Today, at 18:30, Kathrin Hövelmanns (Chair for Cryptography) will give an online talk on CCA encryption in the QROM at the workshop “Lattices: From Theory to Practice” at the Simons Institute, Berkeley. She will survey what is known about how directly active security can be derived from weaker building blocks, assuming quantum attackers.
The event is held as a Zoom webinar and is accessible via https://simons.berkeley.edu/workshops/lattices-2020-3
Title: CCA encryption in the QROM
Abstract: In the context of the NIST competition, the last three years have seen a lot of research invested in the construction of public-key primitives that remain actively secure even in the presence of quantum adversaries. All current NIST proposals follow the approach of achieving active security by first constructing a weaker primitive, and then applying a variant of the Fujisaki-Okamoto transformation.
The Fujisaki-Okamoto transformation and its variants turn any scheme with a weak security level into a scheme with the desired active security level, in a generic way. All of its variants, however, are constructed relative to hash functions, and quantum attackers might interact with these hash functions in a more sophisticated way than classical attackers would be capable of. This possibility is reflected in the security bounds that have been proven for quantum adversaries: They are less tight than in the classical setting.
In this context, tight bounds mean that the derived scheme is as secure as the underlying building block, whereas less tight results relate the derived scheme's security to the weaker building block in a less immediate manner. To still achieve a sufficient level of security for the derived scheme, the underlying primitive's level of security would have to be scaled up, leading to less efficient schemes. Gradual progress towards tighter security bounds has been made in recent years, but it comes at the price of additional restrictions for the weaker building block.