Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model

Abstract

Key-encapsulation mechanisms secure against chosen ciphertext attacks (IND-CCA-secure KEMs) in the quantum random oracle model have been proposed by Boneh, Dagdelen, Fischlin, Lehmann, Schafner, and Zhandry (CRYPTO 2012), Targhi and Unruh (TCC 2016-B), and Hofheinz, Hövelmanns, and Kiltz (TCC 2017). However, all are non-tight and, in particular, security levels of the schemes obtained by these constructions are less than half of original security levels of their building blocks.

In this paper, we give a conversion that tightly converts a weakly secure public-key encryption scheme into an IND-CCA-secure KEM in the quantum random oracle model. More precisely, we define a new security notion for deterministic public key encryption (DPKE) called the disjoint simulatability, and we propose a way to convert a disjoint simulatable DPKE scheme into an IND-CCA-secure key-encapsulation mechanism scheme without incurring a significant security degradation. In addition, we give DPKE schemes whose disjoint simulatability is tightly reduced to post-quantum assumptions. As a result, we obtain IND-CCA-secure KEMs tightly reduced to various post-quantum assumptions in the quantum random oracle model.

1 Introduction

1.1 Background

Indistinguishability against chosen ciphertext attacks (\({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)-security) is considered to be a de facto standard security notion of a public key encryption (PKE) and a key encapsulation mechanism (KEM). For constructing efficient \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)-secure PKEs and KEMs, an idealized model called the random oracle model (ROM) [BR93] is often used. In the ROM, a hash function is idealized to be a publicly accessible oracle that simulates a truly random function. There are many known generic constructions of efficient \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)-secure PKE/KEM in the ROM; Bellare-Rogaway (BR) [BR93], OAEP [BR95, FOPS04], REACT [OP01], GEM [CHJ+02], Fujisaki-Okamoto (FO) [FO99, FO13], etc. KEM variants of these constructions were studied by Dent [Den03], which is summarized in Fig. 10 in Sect. B.

Quantum Random Oracle Model. Though the ROM has been widely used to heuristically analyze security of cryptographic primitives, Boneh et al. [BDF+11] pointed out that the ROM is rather problematic when considering a quantum adversary. The problem is that in the ROM, an adversary is only given a classical access to a random oracle. Since a random oracle is an idealization of a real hash function, a quantum adversary should be able to quantumly compute it. On the basis of this observation, they proposed a new model called the quantum random oracle model (QROM) where an adversary can quantumly access a random oracle. Since many techniques used in the ROM including adaptive programmability or extractability cannot be directly translated into the ones in the QROM, proving security in the QROM often requires different techniques from proofs in the ROM (see [BDF+11] for more details). Nonetheless, some above mentioned IND-CCA-secure PKE/KEMs in the ROM (and their variants) can be shown to also be secure in the QROM: Boneh et al. [BDF+11] proved that a variant of Bellare-Rogaway is IND-CCA-secure in the QROM. Targhi and Unruh [TU16] proposed variants of the Fujisaki-Okamoto and OAEP and proved that they are IND-CCA-secure in the QROM.

Tight Security. When proving the security of a primitive P under the hardness of a problem S, we usually construct a reduction algorithm \(\mathcal {R}\) that uses an adversary \(\mathcal {A}\) against the security of P as a subroutine and solves the problem S. Let \((T,\epsilon )\) and \((T',\epsilon ')\) denote running times and success probabilities of \(\mathcal {A}\) and \(\mathcal {R}\), respectively. We say that a reduction is tight if we have \(T' \approx T\) and \(\epsilon ' \approx \epsilon \). Tight security is desirable since it ensures that breaking the security of P is as hard as solving an underlying hard problem S. Conversely, if a security reduction is non-tight, we cannot immediately conclude that breaking the security of a primitive P is hard even if an underlying problem S is hard. For example, Menezes [Men12] shows an example of a provably secure primitive with non-tight security that is insecure with a realistic parameter setting. Therefore, tight security is important to ensure the real security of a primitive.

From that perspective, the above mentioned IND-CCA-secure PKE/KEMs in the QROM do not serve as satisfactory solutions for constructing post-quantum IND-CCA-secure PKE/KEMs because they are non-tight. To clarify this, we give more details on these results below, where \((T,\epsilon )\) and \((T',\epsilon ')\) denote running times and success probabilities of an adversary and a reduction algorithm, respectively, \(q_{\mathsf {H}}\) denotes the number of random oracle queries, and \(t_{\mathsf {RO}}\) denotes the time needed to simulate one evaluation of a random oracle (for further explanation of \(t_{\mathsf {RO}}\), see Subsect. 2.2).

• Boneh et al. [BDF+11] proved that a KEM variant of Bellare-Rogaway based on a one-way trapdoor function is IND-CCA-secure in the QROM.¹ According to their security proof, we have \(T' \approx T+q_{\mathsf {H}}\cdot t_{F}+(q_{\mathsf {H}}+q_{\mathsf {Dec}})\cdot t_{\mathsf {RO}} \) and \(\epsilon '\approx \epsilon ^2/q_{\mathsf {H}}^2\) where \(t_{F}\) denotes the time needed for evaluating an underlying one-way trapdoor function and \(q_{\mathsf {Dec}}\) denotes the number of decryption queries.

• Targhi and Unruh [TU16] proposed a variant of Fujisaki-Okamoto and proved that their construction is secure in the QROM assuming OW-CPA security of an underlying PKE scheme. According to their security proof, we have \(T'\ge T+O(q^2_{\mathsf {H}}) \) and \(\epsilon ' \approx \epsilon ^4/q_{\mathsf {H}}^6\). We note that Hofheinz et al. [HHK17] subsequently gave a modular analysis for the conversion but did not improve the tightness.

• Targhi and Unruh [TU16] proposed a variant of OAEP and proved that their construction is secure in the QROM assuming a partial domain one-way function. According to their security proof, we have \(T'\ge T+O(q^2_{\mathsf {H}})\) and \(\epsilon ' \approx \epsilon ^8/\mathsf {poly}(q_{\mathsf {H}})\).

As seen above, known constructions of IND-CCA-secure PKE/KEMs in the QROM incur at least quadratic security loss, and their security degrades rapidly as \(q_{\mathsf {H}}\) grows. For example, in the Bellare-Rogaway KEM, if we start from a trapdoor function with 128-bit security (i.e., \(\epsilon '=2^{-128}\)) and set \(q_{\mathsf {H}}=2^{60}\), then the bound given by Boneh et al. [BDF+11] only ensures 4-bit security (i.e., \(\epsilon =2^{-4}\)) for a resulting KEM. Conversely, if we want to ensure 128-bit security (i.e., \(\epsilon =2^{-128}\)) for a resulting KEM, we have to start from a trapdoor function with 376-bit security (\(\epsilon '=2^{-376}\)) which incurs significant blowup of parameters. The other two constructions are even worse in regard to tightness. Therefore, to obtain an efficient construction of post-quantum IND-CCA-secure PKE/KEM, we need a construction with tighter security reduction that does not incur a quadratic security loss.

Fig. 1.

Transformations among PKE, DPKE and KEM in the QROM: D-LWE and S-LWE denote the decisional and search learning-with-errors assumptions; P-LWE denotes the polynomial-LWE assumption; DSPR denotes the decisional small polynomial ratio assumption; LPN denotes the learning-parity-with-noise assumption; McEliece KI and Niederreiter KI denote the McEliece-key-indistinguishability and Niederreiter-key-indistinguishability assumptions, respectively; NTRU OW, McEliece OW, and Niederreiter OW denote onewayness of the NTRU, McEliece encryption, and Niederreiter encryption, respectively; OW-CPA, OW-PCA, IND-CPA, and IND-CCA denote onewayness under chosen-plaintext attacks, onewayness under plaintext-checking attacks, indistinguishability under chosen-plaintext attacks, and indistinguishability under chosen-ciphertext attacks, respectively; SPR denotes the sparse pseudorandomness; and DS denotes the disjoint simulatability. Solid arrows indicate quantum tight reductions, dashed arrows indicate quantum non-tight reductions, thin arrows indicate existing reductions, thick arrows indicate our new reductions, and gray arrows indicate trivial implications.

1.2 Our Contributions

In this paper, we give a construction of an \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)-secure KEM based on a deterministic PKE (DPKE) scheme that satisfies a newly introduced security notion that we call the disjoint simulatability. Our security reduction is much tighter than those of existing constructions of \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)-secure PKE schemes and does not incur quadratic security loss. By using the same notations as in the previous subsection, we have \(T'\approx T+q_{\mathsf {H}}\cdot t_{\mathsf {Enc}} +(q_{\mathsf {H}}+q_{\mathsf {Dec}})\cdot t_{\mathsf {RO}} \) and \(\epsilon '\approx \epsilon \) where \(t_{\mathsf {Enc}}\) denotes a time needed for encryption of an underlying DPKE scheme. We note that \(t_{\mathsf {Enc}}\) is a fixed polynomial of the security parameter, and thus we believe that this blowup is much less significant than the quadratic (or quartic/octic) blowup for \(\epsilon \) as in the previous constructions.

Moreover, we construct some DPKE schemes whose disjoint simulatabilities are tightly reduced to some post-quantum assumptions like learning with errors (LWE) and some other assumptions related to NTRU, the McEliece PKE, and the Niederreiter PKE. As a result, we obtain the first IND-CCA-secure KEMs that do not incur a quadratic security loss in the QROM based on these assumptions. We also construct a disjoint simulatable DPKE scheme from any IND-CPA-secure PKE scheme on an exponentially large message space with quadratic security loss. This gives a construction of an IND-CCA-secure KEM based on an IND-CPA-secure PKE scheme on an exponentially large message space with quadratic (rather than quartic as in previous works) security loss. Our results are summarized in Fig. 1.

We implement an instantiation based on NTRU-HRSS [HRSS17] on a desktop PC and a RasPi. Assuming that NTRU-HRSS is disjoint simulatable, the obtained KEM is CCA secure in the QROM. See Sect. 5.

1.3 Technical Overview

Here, we give a technical overview of our results.

Disjoint Simulatability and Sparse Pseudorandomness. Let \(\mathcal {D}_{\!\mathcal {M}}\) be a distribution over a message space \(\mathcal {M}\). We say that a DPKE scheme is \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatable if a ciphertext of a message that is distributed according to \(\mathcal {D}_{\!\mathcal {M}}\) can be simulated by a simulator that does not know a message, and simulated ciphertext is invalid (i.e., out of the range of an encryption algorithm) with overwhelming probability. For an intermediate step to construct a disjoint simulatable DPKE scheme, we consider another security notion that we call sparse pseudorandomness and show that this is a sufficient condition for disjoint simulatability. We say that a DPKE scheme is \(\mathcal {D}_{\!\mathcal {M}}\)-sparse pseudorandom if a ciphertext of a message that is distributed according to \(\mathcal {D}_{\!\mathcal {M}}\) is pseudorandom and the range of an encryption algorithm is sparse in a ciphertext space. The \(\mathcal {D}_{\!\mathcal {M}}\)-sparse pseudorandomness implies the \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatability because if the sparse pseudorandomness is satisfied, then a simulator that simply outputs a random element of a ciphertext space suffices for the disjoint simulatability².

Instantiations of Disjoint Simulatable DPKE. We construct DPKE schemes based on the concepts of the Gentry–Peikert–Vaikuntanathan (GPV) trapdoor function for LWE [GPV08], NTRU [HPS98], the McEliece PKE [McE78], and the Niederreiter PKE [Nie86] and prove that they are sparse pseudorandom (and thus disjoint simulatable) w.r.t. a certain message distribution under the LWE assumption, or other related assumptions to an underlying PKE scheme. Moreover, the reductions are tight. See Subsect. 3.3 for details of instantiations from concrete assumptions

We also construct a disjoint simulatable DPKE scheme based on any IND-CPA-secure PKE scheme with an exponentially large message space in the QROM. Unfortunately, this reduction is not tight and incurs a square security loss. See Subsect. 3.4 for details.

Previous Construction: BR-KEM. Before describing our construction, we review the construction and security proof of the Bellare-Rogaway KEM (), which was proven IND-CCA-secure in the QROM by Boneh et al. [BDF+11] because our construction is based on their idea. is a construction of an IND-CCA-secure KEM based on a one-way trapdoor function with an efficiently recognizable range³. For compatibility with ours, we treat a one-way trapdoor function as a perfectly correct OW-CPA-secure DPKE scheme by considering a function and an inversion to be an encryption and a decryption, respectively. Let \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) denote algorithms of an underlying DPKE scheme. Then is described as follows:

• \(\mathsf {Gen}_{\mathsf {BR}}\) is exactly the same as \(\mathsf {Gen}\).

• \(\mathsf {Enc}_{\mathsf {BR}}\), given a public key \( ek \) as an input, chooses a randomness m from a message space uniformly at random, computes a ciphertext \(C:=\mathsf {Enc}( ek , m)\) and a key \(K:=\mathsf {H}(m)\) where \(\mathsf {H}\) is a hash function modeled as a random oracle, and outputs (C, K).

• \(\mathsf {Dec}_{\mathsf {BR}}\), given a ciphertext C and a decryption key \( dk \) as an input, checks if C is in the valid ciphertext space and returns \(\bot \) if not. Otherwise it computes \(K:=\mathsf {H}(\mathsf {Dec}( dk ,C))\) and returns K.

In the security proof in the QROM, we first replace a random oracle \(\mathsf {H}\) with \(\mathsf {H}_{q}\circ \mathsf {Enc}( ek ,)\) where \(\mathsf {H}_{q}\) is another random oracle that is not given to an adversary. Since \(\mathsf {Enc}( ek ,\cdot )\) is injective due to its perfect correctness, \(\mathsf {H}_{q} \circ \, \mathsf {Enc}( ek ,\cdot )\) still works as a random oracle from the view of an adversary. After this replacement, we notice that a decryption oracle can be simulated by using \(\mathsf {H}_{q}\) without the help of a decryption key because we have \(\mathsf {H}(\mathsf {Dec}( dk ,c))=\mathsf {H}_{q}\circ \,\mathsf {Enc}( ek ,\mathsf {Dec}( dk ,c))=\mathsf {H}_q(c)\). For proving IND-CCA security, we have to prove that \(\mathsf {H}_q(c^*)\) is pseudorandom from the view of an adversary. If we were in a classical world, then this could be proven quite easily: the only way for an adversary to obtain any information of \(\mathsf {H}_q(c^*)\) is to query \(m^*\) such that \(c^*=\mathsf {Enc}( ek ,m^*)\), in which case the adversary breaks the OW-CPA security of an underlying DPKE scheme. In a quantum world, things do not go as easily because even if an adversary queries a quantum state whose magnitude on \(m^*\) is large, a reduction algorithm cannot notice that immediately. Nonetheless, by using the One-Way to Hiding (OW2H) lemma proven by Unruh [Unr15] (Lemma 2.1), we can show that the advantage for an adversary to distinguish \(\mathsf {H}_q(c^*)\) from a truly random string is at most a square root of the probability that measurement of a randomly chosen adversary’s query to \(\mathsf {H}\) is equal to \(m^*\). Hence, we can reduce the IND-CCA security of to the OW-CPA security of the underlying DPKE scheme with a quadratic security loss. On the other hand, to avoid the quadratic security loss, it seems that we have to avoid the usage of the OW2H lemma because the lemma inherently incurs a quadratic security loss.

Our Conversion, . In the above proof, we used the fact that the only way for an adversary to obtain any information of \(\mathsf {H}_q(c^*)\) is to query \(m^*\) to \(\mathsf {H}\) such that \(c^*=\mathsf {Enc}( ek ,m^*)\). Our key idea is based on the observation that if such \(m^*\) does not exist, i.e., \(c^*\) is out of the range of \(\mathsf {Enc}( ek ,\cdot )\), then it is information-theoretically impossible for an adversary to obtain any information of \(\mathsf {H}_q(c^*)\). Indeed, though \(c^*\) is in the range of \(\mathsf {Enc}( ek ,\cdot )\) in the real game, if we choose an encryption randomness m according to a distribution \(\mathcal {D}_{\!\mathcal {M}}\), then we can replace \(c^*\) with a simulated ciphertext that is out of the range of \(\mathsf {Enc}( ek ,\cdot )\) by using the \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatability. After replacing \(c^*\) with a simulated one, we can information-theoretically bound an adversary’s advantage and need not use the OW2H lemma. This seems to simply resolve the problem, and we obtain an IND-CCA-secure KEM without a quadratic security loss. However, another problem arises here: a valid ciphertext space of a disjoint simulatable DPKE scheme is inherently not efficiently recognizable (otherwise real and simulated ciphertexts are easy to distinguish), whereas the simulation of decryption algorithm has to first verify if a given ciphertext is valid or not. To resolve the problem, we modify the decryption algorithm so that if a ciphertext is invalid, then it returns a random value rather than \(\bot \). In the security proof of , a decryption oracle is simulated just by evaluating a random oracle \(\mathsf {H}_q\) for a ciphertext, and this enables a reduction algorithm to simulate a decryption oracle for both valid and invalid ciphertexts even though it cannot determine if a given ciphertext is valid. Hence, we can reduce the IND-CCA-security of the resulting KEM without using the OW2H lemma and thus without a quadratic security loss.

Curiously, this conversion is essentially the same as \(\mathsf {U}_m^{\not \bot }\) in [HHK17]. This means that we can remove an “additional” hash from \(\mathsf {QU}_m^{\not \bot }\) assuming a stronger underlying DPKE in the QROM. In addition, this means that the obtained KEM is tightly secure assuming that the underlying DPKE is \({ \textsc {OW}}\hbox {-}{ \textsc {CPA}}\) secure in the ROM as shown in [HHK17].

1.4 Related Work

In a concurrent and independent work, Jiang, Zhang, Chen, Wang, and Ma [JZC+17] proposed two new constructions of an IND-CCA-secure KEM based on a OW-CPA-secure PKE scheme with quadratic security loss. However, both constructions incur quadratic security loss.

2 Preliminaries

2.1 Notation

A security parameter is denoted by \(\kappa \). We use the standard O-notations: O, \(\Theta \), \(\Omega \), and \(\omega \). DPT and PPT stand for deterministic polynomial time and probabilistic polynomial time. A function \(f(\kappa )\) is said to be negligible if \(f(\kappa ) = \kappa ^{-\omega (1)}\). We denote a set of negligible functions by \(\mathsf {negl}(\kappa )\). For two finite sets \(\mathcal {X}\) and \(\mathcal {Y}\), \(\mathrm {Map}(\mathcal {X},\mathcal {Y})\) denote a set of all functions whose domain is \(\mathcal {X}\) and codomain is \(\mathcal {Y}\).

For a distribution \(\chi \), we often write “\(x \leftarrow \chi \),” which indicates that we take a sample x from \(\chi \). For a finite set S, U(S) denotes the uniform distribution over S. We often write “\(x \leftarrow S\)” instead of “\(x \leftarrow U(S)\).” For a set S and a deterministic algorithm \(\mathsf {A}\), \(\mathsf {A}(S)\) denotes the set \(\{\mathsf {A}(x) \mid x \in S\}\).

If \(\mathsf {inp}\) is a string, then “\(\mathsf {out} \leftarrow \mathsf {A}(\mathsf {inp})\)” denotes the output of algorithm \(\mathsf {A}\) when run on input \(\mathsf {inp}\). If \(\mathsf {A}\) is deterministic, then \(\mathsf {out}\) is a fixed value and we write “\(\mathsf {out} := \mathsf {A}(\mathsf {inp})\).” We also use the notation “\(\mathsf {out} := \mathsf {A}(\mathsf {inp};r)\)” to make the randomness r explicit.

For the Boolean statement P, \(\mathsf {boole}(P)\) denotes the bit that is 1 if P is true, and 0 otherwise. For example, \(\mathsf {boole}(b' \mathbin {{\mathop {=}\limits ^{?}}}b)\) is 1 if and only if \(b' = b\).

2.2 Quantum Computation

We refer to [NC00] for basic of quantum computation.

Quantum Random Oracle Model. Roughly speaking, the quantum random oracle model (QROM) is an idealized model where a hash function is modeled as a publicly and quantumly accessible random oracle. See [BDF+11] for a more detailed description of the model.

Lemmas. We review some useful lemmas regarding the quantum random oracles. The first one is called the oneway-to-hiding (OW2H) lemma, which is proven by Unruh [Unr15, Lemma 6.2]. Roughly speaking, the lemma states that if any quantum adversary issuing at most q queries to a quantum random oracle \(\mathsf {H}\) can distinguish \((x,\mathsf {H}(x))\) from (x, y), where y is chosen uniformly at random, then we can find x by measuring one of the adversary’s queries even it causes a quadratic security loss. The lemma of the following form is taken from [HHK17].

Lemma 2.1

(Algorithmic Oneway to Hiding [Unr15, HHK17]). Let \(\mathsf {H}: \mathcal {X} \rightarrow \mathcal {Y}\) be a quantum random oracle, and let \(\mathcal {A}\) be an adversary issuing at most q queries to \(\mathsf {H}\) that on input \((x,y) \in \mathcal {X} \times \mathcal {Y}\) outputs either 0 / 1. For all (probabilistic) algorithms \(\mathsf {F}\) whose input space is \(\mathcal {X} \times \mathcal {Y}\) and which do not make any hash queries to \(\mathsf {H}\), we have

$$\begin{aligned}&\left|\begin{array}{l} \Pr [\mathcal {A}^{\mathsf {H}}(\mathrm {inp}) \rightarrow 1 \mid x \leftarrow \mathcal {X}; \mathrm {inp}\leftarrow \mathsf {F}(x,\mathsf {H}(x))] \\ ~~~-\Pr [\mathcal {A}^{\mathsf {H}}(\mathrm {inp}) \rightarrow 1 \mid (x,y) \leftarrow \mathcal {X} \times \mathcal {Y}; \mathrm {inp}\leftarrow \mathsf {F}(x,y)] \end{array} \right|\\&\qquad \le 2 q \cdot \sqrt{\Pr [\mathsf {EXT}^{\mathcal {A},\mathsf {H}}(\mathrm {inp}) \rightarrow x \mid (x,y) \leftarrow \mathcal {X} \times \mathcal {Y}; \mathrm {inp}\leftarrow \mathsf {F}(x,y)]}, \end{aligned}$$

where \(\mathsf {EXT}\) picks \(i \leftarrow \{1,\dots ,q\}\), runs \(\mathcal {A}^{\mathsf {H}}(\mathrm {inp})\) until i-th query to \(\mathsf {H}\), and returns (when \(\mathcal {A}\) makes fewer than i queries, \(\mathsf {EXT}\) outputs \(\bot \not \in \mathcal {X}\)).

(Unruh’s original statement is recovered by letting \(\mathsf {F}\) be an identity function.)

The second one claims that a random oracle can be used as a pseudorandom function even in the quantum setting.

Lemma 2.2

Let \(\ell \) be an integer. Let \(\mathsf {H}:\{0,1\}^{\ell }\times \mathcal {X}\rightarrow \mathcal {Y}\) and \(\mathsf {H}':\mathcal {X}\rightarrow \mathcal {Y}\) be two independent random oracles. If an unbounded time quantum adversary \(\mathcal {A}\) makes a query to \(\mathsf {H}\) at most \(q_{\mathsf {H}}\) times, then we have

$$\left| \Pr [\mathcal {A}^{\mathsf {H},\mathsf {H}(s,\cdot )}() \rightarrow 1 \mid s\leftarrow \{0,1\}^{\ell }] -\Pr [\mathcal {A}^{\mathsf {H},\mathsf {H}'}() \rightarrow 1] \right| \le q_{\mathsf {H}}\cdot 2^{\frac{-\ell +1}{2}}$$

where all oracle accesses of \(\mathcal {A}\) can be quantum.

Though this seems to be a folklore, we give a proof of this lemma in Sect. C for completeness.⁴

Simulation of Random Oracle. In the original quantum random oracle model introduced by Boneh et al. [BDF+11], they do not allow a reduction algorithm to access a random oracle, so it has to simulate a random oracle by itself. In contrast, in this paper, we give a random oracle access to a reduction algorithm. We remark that this is just a convention and not a modification of the model since we can simulate a random oracle against quantum adversaries in several ways.

1. 1.

   The first way is a simulation by a 2q-wise independent hash function, where q denotes the number of random oracle queries by an adversary, as introduced by Zhandry [Zha12b]. The simulation is perfect, that is, no adversary can distinguish the real QRO from the simulated one. A drawback of this simulation is a \(O(q^2)\) blowup for a running time of a reduction algorithm since it has to compute a 2q-wise independent hash function for each random oracle query.

2. 2.

   The second way is a simulation by a quantumly secure PRF as used in [BDF+11]. If we use this simulation, then the blowup of a running time of a reduction algorithm is \(O(q\cdot t_{\mathsf {PRF}})\) where \(t_{\mathsf {PRF}}\) is the time needed for evaluating a PRF, which is usually much smaller than \(O(q^2)\). However, we have to additionally assume the existence of a quantumly secure PRF, which is known to exist if a quantumly secure one-way function exists [Zha12a].

3. 3.

   The third way is a simulation by a real hash function like SHA-2 and to think that this is a “random oracle.” Since we adopt the QROM, we idealize a real hash function as a random oracle in the construction of primitives. Thus, it may be natural to assume the same thing even in a reduction, that is, the reduction algorithm implements the random oracle by a concrete hash function. If we use this simulation, then the blowup of a running time of a reduction algorithm is \(O(q \cdot t_{\mathsf {hash}})\) where \(t_{\mathsf {hash}}\) denotes a time to evaluate a hash function. This gives a tightest reduction at the expense of additional idealization of a hash function. We note that a similar convention is also used by Kiltz et al. [KLS17].

   We finally note that this way strengthens the assumption, that is, we need to assume that some problem is hard in the QROM.

We use \(t_{\mathsf {RO}}\) to denote a time needed to simulate a random oracle. We have \(t_{\mathsf {RO}} = O(q)\), \(t_{\mathsf {PRF}}\), or \(t_{\mathsf {hash}}\), if we use the first, second, or third way, respectively. We note that in the proof of quantum variants of Fujisaki-Okamoto and OAEP [TU16, HHK17], we have to simulate a random oracle in the 1st way, because a simulator has to “invert” a random oracle in a simulation.

2.3 Public-Key Encryption

The model for PKE schemes is summarized as follows:

Definition 2.1

A PKE scheme \(\mathsf {PKE}\) consists of the following triple of polynomial-time algorithms \((\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\).

• \(\mathsf {Gen}(1^{\kappa };r_g) \rightarrow ( ek , dk )\): a key-generation algorithm that on input \(1^\kappa \), where \(\kappa \) is the security parameter, outputs a pair of keys \(( ek , dk )\). \( ek \) and \( dk \) are called the encryption key and decryption key, respectively.

• \(\mathsf {Enc}( ek ,m;r_e) \rightarrow c\): an encryption algorithm that takes as input encryption key \( ek \) and message \(m \in \mathcal {M}\) and outputs ciphertext \(c \in \mathcal {C}\).

• \(\mathsf {Dec}( dk ,c) \rightarrow m/\bot \): a decryption algorithm that takes as input decryption key \( dk \) and ciphertext c and outputs message \(m \in \mathcal {M}\) or a rejection symbol \(\bot \not \in \mathcal {M}\).

Definition 2.2

We say a PKE scheme \(\mathsf {PKE}\) is deterministic if \(\mathsf {Enc}\) is deterministic. DPKE stands for deterministic public key encryption.

Definition 2.3

(Correctness). We say \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) has perfect correctness if for any \(( ek , dk )\) generated by \(\mathsf {Gen}\) and for any \(m \in \mathcal {M}\), we have that

$$ \Pr [\mathsf {Dec}( dk ,c) = m \mid c \leftarrow \mathsf {Enc}( ek ,m)] = 1. $$

An additional property, \(\gamma \)-spread, is in Sect. A

Security: Here, we define onewayness under chosen-plaintext attacks (OW-CPA), indistinguishability under chosen-plaintext attacks (IND-CPA), and indistinguishability under chosen-ciphertext attacks (IND-CCA) for a PKE.

Definition 2.4

(Security notions for PKE). For any adversary \(\mathcal {A}\), we define its \({ \textsc {OW}}\hbox {-}{ \textsc {CPA}}\), \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\), and \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\) advantages against a PKE scheme \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) as follows:

where , , and are experiments described in Fig. 2. For \({ \textsc {GOAL}}\hbox {-}{ \textsc {ATK}} \in \{{ \textsc {OW}}\hbox {-}{ \textsc {CPA}}, { \textsc {IND}}\hbox {-}{ \textsc {CPA}}, { \textsc {IND}}\hbox {-}{ \textsc {CCA}}\}\), we say that \(\mathsf {PKE}\) is GOAL-ATK-secure if is negligible for any PPT adversary \(\mathcal {A}\).

Additional definitions are in Sect. A

Fig. 2.

Games for PKE schemes

2.4 Key Encapsulation

The model for KEM schemes is summarized as follows:

Definition 2.5

A KEM scheme \(\mathsf {KEM}\) consists of the following triple of polynomial-time algorithms \((\mathsf {Gen}, \mathsf {Encaps}, \mathsf {Decaps})\):

• \(\mathsf {Gen}(1^{\kappa };r_g) \rightarrow ( ek , dk )\): a key-generation algorithm that on input \(1^\kappa \), where \(\kappa \) is the security parameter, outputs a pair of keys \(( ek , dk )\). \( ek \) and \( dk \) are called the encapsulation key and decapsulation key, respectively.

• \(\mathsf {Encaps}( ek ;r_e) \rightarrow (c,K)\): an encapsulation algorithm that takes as input encapsulation key \( ek \) and outputs ciphertext \(c \in \mathcal {C}\) and key \(K \in \mathcal {K}\).

• \(\mathsf {Decaps}( dk ,c) \rightarrow K/\bot \): a decapsulation algorithm that takes as input decapsulation key \( dk \) and ciphertext c and outputs key K or a rejection symbol \(\bot \not \in \mathcal {K}\).

Definition 2.6

(Correctness). We say \(\mathsf {KEM}= (\mathsf {Gen},\mathsf {Encaps},\mathsf {Decaps})\) has perfect correctness if for any \(( ek , dk )\) generated by \(\mathsf {Gen}\), we have that

$$ \Pr [\mathsf {Decaps}( dk ,c) = K : (c,K) \leftarrow \mathsf {Encaps}( ek )] = 1. $$

Security: We define indistinguishability under chosen-plaintext and chosen-ciphertext attacks (denoted by \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\) and \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)) for KEM, respectively.

Definition 2.7

For any adversary \(\mathcal {A}\), we define its \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\) and \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\) advantages against a KEM scheme \(\mathsf {KEM}= (\mathsf {Gen},\mathsf {Encaps},\mathsf {Decaps})\) as follows:

where and are experiments described in Fig. 3.

Fig. 3.

Games for KEM schemes

For \({ \textsc {ATK}} \in \{{ \textsc {CPA}}, { \textsc {CCA}}\}\), we say that \(\mathsf {KEM}\) is IND-ATK-secure if is negligible for any PPT adversary \(\mathcal {A}\).

2.5 eXtendable-Output Functions

An eXtendable-Output Function (XOF) is a function on input bit strings in which the output can be extended to an arbitrary desired length. An XOF is denoted by \(\mathsf {XOF}(X,L)\), where X is the input bit string and L is the desired output length. We modeled the XOF as a quantumly-accessible random oracle. We employ SHAKE256, standardized as an XOF by NIST [NIS15].

2.6 Assumptions

Preliminaries: Let \(\rho _{s}(x) = \exp (-\pi \Vert x\Vert ^2/s^2)\) for \(x \in \mathbb {R}^n\) be a Gaussian function scaled by a factor s. For any real \(s > 0\) and lattice \(\Lambda \), we define the discrete Gaussian distribution \(D_{\Lambda ,s}\) over \(\Lambda \) with parameter s by

$$ D_{\Lambda , s}(x) = \rho _{s}(x)/\rho _s(\Lambda ) \text { for } x \in \Lambda , $$

where \(\rho _s(\Lambda ) = \sum _{x \in \Lambda } \rho _s(x)\). The following norm bound is useful.

Lemma 2.3

(Adapted version of [MR07, Lemma 4.4]). For \(\sigma = \omega (\sqrt{\log (n)})\), it holds that

$$ \mathop {\Pr }\limits _{e \leftarrow D_{\mathbb {Z}^n,\sigma }}[ \Vert e \Vert > \sigma \sqrt{n}] \le 2^{-n+1}. $$

LWE and its variants: We review the assumptions for lattice-based PKEs. The most basic one is the learning-with-errors (LWE) assumption [Reg09], which is a generalized version of the learning-parity-with-noise assumption [BFKL93, KSS10].

Definition 2.8

(LWE assumption in matrix form). For all \(\kappa \), let \(n = n(\kappa )\) and \(q = q(\kappa )\) be integers and let \(\chi \) be a distribution over \(\mathbb {Z}\).

The decisional learning-with-errors (LWE) assumption \(\mathsf {LWE}_{n,q}\) states that, for any \(m = \mathsf {poly}(\kappa )\),

the following two distributions are computationally hard to distinguish:

• \(A, sA + e\), where \(A \leftarrow \mathbb {Z}_q^{n \times m}\), \(s \leftarrow \mathbb {Z}_q^n\), and \(e \leftarrow \chi ^m\)

• A, u, where \(A \leftarrow \mathbb {Z}_q^{n\times m}\) and \(u \leftarrow \mathbb {Z}_q^m\).

We also review its polynomial version [LPR10, BV11]. We here use the Hermite-normal form of the assumption [ACPS09, LPR10, BV11], where secret s is chosen from the noise distribution.

Definition 2.9

(Poly-LWE assumption – Hermite normal form). For all \(\kappa \), let \(\Phi (x) = \Phi _\kappa (x) \in \mathbb {Z}[x]\) be a polynomial of degree \(n = n(\kappa )\), let \(q = q(\kappa )\) be an integer, let \(R := \mathbb {Z}[x]/(\Phi (x))\) and \(R_q := \mathbb {Z}_q[x]/(\Phi (x))\), and let \(\chi \) denote a distribution over the ring R.

The decisional polynomial learning-with-errors (Poly-LWE) assumption \(\mathsf {PolyLWE}_{\Phi ,q,\chi }\) states that, for any \(\ell = \mathsf {poly}(\kappa )\), the following two distributions are hard to distinguish:

• \(\{(a_i, a_i s + e_i)\}_{i=1,\dots ,\ell }\), where \(a_i \leftarrow R_q\), \(s , e_i \leftarrow \chi \)

• \(\{(a_i, u_i)\}_{i=1,\dots ,\ell }\), where \(a_i, u_i \leftarrow R_q\).

Next, we recall the decisional small polynomial ratio (DSPR) assumption defined by López-Alt, Tromer, and Vaikuntanathan [LTV12]. We here employ an adapted version of the DSPR assumption.

Definition 2.10

(DSPR assumption). For all \(\kappa \), let \(\Phi (x) = \Phi _\kappa (x) \in \mathbb {Z}[x]\) be a polynomial of degree \(n = n(\kappa )\), let \(q = q(\kappa )\) be a positive integer, let \(R := \mathbb {Z}[x]/(\Phi (x))\) and \(R_q := \mathbb {Z}_q[x]/(\Phi (x))\), and let \(\chi \) denote a distribution over the ring R.

The decisional small polynomial ratio (DSPR) assumption \(\mathsf {DSPR}_{\Phi ,q,\chi _g,\chi _f}\) says that the following two distributions are hard to distinguish:

• a polynomial \(h := g \cdot f^{-1} \in R_q\), where \(g \leftarrow \chi _g\) and \(f \leftarrow \chi _f\).

• a polynomial \(u \leftarrow R_q\).

Remark 2.1

Stehlé and Steinfeld [SS11] showed that \(\mathsf {DSPR}_{\Phi ,q,\chi }\) is statistically hard if n is a power of two, \(\Phi (x) = x^n+1\), and \(\chi _g = \chi _f = D_{\mathbb {Z}^n,r}\) for \(r > \sqrt{q} \cdot \mathsf {poly}(\kappa )\).

3 Disjoint Simulatability of Deterministic PKE

Here, we define a new security notion, disjoint simulatability, for DPKE. We also define another security notion called sparse pseudorandomness and prove that it implies the disjoint simulatability. Then we give some instantiations of sparse pseudorandom (and thus disjoint simulatable) deterministic PKE schemes based on the LWE assumption or various assumptions related to NTRU, the McEliece PKE, and the Niederreiter PKE with tight reductions. We also construct a disjoint simulatable DPKE scheme from any IND-CPA-secure PKE scheme with a sufficiently large message space in the QROM, though the reduction is non-tight.

3.1 Definition

We define a new security notion, disjoint simulatability, for DPKE. Intuitively, a deterministic PKE scheme is disjoint simulatable if there exists a simulator that is only given a public key and generates a “fake ciphertext” that is indistinguishable from a real ciphertext of a random message. Moreover, we require that a fake ciphertext falls in a valid ciphertext space with negligible probability. The formal definition is as follows.

Definition 3.1

(Disjoint simulatability). Let \(\mathcal {D}_{\!\mathcal {M}}\) denote an efficiently sampleable distribution on a set \(\mathcal {M}\). A deterministic PKE scheme \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) with plaintext and ciphertext spaces \(\mathcal {M}\) and \(\mathcal {C}\) is \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatable if there exists a PPT algorithm \(\mathcal {S}\) that satisfies the following.

• (Statistical disjointness:)

  $$ \mathsf {Disj}_{\mathsf {PKE},\mathcal {S}}(\kappa ):=\max _{( ek , dk )\in \mathsf {Gen}(1^\kappa ; \mathcal {R})}\Pr [c \in \mathsf {Enc}( ek ,\mathcal {M}) \mid c \leftarrow \mathcal {S}( ek )] $$

  is negligible, where \(\mathcal {R}\) denotes a randomness space for \(\mathsf {Gen}\).

• (Ciphertext-indistinguishability:) For any PPT adversary \(\mathcal {A}\),

  

  is negligible.

3.2 Sufficient Condition: Sparse Pseudorandomness

Here, we define another security notion for DPKE called sparse pseudorandomness, which is a sufficient condition to be disjoint simulatable. Intuitively, a deterministic PKE scheme is sparse pseudorandom if valid ciphertexts are sparse in a ciphertext sparse and pseudorandom when a message is randomly chosen. In other words, an encryption algorithm can be seen as a pseudorandom generator (PRG). The formal definition is as follows.

Definition 3.2

(Sparse pseudorandomness). Let \(\mathcal {D}_{\!\mathcal {M}}\) denote an efficiently sampleable distribution on a set \(\mathcal {M}\). A deterministic PKE scheme \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) with plaintext and ciphertext spaces \(\mathcal {M}\) and \(\mathcal {C}\) is \(\mathcal {D}_{\!\mathcal {M}}\)-sparse pseudorandom if the following two properties are satisfied.

• (Sparseness:)

  $$ \mathsf {Sparse}_{\mathsf {PKE}}(\kappa ):= \max _{( ek , dk )\in \mathsf {Gen}(1^{\kappa };\mathcal {R})}\frac{|\mathsf {Enc}( ek ,\mathcal {M})|}{|\mathcal {C}|} $$

  is negligible where \(\mathcal {R}\) denotes a randomness space for \(\mathsf {Gen}\).

• (Pseudorandomness:) For any PPT adversary \(\mathcal {A}\),

  

  is negligible.

Then we prove that the sparse pseudorandomness implies the disjoint simulatability if a ciphertext space is efficiently sampleable.

Lemma 3.1

If a deterministic PKE scheme \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) with plaintext and ciphertext spaces \(\mathcal {M}\) and \(\mathcal {C}\) is \(\mathcal {D}_{\!\mathcal {M}}\)-sparse pseudorandom and \(\mathcal {C}\) is efficiently sampleable, then \(\mathsf {PKE}\) is also \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatable. In particular, there exists a PPT simulator \(\mathcal {S}\) such that \(\mathsf {Disj}_{\mathsf {PKE},\mathcal {S}}(\kappa )=\mathsf {Sparse}_{\mathsf {PKE}}(\kappa )\) and .

Proof

Let \(\mathcal {S}\) be an algorithm that outputs a random element of \(\mathcal {C}\). Then we clearly have \(\mathsf {Disj}_{\mathsf {PKE},\mathcal {S}}(\kappa )=\mathsf {Sparse}_{\mathsf {PKE}}(\kappa )\) and .    \(\square \)

3.3 Instantiations

Here, we give examples of a DPKE scheme that is disjoint simulatable. In particular, we construct a DPKE scheme that has the sparse pseudorandomness based on the LWE assumption or some other assumptions related to NTRU. (We further construct them based on the McEliece PKE and the Niederreiter PKE in the full version.) We remark that the reductions are tight. By combining those with Lemma 3.1, we obtain disjoint simulatable DPKE schemes based on any of these assumptions with tight security.

LWE-based DPKE. We review the GPV trapdoor function for LWE [GPV08, Pei09, MP12]. The LWE assumption (in matrix form) states that \((A, sA + e)\) and (A, u) are computationally indistinguishable, where \(A \leftarrow \mathbb {Z}_q^{n \times m}\), \(s \leftarrow \mathbb {Z}_q^n\), \(e \leftarrow \chi ^m\), and \(u \leftarrow \mathbb {Z}_q^m\). The GPV trapdoor function for LWE exploited that if we have a “short” matrix T satisfying \(AT \equiv O \bmod {q}\), we can retrieve s and e from \(c = sA + e\). The trapdoor T for A is generated by an algorithm \(\mathsf {TrapGen}\):

Theorem 3.1

([Ajt99, AP11]). For any positive integers n and \(q \ge 3\), any \(\delta > 0 \) and \(m \ge (2+\delta ) n \lg {q}\), there is a probabilistic polynomial-time algorithm \(\mathsf {TrapGen}\) that outputs a pair \(T \in \mathbb {Z}^{m \times m}\) and \(A \in \mathbb {Z}_q^{n \times m}\) such that: the distribution of A is within a negligible statistical distance of uniform over \(\mathbb {Z}_q^{n \times m}\), T is non-singular (over the rationals), \(\Vert t_i\Vert \le L = O(m \lg {m})\) for every column vector \(t_i\) of  T, and \(A T \equiv O \pmod {q}\).

Let us construct a DPKE scheme \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) as follows:

• Parameters: We require several parameters: the dimension \(n = n(\kappa )\), the modulus \(q = q(\kappa )\), and \(m = m(\kappa )\). We also employ \(L = O(m \lg {m})\), \(\sigma = \omega (\sqrt{\lg n})\), \(\beta = \sigma \sqrt{n}\).

  We require that \(\beta L < q/2\) and \(q^m \gg q^n \cdot (2\beta +1)^m\).

  • The plaintext space \(\mathcal {M}:= \mathbb {Z}_q^n \times B_m(\beta )\), where \(B_m(\beta ) := \{e \in \mathbb {Z}^m \mid \) \(\Vert e\Vert \le \beta \}\).

  • The sampler \(\mathcal {D}_{\!\mathcal {M}}\) samples \(s \leftarrow \mathbb {Z}_q^n\) and \(e \leftarrow D_{\mathbb {Z}^m, \sigma }\) conditioned on \(\Vert e\Vert \le \beta \).

  • The ciphertext space \(\mathcal {C}:= \mathbb {Z}_q^m\)

• Key Generation: \(\mathsf {Gen}(1^\kappa )\) invokes \(\mathsf {TrapGen}(1^n,1^m,q)\) and obtains \(A \in \mathbb {Z}_q^{n \times m}\) and \(T \in \mathbb {Z}^{m \times m}\). It outputs \( ek = A\) and \( dk = (A,T)\).

• Encryption: \(\mathsf {Enc}( ek , (s,e))\) outputs \(c = sA + e \bmod {q}\).

• Decryption: \(\mathsf {Dec}( dk , c)\) computes \(e = (c \cdot T \bmod {q}) \cdot T^{-1}\) and \(s = (c - e) \cdot A^+ \bmod {q}\), where \(A^+ := A^\top \cdot (A \cdot A^{\top }) \in \mathbb {Z}_q^{m \times n}\), the left inverse of A.

The properties of PKE are summarized as follows:

• Perfect Correctness: We know \(c\, \cdot \, T \equiv s A T + e T \equiv e T \pmod {q}\). If \(\Vert e T\Vert _{\infty } < q/2\), then \(c \cdot T \bmod {q} = e T \in \mathbb {Z}^m\) holds and e is recovered by \(e = (c \cdot T \bmod {q}) \cdot T^{-1}\). Once correct e is obtained, s is recovered by \((c-e) \cdot A^+ \in \mathbb {Z}_q^n\). The condition \(\Vert e T\Vert _{\infty } < q/2\) is satisfied because \(\Vert e T\Vert _{\infty } \le \max _{i} \Vert e\Vert \cdot \Vert t_i\Vert \le \beta L < q/2\), where \(t_i\) is the column vectors of T.

• Sparseness: \(|\mathcal {C}|= q^m\) and \(|\mathsf {Enc}( ek ,\mathcal {M})|\le \mathcal {M}= |\mathbb {Z}_q^n \times B_m(\beta ) |\le q^n \cdot (2\beta +1)^m\). Sparseness follows from the fact \(q^m \gg q^n \cdot (2\beta +1)^m\).

• Pseudorandomness: We consider the following hybrid games:

  • (Original game 1:) The adversary is given \((A,c^*)\), where \((A,T) \leftarrow \mathsf {TrapGen}(1^n,1^m,q)\), \((s,e) \leftarrow \mathcal {D}_{\!\mathcal {M}}\), and \(c^* \leftarrow \mathbb {Z}_q^m\).

  • (Hybrid game 1:) Let us replace the public key A. We consider \((A,c^*)\), where \(A \leftarrow \mathbb {Z}_q^{n \times m}\), \((s,e) \leftarrow \mathcal {D}_{\!\mathcal {M}}\), and \(c^* := s A + e \bmod {q}\). This change is justified by Theorem 3.1.

  • (Hybrid game 2:) Let us replace the sampler \(\mathcal {D}_{\!\mathcal {M}}\). We consider \((A,c^*)\), where \(A \leftarrow \mathbb {Z}_q^{n \times m}\), \((s,e) \leftarrow U(\mathbb {Z}_q^n) \times D_{\mathbb {Z}^m,\sigma }\), and \(c^* := s A + e \bmod {q}\). This replacement is justified by Lemma 2.3.

  • (Hybrid game 3:) We next replace the ciphertext \(c^*\). We consider \((A,c^*)\), where \(A \leftarrow \mathbb {Z}_q^{n \times m}\) and \(c^* \leftarrow \mathbb {Z}_q^m\). This game is computationally indistinguishable from the previous game under the LWE assumption \(\mathsf {LWE}_{n,q,D_{\mathbb {Z},\sigma }}\).

  • (Original game 2:) We replace the public key A. We consider \((A,c^*)\), where \((A,T) \leftarrow \mathsf {TrapGen}(1^n,1^m,q)\) and \(c^* := s A + e \bmod {q}\). This change is justified by Theorem 3.1.

Remark 3.1

For simplicity, we employ the simple version of the GPV trapdoor function for LWE. Further improvements are available, e.g., [MP12, Section 5].

NTRU-based DPKE. We next review the original version of NTRUEncrypt [HPS98]. Let \(\Phi (x) = x^n-1 \in \mathbb {Z}[x]\), let \(p < q\) be positive integers with \(\gcd (p,q) = 1\), and let \(R := \mathbb {Z}[x]/(\Phi (x))\) and \(R_q := \mathbb {Z}_q[x]/(\Phi (x))\). We often set \(p = 3\) and \(q = 2^k\) for some k. Let \(\mathcal {T}\) be a set of ternary-coefficient polynomials in R, that is, \(\mathcal {T} := \{ t = \sum _{i=0}^{n-1} t_i x^i \in R \mid t_i \in \{-1,0,+1\} \}\). Let \(\mathcal {L}_f, \mathcal {L}_g, \mathcal {L}_r, \mathcal {L}_m \subseteq \mathcal {T}\). The public key is \(h = g/f\), where \(f \leftarrow \mathcal {L}_f, g \leftarrow \mathcal {L}_g\) with f has inverses in \(R_p\) and \(R_q\). The the ciphertext of \(m \in \mathcal {L}_m\) with randomness \(r \in \mathcal {L}_r\) is \(c = prh+m\). Roughly speaking, we can retrieve m if we know f; \(c f = p r g + m f \in R_q\) and it holds in R.

• Parameters: We require that \(\Vert p r g + m f \bmod {q}\Vert _{\infty } < q/2\) for any g, f, m, r in their domains, where, for \(t = \sum _{i=0}^{n-1} t_i x^i \in R\), we define \(\Vert t \Vert _{\infty } := \max _i |t_i |\). For simplicity, we assume that \(\mathcal {L}_m = \mathcal {L}_r\).

  • The plaintext space is \(\mathcal {M}:= \mathcal {L}_m \times \mathcal {L}_r\).

  • The sampler \(\mathcal {D}_{\!\mathcal {M}}\) samples \((m,r) \leftarrow \mathcal {L}_m \times \mathcal {L}_r\).

  • The ciphertext space is \(\mathcal {C}:= R_{q}\).

• Key Generation: \(\mathsf {Gen}()\) chooses \(g \leftarrow \mathcal {L}_g\) and \(f \leftarrow \mathcal {L}_f\) until f is invertible in \(R_{q}\) and \(R_{p}\). It outputs \( ek = h = g/f \in R_{q}\) and \( dk = (h,f)\).

• Encryption: \(\mathsf {Enc}( ek ,(m,r))\) outputs \(c = p r h + m \in R_{q}\).

• Decryption: \(\mathsf {Dec}( sk ,c)\) computes \(m := (f c \bmod {q}) \cdot f^{-1} \bmod {p}\) and \(r := (c - m) \cdot (ph)^{-1} \bmod {q}\).

The properties of this DPKE are summarized as follows:

• Perfect correctness: Note that \(f c \equiv p r g + m f \pmod {q}\). Since \(\Vert p r g + m f \bmod {q}\Vert _{\infty } < q/2\) from our requirement, we have \((f c \bmod {q}) = p r g + m f \in R\). Hence, we have \((f c \bmod {q}) \cdot f^{-1} \equiv (prg + mf) \cdot f^{-1} \equiv m \pmod {p}\) as we wanted. r is also recovered because \((c - m) \cdot (ph)^{-1} \equiv prh \cdot (ph)^{-1} \equiv r \pmod {q}\).

• Sparseness: Sparseness follows from \(|\mathcal {C}|= q^n \gg 3^{2n} = |\mathcal {T}^2 |\ge |\mathcal {L}_m \times \mathcal {L}_r |= |\mathsf {Enc}( ek ,\mathcal {M}) |\).

• Pseudorandomness: What we want to show is

  $$ (h, c = p r h + m) \approx _c (h, u), $$

  where \(h = g/f\) is a public key with \(f \leftarrow \mathcal {L}_f, g \leftarrow \mathcal {L}_g\) with condition f has inverses \(R_p\) and \(R_q\), \((m,r) \leftarrow \mathcal {L}_m \times \mathcal {L}_r\), and \(u \leftarrow R_{q}\). Let \(\chi _g := U(\mathcal {L}_g)\) and \(\chi _f := U(\mathcal {L}_f \cap R_{p}^* \cap R_q^*)\), where \(R_{k}^*\) for \(k \in \{p,q\}\) denotes \(\{f \in R \mid f \text { has an inverse in }R_k \}\). Let \(\chi := U(\mathcal {L}_m) = U(\mathcal {L}_r)\).

  • We first replace \(h = g/f\) with random \(h'\), which is justified by the DSPR assumption \(\mathsf {DSPR}_{\Phi ,q,\chi _f, \chi _g}\).

  • We next replace \(c = p r h'+m\) with random \(c'\), which is justified by the Poly-LWE assumption \(\mathsf {PolyLWE}_{\Phi ,q,\chi }\); Given \(\tilde{h}\) and \(c = r \tilde{h} + m\) or random, we convert them into \(h'= p^{-1} \tilde{h}\) and c. Since p is co-prime to q, \(h'\) is truly random. If \(c = r \tilde{h} + e\), then \(c = p r \cdot p^{-1} \tilde{h} + e = p r h' + e\) as we wanted.

  • We then go backward by replacing random \(h'\) with \(h = g/f\), which is justified by the DSPR assumption \(\mathsf {DSPR}_{\Phi ,q,\chi _f,\chi _g}\) again.

3.4 Generic Conversion from \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\)-Secure PKE

Here, we show that any perfectly-correct \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\)-secure PKE whose plaintext space is sufficiently large can be converted into a disjoint-simulatable DPKE scheme in the quantum random oracle model. We note that the conversion is non-tight.

Intuitively, we replace randomness of an underlying \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\)-secure PKE scheme with a hash value of a message similarly to the conversion \(\mathsf {T}\) given in [HHK17] (which is in turn based on the Fujisaki-Okamoto conversion). The difference from the conversion \(\mathsf {T}\) is that we “puncture” a message space by 0⁵. That is, if a message space of an underlying \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\)-secure PKE scheme is \(\mathcal {M}\), then a message space of the resulting scheme is \(\mathcal {M}':=\mathcal {M}\setminus \{0\}\). In this meaning, we call our conversion \(\mathsf {TPunc}\). We give the concrete description of the conversion \(\mathsf {TPunc}\) below.

Let \(\mathcal {M}\) and \(\mathcal {R}\) be the message and randomness spaces of \(\mathsf {PKE}\), respectively, and let \(\mathcal {M}':= \mathcal {M}\setminus \{0\}\). Then the resulting DPKE scheme \(\mathsf {PKE}_1 = \mathsf {TPunc}[\mathsf {PKE},\mathsf {G}]\) is described in Fig. 4 where \(\mathsf {G}:\mathcal {M}\rightarrow \mathcal {R}\) denotes a random oracle. Here, we remark that the message space of \(\mathsf {PKE}_1\) is restricted to \(\mathcal {M}':=\mathcal {M}\setminus \{0\}\). The security of \(\mathsf {PKE}_1\) is stated as follows.

Fig. 4.

\(\mathsf {PKE}_1 = (\mathsf {Gen}_1,\mathsf {Enc}_1,\mathsf {Dec}_1) = \mathsf {TPunc}[\mathsf {PKE},\mathsf {G}]\) with simulator \(\mathcal {S}\).

Theorem 3.2

(Security of \(\mathsf {TPunc}\)). Let \(\mathcal {S}\) be the algorithm described in Fig. 4. If \(\mathsf {PKE}\) is perfectly correct, then we have \(\mathsf {Disj}_{\mathsf {PKE}_1,\mathcal {S}}(\kappa )=0\). Moreover, for any quantum adversary \(\mathcal {A}\) against \(\mathsf {PKE}_1\) issuing at most \(q_{\mathsf {G}}\) quantum queries to \(\mathsf {G}\), there exist quantum adversaries \(\mathcal {B}\) and \(\mathcal {C}\) against \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\) security of \(\mathsf {PKE}\) such that

where \(U_{\mathcal {M}'}\) denotes the uniform distribution on \(\mathcal {M}'\), and \(\mathsf {Time}(\mathcal {B})\approx \mathsf {Time}(\mathcal {C})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {G}}\cdot t_{\mathsf {RO}}\).

Security Proof. We obviously have \(\mathsf {Disj}_{\mathsf {PKE}_1,\mathcal {S}}(\kappa )=0\) since \(\mathsf {PKE}\) is perfectly correct.

To prove the rest of the theorem, we consider the following sequence of games. See Table 1 for the summary of games and justifications.

\(\mathsf {Game}_0\): This game is defined as follows:

$$\begin{aligned}&( ek , dk ) \leftarrow \mathsf {Gen}(1^\kappa ); m^* \leftarrow \mathcal {M}'; r^* \leftarrow \mathsf {G}(m^*); c^* := \mathsf {Enc}( ek ,m^*;r^*);\\&\qquad b' \leftarrow \mathcal {A}^{\mathsf {G}(\cdot )}( ek ,c^*); \mathbf{return }\, b'. \end{aligned}$$

\(\mathsf {Game}_1\): This game is the same as \(\mathsf {Game}_0\) except that a randomness to generate a challenge ciphertext is freshly generated:

\(\mathsf {Game}_2\): This game is the same as \(\mathsf {Game}_1\) except that a challenge ciphertext is generated by \(\mathsf {Enc}( ek ,m^*;r^*)\), where \(m^* := 0\) rather than \(m^* \leftarrow \mathcal {M}'\):

Table 1. Summary of games for the security proof of Theorem 3.2

This completes the descriptions of games. It is easy to see that we have

We give an upperbound for this by the following lemmas.

Lemma 3.2

There exists an adversary \(\mathcal {B}\) such that

and \(\mathsf {Time}(\mathcal {B})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {G}}\cdot t_{\mathsf {RO}}\).

Fig. 5.

Adversary \(\mathcal {B}\) and Algorithm \(\mathsf {F}\)

Proof

Let \(\mathsf {F}\) be an algorithm described in Fig. 5. It is easy to see that \(\mathsf {Game}_0\) can be restated as

$$ m^* \leftarrow \mathcal {M}'; r^* \leftarrow \mathsf {G}(m^*); \mathsf {inp} := \mathsf {F}( ek ,m^*;r^*); b' \leftarrow \mathcal {A}^{\mathsf {G}(\cdot )}(\mathsf {inp}); \mathbf{return }\, b'. $$

and \(\mathsf {Game}_1\) can be restated as

$$ m^* \leftarrow \mathcal {M}'; r^* \leftarrow \mathcal {R}; \mathsf {inp} := \mathsf {F}( ek ,m^*;r^*); b' \leftarrow \mathcal {A}^{\mathsf {G}(\cdot )}(\mathsf {inp}); \mathbf{return }\, b'. $$

Then applying the Algorithmic-OW2H lemma (Lemma 2.1) with \(\mathcal {X} = \mathcal {M}'\), \(\mathcal {Y} = \mathcal {R}\), \(x = m^*\), \(y = r^*\), and algorithms \(\mathcal {A}\) and \(\mathsf {F}\), we have

$$ \left| \Pr [\mathsf {Game}_0 = 1] - \Pr [\mathsf {Game}_1 = 1] \right| \le 2 q_{\mathsf {G}} \sqrt{\Pr [m^* \leftarrow \mathcal {B}^{\mathsf {G}}(ek,c^*)]}. $$

where \(\mathcal {B}^{\mathsf {G}}\) is an algorithm described in Fig. 5, \((ek,dk)\leftarrow \mathsf {Gen}(1^{\kappa })\), \(m^*\leftarrow \mathcal {M}'\), \(r^*\leftarrow \mathcal {R}\), and \(c^*:=\mathsf {Enc}(ek,m^*,r^*)\). Since the statistical distance between uniform distributions on \(\mathcal {M}\) and \(\mathcal {M}'\) is \(\frac{1}{|\mathcal {M}|}\), we have where the probability in the left-hand side is taken as in the above. (Note that additional \(\frac{1}{|\mathcal {M}|}\) appears because \(m^*\) is taken from \(\mathcal {M}'=\mathcal {M}\setminus \{0\}\) in the left-hand side probability.) Moreover, we have in general. By combining these inequalities, the lemma is proven.    \(\square \)

Lemma 3.3

There exists an adversary \(\mathcal {C}\) such that and \(\mathsf {Time}(\mathcal {C})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {G}}\cdot t_{\mathsf {RO}}\).

Proof

We construct an adversary \(\mathcal {C}\) against the \({ \textsc {IND}}\hbox {-}{ \textsc {CPA}}\) security of \(\mathsf {PKE}\) as follows.

• \(\mathcal {C}^{\mathsf {G}}( ek )\): It chooses \(m_0 \leftarrow \mathcal {M}'\) and sets \(m_1:=0\). Then it queries \((m_0,m_1)\) to its challenge oracle and obtains \(c^* \leftarrow \mathsf {Enc}( ek ,m^*;r^*)\), where \(m^*\) is \(m_b\) for a random bit b chosen by the challenger. It invokes \(b'\leftarrow \mathcal {A}^{\mathsf {G}}( ek ,c^*)\) and outputs \(b'\).

This completes the description of \(\mathcal {C}\). It is obvious that \(\mathcal {C}\) perfectly simulates \(\mathsf {Game}_{b+1}\) depending on the challenge bit \(b \in \{0,1\}\). Therefore, we have

as we wanted.    \(\square \)

4 Conversion from Disjoint Simulatability to \({ \textsc {IND}}\hbox {-}{ \textsc {CCA}}\)

In this section, we convert a disjoint simulatable DPKE scheme into an IND-CCA-secure KEM. Let \(\mathsf {PKE}_1 = (\mathsf {Gen}_1,\mathsf {Enc}_1,\mathsf {Dec}_1)\) be a deterministic PKE scheme and let \(\mathsf {H}:\mathcal {M} \rightarrow \mathcal {K}\) and \(\mathsf {H}' :\{0,1\}^\ell \times \mathcal {C} \rightarrow \mathcal {K}\) be random oracles. Our conversion \(\mathsf {SXY}\) is described in Fig. 6. The securities of our conversion can be stated as follows.

Fig. 6.

\(\mathsf {KEM}:= \mathsf {SXY}[\mathsf {PKE}_1,\mathsf {H},\mathsf {H}']\).

Theorem 4.1

(Security of \(\mathsf {SXY}\) in the ROM (an adapted version of [HHK17, Theorem 3.6])). Let \(\mathsf {PKE}_1\) be a perfectly correct DPKE scheme. For any IND-CCA adversary \(\mathcal {A}\) against \(\mathsf {KEM}\) issuing \(q_{\mathsf {H}}\) and \(q_{\mathsf {H}'}\) quantum random oracle queries to \(\mathsf {H}\) and \(\mathsf {H}'\) and \(q_{\overline{\mathsf {Dec}}}\) decryption queries, there exists an \({ \textsc {OW}}\hbox {-}{ \textsc {CPA}}\) adversary \(\mathcal {B}\) against \(\mathsf {PKE}_1\), such that

and \(\mathsf {Time}(\mathcal {B}) \approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {H}} \cdot \mathsf {Time}(\mathsf {Enc}_1) +(q_{\mathsf {H}}+q_{\mathsf {H}'}+q_{\overline{\mathsf {Dec}}})\cdot t_{\mathsf {CRO}}\), where \(t_{\mathsf {CRO}}\) is the running time to simulate the classical random oracle.

Theorem 4.2

(Security of \(\mathsf {SXY}\) in the QROM). Let \(\mathsf {PKE}_1\) be a perfectly correct DPKE scheme that satisfies the \(\mathcal {D}_{\!\mathcal {M}}\)-disjoint simulatability with a simulator \(\mathcal {S}\). For any IND-CCA quantum adversary \(\mathcal {A}\) against \(\mathsf {KEM}\) issuing \(q_{\mathsf {H}}\) and \(q_{\mathsf {H}'}\) quantum random oracle queries to \(\mathsf {H}\) and \(\mathsf {H}'\) and \(q_{\overline{\mathsf {Dec}}}\) decryption queries, there exists an adversary \(\mathcal {B}\) against the disjoint simulatability of \(\mathsf {PKE}_1\) such that

and \(\mathsf {Time}(\mathcal {B})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {H}} \cdot \mathsf {Time}(\mathsf {Enc}_1)+(q_{\mathsf {H}}+q_{\mathsf {H}'}+q_{\overline{\mathsf {Dec}}})\cdot t_{\mathsf {RO}}\).

The proof of Theorem 4.2 follows.

Remark 4.1

We also note that our reduction enables the decapsulation oracle \(\overline{\mathsf {Dec}}\) to quantumly queried.

Security Proof. We use game-hopping proof. The overview of all games is given in Table 2.

\(\mathsf {Game}_0\): This is the original game, .

\(\mathsf {Game}_{1}\): This game is the same as \(\mathsf {Game}_0\) except that \(\mathsf {H}'(s,c)\) in the decryption oracle is replaced with \(\mathsf {H}_q(c)\) where \(\mathsf {H}_q:\mathcal {C}\rightarrow \mathcal {K}\) is another random oracle. We remark that \(\mathcal {A}\) is not given direct access to \(\mathsf {H}_q\).

\(\mathsf {Game}_{1.5}\): This game is the same as \(\mathsf {Game}_1\) except that the random oracle \(\mathsf {H}(\cdot )\) is simulated by \(\mathsf {H}'_q(\mathsf {Enc}_1( ek ,\cdot ))\) where \(\mathsf {H}'_q\) is yet another random oracle. We remark that a decryption oracle and generation of \(K_0^*\) also use \(\mathsf {H}'_q(\mathsf {Enc}_1( ek ,\cdot ))\) as \(\mathsf {H}(\cdot )\) and that \(\mathcal {A}\) is not given direct access to \(\mathsf {H}'_q\).

\(\mathsf {Game}_{2}\): This game is the same as \(\mathsf {Game}_{1.5}\) except that the random oracle \(\mathsf {H}(\cdot )\) is simulated by \(\mathsf {H}_q(\mathsf {Enc}_1( ek ,\cdot ))\) instead of \(\mathsf {H}'_q(\mathsf {Enc}_1( ek ,\cdot ))\). We remark that a decryption oracle and generation of \(K_0^*\) also use \(\mathsf {H}_q(\mathsf {Enc}_1( ek ,\cdot ))\) as \(\mathsf {H}(\cdot )\).

Table 2. Summary of games for the proof of Theorem 4.2

\(\mathsf {Game}_{3}\): This game is the same as \(\mathsf {Game}_2\) except that \(K_0^*\) is set as \(\mathsf {H}_q(c^*)\) and the decryption oracle always returns \(\mathsf {H}_q(c)\) as long as \(c\not =c^*\). We denote the modified decryption oracle by \(\overline{\mathsf {Dec}}'\).

\(\mathsf {Game}_{4}\): This game is the same as \(\mathsf {Game}_3\) except that \(c^*\) is set as \(\mathcal {S}( ek ')\).

The above completes the descriptions of games. We clearly have

by the definition. We upperbound this by the following lemmas.

Lemma 4.1

We have

$$\begin{aligned} \left| \Pr [\mathsf {Game}_0 = 1] - \Pr [\mathsf {Game}_{1} = 1] \right|&\le q_{\mathsf {H}'} \cdot 2^{\frac{-\ell +1}{2}}. \end{aligned}$$

Proof

This is obvious from Lemma 2.2.    \(\square \)

Lemma 4.2

We have

$$\begin{aligned} \Pr [\mathsf {Game}_1 = 1] = \Pr [\mathsf {Game}_{1.5} = 1] . \end{aligned}$$

Proof

Since we assume that \(\mathsf {PKE}_1\) has a perfect correctness, \(\mathsf {Enc}_1( ek ',\cdot )\) is injective. Therefore, if \(\mathsf {H}'_q(\cdot )\) is a random function, then \(\mathsf {H}'_q(\mathsf {Enc}_1( ek ,\cdot ))\) is also a random function. Remarking that access to \(\mathsf {H}'_q\) is not given to \(\mathcal {A}\), it causes no difference from the view of \(\mathcal {A}\) if we replace \(\mathsf {H}(\cdot )\) with \(\mathsf {H}'_q(\mathsf {Enc}_1( ek ,\cdot ))\).    \(\square \)

Lemma 4.3

We have

$$\begin{aligned} \Pr [\mathsf {Game}_{1.5} = 1] = \Pr [\mathsf {Game}_{2} = 1] . \end{aligned}$$

Proof

We call a ciphertext c valid if we have \(\mathsf {Enc}_1( ek ',\mathsf {Dec}_1(dk',c))=c\) and invalid otherwise. We remark that \(\mathsf {H}_q\) is used only for decrypting an invalid ciphertext c as \(\mathsf {H}_q(c)\) in \(\mathsf {Game}_{1.5}\). This means that a value of \(\mathsf {H}_q(c)\) for a valid c is not used at all in \(\mathsf {Game}_{1.5}\). On the other hand, any output of \(\mathsf {Enc}_1( ek ',\cdot )\) is valid due to the perfect correctness of \(\mathsf {PKE}_1\). Since \(\mathsf {H}'_q\) is only used for evaluating an output of \(\mathsf {Enc}( ek ',\cdot )\), a value of \(\mathsf {H}_q(c)\) for a valid c is not used at all in \(\mathsf {Game}_{1.5}\). Hence, it causes no difference from the view of \(\mathcal {A}\) if we use the same random oracle \(\mathsf {H}_q\) instead of two independent random oracles \(\mathsf {H}_q\) and \(\mathsf {H}'_q\).    \(\square \)

Lemma 4.4

We have

$$\begin{aligned} \Pr [\mathsf {Game}_{2} = 1] = \Pr [\mathsf {Game}_{3} = 1] . \end{aligned}$$

Proof

Since we set \(\mathsf {H}(\cdot ):=\mathsf {H}_q(\mathsf {Enc}_1( ek ',\cdot ))\), for any valid c and \(m:=\mathsf {Dec}_1(dk',c)\), we have \(\mathsf {H}(m)=\mathsf {H}_q(\mathsf {Enc}_1( ek ',m))=\mathsf {H}_q(c)\). Therefore, responses of the decryption oracle are unchanged. We also have \(\mathsf {H}(m^*)=\mathsf {H}_q(c^*)\) for a similar reason.    \(\square \)

Lemma 4.5

There exists an adversary \(\mathcal {B}\) such that

and \(\mathsf {Time}(\mathcal {B})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {H}}\cdot \mathsf {Time}(\mathsf {Enc}_1)+(q_{\mathsf {H}}+q_{\mathsf {H}'}+q_{\overline{\mathsf {Dec}}})\cdot t_{\mathsf {RO}}\).

Proof

We construct an adversary \(\mathcal {B}\), which is allowed to access two random oracles \(\mathsf {H}_q\) and \(\mathsf {H}'\), against the disjoint simulatability as follows⁶.

• \(\mathcal {B}^{\mathsf {H}_q,\mathsf {H}'}( ek ', c^*):\) It picks \(b\leftarrow \{0,1\}\), sets \(K_0^*:=\mathsf {H}_q(c^*)\) and \(K_1^*\leftarrow \mathcal {K}\), and invokes \(b'\leftarrow \mathcal {A}^{\mathsf {H},\mathsf {H}',\overline{\mathsf {Dec}}'}( ek ',c^*,K_b^*)\) where \(\mathcal {A}'s\) oracles are simulated as follows.

  • \(\mathsf {H}(\cdot )\) is simulated by \(\mathsf {H}_q(\mathsf {Enc}_1( ek ',\cdot ))\).

  • \(\mathsf {H}'\) can be simulated because \(\mathcal {B}\) has access to an oracle \(\mathsf {H}'\).

  • \(\overline{\mathsf {Dec}}'(\cdot )\) is simulated by forwarding to \(\mathsf {H}_q(\cdot )\).

  Then \(\mathcal {B}\) returns \(\mathsf {boole}(b\mathbin {{\mathop {=}\limits ^{?}}}b')\).

This completes the description of \(\mathcal {B}\). It is easy to see that \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_3\) if \(c^*=\mathsf {Enc}_1( ek ,m^*)\) and \(\mathsf {Game}_4\) if \(c^*=\mathcal {S}( ek ')\). Therefore, we have

as wanted. Since \(\mathcal {B}\) invokes \(\mathcal {A}\) once, \(\mathsf {H}\) is simulated by one evaluation of \(\mathsf {Enc}_1\) plus one evaluation of a random oracle, and \(\mathsf {H}'\) and \(\overline{\mathsf {Dec}}'\) are simulated by one evaluation of random oracles, we have \(\mathsf {Time}(\mathcal {B})\approx \mathsf {Time}(\mathcal {A})+q_{\mathsf {H}}\cdot \mathsf {Time}(\mathsf {Enc}_1)+(q_{\mathsf {H}}+q_{\mathsf {H}'}+q_{\overline{\mathsf {Dec}}})\cdot t_{\mathsf {RO}}\).    \(\square \)

Lemma 4.6

We have

$$\begin{aligned} \left| 2\Pr [\mathsf {Game}_{4} = 1]-1 \right| \le \mathsf {Disj}_{\mathsf {PKE}_1,\mathcal {S}}(\kappa ). \end{aligned}$$

Proof

Let \(\mathsf {Bad}\) denote an event in which \(c^*\in \mathsf {Enc}_1( ek ',\mathcal {M})\) in \(\mathsf {Game}_4\). It is easy to see that we have

$$\begin{aligned} \Pr [\mathsf {Bad}]\le \mathsf {Disj}_{\mathsf {PKE}_1,\mathcal {S}}(\kappa ). \end{aligned}$$

When \(\mathsf {Bad}\) does not occur, i.e., \(c^*\notin \mathsf {Enc}_1( ek ',\mathcal {M})\), \(\mathcal {A}\) obtains no information about \(K_0^*=\mathsf {H}_q(c^*)\). This is because queries to \(\mathsf {H}\) only reveal \(\mathsf {H}_q(c)\) for \(c\in \mathsf {Enc}_1( ek ',\mathcal {M})\), and \(\overline{\mathsf {Dec}}'(c)\) returns \(\bot \) if \(c=c^*\). Therefore, we have

$$\begin{aligned} \Pr [\mathsf {Game}_{4}=1 \mid \overline{\mathsf {Bad}}]=1/2. \end{aligned}$$

Combining the above, we have

$$\begin{aligned}&\left| 2\Pr [\mathsf {Game}_{4} = 1]-1 \right| \\&\quad =\left| \Pr [\mathsf {Bad}] \cdot (2\Pr [\mathsf {Game}_{4}=1 \mid \mathsf {Bad}]-1)+\Pr [\overline{\mathsf {Bad}}] \right. \\&\qquad \left. \cdot (2\Pr [\mathsf {Game}_{4}=1 \mid \overline{\mathsf {Bad}}]-1)\right| \\&\quad \le \Pr [\mathsf {Bad}]+\left| 2\Pr [\mathsf {Game}_{4}=1 \mid \overline{\mathsf {Bad}}]-1 \right| \\&\quad \le \mathsf {Disj}_{\mathsf {PKE}_1,\mathcal {S}}(\kappa ) \end{aligned}$$

as we wanted.    \(\square \)

5 Implementation

We report the implementation results on a desktop PC and on a RasPi, which are based on the previous implementation of a variant of NTRU [HRSS17].

5.1 NTRU-HRSS

We review a variant of NTRU, which we call \(\mathsf {NTRU_{HRSS17}}\), developed by Hülsing, Rijneveld, Schanck, and Schwabe [HRSS17].

Let \(\Phi _m(x) \in \mathbb {Z}[x]\) be the m-th cyclotomic polynomial. We have \(\Phi _1 = x - 1\). If m is prime, then we have \(\Phi _m = 1 + x + \dots + x^{m-1}\). Define \(S_n := \mathbb {Z}[x]/(\Phi _n)\) and \(R_n := \mathbb {Z}[x]/(x^n-1)\). For prime n, we have \(x^n - 1 = \Phi _1 \Phi _n\) and \(R_n \simeq S_1 \times S_n\). We define \(\mathrm {Lift}_p :S_n/(p) \rightarrow R_n\) as

$$ \mathrm {Lift}_p(v) := \left[ \Phi _1 [v/\Phi _1]_{(p,\Phi _n)} \right] _{(x^n-1)}. $$

By definition, we have \(\mathrm {Lift}_p(v) \equiv 0 \pmod {\Phi _1}\) and \(\mathrm {Lift}_p(v) \equiv v \pmod {(p,\Phi _n)}\). Let \(\mathfrak {p} = (p,\Phi _n)\) and \(\mathfrak {q} = (q,x^n-1)\). Let

$$\begin{aligned} \mathcal {T}&:= \{a \in \mathbb {Z}[x] : a = [a]_{\mathfrak {p}} \} = \{a \in \mathbb {Z}[x] : a_i \in (p) \text { and } \deg (a) < \deg (\Phi _n) \}, \\ \mathcal {T}_+&:= \{a \in \mathcal {T}: \langle {xa,a}\rangle \ge 0\}. \end{aligned}$$

The definition of \(\mathsf {NTRU_{HRSS17}}\) is in Fig. 7. Note that all ciphertexts are equivalent to 0 modulo \((q,\Phi _1)\), which prevents a trivial distinguishing attack.

Fig. 7.

\(\mathsf {NTRU_{HRSS17}}\)

Hülsing et al. choose \((n,p,q) = (701,3,8192)\): The scheme is perfectly correct, and they claimed 128-bit post-quantum security of this parameter set. The implementation of \(\mathsf {NTRU_{HRSS17}}\) and \(\mathsf {QFO}^{\bot }[\mathsf {NTRU_{HRSS17}}, \mathsf {G}, \mathsf {H}, \mathsf {H}']\) is reported in [HRSS17].

Our Modification: We want \(\mathsf {PKE}_1\) to be deterministic. Hence, we consider a pair of (m, r) as a plaintext and make the decryption algorithm output (m, r) rather than m. The modification \(\mathsf {NTRU_{HRSS17}}'\) is summarized in Fig. 8.

The properties of this DPKE are summarized as follows:

• Perfect Correctness: This follows from the perfect correctness of the original PKE.

• Sparseness: This follows from the parameter setting of the original PKE.

• Pseudorandomness: We assume that the modified PKE \(\mathsf {NTRU_{HRSS17}}'\) satisfies pseudorandomness.

We also implement \(\mathsf {SXY}[\mathsf {NTRU_{HRSS17}}', \mathsf {H}, \mathsf {H}']\), where \(\mathsf {H}\) and \(\mathsf {H}'\) are implemented by SHAKE256. We define

$$\begin{aligned} \mathsf {H}(m,r) := \mathsf {XOF}\big ((r,m,0),256\big ) \text { and } \mathsf {H}'(s,c) := \mathsf {XOF}\big ((c,(s \Vert 00 \cdots 00),1),256\big ), \end{aligned}$$

where we treat \(r \in R_n/(q)\) and the last bit is the context string.

To avoid the inversion of polynomials in decapsulation, we add \(f^{-1}\) modulo \(\mathfrak {p}\) to \( dk \) as Hüsling et al.  did  [HRSS17]. This requires 139 extra bytes. In addition, we put \((ph)^{-1}\) modulo \(\mathfrak {q}\) in \( dk \), which requires 1140 extra bytes. Thus, our decapsulation key is 2557 bytes long.

Fig. 8.

Our modification \(\mathsf {NTRU_{HRSS17}}'\)

5.2 Experimental Results

We preform the experiment with

• one core of an Intel Core i7-6700 at 3.40 GHz on a desktop PC with 8 GB memory and Ubuntu16.04 and

• a RasPi3 with 32-bit Rasbian.

We use gcc to compile the programs with option -O3. We generate 200 keys and ciphertexts to estimate the running time of key generation, encryption, and decryption. The experimental results are summarized in Table 3. \((\mathsf {Gen}_1,\mathsf {Enc}_1,\mathsf {Dec}_1)\) and \((\overline{\mathsf {Gen}},\overline{\mathsf {Enc}},\overline{\mathsf {Dec}})\) indicate \(\mathsf {NTRU_{HRSS17}}'\) and \(\mathsf {SXY}[\mathsf {NTRU_{HRSS17}}']\). The results reflect Hüsling et al.’s constant-time implementation and ours. Our conversion adds only small extra costs for hashing in encryption and adds about \(T_{\mathsf {Enc}_1}\) for re-encrypting in decryption.

Note that our implementations are for reference and we did not optimize them. Further optimizations will speed up the algorithms as Hüsling et al. did [HRSS17]. The source code is available at https://info.isl.ntt.co.jp/crypt/eng/archive/contents.html#sxy.

Table 3. Experimental results: We have \(\left| ek \right| = 1140\) bytes, \(\left| dk \right| = 2557\) bytes, and \(\left| c \right| = 1140\) bytes.

Acknolwedgements

We would like to thank anonymous reviewers of Eurocrypt 2018, Eike Kiltz, Daniel J. Bernstein, Edoardo Persichetti, and Joost Rijneveld for their insightful comments.

Appendices

A Missing Definitions

Definition A.1

(\(\gamma \)-spread). Let \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) be a PKE scheme. We say \(\mathsf {PKE}\) is \(\gamma \)-spread if for every \(( ek , dk )\) generated by \(\mathsf {Gen}(1^\kappa )\) and for any \(m \in \mathcal {M}\), we have that

$$ -\lg \left( \max _{c \in \mathcal {C}} \Pr _{r \leftarrow \mathcal {R}}[c = \mathsf {Enc}( ek ,m;r)]\right) \ge \gamma . $$

(In other words, the min entropy of \(\mathsf {Enc}( ek ,m;U(\mathcal {R}))\) is at least \(\gamma \).) We say \(\mathsf {PKE}\) is well-spread in \(\kappa \) if \(\gamma = \gamma (\kappa ) = \omega (\lg {\kappa })\).

We additionally review the definitions of onewayness under validity-checking attacks (OW-VA), onewayness under plaintext-checking attacks (OW-PCA), and onewayness under plaintext and validity checking attacks (OW-PCVA) for PKE.

Definition A.2

(Security notions for PKE). Let \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) be a PKE scheme with message space \(\mathcal {M}\). For any adversary \(\mathcal {A}\) and for \({ \textsc {ATK}} \in \{{ \textsc {VA}}, { \textsc {PCA}}, { \textsc {PCVA}}\}\), we define the experiments , and as in Fig. 9, where

$$ O_{{ \textsc {ATK}}} := {\left\{ \begin{array}{ll} \text {Cvo}(\cdot ) &{} ({ \textsc {ATK}} = { \textsc {VA}}) \\ \text {Pco}(\cdot ,\cdot ) &{} ({ \textsc {ATK}} = { \textsc {PCA}}) \\ \text {Cvo}(\cdot ), \text {Pco}(\cdot ,\cdot ) &{} ({ \textsc {ATK}} = { \textsc {PCVA}}). \end{array}\right. } $$

For any adversary \(\mathcal {A}\), we define its OW-VA, OW-PCA, and OW-PCVA advantages as follows:

For \({ \textsc {ATK}} \in \{{ \textsc {VA}}, { \textsc {PCA}}, { \textsc {PCVA}}\}\), we say that \(\mathsf {PKE}\) is OW-ATK-secure if is negligible for any PPT adversary \(\mathcal {A}\).

Fig. 9.

Games for PKE schemes

B Transformations in the Random Oracle Model

We summarize transformations among PKE, DPKE and KEM in the ROM in Fig. 10.

GOAL-ATTACKg indicate the class of PKEs that is GOAL-ATTACK-secure and \(2^{-\omega (\lg {\kappa })}\)-uniformity [FO00, FO99], or equivalently \(\omega (\lg {\kappa })\)-spreading [FO13]. Solid arrows indicate tight reductions, dashed arrows indicate non-tight reductions, thin arrows indicate trivial reductions, thick black arrows indicate reductions in [FO00], thick green arrows indicate reductions in [Den03], and thick blue arrows indicate reductions in [HHK17].

• The transformation \(\mathsf {R}\) is in [FO00, Remark 5.5]; \(\mathsf {R}\) converts \(\mathsf {PKE}= (\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) with randomness space \(\mathcal {R}\) into \(\mathsf {PKE}' = (\mathsf {Gen}',\mathsf {Enc}',\mathsf {Dec}')\) with randomness space \(\mathcal {R} \times \mathcal {R}'\). They defined \(\mathsf {Gen}' := \mathsf {Gen}\), \(\mathsf {Enc}'( ek ,x; (r,r')) := (\mathsf {Enc}( ek ,x;r),r')\) and \(\mathsf {Dec}'( dk ,(c,r')) := \mathsf {Dec}( dk ,c)\). This change amplifies \(\gamma \)-uniformity of \(\mathsf {PKE}\) into \((\gamma /\left| \mathcal {R}' \right| )\)-uniformity.

• The transformations \(\mathsf {Dent1}\), \(\mathsf {Dent2}\), \(\mathsf {Dent3}\), \(\mathsf {Dent4}\), and \(\mathsf {Dent5}\) are given in [Den03].

• The transformations \(\mathsf {S}^\ell \), \(\mathsf {T}\), \(\mathsf {U}^{\bot }\), \(\mathsf {U}^{\not \bot }\), \(\mathsf {U}_m^{\bot }\), \(\mathsf {U}_m^{\not \bot }\), and \(\mathsf {QU}_m^{\bot }\) are given in [HHK17].

Note that \(\mathsf {Dent1} \approx \mathsf {U}_m^{\bot }\), which is a KEM variant of BR93; \(\mathsf {Dent2} \approx \mathsf {U}^\bot \), which is a KEM variant of REACT/GEM; \(\mathsf {Dent4} \approx \mathsf {QU}_m^{\bot }\); \(\mathsf {Dent5} \approx \mathsf {FO}_m^{\bot } = \mathsf {U}_m^{\bot } \circ \mathsf {T}\), which is a KEM variant of FO.

Albrecht, Orsini, Paterson, Peer, and Smart [AOP+17] gave the tight security proof for \(\mathsf {Dent5}\) when the underlying \(\mathsf {PKE}\) is a certain Ring-LWE-based PKE scheme. We also observe that \(\mathsf {Dent5}\) is decomposed into \(\mathsf {U}_m^{\bot } \circ \mathsf {T}\). Thus, starting from IND-CPAg-secure \(\mathsf {PKE}\), we obtain the similar proof by combining reductions in [HHK17].

Fig. 10.

Transformations in the ROM. GOAL-ATTACKg indicates the class of PKEs that is GOAL-ATTACK-secure and \(2^{-\omega (\lg {\kappa })}\)-uniformity [FO00, FO99], or equivalently \(\omega (\lg {\kappa })\)-spreading [FO13]. Solid arrows indicate tight reductions, dashed arrows indicate non-tight reductions, thin arrows indicate trivial reductions, thick black arrows indicate reductions in [FO00], thick green arrows indicate reductions in [Den03], and thick blue arrows indicate reductions in [HHK17]. The transformation \(\mathsf {R}\) is in [FO00, Remark 5.5]. The transformations \(\mathsf {Dent1}\), \(\mathsf {Dent2}\), \(\mathsf {Dent3}\), \(\mathsf {Dent4}\), and \(\mathsf {Dent5}\) are given in [Den03]. The transformations \(\mathsf {S}^\ell \), \(\mathsf {T}\), \(\mathsf {U}^{\bot }\), \(\mathsf {U}^{\not \bot }\), \(\mathsf {U}_m^{\bot }\), \(\mathsf {U}_m^{\not \bot }\), and \(\mathsf {QU}_m^{\bot }\) are given in [HHK17]. (Color figure online)

C Omitted Proofs

1.1 C.1 Proof of Lemma 2.2

Here, we prove Lemma 2.2. Before proving the lemma, we introduce another lemma, which gives a lower bound for a decisional variant of Grover’s search problem.

Lemma C.1

([SY17, Lemma C.1]). Let \(g_s:\{0,1\}^\ell \rightarrow \{0,1\}\) denotes a function defined as \(g_{s}(s):=1\) and \(g_s(s'):=0\) for all \(s'\not =s\), and \(g_{\bot }:\{0,1\}^\ell \rightarrow \{0,1\}\) denotes a function that returns 0 for all inputs. Then for any unbounded time adversary \(\mathcal {A}\) that issues at most q quantum queries to its oracle, we have

$$ \Pr [1\leftarrow \mathcal {A}^{g_s}() \mid s\leftarrow \{0,1\}^\ell ]-\Pr [1\leftarrow \mathcal {A}^{g_\bot }()]\le q\cdot 2^{\frac{-\ell +1}{2}}. $$

Then we prove Lemma 2.2 relying on the above lemma.

Proof

(of Lemma 2.2) To prove the theorem, we consider the following sequence of games for an algorithm \(\mathcal {A}\).

• \(\mathsf {Game}~0\): This game returns as \(\mathcal {A}^{\mathsf {H},\mathsf {H}(s,\cdot )}()\) outputs, where \(s\leftarrow \{0,1\}^{\ell }\) and \(\mathsf {H}:\{0,1\}^{\ell }\times \mathcal {X}\rightarrow \mathcal {Y}\) are random functions.

• \(\mathsf {Game}~1\): This game returns as \(\mathcal {A}^{O[s,\mathsf {H}_0,\mathsf {H}_1], \mathsf {H}_1(\cdot )}()\) outputs, where \(s\leftarrow \{0,1\}^{\ell }\), \(\mathsf {H}_0 :\{0,1\}^{\ell }\times \mathcal {X}\rightarrow \mathcal {Y}\) and \(\mathsf {H}_1 :\mathcal {X}\rightarrow \mathcal {Y}\) are independent random functions, and \(O[s,\mathsf {H}_0,\mathsf {H}_1]\) is a function defined as

  $$\begin{aligned} O[s,\mathsf {H}_0,\mathsf {H}_1](s',x):= {\left\{ \begin{array}{ll} \mathsf {H}_0(s',x) &{} \text {if }s'\not = s, \\ \mathsf {H}_1(x) &{} \text {if }s'=s. \end{array}\right. } \end{aligned}$$

  (1)

• \(\mathsf {Game}~2\): This game returns as \(\mathcal {A}^{\mathsf {H}_0,\mathsf {H}_1}()\) outputs, where \(\mathsf {H}_0 :\{0,1\}^{\ell }\times \mathcal {X}\rightarrow \mathcal {Y}\) and \(\mathsf {H}_1 :\mathcal {X}\rightarrow \mathcal {Y}\) are independent random functions.

This completes the descriptions of games. We want to prove that \(|\Pr [\mathsf {Game}_2=1]-\Pr [\mathsf {Game}_0=1] |\le q_{\mathsf {H}}\cdot 2^{\frac{-\ell +1}{2}}\). It is easy to see that we have \(\Pr [\mathsf {Game}0=1]=\Pr [\mathsf {Game}1=1]\). What is left is to prove that \(|\Pr [\mathsf {Game}_2=1]-\Pr [\mathsf {Game}_1=1] |\le q_{\mathsf {H}}\cdot 2^{\frac{-\ell +1}{2}}\). We prove this by a reduction to Lemma C.1. We consider the following algorithm \(\mathcal {B}\) that has access to g that is \(g_s\) for randomly chosen \(s\leftarrow \{0,1\}^{\ell }\) or \(g_\bot \) where \(g_s\) and \(g_{\bot }\) are as defined in Lemma C.1.

\(\mathcal {B}^{g}\)::

It picks two random functions \(\mathsf {H}_0 :\{0,1\}^{\ell }\times \mathcal {X}\rightarrow \mathcal {Y}\) and \(\mathsf {H}_1 :\mathcal {X}\rightarrow \mathcal {Y}\), and runs \(\mathcal {A}^{O,\mathsf {H}_1}\) where \(\mathcal {B}\) simulates O as follows: If \(\mathcal {A}\) queries \((s',x)\) to O, \(\mathcal {B}\) queries \(s'\) to its own oracle g to obtain a bit b. If \(b=0\), then \(\mathcal {B}\) returns \(\mathsf {H}_0(s',x)\) to \(\mathcal {A}\) and if \(b=1\), then \(\mathcal {B}\) returns \(\mathsf {H}_1(x')\) to \(\mathcal {A}\).

This completes the description of \(\mathcal {B}\). It is easy to see that if \(g=g_s\) for randomly chosen \(s\leftarrow \{0,1\}^{\ell }\), then \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_1\), and if \(g=g_{\bot }\), then \(\mathcal {B}\) perfectly simulates \(\mathsf {Game}_2\). Therefore, we have

$$ \left|\Pr [\mathsf {Game}_1=1]-\Pr [\mathsf {Game}_2=1] \right|= \left|\Pr [1\leftarrow \mathcal {B}^{g_s}() \mid s\leftarrow \{0,1\}^{\ell }]-\Pr [1\leftarrow \mathcal {B}^{g_\bot }()] \right|. $$

On the other hand, by Lemma C.1, we have

$$ \left|\Pr [1\leftarrow \mathcal {B}^{g_s}() \mid s\leftarrow \{0,1\}^{\ell }]-\Pr [1\leftarrow \mathcal {B}^{g_\bot }()] \right|\le q_{\mathsf {H}}\cdot 2^{\frac{-\ell +1}{2}}, $$

since the number of \(\mathcal {B}\)’s queries to its own oracle is exactly the same as the number of \(\mathcal {A}\)’s queries to O, which is equal to \(q_{\mathsf {H}}\). This completes the proof of Lemma 2.2.    \(\square \)