IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited
Abstract
With the gradual progress of NIST’s post-quantum cryptography standardization, the Round-1 KEM proposals have been posted for the public to discuss and evaluate. Among the IND-CCA-secure KEM constructions, mostly, an IND-CPA-secure (or OW-CPA-secure) public-key encryption (PKE) scheme is first introduced, then some generic transformations are applied to it. All these generic transformations are constructed in the random oracle model (ROM). To fully assess the post-quantum security, security analysis in the quantum random oracle model (QROM) is preferred. However, current works either lacked a QROM security proof or just followed Targhi and Unruh’s proof technique (TCC-B 2016) and modified the original transformations by adding an additional hash to the ciphertext to achieve the QROM security.
In this paper, by using a novel proof technique, we present QROM security reductions for two widely used generic transformations without suffering any ciphertext overhead. Meanwhile, the security bounds are much tighter than the ones derived by utilizing Targhi and Unruh’s proof technique. Thus, our QROM security proofs not only provide a solid post-quantum security guarantee for NIST Round-1 KEM schemes, but also simplify the constructions and reduce the ciphertext sizes. We also provide QROM security reductions for the Hofheinz-Hövelmanns-Kiltz modular transformations (TCC 2017), which can help to obtain a variety of combined transformations with different requirements and properties.
Keywords
Quantum random oracle model; Key encapsulation mechanism; IND-CCA security; Generic transformation
1 Introduction
As a foundational cryptographic primitive, the key encapsulation mechanism (KEM) is efficient and versatile. It can be used to construct, in a black-box manner, PKE (the KEM-DEM paradigm [1]), key exchange and authenticated key exchange [2, 3]. Compared with designing a full PKE scheme, the KEM construction is usually somewhat easier or more efficient. In December 2016, the National Institute of Standards and Technology (NIST) announced a competition with the goal to standardize post-quantum cryptographic (PQC) algorithms including digital signature, public-key encryption (PKE), and KEM (or key exchange) with security against quantum adversaries [4]. Among the 69 Round-1 algorithm submissions, posted in December 2017 by NIST for the public to discuss and evaluate [4], there are 39 proposals for KEM constructions.
Indistinguishability against chosen-ciphertext attacks (IND-CCA) [5] is widely accepted as a standard security notion for many cryptographic applications. However, this security is usually much more difficult to prove than IND-CPA (and OW-CPA) security, i.e., indistinguishability (and one-wayness) against chosen-plaintext attacks. Mostly, generic transformations [6, 7] are used to create an IND-CCA-secure KEM from some weakly secure (OW-CPA or IND-CPA) PKE.
Recently, considering the drawbacks of previous analyses of the Fujisaki-Okamoto (FO) transformation [8, 9], such as a non-tight security reduction and the need for a perfectly correct scheme, Hofheinz, Hövelmanns and Kiltz [7] revisited the KEM version of the FO transformation [6] and provided a fine-grained and modular toolkit of transformations Open image in new window, \(\mathrm {U}^{\perp }\), Open image in new window, \(\mathrm {U}_m^{\perp }\), Open image in new window and \(\mathrm {QU}_m^{\perp }\) (in what follows, these transformations are categorized as modular FO transformations for brevity), where m (without m) means \(K=H(m)\) (\(K=H(m,c)\)), Open image in new window (\(\perp \)) means implicit (explicit) rejection^{1} and \(\mathrm {Q}\) means adding an additional hash to the ciphertext. Combining these modular transformations, they obtained several variants of the FO transformation Open image in new window, \(\mathrm {FO}^{\perp }\), Open image in new window, \(\mathrm {FO}_m^\perp \), Open image in new window and \(\mathrm {QFO}_m^{\perp }\) (these transformations are categorized as FO transformations in the following).
All the (modular) FO transformations are in the random oracle model (ROM) [10]. When the KEM scheme is instantiated, the random oracle is usually replaced by a hash function, which a quantum adversary may evaluate on a quantum superposition of inputs. As a result, to fully assess postquantum security, we should analyze security in the quantum random oracle model (QROM), as introduced in [11]. However, proving security in the QROM is quite challenging, as many classical ROM proof techniques will be invalid [11].
In [7], Hofheinz et al. presented QROM security reductions for Open image in new window , \(\mathrm {QU}_m^{\perp }\), Open image in new window and \(\mathrm {QFO}_m^{\perp }\). For these transformations, there is an additional hash in the ciphertext, which plays an important role in their reductions. The security reductions for Open image in new window , \(\mathrm {U}^{\perp }\), Open image in new window , \(\mathrm {U}_m^{\perp }\), Open image in new window , \(\mathrm {FO}^{\perp }\), Open image in new window and \(\mathrm {FO}_m^\perp \) are just presented in the ROM.
Among the 39 KEM submissions, there are 35 schemes that take IND-CCA as the security goal. In particular, 25 IND-CCA-secure KEM schemes are constructed by utilizing the above transformations (see Table 1) from different PKE schemes, with different security notions (e.g., IND-CPA vs OW-CPA), and underlying hardness of certain problems over lattices, codes and isogenies. In the submissions of LAC, Odd Manhattan, LEDAkem and SIKE, the QROM security is not considered. In the 16 submissions including FrodoKEM etc., Open image in new window ^{2}, \(\mathrm {QFO}^{\perp }\), Open image in new window and \(\mathrm {QFO}_m^{\perp }\) are used, where an additional hash is appended to the ciphertext. In the other 5 submissions including CRYSTALS-Kyber, LIMA, SABER, ThreeBears and Classic McEliece, the additional hash is removed according to recent works [12, 13].
For the (modular) FO transformations, the underlying PKE schemes differ in the following aspects: additional hash, correctness, determinacy, and security.

Additional hash. The additional hash here is a length-preserving hash function (one that has the same domain and range size) appended to the ciphertext, which was first introduced by Targhi and Unruh [14] to prove the QROM security of the variants of the FO transformation [8, 9] and the OAEP transformation [15, 16]. Following Targhi and Unruh’s trick, Hofheinz et al. gave the transformations Open image in new window, \(\mathrm {QU}_m^{\perp }\), Open image in new window and \(\mathrm {QFO}_m^{\perp }\) by adding an additional hash to the corresponding ROM constructions, and presented the QROM security reductions for them.
Among the NIST Round-1 submissions of an IND-CCA-secure KEM, 16 proposals use this trick to achieve QROM security. Intuitively, for 128-bit post-quantum security, this additional hash merely increases the ciphertext size by 256 bits [17]. However, we note that the QROM security proof in [7, 14] requires the additional hash to be length-preserving. Thus, for some schemes where the message space is strictly larger than the output space of the hash function, the increase of the ciphertext size is significant. Hülsing et al. [18] tried several ways to circumvent this issue; unfortunately, all straightforward approaches failed. For their specific NTRU-based KEM, an additional 1128 bits are needed, which accounts for \(11\%\) of the final encapsulation size.
In the ROM, this additional hash is clearly redundant for the constructions of an IND-CCA-secure KEM [6, 7]. Some proposals, e.g., ThreeBears [19], believe this additional hash adds no security. To accomplish the QROM security proof, this additional hash was deliberately introduced, which increased the ciphertext size and complicated the implementation. Thus, a natural question is: can we improve the QROM security proofs without suffering any ciphertext overhead for these constructions?

Correctness error. For many practical post-quantum PKE schemes, e.g., DXL [20], Peikert [21], BCNS [22], New Hope [23], Frodo [24], Lizard [25], Kyber [26], NTRUEncrypt [27], NTRU Prime [28], and QC-MDPC [29], there exists a small correctness error \(\delta \), i.e., the probability of decryption failure in a legitimate execution of the scheme. Specifically, among the KEM submissions in Table 1, there are 18 proposals that have a correctness error issue.
From a security point of view, it turns out that correctness errors not only influence the validity of a security proof, but also leak information on the private key [30]. In particular, chosen-ciphertext attacks exploiting the gathered correctness errors [30, 31] were demonstrated against the CCA versions of NTRUEncrypt and QC-MDPC obtained by using generic transformations, whose security was proved assuming the underlying PKEs to be perfectly correct. Additionally, Bernstein et al. [32] recently showed that the HILA5 KEM [33] does not provide IND-CCA security by demonstrating a key-recovery attack in the standard IND-CCA attack model using the information obtained from the correctness errors.
To date, it is not clear how much these correctness errors can affect the CCA security of these KEM schemes and how small these correctness errors must be to achieve a fixed security strength. To the best of our knowledge, for all previous security analyses of (modular) FO transformations except the work [7], perfect correctness, i.e., \(\delta =0\), is assumed. Therefore, QROM security analyses of the above (modular) FO transformations that take correctness errors into consideration are preferred.

Determinacy. According to the work [7], an IND-CCA-secure KEM in the ROM can be easily constructed by applying the transformation \(\mathrm {U}_m^{\perp }\) (or Open image in new window) to a deterministic PKE (DPKE). Saito et al. [12] showed that a DPKE can be constructed based on the concepts of the GPV trapdoor function for LWE [34], NTRU [27], the McEliece PKE [35], and the Niederreiter PKE [36]. However, the popular LWE cryptosystem and its variants [37, 38, 39, 40] are probabilistic encryption schemes, which are used by CRYSTALS-Kyber, EMBLEM and R.EMBLEM, FrodoKEM, KINDI, LAC, Lepton, LIMA, Lizard, NewHope, Round2, SABER and ThreeBears [4]. In particular, of the underlying PKEs in the KEM proposals in Table 1, DPKEs account for just 28%.

Security notion. IND-CPA security and OW-CPA security are widely accepted as standard security notions for PKE. In the KEM submissions in Table 1, all the underlying PKE schemes satisfy OW-CPA security. IND-CPA security is taken as a security goal of a PKE/KEM scheme during NIST’s PQC standardization, and is satisfied by most lattice-based and isogeny-based PKE schemes. FO transformations are widely used as they just require the PKE schemes to have standard CPA security.
There are also some non-standard security notions, e.g., one-way against plaintext checking attacks (OW-PCA), one-way against validity checking attacks (OW-VA), one-way against plaintext and validity checking attacks (OW-PVCA) for PKE [6, 7] and disjoint simulatability (DS) for DPKE [12]. According to [7, 12], if the underlying PKE satisfies these non-standard security notions, modular FO transformations can be used to construct an IND-CCA-secure KEM with a tighter security reduction. In particular, Saito et al. [12] presented a tight security proof for Open image in new window under stronger assumptions on the underlying DPKE scheme, DS security and perfect correctness, which are satisfied by Classic McEliece in Table 1.
Table 1. List of KEM submissions based on (modular) FO transformations.

| Proposals | Transformations | Correctness error | DPKE? | QROM consideration? |
|---|---|---|---|---|
| CRYSTALS-Kyber | (symbol missing) | Y | N | Y |
| EMBLEM and R.EMBLEM | \(\mathrm {QFO}^{{\perp }}\) | Y | N | Y |
| FrodoKEM | (symbol missing) | Y | N | Y |
| KINDI | (symbol missing) | Y | N | Y |
| LAC | (symbol missing) | Y | N | N |
| Lepton | \(\mathrm {QFO}^{\perp }\) | Y | N | Y |
| LIMA | \(\mathrm {FO}_m^{\perp }\) | N\(^\mathrm{a}\) | N | Y |
| Lizard | (symbol missing) | Y | N | Y |
| NewHope | (symbol missing) | Y | N | Y |
| NTRU-HRSS-KEM | \(\mathrm {QFO}_m^{\perp }\) | N | N | Y |
| Odd Manhattan | \(\mathrm {U}_m^{\perp }\) | N | N | N |
| OKCN-AKCN-CNKE | (symbol missing) | Y | N | Y |
| Round2 | (symbol missing) | Y | N | Y |
| SABER | (symbol missing) | Y | N | Y |
| ThreeBears | \(\mathrm {FO}_m^{{\perp }}\) | Y | N | Y |
| Titanium | (symbol missing) | Y | N | Y |
| BIG QUAKE | \(\mathrm {QFO}^{{\perp }}\) | N | N | Y |
| DAGS | \(\mathrm {QFO}_m^{\perp }\) | N | N | Y |
| HQC | \(\mathrm {QFO}^{\perp }\) | Y | N | Y |
| LEDAkem | (symbol missing) | Y | Y | N |
| LOCKER | \(\mathrm {QFO}^{\perp }\) | Y | N | Y |
| QC-MDPC | \(\mathrm {QFO}_m^{\perp }\) | Y | N | Y |
| RQC | \(\mathrm {QFO}^{\perp }\) | N | N | Y |
| SIKE | (symbol missing) | N | N | N |
Table 2. FO transformations from standard security assumptions.

| Transformation | Underlying security | Security bound | Additional hash | Perfectly correct? |
|---|---|---|---|---|
| Open image in new window and \(\mathrm {QFO}_m^{{\perp }}\) [7] | OW-CPA | \(q\sqrt{q^2\delta + q\sqrt{\epsilon }}\) | Y | N |
| (symbol missing) | IND-CPA | \( q\sqrt{\epsilon }\) | N | Y |
| Open image in new window and Open image in new window, our work | OW-CPA | \(q\sqrt{\delta } + q\sqrt{\epsilon }\) | N | N |
Table 3. Modular FO transformations from non-standard security assumptions.

| Transformation | Underlying security | Security bound | Additional hash | DPKE | Perfectly correct? |
|---|---|---|---|---|---|
| \(\mathrm {QU}_m^{\perp }\) [7] | OW-PCA | \(q\sqrt{\epsilon }\) | Y | N | N |
| (symbol missing) | OW-PCA | \(q\sqrt{\epsilon }\) | Y | N | N |
| (symbol missing) | DS | \(\epsilon \) | N | Y | Y |
| Open image in new window, our work | OW-qPCA | \( q\sqrt{\epsilon }\) | N | N | N |
| \(\mathrm {U}^{{\perp }}\), our work | OW-qPVCA | \( q\sqrt{\epsilon }\) | N | N | N |
| Open image in new window, our work | OW-CPA | \(q\sqrt{\delta } + q\sqrt{\epsilon }\) | N | Y | N |
| Open image in new window, our work | DS | \(q\sqrt{\delta } + \epsilon \) | N | Y | N |
| \(\mathrm {U}_m^{{\perp }}\), our work | OW-VA | \(q\sqrt{\delta } + q\sqrt{\epsilon }\) | N | Y | N |
1.1 Our Contributions
1. For any correctness error \(\delta \) (\(0\le \delta < 1\)), we prove the QROM security of two generic transformations, Open image in new window and Open image in new window in [7], by reducing the standard OW-CPA security of the underlying PKE to the IND-CCA security of the KEM, see Table 2.
The obtained security bounds are both \(\epsilon ' \approx q\sqrt{\delta } + q\sqrt{\epsilon } \), where \(\epsilon '\) is the success probability of an adversary against the IND-CCA security of the resulting KEM, \(\epsilon \) is the success probability of another adversary against the OW-CPA security of the underlying PKE, and q is the total number of Open image in new window ’s queries to various oracles. Our security bounds are much better than \(\epsilon ' \approx q\sqrt{q^2\delta + q\sqrt{\epsilon }}\), achieved by [7]. Meanwhile, the additional hash is not required, as it is redundant for our security proofs. In [12], Saito et al. also obtained the same tight security bound \(\epsilon ' \approx { q\sqrt{\epsilon }}\) for a variant of Open image in new window, Open image in new window ^{3}, by assuming the underlying PKE scheme to be IND-CPA-secure and perfectly correct (i.e., \(\delta =0\)).
With our tighter QROM security proofs, 16 KEM constructions including FrodoKEM etc., where Open image in new window, \(\mathrm {QFO}^{\perp }\), Open image in new window and \(\mathrm {QFO}_m^{\perp }\) are used, can be simplified by cutting off the additional hash and improved in performance with respect to speed and sizes. Additionally, although LAC and SIKE are constructed by using Open image in new window without the additional hash, the QROM security proof is not considered in their proposals. Thus, our proofs also provide a solid post-quantum security guarantee for these two KEM schemes without any additional ciphertext overhead.
2. For the modular FO transformations Open image in new window, \(\mathrm {U}^{\perp }\), Open image in new window and \(\mathrm {U}_m^{\perp }\) in [7], we provide QROM security reductions without the additional hash for any correctness error \(\delta \) (\(0\le \delta < 1\)), see Table 3.
Specifically, we first define the quantum versions of OW-PCA and OW-PVCA as one-way against quantum plaintext checking attacks (OW-qPCA) and one-way against quantum plaintext and (classical) validity checking attacks (OW-qPVCA), where quantum plaintext checking attacks mean that the adversary can make quantum queries to the plaintext checking oracle. For any correctness error \(\delta \) (\(0\le \delta < 1\)), we provide QROM security reductions to IND-CCA without the additional hash for Open image in new window from OW-qPCA, \(\mathrm {U}^{\perp }\) from OW-qPVCA, Open image in new window from OW-CPA (and DS), and \(\mathrm {U}_m^{\perp }\) from OW-VA.
OW-qPCA (OW-qPVCA) security is just a proof artefact for simulating H. Compared with the DS security notion introduced by [12], OW-qPCA security is less restrictive and weaker. We note that the DS security notion is defined for a DPKE scheme which satisfies (1) statistical disjointness and (2) ciphertext-indistinguishability. Actually, all DPKE schemes satisfy OW-qPCA security, as the plaintext checking oracle can be simulated by re-encryption on a quantum computer. Therefore, all the instantiations of DS-secure DPKE in [12] are also OW-qPCA-secure. In particular, OW-qPCA security is not restricted to DPKE schemes. Many post-quantum PKE schemes satisfy OW-qPCA security, e.g., NTRU [27], McEliece [35], and Niederreiter [36]. Additionally, we show that the resulting PKE scheme obtained by applying the transformation \(\mathrm {T}\) to an OW-CPA-secure PKE [7] is also OW-qPCA-secure.
Our security reductions preserve the tightness of the ones in [7, 12] without the additional hash for any correctness error \(\delta \) (\(0\le \delta < 1\)), see Table 3. Our QROM security analyses not only provide post-quantum security guarantees for the KEM schemes constructed by using these modular FO transformations, e.g., Odd Manhattan, Classic McEliece and LEDAkem, but can also help to obtain a variety of combined transformations with different requirements and properties.
1.2 Techniques
Remove the additional hash. As explained by Targhi and Unruh [14], their proof technique strongly relies on the additional hash. In their paper, they discussed the QROM security of a variant of the FO transformation from an OW-CPA-secure PKE to an IND-CCA-secure PKE. To implement the security reduction, one needs to simulate the decryption oracle without possessing the secret key. In the classical proof, an RO-query list is used to simulate such an oracle. In the QROM, the simulator has no way to learn the actual content of adversarial RO queries, therefore such an RO-query list does not exist. Targhi and Unruh circumvented this issue by adding an additional length-preserving hash (modeled as an RO) to the ciphertext. In the security reduction, this additional RO is simulated by a k-wise independent function. For every output of this RO, the simulator can recover the corresponding input by inverting this function. Thereby, the simulator can answer the decryption queries without a secret key.
When considering the generic transformations from a weakly secure PKE to an IND-CCA-secure KEM, one needs to simulate the decapsulation oracle \(\textsc {Decaps}\) without the secret key. Indeed, obviously, we can modify the transformations by adding an additional length-preserving hash to the ciphertext so that the simulator can carry out the decryption. Then, using the key-derivation function (KDF, modeled as a random oracle H), it can easily simulate the \(\textsc {Decaps}\) oracle.
In [11, Theorem 6], Boneh et al. proved the QROM security of a generic hybrid encryption scheme [10], built from an injective trapdoor function and a symmetric-key encryption scheme. Inspired by their proof idea, we present a novel approach to simulate the \(\textsc {Decaps}\) oracle^{4}.
The high level idea is that we associate the random oracle H (KDF in the KEM) with a secret random function \(H'\) by setting \(H=H' \circ g \) such that \(H'(\cdot )=\textsc {Decaps}(sk,\cdot )\). We demand that the function g should be indistinguishable from an injective function for any efficient quantum adversary. Thus, in the view of the adversary against the INDCCA security of KEM, H is indeed a random oracle. Meanwhile, we can simulate the \(\textsc {Decaps}\) oracle just by using \(H'\). Note that in our simulation of the \(\textsc {Decaps}\) oracle, we circumvent the decryption computation. Thereby, there is no need to read the content of adversarial RO queries, which makes it unnecessary to add an additional lengthpreserving hash to the ciphertext.
Tighten the security bound. When proving the IND-CCA security of the KEM from the OW-CPA security of the underlying PKE for Open image in new window and Open image in new window, reprogramming the random oracles G and H is a natural approach. In the quantum setting, the one-way to hiding (OW2H) lemma [42, Lemma 6.2] is a practical tool to argue the indistinguishability between games where the random oracles are reprogrammed. However, the OW2H lemma inherently incurs a quadratic security loss.
To tighten the security bounds, we have to decrease the number of times the OW2H lemma is used. [7] analyzed the QROM security of Open image in new window (and \(\mathrm {QFO}_m^{{\perp }}\)) in two steps. First, they presented a QROM security reduction from the OW-CPA security of the underlying PKE to the OW-PCA security of an intermediate scheme PKE\('\). In this step, the random oracle G was reprogrammed; thus, by using the OW2H lemma, they obtained \(\epsilon '' \le q^2\delta +q\sqrt{\epsilon }\), where \(\epsilon ''\) is the success probability of an adversary against the OW-PCA security of PKE\('\). In the second step, they reduced the OW-PCA security of PKE\('\) to the IND-CCA security of the KEM, where the random oracles H and \(H''\) (the additional hash) were reprogrammed. Again, by using the OW2H lemma, they obtained \(\epsilon '\le q \sqrt{\epsilon ''}\). Finally, combining the above two bounds, they obtained the security bound of the KEM, \(\epsilon '\le q \sqrt{q^2\delta +q \sqrt{\epsilon }}\). Direct combination of the modular analyses uses the OW2H lemma twice, which makes the security bound highly non-tight.
When considering the QROM security of Open image in new window and Open image in new window, instead of a modular analysis, we choose to reduce the OW-CPA security of the underlying PKE to the IND-CCA security of the KEM directly, without introducing an intermediate scheme PKE\('\). In this way, G and H are reprogrammed simultaneously, thus the OW2H lemma is used only once in our reductions.
We also find that the order of the games can strongly affect the tightness of the security bound. If we reprogram G and H before simulating the \(\textsc {Decaps}\) oracle with the secret random function \(H'\), the obtained security bound will be \(q \sqrt{\epsilon +q\sqrt{\delta }} \), where the \(\epsilon \) term has a quadratic loss and the \(\delta \) term has a quartic loss. Therefore, we choose to simulate the \(\textsc {Decaps}\) oracle with \(H'\) before reprogramming G and H. But, in this way, when using the OW2H lemma to argue the indistinguishability between games where G and H are reprogrammed, one has to guarantee the consistency of H and \(H'\). We solve this by generalizing the OW2H lemma to the case where the reprogrammed oracle and another, redundant oracle can be sampled simultaneously according to some joint distribution (for a complete description of the generalized OW2H lemma, see Lemma 3).
Finally, our derived security bound is \(q\sqrt{\delta } + q\sqrt{\epsilon }\), which is much tighter than the bound \(q\sqrt{q^2\delta + q\sqrt{\epsilon }}\) obtained by [7].
1.3 Discussion
Tightness. Having a tight security reduction is a desirable property for practical cryptography, especially in large-scale scenarios. In the ROM, if we assume that the underlying PKE scheme in Open image in new window and Open image in new window is IND-CPA-secure, we can obtain a tight reduction from the IND-CPA security of the underlying PKE to the IND-CCA security of the resulting KEM [7]. Specifically, if the PKE scheme in Open image in new window is instantiated with a Ring-LWE-based PKE scheme [39], the security of the underlying Ring-LWE problem can be reduced to the IND-CCA security of the KEM [43]. In [12], Saito et al. presented a tight security reduction for Open image in new window by assuming a stronger underlying DPKE, which is only satisfied by Classic McEliece in Table 1. For the widely used Open image in new window and Open image in new window, a quadratic security loss still exists even assuming the IND-CPA security of the underlying PKE scheme, see Table 2. For the tight ROM security reductions in [7, 43], the simulators need to make an elaborate analysis of the RO-query inputs and determine which one of the query inputs can be used to break the IND-CPA security of the underlying PKE scheme [7] or solve a decision Ring-LWE problem [43]. However, in the QROM, such a proof technique will be invalid for the reason that there is no way for the simulators to learn the RO-query inputs [44, 45]. Thus, in the QROM, it is still an important open problem whether one can develop a novel proof technique to obtain a tight reduction for Open image in new window and Open image in new window assuming standard IND-CPA security of the underlying PKE.
Implicit rejection. For most of the previous generic transformations from an OW-CPA-secure (or IND-CPA-secure) PKE to an IND-CCA-secure KEM, explicit rejection is adopted. In [7], Hofheinz et al. presented several transformations with implicit rejection. These two different versions (explicit rejection and implicit rejection) have their own merits. The transformation with implicit rejection [7] does not require the underlying PKE scheme to be \(\gamma \)-spread [8, 9] (meaning that the ciphertexts generated by the probabilistic encryption algorithm have sufficiently large entropy), which may allow choosing better system parameters for the same security level. In contrast, the ones with explicit rejection have a relatively simple decapsulation algorithm.
In our paper, we just give QROM security reductions for the transformations with implicit rejection. It is not obvious how to extend our QROM security proofs to the transformations with explicit rejection, since the simulator has no way to tell if the submitted ciphertext is valid. In the classical ROM, we usually assume the underlying PKE is \(\gamma \)-spread. Then, we can recognize invalid ciphertexts just by testing if they are in the RO-query list, as the probability that the adversary makes queries to the decapsulation oracle with a valid ciphertext which is not in the RO-query list is negligible [7, 8, 9, 43]. Unfortunately, in the QROM, the adversary makes quantum queries to the RO, so the above RO-query list does not exist. Thus, the ROM proof technique for the recognition of invalid ciphertexts is invalid in the QROM. Here, we leave it as an open problem to prove the QROM security of the transformations Open image in new window and Open image in new window with explicit rejection.
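As an added example (not the paper's code), the following Python sketch instantiates the transformation shape discussed in this section: T derandomizes a probabilistic PKE with r = G(m) and re-encrypts on decryption, the U step derives K = H(m, c) or K = H(m) (the m variant), and a failed check either returns H'(s, c) for a secret seed s (implicit rejection) or \(\perp \) (explicit rejection). The ToyPKE, its group parameters, the hash labels and the helper names are assumptions with no security value; they exist only so that the transform can be run end to end.

```python
# Added example: a toy FO-style KEM with implicit or explicit rejection.
# ToyPKE is an ElGamal-shaped PKE over a tiny, insecure group; it only serves
# to give Enc(pk, m; r) explicit coins so that the T transform can re-encrypt.
import hashlib
import os

P = (1 << 89) - 1       # Mersenne prime 2^89 - 1 (assumed toy group, not a real parameter)
G_BASE = 3              # fixed base element; correctness holds for any base
MSG_BYTES = 8           # message space {0,1}^64, encoded as integers < 2^64 < P
CT_INT_BYTES = 12       # 89-bit group elements fit in 12 bytes when serialised


def ro(label: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 standing in for the random oracles G, H and H'."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def encode_ct(c) -> bytes:
    c1, c2 = c
    return c1.to_bytes(CT_INT_BYTES, "big") + c2.to_bytes(CT_INT_BYTES, "big")


class ToyPKE:
    """Randomised PKE Enc(pk, m; r) with explicit coins r (toy, insecure)."""

    @staticmethod
    def keygen():
        sk = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
        return pow(G_BASE, sk, P), sk

    @staticmethod
    def enc(pk: int, m: bytes, r: int):
        m_int = int.from_bytes(m, "big")
        return pow(G_BASE, r, P), (m_int * pow(pk, r, P)) % P

    @staticmethod
    def dec(sk: int, c):
        c1, c2 = c
        if not (0 < c1 < P and 0 <= c2 < P):
            return None                                  # malformed ciphertext: ⊥
        m_int = (c2 * pow(c1, -sk, P)) % P               # needs Python >= 3.8
        if m_int >= 1 << (8 * MSG_BYTES):
            return None                                  # outside message space: ⊥
        return m_int.to_bytes(MSG_BYTES, "big")


class FOKEM:
    """T: coins r = G(m), re-encryption check in decapsulation.
    U: K = H(m, c) if key_includes_ct else K = H(m) (the m variant).
    Rejection: implicit (K = H'(s, c), s a secret seed in sk) or explicit (None)."""

    def __init__(self, key_includes_ct: bool = True, implicit_rejection: bool = True):
        self.key_includes_ct = key_includes_ct
        self.implicit_rejection = implicit_rejection

    def keygen(self):
        pk, sk = ToyPKE.keygen()
        s = os.urandom(32)                               # seed used only for implicit rejection
        return pk, (sk, pk, s)

    def derive_coins(self, m: bytes) -> int:
        return int.from_bytes(ro(b"G", m), "big") % (P - 2) + 1

    def derive_key(self, m: bytes, c) -> bytes:
        if self.key_includes_ct:
            return ro(b"H", m, encode_ct(c))
        return ro(b"H", m)

    def encaps(self, pk: int):
        m = os.urandom(MSG_BYTES)
        c = ToyPKE.enc(pk, m, self.derive_coins(m))
        return c, self.derive_key(m, c)

    def decaps(self, sk_kem, c):
        sk, pk, s = sk_kem
        m = ToyPKE.dec(sk, c)
        # A decryption failure (the delta-correctness case) and a modified
        # ciphertext both fail the re-encryption check and are rejected alike.
        if m is None or ToyPKE.enc(pk, m, self.derive_coins(m)) != c:
            if self.implicit_rejection:
                return ro(b"H'", s, encode_ct(c))        # pseudorandom but deterministic
            return None                                  # explicit ⊥
        return self.derive_key(m, c)


def demo():
    """Returns (honest keys agree, tampered decaps yields a different key, rejection is deterministic)."""
    kem = FOKEM()
    pk, sk = kem.keygen()
    c, k = kem.encaps(pk)
    c_bad = (c[0], (c[1] + 1) % P)
    k_bad = kem.decaps(sk, c_bad)
    return (kem.decaps(sk, c) == k,
            k_bad is not None and k_bad != k,
            kem.decaps(sk, c_bad) == k_bad)
```

With implicit rejection the caller of decaps sees a 32-byte key in every case, which is exactly why the simulator in the text can answer such queries through \(H'\) without learning whether the ciphertext was valid.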
2 Preliminaries
Symbol description. Denote \(\mathcal {K}\), \(\mathcal {M}\), \(\mathcal {C}\) and \(\mathcal {R}\) as key space, message space, ciphertext space and randomness space, respectively. For a finite set X, we denote the sampling of a uniform random element x by \(x \overset{\$}{\leftarrow } X\), and we denote the sampling according to some distribution D by \(x {\leftarrow } D\). By \(x=?y\) we denote the integer that is 1 if \(x=y\), and otherwise 0. \(\Pr [P : G]\) is the probability that the predicate P holds true where free variables in P are assigned according to the program in G. Denote deterministic (probabilistic) computation of an algorithm A on input x by \(y:=A(x)\) (\(y \leftarrow A(x)\)). \(A^{H}\) means that the algorithm A gets access to the oracle H.
2.1 Quantum Random Oracle Model
In the ROM [10], we assume the existence of a random function H, and give all parties oracle access to this function. The algorithms comprising any cryptographic protocol can use H, as can the adversary. Thus we modify the security games for all cryptographic systems to allow the adversary to make random oracle queries.
When a random oracle scheme is implemented, some suitable hash function H is included in the specification. Any algorithm (including the adversary) replaces oracle queries with evaluations of this hash function. In the quantum setting, because a quantum algorithm can evaluate H on an arbitrary superposition of inputs, we must allow the quantum adversary to make quantum queries to the random oracle. We call this the quantum random oracle model [11]. Unless otherwise specified, the queries to random oracles are quantum in our paper.
Tools. Next we state four lemmas that we will use throughout the paper. The first two lemmas have been proved in other works, and the complete proofs of the last two are presented in the full version [13]. We refer the reader to [46] for the basics of quantum computation. Here, we just recall two facts about quantum computation.

Fact 1. Any classical computation can be implemented on a quantum computer.

Fact 2. Any function that has an efficient classical algorithm computing it can be implemented efficiently as a quantum-accessible oracle.
Lemma 1
(Simulating the random oracle [47, Theorem 6.1]). Let H be an oracle drawn from the set of 2q-wise independent functions uniformly at random. Then the advantage that any quantum algorithm making at most q queries to H has in distinguishing H from a truly random function is identically 0.
Lemma 2
Note. [48, Lemma 37] and [49, Theorem 1] just consider the specific case where all \(p_z\)s are equal to \(\gamma \). But in our security proof, we need to consider the case where \(p_z \le \gamma \) and \(p_z\)s are in general different from each other. Fortunately, it is not difficult to verify that the proof of [48, Lemma 37] can be extended to this generic case.
The one-way to hiding (OW2H) lemma [42, Lemma 6.2] is a useful tool for reducing a hiding (i.e., indistinguishability) property to a guessing (i.e., one-wayness) property in a security proof. Roughly speaking, the lemma states that if there exists an oracle algorithm A which, issuing at most \(q_1\) queries to the random oracle \(\mathcal {O}_1\), can distinguish \((x,\mathcal {O}_1(x))\) from (x, y), where y is chosen uniformly at random, then we can construct another oracle algorithm B that can find x by running A and measuring one of A’s queries. However, in our security proof, the oracle \(\mathcal {O}_1\) is not a perfect random function and A can have access to another oracle \(\mathcal {O}_2\) associated with \(\mathcal {O}_1\). Therefore, we generalize the OW2H lemma.
Lemma 3
(One-way to hiding, with redundant oracle). Let oracles \(\mathcal {O}_1\), \(\mathcal {O}_2\), input parameter inp and x be sampled from some joint distribution D, where \(x \in \{0,1\}^n\) (the domain of \(\mathcal {O}_1\)) and \(\mathcal {O}_1(x)\) is uniformly distributed on \( \{0,1\}^m\) (the codomain of \(\mathcal {O}_1\)) conditioned on any fixed \(\mathcal {O}_1(x')\) for all \(x'\ne x\), \(\mathcal {O}_2\), inp and x, and independent from \(\mathcal {O}_2\).
Note that \(\mathcal {O}_2\) is unchanged during the reprogramming of \(\mathcal {O}_1\) at x. Thus, intuitively, \(\mathcal {O}_2\) is redundant and unhelpful for A distinguishing \((x,\mathcal {O}_1(x))\) from (x, y). The complete proof of Lemma 3 is similar to the proof of the OW2H lemma [42, Lemma 6.2] and we present it in the full version [13].
Lemma 4
We now sketch the proof of Lemma 4. For the complete proof, please refer to the full version [13].
Proof sketch. In the classical setting, it is obvious that Open image in new window can be bounded by the probability that A performs an H-query with input \((x,*)\). As x is independent of \(A^{H,F_i}\)’s view, Open image in new window . In the quantum setting, it is not well-defined that Open image in new window queries \((x,*)\) from H, since H can be queried in superposition. To circumvent this problem, we follow Unruh’s proof technique in [42, Lemma 6.2] and define a new adversary B who runs A, but stops at some random query and measures the query input. Let \(P_B\) be the probability that B measures x. Similarly to [42, Lemma 6.2], we can bound Open image in new window by \(2q\sqrt{P_B}\). Since x is independent of \(A^{H,F_i}\)’s view, \(P_B=\frac{1}{2^{n_1}}\). Thus, Open image in new window
2.2 Cryptographic Primitives
Definition 1
(Public-key encryption). A public-key encryption scheme \(\mathrm {PKE}=(Gen, Enc, Dec)\) consists of a triple of polynomial-time (in the security parameter \(\lambda \)) algorithms and a finite message space \(\mathcal {M}\). Gen, the key generation algorithm, is a probabilistic algorithm which on input \(1^{\lambda }\) outputs a public/secret key pair (pk, sk). The encryption algorithm Enc, on input pk and a message \(m \in \mathcal {M}\), outputs a ciphertext \(c\leftarrow Enc(pk,m)\). When necessary, we make the randomness used by encryption explicit by writing \(c:=Enc(pk,m;r)\), where \(r \overset{\$}{\leftarrow } \mathcal {R}\) (\(\mathcal {R}\) is the randomness space). Dec, the decryption algorithm, is a deterministic algorithm which on input sk and a ciphertext c outputs a message \(m:=Dec({sk},c)\) or a special symbol \(\perp \notin \mathcal {M}\) to indicate that c is not a valid ciphertext.
Definition 2
We now define four security notions for public-key encryption: one-wayness against chosen plaintext attacks (OW-CPA), one-wayness against validity checking attacks (OW-VA), one-wayness against quantum plaintext checking attacks (OW-qPCA) and one-wayness against quantum plaintext and (classical) validity checking attacks (OW-qPVCA).
Definition 3
Remark
We note that the security game OW-qPCA (OW-qPVCA) is the same as OW-PCA (OW-PVCA) except for the adversary's queries to the Pco oracle: in the OW-qPCA (OW-qPVCA) game the adversary can make quantum queries to the Pco oracle, while in the OW-PCA (OW-PVCA) game only classical queries are allowed. These two new security notions will be used in the security analysis of the modular FO transformations in Sect. 4.
Definition 4
(DS-secure DPKE [12]). Let \(D_\mathcal {M}\) denote an efficiently sampleable distribution on \(\mathcal {M}\). A DPKE scheme (Gen, Enc, Dec) with plaintext and ciphertext spaces \(\mathcal {M}\) and \(\mathcal {C}\) is \(D_\mathcal {M}\)-disjoint simulatable if there exists a PPT algorithm S that satisfies (1) Statistical disjointness: \({\textsc {Disj}}_{\mathrm {PKE},S}:=\mathop {\mathrm {max}}\limits _{pk} \Pr [c\in Enc(pk,\mathcal {M}): c \leftarrow S(pk)] \) is negligible, i.e., a simulated ciphertext almost never lies in the set of honestly encryptable ciphertexts. (2) Ciphertext-indistinguishability: for any PPT adversary given pk, the advantage in distinguishing a real ciphertext \(Enc(pk,m)\) with \(m \leftarrow D_\mathcal {M}\) from a simulated ciphertext \(S(pk)\) is negligible.
Definition 5
(Key encapsulation). A key encapsulation mechanism KEM consists of three algorithms Gen, Encaps and Decaps. The key generation algorithm Gen outputs a key pair (pk, sk). The encapsulation algorithm Encaps, on input pk, outputs a tuple (K, c), where c is said to be an encapsulation of the key K, which lies in the key space \(\mathcal {K}\). The deterministic decapsulation algorithm Decaps, on input sk and an encapsulation c, outputs either a key \(K := Decaps(sk, c) \in \mathcal {K}\) or a special symbol \(\perp \notin \mathcal {K}\) to indicate that c is not a valid encapsulation.
We now define the security notion for KEMs used in this paper: indistinguishability against chosen ciphertext attacks (IND-CCA).
Definition 6
(IND-CCA-secure KEM). We define the IND-CCA game as in Fig. 2 and the IND-CCA advantage function of an adversary against \(\mathrm {KEM}\) as the distance between the adversary's probability of guessing the challenge bit correctly and 1/2.
We also define OW-ATK security of PKE, DS security of DPKE and IND-CCA security of KEM in the QROM, where the adversary can make quantum queries to the random oracles. Following [7], we adopt the convention that the number \(q_H\) of adversarial queries to a random oracle H counts the total number of times H is executed in the experiment, that is, the number of the adversary's explicit queries to H plus the number of implicit queries to H made by the experiment.
3 Security Proofs for Two Generic KEM Constructions in the QROM
To a public-key encryption scheme PKE = (Gen, Enc, Dec) with message space \(\mathcal {M}\) and randomness space \(\mathcal {R}\), hash functions \(G:\mathcal {M} \rightarrow \mathcal {R}\), \(H :\{0,1\}^{*} \rightarrow \{0,1\}^{n}\) and a pseudorandom function (PRF) f with key space \(\mathcal {K}^{prf}\), we associate KEM-I = \(\mathrm {FO}^{\not\perp }\)[PKE, G, H] and KEM-II = \(\mathrm {FO}_m^{\not\perp }\)[PKE, G, H, f]^{5}, shown in Figs. 3 and 4, respectively. The following two theorems establish that the IND-CCA security of KEM-I and of KEM-II both reduce to the OW-CPA security of PKE in the QROM.
Theorem 1
(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-I IND-CCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, then for any IND-CCA adversary against \(\text {KEM-I}\), issuing at most \(q_D\) queries to the decapsulation oracle Decaps, at most \(q_G\) queries to the random oracle G and at most \(q_H\) queries to the random oracle H, there exists an OW-CPA adversary against \(\mathrm {PKE}\) whose running time is about that of the IND-CCA adversary and whose OW-CPA advantage, together with \(\delta \) and the query bounds, bounds the IND-CCA advantage.
Proof
Consider an adversary against the IND-CCA security of KEM-I, issuing at most \(q_D\) queries to Decaps, at most \(q_G\) queries to G and at most \(q_H\) queries to H. Denote by \(\varOmega _G\), \(\varOmega _H\) and \(\varOmega _{H'}\) the sets of all functions \(G:\mathcal {M} \rightarrow \mathcal {R}\), \(H:\mathcal {M} \times \mathcal {C} \rightarrow \mathcal {K}\) and \({H'}:\mathcal {C} \rightarrow \mathcal {K}\), respectively. Consider the games in Figs. 5 and 9.
Let \(N_1\) be the function such that \(N_1(m)\) is sampled from the Bernoulli distribution \(B_{\delta (pk,sk,m)}\), i.e., \(\Pr [N_1(m)=1]={\delta (pk,sk,m)}\) and \(\Pr [N_1(m)=0]=1-{\delta (pk,sk,m)}\). Let \(N_2\) be the constant function that outputs 0 on every input. Next, we show that any algorithm that distinguishes G from \(G'\) can be converted into an algorithm that distinguishes \(N_1\) from \(N_2\).
For any efficient quantum adversary \(B^{\widetilde{G}}(pk,sk)\), we can construct an adversary \(A^N(pk,sk)\) as in Fig. 7. \({Sample}(\mathcal {Y})\) is a probabilistic algorithm that returns a uniformly distributed \(y\overset{\$}{\leftarrow } \mathcal {Y}\), and \({Sample}(\mathcal {Y};f(m))\) denotes the deterministic execution of \({Sample}(\mathcal {Y})\) with the explicitly given randomness f(m).

Case 1: \(Enc(pk,m';G(m'))= c\). In this case, \(H(m',c)=H_1(c)\). Thus, both Decaps oracles in \(G_2\) and \(G_3\) return the same value.

Case 2: \(Enc(pk,m';G(m')) \ne c\). Random values \(H_2(c)\) and \(H_1(c)\) are returned in \(G_2\) and \(G_3\), respectively. In \(G_2\), \(H_2\) is a random function independent of the oracles G and H, thus \(H_2(c)\) is uniformly random in the adversary's view. In \(G_3\), the adversary's queries to H only give it access to \(H_1\) at points \(\hat{c}\) such that \(g(\hat{m}) = \hat{c}\) for some \(\hat{m}\). Consequently, unless the adversary finds an \(m''\) such that \(g(m'') = c\), \(H_1(c)\) is a fresh random key in its view, just like \(H_2(c)\). Since \(m'' \ne m'\), finding such an \(m''\) is exactly the event E that the adversary finds a plaintext \(m''\) such that \(Dec(sk,g(m''))\ne m''\). That is, in this case, if E does not happen, the output distributions of the \(\textsc {Decaps}\) oracles in \(G_2\) and \(G_3\) are the same in the adversary's view.
Let \((G \times H_1^g)(x):=(G(x), H_1^g(x))\)^{6}. \(H_1^g\) and \(H_3\) are internal random oracles that the adversary can access only by querying the oracle H. Then the total number of queries to \(G\times H_1^g\) is at most \(q_G+q_H\). Let \(H'_1\) be the function such that \(H'_1(g(m^*))=\perp \) and \(H'_1=H_1\) everywhere else. \(H'_1\) is exactly the Decaps oracle in \(G_3\) and \(G_4\) and is unchanged by the reprogramming of \(G \times H_1^g\).
Let \(A^{G \times H_1^g, H'_1}\) be an oracle algorithm that has quantum access to \(G \times H_1^g\) and \(H'_1\), see Fig. 8. Sample G, \(H_1\), \(H_1^g\) and pk in the same way as in \(G_3\) and \(G_4\), i.e., \((pk,sk') \leftarrow Gen', G \overset{\$}{\leftarrow } \varOmega _G, H_1 \overset{\$}{\leftarrow } \varOmega _{H'}, H_1^g:=H_1 \circ g.\) Let \(m^*\overset{\$}{\leftarrow } \mathcal {M}\).
Then, if \(r^*:=G(m^*) \) and \(k_0^*:=H_1^g(m^{*})\), \(A^{G \times H_1^g,H'_1}\) on input \((pk, m^{*}, (r^{*}, k_0^{*}) )\) perfectly simulates \(G_3\); and if \(r^*\overset{\$}{\leftarrow } \mathcal {R}\) and \(k_0^*\overset{\$}{\leftarrow } \mathcal {K}\), it perfectly simulates \(G_4\). Let \(B^{G\times H_1^g,H'_1}\) be an oracle algorithm that on input \((pk,m^*)\) does the following: pick \(i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), \(r^*\overset{\$}{\leftarrow } \mathcal {R}\) and \(k_0^*\overset{\$}{\leftarrow } \mathcal {K}\), run \(A^{G\times H_1^g,H'_1 }(pk, m^{*}, (r^{*}, k_0^{*}) )\) until the i-th query to \(G\times H_1^g\), measure the argument of that query in the computational basis and output the measurement outcome (if \(A^{G\times H_1^g,H'_1 }\) makes fewer than i queries, output \(\bot \)). Define game \(G_5\) as in Fig. 9. Then, by Lemma 3, the difference between \(G_3\) and \(G_4\) is bounded in terms of the probability that B outputs \(m^*\), i.e., the success probability in \(G_5\).
The OW-CPA adversary against PKE, given (pk, c), proceeds as follows:
1. Run the IND-CCA adversary as in game \(G_5\).
2. Use a \(2q_G\)-wise independent function and two different \(2q_H\)-wise independent functions to simulate the random oracles G, \(H_1\) and \(H_3\), respectively; the random oracle H is simulated in the same way as in game \(G_5\).
3. Answer the decapsulation queries with the Decaps oracle of Fig. 9.
4. Select \(k^*\overset{\$}{\leftarrow } \mathcal {K}\) and respond to the adversary's challenge query with \((c, k^{*})\).
5. Select \( i \overset{\$}{\leftarrow } \{1,\ldots ,q_G+q_H\}\), measure the argument \(\hat{m}\) of the i-th query to \(G\times H_1^g\) and output \(\hat{m}\).
Theorem 2
(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-II IND-CCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, then for any IND-CCA adversary against \(\text {KEM-II}\), issuing at most \(q_D\) classical queries to the decapsulation oracle Decaps and at most \(q_G\) (\(q_H\)) queries to the random oracle G (H), there exist a quantum OW-CPA adversary against \(\mathrm {PKE}\) and an adversary against the security of \(\mathrm {PRF}\) making at most \(q_D\) classical queries, each running in about the time of the IND-CCA adversary, such that the IND-CCA advantage is bounded in terms of their OW-CPA and PRF advantages, \(\delta \) and the query bounds.
The only difference between \(\text {KEM-I}\) and \(\text {KEM-II}\) is the key derivation: in \(\text {KEM-I}\), \(K=H(m,c)\), while in \(\text {KEM-II}\), \(K=H(m)\) (and KEM-II derives its implicit-rejection key with the PRF f, see footnote 5). Note that given pk and the random oracle G, c is determined by m. The proof of Theorem 2 is similar to that of Theorem 1, and we present it in the full version [13].
4 Modular Analysis of FO Transformation in the QROM
In [7], Hofheinz et al. introduced seven modular transformations \(\mathrm {T}\), \(\mathrm {U}^{\not\perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\not\perp }\), \(\mathrm {U}_m^{\perp }\), \(\mathrm {QU}_m^{\not\perp }\) and \(\mathrm {QU}_m^{\perp }\), but presented QROM security reductions only for \(\mathrm {T}\), \(\mathrm {QU}_m^{\not\perp }\) and \(\mathrm {QU}_m^{\perp }\). Unlike \(\mathrm {U}^{\not\perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\not\perp }\) and \(\mathrm {U}_m^{\perp }\), the transformations \(\mathrm {QU}_m^{\not\perp }\) and \(\mathrm {QU}_m^{\perp }\) add a length-preserving hash to the ciphertext, so the proof technique of [14, 52] can be followed to give QROM security reductions for them. As they point out [14], their QROM security reductions rely heavily on this additional hash, and QROM security reductions for \(\mathrm {U}^{\not\perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\not\perp }\) and \(\mathrm {U}_m^{\perp }\) are missing in [7]. In [12], Saito et al. presented a tight QROM security reduction for \(\mathrm {U}_m^{\not\perp }\) under stronger assumptions on the underlying DPKE scheme, namely DS security and perfect correctness.
In this section, we revisit the transformations \(\mathrm {U}^{\not\perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\not\perp }\) and \(\mathrm {U}_m^{\perp }\) and argue their QROM security without any modification to the constructions and with the correctness error taken into consideration. [7] has shown that the transformation \(\mathrm {T}\) turns an OW-CPA-secure PKE into an OW-PCA-secure PKE in the QROM. In Sect. 4.1, we first show that the PKE scheme obtained by applying \(\mathrm {T}\) to an OW-CPA-secure PKE is also OW-qPCA-secure. The QROM security reduction for \(\mathrm {U}^{\not\perp }\) (\(\mathrm {U}^{\perp }\)) from the OW-qPCA (OW-qPVCA) security of the PKE to the IND-CCA security of the KEM is given in Sect. 4.2 (4.3). In Sect. 4.4, we show that \(\mathrm {U}_m^{\not\perp }\) (\(\mathrm {U}_m^{\perp }\)) transforms any OW-CPA-secure or DS-secure (OW-VA-secure) DPKE into an IND-CCA-secure KEM in the QROM.
4.1 \(\mathrm {T}\): from OW-CPA to OW-qPCA in the QROM
To a public-key encryption scheme PKE = (Gen, Enc, Dec) with message space \(\mathcal {M}\) and randomness space \(\mathcal {R}\), and a hash function \(G:\mathcal {M} \rightarrow \mathcal {R}\), we associate \(\mathrm {PKE}'=T[\mathrm {PKE},G]\). The algorithms of PKE\('\) = (Gen, \(Enc'\), \(Dec'\)) are defined in Fig. 10.
Theorem 3
(PKE OW-CPA \(\overset{{QROM}}{\Rightarrow }\) PKE\('\) OW-qPCA). If \(\mathrm {PKE}\) is \(\delta \)-correct, then for any OW-qPCA adversary against \(\mathrm {PKE}'\), issuing at most \(q_G\) quantum queries to the random oracle G and at most \(q_P\) quantum queries to the plaintext checking oracle \(\textsc {Pco}\), there exists an OW-CPA adversary against PKE whose running time is about that of the OW-qPCA adversary and whose OW-CPA advantage, together with \(\delta \) and the query bounds, bounds the OW-qPCA advantage.
4.2 \(\mathrm {U}^{\not\perp }\): from OW-qPCA to IND-CCA in the QROM
Theorem 4
(PKE\('\) OW-qPCA \(\overset{{QROM}}{\Rightarrow }\) KEM-III IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct, then for any IND-CCA adversary against \(\text {KEM-III}\), issuing at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) queries to the quantum random oracle H, there exists a quantum OW-qPCA adversary against PKE\('\) that makes at most \(q_H\) queries to the Pco oracle, whose running time is about that of the IND-CCA adversary and whose OW-qPCA advantage, together with \(\delta \) and the query bounds, bounds the IND-CCA advantage.
The proof skeleton of Theorem 4 is essentially the same as that of Theorem 1. Here, we briefly state the main differences. The complete proof is presented in the full version [13].
4.3 \(\mathrm {U}^{\perp }\): from OW-qPVCA to IND-CCA in the QROM
To a public-key encryption scheme PKE\('\) = (\(Gen'\), \(Enc'\), \(Dec'\)) and a hash function H, we associate \(\text {KEM-IV}=U^{\perp }[\mathrm {PKE}',H]\). We remark that \(\mathrm {U}^{\perp }\) is essentially the transformation of [6, Table 2], a KEM variant of the REACT/GEM transformations [53, 54]. The algorithms of KEM-IV = (Gen, Encaps, \(Decaps^{\perp }\)) are defined in Fig. 12.
Theorem 5
(PKE\('\) OW-qPVCA \(\overset{{QROM}}{\Rightarrow }\) KEM-IV IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct, then for any IND-CCA adversary against \(\text {KEM-IV}\), issuing at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) queries to the quantum random oracle H, there exists an OW-qPVCA adversary against PKE\('\) that makes at most \(q_H\) queries to the Pco oracle and at most \(q_D\) queries to the Val oracle, whose running time is about that of the IND-CCA adversary and whose OW-qPVCA advantage, together with \(\delta \) and the query bounds, bounds the IND-CCA advantage.
The only difference between KEM-III and KEM-IV is the response to an invalid ciphertext in the decapsulation algorithm. When the ciphertext c is invalid, the decapsulation algorithm of KEM-III returns a pseudorandom key derived from c, so whatever ciphertext (valid or invalid) is submitted, the returned values have the same distribution. As a result, the reduction can simulate the decapsulation oracle Decaps without recognizing invalid ciphertexts. The decapsulation algorithm of KEM-IV, in contrast, returns \(\perp \) when the submitted c is invalid; thus, to simulate Decaps, the reduction needs to decide whether c is valid. Since PKE\('\) is assumed to be OW-qPVCA-secure, the reduction can query the Val oracle to make this decision. It is then easy to verify that the proof method of Theorem 4 yields the desired security bound.
4.4 \(\mathrm {U}_m^{\not\perp }\): from OW-CPA/OW-VA to IND-CCA for Deterministic Encryption in the QROM
We note that for a deterministic PKE scheme, OW-PCA security is equivalent to OW-CPA security, since the Pco oracle can be simulated by re-encryption in the proof. Thus, combining the proofs of Theorems 2, 4 and 5 and [12, Theorem 4.1], we easily obtain the following two theorems.
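As an added, runnable illustration (not code from the paper or from [7]) of the constructions discussed in Sects. 3 and 4: the \(\mathrm {T}\) transformation with its re-encryption check, KEM-I/KEM-II style encapsulation, implicit rejection (\(\mathrm {U}^{\not\perp }\)) next to explicit rejection (\(\mathrm {U}^{\perp }\)) as contrasted above, the plaintext-checking oracle simulated by re-encryption alone for a deterministic scheme, and the \(H_1\)-based decapsulation simulation from Case 1 of the proof of Theorem 1. Everything in it is assumed for illustration only: the PKE is a toy ElGamal-style scheme over \(\mathbb {Z}_p^*\) with an insecure 61-bit prime, the random oracles G and H are instantiated with tag-separated SHA3-256, the PRF f with HMAC, and all names (enc_T, decaps_implicit, run_checks, ...) are the example's own.

```python
# Added example (not code from the paper): toy instantiation of the T and U transformations.
# Assumptions, all hypothetical: an ElGamal-style randomized PKE over Z_p^* with a 61-bit prime,
# tag-separated SHA3-256 standing in for the random oracles G and H, and HMAC-SHA3 as the PRF f.
# The parameters are far too small to be secure; they only make the transformations runnable.
import hashlib
import hmac
import secrets

P = (1 << 61) - 1    # toy Mersenne prime (constructed, insecure size)
GEN = 3              # fixed base element of Z_p^*


def gen():
    """Gen: pk = GEN^x, sk = (x, s); s is the random seed used for implicit rejection."""
    x = secrets.randbelow(P - 2) + 1
    return pow(GEN, x, P), (x, secrets.token_bytes(32))


def enc(pk, m, r):
    """Enc(pk, m; r): randomized encryption of m in Z_p^* with explicit randomness r."""
    return (pow(GEN, r, P), (m * pow(pk, r, P)) % P)


def dec(x, c):
    """Dec(sk, c): the message, or None (the symbol bottom) for a malformed ciphertext."""
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return None
    return (c2 * pow(c1, P - 1 - x, P)) % P   # c1^{-x} by Fermat's little theorem


def ro(tag, *parts):
    """Tag-separated random-oracle stand-in (SHA3-256) used for G, H, H_1 and H_3."""
    return hashlib.sha3_256(tag.encode() + b"".join(b"|" + repr(p).encode() for p in parts)).digest()


def G(m):
    """G: M -> R, the derandomization oracle of T; output is an exponent in [1, p-2]."""
    return 1 + int.from_bytes(ro("G", m), "big") % (P - 2)


def enc_T(pk, m):
    """Enc' of PKE' = T[PKE, G]: deterministic, c = Enc(pk, m; G(m))."""
    return enc(pk, m, G(m))


def dec_T(pk, x, c):
    """Dec' of T: decrypt, re-encrypt, and reject unless the ciphertext is reproduced."""
    m = dec(x, c)
    return None if m is None or enc_T(pk, m) != c else m


def pco_without_sk(pk, m, c):
    """Pco oracle of the deterministic PKE', simulated by re-encryption alone (remark of Sect. 4.4)."""
    return enc_T(pk, m) == c


def encaps(pk, kem="I"):
    """Encaps of KEM-I (K = H(m, c)) or KEM-II (K = H(m)); both use c = Enc(pk, m; G(m))."""
    m = secrets.randbelow(P - 1) + 1
    c = enc_T(pk, m)
    return c, (ro("H", m, c) if kem == "I" else ro("H", m))


def decaps_implicit(pk, sk, c, kem="I"):
    """Implicit rejection (KEM-I / KEM-II): invalid c yields H(s, c) resp. the PRF value f(s, c), never bottom."""
    x, s = sk
    m = dec_T(pk, x, c)
    if kem == "I":
        return ro("H", m, c) if m is not None else ro("H", s, c)
    return ro("H", m) if m is not None else hmac.new(s, repr(c).encode(), hashlib.sha3_256).digest()


def decaps_explicit(pk, sk, c):
    """Decaps of KEM-IV = U^perp[PKE', H] (explicit rejection): None (bottom) on invalid c."""
    m = dec_T(pk, sk[0], c)
    return None if m is None else ro("H", m, c)


def simulated_oracles(pk):
    """Case 1 of Theorem 1: H(m, c) := H_1(c) if c = Enc(pk, m; G(m)), else H_3(m, c); Decaps is then H_1, needing no sk."""
    def H_sim(m, c):
        return ro("H1", c) if enc_T(pk, m) == c else ro("H3", m, c)
    return H_sim, (lambda c: ro("H1", c))


def run_checks():
    """Exercise each transformation once; returns a dict of named boolean results."""
    pk, sk = gen()
    x, _ = sk
    c, k = encaps(pk)
    c2, k2 = encaps(pk, kem="II")
    tampered = (c[0], (2 * c[1]) % P)   # ElGamal is malleable: decrypts to 2m, but fails re-encryption
    H_sim, decaps_sim = simulated_oracles(pk)
    m = dec_T(pk, x, c)
    rejected = decaps_implicit(pk, sk, tampered)
    return {
        "kem1_roundtrip": decaps_implicit(pk, sk, c) == k,
        "kem2_roundtrip": decaps_implicit(pk, sk, c2, kem="II") == k2,
        "T_rejects_tampered": dec(x, tampered) is not None and dec_T(pk, x, tampered) is None,
        "implicit_reject_is_stable_key": rejected not in (None, k) and rejected == decaps_implicit(pk, sk, tampered),
        "explicit_reject_is_bottom": decaps_explicit(pk, sk, tampered) is None,
        "pco_matches_real_oracle": all(pco_without_sk(pk, m, q) == (dec_T(pk, x, q) == m) for q in (c, tampered)),
        "simulation_agrees_on_valid_c": H_sim(m, c) == decaps_sim(c),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The tampered ciphertext is the point of the exercise: the toy PKE decrypts it to a perfectly well-formed plaintext, and only the re-encryption check of \(\mathrm {T}\) rejects it, after which the two rejection modes diverge exactly as described above (a stable pseudorandom key under \(\mathrm {U}^{\not\perp }\), the symbol \(\perp \) under \(\mathrm {U}^{\perp }\)). The last check shows why the reduction in Theorem 1 needs no secret key: on every ciphertext that decapsulates honestly, the reprogrammed H agrees with \(H_1\).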
Theorem 6
(PKE\('\) OW-CPA \(\overset{{QROM}}{\Rightarrow }\) KEM-V IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct and deterministic, then for any IND-CCA adversary against \(\text {KEM-V}\), issuing at most \(q_E\) quantum queries to the encryption oracle^{7}, at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) quantum queries to the random oracle H, there exist a quantum OW-CPA adversary against \(\mathrm {PKE}'\), an adversary against the security of \(\mathrm {PRF}\) making at most \(q_D\) classical queries, and an adversary against the \(U_\mathcal {M}\)-DS security of \(\mathrm {PKE}'\) with simulator S (\(U_\mathcal {M}\) is the uniform distribution on \(\mathcal {M}\)), each running in about the time of the IND-CCA adversary, such that the IND-CCA advantage is bounded in terms of the OW-CPA advantage, and alternatively in terms of the DS advantage, together with the PRF advantage, \(\delta \) and the query bounds.
Theorem 7
(PKE\('\) OW-VA \(\overset{{QROM}}{\Rightarrow }\) KEM-VI IND-CCA). If \(\mathrm {PKE}'\) is \(\delta \)-correct and deterministic, then for any IND-CCA adversary against \(\text {KEM-VI}\), issuing at most \(q_E\) quantum queries to the encryption oracle, at most \(q_D\) (classical) queries to the decapsulation oracle Decaps and at most \(q_H\) quantum queries to the random oracle H, there exists a quantum OW-VA adversary against \(\mathrm {PKE}'\) that makes at most \(q_D\) queries to the Val oracle, whose running time is about that of the IND-CCA adversary and whose OW-VA advantage, together with \(\delta \) and the query bounds, bounds the IND-CCA advantage.
Footnotes
1. In implicit (explicit) rejection, a pseudorandom key (the special symbol \(\perp \)) is returned for an invalid ciphertext.
2. \(\mathrm {QFO}^{\perp }\) (\(\mathrm {QFO}^{\not\perp }\)) is the same as \(\mathrm {QFO}_m^{{\perp }}\) (\(\mathrm {QFO}_m^{\not\perp }\)) except that \(K=H(m,c)\). Its security proof can be easily obtained from the one for \(\mathrm {QFO}_m^{{\perp }}\) (\(\mathrm {QFO}_m^{\not\perp }\)) in [7].
3. \(\mathrm {TPunc}\) is a variant of T in [7].
4. This method is also used by the concurrent and independent work [12].
5. \(\mathrm {FO}_m^{\not\perp }\) here is the generic version of \(\mathrm {FO}_m^{\not\perp }\) in [7]. In their work, the pseudorandom function f is instantiated with \(H(s,\cdot )\) (s is a random seed contained in the secret key \(sk'\)).
6.
7. For the deterministic scheme PKE\('\), given the public key pk, a quantum adversary can execute the encryption algorithm \(Enc'\) on a quantum computer.
Acknowledgements
We would like to thank the anonymous reviewers of Crypto 2018, Keita Xagawa, Takashi Yamakawa, Jiang Zhang, and Edoardo Persichetti for their helpful comments and suggestions. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205, 61472446, 61701539, 61501514), and the Open Project Program of the State Key Laboratory of Mathematical Engineering and Advanced Computing (No. 2016A01).
References
1. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
2. Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_6
3. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. Des. Codes Crypt. 76(3), 469–504 (2015)
4. NIST: National Institute of Standards and Technology. Post-quantum crypto project (2017). https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
5. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_35
6. Dent, A.W.: A designer's guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
7. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
8. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
9. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 1–22 (2013)
10. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) Proceedings of the 1st ACM Conference on Computer and Communications Security - CCS 1993, pp. 62–73. ACM (1993)
11. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
12. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
13. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. Technical report, Cryptology ePrint Archive, Report 2017/1096 (2017). https://eprint.iacr.org/2017/1096
14. Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A.D. (eds.) TCC 2016-B. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
15. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428
16. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 260–274. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_16
17. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing - STOC 1996, pp. 212–219. ACM (1996)
18. Hülsing, A., Rijneveld, J., Schanck, J.M., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12
19. Hamburg, M.: Module-LWE: the three bears. Technical report. https://www.shiftleft.org/papers/threebears/
20. Ding, J.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive 2012/688 (2012)
21. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
22. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy - S&P 2015, pp. 553–570 (2015)
23. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium - USENIX Security 2016, pp. 327–343. USENIX Association (2016)
24. Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS 2016, pp. 1006–1018. ACM (2016)
25. Cheon, J.H., Kim, D., Lee, J., Song, Y.S.: Lizard: cut off the tail! Practical post-quantum public-key encryption from LWE and LWR. Technical report, Cryptology ePrint Archive, Report 2016/1126 (2016). http://eprint.iacr.org/2016/1126
26. Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy - EuroS&P 2018 (2018, to appear)
27. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS-III 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868
28. Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime: reducing attack surface at low cost. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 235–260. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_12
29. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of the 2013 IEEE International Symposium on Information Theory (ISIT), pp. 2069–2073. IEEE (2013)
30. Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
31. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
32. Bernstein, D.J., Groot Bruinderink, L., Lange, T., Panny, L.: HILA5 pindakaas: on the CCA security of lattice-based encryption with error correction. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 203–216. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_12
33. Saarinen, M.J.O.: HILA5: on reliability, reconciliation, and error correction for ring-LWE encryption. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 192–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_10
34. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing - STOC 2008, pp. 197–206. ACM (2008)
35. McEliece, R.J.: A public-key cryptosystem based on algebraic. DSN Progress Report 42–44, pp. 114–116 (1978)
36. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15(2), 159–166 (1986)
37. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
38. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
39. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
40. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
41. Google: PQC-forum. LIMA (2018). https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/6khIivE2KE0
42. Unruh, D.: Revocable quantum timed-release encryption. J. ACM 62(6), 49:1–49:76 (2015)
43. Albrecht, M.R., Orsini, E., Paterson, K.G., Peer, G., Smart, N.P.: Tightly secure ring-LWE based key encapsulation with short ciphertexts. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 29–46. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66402-6_4
44. Giovannetti, V., Lloyd, S., Maccone, L.: Quantum private queries. Phys. Rev. Lett. 100(23), 230502 (2008)
45. De Martini, F., Giovannetti, V., Lloyd, S., Maccone, L., Nagali, E., Sansoni, L., Sciarrino, F.: Experimental quantum private queries with linear optics. Phys. Rev. A 80(1), 010302 (2009)
46. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information, no. 2. Cambridge University Press, Cambridge (2000)
47. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44
48.  Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th IEEE Annual Symposium on Foundations of Computer Science - FOCS 2014, pp. 474–483. IEEE (2014)
49. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.M., Chung, K.M., Persiano, G., Yang, B.Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
50. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_21
51. Zhandry, M.: A note on the quantum collision and set equality problems. Quant. Inf. Comput. 15(7–8), 557–567 (2015)
52. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
53. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13
54. Jean-Sébastien, C., Handschuh, H., Joye, M., Paillier, P., Pointcheval, D., Tymen, C.: GEM: a generic chosen-ciphertext secure encryption method. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 263–276. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_18