based assumptions. In this paper, inspired by a novel reconciliation mechanism based on the learning with errors (LWE) problem, we first adapt this LWE-based reconciliation mechanism to an arbitrary modulus. Using this improved reconciliation mechanism, we then propose an efficient LWE-based HPS scheme that generates multiple encapsulated key bits and performs better in both computation and storage costs than related results. Moreover, our lattice-based HPS scheme can be extended to identity-based and updatable settings, demonstrating its diverse applications.
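To make the KEM view of a lattice-based HPS concrete, the following Python program is an added example, not the paper's construction and not code from its authors: it implements a standard LWE-style reconciliation (Peikert's cross-rounding, with his randomized doubling to handle an odd modulus) over a vector of key material, so that each coordinate yields one key bit. The input values and error ranges are constructed for the simulation; function names, the `max_safe_error` bound, and the exact mechanism are this example's own assumptions rather than anything stated on the page.

```python
"""
Added example (not the paper's construction): Peikert-style cross-rounding
reconciliation over Z_q, extended to odd q with the randomized-doubling trick.
Two parties hold v and w = v + e (|e| small); one publishes a single
reconciliation bit per coordinate, and both derive the same key bit per
coordinate, so an n-coordinate key material vector yields n key bits.
"""
import random


def round_bit(v, q):
    """Key bit: 1 iff v lies in [q/4, 3q/4), evaluated in integers as q <= 4v < 3q."""
    v %= q
    return 1 if q <= 4 * v < 3 * q else 0


def cross_bit(v, q):
    """Reconciliation bit floor(4v/q) mod 2 (parity of the quarter-turn v lies in)."""
    return ((4 * (v % q)) // q) & 1


def rec(w, b, q):
    """Recover round_bit(v) from w close to v and b = cross_bit(v).

    Given b, v lies in one of two quarter-intervals half a turn apart; pick the
    one whose centre is cyclically closest to w.  Centres are odd multiples of
    q/8, so everything is scaled by 8 to stay in integer arithmetic.
    """
    # (8 * centre, key bit) for the two intervals consistent with b
    candidates = [(q, 0), (5 * q, 1)] if b == 0 else [(3 * q, 1), (7 * q, 0)]
    w8 = 8 * (w % q)

    def cyc_dist(a, c):
        d = abs(a - c) % (8 * q)
        return min(d, 8 * q - d)

    return min(candidates, key=lambda t: cyc_dist(w8, t[0]))[1]


def dbl(v, q, rng):
    """Randomized doubling Z_q -> Z_{2q} with ebar in {-1,0,1} w.p. 1/4,1/2,1/4.

    For odd q the quarters of Z_q are unequal in size and the key bit would be
    biased; doubling into the even modulus 2q restores an unbiased key bit.
    """
    ebar = rng.choice([-1, 0, 0, 1])
    return (2 * v - ebar) % (2 * q)


def encapsulate(v, q, rng):
    """Holder of v: return (reconciliation bit to publish, key bit to keep)."""
    if q % 2 == 1:                      # odd modulus: move to Z_{2q} first
        v, q = dbl(v, q, rng), 2 * q
    return cross_bit(v, q), round_bit(v, q)


def decapsulate(w, b, q):
    """Holder of w close to v: recover the key bit from the published bit b."""
    if q % 2 == 1:
        w, q = 2 * w, 2 * q
    return rec(w, b, q)


def max_safe_error(q):
    """Largest |e| for which rec is guaranteed correct: |e| < q/8 for even q,
    |e| < q/8 - 1/2 after doubling for odd q; q//8 - 1 satisfies both."""
    return q // 8 - 1


def reconcile(vs, ws, q, rng):
    """Multi-bit reconciliation over coordinate vectors; returns (key_a, key_b)."""
    pairs = [encapsulate(v, q, rng) for v in vs]
    recon_bits = [b for b, _ in pairs]          # the only data sent over the wire
    key_a = [k for _, k in pairs]
    key_b = [decapsulate(w, b, q) for w, b in zip(ws, recon_bits)]
    return key_a, key_b


def simulate(q, n, max_err, seed=0):
    """Constructed test data: uniform v, w = v + e with |e| <= max_err.
    Returns the number of coordinates on which the two parties disagree."""
    rng = random.Random(seed)
    vs = [rng.randrange(q) for _ in range(n)]
    ws = [(v + rng.randint(-max_err, max_err)) % q for v in vs]
    key_a, key_b = reconcile(vs, ws, q, rng)
    return sum(a != b for a, b in zip(key_a, key_b))


def key_counts_given_cross(q):
    """For even q, enumerate Z_q and count (cross bit, key bit) pairs.  Equal
    counts for key 0 and key 1 under each cross bit means the published bit
    reveals nothing about the key bit."""
    counts = {(b, k): 0 for b in (0, 1) for k in (0, 1)}
    for v in range(q):
        counts[(cross_bit(v, q), round_bit(v, q))] += 1
    return counts


if __name__ == "__main__":
    for q in (4096, 3329, 12289):
        print(q, "mismatches:", simulate(q, 256, max_safe_error(q)))
    print(key_counts_given_cross(64))
```

The two checks worth running are the ones the abstract's concerns correspond to: agreement of both parties on every key bit while the error stays below the bound (correctness), and equal key-bit counts under each published reconciliation bit (the public bit does not bias the key). An error of q/2 shows the failure mode: the recovered bit is systematically wrong, which is why the error distribution of the underlying LWE instance has to be matched to the modulus.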

Highlights

  • The notion of hash proof system (HPS) was first proposed by Cramer and Shoup [1] in order to achieve indistinguishability against chosen-ciphertext attacks (IND-CCA) security from indistinguishability against chosen-plaintext attacks (IND-CPA) encryption schemes

  • Inspired by an efficient learning with errors (LWE)-based HPS scheme in [14], we found that the rationale behind this scheme is very similar to the LWE-based version of the reconciliation mechanism proposed in [26], but it outputs a single key bit from each entry of the key material matrix

  • Two extensions, IB-HPS and UHPS: based on the improved HPS in Section IV, we further extend it to the identity-based setting and make it updatable so as to be secure against continual leakage, i.e., identity-based HPS (IB-HPS) and updatable HPS (UHPS)


Summary

INTRODUCTION

The notion of hash proof system (HPS) was first proposed by Cramer and Shoup [1] in order to achieve indistinguishability against chosen-ciphertext attacks (IND-CCA) security from indistinguishability against chosen-plaintext attacks (IND-CPA) encryption schemes. The prover only needs to send a single one-way message to the verifier to complete the proof. Due to this special property, HPS has been widely used to develop other cryptographic schemes, such as password-based authenticated key exchange [2], oblivious transfer [3], extractable commitment [4], lossy trapdoor functions [5], leakage-resilient public-key encryption [6], privacy-preserving interactive protocols [7], and cryptographic reverse firewalls [8]. Afterwards, Benhamouda et al. presented the first word-independent (i.e., the projection key does not depend on the ciphertext) HPS scheme [15] in the standard lattice setting, and showed how to amplify the approximate correctness into a statistical one. These three proposals each output only a single key bit.

PRELIMINARIES
HASH PROOF SYSTEM
SOME RELATED LEMMAS
SKETCH OF SECURITY PROOF
CORRECTNESS OF THE SCHEME
LWE-BASED SMOOTH HASH PROOF SYSTEM
IB-HPS
UPDATABLE HPS
CONCLUSION