Abstract
Hofheinz et al. (TCC 2017) proposed several key encapsulation mechanism (KEM) variants of Fujisaki-Okamoto (FO) transformation, including and \(\textsf {QFO}_m^\bot \), and they are widely used in the post-quantum cryptography standardization launched by NIST. These transformations are divided into two types, the implicit and explicit rejection type, including and \(\{\textsf {FO}^{\bot }\), \(\textsf {FO}_m^\bot \), \(\textsf {QFO}_m^\bot \}\), respectively. The decapsulation algorithm of the implicit (resp. explicit) rejection type returns a pseudorandom value (resp. an abort symbol \(\bot \)) for an invalid ciphertext.
For the implicit rejection type, the IND-CCA security reduction of in the quantum random oracle model (QROM) can avoid the quadratic security loss, as shown by Kuchta et al. (EUROCRYPT 2020). However, for the explicit rejection type, the best known IND-CCA security reduction in the QROM presented by Hövelmanns et al. (ASIACRYPT 2022) for \(\textsf {FO}_m^\bot \) still suffers from a quadratic security loss. Moreover, it is not clear until now whether the implicit rejection type is more secure than the explicit rejection type.
In this paper, a QROM security reduction of \(\textsf {FO}_m^\bot \) without incurring a quadratic security loss is provided. Furthermore, our reduction achieves IND-qCCA security, which is stronger than the IND-CCA security. To achieve our result, two steps are taken: The first step is to prove that the IND-qCCA security of \(\textsf {FO}_m^\bot \) can be tightly reduced to the IND-CPA security of \(\textsf {FO}_m^\bot \) by using the online extraction technique proposed by Don et al. (EUROCRYPT 2022). The second step is to prove that the IND-CPA security of \(\textsf {FO}_m^\bot \) can be reduced to the IND-CPA security of the underlying public key encryption (PKE) scheme without incurring quadratic security loss by using the Measure-Rewind-Measure One-Way to Hiding Lemma (EUROCRYPT 2020).
In addition, we prove that (at least from a theoretical point of view) security is independent of whether the rejection type is explicit (\(\textsf {FO}_m^\bot \)) or implicit () if the underlying PKE scheme is weakly \(\gamma \)-spread.
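As an added illustration (not code from the paper), the following Python sketch implements the two decapsulation flavours the abstract contrasts, built the way the \(\textsf {FO}_m\) transforms prescribe: the message is decrypted, re-encrypted with the coins G(m'), and the re-encryption is compared against the received ciphertext. On a failed check, \(\textsf {FO}_m^\bot \) returns \(\bot \), while the implicit-rejection variant returns H(s, c) for a secret seed s stored with the secret key. Everything below that is not in the paper is an assumption: the underlying PKE is textbook ElGamal over the 61-bit Mersenne prime with toy, insecure parameters (chosen only because it is a genuinely randomised PKE whose coins can be made explicit); G and H are modelled by SHA3-256 with domain separation; and decapsulation refuses inputs outside the ciphertext space, mirroring the convention of note 15.

```python
"""FO_m^bot (explicit rejection) vs FO_m^{not bot} (implicit rejection), worked out.

Added example for this page, not code from the paper. The PKE below is textbook
ElGamal over a 61-bit prime with TOY PARAMETERS (assumption; insecure): it is here
only so the derandomised re-encryption check has a real randomised PKE to check.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = (1 << 61) - 1          # Mersenne prime (toy modulus, far too small for real use)
G_BASE = 3                 # toy base element
MSG_LEN = 7                # 56-bit messages embed as integers 1..2^56 in Z_P^*
Ciphertext = Tuple[int, int]


def keygen(sk: Optional[int] = None) -> Tuple[int, int]:
    """Returns (pk, sk). A fixed sk may be passed for reproducible tests."""
    if sk is None:
        sk = secrets.randbelow(P - 2) + 1
    return pow(G_BASE, sk, P), sk


def pke_enc(pk: int, m: bytes, r: int) -> Ciphertext:
    """Randomised PKE encryption with the coins r made explicit (FO's T transform)."""
    m_int = int.from_bytes(m, "big") + 1            # +1 keeps the element non-zero
    return pow(G_BASE, r, P), (m_int * pow(pk, r, P)) % P


def pke_dec(sk: int, c: Ciphertext) -> Optional[bytes]:
    """Returns the message, or None on a PKE-level decryption failure."""
    c1, c2 = c
    m_int = (c2 * pow(c1, P - 1 - sk, P)) % P      # c1^{-sk} via Fermat's little theorem
    if m_int == 0 or m_int - 1 >= 1 << (8 * MSG_LEN):
        return None                                  # not the encoding of a MSG_LEN-byte m
    return (m_int - 1).to_bytes(MSG_LEN, "big")


def oracle_G(m: bytes) -> int:
    """Derandomisation oracle G: m -> coins in Z_{P-1}^* (modelled by SHA3 here)."""
    return int.from_bytes(hashlib.sha3_256(b"G" + m).digest(), "big") % (P - 2) + 1


def oracle_H(*parts: bytes) -> bytes:
    """Key-derivation oracle H; inputs are length-prefixed so that H(m) and
    H(s, c) can never coincide through concatenation."""
    h = hashlib.sha3_256(b"H")
    for x in parts:
        h.update(len(x).to_bytes(2, "big") + x)
    return h.digest()


def encode_ct(c: Ciphertext) -> bytes:
    return c[0].to_bytes(8, "big") + c[1].to_bytes(8, "big")


def check_ct_space(c: Ciphertext) -> None:
    """Decapsulation is only defined on C = Z_P^* x Z_P^*; anything else is not a query."""
    if not (0 < c[0] < P and 0 < c[1] < P):
        raise ValueError("ciphertext outside the ciphertext space C")


def encaps(pk: int, m: Optional[bytes] = None) -> Tuple[Ciphertext, bytes]:
    """FO_m encapsulation: m <- M, c = Enc(pk, m; G(m)), K = H(m). Same for both variants."""
    if m is None:
        m = secrets.token_bytes(MSG_LEN)
    return pke_enc(pk, m, oracle_G(m)), oracle_H(m)


def reencryption_check(pk: int, sk: int, c: Ciphertext) -> Optional[bytes]:
    """Shared core: m' = Dec(sk, c); accept only if Enc(pk, m'; G(m')) == c.
    The comparison is constant-time: a data-dependent early exit here is a
    known side channel against FO-based KEMs."""
    check_ct_space(c)
    m = pke_dec(sk, c)
    if m is None:
        return None
    c_re = pke_enc(pk, m, oracle_G(m))
    return m if hmac.compare_digest(encode_ct(c_re), encode_ct(c)) else None


def decaps_explicit(pk: int, sk: int, c: Ciphertext) -> Optional[bytes]:
    """FO_m^bot: an invalid ciphertext yields the abort symbol (None here)."""
    m = reencryption_check(pk, sk, c)
    return None if m is None else oracle_H(m)


def decaps_implicit(pk: int, sk: int, s: bytes, c: Ciphertext) -> bytes:
    """FO_m^{not bot}: an invalid ciphertext yields H(s, c), pseudorandom to anyone
    without the secret seed s (which is stored as part of the secret key)."""
    m = reencryption_check(pk, sk, c)
    return oracle_H(s, encode_ct(c)) if m is None else oracle_H(m)


def tamper(c: Ciphertext) -> Ciphertext:
    """Constructed invalid ciphertext: shift the second component, staying inside C."""
    return c[0], (c[1] + 1) % P or 1


if __name__ == "__main__":
    pk, sk = keygen()
    s = secrets.token_bytes(32)
    c, k = encaps(pk)
    print("valid c: both variants return K:", decaps_explicit(pk, sk, c) == k == decaps_implicit(pk, sk, s, c))
    print("invalid c, explicit ->", decaps_explicit(pk, sk, tamper(c)))
    print("invalid c, implicit ->", decaps_implicit(pk, sk, s, tamper(c)).hex())
```

Two practical points the code makes visible. First, the implicit-rejection key is a deterministic function of (s, c), so repeated queries on the same invalid ciphertext return the same 32-byte key, which is exactly what makes a rejected decapsulation look like a successful one to anyone who does not hold s. Second, both variants share the re-encryption check, so the security gap between them is entirely in what happens after that check fails; in deployed code the comparison itself must not leak which byte mismatched.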
Notes
- 1.
Indeed, in the IND-CCA security reduction of [15], Game \(\mathbf {G_1}\) records the decapsulation queries \(c_i\) \((i=1,\ldots , q_D)\) and, at its end, computes \(\textsf {eCO.E}(c_i)\) for each \(c_i\) via the extraction interface eCO.E. Recording the queries is possible in the IND-CCA security reduction because they are classical. In the IND-qCCA security reduction, however, the quantum no-cloning principle makes it infeasible to perfectly record the quantum decapsulation queries.
- 2.
If a PKE/KEM scheme is IND-qCCA-secure, it is also IND-CCA-secure, because classical decryption/decapsulation queries can be implemented by quantum decryption/decapsulation queries. That is why we say that IND-qCCA security is the stronger notion.
- 3.
For simplicity, we do not consider the case \(c=c^*\) here, where \(c^*\) is the challenge ciphertext.
- 4.
Actually, this theorem is a generalization of the compressed oracle O2H theorem (Theorem 10) in [7], since the quantum oracle algorithm in this theorem can also make database read queries.
- 5.
(Here we abbreviate as Z all other registers that may be entangled with the database register, e.g. the registers of the adversary.)
- 6.
Note that any IND-qCCA adversary against can be efficiently transformed to an IND-qCCA adversary against \(\textsf {FO}_m^{\bot }\).
- 7.
Unitary variants of quantum oracle algorithms are explained in Appendix A of [12].
- 8.
- 9.
In fact, Theorem 1 remains valid even if \(q_1>q\). We require \(q_1\le q\) here only because we have set the query upper bound of the compressed standard oracle to the constant value q.
- 10.
Here we embed the set \(\{0,1\}^m\cup \bot \) into the set \(\{0,1\}^{m+1}\) as explained in Appendix A of [12].
- 11.
- 12.
This is because we have set the query upper bound of the compressed standard oracle to the constant value q.
- 13.
Here we embed the set \(\{0,1\}^{n^\prime }\cup \bot \) (resp. \(\{0,1\}^{m}\cup \bot \)) into the set \(\{0,1\}^{n^\prime +1}\) (resp. \(\{0,1\}^{m+1}\)) as explained in Appendix A of [12].
- 14.
Here and in what follows, we follow [16] in adopting the convention that \(q_H\) and \(q_G\) count the total number of times H and G are queried in the security game, respectively.
- 15.
Note that the codomain of the function \(f_1\) is the union of \(\mathcal {C}\) and \(\bot \). However, we ignore extraction on the input \(\bot \) in \(\textsf {Ext}_{f_1}\), which deviates from its definition in Definition 2. That is to say, in our reduction we restrict the adversary \(\mathcal {A}\) from querying the decapsulation oracle on \(\bot \). This is reasonable since \(\bot \notin \mathcal {C}\).
- 16.
Here we embed the set \(\{0,1\}^{n^\prime }\cup \bot \) into the set \(\{0,1\}^{n^\prime +1}\) as explained in Appendix A of [12].
References
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: CCS ’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, 1993, pp. 62–73. ACM (1993). https://doi.org/10.1145/168588.168596
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21
Czajkowski, J., Majenz, C., Schaffner, C., Zur, S.: Quantum lazy sampling and game-playing proofs for quantum indifferentiability. Cryptology ePrint Archive, Paper 2019/428 (2019). https://eprint.iacr.org/2019/428
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Advances in Cryptology - EUROCRYPT 2022–41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30 - June 3, 2022, Proceedings, Part III, pp. 677–706. Springer (2022). https://doi.org/10.1007/978-3-031-07082-2_24
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2011). https://doi.org/10.1007/s00145-011-9114-1
Ge, J., Shan, T., Xue, R.: On the Fujisaki-Okamoto transform: from classical CCA security to quantum CCA security. Cryptology ePrint Archive, Paper 2023/792 (2023). https://eprint.iacr.org/2023/792
Ge, J., Shan, T., Xue, R.: Tighter QCCA-secure key encapsulation mechanism with explicit rejection in the quantum random oracle model. Cryptology ePrint Archive, Paper 2023/862 (2023). https://eprint.iacr.org/2023/862
Grubbs, P., Maram, V., Paterson, K.G.: Anonymous, robust post-quantum public key encryption. In: Advances in Cryptology - EUROCRYPT 2022–41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30 - June 3, 2022, Proceedings, Part III, pp. 402–432. Springer (2022). https://doi.org/10.1007/978-3-031-07082-2_15
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Theory of Cryptography Conference (TCC 2017), pp. 341–371. Springer (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Hövelmanns, K., Hülsing, A., Majenz, C.: Failing gracefully: Decryption failures and the Fujisaki-Okamoto transform. In: Advances in Cryptology - ASIACRYPT 2022–28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, December 5–9, 2022, Proceedings, Part IV, pp. 414–443. Springer (2022)
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Jiang, H., Zhang, Z., Ma, Z.: Key encapsulation mechanism with explicit rejection in the quantum random oracle model. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 618–645. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_21
Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
Jiang, H., Zhang, Z., Ma, Z.: On the non-tightness of measurement-based reductions for key encapsulation mechanism in the quantum random oracle model. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 487–517. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_17
Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA Security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
Liu, X., Wang, M.: QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 3–26. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_1
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information (10th Anniversary edition). Cambridge University Press (2016)
NIST: National Institute of Standards and Technology. Post-Quantum Cryptography project. https://csrc.nist.gov/projects/post-quantum-cryptography (2017)
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015). https://doi.org/10.1145/2817206
Xagawa, K., Yamakawa, T.: (Tightly) QCCA-Secure key-encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 249–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_14
Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgments
We thank the anonymous reviewers of CRYPTO 2023, and Shujiao Cao for their insightful comments and suggestions. This work is supported by National Natural Science Foundation of China (Grants No. 62172405).
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Ge, J., Shan, T., Xue, R. (2023). Tighter QCCA-Secure Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_10
DOI: https://doi.org/10.1007/978-3-031-38554-4_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38553-7
Online ISBN: 978-3-031-38554-4