Memory-Tight Reductions for Practical Key Encapsulation Mechanisms

Abstract

The efficiency of a black-box reduction is an important goal of modern cryptography. Traditionally, the time complexity and the success probability were considered as the main aspects of efficiency measurements. In CRYPTO 2017, Auerbach et al. introduced the notion of memory-tightness in cryptographic reductions and showed a memory-tight reduction of the existential unforgeability of the RSA-FDH signature scheme. Unfortunately, their techniques do not extend directly to the reductions involving intricate RO-programming. The problem seems to be inherent as all the other existing results on memory-tightness are lower bounds and impossibility results. In fact, Auerbach et al. conjectured that a memory-tight reduction for security of Hashed-ElGamal KEM is impossible.

• We refute the above conjecture. Using a simple RO simulation technique, we provide memory-tight reductions of security of the Cramer-Shoup and the ECIES version of Hashed-ElGamal KEM.

• We prove memory-tight reductions for different variants of Fujisaki-Okamoto Transformation. We analyze the modular transformations introduced by Hofheinz, Hövermanns and Kiltz (TCC 2017). In addition to the constructions involving implicit rejection, we present a memory-tight reduction for the security of the transformation \(\mathsf{\text {QFO}_m^\perp }\). Our techniques can withstand correctness-errors, and applicable to several lattice-based KEM candidates.

1 Introduction

Memory Efficiency of Black-Box Reductions. Black-box reduction is an imperative tool in modern cryptography. The security of any scheme S is typically argued by an algorithm \(\mathtt{R}\). Given an adversary, \(\mathcal {A}_S\) against S, R with black-box access to \(\mathcal {A}\) is shown to solve some underlying hard problem \(\mathcal {P}\). The efficiency of a black-box reduction is measured by the resources \(\mathtt{R}\) uses, typically in terms of \(\mathcal {A}\). Traditionally the reductions aimed at optimizing the time complexity and/or the success probability [4, 5, 11]. However, Auerbach et al. [3] observed that some reductions which are tight in success probability and time complexity, require a large amount of memory. If the underlying problem is memory sensitive (easier to solve with larger memory), then a memory loose reduction does not rule out the existence of an efficient adversary. They noted further that many of the standard assumptions including LPN, SVP, Discrete Logarithm Problem in prime fields, factoring are memory sensitive. Hence it is imperative to find memory-efficient reductions when the security is based on the hardness of these problems.

Unfortunately, most of the existing results on memory-tight reductions are lower bounds. In [3], authors ruled out memory-tight, restricted black-box reductions for the security of multi-signatures from unique signatures, and multicollision resistance from collision resistance. In [21], Wang et al. showed lower bounds for a larger class of black-box reductions including the security of public-key encryption and signature schemes in the multi-user setting. In [14], Demay et al. considered the indifferentiability notion in the memory restricted setting, and proved the impossibility of domain extension of hash functions (even by one bit).

On the other hand, to the best of our knowledge, the only positive result so far is the memory-efficient reduction for RSA FDH in the Random Oracle model [3]. The authors introduced new techniques for the random oracle model and showed, using pseudo-random functions and the power of rewinding the adversary once, one can prove a memory-tight reduction of the existential unforgeability of RSA-FDH from RSA assumption. Their technique seems to be generally applicable for hash and sign paradigm, where the domain of the underlying trapdoor permutation enjoys some form of homomorphism (required for applying Coron’s technique [12]).

Key Encapsulation Mechanisms. A Key Encapsulation Mechanism (KEM) is a fundamental primitive to construct efficient public-key cryptosystem. Research in KEM design has been rejuvenated in the last few years due to the ongoing effort to standardize post-quantum cryptographic algorithms. While constructions of secure KEM in the “classical” setting have been known for years (see [15] for a comprehensive treatment), the reductions were non-tight, and required perfect correctness from the underlying public-key encryption scheme. There are numerous recent works on KEM in the quantum setting [10, 16, 17, 19, 20]. However, not much progress has been made in the classical setting until the work of Hofheinz, Hövermanns and Kiltz [16]. HHK revisited the KEM version of Fujisaki Okamoto transformations and presented a modular analysis of multiple variants. Their results, notably include, tight reduction (traditional sense) even when underlying public-key encryption scheme has some correctness error.

1.1 Our Contributions

In this paper, we present memory-efficient reductions of the security of hashed-ElGamal and other variants of Fujisaki-Okamoto transformations.

Memory-Tight Reduction for Hashed-ElGamal. Our starting point is the following conjecture of Auerbach et al. [3].

Conjecture 1

[3]. Memory-tight Reduction for Hashed-ElGamal does not exist.

In this paper, we refute the above conjecture. We introduce a simple “map-then-prf” technique to simulate the random oracle in a memory-efficient way. Our technique programs the Random Oracle non-adaptively, avoiding the need to tabulate the Random Oracle queries. We consider two versions of Hashed-ElGamal KEM, ECIES [1, 2] and HEG [13]. We summarize these results in the following two informal theorems.

Theorem 2

(Informal). Let \(\mathbb {G}\) be a prime-order cyclic group. Let be a prf. There exists a memory-tight reduction, in the random oracle model, of the security of HEG over \(\mathbb {G}\) and \(\mathcal {K}\) from the gap-Diffie-Hellman problem over \(\mathbb {G}\).

Theorem 3

(Informal). Let \(\mathbb {G},\mathbb {G}_T\) be prime-order cyclic groups and \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a bilinear map. Let be a prf. There exists a memory-tight reduction, in the random oracle model, of the security of ECIES over \(\mathbb {G}\) and \(\mathcal {K}\) from the Computational-Diffie-Hellman problem over\(\mathbb {G}\).

Memory-Tight Reduction for Variants of Fujisaki-Okamoto Transformations. Fujisaki-Okamoto transformation and other related KEM constructions have gained particular importance in recent years for their applications in constructing post-quantum KEM schemes. In particular, the modular analysis in [16] has been applied widely in constructing lattice-based candidates. In this paper, we prove memory-tight reduction for three variants of Fujisaki-Okamoto transformations (described in Table 1).

We revisit the analysis in [16] and show techniques for memory-tight reductions for all the modules, even withstanding the correctness errors. We summarize the results below.

• Transformations \(\mathrm {U}^{\not \perp },\mathrm {U}_m^{\not \perp },\mathrm {U}^\perp ,\mathrm {U}_m^{\perp }\). In [16], the authors presented four closely related modules to construct an secure KEM from a public-key encryption scheme \(\mathsf{PKE}\). The security requirement from \(\mathsf{PKE}\) depends on the specific variant of \(\mathrm {U}\). In this paper, we show new RO simulation techniques for all the four variants to convert corresponding the reductions in [16] into memory-tight ones.

• Preprocessing Module T. In [16], the transformation T was presented as the preprocessing module to convert (with a tight reduction) an secure public-key encryption scheme \(\overline{\mathsf{PKE}}\) to a deterministic secure public-key encryption scheme. We observe that the RO simulation technique of Auerbach et al. [3], is sufficient for a memory-tight reduction for security of \(T[\overline{\mathsf{PKE}}]\). When applied with the new reductions for \(\mathrm {U}^{\not \perp }\) and \(\mathrm {U}^{\not \perp }\), this gives a memory-tight reduction for the security of \(\text {KEM}^{\not \perp }\) and \(\text {KEM}_m^{\not \perp }\) respectively.

• A new intermediate module V. The modules with explicit reject, (namely \(U_m^\perp \) and \(U^{\perp }\)) require security relative to a ciphertext verification oracle. Unfortunately, our technique only proves security of T. To bridge the gap, we present a transformation V to convert a deterministic public-key encryption scheme to a deterministic public-key encryption scheme via a memory-efficient reduction. When applied with T and \(U_m^\perp \), we get a memory efficient reduction (in the classical setting) for the scheme \(\text {QKEM}_m^\perp \) of [16] (Table 4 in [15]).

Table 1. Considered variants of Fujisaki-Okamoto transformations. \(\overline{\mathsf{PKE}}=(\overline{\mathtt{Keygen}},\overline{\mathtt{Enc}},\overline{\mathtt{Dec}})\) is an secure public-key encryption scheme. In the column \(\mathtt{Decap}\), s is a random string, \(sk'=sk||s\).

Other Implications. Besides memory efficiency, we found two additional implications of our work. This result refutes the folklore idea that the additional hash present in the \(\text {QKEM}_m^\perp \) transformation is redundant in the classical setting [15,16,17]. The second implication is that V composed with T gives a secure encryption scheme from an secure encryption scheme without the \(\gamma \)-spread requirement of [16].

1.2 Overview of Our Techniques

Challenges with Existing Technique. The memory-efficient technique to simulate an RO in [3] (and later suggested in [8] in the context of KEM) is to evaluate a PRF on the input. However, in the security reduction for key encapsulation mechanisms, the reduction often needs to adaptively program the output of the RO. Evaluating the prf directly on the query input does not provide the required programming capability.

For example, consider the basic construction of a Key Encapsulation Mechanism from a deterministic public-key encryption scheme \(\mathsf{PKE}=(\mathtt{Gen}, \mathtt{Enc},\) \(\mathtt{Dec})\). The public-key, secret-key of the KEM would be a key pair \((pk,sk)\leftarrow \mathtt{Gen}\). An encapsulation involves choosing a random message m, and computing

The output of the encapsulation is (c, k). A traditional security proof assuming \(\mathtt {H}\) to be a random oracle would be to maintain a table containing the queries and corresponding responses of \(\mathtt {H}\) queries. Whenever the adversary makes a decapsulation query on \(\hat{c}\), the reduction will check the table whether it contains an entry \((\hat{m},\hat{c},\hat{h})\) such that \(\mathtt{Enc}(pk,\hat{m})\) returns \(\hat{c}\). If such an entry exists, the answer tothe decapsulation query would be \(\hat{h}\). Otherwise the reduction would return a randomly sampled element \(\hat{h}'\), and save \((-,\hat{c},\hat{h}')\) in the list. The first entry will be filled up when, in a future hash query, the adversary submits \((\hat{m},\hat{c})\) where \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\).

Now consider a memory-efficient reduction where simulation of \(\mathtt {H}\) is performed using a prf F(k, .). A hash query on \((\hat{m},\hat{c})\) is returned with \(F(k, \hat{m},\hat{c})\). The problem arises when simulating the decapsulation query \(\hat{c}\). As the entries are no longer saved in a table, the reduction cannot find the required \(\hat{m}\) to complete the prf evaluation! One may attempt to solve the issue by answering the hash query with \(F(k,\hat{c})\). In that case, the decapsulation queries can be answered. However, two hash queries with the same \(\hat{c}\) but different \(\hat{m}\) would result in a collision! Hence, this idea fails as well.

Core of our Idea: “injectively map and prf”. Our method originates from the following observation. Let us call \((\hat{m},\hat{c})\) a good pair if \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\). In the security game, the answer to a decapsulation query \(\hat{c}\) needs to match with the response of a hash query \((\hat{m},\hat{c})\) only when \((\hat{m},\hat{c})\) is a good pair. When answering hash queries on a good pair \((\hat{m},\hat{c})\), we can “program” the output to be \(F(k,m_0,\hat{c})\) (\(m_0\) being any fixed message). For pairs which are not good, we can query an independent prf \(F'(k,\hat{m},\hat{c})\) to compute the responses. Answer to a decapsulation query on (a valid ciphertext) \(\hat{c}\) will simply be \(F(k,m_0,\hat{c})\). The idea can be generalized as “Apply an appropriate injective function \(\phi \) on the input, and then apply the prf”. As the composition of an injective function with a prf results into a prf, we can use the arguments of [3]. This basic technique can readily be applied to the Cramer-Shoup version of Hashed-ElGamal, as well as the modules \(\mathbf{\mathrm {U}^{\not \perp }}\), and \(\mathbf{\mathrm {U}^\perp }\).

Technique for \(\mathbf{U_m^{\not \perp },U_m^\perp }\). In these cases, the hash function is evaluated only on m. Thus, the above idea is not applicable directly. However, as \(\mathsf{PKE}\) is deterministic, the reduction can still construct a good pair by simply computing \(\hat{c}=\mathtt{Enc}(pk,\hat{m})\), and respond a hash query on \(\hat{m}\) by \(F(k,\hat{c})\). We no longer need to use the independent prf \(F'\), as the hash query only contains the message.

Interestingly, the technique works even if \(\mathsf{PKE}\) has amall correctness errors. Although, \(\mathtt{Enc}(pk,.)\) is no longer injective, finding a collision in the output of \(\mathtt{Enc}(pk,.)\) implies finding a correctness error. Conditioned on no collision in the output of \(\mathtt{Enc}(pk,.)\), the argument of [3] goes through. However, one needs to be careful here, as pointed out in [8]. In some definition of deterministic encryption, it is easy to come up with a scheme where a ciphertext decrypts to a message which in turn encrypts to a different ciphertext. To solve the issue, we require that for every message \(\hat{m}\) there exists a single ciphertext \(\hat{c}\) that decrypts to \(\hat{m}\). Our definition of deterministic encryption is carefully considered to maintain this property. Moreover, the schemes generated by the transformation T of [16] satisfies the definition.

Technique for ECIES. In the case of ECIES, we have a group \(\mathbb {G}\) of prime order q with a generator \(g\in \mathbb {G}\). A public-key is a random element X with the corresponding secret-key x such that \(X=g^x\). The encapsulation involves choosing a random \(y\) and computing

$$\begin{aligned} Y=g^y\qquad Z=Y^x \qquad k=\mathtt {H}(Z) \end{aligned}$$

The output of the encapsulation is (Y, k). While ECIES is analogous to \(U_m^{\not \perp }\), we cannot find Y from Z! Hence, we cannot “map to ciphertext space” and applyF.

Fortunately, the “map-then-prf” technique is not limited to mapping to the ciphertext space. We note, when ECIES is implemented using a pairing friendly curve, there exists a bilinear map \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) for some \(\mathbb {G}_T\). Moreover, by the bilinear property, \(\hat{e}(g^x,g^y)=\hat{e}(g,g^{xy})\). We simulate the random oracle using \(F(k,\hat{e}(g,.))\). The decapsulation oracle can maintain consistency by using \(F(k,\hat{e}(X,.))\).

2 Notations and Preliminaries

If S is a set |S| denotes the size of S. denotes the process of choosing x uniformly at random from S. [n] denotes the set of first n natural numbers. Composition of two functions is denoted by \(\circ \). If \(\hat{F}=F\circ \phi \), then \(\hat{F}(x)= F(\phi (x))\).

Algorithms and Security Games. The algorithms and complexities considered in the papers are in the RAM model. The algorithms have access to memory and constant number of registers, each having size of one word. For a deterministic (resp. probabilistic) algorithm \(\mathcal {A}\), (resp ) denotes y is the (resp. uniformly sampled) output of \(\mathcal {A}\) on input x. \(\mathcal {A}^\mathcal {O}\) denotes that \(\mathcal {A}\) has access to \(\mathcal {O}\) as an oracle. The oracles in this paper may be stateful; \(st_\mathcal {O}\) denotes the state of the RAM \(\mathcal {O}\). As followed in [3], \(\mathcal {A}\) with oracle access to \(\mathcal {O}\) cannot access \(st_\mathcal {O}\).

Security Games. The results are proven in the framework of code based games of [6]. A game G consists an algorithm consists of a main oracle, and zero or more stateful oracles \(O_1,O_2,\cdots , O_n\). If a game G is implemented using a function f, we write G[f] to denote the game.

Complexity Measures. In this paper, we consider the following three complexity measures of an algorithm.

Success Probability. The success probability of an algorithm \(\mathcal {A}\) in game G is defined by .

Time Complexity. The time complexity of an algorithm \(\mathcal {A}\), denoted by , is the number of computation steps performed by \(\mathcal {A}\) in the worst case over all possible input of size . When \(\mathcal {A}\) plays a security game G, the time complexity of the game, denoted by , is the time complexity of \(\mathcal {A}\) plus the number of queries \(\mathcal {A}\) makes to the oracle.¹

Memory Complexity. Following [3, 21], we define the memory complexity of an algorithm \(\mathcal {A}\) to be the size of the code plus the worst-case number of registers used in memory at any step in computation, over all possible input of size and random coins. denotes the memory complexity of \(\mathcal {A}\) (not the oracles) in the security game G.

Reductions and Efficiency. We follow the definition of black-box reductions proposed in [18]. A cryptographic primitive \(\mathcal {P}\) is a family of efficiently computable functions \(f:\{0,1\}^{*}\rightarrow \{0,1\}^{*}\). Security of \(\mathcal {P}\) is described using a game G. An adversary \(\mathcal {A}\) is said to \(\mathcal {P}\)-break f with probability \(\epsilon \), if

$$\begin{aligned} \text{ Succ }_{\mathcal {A},G[f]}=\epsilon . \end{aligned}$$

We follow the following definition of a cryptographic reduction.

Definition 1

Let \(\mathcal {P},\mathcal {Q}\) be cryptographic primitives and \(G_P\) and \(G_Q\) be the corresponding security games respectively. A reduction from \(\mathcal {P}\) to \(\mathcal {Q}\) is a pair of algorithms \(\mathtt{C},\mathtt{R}\) such that

• \(\mathtt{C}^f\in \mathcal {Q} \text { for all } f \in \mathcal {P}\)

• For all \(f\in \mathcal {P}\), for all adversary \(\mathcal {A}\) that \(\mathcal {Q}\)-breaks \(\mathtt{C}^f\), the algorithm \(\mathtt{R}^\mathcal {A}\) \(\mathcal {P}\)-breaks f.

Memory-Tight Reductions. Following [3, 21], we define memory-tight reductions as follows.

Definition 2

A Cryptographic reduction \((\mathtt{C},\mathtt{R})\) from \(\mathcal {P}\) to \(\mathcal {Q}\) is called memory-tight, if for all \(f\in \mathcal {P}\),

Fig. 1.

\(\mathsf{CDH}\) game and game. In game, \(\mathcal {A}\) has oracle access to

Hardness Assumptions. The security proofs of Hashed-ElGamal variants are reduced from the Computational Diffie-Hellman and gap-Diffie-Hellman assumption. Consider the \(\mathsf{CDH}\) game described in Fig. 1.

Definition 3

(gap-Diffie-Hellman Assumption). Let q be a prime. Let \(\mathbb {G}=\langle g \rangle \) be a cyclic group of order q. The \((t,\mu ,\epsilon )\) gap-Diffie-Hellman () assumption states that for all adversary \(\mathcal {A}\) that runs in times t and uses \(\mu \) bites of memory,

The Computational Diffie-Hellman assumption is defined in the same way, except the condition that \(\mathcal {A}\) has no access to the oracle.

Key Encapsulation Mechanism. A key encapsulation mechanism \(\mathsf KEM\) consists of three algorithms; \(\mathtt{Gen},\mathtt{Encap},\mathtt{Decap}\). The key generation algorithm \(\mathtt{Gen}\) takes a security parameter as input and outputs a public key pk and a secret key sk. The encapsulation algorithm \(\mathtt{Encap}\), on input pk, outputs a key-ciphertext pair (c, K), where \(K \in \mathcal {K}\) for some non-empty set \(\mathcal {K}\). c is said to be the encapsulation of K. The deterministic decapsulation algorithm \(\mathtt{Decap}\) takes an encapsulation c as input along with sk, and outputs a key \(K\in \mathcal {K}\). A \(\mathsf{PKE}\) is called \(\delta \)-correct if

$$\begin{aligned} \text {Prob}[\mathtt{Decap}(sk,c)\ne K| (pk,sk)\leftarrow \mathtt{Gen}; (c,K)\leftarrow \mathtt{Encap}(pk)]\le \delta \end{aligned}$$

IND-CCA security of a Key Encapsulation Mechanism. We recall the security game for a Key Encapsulation Mechanism in Fig. 2. The advantage of an adversary \(\mathcal {A}\) against \(\mathsf{PKE}\) is defined as

Fig. 2.

game for KEM

Fig. 3.

Correctness game for PKE

Public-Key Encryption. A public-key encryption scheme consists of three algorithms, \(\mathsf{PKE}=(\mathtt{Gen},\mathtt{Enc},\mathtt{Dec})\). There are three sets associated with \(\mathsf{PKE}\), the message space \(\mathcal {M}\), the randomness space \(\mathcal {R}\), and the ciphertext space \(\mathcal {C}\). The key generation algorithm takes the security parameter as input and outputs a public-key, secret-key pair (pk, sk). The encryption algorithm takes the public key pk, and a message \(m\in \mathcal {M}\) as input, samples a random string , and outputs a ciphertext.\(c\leftarrow \mathtt{Enc}(pk,m,r)\). The decryption algorithm \(\mathtt{Dec}\), on input sk and a ciphertext c, outputs a message \(m=\mathtt{Dec}(sk,c)\in \mathcal {M}\) or a special symbol \(\perp \,\notin \mathcal {M}\). We say, c is an invalid ciphertext, if \(\mathtt{Dec}(sk,c)=\perp \).

Deterministic Public Key Encryption. We call a public-key encryption scheme PKE deterministic, if the algorithm \(\mathtt{Enc}\) is deterministic and for every message \(m\in \mathcal {M}\), there exists a unique \(c\in \mathcal {C}\) such that \(\mathtt{Dec}(sk,c)=m\). We write \(c\leftarrow \mathtt{Enc}(pk,m)\) for deterministic encryption.

Correctness. Following [16], we define the correctness of a public-key encryption scheme by the security game \(\mathsf{COR}\) in Fig. 3.

Definition 4

Let be an increasing function. Consider the game \(\mathsf{COR}\) in Fig. 3. A public-key encryption scheme \(\mathsf{PKE}\) is called \(\delta \)-correct, if for all adversary \(\mathcal {A}\) with running time bounded by t,

$$\begin{aligned} {\text{ Succ }}_{\mathcal {A},\mathsf{COR}[\mathsf{PKE}]}\le \delta (t) \end{aligned}$$

where the probability is taken over the randomness of \(\mathtt{Gen}\) and \(\mathcal {A}\). Moreover, we say \(\mathsf{PKE}\) is strongly \(\overline{\delta }\) correct, if \(\forall ~t,\delta (t)\le \overline{\delta }\).

Fig. 4.

Game . In the game (resp. ), \(\mathcal {A}\) has oracle access to only (resp. ).

Security. Following [16], we define three security games for a public-key encryption scheme, , , and in Fig. 4. In game, the adversary has oracle access to . In the game, the adversary has oracle access to . In game, the adversary has oracle access to both and . For , we define the corresponding advantages of an adversary \(\mathcal {A}\) against \(\mathsf{PKE}\) as

Random Oracles. An (idealized) function is said to be a Random Oracle, if for all , the output \(\mathcal {F}(x)\) is independently and uniformly distributed over .

Pseudo-random Functions

Definition 5

Let be a deterministic algorithm and let \(\mathcal {A}\) be an algorithm. The prf advantage of \(\mathcal {A}\) is defined as

F is said to implement a family of \((t,d,\epsilon )\)-pseudo-random functions if for all adversary \(\mathcal {A}\) that runs in time t and uses memory d,

$$ \text{ Adv }_{\mathcal {A},F}^\mathrm{prf}\le \epsilon $$

Simulating Random Oracle Using PRF. If a game G is defined in the random oracle model, then one procedure of the game defines the random oracle . The standard technique to implement the random oracle procedure is via lazy sampling. However, the lazy sampling technique requires additional memory where \(q_h\) is the number of \(\mathtt {H}\) queries made by the adversary. In [3], the authors formalized the technique, originally suggested in [7], of simulating the Random Oracle using a prf. Let \(G[\mathtt {H}]\) be a game where \(\mathtt {H}\) is a random oracle used in G. Let G[F] be the same game where the random oracle is implemented using a prf F. Specifically, the oracle \(\mathtt {H}\) is implemented using F(k, .) for a randomly sampled key k (Fig. 6).

Fig. 5.

PRF security game

Fig. 6.

Memory efficient simulation of Random Oracle

Lemma 1

(RO simulation using prf [3]). For all adversary \(\mathcal {A}\) against G making at most \(q_h\) queries to the random oracle, there exists a \(\mathcal {B}_F\) against F in the prf game such that

$$\begin{aligned} \left| {\text{ Succ }}_{\mathcal {A}^\mathtt {H},G[\mathtt {H}]}- {\text{ Succ }}_{\mathcal {A}^\mathtt {H},G[F]}\right| \le \text{ Adv }_{\mathcal {B}_{F},F}^\mathrm{prf} \end{aligned}$$

Moreover, it holds that

$$\begin{aligned} \mathbf{LocalTime}(\mathcal {B}_{F})&= \mathbf{LocalTime}(\mathcal {A})+\mathbf{LocalTime}(G)+q_h\\ \mathbf{LocalMem}(\mathcal {B}_{F})&= \mathbf{LocalMem}(\mathcal {A})+\mathbf{LocalMem}(G)\\ \end{aligned}$$

3 Memory-Tight Reductions for Hashed-ElGamal

3.1 Cramer-Shoup Variant

Fig. 7.

HEG: Cramer-Shoup Version of Hashed-ElGamal KEM. \(\mathtt {H}:\mathbb {G}\times \mathbb {G}\rightarrow \mathcal {K}\) is a cryptographic hash function

In this section we present a memory-tight reduction of Cramer-Shoup version of hashed-ElGamal Key Encapsulation mechanism [13]. We describe the scheme in Fig. 7. \(\mathbb {G}\) is a cyclic group of prime order q. Let \(\mathtt {H}:\mathbb {G}\times \mathbb {G}\rightarrow \mathcal {K}\) be a hash function. Our main result in this section is the following theorem.

Theorem 4

Let q be a prime and \(\mathbb {G}\) be any gap group of order q. Let be the Decisional Diffie Hellman oracle on \(\mathbb {G}\). Let \(\mathtt{DH}\) be the Diffie Hellman instance generation algorithm over \(\mathbb {G}\). Let be a prf. Let \(\Pi \) be the HEG KEM scheme over \(\mathbb {G}\) and \(\mathcal {K}\), with security parameter .

Let \(\mathcal {A}\) be any adversary in the game of \(\Pi \). Suppose \(\mathcal {A}\) makes \(q_H\) hash queries and \(q_D\) decapsulation queries. Then, in the random oracle model, there exists an adversary \(\mathcal {B}_{DH}\) in the game, and an adversary \(\mathcal {B}_{F}\) such that

Moreover, it holds that

Before proving the Theorem 4, we construct a prf that we shall use in the proof.

Construction of \({\varvec{\hat{F}}}\). Let be the decisional Diffie-Hellman oracle such that , if (X, Y, Z) is a valid Diffie-Hellman tuple.

Construction 5

Let \(\mathbb {G}\) be a group of prime order q and let g be a generator of \(\mathbb {G}\). Fix \(X\in \mathbb {G}\). Let . We define as follows

In order to use the map then prf technique, we need the following lemma.

Lemma 2

If F is a prf, then \(\hat{F}_X\) is a prf. Moreover, for every adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}_X\), there exists a \(\mathcal {B}_{F}\) against F such that,

where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\).

Proof

Fix \(X\in \mathbb {G}\). Note that for every \(Y\in \mathbb {G}\), there exists a unique \(Z\in G\) such that . We define as

It is easy to verify that \(\psi _X\) is an injective function. Moreover, \(\hat{F}_X=F\circ \psi _X\).

Let be the oracle of \(\mathcal {B}_F\). \(\mathcal {B}_F\) chooses \(x \in \mathbb {Z}_q^*\), set \(X=g^x\) and invokes \(\mathcal {B}_{\hat{F}}\). For every query (Y, Z) of \(\mathcal {B}_{\hat{F}}\), \(\mathcal {B}_F\) checks whether \(Y^x=Z\), computes \(\psi _X(Y,Z)\) accordingly and queries . The response of the oracle is passed to \(\mathcal {B}_{\hat{F}}\). When \(\mathcal {B}_{\hat{F}}\) outputs a bit b, \(\mathcal {B}_F\) outputs b. This perfectly simulates the prf game of \(\hat{F}_X\).

We assume the computation time of \(\psi _X\) is constant. In order to simulate the prf game of \(\hat{F}_X\), \(\mathcal {B}_F\) needs to compute \(\psi _X\) for q many times. Moreover, \(\mathcal {B}_F\) needs store x and a temporary variable for passing the values. The lemma follows.   \(\square \)

The Reduction. Theorem 4 is proven via a sequence of games. Formal description of the games are given in Figs. 8 and 9.

Fig. 8.

The games \(\mathbf{G}_0\) and \(\mathbf{G}_1\). In game \(\mathbf{G}_1\), Line 9 in replaced by the boxed statement

Game \(\mathbf{G}_0\). The game \(\mathbf{G}_0\) is the original game.

Game \(\mathbf{G}_1\): We predefine \(K_0^*=\mathtt {H}(Y^*,Z^*)\) by sampling a random element from the keyspace \(\mathcal {K}\). \(Y^*\) is the challenge ciphertext sent in the KEM game and \(Z^*={Y^*}^x\). The hash oracle is modified to return \(K_0^*\) for the input \((Y^*,Z^*)\). As \(K_0^*\) is still uniformly chosen at random, and the hash oracle output is consistent, there is no change in the distribution of adversary’s view.

$$\begin{aligned} \text {Prob}[\mathbf{G}_0^\mathcal {A}=1]=\text {Prob}[\mathbf{G}_1^\mathcal {A}=1] \end{aligned}$$

Game \(\mathbf{G}_2\). In this game the oracles \(\mathtt {H}\) and \(\mathtt{Decap}\) are changed. We replace the random oracle by a prf . By Lemma 1, there exists an adversary \(\mathcal {B}_{\hat{F}}\) such that

Game \(\mathbf{G}_3\). We rewrite the prf evaluation of \(\hat{F}_X\) using a prf F as defined in Construction 5. In the procedure \(\mathtt{Decap}\) of the game \(\mathbf{G}_2\), Step 2 (\(Z=Y^x\)) ensures that \(\hat{F}_X(k,Y,Z)\) in that procedure always evaluates to F(k, 1, Y, g). As the view of the adversary remains unchanged,

$$\begin{aligned} \text {Prob}[\mathbf{G}_2^\mathcal {A}=1]=\text {Prob}[\mathbf{G}_3^\mathcal {A}=1] \end{aligned}$$

Game \(\mathbf{G}_4\): In this game, we set a flag Flag and abort on the event that \(\mathcal {A}\) queries \(\mathtt {H}\) on \((Y^*,Z^*)\) where \(Y^*\) is the challenge in the KEM game and \((X,Y^*,Z^*)\) is a valid diffie hellman tuple. By the fundamental lemma of game playing proofs

$$\begin{aligned} \left| \text {Prob}[\mathbf{G}_3^\mathcal {A}=1]-\text {Prob}[\mathbf{G}_4^\mathcal {A}=1]\right| \le \text {Prob}[\text {Flag}=1]. \end{aligned}$$

In the game \(\mathbf{G}_4\), the adversary \(\mathcal {A}\) is unable to compute \(\mathtt {H}(Y^*,Z^*)\) using either the hash oracle or the decapsulation oracle. The decapsulation oracle outputs \(\perp \) whenever the input Y is equal to \(Y^*\). The hash oracle aborts for the input \((Y^*,Z^*)\). This implies that the bit b is independent from the adversary’s view. Hence

$$\begin{aligned} \text {Prob}[\mathbf{G}_3^\mathcal {A}]=\frac{1}{2}. \end{aligned}$$

To bound \(\text {Prob}[\text {Flag}=1]\), we construct an algorithm \(\mathcal {B}_{DH}\) against the security of \(\mathbb {G}\). \(\mathcal {B}_{DH}\) simulates game \(\mathbf{G}_4\) for \(\mathcal {A}\).

Fig. 9.

IND-CCA game of HEG: highlighted statements are the modifications from the previous game

Adversary . Formal code of is given in Fig. 10. simulates \(\mathbf{G}_4\). In order to execute line 1 of the game , uses the oracle. By the definition of game, X and \(Y^*\) are uniformly and independently distributed. Hence the simulation of \(\mathbf{G}_4\) is perfect. Flag = 1 implies that \(\mathcal {A}\) queried where \(Y=Y^*\) and . returns that Z and wins the game. Hence,

Collecting the probabilities, we get

Fig. 10.

Diffie Hellman adversary

Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) runs \(\mathcal {A}\), queries oracle for \(q_H\) many times, computes the prf F for \((q_H+q_D)\) many times. is the cost of other operations in \(\mathbf{G}_4\).

The last \(q_H\) term in the right-hand side of the above equation is to denote the number of queries made to the oracle.

Memory Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) needs to save the code of \(\mathcal {A}\), and F. In addition, counting the registers in \(\mathbf{G}_4\),

So far, we have proven that there exist adversaries \(\mathcal {B}_{DH}\) and \(\mathcal {B}_{\hat{F}}\)

Applying Lemma 2, we get the adversary \(\mathcal {B}_{F}\) such that

Hence, there exist adversaries \(\mathcal {B}_{DH}\) and \(\mathcal {B}_{F}\) such that

The following lemma finds the efficiency of \(\mathcal {B}_F\)

Lemma 3

3.2 ECIES

Let \(\mathbb {G}=\langle g \rangle \) be a cyclic group of prime order q, equipped with a pairing \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). Let \(\mathtt {H}:\mathbb {G}\rightarrow \mathcal {K}\) be a hash function. In this section, we present a memory tight reduction of the underlying Key Encapsulation Mechanism of ECIES from the Computational Diffie-Hellman assumption over \(\mathbb {G}\). We describe the ECIES KEM scheme in Fig. 11. Our main result in this section is the following theorem.

Fig. 11.

ECIES KEM. is a cryptographic hash function

Theorem 6

Let q be a prime and \(\mathbb {G}\) be a group of order q equipped with a pairing \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). Let \(\mathtt{DH}\) be the Diffie Hellman instance generation algorithm over \(\mathbb {G}\). Let be a prf. Let \(\hat{\Pi }\) be the ECIES-KEM scheme over \(\mathbb {G}\) and \(\mathcal {K}\), with security parameter .

Let \(\mathcal {A}\) be an adversary in the game of \(\hat{\Pi }\). Suppose \(\mathcal {A}\) makes \(q_h\) hash queries and \(q_D\) decapsulation queries. Then, in the random oracle model, there exists an adversary \(\mathcal {B}_{DH}\) in the \(\mathsf {CDH}\) game, and an adversary \(\mathcal {B}_{F}\) such that

Moreover, it holds that

The reduction to prove Theorem 6 is almost the same as in the previous section. The only difference is in the construction of the intermediate prf \(\hat{F}\) and the reduced \(\mathsf{CDH}\)-adversary \(\mathcal {B}_{DH}\). As the details are almost same to the reduction of HEG, we only describe \(\hat{F}\) and \(\mathcal {B}_{DH}\) here. The reader is referred to the full version of the paper [9] for the rest of the reduction.

Construction 7

(Construction of \(\hat{F}\)). Let \(\mathbb {G}\) be a group of prime order q and let g be a generator of \(\mathbb {G}\). Let \(\hat{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be a bilinear map. Let . We define as follows

$$\begin{aligned} \hat{F}(k,Z)=F(k,\hat{e}(g,Z)) \end{aligned}$$

Lemma 4

If F is a prf, then \(\hat{F}\) is a prf. Moreover, for every adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}\), there exists a \(\mathcal {B}_{F}\) against F such that,

where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\) to its oracle.

Description of \({\varvec{\mathcal {B}_{DH}}}\): The Adversary to Game \({\varvec{\mathsf {CDH}}}\). Formal code of \(\mathcal {B}_{DH}\) is given in Fig. 12. \(\mathcal {B}_{DH}\) gets \((g,X,Y^*)\) as input, where \(X,Y^*\) are distributed uniformly over \(\mathbb {G}\). Flag = 1 implies that \(\mathcal {A}\) queried \(\mathtt {H}(Z)\) where \((X,Y^*,Z)\) is a valid Diffie Hellman tuple. If Flag is set for some query made by \(\mathcal {A}\), \(\mathcal {B}_{DH}\) returns that corresponding Z and wins the \(\mathsf {CDH}\) game.

Fig. 12.

Diffie Hellman adversary \(\mathcal {B}_{DH}\)

Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) runs \(\mathcal {A}\), computes the pairing \(\hat{e}(.,.)\) oracle for \(q_D+3q_H\) many times, computes the prf F for \((q_H+q_D)\) many times. As the rest of the steps in the algorithm takes time,

$$\begin{aligned} \mathbf{LocalTime}(\mathcal {B}_{DH})\approx&\mathbf{LocalTime}(\mathcal {A})+ (q_H+q_D)\mathbf{LocalTime}(F)\\ {}&+(q_D+3q_H) \mathbf{LocalTime}(\hat{e}) \end{aligned}$$

Memory Efficiency of \(\mathcal {B}_{DH}\). \(\mathcal {B}_{DH}\) needs to save the code of \(\mathcal {A}\), \(\hat{e}\), and F. Counting the registers, we get

4 Transformation V: PKE to PKE

In this section, we introduce a transformation V to construct secure deterministic PKE from a secure PKE. Our main result is a memory-tight reduction of V. The main application of V will be in Sect. 5, where we shall use V to get a memory-tight reductions of the security of \(\text{ QKEM }^\perp \) and \(\text{ QKEM }_m^\perp \).

4.1 The Transformation

We start with a deterministic \(\delta \)-correct secure public key encryption scheme, \(\mathsf{PKE}=(\mathtt{Gen},\) \(\mathtt{Enc},\mathtt{Dec})\). Let \(\mathcal {M}=\{0,1\}^n\) be the message space, and \(\mathcal {C}\) be the ciphertext space. Let \(\mathtt {H}':\mathcal {M} \rightarrow \{0,1\}^{\eta }\) be a hash function. The transformed scheme is described as \(\mathsf{PKE}_1=(\mathtt{Gen},\mathtt{Enc}_1,\mathtt{Dec}_1)\).

Our main result of this section is the following theorem.

Fig. 13.

secure encryption scheme

Theorem 8

Let \(\mathsf{PKE}=(\mathtt{Gen},\) \(\mathtt{Enc},\mathtt{Dec})\) be a deterministic \(\delta \) correct secure public key encryption scheme. Let \(\mathcal {M}\) be the message space, and \(\mathcal {C}\) be the ciphertext space of \(\mathsf{PKE}\). Let \(\mathsf{PKE_1}\) be the transformed public encryption scheme. Let be a prf. Let \(\mathcal {A}\) be any adversary in the game of \(\mathsf{PKE}_1\). Suppose \(\mathcal {A}\) makes \(q_{h'}\) queries to . Let \(q_P\) denote the number of plaintext checking queries and \(q_V\) denote the number of validity checking queries made by \(\mathcal {A}\).

\(\mathsf{PKE}_1\) is \(\delta \)-correct. Moreover, in the random oracle model, there exists an adversary \(\mathcal {B}\) in the game of \(\mathsf{PKE}_1\), and an adversary \(\mathcal {B}_{F'}\) in the prf game of \(F'\), such that

Moreover it holds that

Similar to previous section, we first construct a prf \(\hat{F}\).

4.2 Construction of \(\hat{F}\)

Construction 9

Fix a public key pk of \(\mathsf{PKE}\). Let . We define \(\hat{F}\) as

$$\begin{aligned} \hat{F}(k,m)= F' (k, \mathtt{Enc}(pk,m)) \end{aligned}$$

In order to use the map then prf technique, we need the following lemma.

Lemma 5

Fix pk. For every \(\mathrm{prf}\)-adversary \(\mathcal {B}_{\hat{F}}\) against \(\hat{F}\), there exists a \(\mathcal {B}_{F'}\) against \(F'\) such that,

where q is the number of queries made by \(\mathcal {B}_{\hat{F}}\).

The main difference in Lemma 5 with the ones in the previous section is the decryption error of \(\mathsf{PKE}\). In other words, we can not claim that \(\mathtt{Enc}(pk,.)\) is an injective function. However, if \(\mathcal {B}_{\hat{F}}\) can query with messages \(m_1,m_2\) such that \(\mathtt{Enc}(pk,m_1)=\mathtt{Enc}(pk,m_2)\), implying a decryption error for either \(m_1\) or \(m_2\).

Proof

First, we prove that if \(F'\) is a prf, then \(\hat{F}\) is a prf. Let be the oracle of \(\mathcal {B}_{F'}\). \(\mathcal {B}_{F'}\) runs \(\mathtt{Gen}\) to receive pk, sk, and invokes \(\mathcal {B}_{\hat{F}}\). For every query m of \(\mathcal {B}_{\hat{F}}\), \(\mathcal {B}_{F'}\), computes \(c=\mathtt{Enc}(pk,m)\), and checks whether \(m=\mathtt{Dec}(sk,c)\). If the check fails \(\mathcal {B}_{F'}\) aborts. If the check succeeds, \(\mathcal {B}_{F'}\) queries , and the response of the oracle is passed to \(\mathcal {B}_{\hat{F}}\). When \(\mathcal {B}_{\hat{F}}\) outputs a bit b, \(\mathcal {B}_F\) outputs b.

If \(\mathcal {B}_{F'}\) aborts on input m, then correctness error occurs in \(\mathtt{Dec}(sk,\mathtt{Enc}(pk,m))\). By assumption, probability of this event is bounded by \(\delta (q)\). Conditioned on that \(\mathcal {B}_{F'}\) does not abort, the output of \(\mathtt{Enc}(pk,m)\) are unique for all m queried by \(\mathcal {B}_{\hat{F}}\). In that case, \(\mathcal {B}_{F'}\) perfectly simulates the prf game of \(\hat{F}\). When \(\mathtt {O}\) is a random function, the simulation implements a random function. When \(\mathtt {O}\) is implemented by \(F'\), \(\mathcal {B}_{F'}\) implements \(\hat{F}\). Thus we get,

$$\begin{aligned} \text{ Succ }_{\mathcal {B}_{\hat{F}},\mathrm{prf}[\hat{F}]}&= \text{ Succ }_{\mathcal {B}_{F'},\mathrm{prf}[F']} +\text {Prob}[\mathcal {B}_{F'}~\text{ aborts }]\le \text{ Succ }_{\mathcal {B}_{F'},\mathrm{prf}[F']}+\delta (q)\\ \implies \text{ Adv }_{\mathcal {B}_{\hat{F}},\hat{F}}^\mathrm{prf}&\le \text{ Adv }_{\mathcal {B}_{F'},F'}^\mathrm{prf} +\delta (q) \end{aligned}$$

In order to simulate the prf game of \(\hat{F}\), \(\mathcal {B}_F\) needs to run \(\mathtt{Enc}\) for q many times. Moreover, \(\mathcal {B}_F\) needs store pk, sk and a temporary variable for passing the values. The lemma follows.

4.3 Proof of Theorem 8

It is obvious that the correctness holds. We prove rest of Theorem 8 via a sequence of games. Formal description of the games are given in the Figs. 14 and 15.

Fig. 14.

The main function of games \(\mathbf{G_0}-\mathbf{G_7}\). The boxed statement is not executed in \(\mathbf{G_0}\). Right hand side figure describes the oracles in \(\mathbf{G_0}\)

Game \(\mathbf {G_0}\). \(G_0\) is the security game of \(\mathsf{PKE}_1\).

Game \(\mathbf {G_1}\). In this game, we replace \(\mathtt {H}'\) by prf \(\hat{F}\). By Lemma 1, there exists adversary, \(\mathcal {B}_{\hat{F}}\) such that

$$\begin{aligned} \left| \text {Prob}[G_1^\mathcal {A}=1]-\text {Prob}[G_0^f=1]\right| \le {\mathbf{Adv}}_{\mathcal {B}_{\hat{F}},\hat{F}}^\mathrm{prf} \end{aligned}$$

(1)

Fig. 15.

The oracles in \(\mathbf{G_1,G_2,G_3}\)

Game \(\mathbf {G_2}\). In this game, we modify the oracle simulation. Instead of the decryption, \( m'=\mathtt{Dec}(sk,c_1)\), and equality check \(m=m'\), we only check whether, \(c_1=\mathtt{Enc}(pk,m)\). Notice, the condition \(c_2=\hat{F}(k',m)\) remains unchanged. Conditioned on correctness error does not happen, \(c_1'=c_1=\mathtt{Enc}(pk,m)\) implies that \(m'=\mathtt{Dec}(sk,c_1')=m\). Hence, this change does not affect the transcript distribution until correctness error occurs in \(\mathsf{PKE}\).

$$\begin{aligned} \left| \text {Prob}[G_1^\mathcal {A}=1]-\text {Prob}[G_2^\mathcal {A}=1]\right| \le \delta (q_P) \end{aligned}$$

Game \(\mathbf {G_3}\). In this game we replace \(\hat{F}\) as defined. The change is syntactical and does not change the distribution of any output.

$$\begin{aligned} \text {Prob}[G_2^\mathcal {A}=1]= \text {Prob}[G_3^\mathcal {A}=1] \end{aligned}$$

Game \(\mathbf {G_4}\). In this game, we change how the oracles \(\mathtt {PCO}\) and \(\mathtt {CVO}\) responds. For a \(\mathtt {PCO}(m,c)\) query, we no longer encrypt m to compute \(c_2'\). Instead, we run the plaintext checking oracle \(\overline{\mathtt {PCO}}\), provided for \(\mathsf{PKE}\), to check correctness of \((m,c_1)\). If \(c_1\) is indeed a valid ciphertext of m, then by deterministic property of \(\mathsf{PKE}\), \(F'(k,\mathtt{Enc}(pk,m))\) is equal to \(F'(k,c_1)\). Hence we only check whether \(F'(k,c_1)=c_2\). The change in \(\mathtt {PCO}\) is syntactical, and does not change output distribution of the oracle.

Similarly, in \(\mathtt {CVO}\), we change the computation of \(c_2'\), which is now computed as \(F(k',c_1)\). If \(c_1=c_1'\), then the change is syntactical and has no effect in the check in Step 5. If \(c_1\ne c_1'\), the condition in Step 5 rejects irrespective of the value of \(c_2'\). Hence, this change does not change the output distribution of the oracles as well.

$$\begin{aligned} \text {Prob}[G_3^\mathcal {A}=1]= \text {Prob}[G_4^\mathcal {A}=1] \end{aligned}$$

Fig. 16.

The oracles in \(\mathbf{G_4,G_5,G_6,G_7}\). \(\overline{\mathtt {PCO}}\) is the plaintext checking oracle for \(\mathsf{PKE}\).

Game \(\mathbf {G_5}\). We change the description of the oracle \(\mathtt {CVO}(c)\). We raise a flag Bad, if \(c_2'=c_2\) but \(c_1\) is not a valid ciphertext of \(\mathsf{PKE}\), i.e \(m'\notin \mathcal {M}\) or \(c_1\ne \mathtt{Enc}(pk,m')\) where \(m'=\mathtt{Dec}(c_1)\). However, we do not change the output of the oracle. still return 0 when Bad is set.

$$\begin{aligned} \text {Prob}[G_4^\mathcal {A}=1]= \text {Prob}[G_5^\mathcal {A}=1] \end{aligned}$$

Game \(\mathbf {G_6}\). In game \(\mathbf{G_6}\), \(\mathtt {CVO}(c)\) returns 1, when Bad is set. Rest of the games remain unchanged. By the fundamental lemma of game playing proofs,

$$\begin{aligned} \left| \text {Prob}[G_5^\mathcal {A}=1]-\text {Prob}[G_6^\mathcal {A}=1]\right| \le \text {Prob}[\text {{Bad}}] \end{aligned}$$

Note, in the game \(\mathbf{G_6}\), the oracle \(\mathtt {CVO}\) returns 1, if and only if \(c_2=F'(k',c_1)\).

Game \(\mathbf {G_7}\). We rewrite the description of . We no longer run \(\mathtt{Dec}\) and \(\mathtt{Enc}\). The oracle parses c as \(c_1||c_2\), and returns 1 if \(c_2=F'(k',c_1)\) and returns 0 otherwise. Rest of the game remain unchanged. As the output distribution of all the procedures in \(\mathbf {G_7}\) is same as that in \(\mathbf {G_6}\).

$$\begin{aligned} \text {Prob}[G_6^\mathcal {A}=1]= \text {Prob}[G_7^\mathcal {A}=1] \end{aligned}$$

Bounding Prob\({\varvec{[G_7^\mathcal {A}=1]}}\). In Fig. 17, we construct an adversary \(\mathcal {B}\) against OW-PCA security of PKE. \(\mathcal {B}\) receives \((pk,c^*)\), invokes \(\mathcal {A}(pk,c^*)\) and perfectly simulates the game \(\mathbf{G_7}\) for \(\mathcal {A}\). When \(\mathcal {A}\) returns a message m, \(\mathcal {B}\) returns m.

Fig. 17.

adversary \(\mathcal {B}\)

Efficiency of \(\mathcal {B}\). Algorithm \(\mathcal {B}\) runs \(\mathcal {A}\), queries \(\mathtt {PCO}\) for \(q_P\) many times, runs \(\mathtt{Enc}\) for \(q_{h'}\) many times, and computes \(F'\) for \((1+q_{h'}+q_V+q_P)\) many times. Rest of the steps take time.

The last \(q_P\) term in the right hand side denotes the number of queries made to \(\mathtt {PCO}\).

Memory Efficiency of \(\mathcal {B}\). \(\mathcal {B}\) needs to save the code of \(\mathcal {A}\), \(\mathtt{Enc}\), and \(F'\). In addition, there are following size registers, \(c^*,c_1,c_2,k',m,c,c_2',h'\).

Bounding Prob[Bad]. To bound \(\text {Prob}[\text {Bad}]\), we construct a prf adversary \({\mathcal {B}}_{F'}^{(1)}\) against \(F'\). Recall that Bad occurs when for a \(\mathtt {CVO}(c)\) query, we get

$$\begin{aligned} c_2'=c_2\text { and } (m'\notin \mathcal {M} \text { or } c_1'\ne c_1) \end{aligned}$$

where \(c=c_1||c_2\), \(m'=\mathtt{Dec}(sk,c_1)\), \(c_1'=\mathtt{Enc}(pk,m')\), and \(c_2'= F'(k',c_1)\).

• Case \(m'\in \mathcal {M}\) and \(c_1'\ne c_1\). In this case correctness error occurs in \(\mathsf{PKE}\). Probability of this event is bounded by \(\delta (q_V)\).

• Case \(m'\notin \mathcal {M}\). In this case, for an invalid ciphertext \(c_1\) in \(\mathsf{PKE}\), \(\mathcal {A}\) can produce a \(c_2\) such that \(c_2=F'(k',c_1)\). As \(\mathcal {A}\) has no direct access to \(F'(k',.)\) evaluation, and \(c_1\) is an invalid ciphertext, there is no \(H'(m)\) or \(\mathtt {PCO}(m,c)\) query in the transcript for which \(F'(k',c_1)\) was evaluated. Notice that, in \(\mathtt {PCO}(m,c)\) evaluates \(F'(k',c_1)\) only when \(\mathtt {PCO}(m,c_1)=1\), which can not occur here. So, \(\text {Bad}=1\) implies that \(\mathcal {A}\) can “guess” the output of \(F'(k',c_1)\) for some \(c_1\in \mathcal {C}\). For random function this can happen with probability \(\frac{q_V}{2^\eta }\). If Bad happens in significantly more probability in \(\mathcal {G}_5\), that can be used to break the prf security of \(F'\).

Formal description of \({\mathcal {B}}_{F'}^{(1)}\) is given in Fig. 18. \({\mathcal {B}}_{F'}^{(1)}\) perfectly simulates game \(G_5\) with the help of its oracle \(\mathtt {O}_{F'}\). If \(\mathcal {A}\) ever submits a \(\mathtt {CVO}(c)\) query for which Bad occurs, \({\mathcal {B}}_{F'}^{(1)}\) outputs 1 and halts. If no such query is made, then at the end of the simulation, \({\mathcal {B}}_{F'}^{(1)}\) outputs 0. If \(\mathtt {O}_{F'}\) is a random function, then for a fixed \(\mathtt {CVO}(c)\) query, \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is at most \(\frac{1}{2^\eta }\). Taking union bound over all the \(\mathtt {CVO}(c)\) queries made by \(\mathcal {A}\), when \(\mathtt {O}_{F'}\) is a random function, \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is at most \(\frac{q_V}{2^\eta }\). When \(\mathtt {O}_{F'}\) is the prf \(F'\), \(\text {Prob}[{\mathcal {B}}_{F'}^{(1)}=1]\) is exactly \(\text {Prob}[\text {Bad}]\) in \(G_5\).

Fig. 18.

The PRF adversary \({\mathcal {B}}_{F'}^{(1)}\)

$$\begin{aligned} \text{ Adv }_{{\mathcal {B}}_{F'}^{(1)},F'}^\mathrm{prf}\ge \left| \text {Prob}[\text{ Bad }] - \frac{q_V}{2^\eta }-\delta (q_V)\right| \\ \implies \text {Prob}[\text{ Bad }]\le \text{ Adv }_{{\mathcal {B}}_{F'}^{(1)},F'}^\mathsf{prf} + \frac{q_V}{2^\eta } +\delta (q_V) \end{aligned}$$

Efficiency of \({\mathcal {B}}_{F'}^{(1)}\). \({\mathcal {B}}_{F'}^{(1)}\) runs \(\mathcal {A}\) once, algorithm \(\mathtt{Gen}\) once, algorithm \(\mathtt{Enc}\) for \((1+q_{h'}+q_P+q_V)\) times, and \(\mathtt{Dec}\) for \(q_V\) times. Additionally \({\mathcal {B}}_{F'}^{(1)}\) queries the oracle \(\mathtt {O}_{F'}\) for \((1+q_{h'}+q_P+q_V)\) times.

$$\begin{aligned} \mathbf{LocalTime}(\mathcal {B}_{{F'}}^{(1)})\approx&\mathbf{LocalTime}(\mathcal {A})+\mathbf{LocalTime}(\mathtt{Gen}) + q_V\cdot \mathbf{LocalTime}(\mathtt{Dec})\\ {}&+(1+q_{h'}+q_P+q_V)(1+\mathbf{LocalTime}(\mathtt{Enc})) \end{aligned}$$

\({\mathcal {B}}_{F'}^{(1)}\) needs to save the code of \(\mathcal {A},\mathtt{Gen},\mathtt{Enc}\), and \(\mathtt{Dec}\). In addition, it needs to save eight size and a flag of a single bit. registers.

Finishing the Proof of Theorem 8. Collecting the probabilities of the games, we have proven so far, there exist adversaries \(\mathcal {B}, \mathcal {B}_{\hat{F}},\) and \(\mathcal {B}_{{F'}}^{(1)}\), such that

Applying Lemma 5, we get a \(\mathcal {B}_{{F'}}^{(2)}\) such that,

Efficiency of \(\mathcal {B}_{{F'}}^{(2)}\) is bounded using following lemma.

Lemma 6

Merging \(\mathcal {B}_{F'}^{(1)}\) and \(\mathcal {B}_{F'}^{(2)}\) into one adversary \(\mathcal {B}_{F'}\), and taking upper bound of their efficiencies, we get Theorem 8.

5 Memory-Tight Reductions for Fujisaki-Okamoto Transformation and Variants

In this section, we prove memory-tight reduction of the security of four different variants of the Fujisaki-Okamoto transformation, following the modular approach of [16]. Before describing the exact transformations we consider, first we recall the modules introduces in [16].

5.1 Brief Overview of Modules from [16]

We recall the modules in the top-down fashion. First we describe the transformations from a public key encryption scheme to a key encapsulation mechanisms.

Table 2. Variants of transformation \(\mathrm {U}\). In the column \(\mathtt{Decap}\), s is a random string, \(sk'=sk||s\), and \(m=\mathtt{Dec}_1(sk,c)\).

Outer Modules: \(\mathrm {U}^{\not \perp }\), \(\mathrm {U}_m^{\not \perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\perp }\). Let \(\mathsf{PKE}_1=(\mathtt{Gen}_1,\mathtt{Enc}_1,\mathtt{Dec}_1)\) be a public key encryption scheme with the message space \(\mathcal {M}\) and let \(\mathtt {H}:\mathcal {M}\rightarrow \mathcal {K}\) be a hash function. Table 2 describes the variants of module \(\mathrm {U}\) to construct a KEM using \(\mathsf{PKE}_1\) and \(\mathtt {H}\). The transformations yield KEM of two categories. Transformations \(\mathrm {U}^{\not \perp }\) and \(\mathrm {U}_m^{\not \perp }\) are in the category of implicit rejection, as the decapsulation algorithms in these transformations do not output \(\perp \), when queried with an invalid ciphertext. Transformation \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\perp }\) are in the category of explicit rejection, implying that the decapsulation algorithms, given any invalid ciphertext, indeed output \(\perp \).

Inner Module: T. Let \(\overline{\mathsf{PKE}}=(\mathtt{Gen},\overline{\mathtt{Enc}},\) \(\overline{\mathtt{Dec}})\) be an secure public key encryption scheme. Let \(\mathcal {M}\) \(=\{0,1\}^n\) be the message space, \(\mathcal {C}\) be the ciphertext space, and \(\mathcal {R}\) be the randomness space. Let be a hash function. The transformation T results in a deterministic public key encryption scheme . Formal description of T is given in Fig. 19.

Fig. 19.

Encryption scheme \(\mathsf{PKE}=T[\overline{\mathsf{PKE}}]\)

5.2 Considered Variants and the Reductions

We consider three other variants of FO transformations. The variants and their modular decomposition are listed in Table 3. For each transformation we start with an secure public key encryption \(\overline{PKE}\). We prove memory-tight reduction for each of the modules next.

Table 3. Variants of FO transformations and their modular breakup

Memory-Tight Reduction for T : .

Theorem 10

Let \(\mathcal {A}\) be any adversary in the game of \(\mathsf{PKE}\). Suppose \(\mathcal {A}\) makes \(q_g\) queries to . Let \(q_p\) denote the number of plaintext checking queries made by \(\mathcal {A}\). Then, in the random oracle model, there exists adversaries \(\mathcal {B}\) in the game against \(\overline{\mathsf{PKE}}\), and \(\mathcal {B}_{F}\) in the prf game, such that

$$\begin{aligned} \mathbf{LocalTime}({\mathcal {B}}) \approx&\mathbf{LocalTime}(\mathcal {A})+(q_g+q_p) \mathbf{LocalTime}(F)\\ \mathbf{LocalMem}({\mathcal {B}})\approx&\mathbf{LocalMem}(\mathcal {A})+\mathbf{LocalMem}(F) \end{aligned}$$

The proof of the above theorem follows exactly from the proof of analogous Theorem 3.2 of [16] and using the random oracle simulation by a prf F. Moreover, from [16], we get that, if \(\mathsf{PKE}\) is strongly \(\overline{\delta }\) correct, then \(\mathsf{PKE}\) is \(\delta (q_g+q_p)\) correct where \(\delta (x)=x\overline{\delta }\).

Memory-Tight Reduction for V: . It follows from Theorem 8.

Memory-Tight Reduction for Variants of U. Table 2 lists four variants of \(\mathrm {U}\) with different security implications. The memory-efficient reductions of these implications are in principle same as the proofs presented in [16]. The only difference is in the simulation of the Random Oracle \(\mathtt {H}\). In Table 4, we write the precise functions to be used to simulate the random oracles in the reductions. We assume the message space of the underlying encryption scheme to be . \(\mathtt {PCO}(m,c)\) returns 1 if c decrypts to m. returns 0 if c decrypts to \(\perp \).

Table 4. Random oracle simulation for \(\mathrm {U}^{\not \perp }\), \(\mathrm {U}_m^{\not \perp }\), \(\mathrm {U}^{\perp }\), \(\mathrm {U}_m^{\perp }\). We assume \(\mathcal {M}=\{0,1\}^{\mu }\) is the message space of the underlying encryption scheme