
Tighter QCCA-Secure Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model

  • Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Abstract

Hofheinz et al. (TCC 2017) proposed several key encapsulation mechanism (KEM) variants of Fujisaki-Okamoto (FO) transformation, including and \(\textsf {QFO}_m^\bot \), and they are widely used in the post-quantum cryptography standardization launched by NIST. These transformations are divided into two types, the implicit and explicit rejection type, including and \(\{\textsf {FO}^{\bot }\), \(\textsf {FO}_m^\bot \), \(\textsf {QFO}_m^\bot \}\), respectively. The decapsulation algorithm of the implicit (resp. explicit) rejection type returns a pseudorandom value (resp. an abort symbol \(\bot \)) for an invalid ciphertext.

For the implicit rejection type, the IND-CCA security reduction of in the quantum random oracle model (QROM) can avoid the quadratic security loss, as shown by Kuchta et al. (EUROCRYPT 2020). However, for the explicit rejection type, the best known IND-CCA security reduction in the QROM presented by Hövelmanns et al. (ASIACRYPT 2022) for \(\textsf {FO}_m^\bot \) still suffers from a quadratic security loss. Moreover, it is not clear until now whether the implicit rejection type is more secure than the explicit rejection type.

In this paper, a QROM security reduction of \(\textsf {FO}_m^\bot \) without incurring a quadratic security loss is provided. Furthermore, our reduction achieves IND-qCCA security, which is stronger than the IND-CCA security. To achieve our result, two steps are taken: The first step is to prove that the IND-qCCA security of \(\textsf {FO}_m^\bot \) can be tightly reduced to the IND-CPA security of \(\textsf {FO}_m^\bot \) by using the online extraction technique proposed by Don et al. (EUROCRYPT 2022). The second step is to prove that the IND-CPA security of \(\textsf {FO}_m^\bot \) can be reduced to the IND-CPA security of the underlying public key encryption (PKE) scheme without incurring quadratic security loss by using the Measure-Rewind-Measure One-Way to Hiding Lemma (EUROCRYPT 2020).

In addition, we prove that (at least from a theoretic point of view), security is independent of whether the rejection type is explicit (\(\textsf {FO}_m^\bot \)) or implicit () if the underlying PKE scheme is weakly \(\gamma \)-spread.
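To make the two rejection types in the abstract concrete, here is an added example (not code from the paper) of the \(\textsf{FO}_m\) construction wrapped around a toy, insecure placeholder PKE: encapsulation derandomizes the PKE with coins \(G(m)\) and derives \(K = H(m)\); explicit rejection returns \(\bot\) (here `None`) when decryption fails or re-encryption does not reproduce the ciphertext, while implicit rejection returns the pseudorandom value \(H(s, c)\) for a secret seed \(s\) stored in the secret key. The PKE, the SHA-256 instantiation of the random oracles G and H, and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

M_LEN = 32  # message length in bytes (must be <= 32, the SHA-256 pad length)


# --- Placeholder PKE (NOT secure; pk reveals sk). It exists only so the
# transform has something to wrap. Enc takes its random coins r explicitly,
# which is what lets the FO transform derandomize it with r = G(m).
def pke_keygen() -> Tuple[bytes, bytes]:
    sk = os.urandom(32)
    pk = sk  # placeholder: a real PKE's public key would not contain sk
    return pk, sk


def pke_enc(pk: bytes, m: bytes, r: bytes) -> bytes:
    pad = hmac.new(pk, r, hashlib.sha256).digest()
    return r + bytes(a ^ b for a, b in zip(m, pad))


def pke_dec(sk: bytes, c: bytes) -> Optional[bytes]:
    if len(c) != 32 + M_LEN:
        return None  # the PKE itself rejects malformed input
    r, body = c[:32], c[32:]
    pad = hmac.new(sk, r, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))


# --- Random oracles G and H, instantiated with domain-separated SHA-256.
def G(m: bytes) -> bytes:
    return hashlib.sha256(b"G" + m).digest()


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"H" + b"".join(parts)).digest()


# --- The KEM. The secret key carries pk (for the re-encryption check) and a
# random seed s (used only by implicit rejection).
def kem_keygen() -> Tuple[bytes, Tuple[bytes, bytes, bytes]]:
    pk, sk = pke_keygen()
    s = os.urandom(32)
    return pk, (sk, pk, s)


def encaps(pk: bytes) -> Tuple[bytes, bytes]:
    m = os.urandom(M_LEN)
    c = pke_enc(pk, m, G(m))  # derandomized: coins are G(m)
    return c, H(m)            # K = H(m), the "_m" variant of the transform


def _reencrypts(pk: bytes, m: Optional[bytes], c: bytes) -> bool:
    # Validity check shared by both variants: the message must decrypt and
    # re-encrypting it with coins G(m) must reproduce c exactly.
    return m is not None and pke_enc(pk, m, G(m)) == c


def decaps_explicit(skem: Tuple[bytes, bytes, bytes], c: bytes) -> Optional[bytes]:
    # FO_m^bot: an invalid ciphertext yields the abort symbol (None here).
    sk, pk, _ = skem
    m = pke_dec(sk, c)
    return H(m) if _reencrypts(pk, m, c) else None


def decaps_implicit(skem: Tuple[bytes, bytes, bytes], c: bytes) -> bytes:
    # Implicit rejection: an invalid ciphertext yields H(s, c), which is
    # pseudorandom to the adversary but deterministic for a fixed c.
    sk, pk, s = skem
    m = pke_dec(sk, c)
    return H(m) if _reencrypts(pk, m, c) else H(s, c)


def run_demo() -> Dict[str, bool]:
    # Exercise both variants on a valid, a tampered, and a wrong-coins
    # ciphertext; all inputs are constructed locally.
    pk, skem = kem_keygen()
    c, k = encaps(pk)
    tampered = c[:-1] + bytes([c[-1] ^ 1])
    m = os.urandom(M_LEN)
    wrong_coins = pke_enc(pk, m, os.urandom(32))  # decrypts to m, fails re-encryption
    return {
        "valid_explicit_ok": decaps_explicit(skem, c) == k,
        "valid_implicit_ok": decaps_implicit(skem, c) == k,
        "tampered_explicit_is_bot": decaps_explicit(skem, tampered) is None,
        "tampered_implicit_pseudorandom": decaps_implicit(skem, tampered) not in (k, None),
        "wrong_coins_explicit_is_bot": decaps_explicit(skem, wrong_coins) is None,
        "wrong_coins_implicit_not_Hm": decaps_implicit(skem, wrong_coins) != H(m),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The wrong-coins case is the one the re-encryption check exists for: the ciphertext decrypts to a legitimate message, so only recomputing \(\textsf{Enc}(pk, m; G(m))\) and comparing reveals that it was not produced honestly, and the two variants differ only in what they hand back once that check fails.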


Notes

  1. Indeed, in the IND-CCA security reduction of [15], Game \(\mathbf {G_1}\) records the decapsulation queries \(c_i\) \((i=1,\ldots , q_D)\) and, at its end, computes \(\textsf {eCO.E}(c_i)\) for each \(c_i\) via the extraction interface eCO.E. This recording procedure is available in the IND-CCA security reduction. However, due to the quantum no-cloning principle, it is infeasible to perfectly record the quantum decapsulation queries in the IND-qCCA security reduction.

  2. If a PKE/KEM scheme is IND-qCCA-secure, it is also IND-CCA-secure, because classical decryption/decapsulation queries can be implemented by quantum decryption/decapsulation queries. That is why we say that IND-qCCA security is the stronger notion.

  3. For simplicity, we do not consider the case \(c=c^*\) here, where \(c^*\) is the challenge ciphertext.

  4. Actually, this theorem is a generalization of the compressed oracle O2H theorem (Theorem 10) in [7], since the quantum oracle algorithm in this theorem can also make database read queries.

  5. (Here we abbreviate other registers that may be entangled with the database register (e.g., registers of the adversary) as Z.)

  6. Note that any IND-qCCA adversary against can be efficiently transformed into an IND-qCCA adversary against \(\textsf {FO}_m^{\bot }\).

  7. Unitary variants of quantum oracle algorithms are explained in Appendix A of [12].

  8. The property that \(\textsf {CNOT} _{\textsf {YD} _q}^x\) acts trivially on any state \(|y, D\rangle \) with \(D(x)=\bot \), as defined in [9], is actually equivalent to the property "\(y\oplus \bot =y\)" defined in [28].

  9. In fact, Theorem 1 remains valid even if \(q_1>q\). We require \(q_1\le q\) here because we have set the query upper bound of the compressed standard oracle to a constant value q.

  10. Here we embed the set \(\{0,1\}^m\cup \bot \) into the set \(\{0,1\}^{m+1}\) as explained in Appendix A of [12].

  11. Although [9] defined an inefficient version of the extractable RO-simulator, the total runtime of the efficient version is given in Theorem 4.3 of [9].

  12. This is because we have set the query upper bound of the compressed standard oracle to a constant value q.

  13. Here we embed the set \(\{0,1\}^{n^\prime }\cup \bot \) (resp. \(\{0,1\}^{m}\cup \bot \)) into the set \(\{0,1\}^{n^\prime +1}\) (resp. \(\{0,1\}^{m+1}\)) as explained in Appendix A of [12].

  14. Here and in what follows, we follow [16] in adopting the convention that \(q_H\) and \(q_G\) count the total number of times H and G, respectively, are queried in the security game.

  15. Note that the codomain of the function \(f_1\) is the union of \(\mathcal {C}\) and \(\bot \). However, we ignore extraction on the input \(\bot \) in \(\textsf {Ext}_{f_1}\), which differs from its definition in Definition 2. That is to say, in our reduction we restrict the adversary \(\mathcal {A}\) from querying the decapsulation oracle with \(\bot \). This is reasonable since \(\bot \notin \mathcal {C}\).

  16. Here we embed the set \(\{0,1\}^{n^\prime }\cup \bot \) into the set \(\{0,1\}^{n^\prime +1}\) as explained in Appendix A of [12].

References

  1. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10

  2. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS '93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, 1993, pp. 62–73. ACM (1993). https://doi.org/10.1145/168588.168596

  3. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3

  4. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  5. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21

  6. Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21

  7. Czajkowski, J., Majenz, C., Schaffner, C., Zur, S.: Quantum lazy sampling and game-playing proofs for quantum indifferentiability. Cryptology ePrint Archive, Paper 2019/428 (2019). https://eprint.iacr.org/2019/428

  8. Dent, A.W.: A designer's guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12

  9. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: EUROCRYPT 2022, Trondheim, Norway, May 30 – June 3, 2022, Proceedings, Part III, pp. 677–706. Springer (2022). https://doi.org/10.1007/978-3-031-07082-2_24

  10. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1

  11. Ge, J., Shan, T., Xue, R.: On the Fujisaki-Okamoto transform: from classical CCA security to quantum CCA security. Cryptology ePrint Archive, Paper 2023/792 (2023). https://eprint.iacr.org/2023/792

  12. Ge, J., Shan, T., Xue, R.: Tighter QCCA-secure key encapsulation mechanism with explicit rejection in the quantum random oracle model. Cryptology ePrint Archive, Paper 2023/862 (2023). https://eprint.iacr.org/2023/862

  13. Grubbs, P., Maram, V., Paterson, K.G.: Anonymous, robust post-quantum public key encryption. In: EUROCRYPT 2022, Trondheim, Norway, May 30 – June 3, 2022, Proceedings, Part III, pp. 402–432. Springer (2022). https://doi.org/10.1007/978-3-031-07082-2_15

  14. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: TCC 2017, pp. 341–371. Springer (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  15. Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: decryption failures and the Fujisaki-Okamoto transform. In: ASIACRYPT 2022, Taipei, Taiwan, December 5–9, 2022, Proceedings, Part IV, pp. 414–443. Springer (2022)

  16. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4

  17. Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21

  18. Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13

  19. Jiang, H., Zhang, Z., Ma, Z.: On the non-tightness of measurement-based reductions for key encapsulation mechanism in the quantum random oracle model. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 487–517. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_17

  20. Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24

  21. Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1

  22. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information (10th Anniversary edition). Cambridge University Press (2016)

  23. NIST: Post-Quantum Cryptography project. https://csrc.nist.gov/projects/post-quantum-cryptography (2017)

  24. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17

  25. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015). https://doi.org/10.1145/2817206

  26. Xagawa, K., Yamakawa, T.: (Tightly) QCCA-secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14

  27. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44

  28. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9


Acknowledgments

We thank the anonymous reviewers of CRYPTO 2023 and Shujiao Cao for their insightful comments and suggestions. This work is supported by the National Natural Science Foundation of China (Grant No. 62172405).

Corresponding author

Correspondence to Rui Xue.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Ge, J., Shan, T., Xue, R. (2023). Tighter QCCA-Secure Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_10

  • DOI: https://doi.org/10.1007/978-3-031-38554-4_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38553-7

  • Online ISBN: 978-3-031-38554-4

  • eBook Packages: Computer Science (R0)
