Abstract
The efficiency of a black-box reduction is an important goal of modern cryptography. Traditionally, the time complexity and the success probability were considered as the main aspects of efficiency measurements. In CRYPTO 2017, Auerbach et al. introduced the notion of memory-tightness in cryptographic reductions and showed a memory-tight reduction of the existential unforgeability of the RSA-FDH signature scheme. Unfortunately, their techniques do not extend directly to the reductions involving intricate RO-programming. The problem seems to be inherent as all the other existing results on memory-tightness are lower bounds and impossibility results. In fact, Auerbach et al. conjectured that a memory-tight reduction for security of Hashed-ElGamal KEM is impossible.
-
We refute the above conjecture. Using a simple RO simulation technique, we provide memory-tight reductions of security of the Cramer-Shoup and the ECIES version of Hashed-ElGamal KEM.
-
We prove memory-tight reductions for different variants of Fujisaki-Okamoto Transformation. We analyze the modular transformations introduced by Hofheinz, Hövermanns and Kiltz (TCC 2017). In addition to the constructions involving implicit rejection, we present a memory-tight reduction for the security of the transformation \(\mathsf{\text {QFO}_m^\perp }\). Our techniques can withstand correctness-errors, and applicable to several lattice-based KEM candidates.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Memory Efficiency of Black-Box Reductions. Black-box reduction is an imperative tool in modern cryptography. The security of any scheme S is typically argued by an algorithm \(\mathtt{R}\). Given an adversary, \(\mathcal {A}_S\) against S, R with black-box access to \(\mathcal {A}\) is shown to solve some underlying hard problem \(\mathcal {P}\). The efficiency of a black-box reduction is measured by the resources \(\mathtt{R}\) uses, typically in terms of \(\mathcal {A}\). Traditionally the reductions aimed at optimizing the time complexity and/or the success probability [4, 5, 11]. However, Auerbach et al. [3] observed that some reductions which are tight in success probability and time complexity, require a large amount of memory. If the underlying problem is memory sensitive (easier to solve with larger memory), then a memory loose reduction does not rule out the existence of an efficient adversary. They noted further that many of the standard assumptions including LPN, SVP, Discrete Logarithm Problem in prime fields, factoring are memory sensitive. Hence it is imperative to find memory-efficient reductions when the security is based on the hardness of these problems.
Unfortunately, most of the existing results on memory-tight reductions are lower bounds. In [3], authors ruled out memory-tight, restricted black-box reductions for the security of multi-signatures from unique signatures, and multicollision resistance from collision resistance. In [21], Wang et al. showed lower bounds for a larger class of black-box reductions including the security of public-key encryption and signature schemes in the multi-user setting. In [14], Demay et al. considered the indifferentiability notion in the memory restricted setting, and proved the impossibility of domain extension of hash functions (even by one bit).
On the other hand, to the best of our knowledge, the only positive result so far is the memory-efficient reduction for RSA FDH in the Random Oracle model [3]. The authors introduced new techniques for the random oracle model and showed, using pseudo-random functions and the power of rewinding the adversary once, one can prove a memory-tight reduction of the existential unforgeability of RSA-FDH from RSA assumption. Their technique seems to be generally applicable for hash and sign paradigm, where the domain of the underlying trapdoor permutation enjoys some form of homomorphism (required for applying Coron’s technique [12]).
Key Encapsulation Mechanisms. A Key Encapsulation Mechanism (KEM) is a fundamental primitive to construct efficient public-key cryptosystem. Research in KEM design has been rejuvenated in the last few years due to the ongoing effort to standardize post-quantum cryptographic algorithms. While constructions of secure KEM in the “classical” setting have been known for years (see [15] for a comprehensive treatment), the reductions were non-tight, and required perfect correctness from the underlying public-key encryption scheme. There are numerous recent works on KEM in the quantum setting [10, 16, 17, 19, 20]. However, not much progress has been made in the classical setting until the work of Hofheinz, Hövermanns and Kiltz [16]. HHK revisited the KEM version of Fujisaki Okamoto transformations and presented a modular analysis of multiple variants. Their results, notably include, tight reduction (traditional sense) even when underlying public-key encryption scheme has some correctness error.
1.1 Our Contributions
In this paper, we present memory-efficient reductions of the security of hashed-ElGamal and other variants of Fujisaki-Okamoto transformations.
Memory-Tight Reduction for Hashed-ElGamal. Our starting point is the following conjecture of Auerbach et al. [3].
Conjecture 1
[3]. Memory-tight Reduction for Hashed-ElGamal does not exist.
In this paper, we refute the above conjecture. We introduce a simple “map-then-prf” technique to simulate the random oracle in a memory-efficient way. Our technique programs the Random Oracle non-adaptively, avoiding the need to tabulate the Random Oracle queries. We consider two versions of Hashed-ElGamal KEM, ECIES [1, 2] and HEG [13]. We summarize these results in the following two informal theorems.
Theorem 2
(Informal). Let \(\mathbb {G}\) be a prime-order cyclic group. Let be a prf. There exists a memory-tight reduction, in the random oracle model, of the security of HEG over \(\mathbb {G}\) and \(\mathcal {K}\) from the gap-Diffie-Hellman problem over \(\mathbb {G}\).
Theorem 3
(Informal). Let \(\mathbb {G},\mathbb {G}_T\) be prime-order cyclic groups and \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a bilinear map. Let be a prf. There exists a memory-tight reduction, in the random oracle model, of the security of ECIES over \(\mathbb {G}\) and \(\mathcal {K}\) from the Computational-Diffie-Hellman problem over\(\mathbb {G}\).
Memory-Tight Reduction for Variants of Fujisaki-Okamoto Transformations. Fujisaki-Okamoto transformation and other related KEM constructions have gained particular importance in recent years for their applications in constructing post-quantum KEM schemes. In particular, the modular analysis in [16] has been applied widely in constructing lattice-based candidates. In this paper, we prove memory-tight reduction for three variants of Fujisaki-Okamoto transformations (described in Table 1).
We revisit the analysis in [16] and show techniques for memory-tight reductions for all the modules, even withstanding the correctness errors. We summarize the results below.
-
Transformations \(\mathrm {U}^{\not \perp },\mathrm {U}_m^{\not \perp },\mathrm {U}^\perp ,\mathrm {U}_m^{\perp }\). In [16], the authors presented four closely related modules to construct an secure KEM from a public-key encryption scheme \(\mathsf{PKE}\). The security requirement from \(\mathsf{PKE}\) depends on the specific variant of \(\mathrm {U}\). In this paper, we show new RO simulation techniques for all the four variants to convert corresponding the reductions in [16] into memory-tight ones.
-
Preprocessing Module T. In [16], the transformation T was presented as the preprocessing module to convert (with a tight reduction) an secure public-key encryption scheme \(\overline{\mathsf{PKE}}\) to a deterministic secure public-key encryption scheme. We observe that the RO simulation technique of Auerbach et al. [3], is sufficient for a memory-tight reduction for security of \(T[\overline{\mathsf{PKE}}]\). When applied with the new reductions for \(\mathrm {U}^{\not \perp }\) and \(\mathrm {U}^{\not \perp }\), this gives a memory-tight reduction for the security of \(\text {KEM}^{\not \perp }\) and \(\text {KEM}_m^{\not \perp }\) respectively.
-
A new intermediate module V. The modules with explicit reject, (namely \(U_m^\perp \) and \(U^{\perp }\)) require security relative to a ciphertext verification oracle. Unfortunately, our technique only proves security of T. To bridge the gap, we present a transformation V to convert a deterministic public-key encryption scheme to a deterministic public-key encryption scheme via a memory-efficient reduction. When applied with T and \(U_m^\perp \), we get a memory efficient reduction (in the classical setting) for the scheme \(\text {QKEM}_m^\perp \) of [16] (Table 4 in [15]).
Other Implications. Besides memory efficiency, we found two additional implications of our work. This result refutes the folklore idea that the additional hash present in the \(\text {QKEM}_m^\perp \) transformation is redundant in the classical setting [15,16,17]. The second implication is that V composed with T gives a secure encryption scheme from an secure encryption scheme without the \(\gamma \)-spread requirement of [16].
1.2 Overview of Our Techniques
Challenges with Existing Technique. The memory-efficient technique to simulate an RO in [3] (and later suggested in [8] in the context of KEM) is to evaluate a PRF on the input. However, in the security reduction for key encapsulation mechanisms, the reduction often needs to adaptively program the output of the RO. Evaluating the prf directly on the query input does not provide the required programming capability.
For example, consider the basic construction of a Key Encapsulation Mechanism from a deterministic public-key encryption scheme \(\mathsf{PKE}=(\mathtt{Gen}, \mathtt{Enc},\) \(\mathtt{Dec})\). The public-key, secret-key of the KEM would be a key pair \((pk,sk)\leftarrow \mathtt{Gen}\). An encapsulation involves choosing a random message m, and computing
The output of the encapsulation is (c, k). A traditional security proof assuming \(\mathtt {H}\) to be a random oracle would be to maintain a table containing the queries and corresponding responses of \(\mathtt {H}\) queries. Whenever the adversary makes a decapsulation query on \(\hat{c}\), the reduction will check the table whether it contains an entry \((\hat{m},\hat{c},\hat{h})\) such that \(\mathtt{Enc}(pk,\hat{m})\) returns \(\hat{c}\). If such an entry exists, the answer tothe decapsulation query would be \(\hat{h}\). Otherwise the reduction would return a randomly sampled element \(\hat{h}'\), and save \((-,\hat{c},\hat{h}')\) in the list. The first entry will be filled up when, in a future hash query, the adversary submits \((\hat{m},\hat{c})\) where \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\).
Now consider a memory-efficient reduction where simulation of \(\mathtt {H}\) is performed using a prf F(k, .). A hash query on \((\hat{m},\hat{c})\) is returned with \(F(k, \hat{m},\hat{c})\). The problem arises when simulating the decapsulation query \(\hat{c}\). As the entries are no longer saved in a table, the reduction cannot find the required \(\hat{m}\) to complete the prf evaluation! One may attempt to solve the issue by answering the hash query with \(F(k,\hat{c})\). In that case, the decapsulation queries can be answered. However, two hash queries with the same \(\hat{c}\) but different \(\hat{m}\) would result in a collision! Hence, this idea fails as well.
Core of our Idea: “injectively map and prf”. Our method originates from the following observation. Let us call \((\hat{m},\hat{c})\) a good pair if \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\). In the security game, the answer to a decapsulation query \(\hat{c}\) needs to match with the response of a hash query \((\hat{m},\hat{c})\) only when \((\hat{m},\hat{c})\) is a good pair. When answering hash queries on a good pair \((\hat{m},\hat{c})\), we can “program” the output to be \(F(k,m_0,\hat{c})\) (\(m_0\) being any fixed message). For pairs which are not good, we can query an independent prf \(F'(k,\hat{m},\hat{c})\) to compute the responses. Answer to a decapsulation query on (a valid ciphertext) \(\hat{c}\) will simply be \(F(k,m_0,\hat{c})\). The idea can be generalized as “Apply an appropriate injective function \(\phi \) on the input, and then apply the prf”. As the composition of an injective function with a prf results into a prf, we can use the arguments of [3]. This basic technique can readily be applied to the Cramer-Shoup version of Hashed-ElGamal, as well as the modules \(\mathbf{\mathrm {U}^{\not \perp }}\), and \(\mathbf{\mathrm {U}^\perp }\).
Technique for \(\mathbf{U_m^{\not \perp },U_m^\perp }\). In these cases, the hash function is evaluated only on m. Thus, the above idea is not applicable directly. However, as \(\mathsf{PKE}\) is deterministic, the reduction can still construct a good pair by simply computing \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\), and respond a hash query on \(\hat{m}\) by \(F(k,\hat{c})\). We no longer need to use the independent prf \(F'\), as the hash query only contains the message.
Interestingly, the technique works even if \(\mathsf{PKE}\) has amall correctness errors. Although, \(\mathtt{Enc}(pk,.)\) is no longer injective, finding a collision in the output of \(\mathtt{Enc}(pk,.)\) implies finding a correctness error. Conditioned on no collision in the output of \(\mathtt{Enc}(pk,.)\), the argument of [3] goes through. However, one needs to be careful here, as pointed out in [8]. In some definition of deterministic encryption, it is easy to come up with a scheme where a ciphertext decrypts to a message which in turn encrypts to a different ciphertext. To solve the issue, we require that for every message \(\hat{m}\) there exists a single ciphertext \(\hat{c}\) that decrypts to \(\hat{m}\). Our definition of deterministic encryption is carefully considered to maintain this property. Moreover, the schemes generated by the transformation T of [16] satisfies the definition.
Technique for ECIES. In the case of ECIES, we have a group \(\mathbb {G}\) of prime order q with a generator \(g\in \mathbb {G}\). A public-key is a random element X with the corresponding secret-key x such that \(X=g^x\). The encapsulation involves choosing a random \(y\) and computing
The output of the encapsulation is (Y, k). While ECIES is analogous to \(U_m^{\not \perp }\), we cannot find Y from Z! Hence, we cannot “map to ciphertext space” and applyF.
Fortunately, the “map-then-prf” technique is not limited to mapping to the ciphertext space. We note, when ECIES is implemented using a pairing friendly curve, there exists a bilinear map \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) for some \(\mathbb {G}_T\). Moreover, by the bilinear property, \(\hat{e}(g^x,g^y)=\hat{e}(g,g^{xy})\). We simulate the random oracle using \(F(k,\hat{e}(g,.))\). The decapsulation oracle can maintain consistency by using \(F(k,\hat{e}(X,.))\).
2 Notations and Preliminaries
If S is a set |S| denotes the size of S. denotes the process of choosing x uniformly at random from S. [n] denotes the set of first n natural numbers. Composition of two functions is denoted by \(\circ \). If \(\hat{F}=F\circ \phi \), then \(\hat{F}(x)= F(\phi (x))\).
Algorithms and Security Games. The algorithms and complexities considered in the papers are in the RAM model. The algorithms have access to memory and constant number of registers, each having size of one word. For a deterministic (resp. probabilistic) algorithm \(\mathcal {A}\), (resp ) denotes y is the (resp. uniformly sampled) output of \(\mathcal {A}\) on input x. \(\mathcal {A}^\mathcal {O}\) denotes that \(\mathcal {A}\) has access to \(\mathcal {O}\) as an oracle. The oracles in this paper may be stateful; \(st_\mathcal {O}\) denotes the state of the RAM \(\mathcal {O}\). As followed in [3], \(\mathcal {A}\) with oracle access to \(\mathcal {O}\) cannot access \(st_\mathcal {O}\).
Security Games. The results are proven in the framework of code based games of [6]. A game G consists an algorithm consists of a main oracle, and zero or more stateful oracles \(O_1,O_2,\cdots , O_n\). If a game G is implemented using a function f, we write G[f] to denote the game.
Complexity Measures. In this paper, we consider the following three complexity measures of an algorithm.
Success Probability. The success probability of an algorithm \(\mathcal {A}\) in game G is defined by .
Time Complexity. The time complexity of an algorithm \(\mathcal {A}\), denoted by , is the number of computation steps performed by \(\mathcal {A}\) in the worst case over all possible input of size . When \(\mathcal {A}\) plays a security game G, the time complexity of the game, denoted by , is the time complexity of \(\mathcal {A}\) plus the number of queries \(\mathcal {A}\) makes to the oracle.Footnote 1
Memory Complexity. Following [3, 21], we define the memory complexity of an algorithm \(\mathcal {A}\) to be the size of the code plus the worst-case number of registers used in memory at any step in computation, over all possible input of size and random coins. denotes the memory complexity of \(\mathcal {A}\) (not the oracles) in the security game G.
Reductions and Efficiency. We follow the definition of black-box reductions proposed in [18]. A cryptographic primitive \(\mathcal {P}\) is a family of efficiently computable functions \(f:\{0,1\}^{*}\rightarrow \{0,1\}^{*}\). Security of \(\mathcal {P}\) is described using a game G. An adversary \(\mathcal {A}\) is said to \(\mathcal {P}\)-break f with probability \(\epsilon \), if
We follow the following definition of a cryptographic reduction.
Definition 1
Let \(\mathcal {P},\mathcal {Q}\) be cryptographic primitives and \(G_P\) and \(G_Q\) be the corresponding security games respectively. A reduction from \(\mathcal {P}\) to \(\mathcal {Q}\) is a pair of algorithms \(\mathtt{C},\mathtt{R}\) such that
-
\(\mathtt{C}^f\in \mathcal {Q} \text { for all } f \in \mathcal {P}\)
-
For all \(f\in \mathcal {P}\), for all adversary \(\mathcal {A}\) that \(\mathcal {Q}\)-breaks \(\mathtt{C}^f\), the algorithm \(\mathtt{R}^\mathcal {A}\) \(\mathcal {P}\)-breaks f.
Memory-Tight Reductions. Following [3, 21], we define memory-tight reductions as follows.
Definition 2
A Cryptographic reduction \((\mathtt{C},\mathtt{R})\) from \(\mathcal {P}\) to \(\mathcal {Q}\) is called memory-tight, if for all \(f\in \mathcal {P}\),
Hardness Assumptions. The security proofs of Hashed-ElGamal variants are reduced from the Computational Diffie-Hellman and gap-Diffie-Hellman assumption. Consider the \(\mathsf{CDH}\) game described in Fig. 1.
Definition 3
(gap-Diffie-Hellman Assumption). Let q be a prime. Let \(\mathbb {G}=\langle g \rangle \) be a cyclic group of order q. The \((t,\mu ,\epsilon )\) gap-Diffie-Hellman () assumption states that for all adversary \(\mathcal {A}\) that runs in times t and uses \(\mu \) bites of memory,
The Computational Diffie-Hellman assumption is defined in the same way, except the condition that \(\mathcal {A}\) has no access to the oracle.
Key Encapsulation Mechanism. A key encapsulation mechanism \(\mathsf KEM\) consists of three algorithms; \(\mathtt{Gen},\mathtt{Encap},\mathtt{Decap}\). The key generation algorithm \(\mathtt{Gen}\) takes a security parameter as input and outputs a public key pk and a secret key sk. The encapsulation algorithm \(\mathtt{Encap}\), on input pk, outputs a key-ciphertext pair (c, K), where \(K \in \mathcal {K}\) for some non-empty set \(\mathcal {K}\). c is said to be the encapsulation of K. The deterministic decapsulation algorithm \(\mathtt{Decap}\) takes an encapsulation c as input along with sk, and outputs a key \(K\in \mathcal {K}\). A \(\mathsf{PKE}\) is called \(\delta \)-correct if
IND-CCA security of a Key Encapsulation Mechanism. We recall the security game for a Key Encapsulation Mechanism in Fig. 2. The advantage of an adversary \(\mathcal {A}\) against \(\mathsf{PKE}\) is defined as
Public-Key Encryption. A public-key encryption scheme consists of three algorithms, \(\mathsf{PKE}=(\mathtt{Gen},\mathtt{Enc},\mathtt{Dec})\). There are three sets associated with \(\mathsf{PKE}\), the message space \(\mathcal {M}\), the randomness space \(\mathcal {R}\), and the ciphertext space \(\mathcal {C}\). The key generation algorithm takes the security parameter as input and outputs a public-key, secret-key pair (pk, sk). The encryption algorithm takes the public key pk, and a message \(m\in \mathcal {M}\) as input, samples a random string , and outputs a ciphertext.\(c\leftarrow \mathtt{Enc}(pk,m,r)\). The decryption algorithm \(\mathtt{Dec}\), on input sk and a ciphertext c, outputs a message \(m=\mathtt{Dec}(sk,c)\in \mathcal {M}\) or a special symbol \(\perp \,\notin \mathcal {M}\). We say, c is an invalid ciphertext, if \(\mathtt{Dec}(sk,c)=\perp \).
Deterministic Public Key Encryption. We call a public-key encryption scheme PKE deterministic, if the algorithm \(\mathtt{Enc}\) is deterministic and for every message \(m\in \mathcal {M}\), there exists a unique \(c\in \mathcal {C}\) such that \(\mathtt{Dec}(sk,c)=m\). We write \(c\leftarrow \mathtt{Enc}(pk,m)\) for deterministic encryption.
Correctness. Following [16], we define the correctness of a public-key encryption scheme by the security game \(\mathsf{COR}\) in Fig. 3.
Definition 4
Let be an increasing function. Consider the game \(\mathsf{COR}\) in Fig. 3. A public-key encryption scheme \(\mathsf{PKE}\) is called \(\delta \)-correct, if for all adversary \(\mathcal {A}\) with running time bounded by t,
where the probability is taken over the randomness of \(\mathtt{Gen}\) and \(\mathcal {A}\). Moreover, we say \(\mathsf{PKE}\) is strongly \(\overline{\delta }\) correct, if \(\forall ~t,\delta (t)\le \overline{\delta }\).
Security. Following [16], we define three security games for a public-key encryption scheme, , , and in Fig. 4. In game, the adversary has oracle access to . In the game, the adversary has oracle access to . In game, the adversary has oracle access to both and . For , we define the corresponding advantages of an adversary \(\mathcal {A}\) against \(\mathsf{PKE}\) as
Random Oracles. An (idealized) function is said to be a Random Oracle, if for all , the output \(\mathcal {F}(x)\) is independently and uniformly distributed over .
Pseudo-random Functions
Definition 5
Let be a deterministic algorithm and let \(\mathcal {A}\) be an algorithm. The prf advantage of \(\mathcal {A}\) is defined as
F is said to implement a family of \((t,d,\epsilon )\)-pseudo-random functions if for all adversary \(\mathcal {A}\) that runs in time t and uses memory d,
Simulating Random Oracle Using PRF. If a game G is defined in the random oracle model, then one procedure of the game defines the random oracle . The standard technique to implement the random oracle procedure is via lazy sampling. However, the lazy sampling technique requires additional memory where \(q_h\) is the number of \(\mathtt {H}\) queries made by the adversary. In [3], the authors formalized the technique, originally suggested in [7], of simulating the Random Oracle using a prf. Let \(G[\mathtt {H}]\) be a game where \(\mathtt {H}\) is a random oracle used in G. Let G[F] be the same game where the random oracle is implemented using a prf F. Specifically, the oracle \(\mathtt {H}\) is implemented using F(k, .) for a randomly sampled key k (Fig. 6).
Lemma 1
(RO simulation using prf [3]). For all adversary \(\mathcal {A}\) against G making at most \(q_h\) queries to the random oracle, there exists a \(\mathcal {B}_F\) against F in the prf game such that
Moreover, it holds that
3 Memory-Tight Reductions for Hashed-ElGamal
3.1 Cramer-Shoup Variant
In this section we present a memory-tight reduction of Cramer-Shoup version of hashed-ElGamal Key Encapsulation mechanism [13]. We describe the scheme in Fig. 7. \(\mathbb {G}\) is a cyclic group of prime order q. Let \(\mathtt {H}:\mathbb {G}\times \mathbb {G}\rightarrow \mathcal {K}\) be a hash function. Our main result in this section is the following theorem.
Theorem 4
Let q be a prime and \(\mathbb {G}\) be any gap group of order q. Let be the Decisional Diffie Hellman oracle on \(\mathbb {G}\). Let \(\mathtt{DH}\) be the Diffie Hellman instance generation algorithm over \(\mathbb {G}\). Let be a prf. Let \(\Pi \) be the HEG KEM scheme over \(\mathbb {G}\) and \(\mathcal {K}\), with security parameter .
Let \(\mathcal {A}\) be any adversary in the game of \(\Pi \). Suppose \(\mathcal {A}\) makes \(q_H\) hash queries and \(q_D\) decapsulation queries. Then, in the random oracle model, there exists an adversary \(\mathcal {B}_{DH}\) in the game, and an adversary \(\mathcal {B}_{F}\) such that
Moreover, it holds that
Before proving the Theorem 4, we construct a prf that we shall use in the proof.
Construction of \({\varvec{\hat{F}}}\). Let be the decisional Diffie-Hellman oracle such that , if (X, Y, Z) is a valid Diffie-Hellman tuple.
Construction 5
Let \(\mathbb {G}\) be a group of prime order q and let g be a generator of \(\mathbb {G}\). Fix \(X\in \mathbb {G}\). Let . We define as follows
In order to use the map then prf technique, we need the following lemma.
Lemma 2
If F is a prf, then \(\hat{F}_X\) is a prf. Moreover, for every adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}_X\), there exists a \(\mathcal {B}_{F}\) against F such that,
where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\).
Proof
Fix \(X\in \mathbb {G}\). Note that for every \(Y\in \mathbb {G}\), there exists a unique \(Z\in G\) such that . We define as
It is easy to verify that \(\psi _X\) is an injective function. Moreover, \(\hat{F}_X=F\circ \psi _X\).
Let be the oracle of \(\mathcal {B}_F\). \(\mathcal {B}_F\) chooses \(x \in \mathbb {Z}_q^*\), set \(X=g^x\) and invokes \(\mathcal {B}_{\hat{F}}\). For every query (Y, Z) of \(\mathcal {B}_{\hat{F}}\), \(\mathcal {B}_F\) checks whether \(Y^x=Z\), computes \(\psi _X(Y,Z)\) accordingly and queries . The response of the oracle is passed to \(\mathcal {B}_{\hat{F}}\). When \(\mathcal {B}_{\hat{F}}\) outputs a bit b, \(\mathcal {B}_F\) outputs b. This perfectly simulates the prf game of \(\hat{F}_X\).
We assume the computation time of \(\psi _X\) is constant. In order to simulate the prf game of \(\hat{F}_X\), \(\mathcal {B}_F\) needs to compute \(\psi _X\) for q many times. Moreover, \(\mathcal {B}_F\) needs store x and a temporary variable for passing the values. The lemma follows. \(\square \)
The Reduction. Theorem 4 is proven via a sequence of games. Formal description of the games are given in Figs. 8 and 9.
Game \(\mathbf{G}_0\). The game \(\mathbf{G}_0\) is the original game.
Game \(\mathbf{G}_1\): We predefine \(K_0^*=\mathtt {H}(Y^*,Z^*)\) by sampling a random element from the keyspace \(\mathcal {K}\). \(Y^*\) is the challenge ciphertext sent in the KEM game and \(Z^*={Y^*}^x\). The hash oracle is modified to return \(K_0^*\) for the input \((Y^*,Z^*)\). As \(K_0^*\) is still uniformly chosen at random, and the hash oracle output is consistent, there is no change in the distribution of adversary’s view.
Game \(\mathbf{G}_2\). In this game the oracles \(\mathtt {H}\) and \(\mathtt{Decap}\) are changed. We replace the random oracle by a prf . By Lemma 1, there exists an adversary \(\mathcal {B}_{\hat{F}}\) such that
Game \(\mathbf{G}_3\). We rewrite the prf evaluation of \(\hat{F}_X\) using a prf F as defined in Construction 5. In the procedure \(\mathtt{Decap}\) of the game \(\mathbf{G}_2\), Step 2 (\(Z=Y^x\)) ensures that \(\hat{F}_X(k,Y,Z)\) in that procedure always evaluates to F(k, 1, Y, g). As the view of the adversary remains unchanged,
Game \(\mathbf{G}_4\): In this game, we set a flag Flag and abort on the event that \(\mathcal {A}\) queries \(\mathtt {H}\) on \((Y^*,Z^*)\) where \(Y^*\) is the challenge in the KEM game and \((X,Y^*,Z^*)\) is a valid diffie hellman tuple. By the fundamental lemma of game playing proofs
In the game \(\mathbf{G}_4\), the adversary \(\mathcal {A}\) is unable to compute \(\mathtt {H}(Y^*,Z^*)\) using either the hash oracle or the decapsulation oracle. The decapsulation oracle outputs \(\perp \) whenever the input Y is equal to \(Y^*\). The hash oracle aborts for the input \((Y^*,Z^*)\). This implies that the bit b is independent from the adversary’s view. Hence
To bound \(\text {Prob}[\text {Flag}=1]\), we construct an algorithm \(\mathcal {B}_{DH}\) against the security of \(\mathbb {G}\). \(\mathcal {B}_{DH}\) simulates game \(\mathbf{G}_4\) for \(\mathcal {A}\).
Adversary . Formal code of is given in Fig. 10. simulates \(\mathbf{G}_4\). In order to execute line 1 of the game , uses the oracle. By the definition of game, X and \(Y^*\) are uniformly and independently distributed. Hence the simulation of \(\mathbf{G}_4\) is perfect. Flag = 1 implies that \(\mathcal {A}\) queried where \(Y=Y^*\) and . returns that Z and wins the game. Hence,
Collecting the probabilities, we get
Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) runs \(\mathcal {A}\), queries oracle for \(q_H\) many times, computes the prf F for \((q_H+q_D)\) many times. is the cost of other operations in \(\mathbf{G}_4\).
The last \(q_H\) term in the right-hand side of the above equation is to denote the number of queries made to the oracle.
Memory Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) needs to save the code of \(\mathcal {A}\), and F. In addition, counting the registers in \(\mathbf{G}_4\),
So far, we have proven that there exist adversaries \(\mathcal {B}_{DH}\) and \(\mathcal {B}_{\hat{F}}\)
Applying Lemma 2, we get the adversary \(\mathcal {B}_{F}\) such that
Hence, there exist adversaries \(\mathcal {B}_{DH}\) and \(\mathcal {B}_{F}\) such that
The following lemma finds the efficiency of \(\mathcal {B}_F\)
Lemma 3
3.2 ECIES
Let \(\mathbb {G}=\langle g \rangle \) be a cyclic group of prime order q, equipped with a pairing \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). Let \(\mathtt {H}:\mathbb {G}\rightarrow \mathcal {K}\) be a hash function. In this section, we present a memory tight reduction of the underlying Key Encapsulation Mechanism of ECIES from the Computational Diffie-Hellman assumption over \(\mathbb {G}\). We describe the ECIES KEM scheme in Fig. 11. Our main result in this section is the following theorem.
Theorem 6
Let q be a prime and \(\mathbb {G}\) be a group of order q equipped with a pairing \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). Let \(\mathtt{DH}\) be the Diffie Hellman instance generation algorithm over \(\mathbb {G}\). Let be a prf. Let \(\hat{\Pi }\) be the ECIES-KEM scheme over \(\mathbb {G}\) and \(\mathcal {K}\), with security parameter .
Let \(\mathcal {A}\) be an adversary in the game of \(\hat{\Pi }\). Suppose \(\mathcal {A}\) makes \(q_h\) hash queries and \(q_D\) decapsulation queries. Then, in the random oracle model, there exists an adversary \(\mathcal {B}_{DH}\) in the \(\mathsf {CDH}\) game, and an adversary \(\mathcal {B}_{F}\) such that
Moreover, it holds that
The reduction to prove Theorem 6 is almost the same as in the previous section. The only difference is in the construction of the intermediate prf \(\hat{F}\) and the reduced \(\mathsf{CDH}\)-adversary \(\mathcal {B}_{DH}\). As the details are almost same to the reduction of HEG, we only describe \(\hat{F}\) and \(\mathcal {B}_{DH}\) here. The reader is referred to the full version of the paper [9] for the rest of the reduction.
Construction 7
(Construction of \(\hat{F}\)). Let \(\mathbb {G}\) be a group of prime order q and let g be a generator of \(\mathbb {G}\). Let \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a bilinear map. Let . We define as follows
Lemma 4
If F is a prf, then \(\hat{F}\) is a prf. Moreover, for every adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}\), there exists a \(\mathcal {B}_{F}\) against F such that,
where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\) to its oracle.
Description of \({\varvec{\mathcal {B}_{DH}}}\): The Adversary to Game \({\varvec{\mathsf {CDH}}}\). Formal code of \(\mathcal {B}_{DH}\) is given in Fig. 12. \(\mathcal {B}_{DH}\) gets \((g,X,Y^*)\) as input, where \(X,Y^*\) are distributed uniformly over \(\mathbb {G}\). Flag = 1 implies that \(\mathcal {A}\) queried \(\mathtt {H}(Z)\) where \((X,Y^*,Z)\) is a valid Diffie Hellman tuple. If Flag is set for some query made by \(\mathcal {A}\), \(\mathcal {B}_{DH}\) returns that corresponding Z and wins the \(\mathsf {CDH}\) game.
Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) runs \(\mathcal {A}\), computes the pairing \(\hat{e}(.,.)\) oracle for \(q_D+3q_H\) many times, computes the prf F for \((q_H+q_D)\) many times. As the rest of the steps in the algorithm takes time,
Memory Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) needs to save the code of \(\mathcal {A}\), \(\hat{e}\), and F. Counting the registers, we get
4 Transformation V: PKE to PKE
In this section, we introduce a transformation V to construct secure deterministic PKE from a secure PKE. Our main result is a memory-tight reduction of V. The main application of V will be in Sect. 5, where we shall use V to get a memory-tight reductions of the security of \(\text{ QKEM }^\perp \) and \(\text{ QKEM }_m^\perp \).
4.1 The Transformation
We start with a deterministic \(\delta \)-correct secure public key encryption scheme, \(\mathsf{PKE}=(\mathtt{Gen},\) \(\mathtt{Enc},\mathtt{Dec})\). Let \(\mathcal {M}=\{0,1\}^n\) be the message space, and \(\mathcal {C}\) be the ciphertext space. Let \(\mathtt {H}':\mathcal {M} \rightarrow \{0,1\}^{\eta }\) be a hash function. The transformed scheme is described as \(\mathsf{PKE}_1=(\mathtt{Gen},\mathtt{Enc}_1,\mathtt{Dec}_1)\).
Our main result of this section is the following theorem.
Theorem 8
Let \(\mathsf{PKE}=(\mathtt{Gen},\) \(\mathtt{Enc},\mathtt{Dec})\) be a deterministic \(\delta \) correct secure public key encryption scheme. Let \(\mathcal {M}\) be the message space, and \(\mathcal {C}\) be the ciphertext space of \(\mathsf{PKE}\). Let \(\mathsf{PKE_1}\) be the transformed public encryption scheme. Let be a prf. Let \(\mathcal {A}\) be any adversary in the game of \(\mathsf{PKE}_1\). Suppose \(\mathcal {A}\) makes \(q_{h'}\) queries to . Let \(q_P\) denote the number of plaintext checking queries and \(q_V\) denote the number of validity checking queries made by \(\mathcal {A}\).
\(\mathsf{PKE}_1\) is \(\delta \)-correct. Moreover, in the random oracle model, there exists an adversary \(\mathcal {B}\) in the game of \(\mathsf{PKE}_1\), and an adversary \(\mathcal {B}_{F'}\) in the prf game of \(F'\), such that
Moreover it holds that
Similar to previous section, we first construct a prf \(\hat{F}\).
4.2 Construction of \(\hat{F}\)
Construction 9
Fix a public key pk of \(\mathsf{PKE}\). Let . We define \(\hat{F}\) as
In order to use the map then prf technique, we need the following lemma.
Lemma 5
Fix pk. For every \(\mathrm{prf}\)-adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}\), there exists a \(\mathcal {B}_{F'}\) against \(F'\) such that,
where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\).
The main difference in Lemma 5 with the ones in the previous section is the decryption error of \(\mathsf{PKE}\). In other words, we can not claim that \(\mathtt{Enc}(pk,.)\) is an injective function. However, if \(\mathcal {B}_{\hat{F}}\) can query with messages \(m_1,m_2\) such that \(\mathtt{Enc}(pk,m_1)=\mathtt{Enc}(pk,m_2)\), implying a decryption error for either \(m_1\) or \(m_2\).
Proof
First, we prove that if \(F'\) is a prf, then \(\hat{F}\) is a prf. Let be the oracle of \(\mathcal {B}_{F'}\). \(\mathcal {B}_{F'}\) runs \(\mathtt{Gen}\) to receive pk, sk, and invokes \(\mathcal {B}_{\hat{F}}\). For every query m of \(\mathcal {B}_{\hat{F}}\), \(\mathcal {B}_{F'}\), computes \(c=\mathtt{Enc}(pk,m)\), and checks whether \(m=\mathtt{Dec}(sk,c)\). If the check fails \(\mathcal {B}_{F'}\) aborts. If the check succeeds, \(\mathcal {B}_{F'}\) queries , and the response of the oracle is passed to \(\mathcal {B}_{\hat{F}}\). When \(\mathcal {B}_{\hat{F}}\) outputs a bit b, \(\mathcal {B}_F\) outputs b.
If \(\mathcal {B}_{F'}\) aborts on input m, then correctness error occurs in \(\mathtt{Dec}(sk,\mathtt{Enc}(pk,m))\). By assumption, probability of this event is bounded by \(\delta (q)\). Conditioned on that \(\mathcal {B}_{F'}\) does not abort, the output of \(\mathtt{Enc}(pk,m)\) are unique for all m queried by \(\mathcal {B}_{\hat{F}}\). In that case, \(\mathcal {B}_{F'}\) perfectly simulates the prf game of \(\hat{F}\). When \(\mathtt {O}\) is a random function, the simulation implements a random function. When \(\mathtt {O}\) is implemented by \(F'\), \(\mathcal {B}_{F'}\) implements \(\hat{F}\). Thus we get,
In order to simulate the prf game of \(\hat{F}\), \(\mathcal {B}_F\) needs to run \(\mathtt{Enc}\) for q many times. Moreover, \(\mathcal {B}_F\) needs store pk, sk and a temporary variable for passing the values. The lemma follows.
4.3 Proof of Theorem 8
It is obvious that the correctness holds. We prove rest of Theorem 8 via a sequence of games. Formal description of the games are given in the Figs. 14 and 15.
Game \(\mathbf {G_0}\). \(G_0\) is the security game of \(\mathsf{PKE}_1\).
Game \(\mathbf {G_1}\). In this game, we replace \(\mathtt {H}'\) by prf \(\hat{F}\). By Lemma 1, there exists adversary, \(\mathcal {B}_{\hat{F}}\) such that
Game \(\mathbf {G_2}\). In this game, we modify the oracle simulation. Instead of the decryption, \( m'=\mathtt{Dec}(sk,c_1)\), and equality check \(m=m'\), we only check whether, \(c_1=\mathtt{Enc}(pk,m)\). Notice, the condition \(c_2=\hat{F}(k',m)\) remains unchanged. Conditioned on correctness error does not happen, \(c_1'=c_1=\mathtt{Enc}(pk,m)\) implies that \(m'=\mathtt{Dec}(sk,c_1')=m\). Hence, this change does not affect the transcript distribution until correctness error occurs in \(\mathsf{PKE}\).
Game \(\mathbf {G_3}\). In this game we replace \(\hat{F}\) as defined. The change is syntactical and does not change the distribution of any output.
Game \(\mathbf {G_4}\). In this game, we change how the oracles \(\mathtt {PCO}\) and \(\mathtt {CVO}\) responds. For a \(\mathtt {PCO}(m,c)\) query, we no longer encrypt m to compute \(c_2'\). Instead, we run the plaintext checking oracle \(\overline{\mathtt {PCO}}\), provided for \(\mathsf{PKE}\), to check correctness of \((m,c_1)\). If \(c_1\) is indeed a valid ciphertext of m, then by deterministic property of \(\mathsf{PKE}\), \(F'(k,\mathtt{Enc}(pk,m))\) is equal to \(F'(k,c_1)\). Hence we only check whether \(F'(k,c_1)=c_2\). The change in \(\mathtt {PCO}\) is syntactical, and does not change output distribution of the oracle.
Similarly, in \(\mathtt {CVO}\), we change the computation of \(c_2'\), which is now computed as \(F(k',c_1)\). If \(c_1=c_1'\), then the change is syntactical and has no effect in the check in Step 5. If \(c_1\ne c_1'\), the condition in Step 5 rejects irrespective of the value of \(c_2'\). Hence, this change does not change the output distribution of the oracles as well.
Game \(\mathbf {G_5}\). We change the description of the oracle \(\mathtt {CVO}(c)\). We raise a flag Bad, if \(c_2'=c_2\) but \(c_1\) is not a valid ciphertext of \(\mathsf{PKE}\), i.e \(m'\notin \mathcal {M}\) or \(c_1\ne \mathtt{Enc}(pk,m')\) where \(m'=\mathtt{Dec}(c_1)\). However, we do not change the output of the oracle. still return 0 when Bad is set.
Game \(\mathbf {G_6}\). In game \(\mathbf{G_6}\), \(\mathtt {CVO}(c)\) returns 1, when Bad is set. Rest of the games remain unchanged. By the fundamental lemma of game playing proofs,
Note, in the game \(\mathbf{G_6}\), the oracle \(\mathtt {CVO}\) returns 1, if and only if \(c_2=F'(k',c_1)\).
Game \(\mathbf {G_7}\). We rewrite the description of . We no longer run \(\mathtt{Dec}\) and \(\mathtt{Enc}\). The oracle parses c as \(c_1||c_2\), and returns 1 if \(c_2=F'(k',c_1)\) and returns 0 otherwise. Rest of the game remain unchanged. As the output distribution of all the procedures in \(\mathbf {G_7}\) is same as that in \(\mathbf {G_6}\).
Bounding Prob\({\varvec{[G_7^\mathcal {A}=1]}}\). In Fig. 17, we construct an adversary \(\mathcal {B}\) against OW-PCA security of PKE. \(\mathcal {B}\) receives \((pk,c^*)\), invokes \(\mathcal {A}(pk,c^*)\) and perfectly simulates the game \(\mathbf{G_7}\) for \(\mathcal {A}\). When \(\mathcal {A}\) returns a message m, \(\mathcal {B}\) returns m.
Efficiency of \(\mathcal {B}\). Algorithm \(\mathcal {B}\) runs \(\mathcal {A}\), queries \(\mathtt {PCO}\) for \(q_P\) many times, runs \(\mathtt{Enc}\) for \(q_{h'}\) many times, and computes \(F'\) for \((1+q_{h'}+q_V+q_P)\) many times. Rest of the steps take time.
The last \(q_P\) term in the right hand side denotes the number of queries made to \(\mathtt {PCO}\).
Memory Efficiency of \(\mathcal {B}\). \(\mathcal {B}\) needs to save the code of \(\mathcal {A}\), \(\mathtt{Enc}\), and \(F'\). In addition, there are following size registers, \(c^*,c_1,c_2,k',m,c,c_2',h'\).
Bounding Prob[Bad]. To bound \(\text {Prob}[\text {Bad}]\), we construct a prf adversary \({\mathcal {B}}_{F'}^{(1)}\) against \(F'\). Recall that Bad occurs when for a \(\mathtt {CVO}(c)\) query, we get
where \(c=c_1||c_2\), \(m'=\mathtt{Dec}(sk,c_1)\), \(c_1'=\mathtt{Enc}(pk,m')\), and \(c_2'= F'(k',c_1)\).
-
Case \(m'\in \mathcal {M}\) and \(c_1'\ne c_1\). In this case correctness error occurs in \(\mathsf{PKE}\). Probability of this event is bounded by \(\delta (q_V)\).
-
Case \(m'\notin \mathcal {M}\). In this case, for an invalid ciphertext \(c_1\) in \(\mathsf{PKE}\), \(\mathcal {A}\) can produce a \(c_2\) such that \(c_2=F'(k',c_1)\). As \(\mathcal {A}\) has no direct access to \(F'(k',.)\) evaluation, and \(c_1\) is an invalid ciphertext, there is no \(H'(m)\) or \(\mathtt {PCO}(m,c)\) query in the transcript for which \(F'(k',c_1)\) was evaluated. Notice that, in \(\mathtt {PCO}(m,c)\) evaluates \(F'(k',c_1)\) only when \(\mathtt {PCO}(m,c_1)=1\), which can not occur here. So, \(\text {Bad}=1\) implies that \(\mathcal {A}\) can “guess” the output of \(F'(k',c_1)\) for some \(c_1\in \mathcal {C}\). For random function this can happen with probability \(\frac{q_V}{2^\eta }\). If Bad happens in significantly more probability in \(\mathcal {G}_5\), that can be used to break the prf security of \(F'\).
Formal description of \({\mathcal {B}}_{F'}^{(1)}\) is given in Fig. 18. \({\mathcal {B}}_{F'}^{(1)}\) perfectly simulates game \(G_5\) with the help of its oracle \(\mathtt {O}_{F'}\). If \(\mathcal {A}\) ever submits a \(\mathtt {CVO}(c)\) query for which Bad occurs, \({\mathcal {B}}_{F'}^{(1)}\) outputs 1 and halts. If no such query is made, then at the end of the simulation, \({\mathcal {B}}_{F'}^{(1)}\) outputs 0. If \(\mathtt {O}_{F'}\) is a random function, then for a fixed \(\mathtt {CVO}(c)\) query, \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is at most \(\frac{1}{2^\eta }\). Taking union bound over all the \(\mathtt {CVO}(c)\) queries made by \(\mathcal {A}\), when \(\mathtt {O}_{F'}\) is a random function, \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is at most \(\frac{q_V}{2^\eta }\). When \(\mathtt {O}_{F'}\) is the prf \(F'\), \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is exactly \(\text {Prob}[\text {Bad}]\) in \(G_5\).
Efficiency of \({\mathcal {B}}_{F'}^{(1)}\). \({\mathcal {B}}_{F'}^{(1)}\) runs \(\mathcal {A}\) once, algorithm \(\mathtt{Gen}\) once, algorithm \(\mathtt{Enc}\) for \((1+q_{h'}+q_P+q_V)\) times, and \(\mathtt{Dec}\) for \(q_V\) times. Additionally \({\mathcal {B}}_{F'}^{(1)}\) queries the oracle \(\mathtt {O}_{F'}\) for \((1+q_{h'}+q_P+q_V)\) times.
\({\mathcal {B}}_{F'}^{(1)}\) needs to save the code of \(\mathcal {A},\mathtt{Gen},\mathtt{Enc}\), and \(\mathtt{Dec}\). In addition, it needs to save eight size and a flag of a single bit. registers.
Finishing the Proof of Theorem 8. Collecting the probabilities of the games, we have proven so far, there exist adversaries \(\mathcal {B}, \mathcal {B}_{\hat{F}},\) and \(\mathcal {B}_{{F'}}^{(1)}\), such that
Applying Lemma 5, we get a \(\mathcal {B}_{{F'}}^{(2)}\) such that,
Efficiency of \(\mathcal {B}_{{F'}}^{(2)}\) is bounded using following lemma.
Lemma 6
Merging \(\mathcal {B}_{F'}^{(1)}\) and \(\mathcal {B}_{F'}^{(2)}\) into one adversary \(\mathcal {B}_{F'}\), and taking upper bound of their efficiencies, we get Theorem 8.
5 Memory-Tight Reductions for Fujisaki-Okamoto Transformation and Variants
In this section, we prove memory-tight reduction of the security of four different variants of the Fujisaki-Okamoto transformation, following the modular approach of [16]. Before describing the exact transformations we consider, first we recall the modules introduces in [16].
5.1 Brief Overview of Modules from [16]
We recall the modules in the top-down fashion. First we describe the transformations from a public key encryption scheme to a key encapsulation mechanisms.
Outer Modules: \(\mathrm {U}^{\not \perp }\), \(\mathrm {U}_m^{\not \perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\perp }\). Let \(\mathsf{PKE}_1=(\mathtt{Gen}_1,\mathtt{Enc}_1,\mathtt{Dec}_1)\) be a public key encryption scheme with the message space \(\mathcal {M}\) and let \(\mathtt {H}:\mathcal {M}\rightarrow \mathcal {K}\) be a hash function. Table 2 describes the variants of module \(\mathrm {U}\) to construct a KEM using \(\mathsf{PKE}_1\) and \(\mathtt {H}\). The transformations yield KEM of two categories. Transformations \(\mathrm {U}^{\not \perp }\) and \(\mathrm {U}_m^{\not \perp }\) are in the category of implicit rejection, as the decapsulation algorithms in these transformations do not output \(\perp \), when queried with an invalid ciphertext. Transformation \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\perp }\) are in the category of explicit rejection, implying that the decapsulation algorithms, given any invalid ciphertext, indeed output \(\perp \).
Inner Module: T. Let \(\overline{\mathsf{PKE}}=(\mathtt{Gen},\overline{\mathtt{Enc}},\) \(\overline{\mathtt{Dec}})\) be an secure public key encryption scheme. Let \(\mathcal {M}\) \(=\{0,1\}^n\) be the message space, \(\mathcal {C}\) be the ciphertext space, and \(\mathcal {R}\) be the randomness space. Let be a hash function. The transformation T results in a deterministic public key encryption scheme . Formal description of T is given in Fig. 19.
5.2 Considered Variants and the Reductions
We consider three other variants of FO transformations. The variants and their modular decomposition are listed in Table 3. For each transformation we start with an secure public key encryption \(\overline{PKE}\). We prove memory-tight reduction for each of the modules next.
Memory-Tight Reduction for T : .
Theorem 10
Let \(\mathcal {A}\) be any adversary in the game of \(\mathsf{PKE}\). Suppose \(\mathcal {A}\) makes \(q_g\) queries to . Let \(q_p\) denote the number of plaintext checking queries made by \(\mathcal {A}\). Then, in the random oracle model, there exists adversaries \(\mathcal {B}\) in the game against \(\overline{\mathsf{PKE}}\), and \(\mathcal {B}_{F}\) in the prf game, such that
The proof of the above theorem follows exactly from the proof of analogous Theorem 3.2 of [16] and using the random oracle simulation by a prf F. Moreover, from [16], we get that, if \(\mathsf{PKE}\) is strongly \(\overline{\delta }\) correct, then \(\mathsf{PKE}\) is \(\delta (q_g+q_p)\) correct where \(\delta (x)=x\overline{\delta }\).
Memory-Tight Reduction for V: . It follows from Theorem 8.
Memory-Tight Reduction for Variants of U. Table 2 lists four variants of \(\mathrm {U}\) with different security implications. The memory-efficient reductions of these implications are in principle same as the proofs presented in [16]. The only difference is in the simulation of the Random Oracle \(\mathtt {H}\). In Table 4, we write the precise functions to be used to simulate the random oracles in the reductions. We assume the message space of the underlying encryption scheme to be . \(\mathtt {PCO}(m,c)\) returns 1 if c decrypts to m. returns 0 if c decrypts to \(\perp \).
Notes
- 1.
In [3], authors defined the local time of the game only by the number of computations of \(\mathcal {A}\). In this paper we explicitly include the number of queries made to the oracle.
References
Abdalla, M., Bellare, M., Rogaway, P.: DHIES: an encryption scheme based on the Diffie-Hellman problem. Contributions to IEEE P1363a, September 1998
Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
Auerbach, B., Cash, D., Fersch, M., Kiltz, E.: Memory-tight reductions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 101–132. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_4
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Bernstein, D.J.: Extending the Salsa20 nonce. In: Workshop Record of Symmetric Key Encryption Workshop 2011 (2011)
Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018). https://eprint.iacr.org/2018/526
Bhattacharyya, R.: Memory-tight reductions for practical key encapsulation mechanisms. Cryptology ePrint Archive (2020). https://eprint.iacr.org/2020/075
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random Oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Chatterjee, S., Menezes, A., Sarkar, P.: Another look at tightness. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 293–319. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_18
Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_14
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Demay, G., Gaži, P., Hirt, M., Maurer, U.: Resource-restricted indifferentiability. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 664–683. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_39
Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_12
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Wang, Y., Matsuda, T., Hanaoka, G., Tanaka, K.: Memory lower bounds of reductions revisited. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 61–90. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_3
Acknowledgements
We thank Eike Kiltz for encouraging us to write up and submit the work. We are thankful to the reviewers for their comments on this and the previous versions of the paper. The author is supported by SERB ECR/2017/001974.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 International Association for Cryptologic Research
About this paper
Cite this paper
Bhattacharyya, R. (2020). Memory-Tight Reductions for Practical Key Encapsulation Mechanisms. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science(), vol 12110. Springer, Cham. https://doi.org/10.1007/978-3-030-45374-9_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-45374-9_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45373-2
Online ISBN: 978-3-030-45374-9
eBook Packages: Computer ScienceComputer Science (R0)