Post-Quantum Security of the Fujisaki-Okamoto and OAEP Transforms
Abstract
In this paper, we present a hybrid encryption scheme that is chosen ciphertext secure in the quantum random oracle model. Our scheme is a combination of an asymmetric and a symmetric encryption scheme that are secure in a weak sense. It is a slight modification of the Fujisaki-Okamoto transform that is secure against classical adversaries. In addition, we modify the OAEP cryptosystem and prove its security in the quantum random oracle model based on the existence of a partial-domain one-way injective function secure against quantum adversaries.
Keywords
Quantum · Random oracle · Indistinguishability against chosen ciphertext attacks
1 Introduction
The interest in verifying the security of cryptosystems in the presence of a quantum adversary increased after the celebrated paper of Shor [10]. Shor showed that any cryptosystem based on the factoring problem and the discrete logarithm problem is breakable in the presence of a quantum adversary. Also, many efficient classical cryptosystems are proved to be secure in the random oracle model [3] and many of them still lack an equivalent proof in the quantum setting. Therefore, even if we find a cryptographic primitive immune to quantum attacks, to construct an efficient cryptosystem secure against quantum adversaries, we may have to consider its security in the quantum random oracle model in which the adversary has quantum access to the random oracle.
Fujisaki and Okamoto [8] constructed a hybrid encryption scheme that is secure against chosen ciphertext attacks (IND-CCA) in the random oracle model. Their scheme is a combination of a symmetric and an asymmetric encryption scheme using two hash functions, where the symmetric and asymmetric encryption schemes are only required to be secure in a very weak sense. However, their proof of security works only against classical adversaries, and it is not clear how one can fix their proof in the quantum setting. In the following, we mention the parts of the classical proof that may not work in the quantum setting.
 (a)
The classical proof uses the list of all queries made to the random oracles to simulate the decryption algorithm without possessing the secret key of the asymmetric encryption scheme. In the quantum case, where the adversary has quantum access to the random oracles and submits queries in superposition, such a list is not a well-defined concept.
 (b)
Also, the classical proof uses the fact that using a random value \(h^*\) instead of a given random oracle output H(x) cannot be noticed by the adversary, provided that the adversary never queries x from the random oracle. In the quantum setting, the adversary may in a certain sense always query all values x by querying the random oracle on the superposition \(\sum_x |x\rangle\) of all values. The situation gets especially difficult since the value x depends in turn on messages produced by the adversary.
 (c)
Finally, the classical proof uses the fact that for a randomized encryption scheme, it is hard to find values \(x\ne x'\) such that encrypting a message m with randomness H(x) or \(H(x')\) leads to the same ciphertext. (Note: this does not follow directly from the collision resistance of the random oracle H.)
Consequently, the quantum security of the scheme is left as an open problem by Boneh et al. [6] and Zhandry [17].
We show how to circumvent those problems. Problem (c) is solved by using a recent result showing the collision resistance of random functions with outputs sampled from a non-uniform distribution [12]. Problem (b) is solved by the “one-way to hiding” lemmas from [13, 14], which give us a tool for handling the reprogramming of the random oracle. Problem (a) remains. In fact, we do not have a proof for the unmodified Fujisaki-Okamoto scheme. However, we show how to solve the problem by adding one more hash value \(H'(\delta )\) to the ciphertext. Although in general it may not be well-defined in the quantum setting what the list of queries to the random oracle is, we can show it to be well-defined in this case, using the fact that range and domain of \(H'\) have the same size. (A similar idea was used by [15] for the construction of quantum-secure non-interactive zero-knowledge proofs.)
Bellare and Rogaway [4] proposed another method, named OAEP, for converting a trapdoor permutation into an encryption scheme. It was believed that the OAEP cryptosystem is provably secure in the random oracle model based on the one-wayness of the trapdoor permutation, but Shoup [11] showed that this belief is unjustified. Later, Fujisaki et al. [9] proved IND-CCA security of the OAEP cryptosystem based on a stronger assumption, namely, partial-domain one-wayness of the underlying permutation. As pointed out by [6], the proof of OAEP security uses preimage awareness (i.e., that the preimage of a random oracle query is well-defined and known to the algorithm making it), a technique that does not seem to work in the quantum setting. This problem is the same as problem (a) above; we show that a similar approach works also in the case of OAEP.
Note that our modification increases the ciphertext size by only a single hash value \(H'(\delta )\) and is computationally inexpensive.
As already mentioned above, the added hash value \(H'(\delta )\) solves problem (a) because given \(H'(\delta )\), it is well-defined what \(\delta \) is. This is because \(H'\) is chosen to have the same domain and range size, and hence is indistinguishable from a permutation [16]. However, in the formal proof, we do not directly use that fact; instead our proof goes along the following lines: We replace \(H'\) with a random polynomial to force the adversary to submit the input that has been used to obtain the ciphertext. This can be done due to a result by Zhandry [17] that shows that a random oracle is indistinguishable from a 2q-wise independent function, where q is the number of queries that the adversary makes to the oracle function. In addition, we use the “one way to hiding” lemmas presented in [13, 14]. As soon as \(H'\) is implemented as a polynomial, we can use the fact that the roots of a polynomial can be found in polynomial time; this allows us to efficiently get all candidates for \(\delta \) given \(H'(\delta )\).
Also, we modify the OAEP cryptosystem and prove its security in the quantum random oracle model based on the existence of a partial-domain one-way trapdoor injective function secure against quantum adversaries. This will remain theoretical until a candidate for a quantum-secure partial-domain one-way trapdoor injective function is discovered. The proof follows similar lines as that of the Fujisaki-Okamoto transform.
A note on superposition queries. Following [6], we use the quantum random oracle model in which the adversary can make queries to the random oracle in superposition (that is, given a superposition of inputs, he can get a superposition of output values). This is necessary since a quantum adversary attacking a scheme based on a real hash function is necessarily able to evaluate that function in superposition. Hence the random oracle model must reflect that ability.
However, we do not model superposition queries to the encryption and decryption oracles (as was done, for example, in [7]). We do strive to achieve security for the case where the encryption is used within a classical protocol (this is modeled by the fact that plaintexts and ciphertexts are classical, while the adversary is quantum), which is probably the most important use case for post-quantum secure encryption schemes.
In contrast, [7] considers security where an encryption scheme intended for classical plaintexts is used with a quantum superposition of plaintexts. And [1] considers the case where an encryption scheme intended for encrypting quantum data is used.
On the necessity of our modifications. We have slightly modified both the Fujisaki-Okamoto transform and the OAEP cryptosystem by adding one additional hash to the ciphertexts. Although these additions are not very costly, it is a natural question whether they are necessary, especially in light of the question whether existing implementations are post-quantum secure. Although it is clear that our proof technique strongly relies on these additional hashes, this does not mean that the original schemes are insecure. However, we urge the reader not to assume that they are post-quantum secure just because they are classically secure. For example, in [2] it was shown that (at least relative to a specific oracle) the Fiat-Shamir transform is insecure in the quantum setting (using quantum random oracles). Their setting is similar to ours, so while there are no known attacks on Fujisaki-Okamoto or OAEP, we should not rely on their security until a security proof is found. We leave finding either an attack or a proof as a (highly non-trivial) open problem.
Organization. In Sect. 2, we present the required security definitions and other definitions, as well as various theorems related to random oracles that we import from prior work. In Sect. 3, we define our variant of the Fujisaki-Okamoto transform and prove its security; the proofs of the lemmas used there are deferred to Sect. 4. In Sect. 5, we define our variant of OAEP and present its security proof.
2 Preliminaries
Let KSP and MSP stand for the key space and the message space respectively. The notation \(x \xleftarrow \$ X\) means that x is chosen uniformly at random from the set X. A symmetric encryption scheme and an asymmetric encryption scheme are defined as follows. A symmetric encryption scheme \(\varPi = (Enc, Dec)\) consists of two algorithms:
 1.
Enc, the encryption algorithm, is a probabilistic algorithm which takes as input a key \(k \in \texttt {KSP}\) and a message \(m \in \texttt {MSP}\) and outputs a ciphertext \(c \leftarrow {Enc}_{k}(m)\). The message space can be infinite and may depend on the security parameter.
 2.
Dec, the decryption algorithm, is a deterministic algorithm that takes as input a key k and a ciphertext c and returns the message \(m:= {Dec}_{k}(c)\). It is required that the decryption algorithm returns the original message, i.e., \({Dec}_{k}({Enc}_{k}(m)) = m\), for every \(k \in \texttt {KSP}\) and every \(m \in \texttt {MSP}\).
An asymmetric encryption scheme \(\varPi = (Gen, Enc, Dec)\) consists of three algorithms:
 1.
Gen, the key generation algorithm, is a probabilistic algorithm which on input \(1^ n \) outputs a pair of keys, \((pk, sk)\leftarrow {Gen}(1^n)\), called the public key and the secret key for the encryption scheme, respectively.
 2.
Enc, the encryption algorithm, is a probabilistic algorithm which takes as input a public key pk and a message \(m \in \texttt {MSP}\) and outputs a ciphertext \(c \leftarrow {Enc}_{pk}(m)\). The message space, \(\texttt {MSP}\), may depend on pk.
 3.
Dec, the decryption algorithm, is a deterministic algorithm that takes as input a secret key sk and a ciphertext c and returns the message \(m:= {Dec}_{sk}(c)\). It is required that the decryption algorithm returns the original message, i.e., \({Dec}_{sk}({Enc}_{pk}(m)) = m\), for every \((pk, sk)\leftarrow {Gen}(1^n)\) and every \(m \in \texttt {MSP}\). The algorithm Dec returns \(\perp \) if the ciphertext c is not decryptable.
Let \(y := Enc_{pk}(x;h)\) be the encryption of message x using the public key pk and the randomness \(h \in \texttt {COIN}\) where COIN stands for the coin space of the encryption scheme. \(\Pr [P: G]\) is the probability that the predicate P holds true where free variables in P are assigned according to the program in G.
Definition 1
Definition 2
2.1 Security Definitions
Let negl(n) be any non-negative function that is smaller than the inverse of any positive polynomial p(n) for sufficiently large n; that is, \(\lim _{n \rightarrow \infty } \textsf {negl(n)}\,p(n) = 0\) for every polynomial p(n). In the following, we present the security definitions that are needed in this paper. Note that the definitions are the same as the security definitions in [8], except that here they are stated in the presence of a quantum adversary. As the following two security definitions will both be used in the security proof of our scheme, we differentiate between them by writing \(\textsf {negl(n)}^{sy}\) and \(\textsf {negl(n)}^{asy}\) in the definitions.
Definition 3
(One-time secure). A symmetric encryption scheme \(\varPi = (Enc,Dec)\) is one-time secure if no quantum polynomial-time adversary \(\mathcal {A}\) can win in the \(PrivK^{OT}_{\mathcal {A},\varPi }(n)\) game, except with probability at most 1/2 + \(\textsf {negl(n)}^{sy}\):
\(\underline{\pmb {PrivK}^{\pmb {OT}}_{\pmb {\mathcal {A},\varPi }}(n) game:}\)
Key Gen: The challenger picks a key k from \(\texttt {KSP}\) uniformly at random, i.e., \(k \xleftarrow {\$} \texttt {KSP} \).
Query: The adversary \(\mathcal {A}\) on input \((1^n)\) chooses two messages \(m_{0},m_{1}\) of the same length and sends them to the challenger. The challenger chooses \(b\xleftarrow {\$}\{0,1\}\) and responds with \(c^{*} \leftarrow {Enc}_{k}(m_{b})\).
Guess: The adversary \(\mathcal {A}\) produces a bit \(b'\), and wins if b = \(b'\).
Definition 4
(One-way secure). An asymmetric encryption scheme \(\varPi = (Gen, Enc, Dec)\) is one-way secure if no quantum polynomial-time adversary \(\mathcal {A}\) can win in the \(PubK^{OW}_{\mathcal {A},\varPi }(n)\) game, except with probability at most \(\textsf {negl(n)}^{asy}\):
\(\underline{\pmb {PubK}^{\pmb {OW}}_{\pmb {\mathcal {A},\varPi }}(n) game}\):
Key Gen: The challenger runs \(Gen(1^{n})\) to obtain a pair of keys (pk, sk).
Challenge Query: The challenger picks a uniformly random x from the message space, i.e., \(x \xleftarrow \$ \texttt {MSP}\), and encrypts it using the encryption algorithm \(Enc_{pk}\) to obtain the ciphertext \(y \leftarrow Enc_{pk}(x)\), and sends y to the adversary \(\mathcal {A}\).
Guess: The adversary \(\mathcal {A}\) on input (pk, y) produces a bit string \(x'\), and wins if \(x'\) = x.
In the next definition, we say that the quantum algorithm \(\mathcal {A}\) has quantum access to the random oracle H if \(\mathcal {A}\) can submit queries in superposition and the oracle H answers these queries by applying a unitary transformation that maps \(|x, y\rangle\) to \(|x, y \oplus H(x)\rangle\).
Definition 5
(IND-CCA in the quantum random oracle model). An asymmetric encryption scheme \(\varPi ^{asy} = (Gen,Enc,Dec)\) is IND-CCA secure if no quantum polynomial-time adversary \(\mathcal {A}\) can win in the \(PubK^{CCA-QRO}_{\mathcal {A},\varPi }(n)\) game, except with probability at most 1/2 + negl(n):
\(\underline{\pmb {PubK}^{\pmb {CCA-QRO}}_{\pmb {\mathcal {A},\varPi }}(n)}\) game:
Key Gen: The challenger runs \(Gen(1^{n})\) to obtain a pair of keys (pk, sk) and chooses random oracles.
Query: The adversary \(\mathcal {A}\) is given the public key pk, has classical oracle access to the decryption oracle and quantum access to the random oracles, and chooses two messages \(m_{0},m_{1}\) of the same length, which it sends to the challenger. The challenger chooses \(b\xleftarrow {\$}\{0,1\}\) and responds with \(c^{*} \leftarrow {Enc}_{pk}(m_{b})\).
Guess: The adversary \(\mathcal {A}\) continues to query the decryption oracle and the random oracles, but may not query the ciphertext \(c^{*}\) in a decryption query. Finally, the adversary \(\mathcal {A}\) produces a bit \(b'\), and wins if b = \(b'\).
2.2 Quantum Accessible Random Oracles
In this section, we present some existing results about random oracles that we need to prove the security of our scheme.
Lemma 1
(One way to hiding (O2H) [14]). Let \(H: \{0,1\}^{n}\rightarrow \{0,1\}^{m}\) be a random oracle. Consider an oracle algorithm \(A_{1}\) that makes at most \(q_{1}\) queries to H. Let C be an oracle algorithm that on input x does the following: pick \(i\xleftarrow {\$}\{1,\ldots ,q_{1}\}\) and \(y\xleftarrow {\$}\{0,1\}^{m}\), run \(A_{1}^{H}(x,y)\) until (just before) the i-th query, measure the argument of the query in the computational basis, and output the measurement outcome. (When \(A_{1}\) makes fewer than i queries, C outputs \(\bot \notin \{0,1\}^{n}\).)
Lemma 2
(One way to hiding, adaptive (O2HA) [13]). Let \(H: \{0,1\}^{*}\rightarrow \{0,1\}^{n}\) be a random oracle. Consider an oracle algorithm \(A_{0}\) that makes at most \(q_{0}\) queries to H. Consider an oracle algorithm \(A_{1}\) that uses the final state of \(A_0\) and makes at most \(q_{1}\) queries to H. Let C be an oracle algorithm that on input (j, B, x) does the following: run \(A_{1}^{H}(x,B)\) until (just before) the j-th query, measure the argument of the query in the computational basis, and output the measurement outcome. (When \(A_{1}\) makes fewer than j queries, C outputs \(\bot \notin \{0,1\}^{\ell }\).)
Lemma 3
(Corollary 6 of [12]). Let \(f: \{0, 1\}^{n_1} \rightarrow \{0, 1\}^{n_2}\) be a function with min-entropy k. Let \(H: \{0, 1\}^{*} \rightarrow \{0, 1\}^{n_1}\) be a random oracle. Then any quantum algorithm A making q queries to H returns a collision for \(f\circ H\) with probability at most \(O\left( \frac{q^{9/5}}{2^{k/5}}\right) \).
3 The Hybrid Scheme and Its Security
In this section, we combine an asymmetric encryption scheme with a symmetric encryption scheme by using three hash functions in order to obtain an \(\textsf {IND-CCA}\) secure public-key encryption scheme \(\varPi ^{hy}= ({Gen}^{hy}, {Enc}^{hy}, {Dec}^{hy})\) in the quantum random oracle model.
 1.
\(Gen^{hy}\), the key generation algorithm, on input \(1^{n}\) runs \(Gen^{asy}\) to obtain a pair of keys (pk, sk).
 2.
\(Enc^{hy}\), the encryption algorithm, on input pk and message \(m \in \texttt {MSP}^{hy} := \texttt {MSP}^{sy}\) does the following:
 (a)
Select \(\delta \xleftarrow {\$} \texttt {MSP}^{asy}\).
 (b)
Compute \(c \leftarrow {Enc}_{a}^{sy}(m)\), where \(a:= G(\delta )\).
 (c)
Compute \(e := {Enc}_{pk}^{asy}(\delta ; h)\), where \(h:= H(\delta \Vert c)\).
 (d)
Finally, output (e, c, d) as \(Enc^{hy}_{pk}(m; \delta )\), where \(d:= H'(\delta )\).
 3.
\(Dec^{hy}\), the decryption algorithm, on input sk and ciphertext (e, c, d) does the following:
 (a)
Compute \(\hat{\delta }:= Dec^{asy}_{sk}(e)\).
 (b)
If \(\hat{\delta }=\perp \): abort and output \(\perp \).
 (c)
Otherwise set \(\hat{h}:= H(\hat{\delta } \Vert c)\).
 (d)
If \(e \ne Enc^{asy}_{pk}(\hat{\delta }; \hat{h})\): abort and output \(\perp \).
 (e)
Else if \(d = H'(\hat{\delta })\): compute \(\hat{a}:= G(\hat{\delta })\) and output \(Dec^{sy}_{\hat{a}}(c)\).
 (f)
Else output \(\perp \).
Note that our construction is the same as the Fujisaki-Okamoto construction, except that we use an extra random oracle \(H'\). Consequently, the ciphertext has one more component, the encryption algorithm has an additional instruction to compute \(H'(\delta )\), and the decryption algorithm has an additional check corresponding to \(H'\).
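As an added illustration (this is not code from the paper), the following Python program instantiates the hybrid scheme above with toy components: textbook ElGamal over \(\mathbb{Z}_p^*\) plays \(\varPi^{asy}\) (so that \(Enc^{asy}_{pk}(\delta; h)\) is deterministic once the coin h is fixed and the re-encryption check in \(Dec^{hy}\) can be performed), a one-time pad keyed by \(G(\delta)\) plays \(\varPi^{sy}\), and domain-separated SHA-256 / SHAKE256 calls stand in for the random oracles H, G and \(H'\). The modulus \(p = 2^{127}-1\), the generator 3 and the 16-byte encoding of \(\delta\) (which makes \(H'\) a map from 16 bytes to 16 bytes, as the construction requires equal domain and range size) are hypothetical choices for illustration only and are not a secure parameter set. The `demo` function runs one honest round trip and then tampers with each of e, c and d in turn, showing that the re-encryption check and the additional \(H'\) check each make \(Dec^{hy}\) return \(\perp\) (`None`).

```python
# Toy instantiation of the modified Fujisaki-Okamoto transform of Section 3.
# Added illustration, not the paper's code. Hypothetical choices (NOT secure
# parameters): ElGamal over Z_p^* with p = 2^127 - 1 and g = 3 as Pi^asy,
# a SHAKE256-expanded one-time pad as Pi^sy, and domain-separated SHA-256 /
# SHAKE256 calls standing in for the random oracles H, G and H'.
import hashlib
import secrets

P = (1 << 127) - 1      # toy modulus (Mersenne prime)
GEN = 3                 # toy generator of the ElGamal group
DELTA_BYTES = 16        # delta is encoded in 16 bytes, so H' maps 16 bytes to 16 bytes


def keygen():
    """Gen^asy: ElGamal key pair (pk, sk)."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(GEN, sk, P), sk


def enc_asy(pk, delta, h):
    """Enc^asy_pk(delta; h): deterministic once the coin h in [1, p-2] is fixed."""
    return pow(GEN, h, P), (delta * pow(pk, h, P)) % P


def dec_asy(sk, e):
    """Dec^asy_sk(e); None plays the role of the paper's bottom symbol."""
    c1, c2 = e
    if not (1 <= c1 < P and 1 <= c2 < P):
        return None
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


def _delta_bytes(delta):
    return delta.to_bytes(DELTA_BYTES, "big")


def oracle_H(delta, c):
    """H(delta || c): the coin for Enc^asy, reduced into [1, p-2]."""
    digest = hashlib.sha256(b"H|" + _delta_bytes(delta) + c).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 2)


def oracle_G(delta, length):
    """G(delta): the one-time-pad key a, expanded to the message length."""
    return hashlib.shake_256(b"G|" + _delta_bytes(delta)).digest(length)


def oracle_Hprime(delta):
    """H'(delta): the extra hash of this paper; domain and range are both 16 bytes."""
    return hashlib.sha256(b"H'|" + _delta_bytes(delta)).digest()[:DELTA_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_hy(pk, m):
    """Enc^hy_pk(m) -> (e, c, d), following the four steps of Section 3."""
    delta = secrets.randbelow(P - 1) + 1           # delta <-$ MSP^asy = Z_p^*
    c = xor(m, oracle_G(delta, len(m)))             # c <- Enc^sy_a(m) with a = G(delta)
    e = enc_asy(pk, delta, oracle_H(delta, c))      # e := Enc^asy_pk(delta; H(delta || c))
    d = oracle_Hprime(delta)                        # d := H'(delta)
    return e, c, d


def dec_hy(pk, sk, ct):
    """Dec^hy_sk(e, c, d); pk is needed for the re-encryption check."""
    e, c, d = ct
    delta_hat = dec_asy(sk, e)
    if delta_hat is None:
        return None
    if enc_asy(pk, delta_hat, oracle_H(delta_hat, c)) != e:   # e was not formed honestly
        return None
    if d != oracle_Hprime(delta_hat):                         # the additional H' check
        return None
    return xor(c, oracle_G(delta_hat, len(c)))


def demo():
    """One honest round trip, then one tampered component at a time."""
    pk, sk = keygen()
    m = b"attack at dawn"
    e, c, d = enc_hy(pk, m)
    flip = lambda s: bytes([s[0] ^ 1]) + s[1:]   # flip one bit of the first byte
    return (
        dec_hy(pk, sk, (e, c, d)),                     # the plaintext m
        dec_hy(pk, sk, (e, flip(c), d)),               # None: H(delta || c) changes
        dec_hy(pk, sk, (e, c, flip(d))),               # None: d != H'(delta)
        dec_hy(pk, sk, ((e[0], e[1] * 2 % P), c, d)),  # None: re-encryption fails
    )


if __name__ == "__main__":
    print(demo())
```

The tampered-c case is the one the re-encryption check exists for: since the coin is \(H(\delta \Vert c)\), any change to c changes the coin with which e must have been produced, so \(Dec^{hy}\) detects a modified symmetric part without ever decrypting it.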
Theorem 1
The hybrid scheme \(\varPi ^{hy}\) constructed above is \(\textsf {IND-CCA}\) secure in the quantum random oracle model if \(\varPi ^{sy}\) is a one-time secure symmetric encryption scheme and \(\varPi ^{asy}\) is a well-spread one-way secure asymmetric encryption scheme.
Proof
Let \(A_{hy}\) be a quantum polynomial-time adversary that attacks \(\varPi ^{hy}\) in the sense of IND-CCA in the quantum random oracle model. Suppose that \(A_{hy}\) makes at most \(q_H\), \(q_G\) and \(q_{H'}\) quantum queries to the random oracles H, G and \(H'\), respectively, and \(q_{dec}\) classical decryption queries. Set \(q_{hy}:= q_H + q_G + q_{H'} + q_{dec} + 1\), i.e., the total number of queries that the adversary \(A_{hy}\) may make, including the challenge query. Let \(\varOmega _H\), \(\varOmega _{G}\), \(\varOmega _{H'}\) be the sets of all functions \(H: \{0, 1\}^{*}\rightarrow \{0, 1\}^{n_2}\), \(G: \{0, 1\}^{n_1}\rightarrow \{0, 1\}^{m}\) and \(H': \{0, 1\}^{n_1}\rightarrow \{0, 1\}^{n_1}\), respectively. The following game shows the chosen ciphertext attack by the adversary \(A_{hy}\) in the quantum setting, where the adversary \(A_{hy}\) has quantum access to the random oracles H, G and \(H'\) and classical access to the decryption algorithm \(Dec^{hy}\).
In order to show that the success probability of Game 0 is at most \(1/2 + \textsf {negl(n)}\), we shall introduce a sequence of games and compute the difference between their success probabilities. For simplicity, we omit the definitions of random variables that appear with the same distribution and without any changes in all of the following games. These random variables are: \(H \xleftarrow {\$} \varOmega _{H}, G \xleftarrow {\$} \varOmega _{G}\), \(\delta ^{*} \xleftarrow {\$} \texttt {MSP}^{asy}, (pk, sk)\leftarrow Gen^{asy}(1^n)\), and \(b \xleftarrow {\$} \{0, 1\}\).
 1.
If \(e^*\) is defined and \(e = e^*\): abort and return \(\perp \).
 2.
Else do:
 (a)
Compute \(\hat{\delta }:= Dec^{asy}_{sk}(e)\).
 (b)
If \(\hat{\delta } = \perp \): query \(H'(\delta ^* \oplus 1)\) (see Footnote 1), abort and output \(\perp \).
 (c)
Otherwise set \(\hat{h}:= H(\hat{\delta } \Vert c)\).
 (d)
If \(e \ne Enc^{asy}_{pk}(\hat{\delta }; \hat{h})\): query \(H'(\delta ^* \oplus 1)\) (see Footnote 1), abort and output \(\perp \).
 (e)
Else if \(d = H'(\hat{\delta })\): compute \(\hat{a}:= G(\hat{\delta })\) and output \(Dec^{sy}_{\hat{a}}(c)\).
 (f)
Else: output \(\perp \).
We prove that the probabilities of success in Game 0 and Game 1 have negligible difference. We can conclude the result by the fact that the asymmetric encryption scheme is wellspread. We present the proof of the following lemma in Sect. 4.
Lemma 4
It is clear that \(\ell (n)\) is a negligible function and as a result Game 0 and Game 1 have negligible difference.
Now, we can prove that \(\Pr [1 \leftarrow Game\ 2]= 1/2 + \textsf {negl(n)}^{sy}\). This follows from the onetime security assumption of the symmetric encryption scheme. We postpone the detailed proof of the following lemma to Sect. 4 in favor of having a simple proof.
Lemma 5
If the symmetric encryption scheme \(\varPi ^{sy}\) is onetime secure, then \(\Pr [1 \leftarrow Game\ 2]= 1/2 + \textsf {negl(n)}^{sy}\).
By using Lemma 5, we only need to show that the difference between the success probabilities of Game 1 and Game 2 is negligible.
Note that if we were in the classical random oracle setting, we could define the bad event to be querying G or \(H'\) on input \(\delta ^*\) and argue that the two games are indistinguishable until the bad event happens. However, there is no well-defined concept of the bad event when the adversary A can query G and \(H'\) in superposition and each quantum query can contain \(\delta ^*\) in some sense. Therefore, we use the O2H Lemma 1 to obtain an upper bound for \(\big |\Pr [1 \leftarrow Game\ 1] - \Pr [1 \leftarrow Game\ 2]\big |\).
Note that the adversary \(A^{G \times H'}_{}\) makes at most \(q_{o2h} := q_{G} + q_{H'} + 2q_{dec}\) queries to the random oracle \(G\times H'\) in order to respond to the \(A_{hy}\)queries.^{2}
Due to a result by Zhandry [17], a \(2(q_{H'} + q_{dec})\)-wise independent function \(H'\) is perfectly indistinguishable from a random function when the adversary makes at most \(q_{H'} + q_{dec} \) queries to \(H'\). Therefore, Game 3 and Game 4 are identical.
 1.
If \(e^*\) is defined and \(e = e^*\): output \(\perp \).
 2.
Else do:
 (a)
Calculate all roots of the polynomial \(H' - d\). Let S be the set of those roots.
 (b)
If there exists \(\hat{\delta } \in S\setminus \{\delta ^*\}\) such that \(e= Enc_{pk}^{asy}\big (\hat{\delta }; H(\hat{\delta } \Vert c)\big )\): query \(H'\) on input \(\hat{\delta }\), compute \(\hat{a}:= G(\hat{\delta })\) and return \(Dec_{\hat{a}}^{sy}(c)\).
 (c)
Else if \(e= Enc_{pk}^{asy}\big (\delta ^*; H(\delta ^* \Vert c)\big )\): if \(H'(\delta ^*) = d\), then compute \(\hat{a}:= G(\delta ^*)\) and return \(Dec_{\hat{a}}^{sy}(c)\); else return \(\perp \).
 (d)
Else: query \(H'\) on a random input \(\delta \xleftarrow \$ (\texttt {MSP}^{asy} \setminus \{\delta ^*\})\), and output \(\perp \).
In order to show that Game 4 and Game 5 are identical, we need to prove that the two decryption algorithms \(Dec^{*}\) and \(Dec^{**}\) return the same output. Also, note that Game 4 and Game 5 succeed if they measure a query containing the argument \(\delta ^*\). Therefore, we have to prove that the total number of queries submitted to the random oracles G and \(H'\) is the same for the two decryption algorithms, and that the queries with argument \(\delta ^*\) are equal in number and occur at the same points.
 1.
If \(\hat{\delta } = \perp \): In this case, both decryption algorithms return \(\perp \) and query the random oracle \(H'\), but not on input \(\delta ^*\).
 2.
If \(\hat{\delta } \ne \perp ,\ \hat{\delta } \ne \delta ^*\) and \(H'(\hat{\delta }) \ne d\): Note that \(\hat{\delta } \ne \delta ^*\) implies that \(e \ne e^*\) and \(e \ne Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c))\). Therefore, there are two subcases:
 (a)
If \(e \ne Enc^{asy}_{pk}(\hat{\delta }; H(\hat{\delta } \parallel c))\), then the decryption algorithm \(Dec^{*}\) queries the random oracle \(H'\) on input \(\delta ^* \oplus 1\) and the decryption algorithm \(Dec^{**}\) queries \(H'\) on a random element from \(\texttt {MSP}^{asy} \setminus \{\delta ^*\}\) since \(\hat{\delta } \not \in S\). Both algorithms return \(\perp \).
 (b)
Else, the decryption algorithm \(Dec^{*}\) queries the random oracle \(H'\) on input \(\hat{\delta }\) and the decryption algorithm \(Dec^{**}\) queries \(H'\) on a random element from \(\texttt {MSP}^{asy} \setminus \{\delta ^*\}\) since \(\hat{\delta } \not \in S\). Both algorithms return \(\perp \).
 3.
If \(\hat{\delta } \ne \perp , \hat{\delta } \ne \delta ^*\) and \(H'(\hat{\delta }) = d\): Note that \(\hat{\delta } \ne \delta ^*\) implies that \(e \ne e^*\) and \(e \ne Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c))\). Therefore, there are two subcases:
 (a)
If \(e \ne Enc^{asy}_{pk}(\hat{\delta }; H(\hat{\delta } \parallel c))\), then the decryption algorithm \(Dec^{*}\) queries the random oracle \(H'\) on input \(\delta ^* \oplus 1\) and outputs \(\perp \), and the decryption algorithm \(Dec^{**}\) queries \(H'\) on a random element from \(\texttt {MSP}^{asy} \setminus \{\delta ^*\}\) and outputs \(\perp \).
 (b)
Else, both decryption algorithms query the random oracles G and \(H'\) on input \(\hat{\delta }\) and output \(Dec_{G(\hat{\delta })}^{sy}(c)\).
 4.
If \(\hat{\delta } = \delta ^*\) and \(H'(\hat{\delta }) \ne d\): There are three subcases:
 (a)
If \(e^*\) is defined and \(e = e^*\): Then both decryption algorithms return \(\perp \) without any query to the random oracles G and \(H'\).
 (b)
Else if \(e \ne Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c))\): Then the decryption algorithm \(Dec^{*}\) queries the random oracle \(H'\) on input \(\delta ^* \oplus 1\) and the decryption algorithm \(Dec^{**}\) queries \(H'\) on a random element from \(\texttt {MSP}^{asy} \setminus \{\delta ^*\}\). Both decryption algorithms return \(\perp \).
 (c)
Else, both decryption algorithms query \(H'\) on input \(\delta ^*\) and output \(\perp \).
 5.
If \(\hat{\delta } = \delta ^*\) and \(H'(\hat{\delta }) = d\): There are three subcases:
 (a)
If \(e^*\) is defined and \(e = e^*\): Then both decryption algorithms return \(\perp \) without any query to the random oracles G and \(H'\).
 (b)
Else if \(e \ne Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c))\): Then the decryption algorithm \(Dec^{*}\) queries the random oracle \(H'\) on input \(\delta ^* \oplus 1\) and the decryption algorithm \(Dec^{**}\) queries \(H'\) on a random element from \(\texttt {MSP}^{asy} \setminus \{\delta ^*\}\). Both decryption algorithms return \(\perp \).
 (c)
Else, both decryption algorithms query the random oracles G and \(H'\) on input \(\delta ^*\) and output \(Dec_{G(\delta ^*)}^{sy}(c)\).
Hence, Pr\([1 \leftarrow Game\ 4] = \) Pr\([1 \leftarrow Game\ 5]\).
Note that \(Dec^{**}\) does not use the secret key of the asymmetric encryption scheme to decrypt the ciphertext. This will allow us below to make use of the one-way security of \(\varPi ^{asy}\) (this is only possible if the secret key is never used).
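The step "calculate all roots of the polynomial \(H' - d\)" is what lets \(Dec^{**}\) recover the candidate set S without sk. The following Python code (added here as an illustration; it is not from the paper) makes that concrete: it samples \(H'\) as a random polynomial of degree \(2q-1\) over GF(p), i.e., a 2q-wise independent function whose domain and range are the same set, and for a given d computes every \(\delta\) with \(H'(\delta) = d\) by root finding over GF(p): the gcd with \(X^p - X\) isolates the distinct roots, and random splitting with \((X+a)^{(p-1)/2} - 1\) separates them. The prime \(p = 2^{31}-1\) and \(q = 4\) are hypothetical toy parameters chosen so that the example runs instantly; the procedure is the general one and works for any odd prime p.

```python
# Root finding over GF(p) for the polynomial H' - d used by Dec** (Game 5).
# Added illustration, not the paper's code. p = 2^31 - 1 and q = 4 are
# hypothetical toy parameters. Polynomials are coefficient lists, low degree first.
import random


def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_sub(a, b, p):
    n = max(len(a), len(b))
    return _trim([((a[i] if i < len(a) else 0) - (b[i] if i < len(b) else 0)) % p
                  for i in range(n)])


def poly_mul(a, b, p):
    if not a or not b:
        return []
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return _trim(r)


def poly_divmod(a, b, p):
    """Long division over GF(p): returns (quotient, remainder) of a by b."""
    a, b = _trim(a[:]), _trim(b[:])
    inv = pow(b[-1], -1, p)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while a and len(a) >= len(b):
        coef = a[-1] * inv % p
        shift = len(a) - len(b)
        q[shift] = coef
        for i, y in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * y) % p
        _trim(a)
    return _trim(q), a


def poly_gcd(a, b, p):
    """Monic gcd over GF(p)."""
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    if a:
        inv = pow(a[-1], -1, p)
        a = [c * inv % p for c in a]
    return a


def poly_powmod(base, exp, mod, p):
    """base^exp modulo the polynomial mod, by square-and-multiply."""
    result, base = [1], poly_divmod(base, mod, p)[1]
    while exp:
        if exp & 1:
            result = poly_divmod(poly_mul(result, base, p), mod, p)[1]
        base = poly_divmod(poly_mul(base, base, p), mod, p)[1]
        exp >>= 1
    return result


def _split(g, p):
    """Roots of a monic product of distinct linear factors (random splitting)."""
    if len(g) <= 1:
        return []
    if len(g) == 2:
        return [(-g[0]) % p]
    while True:
        a = random.randrange(p)
        # gcd(g, (X + a)^((p-1)/2) - 1) keeps exactly the roots r with r + a a square
        h = poly_sub(poly_powmod([a, 1], (p - 1) // 2, g, p), [1], p)
        d = poly_gcd(h, g, p)
        if 1 < len(d) < len(g):
            return _split(d, p) + _split(poly_divmod(g, d, p)[0], p)


def roots(f, p):
    """All roots in GF(p) of f, for an odd prime p."""
    f = _trim(f[:])
    if len(f) <= 1:
        return []
    inv = pow(f[-1], -1, p)
    f = [c * inv % p for c in f]
    # gcd(X^p - X, f) is the product of (X - r) over the distinct roots r of f
    g = poly_gcd(poly_sub(poly_powmod([0, 1], p, f, p), [0, 1], p), f, p)
    return sorted(_split(g, p))


def eval_poly(f, x, p):
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc


def random_hprime(q, p, rng):
    """A random polynomial of degree 2q - 1: a 2q-wise independent H' on GF(p)."""
    coeffs = [rng.randrange(p) for _ in range(2 * q)]
    coeffs[-1] = coeffs[-1] or 1
    return coeffs


def candidates(hprime, d, p):
    """The set S of Dec**: every delta with H'(delta) = d, found without any trapdoor."""
    return roots(poly_sub(hprime, [d], p), p)


if __name__ == "__main__":
    P = (1 << 31) - 1
    rng = random.Random(2016)
    hp = random_hprime(4, P, rng)
    delta_star = rng.randrange(P)
    print(delta_star, candidates(hp, eval_poly(hp, delta_star, P), P))
```

Because \(H' - d\) has degree \(2q-1\), S has at most \(2q-1\) elements, which is why \(Dec^{**}\) can afford to test each candidate against the re-encryption condition \(e = Enc^{asy}_{pk}(\hat\delta; H(\hat\delta \Vert c))\).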
Note that the adversary \(A_0^H\) may be stopped before receiving the challenge query (that is, when \(i \le q_{0GH'}\)); in this case the adversary \(A_1^{H}\) measures the argument \(\tilde{\delta }\) of the i-th query to the random oracle \(G \times H'\) and outputs \([\tilde{\delta } = \delta ^{*}]\). If \(i > q_{0GH'}\), then the adversary \(A_1^{H}\) continues to run the adversary \(A_{hy}\) until the \((i - q_{0GH'})\)-th query to the random oracle \(G \times H'\), measures the argument \(\tilde{\delta }\) of that query, and outputs \([\tilde{\delta } = \delta ^{*}]\). Note that with these definitions we have \(P_A^1 = \Pr [1 \leftarrow Game\ 5]\) and \(P_A^2 = \Pr [1 \leftarrow Game\ 6]\), where \(P_A^1\) and \(P_A^2\) are as in the O2HA Lemma 2 for the random oracle H.
The next lemma shows that the success probabilities in Game 6 and Game 7 are negligible. We present the proof of the lemma in Sect. 4.
Lemma 6
4 Deferred Proofs
4.1 Proof of Lemma 4
Proof
We list all the possibilities that the adversary can use to differentiate between the two games. Suppose that the adversary sends the ciphertext (e, c, d). Note that if \(e \ne e^*\) or \(e^*\) is not defined, then the two decryption algorithms \(Dec^{hy}\) and \(Dec^*\) return the same output and nothing is left to show. Therefore we analyze the following cases where \(e^*\) is defined and \(e = e^*\).
 1.
\((e = e^*, c = c^*, d \ne d^*)\) or \((e = e^*, c \ne c^*, d \ne d^*)\): In these two cases, the two decryption algorithms return \(\perp \).
 2.
\((e = e^*, c \ne c^*, d = d^*)\): This means that \(Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c)) = Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert c^*))\). This is a collision in the sense of Lemma 3 since \(\delta ^*\) is chosen randomly and \(Enc^{asy}_{pk}(\delta ^{*}; H(\delta ^* \Vert \cdot ))\) has min-entropy \(\omega (\log (n))\). Therefore, it occurs with probability at most \(O\left( \frac{(q_H + q_{dec} + 1)^{9/5}}{2^{\omega (\log (n))/5}}\right) \).
 3.
\((e = e^*, c = c^*, d = d^*)\). This query never occurs.
4.2 Proof of Lemma 5
Proof
 1.
Run \(Gen^{asy}(1^n)\) to obtain (pk, sk).
 2.
Run the adversary \(A_{hy}(pk)\).
 3.
Use a \(2(q_H + q_{dec} + 1)\)-wise independent function, a \(2(q_G + q_{dec})\)-wise independent function, and a \(2(q_{H'} + q_{dec})\)-wise independent function to answer the queries submitted to the random oracles H, G and \(H'\), respectively.
 4.
Whenever \(A_{hy}\) outputs challenge messages \((m_0, m_1)\), do the following:
 (a)
Select \(b \xleftarrow {\$} \{0, 1\}\), \(r \xleftarrow {\$} \texttt {COIN}^{sy}\), \(\delta ^{*} \xleftarrow {\$} \texttt {MSP}^{asy}\), \({a}^{*} \xleftarrow {\$} \texttt {KSP}^{sy}\), \({d}^{*} \xleftarrow \$ \{0, 1\}^{n_1}\).
 (b)
Set \(c^{*} := Enc^{sy}_{{a}^{*}}(m_b; r)\) and \(e^{*} := Enc^{asy}_{pk}(\delta ^{*}; H({\delta }^* \Vert c^*))\).
 (c)
Send \((e^{*}, c^{*}, {d}^{*})\) to the adversary \(A_{hy}\).

 5.
Answer the random oracle queries and decryption queries as before.
 6.
When \(A_{hy}\) returns bit \(b^{\prime }\), output the same bit \(b'\).
It is obvious that \(\Pr [PrivK^{OT}_{A^{sy}, \varPi ^{sy}} = 1] = \varepsilon (n)\). Therefore, \(\varepsilon (n) \le 1/2 + \textsf {negl(n)}^{sy}\). \(\square \)
4.3 Proof of Lemma 6
As the proof for two games is similar we provide the instances for Game 7 in brackets \(\llbracket \dots \rrbracket \) wherever there is a difference.
Proof
 1.
Run the adversary \(A_{hy}(pk)\).
 2.
Use a \(2(q_H + q_{dec})\)-wise independent function, a \(2(q_G + q_{dec})\)-wise independent function, and a polynomial of degree \(2(q_{H'} + q_{dec}) - 1\) to answer the queries submitted to the random oracles H, G and \(H'\), respectively.
 3.
Answer the decryption queries using \(Dec^{**}\).
 4.
Whenever \(A_{hy}\) outputs challenge messages \((m_0, m_1)\), do the following:
 (a)
Select \(b \xleftarrow {\$} \{0, 1\}\), \(r \xleftarrow {\$} \texttt {COIN}^{sy}\), \({a}^{*} \xleftarrow {\$} \texttt {KSP}^{sy}\), \({d}^{*} \xleftarrow \$ \{0, 1\}^{n_1}\).
 (b)
Set \(c^{*} := Enc^{sy}_{{a}^{*}}(m_b; r)\) and \(e^{*} := y\).
 (c)
Send \((e^{*}, c^{*}, {d}^{*})\) to the adversary \(A_{hy}\).

 5.
Answer the random oracle queries as before and to the decryption queries using \(Dec^{**}\).
 6.
When \(A_{hy}\) returns bit \(b^{\prime }\) and halts, \(A^{asy}\) selects \(i\xleftarrow \$ \{ 1, \cdots , q_{o2h}\}\ \llbracket i\xleftarrow \$ \{ 1, \cdots , q_{1}\} \rrbracket \) and measures the argument \(\hat{\delta }\) of ith \(\llbracket \) \((i + q_0)\)th \(\rrbracket \) query to the random oracle \(G\times H'\ \llbracket H \rrbracket \) and outputs \(\hat{\delta }\) (When \(A_{hy}\) makes less than i queries output \(\perp \)).
It is obvious that Pr\([PubK^{OW}_{A^{asy}, \varPi ^{asy}} = 1] = \varepsilon (n)\). Therefore, \(\varepsilon (n) \le \textsf {negl(n)}^{asy}\). \(\square \)
5 A Variant of OAEP
The following definitions are similar to the definitions presented in [9], except we define them in the presence of a quantum adversary.
Definition 6
Definition 7
1. Gen: Specifies an instance of the injective function f and its inverse \(f^{-1}\). Therefore, the public key and secret key are f and \(f^{-1}\) respectively.
2. Enc: Given a message \(m \in \{0, 1\}^{n}\), the encryption algorithm computes
$$s := (m \Vert 0^{k_1}) \oplus G(r) \ \ \text {and} \ \ t := r \oplus H(s),$$
where \(r \xleftarrow \$ \{0, 1\}^{k_0}\), and outputs the ciphertext \((c, d) := \Big (f(s,t), H'(s\Vert t)\Big )\).
3. Dec: Given a ciphertext (c, d), the decryption algorithm does the following:
   - When \(c \notin {{\mathrm{Im}}}f\):
     (a) If \(c^*\) is defined (where \(c^*\) is the challenge ciphertext), then query the random oracle \(H'\) on input \((s^*\Vert t^*) \oplus 1\) (where \(f(s^*, t^*) = c^*\)) and return \(\perp \).
     (b) If \(c^*\) is not defined, then query the random oracle \(H'\) on a random input and return \(\perp \).
   - When \(c \in {{\mathrm{Im}}}f\), the decryption algorithm extracts \((s,t) = f^{-1}(c)\). If \(H'(s\Vert t) \ne d\) it returns \(\perp \), otherwise it does the following:
     (a) query the random oracle H on input s and compute \(r:= t \oplus H(s)\).
     (b) query the random oracle G on input r and compute \(M := s \oplus G(r)\).
     (c) if the \(k_1\) least significant bits of M are zero then return the n most significant bits of M, otherwise return \(\perp \).

Note that \(k_0\) and k depend on the security parameter n.
Note that Dec contains several unnecessary oracle calls (made after it has already decided to output \(\perp \)). These obviously do not affect correctness or security, but they make the proof a bit simpler to formulate.
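To make the Enc and Dec algorithms above concrete, here is an added Python example written for this page; it is not the paper's code nor any library's implementation. It assumes the random oracles G, H and \(H'\) are instantiated with domain-separated SHAKE256, and it replaces the injective function f by a clearly labelled placeholder bijection (a random mask plus byte reversal) that is not one-way and exists only so the encode/decode and tag-check logic can be exercised end to end. The byte sizes for n, \(k_0\), \(k_1\), \(n_1\) and the sample message are constructed. The dummy \(H'\) queries that Dec makes after deciding on \(\perp \) are a proof device and are omitted, since the text notes they do not affect correctness.

```python
"""Q-OAEP-style encode/decode as an added illustration (not the paper's code).

ASSUMPTIONS (hypothetical, for this example only):
  * G, H, H' are modelled by domain-separated SHAKE256.
  * f / f^{-1} is a PLACEHOLDER bijection that is NOT one-way; it only lets
    the (c, d) construction and the H' tag check be run end to end.
"""
import hashlib
import secrets

# Parameter sizes in bytes (constructed; the paper states them in bits).
N_BYTES = 16    # message length n
K0_BYTES = 16   # randomness length k_0
K1_BYTES = 16   # zero-padding length k_1
N1_BYTES = 32   # output length n_1 of H'


def _ro(label: bytes, data: bytes, out_len: int) -> bytes:
    """Domain-separated stand-in for a random oracle."""
    return hashlib.shake_256(label + data).digest(out_len)


def G(r: bytes) -> bytes:           # {0,1}^{k_0}         -> {0,1}^{n+k_1}
    return _ro(b"G", r, N_BYTES + K1_BYTES)


def H(s: bytes) -> bytes:           # {0,1}^{n+k_1}       -> {0,1}^{k_0}
    return _ro(b"H", s, K0_BYTES)


def H_prime(st: bytes) -> bytes:    # {0,1}^{n+k_0+k_1}   -> {0,1}^{n_1}
    return _ro(b"H'", st, N1_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- placeholder injective function f and its inverse (hypothetical) ----
def gen() -> tuple:
    """Gen: (pk, sk) = (f, f^{-1}); here both are the same random mask."""
    mask = secrets.token_bytes(N_BYTES + K0_BYTES + K1_BYTES)
    return mask, mask


def f(pk: bytes, s: bytes, t: bytes) -> bytes:
    # XOR with the mask, then reverse the byte order; trivially invertible.
    return xor(s + t, pk)[::-1]


def f_inv(sk: bytes, c: bytes) -> tuple:
    st = xor(c[::-1], sk)
    return st[:N_BYTES + K1_BYTES], st[N_BYTES + K1_BYTES:]


def in_image(c: bytes) -> bool:
    """c in Im f: the placeholder is a bijection on fixed-length strings,
    so the image test reduces to a length check."""
    return len(c) == N_BYTES + K0_BYTES + K1_BYTES


def encrypt(pk: bytes, m: bytes, r: bytes = None) -> tuple:
    """Enc: s := (m || 0^{k_1}) xor G(r), t := r xor H(s), (c, d)."""
    assert len(m) == N_BYTES
    if r is None:
        r = secrets.token_bytes(K0_BYTES)
    s = xor(m + bytes(K1_BYTES), G(r))
    t = xor(r, H(s))
    return f(pk, s, t), H_prime(s + t)


def decrypt(sk: bytes, c: bytes, d: bytes):
    """Dec: returns the message, or None for the reject symbol."""
    if not in_image(c):
        return None
    s, t = f_inv(sk, c)
    if H_prime(s + t) != d:             # tag check happens before H and G
        return None
    r = xor(t, H(s))
    M = xor(s, G(r))
    if M[N_BYTES:] != bytes(K1_BYTES):  # k_1 least significant bits must be 0
        return None
    return M[:N_BYTES]


def demo() -> dict:
    """Round trip plus three rejected ciphertexts (constructed inputs)."""
    pk, sk = gen()
    m = b"sixteen byte msg"
    c, d = encrypt(pk, m)
    bad_d = bytes([d[0] ^ 1]) + d[1:]   # flipped tag bit
    bad_c = bytes([c[0] ^ 1]) + c[1:]   # flipped ciphertext bit
    return {
        "roundtrip": decrypt(sk, c, d) == m,
        "tampered_tag": decrypt(sk, c, bad_d),
        "tampered_c": decrypt(sk, bad_c, d),
        "wrong_length": decrypt(sk, c[:-1], d),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes visible is the order of checks in Dec: the tag \(d = H'(s\Vert t)\) is verified before H or G is ever queried, so any modification of c or d is rejected without the decryptor touching the inner OAEP layers, which is exactly the structure the security proof relies on.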
Theorem 2
If the underlying injective function is quantum partial-domain one-way, then the Q-OAEP scheme is IND-CCA secure in the quantum random oracle model.
Proof
1. It calculates the roots of the polynomial \(H' - d\). Let S be the set of all the roots.
2. If there exists \((s,t) \in S\) such that \(f(s,t) = c\), then it outputs a message m computed from (s, t) as in the algorithm Dec. Otherwise it outputs \(\perp \).

1. If \(c \notin {{{\mathrm{Im}}}}\ f\), then both decryption algorithms return \(\perp \) with no query to the random oracle H.
2. If \(c \in {{\mathrm{Im}}}\ f\), let \((\hat{s}, \hat{t}):= f^{-1}(c)\). There are two subcases:
   - If \(H'(\hat{s}\Vert \hat{t}) \ne d\), then both algorithms return \(\perp \) with no query to the random oracle H.
   - If \(H'(\hat{s}\Vert \hat{t}) = d\), then both decryption algorithms return the same output and query H on input \(\hat{s}\), because \((\hat{s}, \hat{t}) \in S\) and \(f(\hat{s}, \hat{t})=c\).

1. It calculates the roots of the polynomial \(H' - d\). Let S be the set of all the roots.
2. If there exists \((s,t) \in S\) such that \(f(s,t) = c\), then it queries the random oracle \(H'\) on input \((s\Vert t)\) and outputs a message m computed from (s, t) as in the algorithm Dec.
3. Else:
   - If \(c^*\) is defined and \(c=c^*\), then query \(H'\) on input \((s^*\Vert t^*)\) and return \(\perp \).
   - If \(c^*\) is defined and \(c\ne c^*\), then query \(H'\) on input \((s^*\Vert t^*) \oplus 1\) and return \(\perp \).
   - If \(c^*\) is not defined, then query \(H'\) on a random input and return \(\perp \).

1. If \(c \notin {{\mathrm{Im}}}\ f\), then both decryption algorithms return \(\perp \) and query the random oracle \(H'\) on a random input or on input \((s^*\Vert t^*) \oplus 1\).
2. If \(c \in {{\mathrm{Im}}}\ f\) and \(c^*\) is defined, let \((\hat{s}, \hat{t}) := f^{-1}(c)\). Then:
   - If \(H'(\hat{s}\Vert \hat{t}) = d\), then both decryption algorithms return the same output and query \(H'\) on input \((\hat{s}\Vert \hat{t})\).
   - If \(H'(\hat{s}\Vert \hat{t}) \ne d\) and \(c \ne c^*\), then both algorithms return \(\perp \) and query the random oracle \(H'\) on an input different from \((s^*\Vert t^*)\).
   - If \(H'(\hat{s}\Vert \hat{t}) \ne d\) and \(c = c^*\), then both algorithms return \(\perp \) and query the random oracle \(H'\) on input \((s^*\Vert t^*)\).
3. If \(c \in {{\mathrm{Im}}}\ f\) and \(c^*\) is not defined, let \((\hat{s}, \hat{t}) := f^{-1}(c)\). Then:
   - If \(H'(\hat{s}\Vert \hat{t}) \ne d\), then both algorithms return \(\perp \) and query the random oracle \(H'\) on some input.
   - If \(H'(\hat{s}\Vert \hat{t}) = d\), then both decryption algorithms return the same output and query \(H'\) on input \((\hat{s}\Vert \hat{t})\).

Footnotes
1. This extra query is needed later to prove that Game 4 and Game 5 are identical.
2. For example, to respond to a query to the random oracle G with input register I and output register O, the adversary \(A^{G\times H'}\) prepares an additional register T (for the output of \(H'\)) in state \(|+\rangle ^{n_{1}}\) and invokes \(U_{G\times H'}\) on I, O, T. It is easy to verify that this leaves T unchanged and applies \(U_G\) to I, O. (This idea was already used in [18] to ignore part of the output of an oracle.)
Acknowledgments
This work was supported by the Estonian ICT program 2011-2015 (3.2.1201.130022), the European Union through the European Regional Development Fund through the sub-measure “Supporting the development of R&D of info and communication technology”, by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa, by the Estonian Centre of Excellence in Computer Science, EXCS.
References
1. Alagic, G., Broadbent, A., Fefferman, B., Gagliardoni, T., Schaffner, C., Jules, M.S.: Computational security of quantum encryption. IACR ePrint 2016/424, April 2016
2. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems (the hardness of quantum rewinding). In: FOCS 2014, pp. 474–483. IEEE, October 2014
3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, 3–5 November 1993, Fairfax, Virginia, USA, pp. 62–73. ACM (1993)
4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). doi: 10.1007/BFb0053428
5. Ben-Or, M.: Probabilistic algorithms in finite fields. In: 22nd Annual Symposium on Foundations of Computer Science, 28–30 October 1981, Nashville, Tennessee, USA, pp. 394–398. IEEE Computer Society (1981)
6. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_3
7. Boneh, D., Zhandry, M.: Secure signatures and chosen ciphertext security in a quantum computing world. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 361–379. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40084-1_21
8. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_34
9. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. J. Cryptology 17(2), 81–104 (2004)
10. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
11. Shoup, V.: OAEP reconsidered. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 239–259. Springer, Heidelberg (2001). doi: 10.1007/3-540-44647-8_15
12. Targhi, E.E., Tabia, G.N., Unruh, D.: Quantum collision-resistance of non-uniformly distributed functions. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 79–85. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-29360-8_6
13. Unruh, D.: Quantum position verification in the random oracle model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 1–18. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44381-1_1
14. Unruh, D.: Revocable quantum timed-release encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_8
15. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_25
16. Yuen, H.: A quantum lower bound for distinguishing random functions from random permutations. Quantum Inf. Comput. 14(13–14), 1089–1097 (2014)
17. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_44
18. Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7&8), 557–567 (2015)